Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
f_mass_storage.c
Go to the documentation of this file.
1 /*
2  * f_mass_storage.c -- Mass Storage USB Composite Function
3  *
4  * Copyright (C) 2003-2008 Alan Stern
5  * Copyright (C) 2009 Samsung Electronics
6  * Author: Michal Nazarewicz <[email protected]>
7  * All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  * 1. Redistributions of source code must retain the above copyright
13  * notice, this list of conditions, and the following disclaimer,
14  * without modification.
15  * 2. Redistributions in binary form must reproduce the above copyright
16  * notice, this list of conditions and the following disclaimer in the
17  * documentation and/or other materials provided with the distribution.
18  * 3. The names of the above-listed copyright holders may not be used
19  * to endorse or promote products derived from this software without
20  * specific prior written permission.
21  *
22  * ALTERNATIVELY, this software may be distributed under the terms of the
23  * GNU General Public License ("GPL") as published by the Free Software
24  * Foundation, either version 2 of that License or (at your option) any
25  * later version.
26  *
27  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
28  * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
29  * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
30  * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
31  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
32  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
33  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
34  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
35  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
36  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
37  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38  */
39 
40 /*
41  * The Mass Storage Function acts as a USB Mass Storage device,
42  * appearing to the host as a disk drive or as a CD-ROM drive. In
43  * addition to providing an example of a genuinely useful composite
44  * function for a USB device, it also illustrates a technique of
45  * double-buffering for increased throughput.
46  *
47  * For more information about MSF and in particular its module
48  * parameters and sysfs interface read the
49  * <Documentation/usb/mass-storage.txt> file.
50  */
51 
52 /*
53  * MSF is configured by specifying a fsg_config structure. It has the
54  * following fields:
55  *
56  * nluns Number of LUNs function have (anywhere from 1
57  * to FSG_MAX_LUNS which is 8).
58  * luns An array of LUN configuration values. This
59  * should be filled for each LUN that
60  * function will include (ie. for "nluns"
61  * LUNs). Each element of the array has
62  * the following fields:
63  * ->filename The path to the backing file for the LUN.
64  * Required if LUN is not marked as
65  * removable.
66  * ->ro Flag specifying access to the LUN shall be
67  * read-only. This is implied if CD-ROM
68  * emulation is enabled as well as when
69  * it was impossible to open "filename"
70  * in R/W mode.
71  * ->removable Flag specifying that LUN shall be indicated as
72  * being removable.
73  * ->cdrom Flag specifying that LUN shall be reported as
74  * being a CD-ROM.
75  * ->nofua Flag specifying that FUA flag in SCSI WRITE(10,12)
76  * commands for this LUN shall be ignored.
77  *
78  * vendor_name
79  * product_name
80  * release Information used as a reply to INQUIRY
81  * request. To use default set to NULL,
82  * NULL, 0xffff respectively. The first
83  * field should be 8 and the second 16
84  * characters or less.
85  *
86  * can_stall Set to permit function to halt bulk endpoints.
87  * Disabled on some USB devices known not
88  * to work correctly. You should set it
89  * to true.
90  *
91  * If "removable" is not set for a LUN then a backing file must be
92  * specified. If it is set, then NULL filename means the LUN's medium
93  * is not loaded (an empty string as "filename" in the fsg_config
94  * structure causes error). The CD-ROM emulation includes a single
95  * data track and no audio tracks; hence there need be only one
96  * backing file per LUN.
97  *
98  * This function is heavily based on "File-backed Storage Gadget" by
99  * Alan Stern which in turn is heavily based on "Gadget Zero" by David
100  * Brownell. The driver's SCSI command interface was based on the
101  * "Information technology - Small Computer System Interface - 2"
102  * document from X3T9.2 Project 375D, Revision 10L, 7-SEP-93,
103  * available at <http://www.t10.org/ftp/t10/drafts/s2/s2-r10l.pdf>.
104  * The single exception is opcode 0x23 (READ FORMAT CAPACITIES), which
105  * was based on the "Universal Serial Bus Mass Storage Class UFI
106  * Command Specification" document, Revision 1.0, December 14, 1998,
107  * available at
108  * <http://www.usb.org/developers/devclass_docs/usbmass-ufi10.pdf>.
109  */
110 
111 /*
112  * Driver Design
113  *
114  * The MSF is fairly straightforward. There is a main kernel
115  * thread that handles most of the work. Interrupt routines field
116  * callbacks from the controller driver: bulk- and interrupt-request
117  * completion notifications, endpoint-0 events, and disconnect events.
118  * Completion events are passed to the main thread by wakeup calls. Many
119  * ep0 requests are handled at interrupt time, but SetInterface,
120  * SetConfiguration, and device reset requests are forwarded to the
121  * thread in the form of "exceptions" using SIGUSR1 signals (since they
122  * should interrupt any ongoing file I/O operations).
123  *
124  * The thread's main routine implements the standard command/data/status
125  * parts of a SCSI interaction. It and its subroutines are full of tests
126  * for pending signals/exceptions -- all this polling is necessary since
127  * the kernel has no setjmp/longjmp equivalents. (Maybe this is an
128  * indication that the driver really wants to be running in userspace.)
129  * An important point is that so long as the thread is alive it keeps an
130  * open reference to the backing file. This will prevent unmounting
131  * the backing file's underlying filesystem and could cause problems
132  * during system shutdown, for example. To prevent such problems, the
133  * thread catches INT, TERM, and KILL signals and converts them into
134  * an EXIT exception.
135  *
136  * In normal operation the main thread is started during the gadget's
137  * fsg_bind() callback and stopped during fsg_unbind(). But it can
138  * also exit when it receives a signal, and there's no point leaving
139  * the gadget running when the thread is dead. As of this moment, MSF
140  * provides no way to deregister the gadget when thread dies -- maybe
141  * a callback functions is needed.
142  *
143  * To provide maximum throughput, the driver uses a circular pipeline of
144  * buffer heads (struct fsg_buffhd). In principle the pipeline can be
145  * arbitrarily long; in practice the benefits don't justify having more
146  * than 2 stages (i.e., double buffering). But it helps to think of the
147  * pipeline as being a long one. Each buffer head contains a bulk-in and
148  * a bulk-out request pointer (since the buffer can be used for both
149  * output and input -- directions always are given from the host's
150  * point of view) as well as a pointer to the buffer and various state
151  * variables.
152  *
153  * Use of the pipeline follows a simple protocol. There is a variable
154  * (fsg->next_buffhd_to_fill) that points to the next buffer head to use.
155  * At any time that buffer head may still be in use from an earlier
156  * request, so each buffer head has a state variable indicating whether
157  * it is EMPTY, FULL, or BUSY. Typical use involves waiting for the
158  * buffer head to be EMPTY, filling the buffer either by file I/O or by
159  * USB I/O (during which the buffer head is BUSY), and marking the buffer
160  * head FULL when the I/O is complete. Then the buffer will be emptied
161  * (again possibly by USB I/O, during which it is marked BUSY) and
162  * finally marked EMPTY again (possibly by a completion routine).
163  *
164  * A module parameter tells the driver to avoid stalling the bulk
165  * endpoints wherever the transport specification allows. This is
166  * necessary for some UDCs like the SuperH, which cannot reliably clear a
167  * halt on a bulk endpoint. However, under certain circumstances the
168  * Bulk-only specification requires a stall. In such cases the driver
169  * will halt the endpoint and set a flag indicating that it should clear
170  * the halt in software during the next device reset. Hopefully this
171  * will permit everything to work correctly. Furthermore, although the
172  * specification allows the bulk-out endpoint to halt when the host sends
173  * too much data, implementing this would cause an unavoidable race.
174  * The driver will always use the "no-stall" approach for OUT transfers.
175  *
176  * One subtle point concerns sending status-stage responses for ep0
177  * requests. Some of these requests, such as device reset, can involve
178  * interrupting an ongoing file I/O operation, which might take an
179  * arbitrarily long time. During that delay the host might give up on
180  * the original ep0 request and issue a new one. When that happens the
181  * driver should not notify the host about completion of the original
182  * request, as the host will no longer be waiting for it. So the driver
183  * assigns to each ep0 request a unique tag, and it keeps track of the
184  * tag value of the request associated with a long-running exception
185  * (device-reset, interface-change, or configuration-change). When the
186  * exception handler is finished, the status-stage response is submitted
187  * only if the current ep0 request tag is equal to the exception request
188  * tag. Thus only the most recently received ep0 request will get a
189  * status-stage response.
190  *
191  * Warning: This driver source file is too long. It ought to be split up
192  * into a header file plus about 3 separate .c files, to handle the details
193  * of the Gadget, USB Mass Storage, and SCSI protocols.
194  */
195 
196 
197 /* #define VERBOSE_DEBUG */
198 /* #define DUMP_MSGS */
199 
200 #include <linux/blkdev.h>
201 #include <linux/completion.h>
202 #include <linux/dcache.h>
203 #include <linux/delay.h>
204 #include <linux/device.h>
205 #include <linux/fcntl.h>
206 #include <linux/file.h>
207 #include <linux/fs.h>
208 #include <linux/kref.h>
209 #include <linux/kthread.h>
210 #include <linux/limits.h>
211 #include <linux/rwsem.h>
212 #include <linux/slab.h>
213 #include <linux/spinlock.h>
214 #include <linux/string.h>
215 #include <linux/freezer.h>
216 
217 #include <linux/usb/ch9.h>
218 #include <linux/usb/gadget.h>
219 #include <linux/usb/composite.h>
220 
221 #include "gadget_chips.h"
222 
223 
224 /*------------------------------------------------------------------------*/
225 
226 #define FSG_DRIVER_DESC "Mass Storage Function"
227 #define FSG_DRIVER_VERSION "2009/09/11"
228 
229 static const char fsg_string_interface[] = "Mass Storage";
230 
231 #define FSG_NO_DEVICE_STRINGS 1
232 #define FSG_NO_OTG 1
233 #define FSG_NO_INTR_EP 1
234 
235 #include "storage_common.c"
236 
237 
238 /*-------------------------------------------------------------------------*/
239 
240 struct fsg_dev;
241 struct fsg_common;
242 
243 /* FSF callback functions */
244 struct fsg_operations {
245  /*
246  * Callback function to call when thread exits. If no
247  * callback is set or it returns value lower then zero MSF
248  * will force eject all LUNs it operates on (including those
249  * marked as non-removable or with prevent_medium_removal flag
250  * set).
251  */
252  int (*thread_exits)(struct fsg_common *common);
253 
254  /*
255  * Called prior to ejection. Negative return means error,
256  * zero means to continue with ejection, positive means not to
257  * eject.
258  */
259  int (*pre_eject)(struct fsg_common *common,
260  struct fsg_lun *lun, int num);
261  /*
262  * Called after ejection. Negative return means error, zero
263  * or positive is just a success.
264  */
265  int (*post_eject)(struct fsg_common *common,
266  struct fsg_lun *lun, int num);
267 };
268 
269 /* Data shared by all the FSG instances. */
270 struct fsg_common {
271  struct usb_gadget *gadget;
272  struct usb_composite_dev *cdev;
273  struct fsg_dev *fsg, *new_fsg;
275 
276  /* filesem protects: backing files in use */
277  struct rw_semaphore filesem;
278 
279  /* lock protects: state, all the req_busy's */
281 
282  struct usb_ep *ep0; /* Copy of gadget->ep0 */
283  struct usb_request *ep0req; /* Copy of cdev->req */
284  unsigned int ep0_req_tag;
285 
288  struct fsg_buffhd *buffhds;
289 
290  int cmnd_size;
292 
293  unsigned int nluns;
294  unsigned int lun;
295  struct fsg_lun *luns;
296  struct fsg_lun *curlun;
297 
298  unsigned int bulk_out_maxpacket;
299  enum fsg_state state; /* For exception handling */
300  unsigned int exception_req_tag;
301 
303  u32 data_size;
305  u32 tag;
306  u32 residue;
308 
309  unsigned int can_stall:1;
310  unsigned int free_storage_on_release:1;
311  unsigned int phase_error:1;
312  unsigned int short_packet_received:1;
313  unsigned int bad_lun_okay:1;
314  unsigned int running:1;
315 
318  struct task_struct *thread_task;
319 
320  /* Callback functions. */
321  const struct fsg_operations *ops;
322  /* Gadget's private data. */
323  void *private_data;
324 
325  /*
326  * Vendor (8 chars), product (16 chars), release (4
327  * hexadecimal digits) and NUL byte
328  */
329  char inquiry_string[8 + 16 + 4 + 1];
330 
331  struct kref ref;
332 };
333 
334 struct fsg_config {
335  unsigned nluns;
336  struct fsg_lun_config {
337  const char *filename;
338  char ro;
339  char removable;
340  char cdrom;
341  char nofua;
342  } luns[FSG_MAX_LUNS];
343 
344  /* Callback functions. */
345  const struct fsg_operations *ops;
346  /* Gadget's private data. */
347  void *private_data;
348 
349  const char *vendor_name; /* 8 characters or less */
350  const char *product_name; /* 16 characters or less */
351 
352  char can_stall;
353 };
354 
355 struct fsg_dev {
356  struct usb_function function;
357  struct usb_gadget *gadget; /* Copy of cdev->gadget */
358  struct fsg_common *common;
359 
361 
362  unsigned int bulk_in_enabled:1;
363  unsigned int bulk_out_enabled:1;
364 
365  unsigned long atomic_bitflags;
366 #define IGNORE_BULK_OUT 0
367 
368  struct usb_ep *bulk_in;
369  struct usb_ep *bulk_out;
370 };
371 
372 static inline int __fsg_is_set(struct fsg_common *common,
373  const char *func, unsigned line)
374 {
375  if (common->fsg)
376  return 1;
377  ERROR(common, "common->fsg is NULL in %s at %u\n", func, line);
378  WARN_ON(1);
379  return 0;
380 }
381 
382 #define fsg_is_set(common) likely(__fsg_is_set(common, __func__, __LINE__))
383 
384 static inline struct fsg_dev *fsg_from_func(struct usb_function *f)
385 {
386  return container_of(f, struct fsg_dev, function);
387 }
388 
389 typedef void (*fsg_routine_t)(struct fsg_dev *);
390 
391 static int exception_in_progress(struct fsg_common *common)
392 {
393  return common->state > FSG_STATE_IDLE;
394 }
395 
396 /* Make bulk-out requests be divisible by the maxpacket size */
397 static void set_bulk_out_req_length(struct fsg_common *common,
398  struct fsg_buffhd *bh, unsigned int length)
399 {
400  unsigned int rem;
401 
403  rem = length % common->bulk_out_maxpacket;
404  if (rem > 0)
405  length += common->bulk_out_maxpacket - rem;
406  bh->outreq->length = length;
407 }
408 
409 
410 /*-------------------------------------------------------------------------*/
411 
412 static int fsg_set_halt(struct fsg_dev *fsg, struct usb_ep *ep)
413 {
414  const char *name;
415 
416  if (ep == fsg->bulk_in)
417  name = "bulk-in";
418  else if (ep == fsg->bulk_out)
419  name = "bulk-out";
420  else
421  name = ep->name;
422  DBG(fsg, "%s set halt\n", name);
423  return usb_ep_set_halt(ep);
424 }
425 
426 
427 /*-------------------------------------------------------------------------*/
428 
429 /* These routines may be called in process context or in_irq */
430 
431 /* Caller must hold fsg->lock */
432 static void wakeup_thread(struct fsg_common *common)
433 {
434  /* Tell the main thread that something has happened */
435  common->thread_wakeup_needed = 1;
436  if (common->thread_task)
437  wake_up_process(common->thread_task);
438 }
439 
440 static void raise_exception(struct fsg_common *common, enum fsg_state new_state)
441 {
442  unsigned long flags;
443 
444  /*
445  * Do nothing if a higher-priority exception is already in progress.
446  * If a lower-or-equal priority exception is in progress, preempt it
447  * and notify the main thread by sending it a signal.
448  */
449  spin_lock_irqsave(&common->lock, flags);
450  if (common->state <= new_state) {
451  common->exception_req_tag = common->ep0_req_tag;
452  common->state = new_state;
453  if (common->thread_task)
455  common->thread_task);
456  }
457  spin_unlock_irqrestore(&common->lock, flags);
458 }
459 
460 
461 /*-------------------------------------------------------------------------*/
462 
463 static int ep0_queue(struct fsg_common *common)
464 {
465  int rc;
466 
467  rc = usb_ep_queue(common->ep0, common->ep0req, GFP_ATOMIC);
468  common->ep0->driver_data = common;
469  if (rc != 0 && rc != -ESHUTDOWN) {
470  /* We can't do much more than wait for a reset */
471  WARNING(common, "error in submission: %s --> %d\n",
472  common->ep0->name, rc);
473  }
474  return rc;
475 }
476 
477 
478 /*-------------------------------------------------------------------------*/
479 
480 /* Completion handlers. These always run in_irq. */
481 
482 static void bulk_in_complete(struct usb_ep *ep, struct usb_request *req)
483 {
484  struct fsg_common *common = ep->driver_data;
485  struct fsg_buffhd *bh = req->context;
486 
487  if (req->status || req->actual != req->length)
488  DBG(common, "%s --> %d, %u/%u\n", __func__,
489  req->status, req->actual, req->length);
490  if (req->status == -ECONNRESET) /* Request was cancelled */
491  usb_ep_fifo_flush(ep);
492 
493  /* Hold the lock while we update the request and buffer states */
494  smp_wmb();
495  spin_lock(&common->lock);
496  bh->inreq_busy = 0;
497  bh->state = BUF_STATE_EMPTY;
498  wakeup_thread(common);
499  spin_unlock(&common->lock);
500 }
501 
502 static void bulk_out_complete(struct usb_ep *ep, struct usb_request *req)
503 {
504  struct fsg_common *common = ep->driver_data;
505  struct fsg_buffhd *bh = req->context;
506 
507  dump_msg(common, "bulk-out", req->buf, req->actual);
508  if (req->status || req->actual != bh->bulk_out_intended_length)
509  DBG(common, "%s --> %d, %u/%u\n", __func__,
510  req->status, req->actual, bh->bulk_out_intended_length);
511  if (req->status == -ECONNRESET) /* Request was cancelled */
512  usb_ep_fifo_flush(ep);
513 
514  /* Hold the lock while we update the request and buffer states */
515  smp_wmb();
516  spin_lock(&common->lock);
517  bh->outreq_busy = 0;
518  bh->state = BUF_STATE_FULL;
519  wakeup_thread(common);
520  spin_unlock(&common->lock);
521 }
522 
523 static int fsg_setup(struct usb_function *f,
524  const struct usb_ctrlrequest *ctrl)
525 {
526  struct fsg_dev *fsg = fsg_from_func(f);
527  struct usb_request *req = fsg->common->ep0req;
528  u16 w_index = le16_to_cpu(ctrl->wIndex);
529  u16 w_value = le16_to_cpu(ctrl->wValue);
530  u16 w_length = le16_to_cpu(ctrl->wLength);
531 
532  if (!fsg_is_set(fsg->common))
533  return -EOPNOTSUPP;
534 
535  ++fsg->common->ep0_req_tag; /* Record arrival of a new request */
536  req->context = NULL;
537  req->length = 0;
538  dump_msg(fsg, "ep0-setup", (u8 *) ctrl, sizeof(*ctrl));
539 
540  switch (ctrl->bRequest) {
541 
543  if (ctrl->bRequestType !=
545  break;
546  if (w_index != fsg->interface_number || w_value != 0 ||
547  w_length != 0)
548  return -EDOM;
549 
550  /*
551  * Raise an exception to stop the current operation
552  * and reinitialize our state.
553  */
554  DBG(fsg, "bulk reset request\n");
555  raise_exception(fsg->common, FSG_STATE_RESET);
556  return DELAYED_STATUS;
557 
558  case US_BULK_GET_MAX_LUN:
559  if (ctrl->bRequestType !=
561  break;
562  if (w_index != fsg->interface_number || w_value != 0 ||
563  w_length != 1)
564  return -EDOM;
565  VDBG(fsg, "get max LUN\n");
566  *(u8 *)req->buf = fsg->common->nluns - 1;
567 
568  /* Respond with data/status */
569  req->length = min((u16)1, w_length);
570  return ep0_queue(fsg->common);
571  }
572 
573  VDBG(fsg,
574  "unknown class-specific control req %02x.%02x v%04x i%04x l%u\n",
575  ctrl->bRequestType, ctrl->bRequest,
576  le16_to_cpu(ctrl->wValue), w_index, w_length);
577  return -EOPNOTSUPP;
578 }
579 
580 
581 /*-------------------------------------------------------------------------*/
582 
583 /* All the following routines run in process context */
584 
585 /* Use this for bulk or interrupt transfers, not ep0 */
586 static void start_transfer(struct fsg_dev *fsg, struct usb_ep *ep,
587  struct usb_request *req, int *pbusy,
588  enum fsg_buffer_state *state)
589 {
590  int rc;
591 
592  if (ep == fsg->bulk_in)
593  dump_msg(fsg, "bulk-in", req->buf, req->length);
594 
595  spin_lock_irq(&fsg->common->lock);
596  *pbusy = 1;
597  *state = BUF_STATE_BUSY;
598  spin_unlock_irq(&fsg->common->lock);
599  rc = usb_ep_queue(ep, req, GFP_KERNEL);
600  if (rc != 0) {
601  *pbusy = 0;
602  *state = BUF_STATE_EMPTY;
603 
604  /* We can't do much more than wait for a reset */
605 
606  /*
607  * Note: currently the net2280 driver fails zero-length
608  * submissions if DMA is enabled.
609  */
610  if (rc != -ESHUTDOWN &&
611  !(rc == -EOPNOTSUPP && req->length == 0))
612  WARNING(fsg, "error in submission: %s --> %d\n",
613  ep->name, rc);
614  }
615 }
616 
617 static bool start_in_transfer(struct fsg_common *common, struct fsg_buffhd *bh)
618 {
619  if (!fsg_is_set(common))
620  return false;
621  start_transfer(common->fsg, common->fsg->bulk_in,
622  bh->inreq, &bh->inreq_busy, &bh->state);
623  return true;
624 }
625 
626 static bool start_out_transfer(struct fsg_common *common, struct fsg_buffhd *bh)
627 {
628  if (!fsg_is_set(common))
629  return false;
630  start_transfer(common->fsg, common->fsg->bulk_out,
631  bh->outreq, &bh->outreq_busy, &bh->state);
632  return true;
633 }
634 
635 static int sleep_thread(struct fsg_common *common)
636 {
637  int rc = 0;
638 
639  /* Wait until a signal arrives or we are woken up */
640  for (;;) {
641  try_to_freeze();
643  if (signal_pending(current)) {
644  rc = -EINTR;
645  break;
646  }
647  if (common->thread_wakeup_needed)
648  break;
649  schedule();
650  }
652  common->thread_wakeup_needed = 0;
653  return rc;
654 }
655 
656 
657 /*-------------------------------------------------------------------------*/
658 
659 static int do_read(struct fsg_common *common)
660 {
661  struct fsg_lun *curlun = common->curlun;
662  u32 lba;
663  struct fsg_buffhd *bh;
664  int rc;
665  u32 amount_left;
666  loff_t file_offset, file_offset_tmp;
667  unsigned int amount;
668  ssize_t nread;
669 
670  /*
671  * Get the starting Logical Block Address and check that it's
672  * not too big.
673  */
674  if (common->cmnd[0] == READ_6)
675  lba = get_unaligned_be24(&common->cmnd[1]);
676  else {
677  lba = get_unaligned_be32(&common->cmnd[2]);
678 
679  /*
680  * We allow DPO (Disable Page Out = don't save data in the
681  * cache) and FUA (Force Unit Access = don't read from the
682  * cache), but we don't implement them.
683  */
684  if ((common->cmnd[1] & ~0x18) != 0) {
686  return -EINVAL;
687  }
688  }
689  if (lba >= curlun->num_sectors) {
691  return -EINVAL;
692  }
693  file_offset = ((loff_t) lba) << curlun->blkbits;
694 
695  /* Carry out the file reads */
696  amount_left = common->data_size_from_cmnd;
697  if (unlikely(amount_left == 0))
698  return -EIO; /* No default reply */
699 
700  for (;;) {
701  /*
702  * Figure out how much we need to read:
703  * Try to read the remaining amount.
704  * But don't read more than the buffer size.
705  * And don't try to read past the end of the file.
706  */
707  amount = min(amount_left, FSG_BUFLEN);
708  amount = min((loff_t)amount,
709  curlun->file_length - file_offset);
710 
711  /* Wait for the next buffer to become available */
712  bh = common->next_buffhd_to_fill;
713  while (bh->state != BUF_STATE_EMPTY) {
714  rc = sleep_thread(common);
715  if (rc)
716  return rc;
717  }
718 
719  /*
720  * If we were asked to read past the end of file,
721  * end with an empty buffer.
722  */
723  if (amount == 0) {
724  curlun->sense_data =
726  curlun->sense_data_info =
727  file_offset >> curlun->blkbits;
728  curlun->info_valid = 1;
729  bh->inreq->length = 0;
730  bh->state = BUF_STATE_FULL;
731  break;
732  }
733 
734  /* Perform the read */
735  file_offset_tmp = file_offset;
736  nread = vfs_read(curlun->filp,
737  (char __user *)bh->buf,
738  amount, &file_offset_tmp);
739  VLDBG(curlun, "file read %u @ %llu -> %d\n", amount,
740  (unsigned long long)file_offset, (int)nread);
741  if (signal_pending(current))
742  return -EINTR;
743 
744  if (nread < 0) {
745  LDBG(curlun, "error in file read: %d\n", (int)nread);
746  nread = 0;
747  } else if (nread < amount) {
748  LDBG(curlun, "partial file read: %d/%u\n",
749  (int)nread, amount);
750  nread = round_down(nread, curlun->blksize);
751  }
752  file_offset += nread;
753  amount_left -= nread;
754  common->residue -= nread;
755 
756  /*
757  * Except at the end of the transfer, nread will be
758  * equal to the buffer size, which is divisible by the
759  * bulk-in maxpacket size.
760  */
761  bh->inreq->length = nread;
762  bh->state = BUF_STATE_FULL;
763 
764  /* If an error occurred, report it and its position */
765  if (nread < amount) {
767  curlun->sense_data_info =
768  file_offset >> curlun->blkbits;
769  curlun->info_valid = 1;
770  break;
771  }
772 
773  if (amount_left == 0)
774  break; /* No more left to read */
775 
776  /* Send this buffer and go read some more */
777  bh->inreq->zero = 0;
778  if (!start_in_transfer(common, bh))
779  /* Don't know what to do if common->fsg is NULL */
780  return -EIO;
781  common->next_buffhd_to_fill = bh->next;
782  }
783 
784  return -EIO; /* No default reply */
785 }
786 
787 
788 /*-------------------------------------------------------------------------*/
789 
790 static int do_write(struct fsg_common *common)
791 {
792  struct fsg_lun *curlun = common->curlun;
793  u32 lba;
794  struct fsg_buffhd *bh;
795  int get_some_more;
796  u32 amount_left_to_req, amount_left_to_write;
797  loff_t usb_offset, file_offset, file_offset_tmp;
798  unsigned int amount;
799  ssize_t nwritten;
800  int rc;
801 
802  if (curlun->ro) {
803  curlun->sense_data = SS_WRITE_PROTECTED;
804  return -EINVAL;
805  }
806  spin_lock(&curlun->filp->f_lock);
807  curlun->filp->f_flags &= ~O_SYNC; /* Default is not to wait */
808  spin_unlock(&curlun->filp->f_lock);
809 
810  /*
811  * Get the starting Logical Block Address and check that it's
812  * not too big
813  */
814  if (common->cmnd[0] == WRITE_6)
815  lba = get_unaligned_be24(&common->cmnd[1]);
816  else {
817  lba = get_unaligned_be32(&common->cmnd[2]);
818 
819  /*
820  * We allow DPO (Disable Page Out = don't save data in the
821  * cache) and FUA (Force Unit Access = write directly to the
822  * medium). We don't implement DPO; we implement FUA by
823  * performing synchronous output.
824  */
825  if (common->cmnd[1] & ~0x18) {
827  return -EINVAL;
828  }
829  if (!curlun->nofua && (common->cmnd[1] & 0x08)) { /* FUA */
830  spin_lock(&curlun->filp->f_lock);
831  curlun->filp->f_flags |= O_SYNC;
832  spin_unlock(&curlun->filp->f_lock);
833  }
834  }
835  if (lba >= curlun->num_sectors) {
837  return -EINVAL;
838  }
839 
840  /* Carry out the file writes */
841  get_some_more = 1;
842  file_offset = usb_offset = ((loff_t) lba) << curlun->blkbits;
843  amount_left_to_req = common->data_size_from_cmnd;
844  amount_left_to_write = common->data_size_from_cmnd;
845 
846  while (amount_left_to_write > 0) {
847 
848  /* Queue a request for more data from the host */
849  bh = common->next_buffhd_to_fill;
850  if (bh->state == BUF_STATE_EMPTY && get_some_more) {
851 
852  /*
853  * Figure out how much we want to get:
854  * Try to get the remaining amount,
855  * but not more than the buffer size.
856  */
857  amount = min(amount_left_to_req, FSG_BUFLEN);
858 
859  /* Beyond the end of the backing file? */
860  if (usb_offset >= curlun->file_length) {
861  get_some_more = 0;
862  curlun->sense_data =
864  curlun->sense_data_info =
865  usb_offset >> curlun->blkbits;
866  curlun->info_valid = 1;
867  continue;
868  }
869 
870  /* Get the next buffer */
871  usb_offset += amount;
872  common->usb_amount_left -= amount;
873  amount_left_to_req -= amount;
874  if (amount_left_to_req == 0)
875  get_some_more = 0;
876 
877  /*
878  * Except at the end of the transfer, amount will be
879  * equal to the buffer size, which is divisible by
880  * the bulk-out maxpacket size.
881  */
882  set_bulk_out_req_length(common, bh, amount);
883  if (!start_out_transfer(common, bh))
884  /* Dunno what to do if common->fsg is NULL */
885  return -EIO;
886  common->next_buffhd_to_fill = bh->next;
887  continue;
888  }
889 
890  /* Write the received data to the backing file */
891  bh = common->next_buffhd_to_drain;
892  if (bh->state == BUF_STATE_EMPTY && !get_some_more)
893  break; /* We stopped early */
894  if (bh->state == BUF_STATE_FULL) {
895  smp_rmb();
896  common->next_buffhd_to_drain = bh->next;
897  bh->state = BUF_STATE_EMPTY;
898 
899  /* Did something go wrong with the transfer? */
900  if (bh->outreq->status != 0) {
902  curlun->sense_data_info =
903  file_offset >> curlun->blkbits;
904  curlun->info_valid = 1;
905  break;
906  }
907 
908  amount = bh->outreq->actual;
909  if (curlun->file_length - file_offset < amount) {
910  LERROR(curlun,
911  "write %u @ %llu beyond end %llu\n",
912  amount, (unsigned long long)file_offset,
913  (unsigned long long)curlun->file_length);
914  amount = curlun->file_length - file_offset;
915  }
916 
917  /* Don't accept excess data. The spec doesn't say
918  * what to do in this case. We'll ignore the error.
919  */
920  amount = min(amount, bh->bulk_out_intended_length);
921 
922  /* Don't write a partial block */
923  amount = round_down(amount, curlun->blksize);
924  if (amount == 0)
925  goto empty_write;
926 
927  /* Perform the write */
928  file_offset_tmp = file_offset;
929  nwritten = vfs_write(curlun->filp,
930  (char __user *)bh->buf,
931  amount, &file_offset_tmp);
932  VLDBG(curlun, "file write %u @ %llu -> %d\n", amount,
933  (unsigned long long)file_offset, (int)nwritten);
934  if (signal_pending(current))
935  return -EINTR; /* Interrupted! */
936 
937  if (nwritten < 0) {
938  LDBG(curlun, "error in file write: %d\n",
939  (int)nwritten);
940  nwritten = 0;
941  } else if (nwritten < amount) {
942  LDBG(curlun, "partial file write: %d/%u\n",
943  (int)nwritten, amount);
944  nwritten = round_down(nwritten, curlun->blksize);
945  }
946  file_offset += nwritten;
947  amount_left_to_write -= nwritten;
948  common->residue -= nwritten;
949 
950  /* If an error occurred, report it and its position */
951  if (nwritten < amount) {
952  curlun->sense_data = SS_WRITE_ERROR;
953  curlun->sense_data_info =
954  file_offset >> curlun->blkbits;
955  curlun->info_valid = 1;
956  break;
957  }
958 
959  empty_write:
960  /* Did the host decide to stop early? */
961  if (bh->outreq->actual < bh->bulk_out_intended_length) {
962  common->short_packet_received = 1;
963  break;
964  }
965  continue;
966  }
967 
968  /* Wait for something to happen */
969  rc = sleep_thread(common);
970  if (rc)
971  return rc;
972  }
973 
974  return -EIO; /* No default reply */
975 }
976 
977 
978 /*-------------------------------------------------------------------------*/
979 
980 static int do_synchronize_cache(struct fsg_common *common)
981 {
982  struct fsg_lun *curlun = common->curlun;
983  int rc;
984 
985  /* We ignore the requested LBA and write out all file's
986  * dirty data buffers. */
987  rc = fsg_lun_fsync_sub(curlun);
988  if (rc)
989  curlun->sense_data = SS_WRITE_ERROR;
990  return 0;
991 }
992 
993 
994 /*-------------------------------------------------------------------------*/
995 
996 static void invalidate_sub(struct fsg_lun *curlun)
997 {
998  struct file *filp = curlun->filp;
999  struct inode *inode = filp->f_path.dentry->d_inode;
1000  unsigned long rc;
1001 
1002  rc = invalidate_mapping_pages(inode->i_mapping, 0, -1);
1003  VLDBG(curlun, "invalidate_mapping_pages -> %ld\n", rc);
1004 }
1005 
1006 static int do_verify(struct fsg_common *common)
1007 {
1008  struct fsg_lun *curlun = common->curlun;
1009  u32 lba;
1010  u32 verification_length;
1011  struct fsg_buffhd *bh = common->next_buffhd_to_fill;
1012  loff_t file_offset, file_offset_tmp;
1013  u32 amount_left;
1014  unsigned int amount;
1015  ssize_t nread;
1016 
1017  /*
1018  * Get the starting Logical Block Address and check that it's
1019  * not too big.
1020  */
1021  lba = get_unaligned_be32(&common->cmnd[2]);
1022  if (lba >= curlun->num_sectors) {
1024  return -EINVAL;
1025  }
1026 
1027  /*
1028  * We allow DPO (Disable Page Out = don't save data in the
1029  * cache) but we don't implement it.
1030  */
1031  if (common->cmnd[1] & ~0x10) {
1033  return -EINVAL;
1034  }
1035 
1036  verification_length = get_unaligned_be16(&common->cmnd[7]);
1037  if (unlikely(verification_length == 0))
1038  return -EIO; /* No default reply */
1039 
1040  /* Prepare to carry out the file verify */
1041  amount_left = verification_length << curlun->blkbits;
1042  file_offset = ((loff_t) lba) << curlun->blkbits;
1043 
1044  /* Write out all the dirty buffers before invalidating them */
1045  fsg_lun_fsync_sub(curlun);
1046  if (signal_pending(current))
1047  return -EINTR;
1048 
1049  invalidate_sub(curlun);
1050  if (signal_pending(current))
1051  return -EINTR;
1052 
1053  /* Just try to read the requested blocks */
1054  while (amount_left > 0) {
1055  /*
1056  * Figure out how much we need to read:
1057  * Try to read the remaining amount, but not more than
1058  * the buffer size.
1059  * And don't try to read past the end of the file.
1060  */
1061  amount = min(amount_left, FSG_BUFLEN);
1062  amount = min((loff_t)amount,
1063  curlun->file_length - file_offset);
1064  if (amount == 0) {
1065  curlun->sense_data =
1067  curlun->sense_data_info =
1068  file_offset >> curlun->blkbits;
1069  curlun->info_valid = 1;
1070  break;
1071  }
1072 
1073  /* Perform the read */
1074  file_offset_tmp = file_offset;
1075  nread = vfs_read(curlun->filp,
1076  (char __user *) bh->buf,
1077  amount, &file_offset_tmp);
1078  VLDBG(curlun, "file read %u @ %llu -> %d\n", amount,
1079  (unsigned long long) file_offset,
1080  (int) nread);
1081  if (signal_pending(current))
1082  return -EINTR;
1083 
1084  if (nread < 0) {
1085  LDBG(curlun, "error in file verify: %d\n", (int)nread);
1086  nread = 0;
1087  } else if (nread < amount) {
1088  LDBG(curlun, "partial file verify: %d/%u\n",
1089  (int)nread, amount);
1090  nread = round_down(nread, curlun->blksize);
1091  }
1092  if (nread == 0) {
1094  curlun->sense_data_info =
1095  file_offset >> curlun->blkbits;
1096  curlun->info_valid = 1;
1097  break;
1098  }
1099  file_offset += nread;
1100  amount_left -= nread;
1101  }
1102  return 0;
1103 }
1104 
1105 
1106 /*-------------------------------------------------------------------------*/
1107 
1108 static int do_inquiry(struct fsg_common *common, struct fsg_buffhd *bh)
1109 {
1110  struct fsg_lun *curlun = common->curlun;
1111  u8 *buf = (u8 *) bh->buf;
1112 
1113  if (!curlun) { /* Unsupported LUNs are okay */
1114  common->bad_lun_okay = 1;
1115  memset(buf, 0, 36);
1116  buf[0] = 0x7f; /* Unsupported, no device-type */
1117  buf[4] = 31; /* Additional length */
1118  return 36;
1119  }
1120 
1121  buf[0] = curlun->cdrom ? TYPE_ROM : TYPE_DISK;
1122  buf[1] = curlun->removable ? 0x80 : 0;
1123  buf[2] = 2; /* ANSI SCSI level 2 */
1124  buf[3] = 2; /* SCSI-2 INQUIRY data format */
1125  buf[4] = 31; /* Additional length */
1126  buf[5] = 0; /* No special options */
1127  buf[6] = 0;
1128  buf[7] = 0;
1129  memcpy(buf + 8, common->inquiry_string, sizeof common->inquiry_string);
1130  return 36;
1131 }
1132 
1133 static int do_request_sense(struct fsg_common *common, struct fsg_buffhd *bh)
1134 {
1135  struct fsg_lun *curlun = common->curlun;
1136  u8 *buf = (u8 *) bh->buf;
1137  u32 sd, sdinfo;
1138  int valid;
1139 
1140  /*
1141  * From the SCSI-2 spec., section 7.9 (Unit attention condition):
1142  *
1143  * If a REQUEST SENSE command is received from an initiator
1144  * with a pending unit attention condition (before the target
1145  * generates the contingent allegiance condition), then the
1146  * target shall either:
1147  * a) report any pending sense data and preserve the unit
1148  * attention condition on the logical unit, or,
1149  * b) report the unit attention condition, may discard any
1150  * pending sense data, and clear the unit attention
1151  * condition on the logical unit for that initiator.
1152  *
1153  * FSG normally uses option a); enable this code to use option b).
1154  */
1155 #if 0
1156  if (curlun && curlun->unit_attention_data != SS_NO_SENSE) {
1157  curlun->sense_data = curlun->unit_attention_data;
1158  curlun->unit_attention_data = SS_NO_SENSE;
1159  }
1160 #endif
1161 
1162  if (!curlun) { /* Unsupported LUNs are okay */
1163  common->bad_lun_okay = 1;
1165  sdinfo = 0;
1166  valid = 0;
1167  } else {
1168  sd = curlun->sense_data;
1169  sdinfo = curlun->sense_data_info;
1170  valid = curlun->info_valid << 7;
1171  curlun->sense_data = SS_NO_SENSE;
1172  curlun->sense_data_info = 0;
1173  curlun->info_valid = 0;
1174  }
1175 
1176  memset(buf, 0, 18);
1177  buf[0] = valid | 0x70; /* Valid, current error */
1178  buf[2] = SK(sd);
1179  put_unaligned_be32(sdinfo, &buf[3]); /* Sense information */
1180  buf[7] = 18 - 8; /* Additional sense length */
1181  buf[12] = ASC(sd);
1182  buf[13] = ASCQ(sd);
1183  return 18;
1184 }
1185 
1186 static int do_read_capacity(struct fsg_common *common, struct fsg_buffhd *bh)
1187 {
1188  struct fsg_lun *curlun = common->curlun;
1189  u32 lba = get_unaligned_be32(&common->cmnd[2]);
1190  int pmi = common->cmnd[8];
1191  u8 *buf = (u8 *)bh->buf;
1192 
1193  /* Check the PMI and LBA fields */
1194  if (pmi > 1 || (pmi == 0 && lba != 0)) {
1196  return -EINVAL;
1197  }
1198 
1199  put_unaligned_be32(curlun->num_sectors - 1, &buf[0]);
1200  /* Max logical block */
1201  put_unaligned_be32(curlun->blksize, &buf[4]);/* Block length */
1202  return 8;
1203 }
1204 
1205 static int do_read_header(struct fsg_common *common, struct fsg_buffhd *bh)
1206 {
1207  struct fsg_lun *curlun = common->curlun;
1208  int msf = common->cmnd[1] & 0x02;
1209  u32 lba = get_unaligned_be32(&common->cmnd[2]);
1210  u8 *buf = (u8 *)bh->buf;
1211 
1212  if (common->cmnd[1] & ~0x02) { /* Mask away MSF */
1214  return -EINVAL;
1215  }
1216  if (lba >= curlun->num_sectors) {
1218  return -EINVAL;
1219  }
1220 
1221  memset(buf, 0, 8);
1222  buf[0] = 0x01; /* 2048 bytes of user data, rest is EC */
1223  store_cdrom_address(&buf[4], msf, lba);
1224  return 8;
1225 }
1226 
1227 static int do_read_toc(struct fsg_common *common, struct fsg_buffhd *bh)
1228 {
1229  struct fsg_lun *curlun = common->curlun;
1230  int msf = common->cmnd[1] & 0x02;
1231  int start_track = common->cmnd[6];
1232  u8 *buf = (u8 *)bh->buf;
1233 
1234  if ((common->cmnd[1] & ~0x02) != 0 || /* Mask away MSF */
1235  start_track > 1) {
1237  return -EINVAL;
1238  }
1239 
1240  memset(buf, 0, 20);
1241  buf[1] = (20-2); /* TOC data length */
1242  buf[2] = 1; /* First track number */
1243  buf[3] = 1; /* Last track number */
1244  buf[5] = 0x16; /* Data track, copying allowed */
1245  buf[6] = 0x01; /* Only track is number 1 */
1246  store_cdrom_address(&buf[8], msf, 0);
1247 
1248  buf[13] = 0x16; /* Lead-out track is data */
1249  buf[14] = 0xAA; /* Lead-out track number */
1250  store_cdrom_address(&buf[16], msf, curlun->num_sectors);
1251  return 20;
1252 }
1253 
1254 static int do_mode_sense(struct fsg_common *common, struct fsg_buffhd *bh)
1255 {
1256  struct fsg_lun *curlun = common->curlun;
1257  int mscmnd = common->cmnd[0];
1258  u8 *buf = (u8 *) bh->buf;
1259  u8 *buf0 = buf;
1260  int pc, page_code;
1261  int changeable_values, all_pages;
1262  int valid_page = 0;
1263  int len, limit;
1264 
1265  if ((common->cmnd[1] & ~0x08) != 0) { /* Mask away DBD */
1267  return -EINVAL;
1268  }
1269  pc = common->cmnd[2] >> 6;
1270  page_code = common->cmnd[2] & 0x3f;
1271  if (pc == 3) {
1273  return -EINVAL;
1274  }
1275  changeable_values = (pc == 1);
1276  all_pages = (page_code == 0x3f);
1277 
1278  /*
1279  * Write the mode parameter header. Fixed values are: default
1280  * medium type, no cache control (DPOFUA), and no block descriptors.
1281  * The only variable value is the WriteProtect bit. We will fill in
1282  * the mode data length later.
1283  */
1284  memset(buf, 0, 8);
1285  if (mscmnd == MODE_SENSE) {
1286  buf[2] = (curlun->ro ? 0x80 : 0x00); /* WP, DPOFUA */
1287  buf += 4;
1288  limit = 255;
1289  } else { /* MODE_SENSE_10 */
1290  buf[3] = (curlun->ro ? 0x80 : 0x00); /* WP, DPOFUA */
1291  buf += 8;
1292  limit = 65535; /* Should really be FSG_BUFLEN */
1293  }
1294 
1295  /* No block descriptors */
1296 
1297  /*
1298  * The mode pages, in numerical order. The only page we support
1299  * is the Caching page.
1300  */
1301  if (page_code == 0x08 || all_pages) {
1302  valid_page = 1;
1303  buf[0] = 0x08; /* Page code */
1304  buf[1] = 10; /* Page length */
1305  memset(buf+2, 0, 10); /* None of the fields are changeable */
1306 
1307  if (!changeable_values) {
1308  buf[2] = 0x04; /* Write cache enable, */
1309  /* Read cache not disabled */
1310  /* No cache retention priorities */
1311  put_unaligned_be16(0xffff, &buf[4]);
1312  /* Don't disable prefetch */
1313  /* Minimum prefetch = 0 */
1314  put_unaligned_be16(0xffff, &buf[8]);
1315  /* Maximum prefetch */
1316  put_unaligned_be16(0xffff, &buf[10]);
1317  /* Maximum prefetch ceiling */
1318  }
1319  buf += 12;
1320  }
1321 
1322  /*
1323  * Check that a valid page was requested and the mode data length
1324  * isn't too long.
1325  */
1326  len = buf - buf0;
1327  if (!valid_page || len > limit) {
1329  return -EINVAL;
1330  }
1331 
1332  /* Store the mode data length */
1333  if (mscmnd == MODE_SENSE)
1334  buf0[0] = len - 1;
1335  else
1336  put_unaligned_be16(len - 2, buf0);
1337  return len;
1338 }
1339 
1340 static int do_start_stop(struct fsg_common *common)
1341 {
1342  struct fsg_lun *curlun = common->curlun;
1343  int loej, start;
1344 
1345  if (!curlun) {
1346  return -EINVAL;
1347  } else if (!curlun->removable) {
1348  curlun->sense_data = SS_INVALID_COMMAND;
1349  return -EINVAL;
1350  } else if ((common->cmnd[1] & ~0x01) != 0 || /* Mask away Immed */
1351  (common->cmnd[4] & ~0x03) != 0) { /* Mask LoEj, Start */
1353  return -EINVAL;
1354  }
1355 
1356  loej = common->cmnd[4] & 0x02;
1357  start = common->cmnd[4] & 0x01;
1358 
1359  /*
1360  * Our emulation doesn't support mounting; the medium is
1361  * available for use as soon as it is loaded.
1362  */
1363  if (start) {
1364  if (!fsg_lun_is_open(curlun)) {
1366  return -EINVAL;
1367  }
1368  return 0;
1369  }
1370 
1371  /* Are we allowed to unload the media? */
1372  if (curlun->prevent_medium_removal) {
1373  LDBG(curlun, "unload attempt prevented\n");
1375  return -EINVAL;
1376  }
1377 
1378  if (!loej)
1379  return 0;
1380 
1381  /* Simulate an unload/eject */
1382  if (common->ops && common->ops->pre_eject) {
1383  int r = common->ops->pre_eject(common, curlun,
1384  curlun - common->luns);
1385  if (unlikely(r < 0))
1386  return r;
1387  else if (r)
1388  return 0;
1389  }
1390 
1391  up_read(&common->filesem);
1392  down_write(&common->filesem);
1393  fsg_lun_close(curlun);
1394  up_write(&common->filesem);
1395  down_read(&common->filesem);
1396 
1397  return common->ops && common->ops->post_eject
1398  ? min(0, common->ops->post_eject(common, curlun,
1399  curlun - common->luns))
1400  : 0;
1401 }
1402 
1403 static int do_prevent_allow(struct fsg_common *common)
1404 {
1405  struct fsg_lun *curlun = common->curlun;
1406  int prevent;
1407 
1408  if (!common->curlun) {
1409  return -EINVAL;
1410  } else if (!common->curlun->removable) {
1411  common->curlun->sense_data = SS_INVALID_COMMAND;
1412  return -EINVAL;
1413  }
1414 
1415  prevent = common->cmnd[4] & 0x01;
1416  if ((common->cmnd[4] & ~0x01) != 0) { /* Mask away Prevent */
1418  return -EINVAL;
1419  }
1420 
1421  if (curlun->prevent_medium_removal && !prevent)
1422  fsg_lun_fsync_sub(curlun);
1423  curlun->prevent_medium_removal = prevent;
1424  return 0;
1425 }
1426 
1427 static int do_read_format_capacities(struct fsg_common *common,
1428  struct fsg_buffhd *bh)
1429 {
1430  struct fsg_lun *curlun = common->curlun;
1431  u8 *buf = (u8 *) bh->buf;
1432 
1433  buf[0] = buf[1] = buf[2] = 0;
1434  buf[3] = 8; /* Only the Current/Maximum Capacity Descriptor */
1435  buf += 4;
1436 
1437  put_unaligned_be32(curlun->num_sectors, &buf[0]);
1438  /* Number of blocks */
1439  put_unaligned_be32(curlun->blksize, &buf[4]);/* Block length */
1440  buf[4] = 0x02; /* Current capacity */
1441  return 12;
1442 }
1443 
1444 static int do_mode_select(struct fsg_common *common, struct fsg_buffhd *bh)
1445 {
1446  struct fsg_lun *curlun = common->curlun;
1447 
1448  /* We don't support MODE SELECT */
1449  if (curlun)
1450  curlun->sense_data = SS_INVALID_COMMAND;
1451  return -EINVAL;
1452 }
1453 
1454 
1455 /*-------------------------------------------------------------------------*/
1456 
1457 static int halt_bulk_in_endpoint(struct fsg_dev *fsg)
1458 {
1459  int rc;
1460 
1461  rc = fsg_set_halt(fsg, fsg->bulk_in);
1462  if (rc == -EAGAIN)
1463  VDBG(fsg, "delayed bulk-in endpoint halt\n");
1464  while (rc != 0) {
1465  if (rc != -EAGAIN) {
1466  WARNING(fsg, "usb_ep_set_halt -> %d\n", rc);
1467  rc = 0;
1468  break;
1469  }
1470 
1471  /* Wait for a short time and then try again */
1472  if (msleep_interruptible(100) != 0)
1473  return -EINTR;
1474  rc = usb_ep_set_halt(fsg->bulk_in);
1475  }
1476  return rc;
1477 }
1478 
1479 static int wedge_bulk_in_endpoint(struct fsg_dev *fsg)
1480 {
1481  int rc;
1482 
1483  DBG(fsg, "bulk-in set wedge\n");
1484  rc = usb_ep_set_wedge(fsg->bulk_in);
1485  if (rc == -EAGAIN)
1486  VDBG(fsg, "delayed bulk-in endpoint wedge\n");
1487  while (rc != 0) {
1488  if (rc != -EAGAIN) {
1489  WARNING(fsg, "usb_ep_set_wedge -> %d\n", rc);
1490  rc = 0;
1491  break;
1492  }
1493 
1494  /* Wait for a short time and then try again */
1495  if (msleep_interruptible(100) != 0)
1496  return -EINTR;
1497  rc = usb_ep_set_wedge(fsg->bulk_in);
1498  }
1499  return rc;
1500 }
1501 
1502 static int throw_away_data(struct fsg_common *common)
1503 {
1504  struct fsg_buffhd *bh;
1505  u32 amount;
1506  int rc;
1507 
1508  for (bh = common->next_buffhd_to_drain;
1509  bh->state != BUF_STATE_EMPTY || common->usb_amount_left > 0;
1510  bh = common->next_buffhd_to_drain) {
1511 
1512  /* Throw away the data in a filled buffer */
1513  if (bh->state == BUF_STATE_FULL) {
1514  smp_rmb();
1515  bh->state = BUF_STATE_EMPTY;
1516  common->next_buffhd_to_drain = bh->next;
1517 
1518  /* A short packet or an error ends everything */
1519  if (bh->outreq->actual < bh->bulk_out_intended_length ||
1520  bh->outreq->status != 0) {
1521  raise_exception(common,
1523  return -EINTR;
1524  }
1525  continue;
1526  }
1527 
1528  /* Try to submit another request if we need one */
1529  bh = common->next_buffhd_to_fill;
1530  if (bh->state == BUF_STATE_EMPTY
1531  && common->usb_amount_left > 0) {
1532  amount = min(common->usb_amount_left, FSG_BUFLEN);
1533 
1534  /*
1535  * Except at the end of the transfer, amount will be
1536  * equal to the buffer size, which is divisible by
1537  * the bulk-out maxpacket size.
1538  */
1539  set_bulk_out_req_length(common, bh, amount);
1540  if (!start_out_transfer(common, bh))
1541  /* Dunno what to do if common->fsg is NULL */
1542  return -EIO;
1543  common->next_buffhd_to_fill = bh->next;
1544  common->usb_amount_left -= amount;
1545  continue;
1546  }
1547 
1548  /* Otherwise wait for something to happen */
1549  rc = sleep_thread(common);
1550  if (rc)
1551  return rc;
1552  }
1553  return 0;
1554 }
1555 
1556 static int finish_reply(struct fsg_common *common)
1557 {
1558  struct fsg_buffhd *bh = common->next_buffhd_to_fill;
1559  int rc = 0;
1560 
1561  switch (common->data_dir) {
1562  case DATA_DIR_NONE:
1563  break; /* Nothing to send */
1564 
1565  /*
1566  * If we don't know whether the host wants to read or write,
1567  * this must be CB or CBI with an unknown command. We mustn't
1568  * try to send or receive any data. So stall both bulk pipes
1569  * if we can and wait for a reset.
1570  */
1571  case DATA_DIR_UNKNOWN:
1572  if (!common->can_stall) {
1573  /* Nothing */
1574  } else if (fsg_is_set(common)) {
1575  fsg_set_halt(common->fsg, common->fsg->bulk_out);
1576  rc = halt_bulk_in_endpoint(common->fsg);
1577  } else {
1578  /* Don't know what to do if common->fsg is NULL */
1579  rc = -EIO;
1580  }
1581  break;
1582 
1583  /* All but the last buffer of data must have already been sent */
1584  case DATA_DIR_TO_HOST:
1585  if (common->data_size == 0) {
1586  /* Nothing to send */
1587 
1588  /* Don't know what to do if common->fsg is NULL */
1589  } else if (!fsg_is_set(common)) {
1590  rc = -EIO;
1591 
1592  /* If there's no residue, simply send the last buffer */
1593  } else if (common->residue == 0) {
1594  bh->inreq->zero = 0;
1595  if (!start_in_transfer(common, bh))
1596  return -EIO;
1597  common->next_buffhd_to_fill = bh->next;
1598 
1599  /*
1600  * For Bulk-only, mark the end of the data with a short
1601  * packet. If we are allowed to stall, halt the bulk-in
1602  * endpoint. (Note: This violates the Bulk-Only Transport
1603  * specification, which requires us to pad the data if we
1604  * don't halt the endpoint. Presumably nobody will mind.)
1605  */
1606  } else {
1607  bh->inreq->zero = 1;
1608  if (!start_in_transfer(common, bh))
1609  rc = -EIO;
1610  common->next_buffhd_to_fill = bh->next;
1611  if (common->can_stall)
1612  rc = halt_bulk_in_endpoint(common->fsg);
1613  }
1614  break;
1615 
1616  /*
1617  * We have processed all we want from the data the host has sent.
1618  * There may still be outstanding bulk-out requests.
1619  */
1620  case DATA_DIR_FROM_HOST:
1621  if (common->residue == 0) {
1622  /* Nothing to receive */
1623 
1624  /* Did the host stop sending unexpectedly early? */
1625  } else if (common->short_packet_received) {
1626  raise_exception(common, FSG_STATE_ABORT_BULK_OUT);
1627  rc = -EINTR;
1628 
1629  /*
1630  * We haven't processed all the incoming data. Even though
1631  * we may be allowed to stall, doing so would cause a race.
1632  * The controller may already have ACK'ed all the remaining
1633  * bulk-out packets, in which case the host wouldn't see a
1634  * STALL. Not realizing the endpoint was halted, it wouldn't
1635  * clear the halt -- leading to problems later on.
1636  */
1637 #if 0
1638  } else if (common->can_stall) {
1639  if (fsg_is_set(common))
1640  fsg_set_halt(common->fsg,
1641  common->fsg->bulk_out);
1642  raise_exception(common, FSG_STATE_ABORT_BULK_OUT);
1643  rc = -EINTR;
1644 #endif
1645 
1646  /*
1647  * We can't stall. Read in the excess data and throw it
1648  * all away.
1649  */
1650  } else {
1651  rc = throw_away_data(common);
1652  }
1653  break;
1654  }
1655  return rc;
1656 }
1657 
1658 static int send_status(struct fsg_common *common)
1659 {
1660  struct fsg_lun *curlun = common->curlun;
1661  struct fsg_buffhd *bh;
1662  struct bulk_cs_wrap *csw;
1663  int rc;
1665  u32 sd, sdinfo = 0;
1666 
1667  /* Wait for the next buffer to become available */
1668  bh = common->next_buffhd_to_fill;
1669  while (bh->state != BUF_STATE_EMPTY) {
1670  rc = sleep_thread(common);
1671  if (rc)
1672  return rc;
1673  }
1674 
1675  if (curlun) {
1676  sd = curlun->sense_data;
1677  sdinfo = curlun->sense_data_info;
1678  } else if (common->bad_lun_okay)
1679  sd = SS_NO_SENSE;
1680  else
1682 
1683  if (common->phase_error) {
1684  DBG(common, "sending phase-error status\n");
1685  status = US_BULK_STAT_PHASE;
1686  sd = SS_INVALID_COMMAND;
1687  } else if (sd != SS_NO_SENSE) {
1688  DBG(common, "sending command-failure status\n");
1689  status = US_BULK_STAT_FAIL;
1690  VDBG(common, " sense data: SK x%02x, ASC x%02x, ASCQ x%02x;"
1691  " info x%x\n",
1692  SK(sd), ASC(sd), ASCQ(sd), sdinfo);
1693  }
1694 
1695  /* Store and send the Bulk-only CSW */
1696  csw = (void *)bh->buf;
1697 
1699  csw->Tag = common->tag;
1700  csw->Residue = cpu_to_le32(common->residue);
1701  csw->Status = status;
1702 
1703  bh->inreq->length = US_BULK_CS_WRAP_LEN;
1704  bh->inreq->zero = 0;
1705  if (!start_in_transfer(common, bh))
1706  /* Don't know what to do if common->fsg is NULL */
1707  return -EIO;
1708 
1709  common->next_buffhd_to_fill = bh->next;
1710  return 0;
1711 }
1712 
1713 
1714 /*-------------------------------------------------------------------------*/
1715 
1716 /*
1717  * Check whether the command is properly formed and whether its data size
1718  * and direction agree with the values we already have.
1719  */
1720 static int check_command(struct fsg_common *common, int cmnd_size,
1721  enum data_direction data_dir, unsigned int mask,
1722  int needs_medium, const char *name)
1723 {
1724  int i;
1725  int lun = common->cmnd[1] >> 5;
1726  static const char dirletter[4] = {'u', 'o', 'i', 'n'};
1727  char hdlen[20];
1728  struct fsg_lun *curlun;
1729 
1730  hdlen[0] = 0;
1731  if (common->data_dir != DATA_DIR_UNKNOWN)
1732  sprintf(hdlen, ", H%c=%u", dirletter[(int) common->data_dir],
1733  common->data_size);
1734  VDBG(common, "SCSI command: %s; Dc=%d, D%c=%u; Hc=%d%s\n",
1735  name, cmnd_size, dirletter[(int) data_dir],
1736  common->data_size_from_cmnd, common->cmnd_size, hdlen);
1737 
1738  /*
1739  * We can't reply at all until we know the correct data direction
1740  * and size.
1741  */
1742  if (common->data_size_from_cmnd == 0)
1743  data_dir = DATA_DIR_NONE;
1744  if (common->data_size < common->data_size_from_cmnd) {
1745  /*
1746  * Host data size < Device data size is a phase error.
1747  * Carry out the command, but only transfer as much as
1748  * we are allowed.
1749  */
1750  common->data_size_from_cmnd = common->data_size;
1751  common->phase_error = 1;
1752  }
1753  common->residue = common->data_size;
1754  common->usb_amount_left = common->data_size;
1755 
1756  /* Conflicting data directions is a phase error */
1757  if (common->data_dir != data_dir && common->data_size_from_cmnd > 0) {
1758  common->phase_error = 1;
1759  return -EINVAL;
1760  }
1761 
1762  /* Verify the length of the command itself */
1763  if (cmnd_size != common->cmnd_size) {
1764 
1765  /*
1766  * Special case workaround: There are plenty of buggy SCSI
1767  * implementations. Many have issues with cbw->Length
1768  * field passing a wrong command size. For those cases we
1769  * always try to work around the problem by using the length
1770  * sent by the host side provided it is at least as large
1771  * as the correct command length.
1772  * Examples of such cases would be MS-Windows, which issues
1773  * REQUEST SENSE with cbw->Length == 12 where it should
1774  * be 6, and xbox360 issuing INQUIRY, TEST UNIT READY and
1775  * REQUEST SENSE with cbw->Length == 10 where it should
1776  * be 6 as well.
1777  */
1778  if (cmnd_size <= common->cmnd_size) {
1779  DBG(common, "%s is buggy! Expected length %d "
1780  "but we got %d\n", name,
1781  cmnd_size, common->cmnd_size);
1782  cmnd_size = common->cmnd_size;
1783  } else {
1784  common->phase_error = 1;
1785  return -EINVAL;
1786  }
1787  }
1788 
1789  /* Check that the LUN values are consistent */
1790  if (common->lun != lun)
1791  DBG(common, "using LUN %d from CBW, not LUN %d from CDB\n",
1792  common->lun, lun);
1793 
1794  /* Check the LUN */
1795  curlun = common->curlun;
1796  if (curlun) {
1797  if (common->cmnd[0] != REQUEST_SENSE) {
1798  curlun->sense_data = SS_NO_SENSE;
1799  curlun->sense_data_info = 0;
1800  curlun->info_valid = 0;
1801  }
1802  } else {
1803  common->bad_lun_okay = 0;
1804 
1805  /*
1806  * INQUIRY and REQUEST SENSE commands are explicitly allowed
1807  * to use unsupported LUNs; all others may not.
1808  */
1809  if (common->cmnd[0] != INQUIRY &&
1810  common->cmnd[0] != REQUEST_SENSE) {
1811  DBG(common, "unsupported LUN %d\n", common->lun);
1812  return -EINVAL;
1813  }
1814  }
1815 
1816  /*
1817  * If a unit attention condition exists, only INQUIRY and
1818  * REQUEST SENSE commands are allowed; anything else must fail.
1819  */
1820  if (curlun && curlun->unit_attention_data != SS_NO_SENSE &&
1821  common->cmnd[0] != INQUIRY &&
1822  common->cmnd[0] != REQUEST_SENSE) {
1823  curlun->sense_data = curlun->unit_attention_data;
1824  curlun->unit_attention_data = SS_NO_SENSE;
1825  return -EINVAL;
1826  }
1827 
1828  /* Check that only command bytes listed in the mask are non-zero */
1829  common->cmnd[1] &= 0x1f; /* Mask away the LUN */
1830  for (i = 1; i < cmnd_size; ++i) {
1831  if (common->cmnd[i] && !(mask & (1 << i))) {
1832  if (curlun)
1834  return -EINVAL;
1835  }
1836  }
1837 
1838  /* If the medium isn't mounted and the command needs to access
1839  * it, return an error. */
1840  if (curlun && !fsg_lun_is_open(curlun) && needs_medium) {
1842  return -EINVAL;
1843  }
1844 
1845  return 0;
1846 }
1847 
1848 /* wrapper of check_command for data size in blocks handling */
1849 static int check_command_size_in_blocks(struct fsg_common *common,
1850  int cmnd_size, enum data_direction data_dir,
1851  unsigned int mask, int needs_medium, const char *name)
1852 {
1853  if (common->curlun)
1854  common->data_size_from_cmnd <<= common->curlun->blkbits;
1855  return check_command(common, cmnd_size, data_dir,
1856  mask, needs_medium, name);
1857 }
1858 
1859 static int do_scsi_command(struct fsg_common *common)
1860 {
1861  struct fsg_buffhd *bh;
1862  int rc;
1863  int reply = -EINVAL;
1864  int i;
1865  static char unknown[16];
1866 
1867  dump_cdb(common);
1868 
1869  /* Wait for the next buffer to become available for data or status */
1870  bh = common->next_buffhd_to_fill;
1871  common->next_buffhd_to_drain = bh;
1872  while (bh->state != BUF_STATE_EMPTY) {
1873  rc = sleep_thread(common);
1874  if (rc)
1875  return rc;
1876  }
1877  common->phase_error = 0;
1878  common->short_packet_received = 0;
1879 
1880  down_read(&common->filesem); /* We're using the backing file */
1881  switch (common->cmnd[0]) {
1882 
1883  case INQUIRY:
1884  common->data_size_from_cmnd = common->cmnd[4];
1885  reply = check_command(common, 6, DATA_DIR_TO_HOST,
1886  (1<<4), 0,
1887  "INQUIRY");
1888  if (reply == 0)
1889  reply = do_inquiry(common, bh);
1890  break;
1891 
1892  case MODE_SELECT:
1893  common->data_size_from_cmnd = common->cmnd[4];
1894  reply = check_command(common, 6, DATA_DIR_FROM_HOST,
1895  (1<<1) | (1<<4), 0,
1896  "MODE SELECT(6)");
1897  if (reply == 0)
1898  reply = do_mode_select(common, bh);
1899  break;
1900 
1901  case MODE_SELECT_10:
1902  common->data_size_from_cmnd =
1903  get_unaligned_be16(&common->cmnd[7]);
1904  reply = check_command(common, 10, DATA_DIR_FROM_HOST,
1905  (1<<1) | (3<<7), 0,
1906  "MODE SELECT(10)");
1907  if (reply == 0)
1908  reply = do_mode_select(common, bh);
1909  break;
1910 
1911  case MODE_SENSE:
1912  common->data_size_from_cmnd = common->cmnd[4];
1913  reply = check_command(common, 6, DATA_DIR_TO_HOST,
1914  (1<<1) | (1<<2) | (1<<4), 0,
1915  "MODE SENSE(6)");
1916  if (reply == 0)
1917  reply = do_mode_sense(common, bh);
1918  break;
1919 
1920  case MODE_SENSE_10:
1921  common->data_size_from_cmnd =
1922  get_unaligned_be16(&common->cmnd[7]);
1923  reply = check_command(common, 10, DATA_DIR_TO_HOST,
1924  (1<<1) | (1<<2) | (3<<7), 0,
1925  "MODE SENSE(10)");
1926  if (reply == 0)
1927  reply = do_mode_sense(common, bh);
1928  break;
1929 
1930  case ALLOW_MEDIUM_REMOVAL:
1931  common->data_size_from_cmnd = 0;
1932  reply = check_command(common, 6, DATA_DIR_NONE,
1933  (1<<4), 0,
1934  "PREVENT-ALLOW MEDIUM REMOVAL");
1935  if (reply == 0)
1936  reply = do_prevent_allow(common);
1937  break;
1938 
1939  case READ_6:
1940  i = common->cmnd[4];
1941  common->data_size_from_cmnd = (i == 0) ? 256 : i;
1942  reply = check_command_size_in_blocks(common, 6,
1944  (7<<1) | (1<<4), 1,
1945  "READ(6)");
1946  if (reply == 0)
1947  reply = do_read(common);
1948  break;
1949 
1950  case READ_10:
1951  common->data_size_from_cmnd =
1952  get_unaligned_be16(&common->cmnd[7]);
1953  reply = check_command_size_in_blocks(common, 10,
1955  (1<<1) | (0xf<<2) | (3<<7), 1,
1956  "READ(10)");
1957  if (reply == 0)
1958  reply = do_read(common);
1959  break;
1960 
1961  case READ_12:
1962  common->data_size_from_cmnd =
1963  get_unaligned_be32(&common->cmnd[6]);
1964  reply = check_command_size_in_blocks(common, 12,
1966  (1<<1) | (0xf<<2) | (0xf<<6), 1,
1967  "READ(12)");
1968  if (reply == 0)
1969  reply = do_read(common);
1970  break;
1971 
1972  case READ_CAPACITY:
1973  common->data_size_from_cmnd = 8;
1974  reply = check_command(common, 10, DATA_DIR_TO_HOST,
1975  (0xf<<2) | (1<<8), 1,
1976  "READ CAPACITY");
1977  if (reply == 0)
1978  reply = do_read_capacity(common, bh);
1979  break;
1980 
1981  case READ_HEADER:
1982  if (!common->curlun || !common->curlun->cdrom)
1983  goto unknown_cmnd;
1984  common->data_size_from_cmnd =
1985  get_unaligned_be16(&common->cmnd[7]);
1986  reply = check_command(common, 10, DATA_DIR_TO_HOST,
1987  (3<<7) | (0x1f<<1), 1,
1988  "READ HEADER");
1989  if (reply == 0)
1990  reply = do_read_header(common, bh);
1991  break;
1992 
1993  case READ_TOC:
1994  if (!common->curlun || !common->curlun->cdrom)
1995  goto unknown_cmnd;
1996  common->data_size_from_cmnd =
1997  get_unaligned_be16(&common->cmnd[7]);
1998  reply = check_command(common, 10, DATA_DIR_TO_HOST,
1999  (7<<6) | (1<<1), 1,
2000  "READ TOC");
2001  if (reply == 0)
2002  reply = do_read_toc(common, bh);
2003  break;
2004 
2006  common->data_size_from_cmnd =
2007  get_unaligned_be16(&common->cmnd[7]);
2008  reply = check_command(common, 10, DATA_DIR_TO_HOST,
2009  (3<<7), 1,
2010  "READ FORMAT CAPACITIES");
2011  if (reply == 0)
2012  reply = do_read_format_capacities(common, bh);
2013  break;
2014 
2015  case REQUEST_SENSE:
2016  common->data_size_from_cmnd = common->cmnd[4];
2017  reply = check_command(common, 6, DATA_DIR_TO_HOST,
2018  (1<<4), 0,
2019  "REQUEST SENSE");
2020  if (reply == 0)
2021  reply = do_request_sense(common, bh);
2022  break;
2023 
2024  case START_STOP:
2025  common->data_size_from_cmnd = 0;
2026  reply = check_command(common, 6, DATA_DIR_NONE,
2027  (1<<1) | (1<<4), 0,
2028  "START-STOP UNIT");
2029  if (reply == 0)
2030  reply = do_start_stop(common);
2031  break;
2032 
2033  case SYNCHRONIZE_CACHE:
2034  common->data_size_from_cmnd = 0;
2035  reply = check_command(common, 10, DATA_DIR_NONE,
2036  (0xf<<2) | (3<<7), 1,
2037  "SYNCHRONIZE CACHE");
2038  if (reply == 0)
2039  reply = do_synchronize_cache(common);
2040  break;
2041 
2042  case TEST_UNIT_READY:
2043  common->data_size_from_cmnd = 0;
2044  reply = check_command(common, 6, DATA_DIR_NONE,
2045  0, 1,
2046  "TEST UNIT READY");
2047  break;
2048 
2049  /*
2050  * Although optional, this command is used by MS-Windows. We
2051  * support a minimal version: BytChk must be 0.
2052  */
2053  case VERIFY:
2054  common->data_size_from_cmnd = 0;
2055  reply = check_command(common, 10, DATA_DIR_NONE,
2056  (1<<1) | (0xf<<2) | (3<<7), 1,
2057  "VERIFY");
2058  if (reply == 0)
2059  reply = do_verify(common);
2060  break;
2061 
2062  case WRITE_6:
2063  i = common->cmnd[4];
2064  common->data_size_from_cmnd = (i == 0) ? 256 : i;
2065  reply = check_command_size_in_blocks(common, 6,
2067  (7<<1) | (1<<4), 1,
2068  "WRITE(6)");
2069  if (reply == 0)
2070  reply = do_write(common);
2071  break;
2072 
2073  case WRITE_10:
2074  common->data_size_from_cmnd =
2075  get_unaligned_be16(&common->cmnd[7]);
2076  reply = check_command_size_in_blocks(common, 10,
2078  (1<<1) | (0xf<<2) | (3<<7), 1,
2079  "WRITE(10)");
2080  if (reply == 0)
2081  reply = do_write(common);
2082  break;
2083 
2084  case WRITE_12:
2085  common->data_size_from_cmnd =
2086  get_unaligned_be32(&common->cmnd[6]);
2087  reply = check_command_size_in_blocks(common, 12,
2089  (1<<1) | (0xf<<2) | (0xf<<6), 1,
2090  "WRITE(12)");
2091  if (reply == 0)
2092  reply = do_write(common);
2093  break;
2094 
2095  /*
2096  * Some mandatory commands that we recognize but don't implement.
2097  * They don't mean much in this setting. It's left as an exercise
2098  * for anyone interested to implement RESERVE and RELEASE in terms
2099  * of Posix locks.
2100  */
2101  case FORMAT_UNIT:
2102  case RELEASE:
2103  case RESERVE:
2104  case SEND_DIAGNOSTIC:
2105  /* Fall through */
2106 
2107  default:
2108 unknown_cmnd:
2109  common->data_size_from_cmnd = 0;
2110  sprintf(unknown, "Unknown x%02x", common->cmnd[0]);
2111  reply = check_command(common, common->cmnd_size,
2112  DATA_DIR_UNKNOWN, ~0, 0, unknown);
2113  if (reply == 0) {
2114  common->curlun->sense_data = SS_INVALID_COMMAND;
2115  reply = -EINVAL;
2116  }
2117  break;
2118  }
2119  up_read(&common->filesem);
2120 
2121  if (reply == -EINTR || signal_pending(current))
2122  return -EINTR;
2123 
2124  /* Set up the single reply buffer for finish_reply() */
2125  if (reply == -EINVAL)
2126  reply = 0; /* Error reply length */
2127  if (reply >= 0 && common->data_dir == DATA_DIR_TO_HOST) {
2128  reply = min((u32)reply, common->data_size_from_cmnd);
2129  bh->inreq->length = reply;
2130  bh->state = BUF_STATE_FULL;
2131  common->residue -= reply;
2132  } /* Otherwise it's already set */
2133 
2134  return 0;
2135 }
2136 
2137 
2138 /*-------------------------------------------------------------------------*/
2139 
2140 static int received_cbw(struct fsg_dev *fsg, struct fsg_buffhd *bh)
2141 {
2142  struct usb_request *req = bh->outreq;
2143  struct bulk_cb_wrap *cbw = req->buf;
2144  struct fsg_common *common = fsg->common;
2145 
2146  /* Was this a real packet? Should it be ignored? */
2147  if (req->status || test_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags))
2148  return -EINVAL;
2149 
2150  /* Is the CBW valid? */
2151  if (req->actual != US_BULK_CB_WRAP_LEN ||
2152  cbw->Signature != cpu_to_le32(
2153  US_BULK_CB_SIGN)) {
2154  DBG(fsg, "invalid CBW: len %u sig 0x%x\n",
2155  req->actual,
2156  le32_to_cpu(cbw->Signature));
2157 
2158  /*
2159  * The Bulk-only spec says we MUST stall the IN endpoint
2160  * (6.6.1), so it's unavoidable. It also says we must
2161  * retain this state until the next reset, but there's
2162  * no way to tell the controller driver it should ignore
2163  * Clear-Feature(HALT) requests.
2164  *
2165  * We aren't required to halt the OUT endpoint; instead
2166  * we can simply accept and discard any data received
2167  * until the next reset.
2168  */
2169  wedge_bulk_in_endpoint(fsg);
2171  return -EINVAL;
2172  }
2173 
2174  /* Is the CBW meaningful? */
2175  if (cbw->Lun >= FSG_MAX_LUNS || cbw->Flags & ~US_BULK_FLAG_IN ||
2176  cbw->Length <= 0 || cbw->Length > MAX_COMMAND_SIZE) {
2177  DBG(fsg, "non-meaningful CBW: lun = %u, flags = 0x%x, "
2178  "cmdlen %u\n",
2179  cbw->Lun, cbw->Flags, cbw->Length);
2180 
2181  /*
2182  * We can do anything we want here, so let's stall the
2183  * bulk pipes if we are allowed to.
2184  */
2185  if (common->can_stall) {
2186  fsg_set_halt(fsg, fsg->bulk_out);
2187  halt_bulk_in_endpoint(fsg);
2188  }
2189  return -EINVAL;
2190  }
2191 
2192  /* Save the command for later */
2193  common->cmnd_size = cbw->Length;
2194  memcpy(common->cmnd, cbw->CDB, common->cmnd_size);
2195  if (cbw->Flags & US_BULK_FLAG_IN)
2196  common->data_dir = DATA_DIR_TO_HOST;
2197  else
2198  common->data_dir = DATA_DIR_FROM_HOST;
2199  common->data_size = le32_to_cpu(cbw->DataTransferLength);
2200  if (common->data_size == 0)
2201  common->data_dir = DATA_DIR_NONE;
2202  common->lun = cbw->Lun;
2203  if (common->lun >= 0 && common->lun < common->nluns)
2204  common->curlun = &common->luns[common->lun];
2205  else
2206  common->curlun = NULL;
2207  common->tag = cbw->Tag;
2208  return 0;
2209 }
2210 
2211 static int get_next_command(struct fsg_common *common)
2212 {
2213  struct fsg_buffhd *bh;
2214  int rc = 0;
2215 
2216  /* Wait for the next buffer to become available */
2217  bh = common->next_buffhd_to_fill;
2218  while (bh->state != BUF_STATE_EMPTY) {
2219  rc = sleep_thread(common);
2220  if (rc)
2221  return rc;
2222  }
2223 
2224  /* Queue a request to read a Bulk-only CBW */
2225  set_bulk_out_req_length(common, bh, US_BULK_CB_WRAP_LEN);
2226  if (!start_out_transfer(common, bh))
2227  /* Don't know what to do if common->fsg is NULL */
2228  return -EIO;
2229 
2230  /*
2231  * We will drain the buffer in software, which means we
2232  * can reuse it for the next filling. No need to advance
2233  * next_buffhd_to_fill.
2234  */
2235 
2236  /* Wait for the CBW to arrive */
2237  while (bh->state != BUF_STATE_FULL) {
2238  rc = sleep_thread(common);
2239  if (rc)
2240  return rc;
2241  }
2242  smp_rmb();
2243  rc = fsg_is_set(common) ? received_cbw(common->fsg, bh) : -EIO;
2244  bh->state = BUF_STATE_EMPTY;
2245 
2246  return rc;
2247 }
2248 
2249 
2250 /*-------------------------------------------------------------------------*/
2251 
2252 static int alloc_request(struct fsg_common *common, struct usb_ep *ep,
2253  struct usb_request **preq)
2254 {
2255  *preq = usb_ep_alloc_request(ep, GFP_ATOMIC);
2256  if (*preq)
2257  return 0;
2258  ERROR(common, "can't allocate request for %s\n", ep->name);
2259  return -ENOMEM;
2260 }
2261 
2262 /* Reset interface setting and re-init endpoint state (toggle etc). */
2263 static int do_set_interface(struct fsg_common *common, struct fsg_dev *new_fsg)
2264 {
2265  struct fsg_dev *fsg;
2266  int i, rc = 0;
2267 
2268  if (common->running)
2269  DBG(common, "reset interface\n");
2270 
2271 reset:
2272  /* Deallocate the requests */
2273  if (common->fsg) {
2274  fsg = common->fsg;
2275 
2276  for (i = 0; i < fsg_num_buffers; ++i) {
2277  struct fsg_buffhd *bh = &common->buffhds[i];
2278 
2279  if (bh->inreq) {
2280  usb_ep_free_request(fsg->bulk_in, bh->inreq);
2281  bh->inreq = NULL;
2282  }
2283  if (bh->outreq) {
2284  usb_ep_free_request(fsg->bulk_out, bh->outreq);
2285  bh->outreq = NULL;
2286  }
2287  }
2288 
2289  /* Disable the endpoints */
2290  if (fsg->bulk_in_enabled) {
2291  usb_ep_disable(fsg->bulk_in);
2292  fsg->bulk_in_enabled = 0;
2293  }
2294  if (fsg->bulk_out_enabled) {
2295  usb_ep_disable(fsg->bulk_out);
2296  fsg->bulk_out_enabled = 0;
2297  }
2298 
2299  common->fsg = NULL;
2300  wake_up(&common->fsg_wait);
2301  }
2302 
2303  common->running = 0;
2304  if (!new_fsg || rc)
2305  return rc;
2306 
2307  common->fsg = new_fsg;
2308  fsg = common->fsg;
2309 
2310  /* Enable the endpoints */
2311  rc = config_ep_by_speed(common->gadget, &(fsg->function), fsg->bulk_in);
2312  if (rc)
2313  goto reset;
2314  rc = usb_ep_enable(fsg->bulk_in);
2315  if (rc)
2316  goto reset;
2317  fsg->bulk_in->driver_data = common;
2318  fsg->bulk_in_enabled = 1;
2319 
2320  rc = config_ep_by_speed(common->gadget, &(fsg->function),
2321  fsg->bulk_out);
2322  if (rc)
2323  goto reset;
2324  rc = usb_ep_enable(fsg->bulk_out);
2325  if (rc)
2326  goto reset;
2327  fsg->bulk_out->driver_data = common;
2328  fsg->bulk_out_enabled = 1;
2329  common->bulk_out_maxpacket = usb_endpoint_maxp(fsg->bulk_out->desc);
2331 
2332  /* Allocate the requests */
2333  for (i = 0; i < fsg_num_buffers; ++i) {
2334  struct fsg_buffhd *bh = &common->buffhds[i];
2335 
2336  rc = alloc_request(common, fsg->bulk_in, &bh->inreq);
2337  if (rc)
2338  goto reset;
2339  rc = alloc_request(common, fsg->bulk_out, &bh->outreq);
2340  if (rc)
2341  goto reset;
2342  bh->inreq->buf = bh->outreq->buf = bh->buf;
2343  bh->inreq->context = bh->outreq->context = bh;
2344  bh->inreq->complete = bulk_in_complete;
2345  bh->outreq->complete = bulk_out_complete;
2346  }
2347 
2348  common->running = 1;
2349  for (i = 0; i < common->nluns; ++i)
2350  common->luns[i].unit_attention_data = SS_RESET_OCCURRED;
2351  return rc;
2352 }
2353 
2354 
2355 /****************************** ALT CONFIGS ******************************/
2356 
2357 static int fsg_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
2358 {
2359  struct fsg_dev *fsg = fsg_from_func(f);
2360  fsg->common->new_fsg = fsg;
2361  raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE);
2363 }
2364 
2365 static void fsg_disable(struct usb_function *f)
2366 {
2367  struct fsg_dev *fsg = fsg_from_func(f);
2368  fsg->common->new_fsg = NULL;
2369  raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE);
2370 }
2371 
2372 
2373 /*-------------------------------------------------------------------------*/
2374 
2375 static void handle_exception(struct fsg_common *common)
2376 {
2377  siginfo_t info;
2378  int i;
2379  struct fsg_buffhd *bh;
2380  enum fsg_state old_state;
2381  struct fsg_lun *curlun;
2382  unsigned int exception_req_tag;
2383 
2384  /*
2385  * Clear the existing signals. Anything but SIGUSR1 is converted
2386  * into a high-priority EXIT exception.
2387  */
2388  for (;;) {
2389  int sig =
2390  dequeue_signal_lock(current, &current->blocked, &info);
2391  if (!sig)
2392  break;
2393  if (sig != SIGUSR1) {
2394  if (common->state < FSG_STATE_EXIT)
2395  DBG(common, "Main thread exiting on signal\n");
2396  raise_exception(common, FSG_STATE_EXIT);
2397  }
2398  }
2399 
2400  /* Cancel all the pending transfers */
2401  if (likely(common->fsg)) {
2402  for (i = 0; i < fsg_num_buffers; ++i) {
2403  bh = &common->buffhds[i];
2404  if (bh->inreq_busy)
2405  usb_ep_dequeue(common->fsg->bulk_in, bh->inreq);
2406  if (bh->outreq_busy)
2407  usb_ep_dequeue(common->fsg->bulk_out,
2408  bh->outreq);
2409  }
2410 
2411  /* Wait until everything is idle */
2412  for (;;) {
2413  int num_active = 0;
2414  for (i = 0; i < fsg_num_buffers; ++i) {
2415  bh = &common->buffhds[i];
2416  num_active += bh->inreq_busy + bh->outreq_busy;
2417  }
2418  if (num_active == 0)
2419  break;
2420  if (sleep_thread(common))
2421  return;
2422  }
2423 
2424  /* Clear out the controller's fifos */
2425  if (common->fsg->bulk_in_enabled)
2426  usb_ep_fifo_flush(common->fsg->bulk_in);
2427  if (common->fsg->bulk_out_enabled)
2428  usb_ep_fifo_flush(common->fsg->bulk_out);
2429  }
2430 
2431  /*
2432  * Reset the I/O buffer states and pointers, the SCSI
2433  * state, and the exception. Then invoke the handler.
2434  */
2435  spin_lock_irq(&common->lock);
2436 
2437  for (i = 0; i < fsg_num_buffers; ++i) {
2438  bh = &common->buffhds[i];
2439  bh->state = BUF_STATE_EMPTY;
2440  }
2441  common->next_buffhd_to_fill = &common->buffhds[0];
2442  common->next_buffhd_to_drain = &common->buffhds[0];
2443  exception_req_tag = common->exception_req_tag;
2444  old_state = common->state;
2445 
2446  if (old_state == FSG_STATE_ABORT_BULK_OUT)
2447  common->state = FSG_STATE_STATUS_PHASE;
2448  else {
2449  for (i = 0; i < common->nluns; ++i) {
2450  curlun = &common->luns[i];
2451  curlun->prevent_medium_removal = 0;
2452  curlun->sense_data = SS_NO_SENSE;
2453  curlun->unit_attention_data = SS_NO_SENSE;
2454  curlun->sense_data_info = 0;
2455  curlun->info_valid = 0;
2456  }
2457  common->state = FSG_STATE_IDLE;
2458  }
2459  spin_unlock_irq(&common->lock);
2460 
2461  /* Carry out any extra actions required for the exception */
2462  switch (old_state) {
2464  send_status(common);
2465  spin_lock_irq(&common->lock);
2466  if (common->state == FSG_STATE_STATUS_PHASE)
2467  common->state = FSG_STATE_IDLE;
2468  spin_unlock_irq(&common->lock);
2469  break;
2470 
2471  case FSG_STATE_RESET:
2472  /*
2473  * In case we were forced against our will to halt a
2474  * bulk endpoint, clear the halt now. (The SuperH UDC
2475  * requires this.)
2476  */
2477  if (!fsg_is_set(common))
2478  break;
2480  &common->fsg->atomic_bitflags))
2481  usb_ep_clear_halt(common->fsg->bulk_in);
2482 
2483  if (common->ep0_req_tag == exception_req_tag)
2484  ep0_queue(common); /* Complete the status stage */
2485 
2486  /*
2487  * Technically this should go here, but it would only be
2488  * a waste of time. Ditto for the INTERFACE_CHANGE and
2489  * CONFIG_CHANGE cases.
2490  */
2491  /* for (i = 0; i < common->nluns; ++i) */
2492  /* common->luns[i].unit_attention_data = */
2493  /* SS_RESET_OCCURRED; */
2494  break;
2495 
2497  do_set_interface(common, common->new_fsg);
2498  if (common->new_fsg)
2500  break;
2501 
2502  case FSG_STATE_EXIT:
2503  case FSG_STATE_TERMINATED:
2504  do_set_interface(common, NULL); /* Free resources */
2505  spin_lock_irq(&common->lock);
2506  common->state = FSG_STATE_TERMINATED; /* Stop the thread */
2507  spin_unlock_irq(&common->lock);
2508  break;
2509 
2511  case FSG_STATE_DISCONNECT:
2513  case FSG_STATE_DATA_PHASE:
2515  case FSG_STATE_IDLE:
2516  break;
2517  }
2518 }
2519 
2520 
2521 /*-------------------------------------------------------------------------*/
2522 
2523 static int fsg_main_thread(void *common_)
2524 {
2525  struct fsg_common *common = common_;
2526 
2527  /*
2528  * Allow the thread to be killed by a signal, but set the signal mask
2529  * to block everything but INT, TERM, KILL, and USR1.
2530  */
2535 
2536  /* Allow the thread to be frozen */
2537  set_freezable();
2538 
2539  /*
2540  * Arrange for userspace references to be interpreted as kernel
2541  * pointers. That way we can pass a kernel pointer to a routine
2542  * that expects a __user pointer and it will work okay.
2543  */
2544  set_fs(get_ds());
2545 
2546  /* The main loop */
2547  while (common->state != FSG_STATE_TERMINATED) {
2548  if (exception_in_progress(common) || signal_pending(current)) {
2549  handle_exception(common);
2550  continue;
2551  }
2552 
2553  if (!common->running) {
2554  sleep_thread(common);
2555  continue;
2556  }
2557 
2558  if (get_next_command(common))
2559  continue;
2560 
2561  spin_lock_irq(&common->lock);
2562  if (!exception_in_progress(common))
2563  common->state = FSG_STATE_DATA_PHASE;
2564  spin_unlock_irq(&common->lock);
2565 
2566  if (do_scsi_command(common) || finish_reply(common))
2567  continue;
2568 
2569  spin_lock_irq(&common->lock);
2570  if (!exception_in_progress(common))
2571  common->state = FSG_STATE_STATUS_PHASE;
2572  spin_unlock_irq(&common->lock);
2573 
2574  if (send_status(common))
2575  continue;
2576 
2577  spin_lock_irq(&common->lock);
2578  if (!exception_in_progress(common))
2579  common->state = FSG_STATE_IDLE;
2580  spin_unlock_irq(&common->lock);
2581  }
2582 
2583  spin_lock_irq(&common->lock);
2584  common->thread_task = NULL;
2585  spin_unlock_irq(&common->lock);
2586 
2587  if (!common->ops || !common->ops->thread_exits
2588  || common->ops->thread_exits(common) < 0) {
2589  struct fsg_lun *curlun = common->luns;
2590  unsigned i = common->nluns;
2591 
2592  down_write(&common->filesem);
2593  for (; i--; ++curlun) {
2594  if (!fsg_lun_is_open(curlun))
2595  continue;
2596 
2597  fsg_lun_close(curlun);
2599  }
2600  up_write(&common->filesem);
2601  }
2602 
2603  /* Let fsg_unbind() know the thread has exited */
2604  complete_and_exit(&common->thread_notifier, 0);
2605 }
2606 
2607 
2608 /*************************** DEVICE ATTRIBUTES ***************************/
2609 
2610 static DEVICE_ATTR(ro, 0644, fsg_show_ro, fsg_store_ro);
2611 static DEVICE_ATTR(nofua, 0644, fsg_show_nofua, fsg_store_nofua);
2612 static DEVICE_ATTR(file, 0644, fsg_show_file, fsg_store_file);
2613 
2614 static struct device_attribute dev_attr_ro_cdrom =
2615  __ATTR(ro, 0444, fsg_show_ro, NULL);
2616 static struct device_attribute dev_attr_file_nonremovable =
2617  __ATTR(file, 0444, fsg_show_file, NULL);
2618 
2619 
2620 /****************************** FSG COMMON ******************************/
2621 
2622 static void fsg_common_release(struct kref *ref);
2623 
2624 static void fsg_lun_release(struct device *dev)
2625 {
2626  /* Nothing needs to be done */
2627 }
2628 
2629 static inline void fsg_common_get(struct fsg_common *common)
2630 {
2631  kref_get(&common->ref);
2632 }
2633 
2634 static inline void fsg_common_put(struct fsg_common *common)
2635 {
2636  kref_put(&common->ref, fsg_common_release);
2637 }
2638 
2639 static struct fsg_common *fsg_common_init(struct fsg_common *common,
2640  struct usb_composite_dev *cdev,
2641  struct fsg_config *cfg)
2642 {
2643  struct usb_gadget *gadget = cdev->gadget;
2644  struct fsg_buffhd *bh;
2645  struct fsg_lun *curlun;
2646  struct fsg_lun_config *lcfg;
2647  int nluns, i, rc;
2648  char *pathbuf;
2649 
2650  rc = fsg_num_buffers_validate();
2651  if (rc != 0)
2652  return ERR_PTR(rc);
2653 
2654  /* Find out how many LUNs there should be */
2655  nluns = cfg->nluns;
2656  if (nluns < 1 || nluns > FSG_MAX_LUNS) {
2657  dev_err(&gadget->dev, "invalid number of LUNs: %u\n", nluns);
2658  return ERR_PTR(-EINVAL);
2659  }
2660 
2661  /* Allocate? */
2662  if (!common) {
2663  common = kzalloc(sizeof *common, GFP_KERNEL);
2664  if (!common)
2665  return ERR_PTR(-ENOMEM);
2666  common->free_storage_on_release = 1;
2667  } else {
2668  memset(common, 0, sizeof *common);
2669  common->free_storage_on_release = 0;
2670  }
2671 
2672  common->buffhds = kcalloc(fsg_num_buffers,
2673  sizeof *(common->buffhds), GFP_KERNEL);
2674  if (!common->buffhds) {
2675  if (common->free_storage_on_release)
2676  kfree(common);
2677  return ERR_PTR(-ENOMEM);
2678  }
2679 
2680  common->ops = cfg->ops;
2681  common->private_data = cfg->private_data;
2682 
2683  common->gadget = gadget;
2684  common->ep0 = gadget->ep0;
2685  common->ep0req = cdev->req;
2686  common->cdev = cdev;
2687 
2688  /* Maybe allocate device-global string IDs, and patch descriptors */
2689  if (fsg_strings[FSG_STRING_INTERFACE].id == 0) {
2690  rc = usb_string_id(cdev);
2691  if (unlikely(rc < 0))
2692  goto error_release;
2693  fsg_strings[FSG_STRING_INTERFACE].id = rc;
2694  fsg_intf_desc.iInterface = rc;
2695  }
2696 
2697  /*
2698  * Create the LUNs, open their backing files, and register the
2699  * LUN devices in sysfs.
2700  */
2701  curlun = kcalloc(nluns, sizeof(*curlun), GFP_KERNEL);
2702  if (unlikely(!curlun)) {
2703  rc = -ENOMEM;
2704  goto error_release;
2705  }
2706  common->luns = curlun;
2707 
2708  init_rwsem(&common->filesem);
2709 
2710  for (i = 0, lcfg = cfg->luns; i < nluns; ++i, ++curlun, ++lcfg) {
2711  curlun->cdrom = !!lcfg->cdrom;
2712  curlun->ro = lcfg->cdrom || lcfg->ro;
2713  curlun->initially_ro = curlun->ro;
2714  curlun->removable = lcfg->removable;
2715  curlun->dev.release = fsg_lun_release;
2716  curlun->dev.parent = &gadget->dev;
2717  /* curlun->dev.driver = &fsg_driver.driver; XXX */
2718  dev_set_drvdata(&curlun->dev, &common->filesem);
2719  dev_set_name(&curlun->dev, "lun%d", i);
2720 
2721  rc = device_register(&curlun->dev);
2722  if (rc) {
2723  INFO(common, "failed to register LUN%d: %d\n", i, rc);
2724  common->nluns = i;
2725  put_device(&curlun->dev);
2726  goto error_release;
2727  }
2728 
2729  rc = device_create_file(&curlun->dev,
2730  curlun->cdrom
2731  ? &dev_attr_ro_cdrom
2732  : &dev_attr_ro);
2733  if (rc)
2734  goto error_luns;
2735  rc = device_create_file(&curlun->dev,
2736  curlun->removable
2737  ? &dev_attr_file
2738  : &dev_attr_file_nonremovable);
2739  if (rc)
2740  goto error_luns;
2741  rc = device_create_file(&curlun->dev, &dev_attr_nofua);
2742  if (rc)
2743  goto error_luns;
2744 
2745  if (lcfg->filename) {
2746  rc = fsg_lun_open(curlun, lcfg->filename);
2747  if (rc)
2748  goto error_luns;
2749  } else if (!curlun->removable) {
2750  ERROR(common, "no file given for LUN%d\n", i);
2751  rc = -EINVAL;
2752  goto error_luns;
2753  }
2754  }
2755  common->nluns = nluns;
2756 
2757  /* Data buffers cyclic list */
2758  bh = common->buffhds;
2759  i = fsg_num_buffers;
2760  goto buffhds_first_it;
2761  do {
2762  bh->next = bh + 1;
2763  ++bh;
2764 buffhds_first_it:
2765  bh->buf = kmalloc(FSG_BUFLEN, GFP_KERNEL);
2766  if (unlikely(!bh->buf)) {
2767  rc = -ENOMEM;
2768  goto error_release;
2769  }
2770  } while (--i);
2771  bh->next = common->buffhds;
2772 
2773  /* Prepare inquiryString */
2774  i = get_default_bcdDevice();
2775  snprintf(common->inquiry_string, sizeof common->inquiry_string,
2776  "%-8s%-16s%04x", cfg->vendor_name ?: "Linux",
2777  /* Assume product name dependent on the first LUN */
2778  cfg->product_name ?: (common->luns->cdrom
2779  ? "File-Stor Gadget"
2780  : "File-CD Gadget"),
2781  i);
2782 
2783  /*
2784  * Some peripheral controllers are known not to be able to
2785  * halt bulk endpoints correctly. If one of them is present,
2786  * disable stalls.
2787  */
2788  common->can_stall = cfg->can_stall &&
2789  !(gadget_is_at91(common->gadget));
2790 
2791  spin_lock_init(&common->lock);
2792  kref_init(&common->ref);
2793 
2794  /* Tell the thread to start working */
2795  common->thread_task =
2796  kthread_create(fsg_main_thread, common, "file-storage");
2797  if (IS_ERR(common->thread_task)) {
2798  rc = PTR_ERR(common->thread_task);
2799  goto error_release;
2800  }
2801  init_completion(&common->thread_notifier);
2802  init_waitqueue_head(&common->fsg_wait);
2803 
2804  /* Information */
2805  INFO(common, FSG_DRIVER_DESC ", version: " FSG_DRIVER_VERSION "\n");
2806  INFO(common, "Number of LUNs=%d\n", common->nluns);
2807 
2808  pathbuf = kmalloc(PATH_MAX, GFP_KERNEL);
2809  for (i = 0, nluns = common->nluns, curlun = common->luns;
2810  i < nluns;
2811  ++curlun, ++i) {
2812  char *p = "(no medium)";
2813  if (fsg_lun_is_open(curlun)) {
2814  p = "(error)";
2815  if (pathbuf) {
2816  p = d_path(&curlun->filp->f_path,
2817  pathbuf, PATH_MAX);
2818  if (IS_ERR(p))
2819  p = "(error)";
2820  }
2821  }
2822  LINFO(curlun, "LUN: %s%s%sfile: %s\n",
2823  curlun->removable ? "removable " : "",
2824  curlun->ro ? "read only " : "",
2825  curlun->cdrom ? "CD-ROM " : "",
2826  p);
2827  }
2828  kfree(pathbuf);
2829 
2830  DBG(common, "I/O thread pid: %d\n", task_pid_nr(common->thread_task));
2831 
2832  wake_up_process(common->thread_task);
2833 
2834  return common;
2835 
2836 error_luns:
2837  common->nluns = i + 1;
2838 error_release:
2839  common->state = FSG_STATE_TERMINATED; /* The thread is dead */
2840  /* Call fsg_common_release() directly, ref might be not initialised. */
2841  fsg_common_release(&common->ref);
2842  return ERR_PTR(rc);
2843 }
2844 
2845 static void fsg_common_release(struct kref *ref)
2846 {
2847  struct fsg_common *common = container_of(ref, struct fsg_common, ref);
2848 
2849  /* If the thread isn't already dead, tell it to exit now */
2850  if (common->state != FSG_STATE_TERMINATED) {
2851  raise_exception(common, FSG_STATE_EXIT);
2853  }
2854 
2855  if (likely(common->luns)) {
2856  struct fsg_lun *lun = common->luns;
2857  unsigned i = common->nluns;
2858 
2859  /* In error recovery common->nluns may be zero. */
2860  for (; i; --i, ++lun) {
2861  device_remove_file(&lun->dev, &dev_attr_nofua);
2862  device_remove_file(&lun->dev,
2863  lun->cdrom
2864  ? &dev_attr_ro_cdrom
2865  : &dev_attr_ro);
2866  device_remove_file(&lun->dev,
2867  lun->removable
2868  ? &dev_attr_file
2869  : &dev_attr_file_nonremovable);
2870  fsg_lun_close(lun);
2871  device_unregister(&lun->dev);
2872  }
2873 
2874  kfree(common->luns);
2875  }
2876 
2877  {
2878  struct fsg_buffhd *bh = common->buffhds;
2879  unsigned i = fsg_num_buffers;
2880  do {
2881  kfree(bh->buf);
2882  } while (++bh, --i);
2883  }
2884 
2885  kfree(common->buffhds);
2886  if (common->free_storage_on_release)
2887  kfree(common);
2888 }
2889 
2890 
2891 /*-------------------------------------------------------------------------*/
2892 
2893 static void fsg_unbind(struct usb_configuration *c, struct usb_function *f)
2894 {
2895  struct fsg_dev *fsg = fsg_from_func(f);
2896  struct fsg_common *common = fsg->common;
2897 
2898  DBG(fsg, "unbind\n");
2899  if (fsg->common->fsg == fsg) {
2900  fsg->common->new_fsg = NULL;
2901  raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE);
2902  /* FIXME: make interruptible or killable somehow? */
2903  wait_event(common->fsg_wait, common->fsg != fsg);
2904  }
2905 
2906  fsg_common_put(common);
2907  usb_free_descriptors(fsg->function.descriptors);
2908  usb_free_descriptors(fsg->function.hs_descriptors);
2909  usb_free_descriptors(fsg->function.ss_descriptors);
2910  kfree(fsg);
2911 }
2912 
2913 static int fsg_bind(struct usb_configuration *c, struct usb_function *f)
2914 {
2915  struct fsg_dev *fsg = fsg_from_func(f);
2916  struct usb_gadget *gadget = c->cdev->gadget;
2917  int i;
2918  struct usb_ep *ep;
2919 
2920  fsg->gadget = gadget;
2921 
2922  /* New interface */
2923  i = usb_interface_id(c, f);
2924  if (i < 0)
2925  return i;
2926  fsg_intf_desc.bInterfaceNumber = i;
2927  fsg->interface_number = i;
2928 
2929  /* Find all the endpoints we will use */
2930  ep = usb_ep_autoconfig(gadget, &fsg_fs_bulk_in_desc);
2931  if (!ep)
2932  goto autoconf_fail;
2933  ep->driver_data = fsg->common; /* claim the endpoint */
2934  fsg->bulk_in = ep;
2935 
2936  ep = usb_ep_autoconfig(gadget, &fsg_fs_bulk_out_desc);
2937  if (!ep)
2938  goto autoconf_fail;
2939  ep->driver_data = fsg->common; /* claim the endpoint */
2940  fsg->bulk_out = ep;
2941 
2942  /* Copy descriptors */
2943  f->descriptors = usb_copy_descriptors(fsg_fs_function);
2944  if (unlikely(!f->descriptors))
2945  return -ENOMEM;
2946 
2947  if (gadget_is_dualspeed(gadget)) {
2948  /* Assume endpoint addresses are the same for both speeds */
2949  fsg_hs_bulk_in_desc.bEndpointAddress =
2950  fsg_fs_bulk_in_desc.bEndpointAddress;
2951  fsg_hs_bulk_out_desc.bEndpointAddress =
2952  fsg_fs_bulk_out_desc.bEndpointAddress;
2953  f->hs_descriptors = usb_copy_descriptors(fsg_hs_function);
2954  if (unlikely(!f->hs_descriptors)) {
2955  usb_free_descriptors(f->descriptors);
2956  return -ENOMEM;
2957  }
2958  }
2959 
2960  if (gadget_is_superspeed(gadget)) {
2961  unsigned max_burst;
2962 
2963  /* Calculate bMaxBurst, we know packet size is 1024 */
2964  max_burst = min_t(unsigned, FSG_BUFLEN / 1024, 15);
2965 
2966  fsg_ss_bulk_in_desc.bEndpointAddress =
2967  fsg_fs_bulk_in_desc.bEndpointAddress;
2968  fsg_ss_bulk_in_comp_desc.bMaxBurst = max_burst;
2969 
2970  fsg_ss_bulk_out_desc.bEndpointAddress =
2971  fsg_fs_bulk_out_desc.bEndpointAddress;
2972  fsg_ss_bulk_out_comp_desc.bMaxBurst = max_burst;
2973 
2974  f->ss_descriptors = usb_copy_descriptors(fsg_ss_function);
2975  if (unlikely(!f->ss_descriptors)) {
2976  usb_free_descriptors(f->hs_descriptors);
2977  usb_free_descriptors(f->descriptors);
2978  return -ENOMEM;
2979  }
2980  }
2981 
2982  return 0;
2983 
2984 autoconf_fail:
2985  ERROR(fsg, "unable to autoconfigure all endpoints\n");
2986  return -ENOTSUPP;
2987 }
2988 
2989 
2990 /****************************** ADD FUNCTION ******************************/
2991 
2992 static struct usb_gadget_strings *fsg_strings_array[] = {
2993  &fsg_stringtab,
2994  NULL,
2995 };
2996 
2997 static int fsg_bind_config(struct usb_composite_dev *cdev,
2998  struct usb_configuration *c,
2999  struct fsg_common *common)
3000 {
3001  struct fsg_dev *fsg;
3002  int rc;
3003 
3004  fsg = kzalloc(sizeof *fsg, GFP_KERNEL);
3005  if (unlikely(!fsg))
3006  return -ENOMEM;
3007 
3008  fsg->function.name = FSG_DRIVER_DESC;
3009  fsg->function.strings = fsg_strings_array;
3010  fsg->function.bind = fsg_bind;
3011  fsg->function.unbind = fsg_unbind;
3012  fsg->function.setup = fsg_setup;
3013  fsg->function.set_alt = fsg_set_alt;
3014  fsg->function.disable = fsg_disable;
3015 
3016  fsg->common = common;
3017  /*
3018  * Our caller holds a reference to common structure so we
3019  * don't have to be worry about it being freed until we return
3020  * from this function. So instead of incrementing counter now
3021  * and decrement in error recovery we increment it only when
3022  * call to usb_add_function() was successful.
3023  */
3024 
3025  rc = usb_add_function(c, &fsg->function);
3026  if (unlikely(rc))
3027  kfree(fsg);
3028  else
3029  fsg_common_get(fsg->common);
3030  return rc;
3031 }
3032 
3033 
3034 /************************* Module parameters *************************/
3035 
3036 struct fsg_module_parameters {
3037  char *file[FSG_MAX_LUNS];
3038  bool ro[FSG_MAX_LUNS];
3039  bool removable[FSG_MAX_LUNS];
3040  bool cdrom[FSG_MAX_LUNS];
3041  bool nofua[FSG_MAX_LUNS];
3042 
3044  unsigned int nofua_count;
3045  unsigned int luns; /* nluns */
3046  bool stall; /* can_stall */
3047 };
3048 
3049 #define _FSG_MODULE_PARAM_ARRAY(prefix, params, name, type, desc) \
3050  module_param_array_named(prefix ## name, params.name, type, \
3051  &prefix ## params.name ## _count, \
3052  S_IRUGO); \
3053  MODULE_PARM_DESC(prefix ## name, desc)
3054 
3055 #define _FSG_MODULE_PARAM(prefix, params, name, type, desc) \
3056  module_param_named(prefix ## name, params.name, type, \
3057  S_IRUGO); \
3058  MODULE_PARM_DESC(prefix ## name, desc)
3059 
3060 #define FSG_MODULE_PARAMETERS(prefix, params) \
3061  _FSG_MODULE_PARAM_ARRAY(prefix, params, file, charp, \
3062  "names of backing files or devices"); \
3063  _FSG_MODULE_PARAM_ARRAY(prefix, params, ro, bool, \
3064  "true to force read-only"); \
3065  _FSG_MODULE_PARAM_ARRAY(prefix, params, removable, bool, \
3066  "true to simulate removable media"); \
3067  _FSG_MODULE_PARAM_ARRAY(prefix, params, cdrom, bool, \
3068  "true to simulate CD-ROM instead of disk"); \
3069  _FSG_MODULE_PARAM_ARRAY(prefix, params, nofua, bool, \
3070  "true to ignore SCSI WRITE(10,12) FUA bit"); \
3071  _FSG_MODULE_PARAM(prefix, params, luns, uint, \
3072  "number of LUNs"); \
3073  _FSG_MODULE_PARAM(prefix, params, stall, bool, \
3074  "false to prevent bulk stalls")
3075 
3076 static void
3077 fsg_config_from_params(struct fsg_config *cfg,
3078  const struct fsg_module_parameters *params)
3079 {
3080  struct fsg_lun_config *lun;
3081  unsigned i;
3082 
3083  /* Configure LUNs */
3084  cfg->nluns =
3085  min(params->luns ?: (params->file_count ?: 1u),
3086  (unsigned)FSG_MAX_LUNS);
3087  for (i = 0, lun = cfg->luns; i < cfg->nluns; ++i, ++lun) {
3088  lun->ro = !!params->ro[i];
3089  lun->cdrom = !!params->cdrom[i];
3090  lun->removable = !!params->removable[i];
3091  lun->filename =
3092  params->file_count > i && params->file[i][0]
3093  ? params->file[i]
3094  : 0;
3095  }
3096 
3097  /* Let MSF use defaults */
3098  cfg->vendor_name = 0;
3099  cfg->product_name = 0;
3100 
3101  cfg->ops = NULL;
3102  cfg->private_data = NULL;
3103 
3104  /* Finalise */
3105  cfg->can_stall = params->stall;
3106 }
3107 
3108 static inline struct fsg_common *
3109 fsg_common_from_params(struct fsg_common *common,
3110  struct usb_composite_dev *cdev,
3111  const struct fsg_module_parameters *params)
3112  __attribute__((unused));
3113 static inline struct fsg_common *
3114 fsg_common_from_params(struct fsg_common *common,
3115  struct usb_composite_dev *cdev,
3116  const struct fsg_module_parameters *params)
3117 {
3118  struct fsg_config cfg;
3119  fsg_config_from_params(&cfg, params);
3120  return fsg_common_init(common, cdev, &cfg);
3121 }