LXR linux/drivers/usb/gadget/function/f_mass

   1// SPDX-License-Identifier: (GPL-2.0+ OR BSD-3-Clause)
   2/*
   3 * f_mass_storage.c -- Mass Storage USB Composite Function
   4 *
   5 * Copyright (C) 2003-2008 Alan Stern
   6 * Copyright (C) 2009 Samsung Electronics
   7 *                    Author: Michal Nazarewicz <mina86@mina86.com>
   8 * All rights reserved.
   9 *
  10 * Redistribution and use in source and binary forms, with or without
  11 * modification, are permitted provided that the following conditions
  12 * are met:
  13 * 1. Redistributions of source code must retain the above copyright
  14 *    notice, this list of conditions, and the following disclaimer,
  15 *    without modification.
  16 * 2. Redistributions in binary form must reproduce the above copyright
  17 *    notice, this list of conditions and the following disclaimer in the
  18 *    documentation and/or other materials provided with the distribution.
  19 * 3. The names of the above-listed copyright holders may not be used
  20 *    to endorse or promote products derived from this software without
  21 *    specific prior written permission.
  22 *
  23 * ALTERNATIVELY, this software may be distributed under the terms of the
  24 * GNU General Public License ("GPL") as published by the Free Software
  25 * Foundation, either version 2 of that License or (at your option) any
  26 * later version.
  27 *
  28 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
  29 * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
  30 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  31 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
  32 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
  33 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
  34 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
  35 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
  36 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
  37 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  38 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  39 */
  40
  41/*
  42 * The Mass Storage Function acts as a USB Mass Storage device,
  43 * appearing to the host as a disk drive or as a CD-ROM drive.  In
  44 * addition to providing an example of a genuinely useful composite
  45 * function for a USB device, it also illustrates a technique of
  46 * double-buffering for increased throughput.
  47 *
  48 * For more information about MSF and in particular its module
  49 * parameters and sysfs interface read the
  50 * <Documentation/usb/mass-storage.txt> file.
  51 */
  52
  53/*
  54 * MSF is configured by specifying a fsg_config structure.  It has the
  55 * following fields:
  56 *
  57 *      nluns           Number of LUNs function have (anywhere from 1
  58 *                              to FSG_MAX_LUNS).
  59 *      luns            An array of LUN configuration values.  This
  60 *                              should be filled for each LUN that
  61 *                              function will include (ie. for "nluns"
  62 *                              LUNs).  Each element of the array has
  63 *                              the following fields:
  64 *      ->filename      The path to the backing file for the LUN.
  65 *                              Required if LUN is not marked as
  66 *                              removable.
  67 *      ->ro            Flag specifying access to the LUN shall be
  68 *                              read-only.  This is implied if CD-ROM
  69 *                              emulation is enabled as well as when
  70 *                              it was impossible to open "filename"
  71 *                              in R/W mode.
  72 *      ->removable     Flag specifying that LUN shall be indicated as
  73 *                              being removable.
  74 *      ->cdrom         Flag specifying that LUN shall be reported as
  75 *                              being a CD-ROM.
  76 *      ->nofua         Flag specifying that FUA flag in SCSI WRITE(10,12)
  77 *                              commands for this LUN shall be ignored.
  78 *
  79 *      vendor_name
  80 *      product_name
  81 *      release         Information used as a reply to INQUIRY
  82 *                              request.  To use default set to NULL,
  83 *                              NULL, 0xffff respectively.  The first
  84 *                              field should be 8 and the second 16
  85 *                              characters or less.
  86 *
  87 *      can_stall       Set to permit function to halt bulk endpoints.
  88 *                              Disabled on some USB devices known not
  89 *                              to work correctly.  You should set it
  90 *                              to true.
  91 *
  92 * If "removable" is not set for a LUN then a backing file must be
  93 * specified.  If it is set, then NULL filename means the LUN's medium
  94 * is not loaded (an empty string as "filename" in the fsg_config
  95 * structure causes error).  The CD-ROM emulation includes a single
  96 * data track and no audio tracks; hence there need be only one
  97 * backing file per LUN.
  98 *
  99 * This function is heavily based on "File-backed Storage Gadget" by
 100 * Alan Stern which in turn is heavily based on "Gadget Zero" by David
 101 * Brownell.  The driver's SCSI command interface was based on the
 102 * "Information technology - Small Computer System Interface - 2"
 103 * document from X3T9.2 Project 375D, Revision 10L, 7-SEP-93,
 104 * available at <http://www.t10.org/ftp/t10/drafts/s2/s2-r10l.pdf>.
 105 * The single exception is opcode 0x23 (READ FORMAT CAPACITIES), which
 106 * was based on the "Universal Serial Bus Mass Storage Class UFI
 107 * Command Specification" document, Revision 1.0, December 14, 1998,
 108 * available at
 109 * <http://www.usb.org/developers/devclass_docs/usbmass-ufi10.pdf>.
 110 */
 111
 112/*
 113 *                              Driver Design
 114 *
 115 * The MSF is fairly straightforward.  There is a main kernel
 116 * thread that handles most of the work.  Interrupt routines field
 117 * callbacks from the controller driver: bulk- and interrupt-request
 118 * completion notifications, endpoint-0 events, and disconnect events.
 119 * Completion events are passed to the main thread by wakeup calls.  Many
 120 * ep0 requests are handled at interrupt time, but SetInterface,
 121 * SetConfiguration, and device reset requests are forwarded to the
 122 * thread in the form of "exceptions" using SIGUSR1 signals (since they
 123 * should interrupt any ongoing file I/O operations).
 124 *
 125 * The thread's main routine implements the standard command/data/status
 126 * parts of a SCSI interaction.  It and its subroutines are full of tests
 127 * for pending signals/exceptions -- all this polling is necessary since
 128 * the kernel has no setjmp/longjmp equivalents.  (Maybe this is an
 129 * indication that the driver really wants to be running in userspace.)
 130 * An important point is that so long as the thread is alive it keeps an
 131 * open reference to the backing file.  This will prevent unmounting
 132 * the backing file's underlying filesystem and could cause problems
 133 * during system shutdown, for example.  To prevent such problems, the
 134 * thread catches INT, TERM, and KILL signals and converts them into
 135 * an EXIT exception.
 136 *
 137 * In normal operation the main thread is started during the gadget's
 138 * fsg_bind() callback and stopped during fsg_unbind().  But it can
 139 * also exit when it receives a signal, and there's no point leaving
 140 * the gadget running when the thread is dead.  As of this moment, MSF
 141 * provides no way to deregister the gadget when thread dies -- maybe
 142 * a callback functions is needed.
 143 *
 144 * To provide maximum throughput, the driver uses a circular pipeline of
 145 * buffer heads (struct fsg_buffhd).  In principle the pipeline can be
 146 * arbitrarily long; in practice the benefits don't justify having more
 147 * than 2 stages (i.e., double buffering).  But it helps to think of the
 148 * pipeline as being a long one.  Each buffer head contains a bulk-in and
 149 * a bulk-out request pointer (since the buffer can be used for both
 150 * output and input -- directions always are given from the host's
 151 * point of view) as well as a pointer to the buffer and various state
 152 * variables.
 153 *
 154 * Use of the pipeline follows a simple protocol.  There is a variable
 155 * (fsg->next_buffhd_to_fill) that points to the next buffer head to use.
 156 * At any time that buffer head may still be in use from an earlier
 157 * request, so each buffer head has a state variable indicating whether
 158 * it is EMPTY, FULL, or BUSY.  Typical use involves waiting for the
 159 * buffer head to be EMPTY, filling the buffer either by file I/O or by
 160 * USB I/O (during which the buffer head is BUSY), and marking the buffer
 161 * head FULL when the I/O is complete.  Then the buffer will be emptied
 162 * (again possibly by USB I/O, during which it is marked BUSY) and
 163 * finally marked EMPTY again (possibly by a completion routine).
 164 *
 165 * A module parameter tells the driver to avoid stalling the bulk
 166 * endpoints wherever the transport specification allows.  This is
 167 * necessary for some UDCs like the SuperH, which cannot reliably clear a
 168 * halt on a bulk endpoint.  However, under certain circumstances the
 169 * Bulk-only specification requires a stall.  In such cases the driver
 170 * will halt the endpoint and set a flag indicating that it should clear
 171 * the halt in software during the next device reset.  Hopefully this
 172 * will permit everything to work correctly.  Furthermore, although the
 173 * specification allows the bulk-out endpoint to halt when the host sends
 174 * too much data, implementing this would cause an unavoidable race.
 175 * The driver will always use the "no-stall" approach for OUT transfers.
 176 *
 177 * One subtle point concerns sending status-stage responses for ep0
 178 * requests.  Some of these requests, such as device reset, can involve
 179 * interrupting an ongoing file I/O operation, which might take an
 180 * arbitrarily long time.  During that delay the host might give up on
 181 * the original ep0 request and issue a new one.  When that happens the
 182 * driver should not notify the host about completion of the original
 183 * request, as the host will no longer be waiting for it.  So the driver
 184 * assigns to each ep0 request a unique tag, and it keeps track of the
 185 * tag value of the request associated with a long-running exception
 186 * (device-reset, interface-change, or configuration-change).  When the
 187 * exception handler is finished, the status-stage response is submitted
 188 * only if the current ep0 request tag is equal to the exception request
 189 * tag.  Thus only the most recently received ep0 request will get a
 190 * status-stage response.
 191 *
 192 * Warning: This driver source file is too long.  It ought to be split up
 193 * into a header file plus about 3 separate .c files, to handle the details
 194 * of the Gadget, USB Mass Storage, and SCSI protocols.
 195 */
 196
 197
 198/* #define VERBOSE_DEBUG */
 199/* #define DUMP_MSGS */
 200
 201#include <linux/blkdev.h>
 202#include <linux/completion.h>
 203#include <linux/dcache.h>
 204#include <linux/delay.h>
 205#include <linux/device.h>
 206#include <linux/fcntl.h>
 207#include <linux/file.h>
 208#include <linux/fs.h>
 209#include <linux/kthread.h>
 210#include <linux/sched/signal.h>
 211#include <linux/limits.h>
 212#include <linux/rwsem.h>
 213#include <linux/slab.h>
 214#include <linux/spinlock.h>
 215#include <linux/string.h>
 216#include <linux/freezer.h>
 217#include <linux/module.h>
 218#include <linux/uaccess.h>
 219
 220#include <linux/usb/ch9.h>
 221#include <linux/usb/gadget.h>
 222#include <linux/usb/composite.h>
 223
 224#include <linux/nospec.h>
 225
 226#include "configfs.h"
 227
 228
 229/*------------------------------------------------------------------------*/
 230
 231#define FSG_DRIVER_DESC         "Mass Storage Function"
 232#define FSG_DRIVER_VERSION      "2009/09/11"
 233
 234static const char fsg_string_interface[] = "Mass Storage";
 235
 236#include "storage_common.h"
 237#include "f_mass_storage.h"
 238
 239/* Static strings, in UTF-8 (for simplicity we use only ASCII characters) */
 240static struct usb_string                fsg_strings[] = {
 241        {FSG_STRING_INTERFACE,          fsg_string_interface},
 242        {}
 243};
 244
 245static struct usb_gadget_strings        fsg_stringtab = {
 246        .language       = 0x0409,               /* en-us */
 247        .strings        = fsg_strings,
 248};
 249
 250static struct usb_gadget_strings *fsg_strings_array[] = {
 251        &fsg_stringtab,
 252        NULL,
 253};
 254
 255/*-------------------------------------------------------------------------*/
 256
 257struct fsg_dev;
 258struct fsg_common;
 259
 260/* Data shared by all the FSG instances. */
 261struct fsg_common {
 262        struct usb_gadget       *gadget;
 263        struct usb_composite_dev *cdev;
 264        struct fsg_dev          *fsg, *new_fsg;
 265        wait_queue_head_t       io_wait;
 266        wait_queue_head_t       fsg_wait;
 267
 268        /* filesem protects: backing files in use */
 269        struct rw_semaphore     filesem;
 270
 271        /* lock protects: state and thread_task */
 272        spinlock_t              lock;
 273
 274        struct usb_ep           *ep0;           /* Copy of gadget->ep0 */
 275        struct usb_request      *ep0req;        /* Copy of cdev->req */
 276        unsigned int            ep0_req_tag;
 277
 278        struct fsg_buffhd       *next_buffhd_to_fill;
 279        struct fsg_buffhd       *next_buffhd_to_drain;
 280        struct fsg_buffhd       *buffhds;
 281        unsigned int            fsg_num_buffers;
 282
 283        int                     cmnd_size;
 284        u8                      cmnd[MAX_COMMAND_SIZE];
 285
 286        unsigned int            lun;
 287        struct fsg_lun          *luns[FSG_MAX_LUNS];
 288        struct fsg_lun          *curlun;
 289
 290        unsigned int            bulk_out_maxpacket;
 291        enum fsg_state          state;          /* For exception handling */
 292        unsigned int            exception_req_tag;
 293
 294        enum data_direction     data_dir;
 295        u32                     data_size;
 296        u32                     data_size_from_cmnd;
 297        u32                     tag;
 298        u32                     residue;
 299        u32                     usb_amount_left;
 300
 301        unsigned int            can_stall:1;
 302        unsigned int            free_storage_on_release:1;
 303        unsigned int            phase_error:1;
 304        unsigned int            short_packet_received:1;
 305        unsigned int            bad_lun_okay:1;
 306        unsigned int            running:1;
 307        unsigned int            sysfs:1;
 308
 309        struct completion       thread_notifier;
 310        struct task_struct      *thread_task;
 311
 312        /* Gadget's private data. */
 313        void                    *private_data;
 314
 315        char inquiry_string[INQUIRY_STRING_LEN];
 316};
 317
 318struct fsg_dev {
 319        struct usb_function     function;
 320        struct usb_gadget       *gadget;        /* Copy of cdev->gadget */
 321        struct fsg_common       *common;
 322
 323        u16                     interface_number;
 324
 325        unsigned int            bulk_in_enabled:1;
 326        unsigned int            bulk_out_enabled:1;
 327
 328        unsigned long           atomic_bitflags;
 329#define IGNORE_BULK_OUT         0
 330
 331        struct usb_ep           *bulk_in;
 332        struct usb_ep           *bulk_out;
 333};
 334
 335static inline int __fsg_is_set(struct fsg_common *common,
 336                               const char *func, unsigned line)
 337{
 338        if (common->fsg)
 339                return 1;
 340        ERROR(common, "common->fsg is NULL in %s at %u\n", func, line);
 341        WARN_ON(1);
 342        return 0;
 343}
 344
 345#define fsg_is_set(common) likely(__fsg_is_set(common, __func__, __LINE__))
 346
 347static inline struct fsg_dev *fsg_from_func(struct usb_function *f)
 348{
 349        return container_of(f, struct fsg_dev, function);
 350}
 351
 352typedef void (*fsg_routine_t)(struct fsg_dev *);
 353
 354static int exception_in_progress(struct fsg_common *common)
 355{
 356        return common->state > FSG_STATE_NORMAL;
 357}
 358
 359/* Make bulk-out requests be divisible by the maxpacket size */
 360static void set_bulk_out_req_length(struct fsg_common *common,
 361                                    struct fsg_buffhd *bh, unsigned int length)
 362{
 363        unsigned int    rem;
 364
 365        bh->bulk_out_intended_length = length;
 366        rem = length % common->bulk_out_maxpacket;
 367        if (rem > 0)
 368                length += common->bulk_out_maxpacket - rem;
 369        bh->outreq->length = length;
 370}
 371
 372
 373/*-------------------------------------------------------------------------*/
 374
 375static int fsg_set_halt(struct fsg_dev *fsg, struct usb_ep *ep)
 376{
 377        const char      *name;
 378
 379        if (ep == fsg->bulk_in)
 380                name = "bulk-in";
 381        else if (ep == fsg->bulk_out)
 382                name = "bulk-out";
 383        else
 384                name = ep->name;
 385        DBG(fsg, "%s set halt\n", name);
 386        return usb_ep_set_halt(ep);
 387}
 388
 389
 390/*-------------------------------------------------------------------------*/
 391
 392/* These routines may be called in process context or in_irq */
 393
 394static void raise_exception(struct fsg_common *common, enum fsg_state new_state)
 395{
 396        unsigned long           flags;
 397
 398        /*
 399         * Do nothing if a higher-priority exception is already in progress.
 400         * If a lower-or-equal priority exception is in progress, preempt it
 401         * and notify the main thread by sending it a signal.
 402         */
 403        spin_lock_irqsave(&common->lock, flags);
 404        if (common->state <= new_state) {
 405                common->exception_req_tag = common->ep0_req_tag;
 406                common->state = new_state;
 407                if (common->thread_task)
 408                        send_sig_info(SIGUSR1, SEND_SIG_FORCED,
 409                                      common->thread_task);
 410        }
 411        spin_unlock_irqrestore(&common->lock, flags);
 412}
 413
 414
 415/*-------------------------------------------------------------------------*/
 416
 417static int ep0_queue(struct fsg_common *common)
 418{
 419        int     rc;
 420
 421        rc = usb_ep_queue(common->ep0, common->ep0req, GFP_ATOMIC);
 422        common->ep0->driver_data = common;
 423        if (rc != 0 && rc != -ESHUTDOWN) {
 424                /* We can't do much more than wait for a reset */
 425                WARNING(common, "error in submission: %s --> %d\n",
 426                        common->ep0->name, rc);
 427        }
 428        return rc;
 429}
 430
 431
 432/*-------------------------------------------------------------------------*/
 433
 434/* Completion handlers. These always run in_irq. */
 435
 436static void bulk_in_complete(struct usb_ep *ep, struct usb_request *req)
 437{
 438        struct fsg_common       *common = ep->driver_data;
 439        struct fsg_buffhd       *bh = req->context;
 440
 441        if (req->status || req->actual != req->length)
 442                DBG(common, "%s --> %d, %u/%u\n", __func__,
 443                    req->status, req->actual, req->length);
 444        if (req->status == -ECONNRESET)         /* Request was cancelled */
 445                usb_ep_fifo_flush(ep);
 446
 447        /* Synchronize with the smp_load_acquire() in sleep_thread() */
 448        smp_store_release(&bh->state, BUF_STATE_EMPTY);
 449        wake_up(&common->io_wait);
 450}
 451
 452static void bulk_out_complete(struct usb_ep *ep, struct usb_request *req)
 453{
 454        struct fsg_common       *common = ep->driver_data;
 455        struct fsg_buffhd       *bh = req->context;
 456
 457        dump_msg(common, "bulk-out", req->buf, req->actual);
 458        if (req->status || req->actual != bh->bulk_out_intended_length)
 459                DBG(common, "%s --> %d, %u/%u\n", __func__,
 460                    req->status, req->actual, bh->bulk_out_intended_length);
 461        if (req->status == -ECONNRESET)         /* Request was cancelled */
 462                usb_ep_fifo_flush(ep);
 463
 464        /* Synchronize with the smp_load_acquire() in sleep_thread() */
 465        smp_store_release(&bh->state, BUF_STATE_FULL);
 466        wake_up(&common->io_wait);
 467}
 468
 469static int _fsg_common_get_max_lun(struct fsg_common *common)
 470{
 471        int i = ARRAY_SIZE(common->luns) - 1;
 472
 473        while (i >= 0 && !common->luns[i])
 474                --i;
 475
 476        return i;
 477}
 478
 479static int fsg_setup(struct usb_function *f,
 480                     const struct usb_ctrlrequest *ctrl)
 481{
 482        struct fsg_dev          *fsg = fsg_from_func(f);
 483        struct usb_request      *req = fsg->common->ep0req;
 484        u16                     w_index = le16_to_cpu(ctrl->wIndex);
 485        u16                     w_value = le16_to_cpu(ctrl->wValue);
 486        u16                     w_length = le16_to_cpu(ctrl->wLength);
 487
 488        if (!fsg_is_set(fsg->common))
 489                return -EOPNOTSUPP;
 490
 491        ++fsg->common->ep0_req_tag;     /* Record arrival of a new request */
 492        req->context = NULL;
 493        req->length = 0;
 494        dump_msg(fsg, "ep0-setup", (u8 *) ctrl, sizeof(*ctrl));
 495
 496        switch (ctrl->bRequest) {
 497
 498        case US_BULK_RESET_REQUEST:
 499                if (ctrl->bRequestType !=
 500                    (USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE))
 501                        break;
 502                if (w_index != fsg->interface_number || w_value != 0 ||
 503                                w_length != 0)
 504                        return -EDOM;
 505
 506                /*
 507                 * Raise an exception to stop the current operation
 508                 * and reinitialize our state.
 509                 */
 510                DBG(fsg, "bulk reset request\n");
 511                raise_exception(fsg->common, FSG_STATE_PROTOCOL_RESET);
 512                return USB_GADGET_DELAYED_STATUS;
 513
 514        case US_BULK_GET_MAX_LUN:
 515                if (ctrl->bRequestType !=
 516                    (USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_INTERFACE))
 517                        break;
 518                if (w_index != fsg->interface_number || w_value != 0 ||
 519                                w_length != 1)
 520                        return -EDOM;
 521                VDBG(fsg, "get max LUN\n");
 522                *(u8 *)req->buf = _fsg_common_get_max_lun(fsg->common);
 523
 524                /* Respond with data/status */
 525                req->length = min((u16)1, w_length);
 526                return ep0_queue(fsg->common);
 527        }
 528
 529        VDBG(fsg,
 530             "unknown class-specific control req %02x.%02x v%04x i%04x l%u\n",
 531             ctrl->bRequestType, ctrl->bRequest,
 532             le16_to_cpu(ctrl->wValue), w_index, w_length);
 533        return -EOPNOTSUPP;
 534}
 535
 536
 537/*-------------------------------------------------------------------------*/
 538
 539/* All the following routines run in process context */
 540
 541/* Use this for bulk or interrupt transfers, not ep0 */
 542static int start_transfer(struct fsg_dev *fsg, struct usb_ep *ep,
 543                           struct usb_request *req)
 544{
 545        int     rc;
 546
 547        if (ep == fsg->bulk_in)
 548                dump_msg(fsg, "bulk-in", req->buf, req->length);
 549
 550        rc = usb_ep_queue(ep, req, GFP_KERNEL);
 551        if (rc) {
 552
 553                /* We can't do much more than wait for a reset */
 554                req->status = rc;
 555
 556                /*
 557                 * Note: currently the net2280 driver fails zero-length
 558                 * submissions if DMA is enabled.
 559                 */
 560                if (rc != -ESHUTDOWN &&
 561                                !(rc == -EOPNOTSUPP && req->length == 0))
 562                        WARNING(fsg, "error in submission: %s --> %d\n",
 563                                        ep->name, rc);
 564        }
 565        return rc;
 566}
 567
 568static bool start_in_transfer(struct fsg_common *common, struct fsg_buffhd *bh)
 569{
 570        if (!fsg_is_set(common))
 571                return false;
 572        bh->state = BUF_STATE_SENDING;
 573        if (start_transfer(common->fsg, common->fsg->bulk_in, bh->inreq))
 574                bh->state = BUF_STATE_EMPTY;
 575        return true;
 576}
 577
 578static bool start_out_transfer(struct fsg_common *common, struct fsg_buffhd *bh)
 579{
 580        if (!fsg_is_set(common))
 581                return false;
 582        bh->state = BUF_STATE_RECEIVING;
 583        if (start_transfer(common->fsg, common->fsg->bulk_out, bh->outreq))
 584                bh->state = BUF_STATE_FULL;
 585        return true;
 586}
 587
 588static int sleep_thread(struct fsg_common *common, bool can_freeze,
 589                struct fsg_buffhd *bh)
 590{
 591        int     rc;
 592
 593        /* Wait until a signal arrives or bh is no longer busy */
 594        if (can_freeze)
 595                /*
 596                 * synchronize with the smp_store_release(&bh->state) in
 597                 * bulk_in_complete() or bulk_out_complete()
 598                 */
 599                rc = wait_event_freezable(common->io_wait,
 600                                bh && smp_load_acquire(&bh->state) >=
 601                                        BUF_STATE_EMPTY);
 602        else
 603                rc = wait_event_interruptible(common->io_wait,
 604                                bh && smp_load_acquire(&bh->state) >=
 605                                        BUF_STATE_EMPTY);
 606        return rc ? -EINTR : 0;
 607}
 608
 609
 610/*-------------------------------------------------------------------------*/
 611
 612static int do_read(struct fsg_common *common)
 613{
 614        struct fsg_lun          *curlun = common->curlun;
 615        u32                     lba;
 616        struct fsg_buffhd       *bh;
 617        int                     rc;
 618        u32                     amount_left;
 619        loff_t                  file_offset, file_offset_tmp;
 620        unsigned int            amount;
 621        ssize_t                 nread;
 622
 623        /*
 624         * Get the starting Logical Block Address and check that it's
 625         * not too big.
 626         */
 627        if (common->cmnd[0] == READ_6)
 628                lba = get_unaligned_be24(&common->cmnd[1]);
 629        else {
 630                lba = get_unaligned_be32(&common->cmnd[2]);
 631
 632                /*
 633                 * We allow DPO (Disable Page Out = don't save data in the
 634                 * cache) and FUA (Force Unit Access = don't read from the
 635                 * cache), but we don't implement them.
 636                 */
 637                if ((common->cmnd[1] & ~0x18) != 0) {
 638                        curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
 639                        return -EINVAL;
 640                }
 641        }
 642        if (lba >= curlun->num_sectors) {
 643                curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 644                return -EINVAL;
 645        }
 646        file_offset = ((loff_t) lba) << curlun->blkbits;
 647
 648        /* Carry out the file reads */
 649        amount_left = common->data_size_from_cmnd;
 650        if (unlikely(amount_left == 0))
 651                return -EIO;            /* No default reply */
 652
 653        for (;;) {
 654                /*
 655                 * Figure out how much we need to read:
 656                 * Try to read the remaining amount.
 657                 * But don't read more than the buffer size.
 658                 * And don't try to read past the end of the file.
 659                 */
 660                amount = min(amount_left, FSG_BUFLEN);
 661                amount = min((loff_t)amount,
 662                             curlun->file_length - file_offset);
 663
 664                /* Wait for the next buffer to become available */
 665                bh = common->next_buffhd_to_fill;
 666                rc = sleep_thread(common, false, bh);
 667                if (rc)
 668                        return rc;
 669
 670                /*
 671                 * If we were asked to read past the end of file,
 672                 * end with an empty buffer.
 673                 */
 674                if (amount == 0) {
 675                        curlun->sense_data =
 676                                        SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 677                        curlun->sense_data_info =
 678                                        file_offset >> curlun->blkbits;
 679                        curlun->info_valid = 1;
 680                        bh->inreq->length = 0;
 681                        bh->state = BUF_STATE_FULL;
 682                        break;
 683                }
 684
 685                /* Perform the read */
 686                file_offset_tmp = file_offset;
 687                nread = kernel_read(curlun->filp, bh->buf, amount,
 688                                &file_offset_tmp);
 689                VLDBG(curlun, "file read %u @ %llu -> %d\n", amount,
 690                      (unsigned long long)file_offset, (int)nread);
 691                if (signal_pending(current))
 692                        return -EINTR;
 693
 694                if (nread < 0) {
 695                        LDBG(curlun, "error in file read: %d\n", (int)nread);
 696                        nread = 0;
 697                } else if (nread < amount) {
 698                        LDBG(curlun, "partial file read: %d/%u\n",
 699                             (int)nread, amount);
 700                        nread = round_down(nread, curlun->blksize);
 701                }
 702                file_offset  += nread;
 703                amount_left  -= nread;
 704                common->residue -= nread;
 705
 706                /*
 707                 * Except at the end of the transfer, nread will be
 708                 * equal to the buffer size, which is divisible by the
 709                 * bulk-in maxpacket size.
 710                 */
 711                bh->inreq->length = nread;
 712                bh->state = BUF_STATE_FULL;
 713
 714                /* If an error occurred, report it and its position */
 715                if (nread < amount) {
 716                        curlun->sense_data = SS_UNRECOVERED_READ_ERROR;
 717                        curlun->sense_data_info =
 718                                        file_offset >> curlun->blkbits;
 719                        curlun->info_valid = 1;
 720                        break;
 721                }
 722
 723                if (amount_left == 0)
 724                        break;          /* No more left to read */
 725
 726                /* Send this buffer and go read some more */
 727                bh->inreq->zero = 0;
 728                if (!start_in_transfer(common, bh))
 729                        /* Don't know what to do if common->fsg is NULL */
 730                        return -EIO;
 731                common->next_buffhd_to_fill = bh->next;
 732        }
 733
 734        return -EIO;            /* No default reply */
 735}
 736
 737
 738/*-------------------------------------------------------------------------*/
 739
 740static int do_write(struct fsg_common *common)
 741{
 742        struct fsg_lun          *curlun = common->curlun;
 743        u32                     lba;
 744        struct fsg_buffhd       *bh;
 745        int                     get_some_more;
 746        u32                     amount_left_to_req, amount_left_to_write;
 747        loff_t                  usb_offset, file_offset, file_offset_tmp;
 748        unsigned int            amount;
 749        ssize_t                 nwritten;
 750        int                     rc;
 751
 752        if (curlun->ro) {
 753                curlun->sense_data = SS_WRITE_PROTECTED;
 754                return -EINVAL;
 755        }
 756        spin_lock(&curlun->filp->f_lock);
 757        curlun->filp->f_flags &= ~O_SYNC;       /* Default is not to wait */
 758        spin_unlock(&curlun->filp->f_lock);
 759
 760        /*
 761         * Get the starting Logical Block Address and check that it's
 762         * not too big
 763         */
 764        if (common->cmnd[0] == WRITE_6)
 765                lba = get_unaligned_be24(&common->cmnd[1]);
 766        else {
 767                lba = get_unaligned_be32(&common->cmnd[2]);
 768
 769                /*
 770                 * We allow DPO (Disable Page Out = don't save data in the
 771                 * cache) and FUA (Force Unit Access = write directly to the
 772                 * medium).  We don't implement DPO; we implement FUA by
 773                 * performing synchronous output.
 774                 */
 775                if (common->cmnd[1] & ~0x18) {
 776                        curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
 777                        return -EINVAL;
 778                }
 779                if (!curlun->nofua && (common->cmnd[1] & 0x08)) { /* FUA */
 780                        spin_lock(&curlun->filp->f_lock);
 781                        curlun->filp->f_flags |= O_SYNC;
 782                        spin_unlock(&curlun->filp->f_lock);
 783                }
 784        }
 785        if (lba >= curlun->num_sectors) {
 786                curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 787                return -EINVAL;
 788        }
 789
 790        /* Carry out the file writes */
 791        get_some_more = 1;
 792        file_offset = usb_offset = ((loff_t) lba) << curlun->blkbits;
 793        amount_left_to_req = common->data_size_from_cmnd;
 794        amount_left_to_write = common->data_size_from_cmnd;
 795
 796        while (amount_left_to_write > 0) {
 797
 798                /* Queue a request for more data from the host */
 799                bh = common->next_buffhd_to_fill;
 800                if (bh->state == BUF_STATE_EMPTY && get_some_more) {
 801
 802                        /*
 803                         * Figure out how much we want to get:
 804                         * Try to get the remaining amount,
 805                         * but not more than the buffer size.
 806                         */
 807                        amount = min(amount_left_to_req, FSG_BUFLEN);
 808
 809                        /* Beyond the end of the backing file? */
 810                        if (usb_offset >= curlun->file_length) {
 811                                get_some_more = 0;
 812                                curlun->sense_data =
 813                                        SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 814                                curlun->sense_data_info =
 815                                        usb_offset >> curlun->blkbits;
 816                                curlun->info_valid = 1;
 817                                continue;
 818                        }
 819
 820                        /* Get the next buffer */
 821                        usb_offset += amount;
 822                        common->usb_amount_left -= amount;
 823                        amount_left_to_req -= amount;
 824                        if (amount_left_to_req == 0)
 825                                get_some_more = 0;
 826
 827                        /*
 828                         * Except at the end of the transfer, amount will be
 829                         * equal to the buffer size, which is divisible by
 830                         * the bulk-out maxpacket size.
 831                         */
 832                        set_bulk_out_req_length(common, bh, amount);
 833                        if (!start_out_transfer(common, bh))
 834                                /* Dunno what to do if common->fsg is NULL */
 835                                return -EIO;
 836                        common->next_buffhd_to_fill = bh->next;
 837                        continue;
 838                }
 839
 840                /* Write the received data to the backing file */
 841                bh = common->next_buffhd_to_drain;
 842                if (bh->state == BUF_STATE_EMPTY && !get_some_more)
 843                        break;                  /* We stopped early */
 844
 845                /* Wait for the data to be received */
 846                rc = sleep_thread(common, false, bh);
 847                if (rc)
 848                        return rc;
 849
 850                common->next_buffhd_to_drain = bh->next;
 851                bh->state = BUF_STATE_EMPTY;
 852
 853                /* Did something go wrong with the transfer? */
 854                if (bh->outreq->status != 0) {
 855                        curlun->sense_data = SS_COMMUNICATION_FAILURE;
 856                        curlun->sense_data_info =
 857                                        file_offset >> curlun->blkbits;
 858                        curlun->info_valid = 1;
 859                        break;
 860                }
 861
 862                amount = bh->outreq->actual;
 863                if (curlun->file_length - file_offset < amount) {
 864                        LERROR(curlun, "write %u @ %llu beyond end %llu\n",
 865                                       amount, (unsigned long long)file_offset,
 866                                       (unsigned long long)curlun->file_length);
 867                        amount = curlun->file_length - file_offset;
 868                }
 869
 870                /*
 871                 * Don't accept excess data.  The spec doesn't say
 872                 * what to do in this case.  We'll ignore the error.
 873                 */
 874                amount = min(amount, bh->bulk_out_intended_length);
 875
 876                /* Don't write a partial block */
 877                amount = round_down(amount, curlun->blksize);
 878                if (amount == 0)
 879                        goto empty_write;
 880
 881                /* Perform the write */
 882                file_offset_tmp = file_offset;
 883                nwritten = kernel_write(curlun->filp, bh->buf, amount,
 884                                &file_offset_tmp);
 885                VLDBG(curlun, "file write %u @ %llu -> %d\n", amount,
 886                                (unsigned long long)file_offset, (int)nwritten);
 887                if (signal_pending(current))
 888                        return -EINTR;          /* Interrupted! */
 889
 890                if (nwritten < 0) {
 891                        LDBG(curlun, "error in file write: %d\n",
 892                                        (int) nwritten);
 893                        nwritten = 0;
 894                } else if (nwritten < amount) {
 895                        LDBG(curlun, "partial file write: %d/%u\n",
 896                                        (int) nwritten, amount);
 897                        nwritten = round_down(nwritten, curlun->blksize);
 898                }
 899                file_offset += nwritten;
 900                amount_left_to_write -= nwritten;
 901                common->residue -= nwritten;
 902
 903                /* If an error occurred, report it and its position */
 904                if (nwritten < amount) {
 905                        curlun->sense_data = SS_WRITE_ERROR;
 906                        curlun->sense_data_info =
 907                                        file_offset >> curlun->blkbits;
 908                        curlun->info_valid = 1;
 909                        break;
 910                }
 911
 912 empty_write:
 913                /* Did the host decide to stop early? */
 914                if (bh->outreq->actual < bh->bulk_out_intended_length) {
 915                        common->short_packet_received = 1;
 916                        break;
 917                }
 918        }
 919
 920        return -EIO;            /* No default reply */
 921}
 922
 923
 924/*-------------------------------------------------------------------------*/
 925
 926static int do_synchronize_cache(struct fsg_common *common)
 927{
 928        struct fsg_lun  *curlun = common->curlun;
 929        int             rc;
 930
 931        /* We ignore the requested LBA and write out all file's
 932         * dirty data buffers. */
 933        rc = fsg_lun_fsync_sub(curlun);
 934        if (rc)
 935                curlun->sense_data = SS_WRITE_ERROR;
 936        return 0;
 937}
 938
 939
 940/*-------------------------------------------------------------------------*/
 941
 942static void invalidate_sub(struct fsg_lun *curlun)
 943{
 944        struct file     *filp = curlun->filp;
 945        struct inode    *inode = file_inode(filp);
 946        unsigned long   rc;
 947
 948        rc = invalidate_mapping_pages(inode->i_mapping, 0, -1);
 949        VLDBG(curlun, "invalidate_mapping_pages -> %ld\n", rc);
 950}
 951
 952static int do_verify(struct fsg_common *common)
 953{
 954        struct fsg_lun          *curlun = common->curlun;
 955        u32                     lba;
 956        u32                     verification_length;
 957        struct fsg_buffhd       *bh = common->next_buffhd_to_fill;
 958        loff_t                  file_offset, file_offset_tmp;
 959        u32                     amount_left;
 960        unsigned int            amount;
 961        ssize_t                 nread;
 962
 963        /*
 964         * Get the starting Logical Block Address and check that it's
 965         * not too big.
 966         */
 967        lba = get_unaligned_be32(&common->cmnd[2]);
 968        if (lba >= curlun->num_sectors) {
 969                curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 970                return -EINVAL;
 971        }
 972
 973        /*
 974         * We allow DPO (Disable Page Out = don't save data in the
 975         * cache) but we don't implement it.
 976         */
 977        if (common->cmnd[1] & ~0x10) {
 978                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
 979                return -EINVAL;
 980        }
 981
 982        verification_length = get_unaligned_be16(&common->cmnd[7]);
 983        if (unlikely(verification_length == 0))
 984                return -EIO;            /* No default reply */
 985
 986        /* Prepare to carry out the file verify */
 987        amount_left = verification_length << curlun->blkbits;
 988        file_offset = ((loff_t) lba) << curlun->blkbits;
 989
 990        /* Write out all the dirty buffers before invalidating them */
 991        fsg_lun_fsync_sub(curlun);
 992        if (signal_pending(current))
 993                return -EINTR;
 994
 995        invalidate_sub(curlun);
 996        if (signal_pending(current))
 997                return -EINTR;
 998
 999        /* Just try to read the requested blocks */
1000        while (amount_left > 0) {

1001                /*
1002                 * Figure out how much we need to read:
1003                 * Try to read the remaining amount, but not more than
1004                 * the buffer size.
1005                 * And don't try to read past the end of the file.
1006                 */
1007                amount = min(amount_left, FSG_BUFLEN);
1008                amount = min((loff_t)amount,
1009                             curlun->file_length - file_offset);
1010                if (amount == 0) {
1011                        curlun->sense_data =
1012                                        SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
1013                        curlun->sense_data_info =
1014                                file_offset >> curlun->blkbits;
1015                        curlun->info_valid = 1;
1016                        break;
1017                }
1018
1019                /* Perform the read */
1020                file_offset_tmp = file_offset;
1021                nread = kernel_read(curlun->filp, bh->buf, amount,
1022                                &file_offset_tmp);
1023                VLDBG(curlun, "file read %u @ %llu -> %d\n", amount,
1024                                (unsigned long long) file_offset,
1025                                (int) nread);
1026                if (signal_pending(current))
1027                        return -EINTR;
1028
1029                if (nread < 0) {
1030                        LDBG(curlun, "error in file verify: %d\n", (int)nread);
1031                        nread = 0;
1032                } else if (nread < amount) {
1033                        LDBG(curlun, "partial file verify: %d/%u\n",
1034                             (int)nread, amount);
1035                        nread = round_down(nread, curlun->blksize);
1036                }
1037                if (nread == 0) {
1038                        curlun->sense_data = SS_UNRECOVERED_READ_ERROR;
1039                        curlun->sense_data_info =
1040                                file_offset >> curlun->blkbits;
1041                        curlun->info_valid = 1;
1042                        break;
1043                }
1044                file_offset += nread;
1045                amount_left -= nread;
1046        }
1047        return 0;
1048}
1049
1050
1051/*-------------------------------------------------------------------------*/
1052
1053static int do_inquiry(struct fsg_common *common, struct fsg_buffhd *bh)
1054{
1055        struct fsg_lun *curlun = common->curlun;
1056        u8      *buf = (u8 *) bh->buf;
1057
1058        if (!curlun) {          /* Unsupported LUNs are okay */
1059                common->bad_lun_okay = 1;
1060                memset(buf, 0, 36);
1061                buf[0] = TYPE_NO_LUN;   /* Unsupported, no device-type */
1062                buf[4] = 31;            /* Additional length */
1063                return 36;
1064        }
1065
1066        buf[0] = curlun->cdrom ? TYPE_ROM : TYPE_DISK;
1067        buf[1] = curlun->removable ? 0x80 : 0;
1068        buf[2] = 2;             /* ANSI SCSI level 2 */
1069        buf[3] = 2;             /* SCSI-2 INQUIRY data format */
1070        buf[4] = 31;            /* Additional length */
1071        buf[5] = 0;             /* No special options */
1072        buf[6] = 0;
1073        buf[7] = 0;
1074        if (curlun->inquiry_string[0])
1075                memcpy(buf + 8, curlun->inquiry_string,
1076                       sizeof(curlun->inquiry_string));
1077        else
1078                memcpy(buf + 8, common->inquiry_string,
1079                       sizeof(common->inquiry_string));
1080        return 36;
1081}
1082
1083static int do_request_sense(struct fsg_common *common, struct fsg_buffhd *bh)
1084{
1085        struct fsg_lun  *curlun = common->curlun;
1086        u8              *buf = (u8 *) bh->buf;
1087        u32             sd, sdinfo;
1088        int             valid;
1089
1090        /*
1091         * From the SCSI-2 spec., section 7.9 (Unit attention condition):
1092         *
1093         * If a REQUEST SENSE command is received from an initiator
1094         * with a pending unit attention condition (before the target
1095         * generates the contingent allegiance condition), then the
1096         * target shall either:
1097         *   a) report any pending sense data and preserve the unit
1098         *      attention condition on the logical unit, or,
1099         *   b) report the unit attention condition, may discard any
1100         *      pending sense data, and clear the unit attention
1101         *      condition on the logical unit for that initiator.
1102         *
1103         * FSG normally uses option a); enable this code to use option b).
1104         */
1105#if 0
1106        if (curlun && curlun->unit_attention_data != SS_NO_SENSE) {
1107                curlun->sense_data = curlun->unit_attention_data;
1108                curlun->unit_attention_data = SS_NO_SENSE;
1109        }
1110#endif
1111
1112        if (!curlun) {          /* Unsupported LUNs are okay */
1113                common->bad_lun_okay = 1;
1114                sd = SS_LOGICAL_UNIT_NOT_SUPPORTED;
1115                sdinfo = 0;
1116                valid = 0;
1117        } else {
1118                sd = curlun->sense_data;
1119                sdinfo = curlun->sense_data_info;
1120                valid = curlun->info_valid << 7;
1121                curlun->sense_data = SS_NO_SENSE;
1122                curlun->sense_data_info = 0;
1123                curlun->info_valid = 0;
1124        }
1125
1126        memset(buf, 0, 18);
1127        buf[0] = valid | 0x70;                  /* Valid, current error */
1128        buf[2] = SK(sd);
1129        put_unaligned_be32(sdinfo, &buf[3]);    /* Sense information */
1130        buf[7] = 18 - 8;                        /* Additional sense length */
1131        buf[12] = ASC(sd);
1132        buf[13] = ASCQ(sd);
1133        return 18;
1134}
1135
1136static int do_read_capacity(struct fsg_common *common, struct fsg_buffhd *bh)
1137{
1138        struct fsg_lun  *curlun = common->curlun;
1139        u32             lba = get_unaligned_be32(&common->cmnd[2]);
1140        int             pmi = common->cmnd[8];
1141        u8              *buf = (u8 *)bh->buf;
1142
1143        /* Check the PMI and LBA fields */
1144        if (pmi > 1 || (pmi == 0 && lba != 0)) {
1145                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1146                return -EINVAL;
1147        }
1148
1149        put_unaligned_be32(curlun->num_sectors - 1, &buf[0]);
1150                                                /* Max logical block */
1151        put_unaligned_be32(curlun->blksize, &buf[4]);/* Block length */
1152        return 8;
1153}
1154
1155static int do_read_header(struct fsg_common *common, struct fsg_buffhd *bh)
1156{
1157        struct fsg_lun  *curlun = common->curlun;
1158        int             msf = common->cmnd[1] & 0x02;
1159        u32             lba = get_unaligned_be32(&common->cmnd[2]);
1160        u8              *buf = (u8 *)bh->buf;
1161
1162        if (common->cmnd[1] & ~0x02) {          /* Mask away MSF */
1163                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1164                return -EINVAL;
1165        }
1166        if (lba >= curlun->num_sectors) {
1167                curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
1168                return -EINVAL;
1169        }
1170
1171        memset(buf, 0, 8);
1172        buf[0] = 0x01;          /* 2048 bytes of user data, rest is EC */
1173        store_cdrom_address(&buf[4], msf, lba);
1174        return 8;
1175}
1176
1177static int do_read_toc(struct fsg_common *common, struct fsg_buffhd *bh)
1178{
1179        struct fsg_lun  *curlun = common->curlun;
1180        int             msf = common->cmnd[1] & 0x02;
1181        int             start_track = common->cmnd[6];
1182        u8              *buf = (u8 *)bh->buf;
1183
1184        if ((common->cmnd[1] & ~0x02) != 0 ||   /* Mask away MSF */
1185                        start_track > 1) {
1186                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1187                return -EINVAL;
1188        }
1189
1190        memset(buf, 0, 20);
1191        buf[1] = (20-2);                /* TOC data length */
1192        buf[2] = 1;                     /* First track number */
1193        buf[3] = 1;                     /* Last track number */
1194        buf[5] = 0x16;                  /* Data track, copying allowed */
1195        buf[6] = 0x01;                  /* Only track is number 1 */
1196        store_cdrom_address(&buf[8], msf, 0);
1197
1198        buf[13] = 0x16;                 /* Lead-out track is data */
1199        buf[14] = 0xAA;                 /* Lead-out track number */
1200        store_cdrom_address(&buf[16], msf, curlun->num_sectors);
1201        return 20;
1202}
1203
1204static int do_mode_sense(struct fsg_common *common, struct fsg_buffhd *bh)
1205{
1206        struct fsg_lun  *curlun = common->curlun;
1207        int             mscmnd = common->cmnd[0];
1208        u8              *buf = (u8 *) bh->buf;
1209        u8              *buf0 = buf;
1210        int             pc, page_code;
1211        int             changeable_values, all_pages;
1212        int             valid_page = 0;
1213        int             len, limit;
1214
1215        if ((common->cmnd[1] & ~0x08) != 0) {   /* Mask away DBD */
1216                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1217                return -EINVAL;
1218        }
1219        pc = common->cmnd[2] >> 6;
1220        page_code = common->cmnd[2] & 0x3f;
1221        if (pc == 3) {
1222                curlun->sense_data = SS_SAVING_PARAMETERS_NOT_SUPPORTED;
1223                return -EINVAL;
1224        }
1225        changeable_values = (pc == 1);
1226        all_pages = (page_code == 0x3f);
1227
1228        /*
1229         * Write the mode parameter header.  Fixed values are: default
1230         * medium type, no cache control (DPOFUA), and no block descriptors.
1231         * The only variable value is the WriteProtect bit.  We will fill in
1232         * the mode data length later.
1233         */
1234        memset(buf, 0, 8);
1235        if (mscmnd == MODE_SENSE) {
1236                buf[2] = (curlun->ro ? 0x80 : 0x00);            /* WP, DPOFUA */
1237                buf += 4;
1238                limit = 255;
1239        } else {                        /* MODE_SENSE_10 */
1240                buf[3] = (curlun->ro ? 0x80 : 0x00);            /* WP, DPOFUA */
1241                buf += 8;
1242                limit = 65535;          /* Should really be FSG_BUFLEN */
1243        }
1244
1245        /* No block descriptors */
1246
1247        /*
1248         * The mode pages, in numerical order.  The only page we support
1249         * is the Caching page.
1250         */
1251        if (page_code == 0x08 || all_pages) {
1252                valid_page = 1;
1253                buf[0] = 0x08;          /* Page code */
1254                buf[1] = 10;            /* Page length */
1255                memset(buf+2, 0, 10);   /* None of the fields are changeable */
1256
1257                if (!changeable_values) {
1258                        buf[2] = 0x04;  /* Write cache enable, */
1259                                        /* Read cache not disabled */
1260                                        /* No cache retention priorities */
1261                        put_unaligned_be16(0xffff, &buf[4]);
1262                                        /* Don't disable prefetch */
1263                                        /* Minimum prefetch = 0 */
1264                        put_unaligned_be16(0xffff, &buf[8]);
1265                                        /* Maximum prefetch */
1266                        put_unaligned_be16(0xffff, &buf[10]);
1267                                        /* Maximum prefetch ceiling */
1268                }
1269                buf += 12;
1270        }
1271
1272        /*
1273         * Check that a valid page was requested and the mode data length
1274         * isn't too long.
1275         */
1276        len = buf - buf0;
1277        if (!valid_page || len > limit) {
1278                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1279                return -EINVAL;
1280        }
1281
1282        /*  Store the mode data length */
1283        if (mscmnd == MODE_SENSE)
1284                buf0[0] = len - 1;
1285        else
1286                put_unaligned_be16(len - 2, buf0);
1287        return len;
1288}
1289
1290static int do_start_stop(struct fsg_common *common)
1291{
1292        struct fsg_lun  *curlun = common->curlun;
1293        int             loej, start;
1294
1295        if (!curlun) {
1296                return -EINVAL;
1297        } else if (!curlun->removable) {
1298                curlun->sense_data = SS_INVALID_COMMAND;
1299                return -EINVAL;
1300        } else if ((common->cmnd[1] & ~0x01) != 0 || /* Mask away Immed */
1301                   (common->cmnd[4] & ~0x03) != 0) { /* Mask LoEj, Start */
1302                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1303                return -EINVAL;
1304        }
1305
1306        loej  = common->cmnd[4] & 0x02;
1307        start = common->cmnd[4] & 0x01;
1308
1309        /*
1310         * Our emulation doesn't support mounting; the medium is
1311         * available for use as soon as it is loaded.
1312         */
1313        if (start) {
1314                if (!fsg_lun_is_open(curlun)) {
1315                        curlun->sense_data = SS_MEDIUM_NOT_PRESENT;
1316                        return -EINVAL;
1317                }
1318                return 0;
1319        }
1320
1321        /* Are we allowed to unload the media? */
1322        if (curlun->prevent_medium_removal) {
1323                LDBG(curlun, "unload attempt prevented\n");
1324                curlun->sense_data = SS_MEDIUM_REMOVAL_PREVENTED;
1325                return -EINVAL;
1326        }
1327
1328        if (!loej)
1329                return 0;
1330
1331        up_read(&common->filesem);
1332        down_write(&common->filesem);
1333        fsg_lun_close(curlun);
1334        up_write(&common->filesem);
1335        down_read(&common->filesem);
1336
1337        return 0;
1338}
1339
1340static int do_prevent_allow(struct fsg_common *common)
1341{
1342        struct fsg_lun  *curlun = common->curlun;
1343        int             prevent;
1344
1345        if (!common->curlun) {
1346                return -EINVAL;
1347        } else if (!common->curlun->removable) {
1348                common->curlun->sense_data = SS_INVALID_COMMAND;
1349                return -EINVAL;
1350        }
1351
1352        prevent = common->cmnd[4] & 0x01;
1353        if ((common->cmnd[4] & ~0x01) != 0) {   /* Mask away Prevent */
1354                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1355                return -EINVAL;
1356        }
1357
1358        if (curlun->prevent_medium_removal && !prevent)
1359                fsg_lun_fsync_sub(curlun);
1360        curlun->prevent_medium_removal = prevent;
1361        return 0;
1362}
1363
1364static int do_read_format_capacities(struct fsg_common *common,
1365                        struct fsg_buffhd *bh)
1366{
1367        struct fsg_lun  *curlun = common->curlun;
1368        u8              *buf = (u8 *) bh->buf;
1369
1370        buf[0] = buf[1] = buf[2] = 0;
1371        buf[3] = 8;     /* Only the Current/Maximum Capacity Descriptor */
1372        buf += 4;
1373
1374        put_unaligned_be32(curlun->num_sectors, &buf[0]);
1375                                                /* Number of blocks */
1376        put_unaligned_be32(curlun->blksize, &buf[4]);/* Block length */
1377        buf[4] = 0x02;                          /* Current capacity */
1378        return 12;
1379}
1380
1381static int do_mode_select(struct fsg_common *common, struct fsg_buffhd *bh)
1382{
1383        struct fsg_lun  *curlun = common->curlun;
1384
1385        /* We don't support MODE SELECT */
1386        if (curlun)
1387                curlun->sense_data = SS_INVALID_COMMAND;
1388        return -EINVAL;
1389}
1390
1391
1392/*-------------------------------------------------------------------------*/
1393
1394static int halt_bulk_in_endpoint(struct fsg_dev *fsg)
1395{
1396        int     rc;
1397
1398        rc = fsg_set_halt(fsg, fsg->bulk_in);
1399        if (rc == -EAGAIN)
1400                VDBG(fsg, "delayed bulk-in endpoint halt\n");
1401        while (rc != 0) {
1402                if (rc != -EAGAIN) {
1403                        WARNING(fsg, "usb_ep_set_halt -> %d\n", rc);
1404                        rc = 0;
1405                        break;
1406                }
1407
1408                /* Wait for a short time and then try again */
1409                if (msleep_interruptible(100) != 0)
1410                        return -EINTR;
1411                rc = usb_ep_set_halt(fsg->bulk_in);
1412        }
1413        return rc;
1414}
1415
1416static int wedge_bulk_in_endpoint(struct fsg_dev *fsg)
1417{
1418        int     rc;
1419
1420        DBG(fsg, "bulk-in set wedge\n");
1421        rc = usb_ep_set_wedge(fsg->bulk_in);
1422        if (rc == -EAGAIN)
1423                VDBG(fsg, "delayed bulk-in endpoint wedge\n");
1424        while (rc != 0) {
1425                if (rc != -EAGAIN) {
1426                        WARNING(fsg, "usb_ep_set_wedge -> %d\n", rc);
1427                        rc = 0;
1428                        break;
1429                }
1430
1431                /* Wait for a short time and then try again */
1432                if (msleep_interruptible(100) != 0)
1433                        return -EINTR;
1434                rc = usb_ep_set_wedge(fsg->bulk_in);
1435        }
1436        return rc;
1437}
1438
1439static int throw_away_data(struct fsg_common *common)
1440{
1441        struct fsg_buffhd       *bh, *bh2;
1442        u32                     amount;
1443        int                     rc;
1444
1445        for (bh = common->next_buffhd_to_drain;
1446             bh->state != BUF_STATE_EMPTY || common->usb_amount_left > 0;
1447             bh = common->next_buffhd_to_drain) {
1448
1449                /* Try to submit another request if we need one */
1450                bh2 = common->next_buffhd_to_fill;
1451                if (bh2->state == BUF_STATE_EMPTY &&
1452                                common->usb_amount_left > 0) {
1453                        amount = min(common->usb_amount_left, FSG_BUFLEN);
1454
1455                        /*
1456                         * Except at the end of the transfer, amount will be
1457                         * equal to the buffer size, which is divisible by
1458                         * the bulk-out maxpacket size.
1459                         */
1460                        set_bulk_out_req_length(common, bh2, amount);
1461                        if (!start_out_transfer(common, bh2))
1462                                /* Dunno what to do if common->fsg is NULL */
1463                                return -EIO;
1464                        common->next_buffhd_to_fill = bh2->next;
1465                        common->usb_amount_left -= amount;
1466                        continue;
1467                }
1468
1469                /* Wait for the data to be received */
1470                rc = sleep_thread(common, false, bh);
1471                if (rc)
1472                        return rc;
1473
1474                /* Throw away the data in a filled buffer */
1475                bh->state = BUF_STATE_EMPTY;
1476                common->next_buffhd_to_drain = bh->next;
1477
1478                /* A short packet or an error ends everything */
1479                if (bh->outreq->actual < bh->bulk_out_intended_length ||
1480                                bh->outreq->status != 0) {
1481                        raise_exception(common, FSG_STATE_ABORT_BULK_OUT);
1482                        return -EINTR;
1483                }
1484        }
1485        return 0;
1486}
1487
1488static int finish_reply(struct fsg_common *common)
1489{
1490        struct fsg_buffhd       *bh = common->next_buffhd_to_fill;
1491        int                     rc = 0;
1492
1493        switch (common->data_dir) {
1494        case DATA_DIR_NONE:
1495                break;                  /* Nothing to send */
1496
1497        /*
1498         * If we don't know whether the host wants to read or write,
1499         * this must be CB or CBI with an unknown command.  We mustn't
1500         * try to send or receive any data.  So stall both bulk pipes
1501         * if we can and wait for a reset.
1502         */
1503        case DATA_DIR_UNKNOWN:
1504                if (!common->can_stall) {
1505                        /* Nothing */
1506                } else if (fsg_is_set(common)) {
1507                        fsg_set_halt(common->fsg, common->fsg->bulk_out);
1508                        rc = halt_bulk_in_endpoint(common->fsg);
1509                } else {
1510                        /* Don't know what to do if common->fsg is NULL */
1511                        rc = -EIO;
1512                }
1513                break;
1514
1515        /* All but the last buffer of data must have already been sent */
1516        case DATA_DIR_TO_HOST:
1517                if (common->data_size == 0) {
1518                        /* Nothing to send */
1519
1520                /* Don't know what to do if common->fsg is NULL */
1521                } else if (!fsg_is_set(common)) {
1522                        rc = -EIO;
1523
1524                /* If there's no residue, simply send the last buffer */
1525                } else if (common->residue == 0) {
1526                        bh->inreq->zero = 0;
1527                        if (!start_in_transfer(common, bh))
1528                                return -EIO;
1529                        common->next_buffhd_to_fill = bh->next;
1530
1531                /*
1532                 * For Bulk-only, mark the end of the data with a short
1533                 * packet.  If we are allowed to stall, halt the bulk-in
1534                 * endpoint.  (Note: This violates the Bulk-Only Transport
1535                 * specification, which requires us to pad the data if we
1536                 * don't halt the endpoint.  Presumably nobody will mind.)
1537                 */
1538                } else {
1539                        bh->inreq->zero = 1;
1540                        if (!start_in_transfer(common, bh))
1541                                rc = -EIO;
1542                        common->next_buffhd_to_fill = bh->next;
1543                        if (common->can_stall)
1544                                rc = halt_bulk_in_endpoint(common->fsg);
1545                }
1546                break;
1547
1548        /*
1549         * We have processed all we want from the data the host has sent.
1550         * There may still be outstanding bulk-out requests.
1551         */
1552        case DATA_DIR_FROM_HOST:
1553                if (common->residue == 0) {
1554                        /* Nothing to receive */
1555
1556                /* Did the host stop sending unexpectedly early? */
1557                } else if (common->short_packet_received) {
1558                        raise_exception(common, FSG_STATE_ABORT_BULK_OUT);
1559                        rc = -EINTR;
1560
1561                /*
1562                 * We haven't processed all the incoming data.  Even though
1563                 * we may be allowed to stall, doing so would cause a race.
1564                 * The controller may already have ACK'ed all the remaining
1565                 * bulk-out packets, in which case the host wouldn't see a
1566                 * STALL.  Not realizing the endpoint was halted, it wouldn't
1567                 * clear the halt -- leading to problems later on.
1568                 */
1569#if 0
1570                } else if (common->can_stall) {
1571                        if (fsg_is_set(common))
1572                                fsg_set_halt(common->fsg,
1573                                             common->fsg->bulk_out);
1574                        raise_exception(common, FSG_STATE_ABORT_BULK_OUT);
1575                        rc = -EINTR;
1576#endif
1577
1578                /*
1579                 * We can't stall.  Read in the excess data and throw it
1580                 * all away.
1581                 */
1582                } else {
1583                        rc = throw_away_data(common);
1584                }
1585                break;
1586        }
1587        return rc;
1588}
1589
1590static void send_status(struct fsg_common *common)
1591{
1592        struct fsg_lun          *curlun = common->curlun;
1593        struct fsg_buffhd       *bh;
1594        struct bulk_cs_wrap     *csw;
1595        int                     rc;
1596        u8                      status = US_BULK_STAT_OK;
1597        u32                     sd, sdinfo = 0;
1598
1599        /* Wait for the next buffer to become available */
1600        bh = common->next_buffhd_to_fill;
1601        rc = sleep_thread(common, false, bh);
1602        if (rc)
1603                return;
1604
1605        if (curlun) {
1606                sd = curlun->sense_data;
1607                sdinfo = curlun->sense_data_info;
1608        } else if (common->bad_lun_okay)
1609                sd = SS_NO_SENSE;
1610        else
1611                sd = SS_LOGICAL_UNIT_NOT_SUPPORTED;
1612
1613        if (common->phase_error) {
1614                DBG(common, "sending phase-error status\n");
1615                status = US_BULK_STAT_PHASE;
1616                sd = SS_INVALID_COMMAND;
1617        } else if (sd != SS_NO_SENSE) {
1618                DBG(common, "sending command-failure status\n");
1619                status = US_BULK_STAT_FAIL;
1620                VDBG(common, "  sense data: SK x%02x, ASC x%02x, ASCQ x%02x;"
1621                                "  info x%x\n",
1622                                SK(sd), ASC(sd), ASCQ(sd), sdinfo);
1623        }
1624
1625        /* Store and send the Bulk-only CSW */
1626        csw = (void *)bh->buf;
1627
1628        csw->Signature = cpu_to_le32(US_BULK_CS_SIGN);
1629        csw->Tag = common->tag;
1630        csw->Residue = cpu_to_le32(common->residue);
1631        csw->Status = status;
1632
1633        bh->inreq->length = US_BULK_CS_WRAP_LEN;
1634        bh->inreq->zero = 0;
1635        if (!start_in_transfer(common, bh))
1636                /* Don't know what to do if common->fsg is NULL */
1637                return;
1638
1639        common->next_buffhd_to_fill = bh->next;
1640        return;
1641}
1642
1643
1644/*-------------------------------------------------------------------------*/
1645
1646/*
1647 * Check whether the command is properly formed and whether its data size
1648 * and direction agree with the values we already have.
1649 */
1650static int check_command(struct fsg_common *common, int cmnd_size,
1651                         enum data_direction data_dir, unsigned int mask,
1652                         int needs_medium, const char *name)
1653{
1654        int                     i;
1655        unsigned int            lun = common->cmnd[1] >> 5;
1656        static const char       dirletter[4] = {'u', 'o', 'i', 'n'};
1657        char                    hdlen[20];
1658        struct fsg_lun          *curlun;
1659
1660        hdlen[0] = 0;
1661        if (common->data_dir != DATA_DIR_UNKNOWN)
1662                sprintf(hdlen, ", H%c=%u", dirletter[(int) common->data_dir],
1663                        common->data_size);
1664        VDBG(common, "SCSI command: %s;  Dc=%d, D%c=%u;  Hc=%d%s\n",
1665             name, cmnd_size, dirletter[(int) data_dir],
1666             common->data_size_from_cmnd, common->cmnd_size, hdlen);
1667
1668        /*
1669         * We can't reply at all until we know the correct data direction
1670         * and size.
1671         */
1672        if (common->data_size_from_cmnd == 0)
1673                data_dir = DATA_DIR_NONE;
1674        if (common->data_size < common->data_size_from_cmnd) {
1675                /*
1676                 * Host data size < Device data size is a phase error.
1677                 * Carry out the command, but only transfer as much as
1678                 * we are allowed.
1679                 */
1680                common->data_size_from_cmnd = common->data_size;
1681                common->phase_error = 1;
1682        }
1683        common->residue = common->data_size;
1684        common->usb_amount_left = common->data_size;
1685
1686        /* Conflicting data directions is a phase error */
1687        if (common->data_dir != data_dir && common->data_size_from_cmnd > 0) {
1688                common->phase_error = 1;
1689                return -EINVAL;
1690        }
1691
1692        /* Verify the length of the command itself */
1693        if (cmnd_size != common->cmnd_size) {
1694
1695                /*
1696                 * Special case workaround: There are plenty of buggy SCSI
1697                 * implementations. Many have issues with cbw->Length
1698                 * field passing a wrong command size. For those cases we
1699                 * always try to work around the problem by using the length
1700                 * sent by the host side provided it is at least as large
1701                 * as the correct command length.
1702                 * Examples of such cases would be MS-Windows, which issues
1703                 * REQUEST SENSE with cbw->Length == 12 where it should
1704                 * be 6, and xbox360 issuing INQUIRY, TEST UNIT READY and
1705                 * REQUEST SENSE with cbw->Length == 10 where it should
1706                 * be 6 as well.
1707                 */
1708                if (cmnd_size <= common->cmnd_size) {
1709                        DBG(common, "%s is buggy! Expected length %d "
1710                            "but we got %d\n", name,
1711                            cmnd_size, common->cmnd_size);
1712                        cmnd_size = common->cmnd_size;
1713                } else {
1714                        common->phase_error = 1;
1715                        return -EINVAL;
1716                }
1717        }
1718
1719        /* Check that the LUN values are consistent */
1720        if (common->lun != lun)
1721                DBG(common, "using LUN %u from CBW, not LUN %u from CDB\n",
1722                    common->lun, lun);
1723
1724        /* Check the LUN */
1725        curlun = common->curlun;
1726        if (curlun) {
1727                if (common->cmnd[0] != REQUEST_SENSE) {
1728                        curlun->sense_data = SS_NO_SENSE;
1729                        curlun->sense_data_info = 0;
1730                        curlun->info_valid = 0;
1731                }
1732        } else {
1733                common->bad_lun_okay = 0;
1734
1735                /*
1736                 * INQUIRY and REQUEST SENSE commands are explicitly allowed
1737                 * to use unsupported LUNs; all others may not.
1738                 */
1739                if (common->cmnd[0] != INQUIRY &&
1740                    common->cmnd[0] != REQUEST_SENSE) {
1741                        DBG(common, "unsupported LUN %u\n", common->lun);
1742                        return -EINVAL;
1743                }
1744        }
1745
1746        /*
1747         * If a unit attention condition exists, only INQUIRY and
1748         * REQUEST SENSE commands are allowed; anything else must fail.
1749         */
1750        if (curlun && curlun->unit_attention_data != SS_NO_SENSE &&
1751            common->cmnd[0] != INQUIRY &&
1752            common->cmnd[0] != REQUEST_SENSE) {
1753                curlun->sense_data = curlun->unit_attention_data;
1754                curlun->unit_attention_data = SS_NO_SENSE;
1755                return -EINVAL;
1756        }
1757
1758        /* Check that only command bytes listed in the mask are non-zero */
1759        common->cmnd[1] &= 0x1f;                        /* Mask away the LUN */
1760        for (i = 1; i < cmnd_size; ++i) {
1761                if (common->cmnd[i] && !(mask & (1 << i))) {
1762                        if (curlun)
1763                                curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1764                        return -EINVAL;
1765                }
1766        }
1767
1768        /* If the medium isn't mounted and the command needs to access
1769         * it, return an error. */
1770        if (curlun && !fsg_lun_is_open(curlun) && needs_medium) {
1771                curlun->sense_data = SS_MEDIUM_NOT_PRESENT;
1772                return -EINVAL;
1773        }
1774
1775        return 0;
1776}
1777
1778/* wrapper of check_command for data size in blocks handling */
1779static int check_command_size_in_blocks(struct fsg_common *common,
1780                int cmnd_size, enum data_direction data_dir,
1781                unsigned int mask, int needs_medium, const char *name)
1782{
1783        if (common->curlun)
1784                common->data_size_from_cmnd <<= common->curlun->blkbits;
1785        return check_command(common, cmnd_size, data_dir,
1786                        mask, needs_medium, name);
1787}
1788
1789static int do_scsi_command(struct fsg_common *common)
1790{
1791        struct fsg_buffhd       *bh;
1792        int                     rc;
1793        int                     reply = -EINVAL;
1794        int                     i;
1795        static char             unknown[16];
1796
1797        dump_cdb(common);
1798
1799        /* Wait for the next buffer to become available for data or status */
1800        bh = common->next_buffhd_to_fill;
1801        common->next_buffhd_to_drain = bh;
1802        rc = sleep_thread(common, false, bh);
1803        if (rc)
1804                return rc;
1805
1806        common->phase_error = 0;
1807        common->short_packet_received = 0;
1808
1809        down_read(&common->filesem);    /* We're using the backing file */
1810        switch (common->cmnd[0]) {
1811
1812        case INQUIRY:
1813                common->data_size_from_cmnd = common->cmnd[4];
1814                reply = check_command(common, 6, DATA_DIR_TO_HOST,
1815                                      (1<<4), 0,
1816                                      "INQUIRY");
1817                if (reply == 0)
1818                        reply = do_inquiry(common, bh);
1819                break;
1820
1821        case MODE_SELECT:
1822                common->data_size_from_cmnd = common->cmnd[4];
1823                reply = check_command(common, 6, DATA_DIR_FROM_HOST,
1824                                      (1<<1) | (1<<4), 0,
1825                                      "MODE SELECT(6)");
1826                if (reply == 0)
1827                        reply = do_mode_select(common, bh);
1828                break;
1829
1830        case MODE_SELECT_10:
1831                common->data_size_from_cmnd =
1832                        get_unaligned_be16(&common->cmnd[7]);
1833                reply = check_command(common, 10, DATA_DIR_FROM_HOST,
1834                                      (1<<1) | (3<<7), 0,
1835                                      "MODE SELECT(10)");
1836                if (reply == 0)
1837                        reply = do_mode_select(common, bh);
1838                break;
1839
1840        case MODE_SENSE:
1841                common->data_size_from_cmnd = common->cmnd[4];
1842                reply = check_command(common, 6, DATA_DIR_TO_HOST,
1843                                      (1<<1) | (1<<2) | (1<<4), 0,
1844                                      "MODE SENSE(6)");
1845                if (reply == 0)
1846                        reply = do_mode_sense(common, bh);
1847                break;
1848
1849        case MODE_SENSE_10:
1850                common->data_size_from_cmnd =
1851                        get_unaligned_be16(&common->cmnd[7]);
1852                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1853                                      (1<<1) | (1<<2) | (3<<7), 0,
1854                                      "MODE SENSE(10)");
1855                if (reply == 0)
1856                        reply = do_mode_sense(common, bh);
1857                break;
1858
1859        case ALLOW_MEDIUM_REMOVAL:
1860                common->data_size_from_cmnd = 0;
1861                reply = check_command(common, 6, DATA_DIR_NONE,
1862                                      (1<<4), 0,
1863                                      "PREVENT-ALLOW MEDIUM REMOVAL");
1864                if (reply == 0)
1865                        reply = do_prevent_allow(common);
1866                break;
1867
1868        case READ_6:
1869                i = common->cmnd[4];
1870                common->data_size_from_cmnd = (i == 0) ? 256 : i;
1871                reply = check_command_size_in_blocks(common, 6,
1872                                      DATA_DIR_TO_HOST,
1873                                      (7<<1) | (1<<4), 1,
1874                                      "READ(6)");
1875                if (reply == 0)
1876                        reply = do_read(common);
1877                break;
1878
1879        case READ_10:
1880                common->data_size_from_cmnd =
1881                                get_unaligned_be16(&common->cmnd[7]);
1882                reply = check_command_size_in_blocks(common, 10,
1883                                      DATA_DIR_TO_HOST,
1884                                      (1<<1) | (0xf<<2) | (3<<7), 1,
1885                                      "READ(10)");
1886                if (reply == 0)
1887                        reply = do_read(common);
1888                break;
1889
1890        case READ_12:
1891                common->data_size_from_cmnd =
1892                                get_unaligned_be32(&common->cmnd[6]);
1893                reply = check_command_size_in_blocks(common, 12,
1894                                      DATA_DIR_TO_HOST,
1895                                      (1<<1) | (0xf<<2) | (0xf<<6), 1,
1896                                      "READ(12)");
1897                if (reply == 0)
1898                        reply = do_read(common);
1899                break;
1900
1901        case READ_CAPACITY:
1902                common->data_size_from_cmnd = 8;
1903                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1904                                      (0xf<<2) | (1<<8), 1,
1905                                      "READ CAPACITY");
1906                if (reply == 0)
1907                        reply = do_read_capacity(common, bh);
1908                break;
1909
1910        case READ_HEADER:
1911                if (!common->curlun || !common->curlun->cdrom)
1912                        goto unknown_cmnd;
1913                common->data_size_from_cmnd =
1914                        get_unaligned_be16(&common->cmnd[7]);
1915                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1916                                      (3<<7) | (0x1f<<1), 1,
1917                                      "READ HEADER");
1918                if (reply == 0)
1919                        reply = do_read_header(common, bh);
1920                break;
1921
1922        case READ_TOC:
1923                if (!common->curlun || !common->curlun->cdrom)
1924                        goto unknown_cmnd;
1925                common->data_size_from_cmnd =
1926                        get_unaligned_be16(&common->cmnd[7]);
1927                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1928                                      (7<<6) | (1<<1), 1,
1929                                      "READ TOC");
1930                if (reply == 0)
1931                        reply = do_read_toc(common, bh);
1932                break;
1933
1934        case READ_FORMAT_CAPACITIES:
1935                common->data_size_from_cmnd =
1936                        get_unaligned_be16(&common->cmnd[7]);
1937                reply = check_command(common, 10, DATA_DIR_TO_HOST,
1938                                      (3<<7), 1,
1939                                      "READ FORMAT CAPACITIES");
1940                if (reply == 0)
1941                        reply = do_read_format_capacities(common, bh);
1942                break;
1943
1944        case REQUEST_SENSE:
1945                common->data_size_from_cmnd = common->cmnd[4];
1946                reply = check_command(common, 6, DATA_DIR_TO_HOST,
1947                                      (1<<4), 0,
1948                                      "REQUEST SENSE");
1949                if (reply == 0)
1950                        reply = do_request_sense(common, bh);
1951                break;
1952
1953        case START_STOP:
1954                common->data_size_from_cmnd = 0;
1955                reply = check_command(common, 6, DATA_DIR_NONE,
1956                                      (1<<1) | (1<<4), 0,
1957                                      "START-STOP UNIT");
1958                if (reply == 0)
1959                        reply = do_start_stop(common);
1960                break;
1961
1962        case SYNCHRONIZE_CACHE:
1963                common->data_size_from_cmnd = 0;
1964                reply = check_command(common, 10, DATA_DIR_NONE,
1965                                      (0xf<<2) | (3<<7), 1,
1966                                      "SYNCHRONIZE CACHE");
1967                if (reply == 0)
1968                        reply = do_synchronize_cache(common);
1969                break;
1970
1971        case TEST_UNIT_READY:
1972                common->data_size_from_cmnd = 0;
1973                reply = check_command(common, 6, DATA_DIR_NONE,
1974                                0, 1,
1975                                "TEST UNIT READY");
1976                break;
1977
1978        /*
1979         * Although optional, this command is used by MS-Windows.  We
1980         * support a minimal version: BytChk must be 0.
1981         */
1982        case VERIFY:
1983                common->data_size_from_cmnd = 0;
1984                reply = check_command(common, 10, DATA_DIR_NONE,
1985                                      (1<<1) | (0xf<<2) | (3<<7), 1,
1986                                      "VERIFY");
1987                if (reply == 0)
1988                        reply = do_verify(common);
1989                break;
1990
1991        case WRITE_6:
1992                i = common->cmnd[4];
1993                common->data_size_from_cmnd = (i == 0) ? 256 : i;
1994                reply = check_command_size_in_blocks(common, 6,
1995                                      DATA_DIR_FROM_HOST,
1996                                      (7<<1) | (1<<4), 1,
1997                                      "WRITE(6)");
1998                if (reply == 0)
1999                        reply = do_write(common);
2000                break;

2001
2002        case WRITE_10:
2003                common->data_size_from_cmnd =
2004                                get_unaligned_be16(&common->cmnd[7]);
2005                reply = check_command_size_in_blocks(common, 10,
2006                                      DATA_DIR_FROM_HOST,
2007                                      (1<<1) | (0xf<<2) | (3<<7), 1,
2008                                      "WRITE(10)");
2009                if (reply == 0)
2010                        reply = do_write(common);
2011                break;
2012
2013        case WRITE_12:
2014                common->data_size_from_cmnd =
2015                                get_unaligned_be32(&common->cmnd[6]);
2016                reply = check_command_size_in_blocks(common, 12,
2017                                      DATA_DIR_FROM_HOST,
2018                                      (1<<1) | (0xf<<2) | (0xf<<6), 1,
2019                                      "WRITE(12)");
2020                if (reply == 0)
2021                        reply = do_write(common);
2022                break;
2023
2024        /*
2025         * Some mandatory commands that we recognize but don't implement.
2026         * They don't mean much in this setting.  It's left as an exercise
2027         * for anyone interested to implement RESERVE and RELEASE in terms
2028         * of Posix locks.
2029         */
2030        case FORMAT_UNIT:
2031        case RELEASE:
2032        case RESERVE:
2033        case SEND_DIAGNOSTIC:
2034                /* Fall through */
2035
2036        default:
2037unknown_cmnd:
2038                common->data_size_from_cmnd = 0;
2039                sprintf(unknown, "Unknown x%02x", common->cmnd[0]);
2040                reply = check_command(common, common->cmnd_size,
2041                                      DATA_DIR_UNKNOWN, ~0, 0, unknown);
2042                if (reply == 0) {
2043                        common->curlun->sense_data = SS_INVALID_COMMAND;
2044                        reply = -EINVAL;
2045                }
2046                break;
2047        }
2048        up_read(&common->filesem);
2049
2050        if (reply == -EINTR || signal_pending(current))
2051                return -EINTR;
2052
2053        /* Set up the single reply buffer for finish_reply() */
2054        if (reply == -EINVAL)
2055                reply = 0;              /* Error reply length */
2056        if (reply >= 0 && common->data_dir == DATA_DIR_TO_HOST) {
2057                reply = min((u32)reply, common->data_size_from_cmnd);
2058                bh->inreq->length = reply;
2059                bh->state = BUF_STATE_FULL;
2060                common->residue -= reply;
2061        }                               /* Otherwise it's already set */
2062
2063        return 0;
2064}
2065
2066
2067/*-------------------------------------------------------------------------*/
2068
2069static int received_cbw(struct fsg_dev *fsg, struct fsg_buffhd *bh)
2070{
2071        struct usb_request      *req = bh->outreq;
2072        struct bulk_cb_wrap     *cbw = req->buf;
2073        struct fsg_common       *common = fsg->common;
2074
2075        /* Was this a real packet?  Should it be ignored? */
2076        if (req->status || test_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags))
2077                return -EINVAL;
2078
2079        /* Is the CBW valid? */
2080        if (req->actual != US_BULK_CB_WRAP_LEN ||
2081                        cbw->Signature != cpu_to_le32(
2082                                US_BULK_CB_SIGN)) {
2083                DBG(fsg, "invalid CBW: len %u sig 0x%x\n",
2084                                req->actual,
2085                                le32_to_cpu(cbw->Signature));
2086
2087                /*
2088                 * The Bulk-only spec says we MUST stall the IN endpoint
2089                 * (6.6.1), so it's unavoidable.  It also says we must
2090                 * retain this state until the next reset, but there's
2091                 * no way to tell the controller driver it should ignore
2092                 * Clear-Feature(HALT) requests.
2093                 *
2094                 * We aren't required to halt the OUT endpoint; instead
2095                 * we can simply accept and discard any data received
2096                 * until the next reset.
2097                 */
2098                wedge_bulk_in_endpoint(fsg);
2099                set_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags);
2100                return -EINVAL;
2101        }
2102
2103        /* Is the CBW meaningful? */
2104        if (cbw->Lun >= ARRAY_SIZE(common->luns) ||
2105            cbw->Flags & ~US_BULK_FLAG_IN || cbw->Length <= 0 ||
2106            cbw->Length > MAX_COMMAND_SIZE) {
2107                DBG(fsg, "non-meaningful CBW: lun = %u, flags = 0x%x, "
2108                                "cmdlen %u\n",
2109                                cbw->Lun, cbw->Flags, cbw->Length);
2110
2111                /*
2112                 * We can do anything we want here, so let's stall the
2113                 * bulk pipes if we are allowed to.
2114                 */
2115                if (common->can_stall) {
2116                        fsg_set_halt(fsg, fsg->bulk_out);
2117                        halt_bulk_in_endpoint(fsg);
2118                }
2119                return -EINVAL;
2120        }
2121
2122        /* Save the command for later */
2123        common->cmnd_size = cbw->Length;
2124        memcpy(common->cmnd, cbw->CDB, common->cmnd_size);
2125        if (cbw->Flags & US_BULK_FLAG_IN)
2126                common->data_dir = DATA_DIR_TO_HOST;
2127        else
2128                common->data_dir = DATA_DIR_FROM_HOST;
2129        common->data_size = le32_to_cpu(cbw->DataTransferLength);
2130        if (common->data_size == 0)
2131                common->data_dir = DATA_DIR_NONE;
2132        common->lun = cbw->Lun;
2133        if (common->lun < ARRAY_SIZE(common->luns))
2134                common->curlun = common->luns[common->lun];
2135        else
2136                common->curlun = NULL;
2137        common->tag = cbw->Tag;
2138        return 0;
2139}
2140
2141static int get_next_command(struct fsg_common *common)
2142{
2143        struct fsg_buffhd       *bh;
2144        int                     rc = 0;
2145
2146        /* Wait for the next buffer to become available */
2147        bh = common->next_buffhd_to_fill;
2148        rc = sleep_thread(common, true, bh);
2149        if (rc)
2150                return rc;
2151
2152        /* Queue a request to read a Bulk-only CBW */
2153        set_bulk_out_req_length(common, bh, US_BULK_CB_WRAP_LEN);
2154        if (!start_out_transfer(common, bh))
2155                /* Don't know what to do if common->fsg is NULL */
2156                return -EIO;
2157
2158        /*
2159         * We will drain the buffer in software, which means we
2160         * can reuse it for the next filling.  No need to advance
2161         * next_buffhd_to_fill.
2162         */
2163
2164        /* Wait for the CBW to arrive */
2165        rc = sleep_thread(common, true, bh);
2166        if (rc)
2167                return rc;
2168
2169        rc = fsg_is_set(common) ? received_cbw(common->fsg, bh) : -EIO;
2170        bh->state = BUF_STATE_EMPTY;
2171
2172        return rc;
2173}
2174
2175
2176/*-------------------------------------------------------------------------*/
2177
2178static int alloc_request(struct fsg_common *common, struct usb_ep *ep,
2179                struct usb_request **preq)
2180{
2181        *preq = usb_ep_alloc_request(ep, GFP_ATOMIC);
2182        if (*preq)
2183                return 0;
2184        ERROR(common, "can't allocate request for %s\n", ep->name);
2185        return -ENOMEM;
2186}
2187
2188/* Reset interface setting and re-init endpoint state (toggle etc). */
2189static int do_set_interface(struct fsg_common *common, struct fsg_dev *new_fsg)
2190{
2191        struct fsg_dev *fsg;
2192        int i, rc = 0;
2193
2194        if (common->running)
2195                DBG(common, "reset interface\n");
2196
2197reset:
2198        /* Deallocate the requests */
2199        if (common->fsg) {
2200                fsg = common->fsg;
2201
2202                for (i = 0; i < common->fsg_num_buffers; ++i) {
2203                        struct fsg_buffhd *bh = &common->buffhds[i];
2204
2205                        if (bh->inreq) {
2206                                usb_ep_free_request(fsg->bulk_in, bh->inreq);
2207                                bh->inreq = NULL;
2208                        }
2209                        if (bh->outreq) {
2210                                usb_ep_free_request(fsg->bulk_out, bh->outreq);
2211                                bh->outreq = NULL;
2212                        }
2213                }
2214
2215                /* Disable the endpoints */
2216                if (fsg->bulk_in_enabled) {
2217                        usb_ep_disable(fsg->bulk_in);
2218                        fsg->bulk_in_enabled = 0;
2219                }
2220                if (fsg->bulk_out_enabled) {
2221                        usb_ep_disable(fsg->bulk_out);
2222                        fsg->bulk_out_enabled = 0;
2223                }
2224
2225                common->fsg = NULL;
2226                wake_up(&common->fsg_wait);
2227        }
2228
2229        common->running = 0;
2230        if (!new_fsg || rc)
2231                return rc;
2232
2233        common->fsg = new_fsg;
2234        fsg = common->fsg;
2235
2236        /* Enable the endpoints */
2237        rc = config_ep_by_speed(common->gadget, &(fsg->function), fsg->bulk_in);
2238        if (rc)
2239                goto reset;
2240        rc = usb_ep_enable(fsg->bulk_in);
2241        if (rc)
2242                goto reset;
2243        fsg->bulk_in->driver_data = common;
2244        fsg->bulk_in_enabled = 1;
2245
2246        rc = config_ep_by_speed(common->gadget, &(fsg->function),
2247                                fsg->bulk_out);
2248        if (rc)
2249                goto reset;
2250        rc = usb_ep_enable(fsg->bulk_out);
2251        if (rc)
2252                goto reset;
2253        fsg->bulk_out->driver_data = common;
2254        fsg->bulk_out_enabled = 1;
2255        common->bulk_out_maxpacket = usb_endpoint_maxp(fsg->bulk_out->desc);
2256        clear_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags);
2257
2258        /* Allocate the requests */
2259        for (i = 0; i < common->fsg_num_buffers; ++i) {
2260                struct fsg_buffhd       *bh = &common->buffhds[i];
2261
2262                rc = alloc_request(common, fsg->bulk_in, &bh->inreq);
2263                if (rc)
2264                        goto reset;
2265                rc = alloc_request(common, fsg->bulk_out, &bh->outreq);
2266                if (rc)
2267                        goto reset;
2268                bh->inreq->buf = bh->outreq->buf = bh->buf;
2269                bh->inreq->context = bh->outreq->context = bh;
2270                bh->inreq->complete = bulk_in_complete;
2271                bh->outreq->complete = bulk_out_complete;
2272        }
2273
2274        common->running = 1;
2275        for (i = 0; i < ARRAY_SIZE(common->luns); ++i)
2276                if (common->luns[i])
2277                        common->luns[i]->unit_attention_data =
2278                                SS_RESET_OCCURRED;
2279        return rc;
2280}
2281
2282
2283/****************************** ALT CONFIGS ******************************/
2284
2285static int fsg_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
2286{
2287        struct fsg_dev *fsg = fsg_from_func(f);
2288        fsg->common->new_fsg = fsg;
2289        raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE);
2290        return USB_GADGET_DELAYED_STATUS;
2291}
2292
2293static void fsg_disable(struct usb_function *f)
2294{
2295        struct fsg_dev *fsg = fsg_from_func(f);
2296        fsg->common->new_fsg = NULL;
2297        raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE);
2298}
2299
2300
2301/*-------------------------------------------------------------------------*/
2302
2303static void handle_exception(struct fsg_common *common)
2304{
2305        int                     i;
2306        struct fsg_buffhd       *bh;
2307        enum fsg_state          old_state;
2308        struct fsg_lun          *curlun;
2309        unsigned int            exception_req_tag;
2310
2311        /*
2312         * Clear the existing signals.  Anything but SIGUSR1 is converted
2313         * into a high-priority EXIT exception.
2314         */
2315        for (;;) {
2316                int sig = kernel_dequeue_signal(NULL);
2317                if (!sig)
2318                        break;
2319                if (sig != SIGUSR1) {
2320                        spin_lock_irq(&common->lock);
2321                        if (common->state < FSG_STATE_EXIT)
2322                                DBG(common, "Main thread exiting on signal\n");
2323                        common->state = FSG_STATE_EXIT;
2324                        spin_unlock_irq(&common->lock);
2325                }
2326        }
2327
2328        /* Cancel all the pending transfers */
2329        if (likely(common->fsg)) {
2330                for (i = 0; i < common->fsg_num_buffers; ++i) {
2331                        bh = &common->buffhds[i];
2332                        if (bh->state == BUF_STATE_SENDING)
2333                                usb_ep_dequeue(common->fsg->bulk_in, bh->inreq);
2334                        if (bh->state == BUF_STATE_RECEIVING)
2335                                usb_ep_dequeue(common->fsg->bulk_out,
2336                                               bh->outreq);
2337
2338                        /* Wait for a transfer to become idle */
2339                        if (sleep_thread(common, false, bh))
2340                                return;
2341                }
2342
2343                /* Clear out the controller's fifos */
2344                if (common->fsg->bulk_in_enabled)
2345                        usb_ep_fifo_flush(common->fsg->bulk_in);
2346                if (common->fsg->bulk_out_enabled)
2347                        usb_ep_fifo_flush(common->fsg->bulk_out);
2348        }
2349
2350        /*
2351         * Reset the I/O buffer states and pointers, the SCSI
2352         * state, and the exception.  Then invoke the handler.
2353         */
2354        spin_lock_irq(&common->lock);
2355
2356        for (i = 0; i < common->fsg_num_buffers; ++i) {
2357                bh = &common->buffhds[i];
2358                bh->state = BUF_STATE_EMPTY;
2359        }
2360        common->next_buffhd_to_fill = &common->buffhds[0];
2361        common->next_buffhd_to_drain = &common->buffhds[0];
2362        exception_req_tag = common->exception_req_tag;
2363        old_state = common->state;
2364        common->state = FSG_STATE_NORMAL;
2365
2366        if (old_state != FSG_STATE_ABORT_BULK_OUT) {
2367                for (i = 0; i < ARRAY_SIZE(common->luns); ++i) {
2368                        curlun = common->luns[i];
2369                        if (!curlun)
2370                                continue;
2371                        curlun->prevent_medium_removal = 0;
2372                        curlun->sense_data = SS_NO_SENSE;
2373                        curlun->unit_attention_data = SS_NO_SENSE;
2374                        curlun->sense_data_info = 0;
2375                        curlun->info_valid = 0;
2376                }
2377        }
2378        spin_unlock_irq(&common->lock);
2379
2380        /* Carry out any extra actions required for the exception */
2381        switch (old_state) {
2382        case FSG_STATE_NORMAL:
2383                break;
2384
2385        case FSG_STATE_ABORT_BULK_OUT:
2386                send_status(common);
2387                break;
2388
2389        case FSG_STATE_PROTOCOL_RESET:
2390                /*
2391                 * In case we were forced against our will to halt a
2392                 * bulk endpoint, clear the halt now.  (The SuperH UDC
2393                 * requires this.)
2394                 */
2395                if (!fsg_is_set(common))
2396                        break;
2397                if (test_and_clear_bit(IGNORE_BULK_OUT,
2398                                       &common->fsg->atomic_bitflags))
2399                        usb_ep_clear_halt(common->fsg->bulk_in);
2400
2401                if (common->ep0_req_tag == exception_req_tag)
2402                        ep0_queue(common);      /* Complete the status stage */
2403
2404                /*
2405                 * Technically this should go here, but it would only be
2406                 * a waste of time.  Ditto for the INTERFACE_CHANGE and
2407                 * CONFIG_CHANGE cases.
2408                 */
2409                /* for (i = 0; i < common->ARRAY_SIZE(common->luns); ++i) */
2410                /*      if (common->luns[i]) */
2411                /*              common->luns[i]->unit_attention_data = */
2412                /*                      SS_RESET_OCCURRED;  */
2413                break;
2414
2415        case FSG_STATE_CONFIG_CHANGE:
2416                do_set_interface(common, common->new_fsg);
2417                if (common->new_fsg)
2418                        usb_composite_setup_continue(common->cdev);
2419                break;
2420
2421        case FSG_STATE_EXIT:
2422                do_set_interface(common, NULL);         /* Free resources */
2423                spin_lock_irq(&common->lock);
2424                common->state = FSG_STATE_TERMINATED;   /* Stop the thread */
2425                spin_unlock_irq(&common->lock);
2426                break;
2427
2428        case FSG_STATE_TERMINATED:
2429                break;
2430        }
2431}
2432
2433
2434/*-------------------------------------------------------------------------*/
2435
2436static int fsg_main_thread(void *common_)
2437{
2438        struct fsg_common       *common = common_;
2439        int                     i;
2440
2441        /*
2442         * Allow the thread to be killed by a signal, but set the signal mask
2443         * to block everything but INT, TERM, KILL, and USR1.
2444         */
2445        allow_signal(SIGINT);
2446        allow_signal(SIGTERM);
2447        allow_signal(SIGKILL);
2448        allow_signal(SIGUSR1);
2449
2450        /* Allow the thread to be frozen */
2451        set_freezable();
2452
2453        /* The main loop */
2454        while (common->state != FSG_STATE_TERMINATED) {
2455                if (exception_in_progress(common) || signal_pending(current)) {
2456                        handle_exception(common);
2457                        continue;
2458                }
2459
2460                if (!common->running) {
2461                        sleep_thread(common, true, NULL);
2462                        continue;
2463                }
2464
2465                if (get_next_command(common) || exception_in_progress(common))
2466                        continue;
2467                if (do_scsi_command(common) || exception_in_progress(common))
2468                        continue;
2469                if (finish_reply(common) || exception_in_progress(common))
2470                        continue;
2471                send_status(common);
2472        }
2473
2474        spin_lock_irq(&common->lock);
2475        common->thread_task = NULL;
2476        spin_unlock_irq(&common->lock);
2477
2478        /* Eject media from all LUNs */
2479
2480        down_write(&common->filesem);
2481        for (i = 0; i < ARRAY_SIZE(common->luns); i++) {
2482                struct fsg_lun *curlun = common->luns[i];
2483
2484                if (curlun && fsg_lun_is_open(curlun))
2485                        fsg_lun_close(curlun);
2486        }
2487        up_write(&common->filesem);
2488
2489        /* Let fsg_unbind() know the thread has exited */
2490        complete_and_exit(&common->thread_notifier, 0);
2491}
2492
2493
2494/*************************** DEVICE ATTRIBUTES ***************************/
2495
2496static ssize_t ro_show(struct device *dev, struct device_attribute *attr, char *buf)
2497{
2498        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2499
2500        return fsg_show_ro(curlun, buf);
2501}
2502
2503static ssize_t nofua_show(struct device *dev, struct device_attribute *attr,
2504                          char *buf)
2505{
2506        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2507
2508        return fsg_show_nofua(curlun, buf);
2509}
2510
2511static ssize_t file_show(struct device *dev, struct device_attribute *attr,
2512                         char *buf)
2513{
2514        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2515        struct rw_semaphore     *filesem = dev_get_drvdata(dev);
2516
2517        return fsg_show_file(curlun, filesem, buf);
2518}
2519
2520static ssize_t ro_store(struct device *dev, struct device_attribute *attr,
2521                        const char *buf, size_t count)
2522{
2523        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2524        struct rw_semaphore     *filesem = dev_get_drvdata(dev);
2525
2526        return fsg_store_ro(curlun, filesem, buf, count);
2527}
2528
2529static ssize_t nofua_store(struct device *dev, struct device_attribute *attr,
2530                           const char *buf, size_t count)
2531{
2532        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2533
2534        return fsg_store_nofua(curlun, buf, count);
2535}
2536
2537static ssize_t file_store(struct device *dev, struct device_attribute *attr,
2538                          const char *buf, size_t count)
2539{
2540        struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2541        struct rw_semaphore     *filesem = dev_get_drvdata(dev);
2542
2543        return fsg_store_file(curlun, filesem, buf, count);
2544}
2545
2546static DEVICE_ATTR_RW(nofua);
2547/* mode wil be set in fsg_lun_attr_is_visible() */
2548static DEVICE_ATTR(ro, 0, ro_show, ro_store);
2549static DEVICE_ATTR(file, 0, file_show, file_store);
2550
2551/****************************** FSG COMMON ******************************/
2552
2553static void fsg_lun_release(struct device *dev)
2554{
2555        /* Nothing needs to be done */
2556}
2557
2558static struct fsg_common *fsg_common_setup(struct fsg_common *common)
2559{
2560        if (!common) {
2561                common = kzalloc(sizeof(*common), GFP_KERNEL);
2562                if (!common)
2563                        return ERR_PTR(-ENOMEM);
2564                common->free_storage_on_release = 1;
2565        } else {
2566                common->free_storage_on_release = 0;
2567        }
2568        init_rwsem(&common->filesem);
2569        spin_lock_init(&common->lock);
2570        init_completion(&common->thread_notifier);
2571        init_waitqueue_head(&common->io_wait);
2572        init_waitqueue_head(&common->fsg_wait);
2573        common->state = FSG_STATE_TERMINATED;
2574        memset(common->luns, 0, sizeof(common->luns));
2575
2576        return common;
2577}
2578
2579void fsg_common_set_sysfs(struct fsg_common *common, bool sysfs)
2580{
2581        common->sysfs = sysfs;
2582}
2583EXPORT_SYMBOL_GPL(fsg_common_set_sysfs);
2584
2585static void _fsg_common_free_buffers(struct fsg_buffhd *buffhds, unsigned n)
2586{
2587        if (buffhds) {
2588                struct fsg_buffhd *bh = buffhds;
2589                while (n--) {
2590                        kfree(bh->buf);
2591                        ++bh;
2592                }
2593                kfree(buffhds);
2594        }
2595}
2596
2597int fsg_common_set_num_buffers(struct fsg_common *common, unsigned int n)
2598{
2599        struct fsg_buffhd *bh, *buffhds;
2600        int i;
2601
2602        buffhds = kcalloc(n, sizeof(*buffhds), GFP_KERNEL);
2603        if (!buffhds)
2604                return -ENOMEM;
2605
2606        /* Data buffers cyclic list */
2607        bh = buffhds;
2608        i = n;
2609        goto buffhds_first_it;
2610        do {
2611                bh->next = bh + 1;
2612                ++bh;
2613buffhds_first_it:
2614                bh->buf = kmalloc(FSG_BUFLEN, GFP_KERNEL);
2615                if (unlikely(!bh->buf))
2616                        goto error_release;
2617        } while (--i);
2618        bh->next = buffhds;
2619
2620        _fsg_common_free_buffers(common->buffhds, common->fsg_num_buffers);
2621        common->fsg_num_buffers = n;
2622        common->buffhds = buffhds;
2623
2624        return 0;
2625
2626error_release:
2627        /*
2628         * "buf"s pointed to by heads after n - i are NULL
2629         * so releasing them won't hurt
2630         */
2631        _fsg_common_free_buffers(buffhds, n);
2632
2633        return -ENOMEM;
2634}
2635EXPORT_SYMBOL_GPL(fsg_common_set_num_buffers);
2636
2637void fsg_common_remove_lun(struct fsg_lun *lun)
2638{
2639        if (device_is_registered(&lun->dev))
2640                device_unregister(&lun->dev);
2641        fsg_lun_close(lun);
2642        kfree(lun);
2643}
2644EXPORT_SYMBOL_GPL(fsg_common_remove_lun);
2645
2646static void _fsg_common_remove_luns(struct fsg_common *common, int n)
2647{
2648        int i;
2649
2650        for (i = 0; i < n; ++i)
2651                if (common->luns[i]) {
2652                        fsg_common_remove_lun(common->luns[i]);
2653                        common->luns[i] = NULL;
2654                }
2655}
2656
2657void fsg_common_remove_luns(struct fsg_common *common)
2658{
2659        _fsg_common_remove_luns(common, ARRAY_SIZE(common->luns));
2660}
2661EXPORT_SYMBOL_GPL(fsg_common_remove_luns);
2662
2663void fsg_common_free_buffers(struct fsg_common *common)
2664{
2665        _fsg_common_free_buffers(common->buffhds, common->fsg_num_buffers);
2666        common->buffhds = NULL;
2667}
2668EXPORT_SYMBOL_GPL(fsg_common_free_buffers);
2669
2670int fsg_common_set_cdev(struct fsg_common *common,
2671                         struct usb_composite_dev *cdev, bool can_stall)
2672{
2673        struct usb_string *us;
2674
2675        common->gadget = cdev->gadget;
2676        common->ep0 = cdev->gadget->ep0;
2677        common->ep0req = cdev->req;
2678        common->cdev = cdev;
2679
2680        us = usb_gstrings_attach(cdev, fsg_strings_array,
2681                                 ARRAY_SIZE(fsg_strings));
2682        if (IS_ERR(us))
2683                return PTR_ERR(us);
2684
2685        fsg_intf_desc.iInterface = us[FSG_STRING_INTERFACE].id;
2686
2687        /*
2688         * Some peripheral controllers are known not to be able to
2689         * halt bulk endpoints correctly.  If one of them is present,
2690         * disable stalls.
2691         */
2692        common->can_stall = can_stall &&
2693                        gadget_is_stall_supported(common->gadget);
2694
2695        return 0;
2696}
2697EXPORT_SYMBOL_GPL(fsg_common_set_cdev);
2698
2699static struct attribute *fsg_lun_dev_attrs[] = {
2700        &dev_attr_ro.attr,
2701        &dev_attr_file.attr,
2702        &dev_attr_nofua.attr,
2703        NULL
2704};
2705
2706static umode_t fsg_lun_dev_is_visible(struct kobject *kobj,
2707                                      struct attribute *attr, int idx)
2708{
2709        struct device *dev = kobj_to_dev(kobj);
2710        struct fsg_lun *lun = fsg_lun_from_dev(dev);
2711
2712        if (attr == &dev_attr_ro.attr)
2713                return lun->cdrom ? S_IRUGO : (S_IWUSR | S_IRUGO);
2714        if (attr == &dev_attr_file.attr)
2715                return lun->removable ? (S_IWUSR | S_IRUGO) : S_IRUGO;
2716        return attr->mode;
2717}
2718
2719static const struct attribute_group fsg_lun_dev_group = {
2720        .attrs = fsg_lun_dev_attrs,
2721        .is_visible = fsg_lun_dev_is_visible,
2722};
2723
2724static const struct attribute_group *fsg_lun_dev_groups[] = {
2725        &fsg_lun_dev_group,
2726        NULL
2727};
2728
2729int fsg_common_create_lun(struct fsg_common *common, struct fsg_lun_config *cfg,
2730                          unsigned int id, const char *name,
2731                          const char **name_pfx)
2732{
2733        struct fsg_lun *lun;
2734        char *pathbuf, *p;
2735        int rc = -ENOMEM;
2736
2737        if (id >= ARRAY_SIZE(common->luns))
2738                return -ENODEV;
2739
2740        if (common->luns[id])
2741                return -EBUSY;
2742
2743        if (!cfg->filename && !cfg->removable) {
2744                pr_err("no file given for LUN%d\n", id);
2745                return -EINVAL;
2746        }
2747
2748        lun = kzalloc(sizeof(*lun), GFP_KERNEL);
2749        if (!lun)
2750                return -ENOMEM;
2751
2752        lun->name_pfx = name_pfx;
2753
2754        lun->cdrom = !!cfg->cdrom;
2755        lun->ro = cfg->cdrom || cfg->ro;
2756        lun->initially_ro = lun->ro;
2757        lun->removable = !!cfg->removable;
2758
2759        if (!common->sysfs) {
2760                /* we DON'T own the name!*/
2761                lun->name = name;
2762        } else {
2763                lun->dev.release = fsg_lun_release;
2764                lun->dev.parent = &common->gadget->dev;
2765                lun->dev.groups = fsg_lun_dev_groups;
2766                dev_set_drvdata(&lun->dev, &common->filesem);
2767                dev_set_name(&lun->dev, "%s", name);
2768                lun->name = dev_name(&lun->dev);
2769
2770                rc = device_register(&lun->dev);
2771                if (rc) {
2772                        pr_info("failed to register LUN%d: %d\n", id, rc);
2773                        put_device(&lun->dev);
2774                        goto error_sysfs;
2775                }
2776        }
2777
2778        common->luns[id] = lun;
2779
2780        if (cfg->filename) {
2781                rc = fsg_lun_open(lun, cfg->filename);
2782                if (rc)
2783                        goto error_lun;
2784        }
2785
2786        pathbuf = kmalloc(PATH_MAX, GFP_KERNEL);
2787        p = "(no medium)";
2788        if (fsg_lun_is_open(lun)) {
2789                p = "(error)";
2790                if (pathbuf) {
2791                        p = file_path(lun->filp, pathbuf, PATH_MAX);
2792                        if (IS_ERR(p))
2793                                p = "(error)";
2794                }
2795        }
2796        pr_info("LUN: %s%s%sfile: %s\n",
2797              lun->removable ? "removable " : "",
2798              lun->ro ? "read only " : "",
2799              lun->cdrom ? "CD-ROM " : "",
2800              p);
2801        kfree(pathbuf);
2802
2803        return 0;
2804
2805error_lun:
2806        if (device_is_registered(&lun->dev))
2807                device_unregister(&lun->dev);
2808        fsg_lun_close(lun);
2809        common->luns[id] = NULL;
2810error_sysfs:
2811        kfree(lun);
2812        return rc;
2813}
2814EXPORT_SYMBOL_GPL(fsg_common_create_lun);
2815
2816int fsg_common_create_luns(struct fsg_common *common, struct fsg_config *cfg)
2817{
2818        char buf[8]; /* enough for 100000000 different numbers, decimal */
2819        int i, rc;
2820
2821        fsg_common_remove_luns(common);
2822
2823        for (i = 0; i < cfg->nluns; ++i) {
2824                snprintf(buf, sizeof(buf), "lun%d", i);
2825                rc = fsg_common_create_lun(common, &cfg->luns[i], i, buf, NULL);
2826                if (rc)
2827                        goto fail;
2828        }
2829
2830        pr_info("Number of LUNs=%d\n", cfg->nluns);
2831
2832        return 0;
2833
2834fail:
2835        _fsg_common_remove_luns(common, i);
2836        return rc;
2837}
2838EXPORT_SYMBOL_GPL(fsg_common_create_luns);
2839
2840void fsg_common_set_inquiry_string(struct fsg_common *common, const char *vn,
2841                                   const char *pn)
2842{
2843        int i;
2844
2845        /* Prepare inquiryString */
2846        i = get_default_bcdDevice();
2847        snprintf(common->inquiry_string, sizeof(common->inquiry_string),
2848                 "%-8s%-16s%04x", vn ?: "Linux",
2849                 /* Assume product name dependent on the first LUN */
2850                 pn ?: ((*common->luns)->cdrom
2851                     ? "File-CD Gadget"
2852                     : "File-Stor Gadget"),
2853                 i);
2854}
2855EXPORT_SYMBOL_GPL(fsg_common_set_inquiry_string);
2856
2857static void fsg_common_release(struct fsg_common *common)
2858{
2859        int i;
2860
2861        /* If the thread isn't already dead, tell it to exit now */
2862        if (common->state != FSG_STATE_TERMINATED) {
2863                raise_exception(common, FSG_STATE_EXIT);
2864                wait_for_completion(&common->thread_notifier);
2865        }
2866
2867        for (i = 0; i < ARRAY_SIZE(common->luns); ++i) {
2868                struct fsg_lun *lun = common->luns[i];
2869                if (!lun)
2870                        continue;
2871                fsg_lun_close(lun);
2872                if (device_is_registered(&lun->dev))
2873                        device_unregister(&lun->dev);
2874                kfree(lun);
2875        }
2876
2877        _fsg_common_free_buffers(common->buffhds, common->fsg_num_buffers);
2878        if (common->free_storage_on_release)
2879                kfree(common);
2880}
2881
2882
2883/*-------------------------------------------------------------------------*/
2884
2885static int fsg_bind(struct usb_configuration *c, struct usb_function *f)
2886{
2887        struct fsg_dev          *fsg = fsg_from_func(f);
2888        struct fsg_common       *common = fsg->common;
2889        struct usb_gadget       *gadget = c->cdev->gadget;
2890        int                     i;
2891        struct usb_ep           *ep;
2892        unsigned                max_burst;
2893        int                     ret;
2894        struct fsg_opts         *opts;
2895
2896        /* Don't allow to bind if we don't have at least one LUN */
2897        ret = _fsg_common_get_max_lun(common);
2898        if (ret < 0) {
2899                pr_err("There should be at least one LUN.\n");
2900                return -EINVAL;
2901        }
2902
2903        opts = fsg_opts_from_func_inst(f->fi);
2904        if (!opts->no_configfs) {
2905                ret = fsg_common_set_cdev(fsg->common, c->cdev,
2906                                          fsg->common->can_stall);
2907                if (ret)
2908                        return ret;
2909                fsg_common_set_inquiry_string(fsg->common, NULL, NULL);
2910        }
2911
2912        if (!common->thread_task) {
2913                common->state = FSG_STATE_NORMAL;
2914                common->thread_task =
2915                        kthread_create(fsg_main_thread, common, "file-storage");
2916                if (IS_ERR(common->thread_task)) {
2917                        ret = PTR_ERR(common->thread_task);
2918                        common->thread_task = NULL;
2919                        common->state = FSG_STATE_TERMINATED;
2920                        return ret;
2921                }
2922                DBG(common, "I/O thread pid: %d\n",
2923                    task_pid_nr(common->thread_task));
2924                wake_up_process(common->thread_task);
2925        }
2926
2927        fsg->gadget = gadget;
2928
2929        /* New interface */
2930        i = usb_interface_id(c, f);
2931        if (i < 0)
2932                goto fail;
2933        fsg_intf_desc.bInterfaceNumber = i;
2934        fsg->interface_number = i;
2935
2936        /* Find all the endpoints we will use */
2937        ep = usb_ep_autoconfig(gadget, &fsg_fs_bulk_in_desc);
2938        if (!ep)
2939                goto autoconf_fail;
2940        fsg->bulk_in = ep;
2941
2942        ep = usb_ep_autoconfig(gadget, &fsg_fs_bulk_out_desc);
2943        if (!ep)
2944                goto autoconf_fail;
2945        fsg->bulk_out = ep;
2946
2947        /* Assume endpoint addresses are the same for both speeds */
2948        fsg_hs_bulk_in_desc.bEndpointAddress =
2949                fsg_fs_bulk_in_desc.bEndpointAddress;
2950        fsg_hs_bulk_out_desc.bEndpointAddress =
2951                fsg_fs_bulk_out_desc.bEndpointAddress;
2952
2953        /* Calculate bMaxBurst, we know packet size is 1024 */
2954        max_burst = min_t(unsigned, FSG_BUFLEN / 1024, 15);
2955
2956        fsg_ss_bulk_in_desc.bEndpointAddress =
2957                fsg_fs_bulk_in_desc.bEndpointAddress;
2958        fsg_ss_bulk_in_comp_desc.bMaxBurst = max_burst;
2959
2960        fsg_ss_bulk_out_desc.bEndpointAddress =
2961                fsg_fs_bulk_out_desc.bEndpointAddress;
2962        fsg_ss_bulk_out_comp_desc.bMaxBurst = max_burst;
2963
2964        ret = usb_assign_descriptors(f, fsg_fs_function, fsg_hs_function,
2965                        fsg_ss_function, fsg_ss_function);
2966        if (ret)
2967                goto autoconf_fail;
2968
2969        return 0;
2970
2971autoconf_fail:
2972        ERROR(fsg, "unable to autoconfigure all endpoints\n");
2973        i = -ENOTSUPP;
2974fail:
2975        /* terminate the thread */
2976        if (fsg->common->state != FSG_STATE_TERMINATED) {
2977                raise_exception(fsg->common, FSG_STATE_EXIT);
2978                wait_for_completion(&fsg->common->thread_notifier);
2979        }
2980        return i;
2981}
2982
2983/****************************** ALLOCATE FUNCTION *************************/
2984
2985static void fsg_unbind(struct usb_configuration *c, struct usb_function *f)
2986{
2987        struct fsg_dev          *fsg = fsg_from_func(f);
2988        struct fsg_common       *common = fsg->common;
2989
2990        DBG(fsg, "unbind\n");
2991        if (fsg->common->fsg == fsg) {
2992                fsg->common->new_fsg = NULL;
2993                raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE);
2994                /* FIXME: make interruptible or killable somehow? */
2995                wait_event(common->fsg_wait, common->fsg != fsg);
2996        }
2997
2998        usb_free_all_descriptors(&fsg->function);
2999}
3000

3001static inline struct fsg_lun_opts *to_fsg_lun_opts(struct config_item *item)
3002{
3003        return container_of(to_config_group(item), struct fsg_lun_opts, group);
3004}
3005
3006static inline struct fsg_opts *to_fsg_opts(struct config_item *item)
3007{
3008        return container_of(to_config_group(item), struct fsg_opts,
3009                            func_inst.group);
3010}
3011
3012static void fsg_lun_attr_release(struct config_item *item)
3013{
3014        struct fsg_lun_opts *lun_opts;
3015
3016        lun_opts = to_fsg_lun_opts(item);
3017        kfree(lun_opts);
3018}
3019
3020static struct configfs_item_operations fsg_lun_item_ops = {
3021        .release                = fsg_lun_attr_release,
3022};
3023
3024static ssize_t fsg_lun_opts_file_show(struct config_item *item, char *page)
3025{
3026        struct fsg_lun_opts *opts = to_fsg_lun_opts(item);
3027        struct fsg_opts *fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent);
3028
3029        return fsg_show_file(opts->lun, &fsg_opts->common->filesem, page);
3030}
3031
3032static ssize_t fsg_lun_opts_file_store(struct config_item *item,
3033                                       const char *page, size_t len)
3034{
3035        struct fsg_lun_opts *opts = to_fsg_lun_opts(item);
3036        struct fsg_opts *fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent);
3037
3038        return fsg_store_file(opts->lun, &fsg_opts->common->filesem, page, len);
3039}
3040
3041CONFIGFS_ATTR(fsg_lun_opts_, file);
3042
3043static ssize_t fsg_lun_opts_ro_show(struct config_item *item, char *page)
3044{
3045        return fsg_show_ro(to_fsg_lun_opts(item)->lun, page);
3046}
3047
3048static ssize_t fsg_lun_opts_ro_store(struct config_item *item,
3049                                       const char *page, size_t len)
3050{
3051        struct fsg_lun_opts *opts = to_fsg_lun_opts(item);
3052        struct fsg_opts *fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent);
3053
3054        return fsg_store_ro(opts->lun, &fsg_opts->common->filesem, page, len);
3055}
3056
3057CONFIGFS_ATTR(fsg_lun_opts_, ro);
3058
3059static ssize_t fsg_lun_opts_removable_show(struct config_item *item,
3060                                           char *page)
3061{
3062        return fsg_show_removable(to_fsg_lun_opts(item)->lun, page);
3063}
3064
3065static ssize_t fsg_lun_opts_removable_store(struct config_item *item,
3066                                       const char *page, size_t len)
3067{
3068        return fsg_store_removable(to_fsg_lun_opts(item)->lun, page, len);
3069}
3070
3071CONFIGFS_ATTR(fsg_lun_opts_, removable);
3072
3073static ssize_t fsg_lun_opts_cdrom_show(struct config_item *item, char *page)
3074{
3075        return fsg_show_cdrom(to_fsg_lun_opts(item)->lun, page);
3076}
3077
3078static ssize_t fsg_lun_opts_cdrom_store(struct config_item *item,
3079                                       const char *page, size_t len)
3080{
3081        struct fsg_lun_opts *opts = to_fsg_lun_opts(item);
3082        struct fsg_opts *fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent);
3083
3084        return fsg_store_cdrom(opts->lun, &fsg_opts->common->filesem, page,
3085                               len);
3086}
3087
3088CONFIGFS_ATTR(fsg_lun_opts_, cdrom);
3089
3090static ssize_t fsg_lun_opts_nofua_show(struct config_item *item, char *page)
3091{
3092        return fsg_show_nofua(to_fsg_lun_opts(item)->lun, page);
3093}
3094
3095static ssize_t fsg_lun_opts_nofua_store(struct config_item *item,
3096                                       const char *page, size_t len)
3097{
3098        return fsg_store_nofua(to_fsg_lun_opts(item)->lun, page, len);
3099}
3100
3101CONFIGFS_ATTR(fsg_lun_opts_, nofua);
3102
3103static ssize_t fsg_lun_opts_inquiry_string_show(struct config_item *item,
3104                                                char *page)
3105{
3106        return fsg_show_inquiry_string(to_fsg_lun_opts(item)->lun, page);
3107}
3108
3109static ssize_t fsg_lun_opts_inquiry_string_store(struct config_item *item,
3110                                                 const char *page, size_t len)
3111{
3112        return fsg_store_inquiry_string(to_fsg_lun_opts(item)->lun, page, len);
3113}
3114
3115CONFIGFS_ATTR(fsg_lun_opts_, inquiry_string);
3116
3117static struct configfs_attribute *fsg_lun_attrs[] = {
3118        &fsg_lun_opts_attr_file,
3119        &fsg_lun_opts_attr_ro,
3120        &fsg_lun_opts_attr_removable,
3121        &fsg_lun_opts_attr_cdrom,
3122        &fsg_lun_opts_attr_nofua,
3123        &fsg_lun_opts_attr_inquiry_string,
3124        NULL,
3125};
3126
3127static const struct config_item_type fsg_lun_type = {
3128        .ct_item_ops    = &fsg_lun_item_ops,
3129        .ct_attrs       = fsg_lun_attrs,
3130        .ct_owner       = THIS_MODULE,
3131};
3132
3133static struct config_group *fsg_lun_make(struct config_group *group,
3134                                         const char *name)
3135{
3136        struct fsg_lun_opts *opts;
3137        struct fsg_opts *fsg_opts;
3138        struct fsg_lun_config config;
3139        char *num_str;
3140        u8 num;
3141        int ret;
3142
3143        num_str = strchr(name, '.');
3144        if (!num_str) {
3145                pr_err("Unable to locate . in LUN.NUMBER\n");
3146                return ERR_PTR(-EINVAL);
3147        }
3148        num_str++;
3149
3150        ret = kstrtou8(num_str, 0, &num);
3151        if (ret)
3152                return ERR_PTR(ret);
3153
3154        fsg_opts = to_fsg_opts(&group->cg_item);
3155        if (num >= FSG_MAX_LUNS)
3156                return ERR_PTR(-ERANGE);
3157        num = array_index_nospec(num, FSG_MAX_LUNS);
3158
3159        mutex_lock(&fsg_opts->lock);
3160        if (fsg_opts->refcnt || fsg_opts->common->luns[num]) {
3161                ret = -EBUSY;
3162                goto out;
3163        }
3164
3165        opts = kzalloc(sizeof(*opts), GFP_KERNEL);
3166        if (!opts) {
3167                ret = -ENOMEM;
3168                goto out;
3169        }
3170
3171        memset(&config, 0, sizeof(config));
3172        config.removable = true;
3173
3174        ret = fsg_common_create_lun(fsg_opts->common, &config, num, name,
3175                                    (const char **)&group->cg_item.ci_name);
3176        if (ret) {
3177                kfree(opts);
3178                goto out;
3179        }
3180        opts->lun = fsg_opts->common->luns[num];
3181        opts->lun_id = num;
3182        mutex_unlock(&fsg_opts->lock);
3183
3184        config_group_init_type_name(&opts->group, name, &fsg_lun_type);
3185
3186        return &opts->group;
3187out:
3188        mutex_unlock(&fsg_opts->lock);
3189        return ERR_PTR(ret);
3190}
3191
3192static void fsg_lun_drop(struct config_group *group, struct config_item *item)
3193{
3194        struct fsg_lun_opts *lun_opts;
3195        struct fsg_opts *fsg_opts;
3196
3197        lun_opts = to_fsg_lun_opts(item);
3198        fsg_opts = to_fsg_opts(&group->cg_item);
3199
3200        mutex_lock(&fsg_opts->lock);
3201        if (fsg_opts->refcnt) {
3202                struct config_item *gadget;
3203
3204                gadget = group->cg_item.ci_parent->ci_parent;
3205                unregister_gadget_item(gadget);
3206        }
3207
3208        fsg_common_remove_lun(lun_opts->lun);
3209        fsg_opts->common->luns[lun_opts->lun_id] = NULL;
3210        lun_opts->lun_id = 0;
3211        mutex_unlock(&fsg_opts->lock);
3212
3213        config_item_put(item);
3214}
3215
3216static void fsg_attr_release(struct config_item *item)
3217{
3218        struct fsg_opts *opts = to_fsg_opts(item);
3219
3220        usb_put_function_instance(&opts->func_inst);
3221}
3222
3223static struct configfs_item_operations fsg_item_ops = {
3224        .release                = fsg_attr_release,
3225};
3226
3227static ssize_t fsg_opts_stall_show(struct config_item *item, char *page)
3228{
3229        struct fsg_opts *opts = to_fsg_opts(item);
3230        int result;
3231
3232        mutex_lock(&opts->lock);
3233        result = sprintf(page, "%d", opts->common->can_stall);
3234        mutex_unlock(&opts->lock);
3235
3236        return result;
3237}
3238
3239static ssize_t fsg_opts_stall_store(struct config_item *item, const char *page,
3240                                    size_t len)
3241{
3242        struct fsg_opts *opts = to_fsg_opts(item);
3243        int ret;
3244        bool stall;
3245
3246        mutex_lock(&opts->lock);
3247
3248        if (opts->refcnt) {
3249                mutex_unlock(&opts->lock);
3250                return -EBUSY;
3251        }
3252
3253        ret = strtobool(page, &stall);
3254        if (!ret) {
3255                opts->common->can_stall = stall;
3256                ret = len;
3257        }
3258
3259        mutex_unlock(&opts->lock);
3260
3261        return ret;
3262}
3263
3264CONFIGFS_ATTR(fsg_opts_, stall);
3265
3266#ifdef CONFIG_USB_GADGET_DEBUG_FILES
3267static ssize_t fsg_opts_num_buffers_show(struct config_item *item, char *page)
3268{
3269        struct fsg_opts *opts = to_fsg_opts(item);
3270        int result;
3271
3272        mutex_lock(&opts->lock);
3273        result = sprintf(page, "%d", opts->common->fsg_num_buffers);
3274        mutex_unlock(&opts->lock);
3275
3276        return result;
3277}
3278
3279static ssize_t fsg_opts_num_buffers_store(struct config_item *item,
3280                                          const char *page, size_t len)
3281{
3282        struct fsg_opts *opts = to_fsg_opts(item);
3283        int ret;
3284        u8 num;
3285
3286        mutex_lock(&opts->lock);
3287        if (opts->refcnt) {
3288                ret = -EBUSY;
3289                goto end;
3290        }
3291        ret = kstrtou8(page, 0, &num);
3292        if (ret)
3293                goto end;
3294
3295        ret = fsg_common_set_num_buffers(opts->common, num);
3296        if (ret)
3297                goto end;
3298        ret = len;
3299
3300end:
3301        mutex_unlock(&opts->lock);
3302        return ret;
3303}
3304
3305CONFIGFS_ATTR(fsg_opts_, num_buffers);
3306#endif
3307
3308static struct configfs_attribute *fsg_attrs[] = {
3309        &fsg_opts_attr_stall,
3310#ifdef CONFIG_USB_GADGET_DEBUG_FILES
3311        &fsg_opts_attr_num_buffers,
3312#endif
3313        NULL,
3314};
3315
3316static struct configfs_group_operations fsg_group_ops = {
3317        .make_group     = fsg_lun_make,
3318        .drop_item      = fsg_lun_drop,
3319};
3320
3321static const struct config_item_type fsg_func_type = {
3322        .ct_item_ops    = &fsg_item_ops,
3323        .ct_group_ops   = &fsg_group_ops,
3324        .ct_attrs       = fsg_attrs,
3325        .ct_owner       = THIS_MODULE,
3326};
3327
3328static void fsg_free_inst(struct usb_function_instance *fi)
3329{
3330        struct fsg_opts *opts;
3331
3332        opts = fsg_opts_from_func_inst(fi);
3333        fsg_common_release(opts->common);
3334        kfree(opts);
3335}
3336
3337static struct usb_function_instance *fsg_alloc_inst(void)
3338{
3339        struct fsg_opts *opts;
3340        struct fsg_lun_config config;
3341        int rc;
3342
3343        opts = kzalloc(sizeof(*opts), GFP_KERNEL);
3344        if (!opts)
3345                return ERR_PTR(-ENOMEM);
3346        mutex_init(&opts->lock);
3347        opts->func_inst.free_func_inst = fsg_free_inst;
3348        opts->common = fsg_common_setup(opts->common);
3349        if (IS_ERR(opts->common)) {
3350                rc = PTR_ERR(opts->common);
3351                goto release_opts;
3352        }
3353
3354        rc = fsg_common_set_num_buffers(opts->common,
3355                                        CONFIG_USB_GADGET_STORAGE_NUM_BUFFERS);
3356        if (rc)
3357                goto release_common;
3358
3359        pr_info(FSG_DRIVER_DESC ", version: " FSG_DRIVER_VERSION "\n");
3360
3361        memset(&config, 0, sizeof(config));
3362        config.removable = true;
3363        rc = fsg_common_create_lun(opts->common, &config, 0, "lun.0",
3364                        (const char **)&opts->func_inst.group.cg_item.ci_name);
3365        if (rc)
3366                goto release_buffers;
3367
3368        opts->lun0.lun = opts->common->luns[0];
3369        opts->lun0.lun_id = 0;
3370
3371        config_group_init_type_name(&opts->func_inst.group, "", &fsg_func_type);
3372
3373        config_group_init_type_name(&opts->lun0.group, "lun.0", &fsg_lun_type);
3374        configfs_add_default_group(&opts->lun0.group, &opts->func_inst.group);
3375
3376        return &opts->func_inst;
3377
3378release_buffers:
3379        fsg_common_free_buffers(opts->common);
3380release_common:
3381        kfree(opts->common);
3382release_opts:
3383        kfree(opts);
3384        return ERR_PTR(rc);
3385}
3386
3387static void fsg_free(struct usb_function *f)
3388{
3389        struct fsg_dev *fsg;
3390        struct fsg_opts *opts;
3391
3392        fsg = container_of(f, struct fsg_dev, function);
3393        opts = container_of(f->fi, struct fsg_opts, func_inst);
3394
3395        mutex_lock(&opts->lock);
3396        opts->refcnt--;
3397        mutex_unlock(&opts->lock);
3398
3399        kfree(fsg);
3400}
3401
3402static struct usb_function *fsg_alloc(struct usb_function_instance *fi)
3403{
3404        struct fsg_opts *opts = fsg_opts_from_func_inst(fi);
3405        struct fsg_common *common = opts->common;
3406        struct fsg_dev *fsg;
3407
3408        fsg = kzalloc(sizeof(*fsg), GFP_KERNEL);
3409        if (unlikely(!fsg))
3410                return ERR_PTR(-ENOMEM);
3411
3412        mutex_lock(&opts->lock);
3413        opts->refcnt++;
3414        mutex_unlock(&opts->lock);
3415
3416        fsg->function.name      = FSG_DRIVER_DESC;
3417        fsg->function.bind      = fsg_bind;
3418        fsg->function.unbind    = fsg_unbind;
3419        fsg->function.setup     = fsg_setup;
3420        fsg->function.set_alt   = fsg_set_alt;
3421        fsg->function.disable   = fsg_disable;
3422        fsg->function.free_func = fsg_free;
3423
3424        fsg->common               = common;
3425
3426        return &fsg->function;
3427}
3428
3429DECLARE_USB_FUNCTION_INIT(mass_storage, fsg_alloc_inst, fsg_alloc);
3430MODULE_LICENSE("GPL");
3431MODULE_AUTHOR("Michal Nazarewicz");
3432
3433/************************* Module parameters *************************/
3434
3435
3436void fsg_config_from_params(struct fsg_config *cfg,
3437                       const struct fsg_module_parameters *params,
3438                       unsigned int fsg_num_buffers)
3439{
3440        struct fsg_lun_config *lun;
3441        unsigned i;
3442
3443        /* Configure LUNs */
3444        cfg->nluns =
3445                min(params->luns ?: (params->file_count ?: 1u),
3446                    (unsigned)FSG_MAX_LUNS);
3447        for (i = 0, lun = cfg->luns; i < cfg->nluns; ++i, ++lun) {
3448                lun->ro = !!params->ro[i];
3449                lun->cdrom = !!params->cdrom[i];
3450                lun->removable = !!params->removable[i];
3451                lun->filename =
3452                        params->file_count > i && params->file[i][0]
3453                        ? params->file[i]
3454                        : NULL;
3455        }
3456
3457        /* Let MSF use defaults */
3458        cfg->vendor_name = NULL;
3459        cfg->product_name = NULL;
3460
3461        cfg->ops = NULL;
3462        cfg->private_data = NULL;
3463
3464        /* Finalise */
3465        cfg->can_stall = params->stall;
3466        cfg->fsg_num_buffers = fsg_num_buffers;
3467}
3468EXPORT_SYMBOL_GPL(fsg_config_from_params);
3469