Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
f_mass_storage.c
Go to the documentation of this file.
1 /*
2  * f_mass_storage.c -- Mass Storage USB Composite Function
3  *
4  * Copyright (C) 2003-2008 Alan Stern
5  * Copyright (C) 2009 Samsung Electronics
6  * Author: Michal Nazarewicz <[email protected]>
7  * All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  * 1. Redistributions of source code must retain the above copyright
13  * notice, this list of conditions, and the following disclaimer,
14  * without modification.
15  * 2. Redistributions in binary form must reproduce the above copyright
16  * notice, this list of conditions and the following disclaimer in the
17  * documentation and/or other materials provided with the distribution.
18  * 3. The names of the above-listed copyright holders may not be used
19  * to endorse or promote products derived from this software without
20  * specific prior written permission.
21  *
22  * ALTERNATIVELY, this software may be distributed under the terms of the
23  * GNU General Public License ("GPL") as published by the Free Software
24  * Foundation, either version 2 of that License or (at your option) any
25  * later version.
26  *
27  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
28  * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
29  * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
30  * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
31  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
32  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
33  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
34  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
35  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
36  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
37  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38  */
39 
40 /*
41  * The Mass Storage Function acts as a USB Mass Storage device,
42  * appearing to the host as a disk drive or as a CD-ROM drive. In
43  * addition to providing an example of a genuinely useful composite
44  * function for a USB device, it also illustrates a technique of
45  * double-buffering for increased throughput.
46  *
47  * For more information about MSF and in particular its module
48  * parameters and sysfs interface read the
49  * <Documentation/usb/mass-storage.txt> file.
50  */
51 
52 /*
53  * MSF is configured by specifying a fsg_config structure. It has the
54  * following fields:
55  *
56  * nluns Number of LUNs function have (anywhere from 1
57  * to FSG_MAX_LUNS which is 8).
58  * luns An array of LUN configuration values. This
59  * should be filled for each LUN that
60  * function will include (ie. for "nluns"
61  * LUNs). Each element of the array has
62  * the following fields:
63  * ->filename The path to the backing file for the LUN.
64  * Required if LUN is not marked as
65  * removable.
66  * ->ro Flag specifying access to the LUN shall be
67  * read-only. This is implied if CD-ROM
68  * emulation is enabled as well as when
69  * it was impossible to open "filename"
70  * in R/W mode.
71  * ->removable Flag specifying that LUN shall be indicated as
72  * being removable.
73  * ->cdrom Flag specifying that LUN shall be reported as
74  * being a CD-ROM.
75  * ->nofua Flag specifying that FUA flag in SCSI WRITE(10,12)
76  * commands for this LUN shall be ignored.
77  *
78  * vendor_name
79  * product_name
80  * release Information used as a reply to INQUIRY
81  * request. To use default set to NULL,
82  * NULL, 0xffff respectively. The first
83  * field should be 8 and the second 16
84  * characters or less.
85  *
86  * can_stall Set to permit function to halt bulk endpoints.
87  * Disabled on some USB devices known not
88  * to work correctly. You should set it
89  * to true.
90  *
91  * If "removable" is not set for a LUN then a backing file must be
92  * specified. If it is set, then NULL filename means the LUN's medium
93  * is not loaded (an empty string as "filename" in the fsg_config
94  * structure causes error). The CD-ROM emulation includes a single
95  * data track and no audio tracks; hence there need be only one
96  * backing file per LUN.
97  *
98  * This function is heavily based on "File-backed Storage Gadget" by
99  * Alan Stern which in turn is heavily based on "Gadget Zero" by David
100  * Brownell. The driver's SCSI command interface was based on the
101  * "Information technology - Small Computer System Interface - 2"
102  * document from X3T9.2 Project 375D, Revision 10L, 7-SEP-93,
103  * available at <http://www.t10.org/ftp/t10/drafts/s2/s2-r10l.pdf>.
104  * The single exception is opcode 0x23 (READ FORMAT CAPACITIES), which
105  * was based on the "Universal Serial Bus Mass Storage Class UFI
106  * Command Specification" document, Revision 1.0, December 14, 1998,
107  * available at
108  * <http://www.usb.org/developers/devclass_docs/usbmass-ufi10.pdf>.
109  */
110 
111 /*
112  * Driver Design
113  *
114  * The MSF is fairly straightforward. There is a main kernel
115  * thread that handles most of the work. Interrupt routines field
116  * callbacks from the controller driver: bulk- and interrupt-request
117  * completion notifications, endpoint-0 events, and disconnect events.
118  * Completion events are passed to the main thread by wakeup calls. Many
119  * ep0 requests are handled at interrupt time, but SetInterface,
120  * SetConfiguration, and device reset requests are forwarded to the
121  * thread in the form of "exceptions" using SIGUSR1 signals (since they
122  * should interrupt any ongoing file I/O operations).
123  *
124  * The thread's main routine implements the standard command/data/status
125  * parts of a SCSI interaction. It and its subroutines are full of tests
126  * for pending signals/exceptions -- all this polling is necessary since
127  * the kernel has no setjmp/longjmp equivalents. (Maybe this is an
128  * indication that the driver really wants to be running in userspace.)
129  * An important point is that so long as the thread is alive it keeps an
130  * open reference to the backing file. This will prevent unmounting
131  * the backing file's underlying filesystem and could cause problems
132  * during system shutdown, for example. To prevent such problems, the
133  * thread catches INT, TERM, and KILL signals and converts them into
134  * an EXIT exception.
135  *
136  * In normal operation the main thread is started during the gadget's
137  * fsg_bind() callback and stopped during fsg_unbind(). But it can
138  * also exit when it receives a signal, and there's no point leaving
139  * the gadget running when the thread is dead. As of this moment, MSF
140  * provides no way to deregister the gadget when thread dies -- maybe
141  * a callback functions is needed.
142  *
143  * To provide maximum throughput, the driver uses a circular pipeline of
144  * buffer heads (struct fsg_buffhd). In principle the pipeline can be
145  * arbitrarily long; in practice the benefits don't justify having more
146  * than 2 stages (i.e., double buffering). But it helps to think of the
147  * pipeline as being a long one. Each buffer head contains a bulk-in and
148  * a bulk-out request pointer (since the buffer can be used for both
149  * output and input -- directions always are given from the host's
150  * point of view) as well as a pointer to the buffer and various state
151  * variables.
152  *
153  * Use of the pipeline follows a simple protocol. There is a variable
154  * (fsg->next_buffhd_to_fill) that points to the next buffer head to use.
155  * At any time that buffer head may still be in use from an earlier
156  * request, so each buffer head has a state variable indicating whether
157  * it is EMPTY, FULL, or BUSY. Typical use involves waiting for the
158  * buffer head to be EMPTY, filling the buffer either by file I/O or by
159  * USB I/O (during which the buffer head is BUSY), and marking the buffer
160  * head FULL when the I/O is complete. Then the buffer will be emptied
161  * (again possibly by USB I/O, during which it is marked BUSY) and
162  * finally marked EMPTY again (possibly by a completion routine).
163  *
164  * A module parameter tells the driver to avoid stalling the bulk
165  * endpoints wherever the transport specification allows. This is
166  * necessary for some UDCs like the SuperH, which cannot reliably clear a
167  * halt on a bulk endpoint. However, under certain circumstances the
168  * Bulk-only specification requires a stall. In such cases the driver
169  * will halt the endpoint and set a flag indicating that it should clear
170  * the halt in software during the next device reset. Hopefully this
171  * will permit everything to work correctly. Furthermore, although the
172  * specification allows the bulk-out endpoint to halt when the host sends
173  * too much data, implementing this would cause an unavoidable race.
174  * The driver will always use the "no-stall" approach for OUT transfers.
175  *
176  * One subtle point concerns sending status-stage responses for ep0
177  * requests. Some of these requests, such as device reset, can involve
178  * interrupting an ongoing file I/O operation, which might take an
179  * arbitrarily long time. During that delay the host might give up on
180  * the original ep0 request and issue a new one. When that happens the
181  * driver should not notify the host about completion of the original
182  * request, as the host will no longer be waiting for it. So the driver
183  * assigns to each ep0 request a unique tag, and it keeps track of the
184  * tag value of the request associated with a long-running exception
185  * (device-reset, interface-change, or configuration-change). When the
186  * exception handler is finished, the status-stage response is submitted
187  * only if the current ep0 request tag is equal to the exception request
188  * tag. Thus only the most recently received ep0 request will get a
189  * status-stage response.
190  *
191  * Warning: This driver source file is too long. It ought to be split up
192  * into a header file plus about 3 separate .c files, to handle the details
193  * of the Gadget, USB Mass Storage, and SCSI protocols.
194  */
195 
196 
197 /* #define VERBOSE_DEBUG */
198 /* #define DUMP_MSGS */
199 
200 #include <linux/blkdev.h>
201 #include <linux/completion.h>
202 #include <linux/dcache.h>
203 #include <linux/delay.h>
204 #include <linux/device.h>
205 #include <linux/fcntl.h>
206 #include <linux/file.h>
207 #include <linux/fs.h>
208 #include <linux/kref.h>
209 #include <linux/kthread.h>
210 #include <linux/limits.h>
211 #include <linux/rwsem.h>
212 #include <linux/slab.h>
213 #include <linux/spinlock.h>
214 #include <linux/string.h>
215 #include <linux/freezer.h>
216 #include <linux/utsname.h>
217 
218 #include <linux/usb/ch9.h>
219 #include <linux/usb/gadget.h>
220 #include <linux/usb/composite.h>
221 
222 #include "gadget_chips.h"
223 
224 
225 /*------------------------------------------------------------------------*/
226 
227 #define FSG_DRIVER_DESC "Mass Storage Function"
228 #define FSG_DRIVER_VERSION "2009/09/11"
229 
230 static const char fsg_string_interface[] = "Mass Storage";
231 
232 #define FSG_NO_DEVICE_STRINGS 1
233 #define FSG_NO_OTG 1
234 #define FSG_NO_INTR_EP 1
235 
236 #include "storage_common.c"
237 
238 
239 /*-------------------------------------------------------------------------*/
240 
241 struct fsg_dev;
242 struct fsg_common;
243 
244 /* FSF callback functions */
246  /*
247  * Callback function to call when thread exits. If no
248  * callback is set or it returns value lower then zero MSF
249  * will force eject all LUNs it operates on (including those
250  * marked as non-removable or with prevent_medium_removal flag
251  * set).
252  */
254 
255  /*
256  * Called prior to ejection. Negative return means error,
257  * zero means to continue with ejection, positive means not to
258  * eject.
259  */
261  struct fsg_lun *lun, int num);
262  /*
263  * Called after ejection. Negative return means error, zero
264  * or positive is just a success.
265  */
267  struct fsg_lun *lun, int num);
268 };
269 
270 /* Data shared by all the FSG instances. */
271 struct fsg_common {
274  struct fsg_dev *fsg, *new_fsg;
276 
277  /* filesem protects: backing files in use */
279 
280  /* lock protects: state, all the req_busy's */
282 
283  struct usb_ep *ep0; /* Copy of gadget->ep0 */
284  struct usb_request *ep0req; /* Copy of cdev->req */
285  unsigned int ep0_req_tag;
286 
290 
293 
294  unsigned int nluns;
295  unsigned int lun;
296  struct fsg_lun *luns;
297  struct fsg_lun *curlun;
298 
299  unsigned int bulk_out_maxpacket;
300  enum fsg_state state; /* For exception handling */
301  unsigned int exception_req_tag;
302 
309 
310  unsigned int can_stall:1;
311  unsigned int free_storage_on_release:1;
312  unsigned int phase_error:1;
313  unsigned int short_packet_received:1;
314  unsigned int bad_lun_okay:1;
315  unsigned int running:1;
316 
320 
321  /* Callback functions. */
322  const struct fsg_operations *ops;
323  /* Gadget's private data. */
325 
326  /*
327  * Vendor (8 chars), product (16 chars), release (4
328  * hexadecimal digits) and NUL byte
329  */
330  char inquiry_string[8 + 16 + 4 + 1];
331 
332  struct kref ref;
333 };
334 
335 struct fsg_config {
336  unsigned nluns;
337  struct fsg_lun_config {
338  const char *filename;
339  char ro;
340  char removable;
341  char cdrom;
342  char nofua;
343  } luns[FSG_MAX_LUNS];
344 
345  /* Callback functions. */
346  const struct fsg_operations *ops;
347  /* Gadget's private data. */
349 
350  const char *vendor_name; /* 8 characters or less */
351  const char *product_name; /* 16 characters or less */
353 
354  char can_stall;
355 };
356 
357 struct fsg_dev {
359  struct usb_gadget *gadget; /* Copy of cdev->gadget */
361 
363 
364  unsigned int bulk_in_enabled:1;
365  unsigned int bulk_out_enabled:1;
366 
367  unsigned long atomic_bitflags;
368 #define IGNORE_BULK_OUT 0
369 
370  struct usb_ep *bulk_in;
371  struct usb_ep *bulk_out;
372 };
373 
374 static inline int __fsg_is_set(struct fsg_common *common,
375  const char *func, unsigned line)
376 {
377  if (common->fsg)
378  return 1;
379  ERROR(common, "common->fsg is NULL in %s at %u\n", func, line);
380  WARN_ON(1);
381  return 0;
382 }
383 
384 #define fsg_is_set(common) likely(__fsg_is_set(common, __func__, __LINE__))
385 
386 static inline struct fsg_dev *fsg_from_func(struct usb_function *f)
387 {
388  return container_of(f, struct fsg_dev, function);
389 }
390 
391 typedef void (*fsg_routine_t)(struct fsg_dev *);
392 
393 static int exception_in_progress(struct fsg_common *common)
394 {
395  return common->state > FSG_STATE_IDLE;
396 }
397 
398 /* Make bulk-out requests be divisible by the maxpacket size */
399 static void set_bulk_out_req_length(struct fsg_common *common,
400  struct fsg_buffhd *bh, unsigned int length)
401 {
402  unsigned int rem;
403 
405  rem = length % common->bulk_out_maxpacket;
406  if (rem > 0)
407  length += common->bulk_out_maxpacket - rem;
408  bh->outreq->length = length;
409 }
410 
411 
412 /*-------------------------------------------------------------------------*/
413 
414 static int fsg_set_halt(struct fsg_dev *fsg, struct usb_ep *ep)
415 {
416  const char *name;
417 
418  if (ep == fsg->bulk_in)
419  name = "bulk-in";
420  else if (ep == fsg->bulk_out)
421  name = "bulk-out";
422  else
423  name = ep->name;
424  DBG(fsg, "%s set halt\n", name);
425  return usb_ep_set_halt(ep);
426 }
427 
428 
429 /*-------------------------------------------------------------------------*/
430 
431 /* These routines may be called in process context or in_irq */
432 
433 /* Caller must hold fsg->lock */
434 static void wakeup_thread(struct fsg_common *common)
435 {
436  /* Tell the main thread that something has happened */
437  common->thread_wakeup_needed = 1;
438  if (common->thread_task)
439  wake_up_process(common->thread_task);
440 }
441 
442 static void raise_exception(struct fsg_common *common, enum fsg_state new_state)
443 {
444  unsigned long flags;
445 
446  /*
447  * Do nothing if a higher-priority exception is already in progress.
448  * If a lower-or-equal priority exception is in progress, preempt it
449  * and notify the main thread by sending it a signal.
450  */
451  spin_lock_irqsave(&common->lock, flags);
452  if (common->state <= new_state) {
453  common->exception_req_tag = common->ep0_req_tag;
454  common->state = new_state;
455  if (common->thread_task)
457  common->thread_task);
458  }
459  spin_unlock_irqrestore(&common->lock, flags);
460 }
461 
462 
463 /*-------------------------------------------------------------------------*/
464 
465 static int ep0_queue(struct fsg_common *common)
466 {
467  int rc;
468 
469  rc = usb_ep_queue(common->ep0, common->ep0req, GFP_ATOMIC);
470  common->ep0->driver_data = common;
471  if (rc != 0 && rc != -ESHUTDOWN) {
472  /* We can't do much more than wait for a reset */
473  WARNING(common, "error in submission: %s --> %d\n",
474  common->ep0->name, rc);
475  }
476  return rc;
477 }
478 
479 
480 /*-------------------------------------------------------------------------*/
481 
482 /* Completion handlers. These always run in_irq. */
483 
484 static void bulk_in_complete(struct usb_ep *ep, struct usb_request *req)
485 {
486  struct fsg_common *common = ep->driver_data;
487  struct fsg_buffhd *bh = req->context;
488 
489  if (req->status || req->actual != req->length)
490  DBG(common, "%s --> %d, %u/%u\n", __func__,
491  req->status, req->actual, req->length);
492  if (req->status == -ECONNRESET) /* Request was cancelled */
493  usb_ep_fifo_flush(ep);
494 
495  /* Hold the lock while we update the request and buffer states */
496  smp_wmb();
497  spin_lock(&common->lock);
498  bh->inreq_busy = 0;
499  bh->state = BUF_STATE_EMPTY;
500  wakeup_thread(common);
501  spin_unlock(&common->lock);
502 }
503 
504 static void bulk_out_complete(struct usb_ep *ep, struct usb_request *req)
505 {
506  struct fsg_common *common = ep->driver_data;
507  struct fsg_buffhd *bh = req->context;
508 
509  dump_msg(common, "bulk-out", req->buf, req->actual);
510  if (req->status || req->actual != bh->bulk_out_intended_length)
511  DBG(common, "%s --> %d, %u/%u\n", __func__,
512  req->status, req->actual, bh->bulk_out_intended_length);
513  if (req->status == -ECONNRESET) /* Request was cancelled */
514  usb_ep_fifo_flush(ep);
515 
516  /* Hold the lock while we update the request and buffer states */
517  smp_wmb();
518  spin_lock(&common->lock);
519  bh->outreq_busy = 0;
520  bh->state = BUF_STATE_FULL;
521  wakeup_thread(common);
522  spin_unlock(&common->lock);
523 }
524 
525 static int fsg_setup(struct usb_function *f,
526  const struct usb_ctrlrequest *ctrl)
527 {
528  struct fsg_dev *fsg = fsg_from_func(f);
529  struct usb_request *req = fsg->common->ep0req;
530  u16 w_index = le16_to_cpu(ctrl->wIndex);
531  u16 w_value = le16_to_cpu(ctrl->wValue);
532  u16 w_length = le16_to_cpu(ctrl->wLength);
533 
534  if (!fsg_is_set(fsg->common))
535  return -EOPNOTSUPP;
536 
537  ++fsg->common->ep0_req_tag; /* Record arrival of a new request */
538  req->context = NULL;
539  req->length = 0;
540  dump_msg(fsg, "ep0-setup", (u8 *) ctrl, sizeof(*ctrl));
541 
542  switch (ctrl->bRequest) {
543 
545  if (ctrl->bRequestType !=
547  break;
548  if (w_index != fsg->interface_number || w_value != 0 ||
549  w_length != 0)
550  return -EDOM;
551 
552  /*
553  * Raise an exception to stop the current operation
554  * and reinitialize our state.
555  */
556  DBG(fsg, "bulk reset request\n");
557  raise_exception(fsg->common, FSG_STATE_RESET);
558  return DELAYED_STATUS;
559 
560  case US_BULK_GET_MAX_LUN:
561  if (ctrl->bRequestType !=
563  break;
564  if (w_index != fsg->interface_number || w_value != 0 ||
565  w_length != 1)
566  return -EDOM;
567  VDBG(fsg, "get max LUN\n");
568  *(u8 *)req->buf = fsg->common->nluns - 1;
569 
570  /* Respond with data/status */
571  req->length = min((u16)1, w_length);
572  return ep0_queue(fsg->common);
573  }
574 
575  VDBG(fsg,
576  "unknown class-specific control req %02x.%02x v%04x i%04x l%u\n",
577  ctrl->bRequestType, ctrl->bRequest,
578  le16_to_cpu(ctrl->wValue), w_index, w_length);
579  return -EOPNOTSUPP;
580 }
581 
582 
583 /*-------------------------------------------------------------------------*/
584 
585 /* All the following routines run in process context */
586 
587 /* Use this for bulk or interrupt transfers, not ep0 */
588 static void start_transfer(struct fsg_dev *fsg, struct usb_ep *ep,
589  struct usb_request *req, int *pbusy,
590  enum fsg_buffer_state *state)
591 {
592  int rc;
593 
594  if (ep == fsg->bulk_in)
595  dump_msg(fsg, "bulk-in", req->buf, req->length);
596 
597  spin_lock_irq(&fsg->common->lock);
598  *pbusy = 1;
599  *state = BUF_STATE_BUSY;
600  spin_unlock_irq(&fsg->common->lock);
601  rc = usb_ep_queue(ep, req, GFP_KERNEL);
602  if (rc != 0) {
603  *pbusy = 0;
604  *state = BUF_STATE_EMPTY;
605 
606  /* We can't do much more than wait for a reset */
607 
608  /*
609  * Note: currently the net2280 driver fails zero-length
610  * submissions if DMA is enabled.
611  */
612  if (rc != -ESHUTDOWN &&
613  !(rc == -EOPNOTSUPP && req->length == 0))
614  WARNING(fsg, "error in submission: %s --> %d\n",
615  ep->name, rc);
616  }
617 }
618 
619 static bool start_in_transfer(struct fsg_common *common, struct fsg_buffhd *bh)
620 {
621  if (!fsg_is_set(common))
622  return false;
623  start_transfer(common->fsg, common->fsg->bulk_in,
624  bh->inreq, &bh->inreq_busy, &bh->state);
625  return true;
626 }
627 
628 static bool start_out_transfer(struct fsg_common *common, struct fsg_buffhd *bh)
629 {
630  if (!fsg_is_set(common))
631  return false;
632  start_transfer(common->fsg, common->fsg->bulk_out,
633  bh->outreq, &bh->outreq_busy, &bh->state);
634  return true;
635 }
636 
637 static int sleep_thread(struct fsg_common *common)
638 {
639  int rc = 0;
640 
641  /* Wait until a signal arrives or we are woken up */
642  for (;;) {
643  try_to_freeze();
645  if (signal_pending(current)) {
646  rc = -EINTR;
647  break;
648  }
649  if (common->thread_wakeup_needed)
650  break;
651  schedule();
652  }
654  common->thread_wakeup_needed = 0;
655  return rc;
656 }
657 
658 
659 /*-------------------------------------------------------------------------*/
660 
661 static int do_read(struct fsg_common *common)
662 {
663  struct fsg_lun *curlun = common->curlun;
664  u32 lba;
665  struct fsg_buffhd *bh;
666  int rc;
667  u32 amount_left;
668  loff_t file_offset, file_offset_tmp;
669  unsigned int amount;
670  ssize_t nread;
671 
672  /*
673  * Get the starting Logical Block Address and check that it's
674  * not too big.
675  */
676  if (common->cmnd[0] == READ_6)
677  lba = get_unaligned_be24(&common->cmnd[1]);
678  else {
679  lba = get_unaligned_be32(&common->cmnd[2]);
680 
681  /*
682  * We allow DPO (Disable Page Out = don't save data in the
683  * cache) and FUA (Force Unit Access = don't read from the
684  * cache), but we don't implement them.
685  */
686  if ((common->cmnd[1] & ~0x18) != 0) {
688  return -EINVAL;
689  }
690  }
691  if (lba >= curlun->num_sectors) {
693  return -EINVAL;
694  }
695  file_offset = ((loff_t) lba) << curlun->blkbits;
696 
697  /* Carry out the file reads */
698  amount_left = common->data_size_from_cmnd;
699  if (unlikely(amount_left == 0))
700  return -EIO; /* No default reply */
701 
702  for (;;) {
703  /*
704  * Figure out how much we need to read:
705  * Try to read the remaining amount.
706  * But don't read more than the buffer size.
707  * And don't try to read past the end of the file.
708  */
709  amount = min(amount_left, FSG_BUFLEN);
710  amount = min((loff_t)amount,
711  curlun->file_length - file_offset);
712 
713  /* Wait for the next buffer to become available */
714  bh = common->next_buffhd_to_fill;
715  while (bh->state != BUF_STATE_EMPTY) {
716  rc = sleep_thread(common);
717  if (rc)
718  return rc;
719  }
720 
721  /*
722  * If we were asked to read past the end of file,
723  * end with an empty buffer.
724  */
725  if (amount == 0) {
726  curlun->sense_data =
728  curlun->sense_data_info =
729  file_offset >> curlun->blkbits;
730  curlun->info_valid = 1;
731  bh->inreq->length = 0;
732  bh->state = BUF_STATE_FULL;
733  break;
734  }
735 
736  /* Perform the read */
737  file_offset_tmp = file_offset;
738  nread = vfs_read(curlun->filp,
739  (char __user *)bh->buf,
740  amount, &file_offset_tmp);
741  VLDBG(curlun, "file read %u @ %llu -> %d\n", amount,
742  (unsigned long long)file_offset, (int)nread);
743  if (signal_pending(current))
744  return -EINTR;
745 
746  if (nread < 0) {
747  LDBG(curlun, "error in file read: %d\n", (int)nread);
748  nread = 0;
749  } else if (nread < amount) {
750  LDBG(curlun, "partial file read: %d/%u\n",
751  (int)nread, amount);
752  nread = round_down(nread, curlun->blksize);
753  }
754  file_offset += nread;
755  amount_left -= nread;
756  common->residue -= nread;
757 
758  /*
759  * Except at the end of the transfer, nread will be
760  * equal to the buffer size, which is divisible by the
761  * bulk-in maxpacket size.
762  */
763  bh->inreq->length = nread;
764  bh->state = BUF_STATE_FULL;
765 
766  /* If an error occurred, report it and its position */
767  if (nread < amount) {
769  curlun->sense_data_info =
770  file_offset >> curlun->blkbits;
771  curlun->info_valid = 1;
772  break;
773  }
774 
775  if (amount_left == 0)
776  break; /* No more left to read */
777 
778  /* Send this buffer and go read some more */
779  bh->inreq->zero = 0;
780  if (!start_in_transfer(common, bh))
781  /* Don't know what to do if common->fsg is NULL */
782  return -EIO;
783  common->next_buffhd_to_fill = bh->next;
784  }
785 
786  return -EIO; /* No default reply */
787 }
788 
789 
790 /*-------------------------------------------------------------------------*/
791 
792 static int do_write(struct fsg_common *common)
793 {
794  struct fsg_lun *curlun = common->curlun;
795  u32 lba;
796  struct fsg_buffhd *bh;
797  int get_some_more;
798  u32 amount_left_to_req, amount_left_to_write;
799  loff_t usb_offset, file_offset, file_offset_tmp;
800  unsigned int amount;
801  ssize_t nwritten;
802  int rc;
803 
804  if (curlun->ro) {
805  curlun->sense_data = SS_WRITE_PROTECTED;
806  return -EINVAL;
807  }
808  spin_lock(&curlun->filp->f_lock);
809  curlun->filp->f_flags &= ~O_SYNC; /* Default is not to wait */
810  spin_unlock(&curlun->filp->f_lock);
811 
812  /*
813  * Get the starting Logical Block Address and check that it's
814  * not too big
815  */
816  if (common->cmnd[0] == WRITE_6)
817  lba = get_unaligned_be24(&common->cmnd[1]);
818  else {
819  lba = get_unaligned_be32(&common->cmnd[2]);
820 
821  /*
822  * We allow DPO (Disable Page Out = don't save data in the
823  * cache) and FUA (Force Unit Access = write directly to the
824  * medium). We don't implement DPO; we implement FUA by
825  * performing synchronous output.
826  */
827  if (common->cmnd[1] & ~0x18) {
829  return -EINVAL;
830  }
831  if (!curlun->nofua && (common->cmnd[1] & 0x08)) { /* FUA */
832  spin_lock(&curlun->filp->f_lock);
833  curlun->filp->f_flags |= O_SYNC;
834  spin_unlock(&curlun->filp->f_lock);
835  }
836  }
837  if (lba >= curlun->num_sectors) {
839  return -EINVAL;
840  }
841 
842  /* Carry out the file writes */
843  get_some_more = 1;
844  file_offset = usb_offset = ((loff_t) lba) << curlun->blkbits;
845  amount_left_to_req = common->data_size_from_cmnd;
846  amount_left_to_write = common->data_size_from_cmnd;
847 
848  while (amount_left_to_write > 0) {
849 
850  /* Queue a request for more data from the host */
851  bh = common->next_buffhd_to_fill;
852  if (bh->state == BUF_STATE_EMPTY && get_some_more) {
853 
854  /*
855  * Figure out how much we want to get:
856  * Try to get the remaining amount,
857  * but not more than the buffer size.
858  */
859  amount = min(amount_left_to_req, FSG_BUFLEN);
860 
861  /* Beyond the end of the backing file? */
862  if (usb_offset >= curlun->file_length) {
863  get_some_more = 0;
864  curlun->sense_data =
866  curlun->sense_data_info =
867  usb_offset >> curlun->blkbits;
868  curlun->info_valid = 1;
869  continue;
870  }
871 
872  /* Get the next buffer */
873  usb_offset += amount;
874  common->usb_amount_left -= amount;
875  amount_left_to_req -= amount;
876  if (amount_left_to_req == 0)
877  get_some_more = 0;
878 
879  /*
880  * Except at the end of the transfer, amount will be
881  * equal to the buffer size, which is divisible by
882  * the bulk-out maxpacket size.
883  */
884  set_bulk_out_req_length(common, bh, amount);
885  if (!start_out_transfer(common, bh))
886  /* Dunno what to do if common->fsg is NULL */
887  return -EIO;
888  common->next_buffhd_to_fill = bh->next;
889  continue;
890  }
891 
892  /* Write the received data to the backing file */
893  bh = common->next_buffhd_to_drain;
894  if (bh->state == BUF_STATE_EMPTY && !get_some_more)
895  break; /* We stopped early */
896  if (bh->state == BUF_STATE_FULL) {
897  smp_rmb();
898  common->next_buffhd_to_drain = bh->next;
899  bh->state = BUF_STATE_EMPTY;
900 
901  /* Did something go wrong with the transfer? */
902  if (bh->outreq->status != 0) {
904  curlun->sense_data_info =
905  file_offset >> curlun->blkbits;
906  curlun->info_valid = 1;
907  break;
908  }
909 
910  amount = bh->outreq->actual;
911  if (curlun->file_length - file_offset < amount) {
912  LERROR(curlun,
913  "write %u @ %llu beyond end %llu\n",
914  amount, (unsigned long long)file_offset,
915  (unsigned long long)curlun->file_length);
916  amount = curlun->file_length - file_offset;
917  }
918 
919  /* Don't accept excess data. The spec doesn't say
920  * what to do in this case. We'll ignore the error.
921  */
922  amount = min(amount, bh->bulk_out_intended_length);
923 
924  /* Don't write a partial block */
925  amount = round_down(amount, curlun->blksize);
926  if (amount == 0)
927  goto empty_write;
928 
929  /* Perform the write */
930  file_offset_tmp = file_offset;
931  nwritten = vfs_write(curlun->filp,
932  (char __user *)bh->buf,
933  amount, &file_offset_tmp);
934  VLDBG(curlun, "file write %u @ %llu -> %d\n", amount,
935  (unsigned long long)file_offset, (int)nwritten);
936  if (signal_pending(current))
937  return -EINTR; /* Interrupted! */
938 
939  if (nwritten < 0) {
940  LDBG(curlun, "error in file write: %d\n",
941  (int)nwritten);
942  nwritten = 0;
943  } else if (nwritten < amount) {
944  LDBG(curlun, "partial file write: %d/%u\n",
945  (int)nwritten, amount);
946  nwritten = round_down(nwritten, curlun->blksize);
947  }
948  file_offset += nwritten;
949  amount_left_to_write -= nwritten;
950  common->residue -= nwritten;
951 
952  /* If an error occurred, report it and its position */
953  if (nwritten < amount) {
954  curlun->sense_data = SS_WRITE_ERROR;
955  curlun->sense_data_info =
956  file_offset >> curlun->blkbits;
957  curlun->info_valid = 1;
958  break;
959  }
960 
961  empty_write:
962  /* Did the host decide to stop early? */
963  if (bh->outreq->actual < bh->bulk_out_intended_length) {
964  common->short_packet_received = 1;
965  break;
966  }
967  continue;
968  }
969 
970  /* Wait for something to happen */
971  rc = sleep_thread(common);
972  if (rc)
973  return rc;
974  }
975 
976  return -EIO; /* No default reply */
977 }
978 
979 
980 /*-------------------------------------------------------------------------*/
981 
982 static int do_synchronize_cache(struct fsg_common *common)
983 {
984  struct fsg_lun *curlun = common->curlun;
985  int rc;
986 
987  /* We ignore the requested LBA and write out all file's
988  * dirty data buffers. */
989  rc = fsg_lun_fsync_sub(curlun);
990  if (rc)
991  curlun->sense_data = SS_WRITE_ERROR;
992  return 0;
993 }
994 
995 
996 /*-------------------------------------------------------------------------*/
997 
998 static void invalidate_sub(struct fsg_lun *curlun)
999 {
1000  struct file *filp = curlun->filp;
1001  struct inode *inode = filp->f_path.dentry->d_inode;
1002  unsigned long rc;
1003 
1004  rc = invalidate_mapping_pages(inode->i_mapping, 0, -1);
1005  VLDBG(curlun, "invalidate_mapping_pages -> %ld\n", rc);
1006 }
1007 
1008 static int do_verify(struct fsg_common *common)
1009 {
1010  struct fsg_lun *curlun = common->curlun;
1011  u32 lba;
1012  u32 verification_length;
1013  struct fsg_buffhd *bh = common->next_buffhd_to_fill;
1014  loff_t file_offset, file_offset_tmp;
1015  u32 amount_left;
1016  unsigned int amount;
1017  ssize_t nread;
1018 
1019  /*
1020  * Get the starting Logical Block Address and check that it's
1021  * not too big.
1022  */
1023  lba = get_unaligned_be32(&common->cmnd[2]);
1024  if (lba >= curlun->num_sectors) {
1026  return -EINVAL;
1027  }
1028 
1029  /*
1030  * We allow DPO (Disable Page Out = don't save data in the
1031  * cache) but we don't implement it.
1032  */
1033  if (common->cmnd[1] & ~0x10) {
1035  return -EINVAL;
1036  }
1037 
1038  verification_length = get_unaligned_be16(&common->cmnd[7]);
1039  if (unlikely(verification_length == 0))
1040  return -EIO; /* No default reply */
1041 
1042  /* Prepare to carry out the file verify */
1043  amount_left = verification_length << curlun->blkbits;
1044  file_offset = ((loff_t) lba) << curlun->blkbits;
1045 
1046  /* Write out all the dirty buffers before invalidating them */
1047  fsg_lun_fsync_sub(curlun);
1048  if (signal_pending(current))
1049  return -EINTR;
1050 
1051  invalidate_sub(curlun);
1052  if (signal_pending(current))
1053  return -EINTR;
1054 
1055  /* Just try to read the requested blocks */
1056  while (amount_left > 0) {
1057  /*
1058  * Figure out how much we need to read:
1059  * Try to read the remaining amount, but not more than
1060  * the buffer size.
1061  * And don't try to read past the end of the file.
1062  */
1063  amount = min(amount_left, FSG_BUFLEN);
1064  amount = min((loff_t)amount,
1065  curlun->file_length - file_offset);
1066  if (amount == 0) {
1067  curlun->sense_data =
1069  curlun->sense_data_info =
1070  file_offset >> curlun->blkbits;
1071  curlun->info_valid = 1;
1072  break;
1073  }
1074 
1075  /* Perform the read */
1076  file_offset_tmp = file_offset;
1077  nread = vfs_read(curlun->filp,
1078  (char __user *) bh->buf,
1079  amount, &file_offset_tmp);
1080  VLDBG(curlun, "file read %u @ %llu -> %d\n", amount,
1081  (unsigned long long) file_offset,
1082  (int) nread);
1083  if (signal_pending(current))
1084  return -EINTR;
1085 
1086  if (nread < 0) {
1087  LDBG(curlun, "error in file verify: %d\n", (int)nread);
1088  nread = 0;
1089  } else if (nread < amount) {
1090  LDBG(curlun, "partial file verify: %d/%u\n",
1091  (int)nread, amount);
1092  nread = round_down(nread, curlun->blksize);
1093  }
1094  if (nread == 0) {
1096  curlun->sense_data_info =
1097  file_offset >> curlun->blkbits;
1098  curlun->info_valid = 1;
1099  break;
1100  }
1101  file_offset += nread;
1102  amount_left -= nread;
1103  }
1104  return 0;
1105 }
1106 
1107 
1108 /*-------------------------------------------------------------------------*/
1109 
1110 static int do_inquiry(struct fsg_common *common, struct fsg_buffhd *bh)
1111 {
1112  struct fsg_lun *curlun = common->curlun;
1113  u8 *buf = (u8 *) bh->buf;
1114 
1115  if (!curlun) { /* Unsupported LUNs are okay */
1116  common->bad_lun_okay = 1;
1117  memset(buf, 0, 36);
1118  buf[0] = 0x7f; /* Unsupported, no device-type */
1119  buf[4] = 31; /* Additional length */
1120  return 36;
1121  }
1122 
1123  buf[0] = curlun->cdrom ? TYPE_ROM : TYPE_DISK;
1124  buf[1] = curlun->removable ? 0x80 : 0;
1125  buf[2] = 2; /* ANSI SCSI level 2 */
1126  buf[3] = 2; /* SCSI-2 INQUIRY data format */
1127  buf[4] = 31; /* Additional length */
1128  buf[5] = 0; /* No special options */
1129  buf[6] = 0;
1130  buf[7] = 0;
1131  memcpy(buf + 8, common->inquiry_string, sizeof common->inquiry_string);
1132  return 36;
1133 }
1134 
1135 static int do_request_sense(struct fsg_common *common, struct fsg_buffhd *bh)
1136 {
1137  struct fsg_lun *curlun = common->curlun;
1138  u8 *buf = (u8 *) bh->buf;
1139  u32 sd, sdinfo;
1140  int valid;
1141 
1142  /*
1143  * From the SCSI-2 spec., section 7.9 (Unit attention condition):
1144  *
1145  * If a REQUEST SENSE command is received from an initiator
1146  * with a pending unit attention condition (before the target
1147  * generates the contingent allegiance condition), then the
1148  * target shall either:
1149  * a) report any pending sense data and preserve the unit
1150  * attention condition on the logical unit, or,
1151  * b) report the unit attention condition, may discard any
1152  * pending sense data, and clear the unit attention
1153  * condition on the logical unit for that initiator.
1154  *
1155  * FSG normally uses option a); enable this code to use option b).
1156  */
1157 #if 0
1158  if (curlun && curlun->unit_attention_data != SS_NO_SENSE) {
1159  curlun->sense_data = curlun->unit_attention_data;
1160  curlun->unit_attention_data = SS_NO_SENSE;
1161  }
1162 #endif
1163 
1164  if (!curlun) { /* Unsupported LUNs are okay */
1165  common->bad_lun_okay = 1;
1167  sdinfo = 0;
1168  valid = 0;
1169  } else {
1170  sd = curlun->sense_data;
1171  sdinfo = curlun->sense_data_info;
1172  valid = curlun->info_valid << 7;
1173  curlun->sense_data = SS_NO_SENSE;
1174  curlun->sense_data_info = 0;
1175  curlun->info_valid = 0;
1176  }
1177 
1178  memset(buf, 0, 18);
1179  buf[0] = valid | 0x70; /* Valid, current error */
1180  buf[2] = SK(sd);
1181  put_unaligned_be32(sdinfo, &buf[3]); /* Sense information */
1182  buf[7] = 18 - 8; /* Additional sense length */
1183  buf[12] = ASC(sd);
1184  buf[13] = ASCQ(sd);
1185  return 18;
1186 }
1187 
1188 static int do_read_capacity(struct fsg_common *common, struct fsg_buffhd *bh)
1189 {
1190  struct fsg_lun *curlun = common->curlun;
1191  u32 lba = get_unaligned_be32(&common->cmnd[2]);
1192  int pmi = common->cmnd[8];
1193  u8 *buf = (u8 *)bh->buf;
1194 
1195  /* Check the PMI and LBA fields */
1196  if (pmi > 1 || (pmi == 0 && lba != 0)) {
1198  return -EINVAL;
1199  }
1200 
1201  put_unaligned_be32(curlun->num_sectors - 1, &buf[0]);
1202  /* Max logical block */
1203  put_unaligned_be32(curlun->blksize, &buf[4]);/* Block length */
1204  return 8;
1205 }
1206 
1207 static int do_read_header(struct fsg_common *common, struct fsg_buffhd *bh)
1208 {
1209  struct fsg_lun *curlun = common->curlun;
1210  int msf = common->cmnd[1] & 0x02;
1211  u32 lba = get_unaligned_be32(&common->cmnd[2]);
1212  u8 *buf = (u8 *)bh->buf;
1213 
1214  if (common->cmnd[1] & ~0x02) { /* Mask away MSF */
1216  return -EINVAL;
1217  }
1218  if (lba >= curlun->num_sectors) {
1220  return -EINVAL;
1221  }
1222 
1223  memset(buf, 0, 8);
1224  buf[0] = 0x01; /* 2048 bytes of user data, rest is EC */
1225  store_cdrom_address(&buf[4], msf, lba);
1226  return 8;
1227 }
1228 
1229 static int do_read_toc(struct fsg_common *common, struct fsg_buffhd *bh)
1230 {
1231  struct fsg_lun *curlun = common->curlun;
1232  int msf = common->cmnd[1] & 0x02;
1233  int start_track = common->cmnd[6];
1234  u8 *buf = (u8 *)bh->buf;
1235 
1236  if ((common->cmnd[1] & ~0x02) != 0 || /* Mask away MSF */
1237  start_track > 1) {
1239  return -EINVAL;
1240  }
1241 
1242  memset(buf, 0, 20);
1243  buf[1] = (20-2); /* TOC data length */
1244  buf[2] = 1; /* First track number */
1245  buf[3] = 1; /* Last track number */
1246  buf[5] = 0x16; /* Data track, copying allowed */
1247  buf[6] = 0x01; /* Only track is number 1 */
1248  store_cdrom_address(&buf[8], msf, 0);
1249 
1250  buf[13] = 0x16; /* Lead-out track is data */
1251  buf[14] = 0xAA; /* Lead-out track number */
1252  store_cdrom_address(&buf[16], msf, curlun->num_sectors);
1253  return 20;
1254 }
1255 
1256 static int do_mode_sense(struct fsg_common *common, struct fsg_buffhd *bh)
1257 {
1258  struct fsg_lun *curlun = common->curlun;
1259  int mscmnd = common->cmnd[0];
1260  u8 *buf = (u8 *) bh->buf;
1261  u8 *buf0 = buf;
1262  int pc, page_code;
1263  int changeable_values, all_pages;
1264  int valid_page = 0;
1265  int len, limit;
1266 
1267  if ((common->cmnd[1] & ~0x08) != 0) { /* Mask away DBD */
1269  return -EINVAL;
1270  }
1271  pc = common->cmnd[2] >> 6;
1272  page_code = common->cmnd[2] & 0x3f;
1273  if (pc == 3) {
1275  return -EINVAL;
1276  }
1277  changeable_values = (pc == 1);
1278  all_pages = (page_code == 0x3f);
1279 
1280  /*
1281  * Write the mode parameter header. Fixed values are: default
1282  * medium type, no cache control (DPOFUA), and no block descriptors.
1283  * The only variable value is the WriteProtect bit. We will fill in
1284  * the mode data length later.
1285  */
1286  memset(buf, 0, 8);
1287  if (mscmnd == MODE_SENSE) {
1288  buf[2] = (curlun->ro ? 0x80 : 0x00); /* WP, DPOFUA */
1289  buf += 4;
1290  limit = 255;
1291  } else { /* MODE_SENSE_10 */
1292  buf[3] = (curlun->ro ? 0x80 : 0x00); /* WP, DPOFUA */
1293  buf += 8;
1294  limit = 65535; /* Should really be FSG_BUFLEN */
1295  }
1296 
1297  /* No block descriptors */
1298 
1299  /*
1300  * The mode pages, in numerical order. The only page we support
1301  * is the Caching page.
1302  */
1303  if (page_code == 0x08 || all_pages) {
1304  valid_page = 1;
1305  buf[0] = 0x08; /* Page code */
1306  buf[1] = 10; /* Page length */
1307  memset(buf+2, 0, 10); /* None of the fields are changeable */
1308 
1309  if (!changeable_values) {
1310  buf[2] = 0x04; /* Write cache enable, */
1311  /* Read cache not disabled */
1312  /* No cache retention priorities */
1313  put_unaligned_be16(0xffff, &buf[4]);
1314  /* Don't disable prefetch */
1315  /* Minimum prefetch = 0 */
1316  put_unaligned_be16(0xffff, &buf[8]);
1317  /* Maximum prefetch */
1318  put_unaligned_be16(0xffff, &buf[10]);
1319  /* Maximum prefetch ceiling */
1320  }
1321  buf += 12;
1322  }
1323 
1324  /*
1325  * Check that a valid page was requested and the mode data length
1326  * isn't too long.
1327  */
1328  len = buf - buf0;
1329  if (!valid_page || len > limit) {
1331  return -EINVAL;
1332  }
1333 
1334  /* Store the mode data length */
1335  if (mscmnd == MODE_SENSE)
1336  buf0[0] = len - 1;
1337  else
1338  put_unaligned_be16(len - 2, buf0);
1339  return len;
1340 }
1341 
1342 static int do_start_stop(struct fsg_common *common)
1343 {
1344  struct fsg_lun *curlun = common->curlun;
1345  int loej, start;
1346 
1347  if (!curlun) {
1348  return -EINVAL;
1349  } else if (!curlun->removable) {
1350  curlun->sense_data = SS_INVALID_COMMAND;
1351  return -EINVAL;
1352  } else if ((common->cmnd[1] & ~0x01) != 0 || /* Mask away Immed */
1353  (common->cmnd[4] & ~0x03) != 0) { /* Mask LoEj, Start */
1355  return -EINVAL;
1356  }
1357 
1358  loej = common->cmnd[4] & 0x02;
1359  start = common->cmnd[4] & 0x01;
1360 
1361  /*
1362  * Our emulation doesn't support mounting; the medium is
1363  * available for use as soon as it is loaded.
1364  */
1365  if (start) {
1366  if (!fsg_lun_is_open(curlun)) {
1368  return -EINVAL;
1369  }
1370  return 0;
1371  }
1372 
1373  /* Are we allowed to unload the media? */
1374  if (curlun->prevent_medium_removal) {
1375  LDBG(curlun, "unload attempt prevented\n");
1377  return -EINVAL;
1378  }
1379 
1380  if (!loej)
1381  return 0;
1382 
1383  /* Simulate an unload/eject */
1384  if (common->ops && common->ops->pre_eject) {
1385  int r = common->ops->pre_eject(common, curlun,
1386  curlun - common->luns);
1387  if (unlikely(r < 0))
1388  return r;
1389  else if (r)
1390  return 0;
1391  }
1392 
1393  up_read(&common->filesem);
1394  down_write(&common->filesem);
1395  fsg_lun_close(curlun);
1396  up_write(&common->filesem);
1397  down_read(&common->filesem);
1398 
1399  return common->ops && common->ops->post_eject
1400  ? min(0, common->ops->post_eject(common, curlun,
1401  curlun - common->luns))
1402  : 0;
1403 }
1404 
1405 static int do_prevent_allow(struct fsg_common *common)
1406 {
1407  struct fsg_lun *curlun = common->curlun;
1408  int prevent;
1409 
1410  if (!common->curlun) {
1411  return -EINVAL;
1412  } else if (!common->curlun->removable) {
1413  common->curlun->sense_data = SS_INVALID_COMMAND;
1414  return -EINVAL;
1415  }
1416 
1417  prevent = common->cmnd[4] & 0x01;
1418  if ((common->cmnd[4] & ~0x01) != 0) { /* Mask away Prevent */
1420  return -EINVAL;
1421  }
1422 
1423  if (curlun->prevent_medium_removal && !prevent)
1424  fsg_lun_fsync_sub(curlun);
1425  curlun->prevent_medium_removal = prevent;
1426  return 0;
1427 }
1428 
1429 static int do_read_format_capacities(struct fsg_common *common,
1430  struct fsg_buffhd *bh)
1431 {
1432  struct fsg_lun *curlun = common->curlun;
1433  u8 *buf = (u8 *) bh->buf;
1434 
1435  buf[0] = buf[1] = buf[2] = 0;
1436  buf[3] = 8; /* Only the Current/Maximum Capacity Descriptor */
1437  buf += 4;
1438 
1439  put_unaligned_be32(curlun->num_sectors, &buf[0]);
1440  /* Number of blocks */
1441  put_unaligned_be32(curlun->blksize, &buf[4]);/* Block length */
1442  buf[4] = 0x02; /* Current capacity */
1443  return 12;
1444 }
1445 
1446 static int do_mode_select(struct fsg_common *common, struct fsg_buffhd *bh)
1447 {
1448  struct fsg_lun *curlun = common->curlun;
1449 
1450  /* We don't support MODE SELECT */
1451  if (curlun)
1452  curlun->sense_data = SS_INVALID_COMMAND;
1453  return -EINVAL;
1454 }
1455 
1456 
1457 /*-------------------------------------------------------------------------*/
1458 
1459 static int halt_bulk_in_endpoint(struct fsg_dev *fsg)
1460 {
1461  int rc;
1462 
1463  rc = fsg_set_halt(fsg, fsg->bulk_in);
1464  if (rc == -EAGAIN)
1465  VDBG(fsg, "delayed bulk-in endpoint halt\n");
1466  while (rc != 0) {
1467  if (rc != -EAGAIN) {
1468  WARNING(fsg, "usb_ep_set_halt -> %d\n", rc);
1469  rc = 0;
1470  break;
1471  }
1472 
1473  /* Wait for a short time and then try again */
1474  if (msleep_interruptible(100) != 0)
1475  return -EINTR;
1476  rc = usb_ep_set_halt(fsg->bulk_in);
1477  }
1478  return rc;
1479 }
1480 
1481 static int wedge_bulk_in_endpoint(struct fsg_dev *fsg)
1482 {
1483  int rc;
1484 
1485  DBG(fsg, "bulk-in set wedge\n");
1486  rc = usb_ep_set_wedge(fsg->bulk_in);
1487  if (rc == -EAGAIN)
1488  VDBG(fsg, "delayed bulk-in endpoint wedge\n");
1489  while (rc != 0) {
1490  if (rc != -EAGAIN) {
1491  WARNING(fsg, "usb_ep_set_wedge -> %d\n", rc);
1492  rc = 0;
1493  break;
1494  }
1495 
1496  /* Wait for a short time and then try again */
1497  if (msleep_interruptible(100) != 0)
1498  return -EINTR;
1499  rc = usb_ep_set_wedge(fsg->bulk_in);
1500  }
1501  return rc;
1502 }
1503 
1504 static int throw_away_data(struct fsg_common *common)
1505 {
1506  struct fsg_buffhd *bh;
1507  u32 amount;
1508  int rc;
1509 
1510  for (bh = common->next_buffhd_to_drain;
1511  bh->state != BUF_STATE_EMPTY || common->usb_amount_left > 0;
1512  bh = common->next_buffhd_to_drain) {
1513 
1514  /* Throw away the data in a filled buffer */
1515  if (bh->state == BUF_STATE_FULL) {
1516  smp_rmb();
1517  bh->state = BUF_STATE_EMPTY;
1518  common->next_buffhd_to_drain = bh->next;
1519 
1520  /* A short packet or an error ends everything */
1521  if (bh->outreq->actual < bh->bulk_out_intended_length ||
1522  bh->outreq->status != 0) {
1523  raise_exception(common,
1525  return -EINTR;
1526  }
1527  continue;
1528  }
1529 
1530  /* Try to submit another request if we need one */
1531  bh = common->next_buffhd_to_fill;
1532  if (bh->state == BUF_STATE_EMPTY
1533  && common->usb_amount_left > 0) {
1534  amount = min(common->usb_amount_left, FSG_BUFLEN);
1535 
1536  /*
1537  * Except at the end of the transfer, amount will be
1538  * equal to the buffer size, which is divisible by
1539  * the bulk-out maxpacket size.
1540  */
1541  set_bulk_out_req_length(common, bh, amount);
1542  if (!start_out_transfer(common, bh))
1543  /* Dunno what to do if common->fsg is NULL */
1544  return -EIO;
1545  common->next_buffhd_to_fill = bh->next;
1546  common->usb_amount_left -= amount;
1547  continue;
1548  }
1549 
1550  /* Otherwise wait for something to happen */
1551  rc = sleep_thread(common);
1552  if (rc)
1553  return rc;
1554  }
1555  return 0;
1556 }
1557 
1558 static int finish_reply(struct fsg_common *common)
1559 {
1560  struct fsg_buffhd *bh = common->next_buffhd_to_fill;
1561  int rc = 0;
1562 
1563  switch (common->data_dir) {
1564  case DATA_DIR_NONE:
1565  break; /* Nothing to send */
1566 
1567  /*
1568  * If we don't know whether the host wants to read or write,
1569  * this must be CB or CBI with an unknown command. We mustn't
1570  * try to send or receive any data. So stall both bulk pipes
1571  * if we can and wait for a reset.
1572  */
1573  case DATA_DIR_UNKNOWN:
1574  if (!common->can_stall) {
1575  /* Nothing */
1576  } else if (fsg_is_set(common)) {
1577  fsg_set_halt(common->fsg, common->fsg->bulk_out);
1578  rc = halt_bulk_in_endpoint(common->fsg);
1579  } else {
1580  /* Don't know what to do if common->fsg is NULL */
1581  rc = -EIO;
1582  }
1583  break;
1584 
1585  /* All but the last buffer of data must have already been sent */
1586  case DATA_DIR_TO_HOST:
1587  if (common->data_size == 0) {
1588  /* Nothing to send */
1589 
1590  /* Don't know what to do if common->fsg is NULL */
1591  } else if (!fsg_is_set(common)) {
1592  rc = -EIO;
1593 
1594  /* If there's no residue, simply send the last buffer */
1595  } else if (common->residue == 0) {
1596  bh->inreq->zero = 0;
1597  if (!start_in_transfer(common, bh))
1598  return -EIO;
1599  common->next_buffhd_to_fill = bh->next;
1600 
1601  /*
1602  * For Bulk-only, mark the end of the data with a short
1603  * packet. If we are allowed to stall, halt the bulk-in
1604  * endpoint. (Note: This violates the Bulk-Only Transport
1605  * specification, which requires us to pad the data if we
1606  * don't halt the endpoint. Presumably nobody will mind.)
1607  */
1608  } else {
1609  bh->inreq->zero = 1;
1610  if (!start_in_transfer(common, bh))
1611  rc = -EIO;
1612  common->next_buffhd_to_fill = bh->next;
1613  if (common->can_stall)
1614  rc = halt_bulk_in_endpoint(common->fsg);
1615  }
1616  break;
1617 
1618  /*
1619  * We have processed all we want from the data the host has sent.
1620  * There may still be outstanding bulk-out requests.
1621  */
1622  case DATA_DIR_FROM_HOST:
1623  if (common->residue == 0) {
1624  /* Nothing to receive */
1625 
1626  /* Did the host stop sending unexpectedly early? */
1627  } else if (common->short_packet_received) {
1628  raise_exception(common, FSG_STATE_ABORT_BULK_OUT);
1629  rc = -EINTR;
1630 
1631  /*
1632  * We haven't processed all the incoming data. Even though
1633  * we may be allowed to stall, doing so would cause a race.
1634  * The controller may already have ACK'ed all the remaining
1635  * bulk-out packets, in which case the host wouldn't see a
1636  * STALL. Not realizing the endpoint was halted, it wouldn't
1637  * clear the halt -- leading to problems later on.
1638  */
1639 #if 0
1640  } else if (common->can_stall) {
1641  if (fsg_is_set(common))
1642  fsg_set_halt(common->fsg,
1643  common->fsg->bulk_out);
1644  raise_exception(common, FSG_STATE_ABORT_BULK_OUT);
1645  rc = -EINTR;
1646 #endif
1647 
1648  /*
1649  * We can't stall. Read in the excess data and throw it
1650  * all away.
1651  */
1652  } else {
1653  rc = throw_away_data(common);
1654  }
1655  break;
1656  }
1657  return rc;
1658 }
1659 
1660 static int send_status(struct fsg_common *common)
1661 {
1662  struct fsg_lun *curlun = common->curlun;
1663  struct fsg_buffhd *bh;
1664  struct bulk_cs_wrap *csw;
1665  int rc;
1667  u32 sd, sdinfo = 0;
1668 
1669  /* Wait for the next buffer to become available */
1670  bh = common->next_buffhd_to_fill;
1671  while (bh->state != BUF_STATE_EMPTY) {
1672  rc = sleep_thread(common);
1673  if (rc)
1674  return rc;
1675  }
1676 
1677  if (curlun) {
1678  sd = curlun->sense_data;
1679  sdinfo = curlun->sense_data_info;
1680  } else if (common->bad_lun_okay)
1681  sd = SS_NO_SENSE;
1682  else
1684 
1685  if (common->phase_error) {
1686  DBG(common, "sending phase-error status\n");
1687  status = US_BULK_STAT_PHASE;
1688  sd = SS_INVALID_COMMAND;
1689  } else if (sd != SS_NO_SENSE) {
1690  DBG(common, "sending command-failure status\n");
1691  status = US_BULK_STAT_FAIL;
1692  VDBG(common, " sense data: SK x%02x, ASC x%02x, ASCQ x%02x;"
1693  " info x%x\n",
1694  SK(sd), ASC(sd), ASCQ(sd), sdinfo);
1695  }
1696 
1697  /* Store and send the Bulk-only CSW */
1698  csw = (void *)bh->buf;
1699 
1701  csw->Tag = common->tag;
1702  csw->Residue = cpu_to_le32(common->residue);
1703  csw->Status = status;
1704 
1705  bh->inreq->length = US_BULK_CS_WRAP_LEN;
1706  bh->inreq->zero = 0;
1707  if (!start_in_transfer(common, bh))
1708  /* Don't know what to do if common->fsg is NULL */
1709  return -EIO;
1710 
1711  common->next_buffhd_to_fill = bh->next;
1712  return 0;
1713 }
1714 
1715 
1716 /*-------------------------------------------------------------------------*/
1717 
1718 /*
1719  * Check whether the command is properly formed and whether its data size
1720  * and direction agree with the values we already have.
1721  */
1722 static int check_command(struct fsg_common *common, int cmnd_size,
1723  enum data_direction data_dir, unsigned int mask,
1724  int needs_medium, const char *name)
1725 {
1726  int i;
1727  int lun = common->cmnd[1] >> 5;
1728  static const char dirletter[4] = {'u', 'o', 'i', 'n'};
1729  char hdlen[20];
1730  struct fsg_lun *curlun;
1731 
1732  hdlen[0] = 0;
1733  if (common->data_dir != DATA_DIR_UNKNOWN)
1734  sprintf(hdlen, ", H%c=%u", dirletter[(int) common->data_dir],
1735  common->data_size);
1736  VDBG(common, "SCSI command: %s; Dc=%d, D%c=%u; Hc=%d%s\n",
1737  name, cmnd_size, dirletter[(int) data_dir],
1738  common->data_size_from_cmnd, common->cmnd_size, hdlen);
1739 
1740  /*
1741  * We can't reply at all until we know the correct data direction
1742  * and size.
1743  */
1744  if (common->data_size_from_cmnd == 0)
1745  data_dir = DATA_DIR_NONE;
1746  if (common->data_size < common->data_size_from_cmnd) {
1747  /*
1748  * Host data size < Device data size is a phase error.
1749  * Carry out the command, but only transfer as much as
1750  * we are allowed.
1751  */
1752  common->data_size_from_cmnd = common->data_size;
1753  common->phase_error = 1;
1754  }
1755  common->residue = common->data_size;
1756  common->usb_amount_left = common->data_size;
1757 
1758  /* Conflicting data directions is a phase error */
1759  if (common->data_dir != data_dir && common->data_size_from_cmnd > 0) {
1760  common->phase_error = 1;
1761  return -EINVAL;
1762  }
1763 
1764  /* Verify the length of the command itself */
1765  if (cmnd_size != common->cmnd_size) {
1766 
1767  /*
1768  * Special case workaround: There are plenty of buggy SCSI
1769  * implementations. Many have issues with cbw->Length
1770  * field passing a wrong command size. For those cases we
1771  * always try to work around the problem by using the length
1772  * sent by the host side provided it is at least as large
1773  * as the correct command length.
1774  * Examples of such cases would be MS-Windows, which issues
1775  * REQUEST SENSE with cbw->Length == 12 where it should
1776  * be 6, and xbox360 issuing INQUIRY, TEST UNIT READY and
1777  * REQUEST SENSE with cbw->Length == 10 where it should
1778  * be 6 as well.
1779  */
1780  if (cmnd_size <= common->cmnd_size) {
1781  DBG(common, "%s is buggy! Expected length %d "
1782  "but we got %d\n", name,
1783  cmnd_size, common->cmnd_size);
1784  cmnd_size = common->cmnd_size;
1785  } else {
1786  common->phase_error = 1;
1787  return -EINVAL;
1788  }
1789  }
1790 
1791  /* Check that the LUN values are consistent */
1792  if (common->lun != lun)
1793  DBG(common, "using LUN %d from CBW, not LUN %d from CDB\n",
1794  common->lun, lun);
1795 
1796  /* Check the LUN */
1797  curlun = common->curlun;
1798  if (curlun) {
1799  if (common->cmnd[0] != REQUEST_SENSE) {
1800  curlun->sense_data = SS_NO_SENSE;
1801  curlun->sense_data_info = 0;
1802  curlun->info_valid = 0;
1803  }
1804  } else {
1805  common->bad_lun_okay = 0;
1806 
1807  /*
1808  * INQUIRY and REQUEST SENSE commands are explicitly allowed
1809  * to use unsupported LUNs; all others may not.
1810  */
1811  if (common->cmnd[0] != INQUIRY &&
1812  common->cmnd[0] != REQUEST_SENSE) {
1813  DBG(common, "unsupported LUN %d\n", common->lun);
1814  return -EINVAL;
1815  }
1816  }
1817 
1818  /*
1819  * If a unit attention condition exists, only INQUIRY and
1820  * REQUEST SENSE commands are allowed; anything else must fail.
1821  */
1822  if (curlun && curlun->unit_attention_data != SS_NO_SENSE &&
1823  common->cmnd[0] != INQUIRY &&
1824  common->cmnd[0] != REQUEST_SENSE) {
1825  curlun->sense_data = curlun->unit_attention_data;
1826  curlun->unit_attention_data = SS_NO_SENSE;
1827  return -EINVAL;
1828  }
1829 
1830  /* Check that only command bytes listed in the mask are non-zero */
1831  common->cmnd[1] &= 0x1f; /* Mask away the LUN */
1832  for (i = 1; i < cmnd_size; ++i) {
1833  if (common->cmnd[i] && !(mask & (1 << i))) {
1834  if (curlun)
1836  return -EINVAL;
1837  }
1838  }
1839 
1840  /* If the medium isn't mounted and the command needs to access
1841  * it, return an error. */
1842  if (curlun && !fsg_lun_is_open(curlun) && needs_medium) {
1844  return -EINVAL;
1845  }
1846 
1847  return 0;
1848 }
1849 
1850 /* wrapper of check_command for data size in blocks handling */
1851 static int check_command_size_in_blocks(struct fsg_common *common,
1852  int cmnd_size, enum data_direction data_dir,
1853  unsigned int mask, int needs_medium, const char *name)
1854 {
1855  if (common->curlun)
1856  common->data_size_from_cmnd <<= common->curlun->blkbits;
1857  return check_command(common, cmnd_size, data_dir,
1858  mask, needs_medium, name);
1859 }
1860 
1861 static int do_scsi_command(struct fsg_common *common)
1862 {
1863  struct fsg_buffhd *bh;
1864  int rc;
1865  int reply = -EINVAL;
1866  int i;
1867  static char unknown[16];
1868 
1869  dump_cdb(common);
1870 
1871  /* Wait for the next buffer to become available for data or status */
1872  bh = common->next_buffhd_to_fill;
1873  common->next_buffhd_to_drain = bh;
1874  while (bh->state != BUF_STATE_EMPTY) {
1875  rc = sleep_thread(common);
1876  if (rc)
1877  return rc;
1878  }
1879  common->phase_error = 0;
1880  common->short_packet_received = 0;
1881 
1882  down_read(&common->filesem); /* We're using the backing file */
1883  switch (common->cmnd[0]) {
1884 
1885  case INQUIRY:
1886  common->data_size_from_cmnd = common->cmnd[4];
1887  reply = check_command(common, 6, DATA_DIR_TO_HOST,
1888  (1<<4), 0,
1889  "INQUIRY");
1890  if (reply == 0)
1891  reply = do_inquiry(common, bh);
1892  break;
1893 
1894  case MODE_SELECT:
1895  common->data_size_from_cmnd = common->cmnd[4];
1896  reply = check_command(common, 6, DATA_DIR_FROM_HOST,
1897  (1<<1) | (1<<4), 0,
1898  "MODE SELECT(6)");
1899  if (reply == 0)
1900  reply = do_mode_select(common, bh);
1901  break;
1902 
1903  case MODE_SELECT_10:
1904  common->data_size_from_cmnd =
1905  get_unaligned_be16(&common->cmnd[7]);
1906  reply = check_command(common, 10, DATA_DIR_FROM_HOST,
1907  (1<<1) | (3<<7), 0,
1908  "MODE SELECT(10)");
1909  if (reply == 0)
1910  reply = do_mode_select(common, bh);
1911  break;
1912 
1913  case MODE_SENSE:
1914  common->data_size_from_cmnd = common->cmnd[4];
1915  reply = check_command(common, 6, DATA_DIR_TO_HOST,
1916  (1<<1) | (1<<2) | (1<<4), 0,
1917  "MODE SENSE(6)");
1918  if (reply == 0)
1919  reply = do_mode_sense(common, bh);
1920  break;
1921 
1922  case MODE_SENSE_10:
1923  common->data_size_from_cmnd =
1924  get_unaligned_be16(&common->cmnd[7]);
1925  reply = check_command(common, 10, DATA_DIR_TO_HOST,
1926  (1<<1) | (1<<2) | (3<<7), 0,
1927  "MODE SENSE(10)");
1928  if (reply == 0)
1929  reply = do_mode_sense(common, bh);
1930  break;
1931 
1932  case ALLOW_MEDIUM_REMOVAL:
1933  common->data_size_from_cmnd = 0;
1934  reply = check_command(common, 6, DATA_DIR_NONE,
1935  (1<<4), 0,
1936  "PREVENT-ALLOW MEDIUM REMOVAL");
1937  if (reply == 0)
1938  reply = do_prevent_allow(common);
1939  break;
1940 
1941  case READ_6:
1942  i = common->cmnd[4];
1943  common->data_size_from_cmnd = (i == 0) ? 256 : i;
1944  reply = check_command_size_in_blocks(common, 6,
1946  (7<<1) | (1<<4), 1,
1947  "READ(6)");
1948  if (reply == 0)
1949  reply = do_read(common);
1950  break;
1951 
1952  case READ_10:
1953  common->data_size_from_cmnd =
1954  get_unaligned_be16(&common->cmnd[7]);
1955  reply = check_command_size_in_blocks(common, 10,
1957  (1<<1) | (0xf<<2) | (3<<7), 1,
1958  "READ(10)");
1959  if (reply == 0)
1960  reply = do_read(common);
1961  break;
1962 
1963  case READ_12:
1964  common->data_size_from_cmnd =
1965  get_unaligned_be32(&common->cmnd[6]);
1966  reply = check_command_size_in_blocks(common, 12,
1968  (1<<1) | (0xf<<2) | (0xf<<6), 1,
1969  "READ(12)");
1970  if (reply == 0)
1971  reply = do_read(common);
1972  break;
1973 
1974  case READ_CAPACITY:
1975  common->data_size_from_cmnd = 8;
1976  reply = check_command(common, 10, DATA_DIR_TO_HOST,
1977  (0xf<<2) | (1<<8), 1,
1978  "READ CAPACITY");
1979  if (reply == 0)
1980  reply = do_read_capacity(common, bh);
1981  break;
1982 
1983  case READ_HEADER:
1984  if (!common->curlun || !common->curlun->cdrom)
1985  goto unknown_cmnd;
1986  common->data_size_from_cmnd =
1987  get_unaligned_be16(&common->cmnd[7]);
1988  reply = check_command(common, 10, DATA_DIR_TO_HOST,
1989  (3<<7) | (0x1f<<1), 1,
1990  "READ HEADER");
1991  if (reply == 0)
1992  reply = do_read_header(common, bh);
1993  break;
1994 
1995  case READ_TOC:
1996  if (!common->curlun || !common->curlun->cdrom)
1997  goto unknown_cmnd;
1998  common->data_size_from_cmnd =
1999  get_unaligned_be16(&common->cmnd[7]);
2000  reply = check_command(common, 10, DATA_DIR_TO_HOST,
2001  (7<<6) | (1<<1), 1,
2002  "READ TOC");
2003  if (reply == 0)
2004  reply = do_read_toc(common, bh);
2005  break;
2006 
2008  common->data_size_from_cmnd =
2009  get_unaligned_be16(&common->cmnd[7]);
2010  reply = check_command(common, 10, DATA_DIR_TO_HOST,
2011  (3<<7), 1,
2012  "READ FORMAT CAPACITIES");
2013  if (reply == 0)
2014  reply = do_read_format_capacities(common, bh);
2015  break;
2016 
2017  case REQUEST_SENSE:
2018  common->data_size_from_cmnd = common->cmnd[4];
2019  reply = check_command(common, 6, DATA_DIR_TO_HOST,
2020  (1<<4), 0,
2021  "REQUEST SENSE");
2022  if (reply == 0)
2023  reply = do_request_sense(common, bh);
2024  break;
2025 
2026  case START_STOP:
2027  common->data_size_from_cmnd = 0;
2028  reply = check_command(common, 6, DATA_DIR_NONE,
2029  (1<<1) | (1<<4), 0,
2030  "START-STOP UNIT");
2031  if (reply == 0)
2032  reply = do_start_stop(common);
2033  break;
2034 
2035  case SYNCHRONIZE_CACHE:
2036  common->data_size_from_cmnd = 0;
2037  reply = check_command(common, 10, DATA_DIR_NONE,
2038  (0xf<<2) | (3<<7), 1,
2039  "SYNCHRONIZE CACHE");
2040  if (reply == 0)
2041  reply = do_synchronize_cache(common);
2042  break;
2043 
2044  case TEST_UNIT_READY:
2045  common->data_size_from_cmnd = 0;
2046  reply = check_command(common, 6, DATA_DIR_NONE,
2047  0, 1,
2048  "TEST UNIT READY");
2049  break;
2050 
2051  /*
2052  * Although optional, this command is used by MS-Windows. We
2053  * support a minimal version: BytChk must be 0.
2054  */
2055  case VERIFY:
2056  common->data_size_from_cmnd = 0;
2057  reply = check_command(common, 10, DATA_DIR_NONE,
2058  (1<<1) | (0xf<<2) | (3<<7), 1,
2059  "VERIFY");
2060  if (reply == 0)
2061  reply = do_verify(common);
2062  break;
2063 
2064  case WRITE_6:
2065  i = common->cmnd[4];
2066  common->data_size_from_cmnd = (i == 0) ? 256 : i;
2067  reply = check_command_size_in_blocks(common, 6,
2069  (7<<1) | (1<<4), 1,
2070  "WRITE(6)");
2071  if (reply == 0)
2072  reply = do_write(common);
2073  break;
2074 
2075  case WRITE_10:
2076  common->data_size_from_cmnd =
2077  get_unaligned_be16(&common->cmnd[7]);
2078  reply = check_command_size_in_blocks(common, 10,
2080  (1<<1) | (0xf<<2) | (3<<7), 1,
2081  "WRITE(10)");
2082  if (reply == 0)
2083  reply = do_write(common);
2084  break;
2085 
2086  case WRITE_12:
2087  common->data_size_from_cmnd =
2088  get_unaligned_be32(&common->cmnd[6]);
2089  reply = check_command_size_in_blocks(common, 12,
2091  (1<<1) | (0xf<<2) | (0xf<<6), 1,
2092  "WRITE(12)");
2093  if (reply == 0)
2094  reply = do_write(common);
2095  break;
2096 
2097  /*
2098  * Some mandatory commands that we recognize but don't implement.
2099  * They don't mean much in this setting. It's left as an exercise
2100  * for anyone interested to implement RESERVE and RELEASE in terms
2101  * of Posix locks.
2102  */
2103  case FORMAT_UNIT:
2104  case RELEASE:
2105  case RESERVE:
2106  case SEND_DIAGNOSTIC:
2107  /* Fall through */
2108 
2109  default:
2110 unknown_cmnd:
2111  common->data_size_from_cmnd = 0;
2112  sprintf(unknown, "Unknown x%02x", common->cmnd[0]);
2113  reply = check_command(common, common->cmnd_size,
2114  DATA_DIR_UNKNOWN, ~0, 0, unknown);
2115  if (reply == 0) {
2116  common->curlun->sense_data = SS_INVALID_COMMAND;
2117  reply = -EINVAL;
2118  }
2119  break;
2120  }
2121  up_read(&common->filesem);
2122 
2123  if (reply == -EINTR || signal_pending(current))
2124  return -EINTR;
2125 
2126  /* Set up the single reply buffer for finish_reply() */
2127  if (reply == -EINVAL)
2128  reply = 0; /* Error reply length */
2129  if (reply >= 0 && common->data_dir == DATA_DIR_TO_HOST) {
2130  reply = min((u32)reply, common->data_size_from_cmnd);
2131  bh->inreq->length = reply;
2132  bh->state = BUF_STATE_FULL;
2133  common->residue -= reply;
2134  } /* Otherwise it's already set */
2135 
2136  return 0;
2137 }
2138 
2139 
2140 /*-------------------------------------------------------------------------*/
2141 
2142 static int received_cbw(struct fsg_dev *fsg, struct fsg_buffhd *bh)
2143 {
2144  struct usb_request *req = bh->outreq;
2145  struct bulk_cb_wrap *cbw = req->buf;
2146  struct fsg_common *common = fsg->common;
2147 
2148  /* Was this a real packet? Should it be ignored? */
2149  if (req->status || test_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags))
2150  return -EINVAL;
2151 
2152  /* Is the CBW valid? */
2153  if (req->actual != US_BULK_CB_WRAP_LEN ||
2154  cbw->Signature != cpu_to_le32(
2155  US_BULK_CB_SIGN)) {
2156  DBG(fsg, "invalid CBW: len %u sig 0x%x\n",
2157  req->actual,
2158  le32_to_cpu(cbw->Signature));
2159 
2160  /*
2161  * The Bulk-only spec says we MUST stall the IN endpoint
2162  * (6.6.1), so it's unavoidable. It also says we must
2163  * retain this state until the next reset, but there's
2164  * no way to tell the controller driver it should ignore
2165  * Clear-Feature(HALT) requests.
2166  *
2167  * We aren't required to halt the OUT endpoint; instead
2168  * we can simply accept and discard any data received
2169  * until the next reset.
2170  */
2171  wedge_bulk_in_endpoint(fsg);
2173  return -EINVAL;
2174  }
2175 
2176  /* Is the CBW meaningful? */
2177  if (cbw->Lun >= FSG_MAX_LUNS || cbw->Flags & ~US_BULK_FLAG_IN ||
2178  cbw->Length <= 0 || cbw->Length > MAX_COMMAND_SIZE) {
2179  DBG(fsg, "non-meaningful CBW: lun = %u, flags = 0x%x, "
2180  "cmdlen %u\n",
2181  cbw->Lun, cbw->Flags, cbw->Length);
2182 
2183  /*
2184  * We can do anything we want here, so let's stall the
2185  * bulk pipes if we are allowed to.
2186  */
2187  if (common->can_stall) {
2188  fsg_set_halt(fsg, fsg->bulk_out);
2189  halt_bulk_in_endpoint(fsg);
2190  }
2191  return -EINVAL;
2192  }
2193 
2194  /* Save the command for later */
2195  common->cmnd_size = cbw->Length;
2196  memcpy(common->cmnd, cbw->CDB, common->cmnd_size);
2197  if (cbw->Flags & US_BULK_FLAG_IN)
2198  common->data_dir = DATA_DIR_TO_HOST;
2199  else
2200  common->data_dir = DATA_DIR_FROM_HOST;
2201  common->data_size = le32_to_cpu(cbw->DataTransferLength);
2202  if (common->data_size == 0)
2203  common->data_dir = DATA_DIR_NONE;
2204  common->lun = cbw->Lun;
2205  if (common->lun >= 0 && common->lun < common->nluns)
2206  common->curlun = &common->luns[common->lun];
2207  else
2208  common->curlun = NULL;
2209  common->tag = cbw->Tag;
2210  return 0;
2211 }
2212 
2213 static int get_next_command(struct fsg_common *common)
2214 {
2215  struct fsg_buffhd *bh;
2216  int rc = 0;
2217 
2218  /* Wait for the next buffer to become available */
2219  bh = common->next_buffhd_to_fill;
2220  while (bh->state != BUF_STATE_EMPTY) {
2221  rc = sleep_thread(common);
2222  if (rc)
2223  return rc;
2224  }
2225 
2226  /* Queue a request to read a Bulk-only CBW */
2227  set_bulk_out_req_length(common, bh, US_BULK_CB_WRAP_LEN);
2228  if (!start_out_transfer(common, bh))
2229  /* Don't know what to do if common->fsg is NULL */
2230  return -EIO;
2231 
2232  /*
2233  * We will drain the buffer in software, which means we
2234  * can reuse it for the next filling. No need to advance
2235  * next_buffhd_to_fill.
2236  */
2237 
2238  /* Wait for the CBW to arrive */
2239  while (bh->state != BUF_STATE_FULL) {
2240  rc = sleep_thread(common);
2241  if (rc)
2242  return rc;
2243  }
2244  smp_rmb();
2245  rc = fsg_is_set(common) ? received_cbw(common->fsg, bh) : -EIO;
2246  bh->state = BUF_STATE_EMPTY;
2247 
2248  return rc;
2249 }
2250 
2251 
2252 /*-------------------------------------------------------------------------*/
2253 
2254 static int alloc_request(struct fsg_common *common, struct usb_ep *ep,
2255  struct usb_request **preq)
2256 {
2257  *preq = usb_ep_alloc_request(ep, GFP_ATOMIC);
2258  if (*preq)
2259  return 0;
2260  ERROR(common, "can't allocate request for %s\n", ep->name);
2261  return -ENOMEM;
2262 }
2263 
2264 /* Reset interface setting and re-init endpoint state (toggle etc). */
2265 static int do_set_interface(struct fsg_common *common, struct fsg_dev *new_fsg)
2266 {
2267  struct fsg_dev *fsg;
2268  int i, rc = 0;
2269 
2270  if (common->running)
2271  DBG(common, "reset interface\n");
2272 
2273 reset:
2274  /* Deallocate the requests */
2275  if (common->fsg) {
2276  fsg = common->fsg;
2277 
2278  for (i = 0; i < fsg_num_buffers; ++i) {
2279  struct fsg_buffhd *bh = &common->buffhds[i];
2280 
2281  if (bh->inreq) {
2282  usb_ep_free_request(fsg->bulk_in, bh->inreq);
2283  bh->inreq = NULL;
2284  }
2285  if (bh->outreq) {
2286  usb_ep_free_request(fsg->bulk_out, bh->outreq);
2287  bh->outreq = NULL;
2288  }
2289  }
2290 
2291  /* Disable the endpoints */
2292  if (fsg->bulk_in_enabled) {
2293  usb_ep_disable(fsg->bulk_in);
2294  fsg->bulk_in_enabled = 0;
2295  }
2296  if (fsg->bulk_out_enabled) {
2297  usb_ep_disable(fsg->bulk_out);
2298  fsg->bulk_out_enabled = 0;
2299  }
2300 
2301  common->fsg = NULL;
2302  wake_up(&common->fsg_wait);
2303  }
2304 
2305  common->running = 0;
2306  if (!new_fsg || rc)
2307  return rc;
2308 
2309  common->fsg = new_fsg;
2310  fsg = common->fsg;
2311 
2312  /* Enable the endpoints */
2313  rc = config_ep_by_speed(common->gadget, &(fsg->function), fsg->bulk_in);
2314  if (rc)
2315  goto reset;
2316  rc = usb_ep_enable(fsg->bulk_in);
2317  if (rc)
2318  goto reset;
2319  fsg->bulk_in->driver_data = common;
2320  fsg->bulk_in_enabled = 1;
2321 
2322  rc = config_ep_by_speed(common->gadget, &(fsg->function),
2323  fsg->bulk_out);
2324  if (rc)
2325  goto reset;
2326  rc = usb_ep_enable(fsg->bulk_out);
2327  if (rc)
2328  goto reset;
2329  fsg->bulk_out->driver_data = common;
2330  fsg->bulk_out_enabled = 1;
2331  common->bulk_out_maxpacket = usb_endpoint_maxp(fsg->bulk_out->desc);
2333 
2334  /* Allocate the requests */
2335  for (i = 0; i < fsg_num_buffers; ++i) {
2336  struct fsg_buffhd *bh = &common->buffhds[i];
2337 
2338  rc = alloc_request(common, fsg->bulk_in, &bh->inreq);
2339  if (rc)
2340  goto reset;
2341  rc = alloc_request(common, fsg->bulk_out, &bh->outreq);
2342  if (rc)
2343  goto reset;
2344  bh->inreq->buf = bh->outreq->buf = bh->buf;
2345  bh->inreq->context = bh->outreq->context = bh;
2346  bh->inreq->complete = bulk_in_complete;
2347  bh->outreq->complete = bulk_out_complete;
2348  }
2349 
2350  common->running = 1;
2351  for (i = 0; i < common->nluns; ++i)
2352  common->luns[i].unit_attention_data = SS_RESET_OCCURRED;
2353  return rc;
2354 }
2355 
2356 
2357 /****************************** ALT CONFIGS ******************************/
2358 
2359 static int fsg_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
2360 {
2361  struct fsg_dev *fsg = fsg_from_func(f);
2362  fsg->common->new_fsg = fsg;
2363  raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE);
2365 }
2366 
2367 static void fsg_disable(struct usb_function *f)
2368 {
2369  struct fsg_dev *fsg = fsg_from_func(f);
2370  fsg->common->new_fsg = NULL;
2371  raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE);
2372 }
2373 
2374 
2375 /*-------------------------------------------------------------------------*/
2376 
2377 static void handle_exception(struct fsg_common *common)
2378 {
2379  siginfo_t info;
2380  int i;
2381  struct fsg_buffhd *bh;
2382  enum fsg_state old_state;
2383  struct fsg_lun *curlun;
2384  unsigned int exception_req_tag;
2385 
2386  /*
2387  * Clear the existing signals. Anything but SIGUSR1 is converted
2388  * into a high-priority EXIT exception.
2389  */
2390  for (;;) {
2391  int sig =
2392  dequeue_signal_lock(current, &current->blocked, &info);
2393  if (!sig)
2394  break;
2395  if (sig != SIGUSR1) {
2396  if (common->state < FSG_STATE_EXIT)
2397  DBG(common, "Main thread exiting on signal\n");
2398  raise_exception(common, FSG_STATE_EXIT);
2399  }
2400  }
2401 
2402  /* Cancel all the pending transfers */
2403  if (likely(common->fsg)) {
2404  for (i = 0; i < fsg_num_buffers; ++i) {
2405  bh = &common->buffhds[i];
2406  if (bh->inreq_busy)
2407  usb_ep_dequeue(common->fsg->bulk_in, bh->inreq);
2408  if (bh->outreq_busy)
2409  usb_ep_dequeue(common->fsg->bulk_out,
2410  bh->outreq);
2411  }
2412 
2413  /* Wait until everything is idle */
2414  for (;;) {
2415  int num_active = 0;
2416  for (i = 0; i < fsg_num_buffers; ++i) {
2417  bh = &common->buffhds[i];
2418  num_active += bh->inreq_busy + bh->outreq_busy;
2419  }
2420  if (num_active == 0)
2421  break;
2422  if (sleep_thread(common))
2423  return;
2424  }
2425 
2426  /* Clear out the controller's fifos */
2427  if (common->fsg->bulk_in_enabled)
2428  usb_ep_fifo_flush(common->fsg->bulk_in);
2429  if (common->fsg->bulk_out_enabled)
2430  usb_ep_fifo_flush(common->fsg->bulk_out);
2431  }
2432 
2433  /*
2434  * Reset the I/O buffer states and pointers, the SCSI
2435  * state, and the exception. Then invoke the handler.
2436  */
2437  spin_lock_irq(&common->lock);
2438 
2439  for (i = 0; i < fsg_num_buffers; ++i) {
2440  bh = &common->buffhds[i];
2441  bh->state = BUF_STATE_EMPTY;
2442  }
2443  common->next_buffhd_to_fill = &common->buffhds[0];
2444  common->next_buffhd_to_drain = &common->buffhds[0];
2445  exception_req_tag = common->exception_req_tag;
2446  old_state = common->state;
2447 
2448  if (old_state == FSG_STATE_ABORT_BULK_OUT)
2449  common->state = FSG_STATE_STATUS_PHASE;
2450  else {
2451  for (i = 0; i < common->nluns; ++i) {
2452  curlun = &common->luns[i];
2453  curlun->prevent_medium_removal = 0;
2454  curlun->sense_data = SS_NO_SENSE;
2455  curlun->unit_attention_data = SS_NO_SENSE;
2456  curlun->sense_data_info = 0;
2457  curlun->info_valid = 0;
2458  }
2459  common->state = FSG_STATE_IDLE;
2460  }
2461  spin_unlock_irq(&common->lock);
2462 
2463  /* Carry out any extra actions required for the exception */
2464  switch (old_state) {
2466  send_status(common);
2467  spin_lock_irq(&common->lock);
2468  if (common->state == FSG_STATE_STATUS_PHASE)
2469  common->state = FSG_STATE_IDLE;
2470  spin_unlock_irq(&common->lock);
2471  break;
2472 
2473  case FSG_STATE_RESET:
2474  /*
2475  * In case we were forced against our will to halt a
2476  * bulk endpoint, clear the halt now. (The SuperH UDC
2477  * requires this.)
2478  */
2479  if (!fsg_is_set(common))
2480  break;
2482  &common->fsg->atomic_bitflags))
2483  usb_ep_clear_halt(common->fsg->bulk_in);
2484 
2485  if (common->ep0_req_tag == exception_req_tag)
2486  ep0_queue(common); /* Complete the status stage */
2487 
2488  /*
2489  * Technically this should go here, but it would only be
2490  * a waste of time. Ditto for the INTERFACE_CHANGE and
2491  * CONFIG_CHANGE cases.
2492  */
2493  /* for (i = 0; i < common->nluns; ++i) */
2494  /* common->luns[i].unit_attention_data = */
2495  /* SS_RESET_OCCURRED; */
2496  break;
2497 
2499  do_set_interface(common, common->new_fsg);
2500  if (common->new_fsg)
2502  break;
2503 
2504  case FSG_STATE_EXIT:
2505  case FSG_STATE_TERMINATED:
2506  do_set_interface(common, NULL); /* Free resources */
2507  spin_lock_irq(&common->lock);
2508  common->state = FSG_STATE_TERMINATED; /* Stop the thread */
2509  spin_unlock_irq(&common->lock);
2510  break;
2511 
2513  case FSG_STATE_DISCONNECT:
2515  case FSG_STATE_DATA_PHASE:
2517  case FSG_STATE_IDLE:
2518  break;
2519  }
2520 }
2521 
2522 
2523 /*-------------------------------------------------------------------------*/
2524 
2525 static int fsg_main_thread(void *common_)
2526 {
2527  struct fsg_common *common = common_;
2528 
2529  /*
2530  * Allow the thread to be killed by a signal, but set the signal mask
2531  * to block everything but INT, TERM, KILL, and USR1.
2532  */
2537 
2538  /* Allow the thread to be frozen */
2539  set_freezable();
2540 
2541  /*
2542  * Arrange for userspace references to be interpreted as kernel
2543  * pointers. That way we can pass a kernel pointer to a routine
2544  * that expects a __user pointer and it will work okay.
2545  */
2546  set_fs(get_ds());
2547 
2548  /* The main loop */
2549  while (common->state != FSG_STATE_TERMINATED) {
2550  if (exception_in_progress(common) || signal_pending(current)) {
2551  handle_exception(common);
2552  continue;
2553  }
2554 
2555  if (!common->running) {
2556  sleep_thread(common);
2557  continue;
2558  }
2559 
2560  if (get_next_command(common))
2561  continue;
2562 
2563  spin_lock_irq(&common->lock);
2564  if (!exception_in_progress(common))
2565  common->state = FSG_STATE_DATA_PHASE;
2566  spin_unlock_irq(&common->lock);
2567 
2568  if (do_scsi_command(common) || finish_reply(common))
2569  continue;
2570 
2571  spin_lock_irq(&common->lock);
2572  if (!exception_in_progress(common))
2573  common->state = FSG_STATE_STATUS_PHASE;
2574  spin_unlock_irq(&common->lock);
2575 
2576  if (send_status(common))
2577  continue;
2578 
2579  spin_lock_irq(&common->lock);
2580  if (!exception_in_progress(common))
2581  common->state = FSG_STATE_IDLE;
2582  spin_unlock_irq(&common->lock);
2583  }
2584 
2585  spin_lock_irq(&common->lock);
2586  common->thread_task = NULL;
2587  spin_unlock_irq(&common->lock);
2588 
2589  if (!common->ops || !common->ops->thread_exits
2590  || common->ops->thread_exits(common) < 0) {
2591  struct fsg_lun *curlun = common->luns;
2592  unsigned i = common->nluns;
2593 
2594  down_write(&common->filesem);
2595  for (; i--; ++curlun) {
2596  if (!fsg_lun_is_open(curlun))
2597  continue;
2598 
2599  fsg_lun_close(curlun);
2601  }
2602  up_write(&common->filesem);
2603  }
2604 
2605  /* Let fsg_unbind() know the thread has exited */
2606  complete_and_exit(&common->thread_notifier, 0);
2607 }
2608 
2609 
2610 /*************************** DEVICE ATTRIBUTES ***************************/
2611 
2612 static DEVICE_ATTR(ro, 0644, fsg_show_ro, fsg_store_ro);
2613 static DEVICE_ATTR(nofua, 0644, fsg_show_nofua, fsg_store_nofua);
2614 static DEVICE_ATTR(file, 0644, fsg_show_file, fsg_store_file);
2615 
2616 static struct device_attribute dev_attr_ro_cdrom =
2617  __ATTR(ro, 0444, fsg_show_ro, NULL);
2618 static struct device_attribute dev_attr_file_nonremovable =
2619  __ATTR(file, 0444, fsg_show_file, NULL);
2620 
2621 
2622 /****************************** FSG COMMON ******************************/
2623 
2624 static void fsg_common_release(struct kref *ref);
2625 
2626 static void fsg_lun_release(struct device *dev)
2627 {
2628  /* Nothing needs to be done */
2629 }
2630 
2631 static inline void fsg_common_get(struct fsg_common *common)
2632 {
2633  kref_get(&common->ref);
2634 }
2635 
2636 static inline void fsg_common_put(struct fsg_common *common)
2637 {
2638  kref_put(&common->ref, fsg_common_release);
2639 }
2640 
2641 static struct fsg_common *fsg_common_init(struct fsg_common *common,
2642  struct usb_composite_dev *cdev,
2643  struct fsg_config *cfg)
2644 {
2645  struct usb_gadget *gadget = cdev->gadget;
2646  struct fsg_buffhd *bh;
2647  struct fsg_lun *curlun;
2648  struct fsg_lun_config *lcfg;
2649  int nluns, i, rc;
2650  char *pathbuf;
2651 
2652  rc = fsg_num_buffers_validate();
2653  if (rc != 0)
2654  return ERR_PTR(rc);
2655 
2656  /* Find out how many LUNs there should be */
2657  nluns = cfg->nluns;
2658  if (nluns < 1 || nluns > FSG_MAX_LUNS) {
2659  dev_err(&gadget->dev, "invalid number of LUNs: %u\n", nluns);
2660  return ERR_PTR(-EINVAL);
2661  }
2662 
2663  /* Allocate? */
2664  if (!common) {
2665  common = kzalloc(sizeof *common, GFP_KERNEL);
2666  if (!common)
2667  return ERR_PTR(-ENOMEM);
2668  common->free_storage_on_release = 1;
2669  } else {
2670  memset(common, 0, sizeof *common);
2671  common->free_storage_on_release = 0;
2672  }
2673 
2674  common->buffhds = kcalloc(fsg_num_buffers,
2675  sizeof *(common->buffhds), GFP_KERNEL);
2676  if (!common->buffhds) {
2677  if (common->free_storage_on_release)
2678  kfree(common);
2679  return ERR_PTR(-ENOMEM);
2680  }
2681 
2682  common->ops = cfg->ops;
2683  common->private_data = cfg->private_data;
2684 
2685  common->gadget = gadget;
2686  common->ep0 = gadget->ep0;
2687  common->ep0req = cdev->req;
2688  common->cdev = cdev;
2689 
2690  /* Maybe allocate device-global string IDs, and patch descriptors */
2691  if (fsg_strings[FSG_STRING_INTERFACE].id == 0) {
2692  rc = usb_string_id(cdev);
2693  if (unlikely(rc < 0))
2694  goto error_release;
2695  fsg_strings[FSG_STRING_INTERFACE].id = rc;
2696  fsg_intf_desc.iInterface = rc;
2697  }
2698 
2699  /*
2700  * Create the LUNs, open their backing files, and register the
2701  * LUN devices in sysfs.
2702  */
2703  curlun = kcalloc(nluns, sizeof(*curlun), GFP_KERNEL);
2704  if (unlikely(!curlun)) {
2705  rc = -ENOMEM;
2706  goto error_release;
2707  }
2708  common->luns = curlun;
2709 
2710  init_rwsem(&common->filesem);
2711 
2712  for (i = 0, lcfg = cfg->luns; i < nluns; ++i, ++curlun, ++lcfg) {
2713  curlun->cdrom = !!lcfg->cdrom;
2714  curlun->ro = lcfg->cdrom || lcfg->ro;
2715  curlun->initially_ro = curlun->ro;
2716  curlun->removable = lcfg->removable;
2717  curlun->dev.release = fsg_lun_release;
2718  curlun->dev.parent = &gadget->dev;
2719  /* curlun->dev.driver = &fsg_driver.driver; XXX */
2720  dev_set_drvdata(&curlun->dev, &common->filesem);
2721  dev_set_name(&curlun->dev, "lun%d", i);
2722 
2723  rc = device_register(&curlun->dev);
2724  if (rc) {
2725  INFO(common, "failed to register LUN%d: %d\n", i, rc);
2726  common->nluns = i;
2727  put_device(&curlun->dev);
2728  goto error_release;
2729  }
2730 
2731  rc = device_create_file(&curlun->dev,
2732  curlun->cdrom
2733  ? &dev_attr_ro_cdrom
2734  : &dev_attr_ro);
2735  if (rc)
2736  goto error_luns;
2737  rc = device_create_file(&curlun->dev,
2738  curlun->removable
2739  ? &dev_attr_file
2740  : &dev_attr_file_nonremovable);
2741  if (rc)
2742  goto error_luns;
2743  rc = device_create_file(&curlun->dev, &dev_attr_nofua);
2744  if (rc)
2745  goto error_luns;
2746 
2747  if (lcfg->filename) {
2748  rc = fsg_lun_open(curlun, lcfg->filename);
2749  if (rc)
2750  goto error_luns;
2751  } else if (!curlun->removable) {
2752  ERROR(common, "no file given for LUN%d\n", i);
2753  rc = -EINVAL;
2754  goto error_luns;
2755  }
2756  }
2757  common->nluns = nluns;
2758 
2759  /* Data buffers cyclic list */
2760  bh = common->buffhds;
2761  i = fsg_num_buffers;
2762  goto buffhds_first_it;
2763  do {
2764  bh->next = bh + 1;
2765  ++bh;
2766 buffhds_first_it:
2767  bh->buf = kmalloc(FSG_BUFLEN, GFP_KERNEL);
2768  if (unlikely(!bh->buf)) {
2769  rc = -ENOMEM;
2770  goto error_release;
2771  }
2772  } while (--i);
2773  bh->next = common->buffhds;
2774 
2775  /* Prepare inquiryString */
2776  if (cfg->release != 0xffff) {
2777  i = cfg->release;
2778  } else {
2779  i = usb_gadget_controller_number(gadget);
2780  if (i >= 0) {
2781  i = 0x0300 + i;
2782  } else {
2783  WARNING(common, "controller '%s' not recognized\n",
2784  gadget->name);
2785  i = 0x0399;
2786  }
2787  }
2788  snprintf(common->inquiry_string, sizeof common->inquiry_string,
2789  "%-8s%-16s%04x", cfg->vendor_name ?: "Linux",
2790  /* Assume product name dependent on the first LUN */
2791  cfg->product_name ?: (common->luns->cdrom
2792  ? "File-Stor Gadget"
2793  : "File-CD Gadget"),
2794  i);
2795 
2796  /*
2797  * Some peripheral controllers are known not to be able to
2798  * halt bulk endpoints correctly. If one of them is present,
2799  * disable stalls.
2800  */
2801  common->can_stall = cfg->can_stall &&
2802  !(gadget_is_at91(common->gadget));
2803 
2804  spin_lock_init(&common->lock);
2805  kref_init(&common->ref);
2806 
2807  /* Tell the thread to start working */
2808  common->thread_task =
2809  kthread_create(fsg_main_thread, common, "file-storage");
2810  if (IS_ERR(common->thread_task)) {
2811  rc = PTR_ERR(common->thread_task);
2812  goto error_release;
2813  }
2814  init_completion(&common->thread_notifier);
2815  init_waitqueue_head(&common->fsg_wait);
2816 
2817  /* Information */
2818  INFO(common, FSG_DRIVER_DESC ", version: " FSG_DRIVER_VERSION "\n");
2819  INFO(common, "Number of LUNs=%d\n", common->nluns);
2820 
2821  pathbuf = kmalloc(PATH_MAX, GFP_KERNEL);
2822  for (i = 0, nluns = common->nluns, curlun = common->luns;
2823  i < nluns;
2824  ++curlun, ++i) {
2825  char *p = "(no medium)";
2826  if (fsg_lun_is_open(curlun)) {
2827  p = "(error)";
2828  if (pathbuf) {
2829  p = d_path(&curlun->filp->f_path,
2830  pathbuf, PATH_MAX);
2831  if (IS_ERR(p))
2832  p = "(error)";
2833  }
2834  }
2835  LINFO(curlun, "LUN: %s%s%sfile: %s\n",
2836  curlun->removable ? "removable " : "",
2837  curlun->ro ? "read only " : "",
2838  curlun->cdrom ? "CD-ROM " : "",
2839  p);
2840  }
2841  kfree(pathbuf);
2842 
2843  DBG(common, "I/O thread pid: %d\n", task_pid_nr(common->thread_task));
2844 
2845  wake_up_process(common->thread_task);
2846 
2847  return common;
2848 
2849 error_luns:
2850  common->nluns = i + 1;
2851 error_release:
2852  common->state = FSG_STATE_TERMINATED; /* The thread is dead */
2853  /* Call fsg_common_release() directly, ref might be not initialised. */
2854  fsg_common_release(&common->ref);
2855  return ERR_PTR(rc);
2856 }
2857 
2858 static void fsg_common_release(struct kref *ref)
2859 {
2860  struct fsg_common *common = container_of(ref, struct fsg_common, ref);
2861 
2862  /* If the thread isn't already dead, tell it to exit now */
2863  if (common->state != FSG_STATE_TERMINATED) {
2864  raise_exception(common, FSG_STATE_EXIT);
2866  }
2867 
2868  if (likely(common->luns)) {
2869  struct fsg_lun *lun = common->luns;
2870  unsigned i = common->nluns;
2871 
2872  /* In error recovery common->nluns may be zero. */
2873  for (; i; --i, ++lun) {
2874  device_remove_file(&lun->dev, &dev_attr_nofua);
2875  device_remove_file(&lun->dev,
2876  lun->cdrom
2877  ? &dev_attr_ro_cdrom
2878  : &dev_attr_ro);
2879  device_remove_file(&lun->dev,
2880  lun->removable
2881  ? &dev_attr_file
2882  : &dev_attr_file_nonremovable);
2883  fsg_lun_close(lun);
2884  device_unregister(&lun->dev);
2885  }
2886 
2887  kfree(common->luns);
2888  }
2889 
2890  {
2891  struct fsg_buffhd *bh = common->buffhds;
2892  unsigned i = fsg_num_buffers;
2893  do {
2894  kfree(bh->buf);
2895  } while (++bh, --i);
2896  }
2897 
2898  kfree(common->buffhds);
2899  if (common->free_storage_on_release)
2900  kfree(common);
2901 }
2902 
2903 
2904 /*-------------------------------------------------------------------------*/
2905 
2906 static void fsg_unbind(struct usb_configuration *c, struct usb_function *f)
2907 {
2908  struct fsg_dev *fsg = fsg_from_func(f);
2909  struct fsg_common *common = fsg->common;
2910 
2911  DBG(fsg, "unbind\n");
2912  if (fsg->common->fsg == fsg) {
2913  fsg->common->new_fsg = NULL;
2914  raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE);
2915  /* FIXME: make interruptible or killable somehow? */
2916  wait_event(common->fsg_wait, common->fsg != fsg);
2917  }
2918 
2919  fsg_common_put(common);
2920  usb_free_descriptors(fsg->function.descriptors);
2921  usb_free_descriptors(fsg->function.hs_descriptors);
2922  usb_free_descriptors(fsg->function.ss_descriptors);
2923  kfree(fsg);
2924 }
2925 
2926 static int fsg_bind(struct usb_configuration *c, struct usb_function *f)
2927 {
2928  struct fsg_dev *fsg = fsg_from_func(f);
2929  struct usb_gadget *gadget = c->cdev->gadget;
2930  int i;
2931  struct usb_ep *ep;
2932 
2933  fsg->gadget = gadget;
2934 
2935  /* New interface */
2936  i = usb_interface_id(c, f);
2937  if (i < 0)
2938  return i;
2939  fsg_intf_desc.bInterfaceNumber = i;
2940  fsg->interface_number = i;
2941 
2942  /* Find all the endpoints we will use */
2943  ep = usb_ep_autoconfig(gadget, &fsg_fs_bulk_in_desc);
2944  if (!ep)
2945  goto autoconf_fail;
2946  ep->driver_data = fsg->common; /* claim the endpoint */
2947  fsg->bulk_in = ep;
2948 
2949  ep = usb_ep_autoconfig(gadget, &fsg_fs_bulk_out_desc);
2950  if (!ep)
2951  goto autoconf_fail;
2952  ep->driver_data = fsg->common; /* claim the endpoint */
2953  fsg->bulk_out = ep;
2954 
2955  /* Copy descriptors */
2956  f->descriptors = usb_copy_descriptors(fsg_fs_function);
2957  if (unlikely(!f->descriptors))
2958  return -ENOMEM;
2959 
2960  if (gadget_is_dualspeed(gadget)) {
2961  /* Assume endpoint addresses are the same for both speeds */
2962  fsg_hs_bulk_in_desc.bEndpointAddress =
2963  fsg_fs_bulk_in_desc.bEndpointAddress;
2964  fsg_hs_bulk_out_desc.bEndpointAddress =
2965  fsg_fs_bulk_out_desc.bEndpointAddress;
2966  f->hs_descriptors = usb_copy_descriptors(fsg_hs_function);
2967  if (unlikely(!f->hs_descriptors)) {
2968  usb_free_descriptors(f->descriptors);
2969  return -ENOMEM;
2970  }
2971  }
2972 
2973  if (gadget_is_superspeed(gadget)) {
2974  unsigned max_burst;
2975 
2976  /* Calculate bMaxBurst, we know packet size is 1024 */
2977  max_burst = min_t(unsigned, FSG_BUFLEN / 1024, 15);
2978 
2979  fsg_ss_bulk_in_desc.bEndpointAddress =
2980  fsg_fs_bulk_in_desc.bEndpointAddress;
2981  fsg_ss_bulk_in_comp_desc.bMaxBurst = max_burst;
2982 
2983  fsg_ss_bulk_out_desc.bEndpointAddress =
2984  fsg_fs_bulk_out_desc.bEndpointAddress;
2985  fsg_ss_bulk_out_comp_desc.bMaxBurst = max_burst;
2986 
2987  f->ss_descriptors = usb_copy_descriptors(fsg_ss_function);
2988  if (unlikely(!f->ss_descriptors)) {
2989  usb_free_descriptors(f->hs_descriptors);
2990  usb_free_descriptors(f->descriptors);
2991  return -ENOMEM;
2992  }
2993  }
2994 
2995  return 0;
2996 
2997 autoconf_fail:
2998  ERROR(fsg, "unable to autoconfigure all endpoints\n");
2999  return -ENOTSUPP;
3000 }
3001 
3002 
3003 /****************************** ADD FUNCTION ******************************/
3004 
3005 static struct usb_gadget_strings *fsg_strings_array[] = {
3006  &fsg_stringtab,
3007  NULL,
3008 };
3009 
3010 static int fsg_bind_config(struct usb_composite_dev *cdev,
3011  struct usb_configuration *c,
3012  struct fsg_common *common)
3013 {
3014  struct fsg_dev *fsg;
3015  int rc;
3016 
3017  fsg = kzalloc(sizeof *fsg, GFP_KERNEL);
3018  if (unlikely(!fsg))
3019  return -ENOMEM;
3020 
3021  fsg->function.name = FSG_DRIVER_DESC;
3022  fsg->function.strings = fsg_strings_array;
3023  fsg->function.bind = fsg_bind;
3024  fsg->function.unbind = fsg_unbind;
3025  fsg->function.setup = fsg_setup;
3026  fsg->function.set_alt = fsg_set_alt;
3027  fsg->function.disable = fsg_disable;
3028 
3029  fsg->common = common;
3030  /*
3031  * Our caller holds a reference to common structure so we
3032  * don't have to be worry about it being freed until we return
3033  * from this function. So instead of incrementing counter now
3034  * and decrement in error recovery we increment it only when
3035  * call to usb_add_function() was successful.
3036  */
3037 
3038  rc = usb_add_function(c, &fsg->function);
3039  if (unlikely(rc))
3040  kfree(fsg);
3041  else
3042  fsg_common_get(fsg->common);
3043  return rc;
3044 }
3045 
3046 
3047 /************************* Module parameters *************************/
3048 
3055 
3057  unsigned int nofua_count;
3058  unsigned int luns; /* nluns */
3059  bool stall; /* can_stall */
3060 };
3061 
3062 #define _FSG_MODULE_PARAM_ARRAY(prefix, params, name, type, desc) \
3063  module_param_array_named(prefix ## name, params.name, type, \
3064  &prefix ## params.name ## _count, \
3065  S_IRUGO); \
3066  MODULE_PARM_DESC(prefix ## name, desc)
3067 
3068 #define _FSG_MODULE_PARAM(prefix, params, name, type, desc) \
3069  module_param_named(prefix ## name, params.name, type, \
3070  S_IRUGO); \
3071  MODULE_PARM_DESC(prefix ## name, desc)
3072 
3073 #define FSG_MODULE_PARAMETERS(prefix, params) \
3074  _FSG_MODULE_PARAM_ARRAY(prefix, params, file, charp, \
3075  "names of backing files or devices"); \
3076  _FSG_MODULE_PARAM_ARRAY(prefix, params, ro, bool, \
3077  "true to force read-only"); \
3078  _FSG_MODULE_PARAM_ARRAY(prefix, params, removable, bool, \
3079  "true to simulate removable media"); \
3080  _FSG_MODULE_PARAM_ARRAY(prefix, params, cdrom, bool, \
3081  "true to simulate CD-ROM instead of disk"); \
3082  _FSG_MODULE_PARAM_ARRAY(prefix, params, nofua, bool, \
3083  "true to ignore SCSI WRITE(10,12) FUA bit"); \
3084  _FSG_MODULE_PARAM(prefix, params, luns, uint, \
3085  "number of LUNs"); \
3086  _FSG_MODULE_PARAM(prefix, params, stall, bool, \
3087  "false to prevent bulk stalls")
3088 
3089 static void
3090 fsg_config_from_params(struct fsg_config *cfg,
3091  const struct fsg_module_parameters *params)
3092 {
3093  struct fsg_lun_config *lun;
3094  unsigned i;
3095 
3096  /* Configure LUNs */
3097  cfg->nluns =
3098  min(params->luns ?: (params->file_count ?: 1u),
3099  (unsigned)FSG_MAX_LUNS);
3100  for (i = 0, lun = cfg->luns; i < cfg->nluns; ++i, ++lun) {
3101  lun->ro = !!params->ro[i];
3102  lun->cdrom = !!params->cdrom[i];
3103  lun->removable = !!params->removable[i];
3104  lun->filename =
3105  params->file_count > i && params->file[i][0]
3106  ? params->file[i]
3107  : 0;
3108  }
3109 
3110  /* Let MSF use defaults */
3111  cfg->vendor_name = 0;
3112  cfg->product_name = 0;
3113  cfg->release = 0xffff;
3114 
3115  cfg->ops = NULL;
3116  cfg->private_data = NULL;
3117 
3118  /* Finalise */
3119  cfg->can_stall = params->stall;
3120 }
3121 
3122 static inline struct fsg_common *
3123 fsg_common_from_params(struct fsg_common *common,
3124  struct usb_composite_dev *cdev,
3125  const struct fsg_module_parameters *params)
3126  __attribute__((unused));
3127 static inline struct fsg_common *
3128 fsg_common_from_params(struct fsg_common *common,
3129  struct usb_composite_dev *cdev,
3130  const struct fsg_module_parameters *params)
3131 {
3132  struct fsg_config cfg;
3133  fsg_config_from_params(&cfg, params);
3134  return fsg_common_init(common, cdev, &cfg);
3135 }