root/drivers/usb/gadget/function/f_mass_storage.c

DEFINITIONS

1. __fsg_is_set
2. fsg_from_func
3. exception_in_progress
4. set_bulk_out_req_length
5. fsg_set_halt
6. __raise_exception
7. raise_exception
8. ep0_queue
9. bulk_in_complete
10. bulk_out_complete
11. _fsg_common_get_max_lun
12. fsg_setup
13. start_transfer
14. start_in_transfer
15. start_out_transfer
16. sleep_thread
17. do_read
18. do_write
19. do_synchronize_cache
20. invalidate_sub
21. do_verify
22. do_inquiry
23. do_request_sense
24. do_read_capacity
25. do_read_header
26. do_read_toc
27. do_mode_sense
28. do_start_stop
29. do_prevent_allow
30. do_read_format_capacities
31. do_mode_select
32. halt_bulk_in_endpoint
33. wedge_bulk_in_endpoint
34. throw_away_data
35. finish_reply
36. send_status
37. check_command
38. check_command_size_in_blocks
39. do_scsi_command
40. received_cbw
41. get_next_command
42. alloc_request
43. do_set_interface
44. fsg_set_alt
45. fsg_disable
46. handle_exception
47. fsg_main_thread
48. ro_show
49. nofua_show
50. file_show
51. ro_store
52. nofua_store
53. file_store
54. fsg_lun_release
55. fsg_common_setup
56. fsg_common_set_sysfs
57. _fsg_common_free_buffers
58. fsg_common_set_num_buffers
59. fsg_common_remove_lun
60. _fsg_common_remove_luns
61. fsg_common_remove_luns
62. fsg_common_free_buffers
63. fsg_common_set_cdev
64. fsg_lun_dev_is_visible
65. fsg_common_create_lun
66. fsg_common_create_luns
67. fsg_common_set_inquiry_string
68. fsg_common_release
69. fsg_bind
70. fsg_unbind
71. to_fsg_lun_opts
72. to_fsg_opts
73. fsg_lun_attr_release
74. fsg_lun_opts_file_show
75. fsg_lun_opts_file_store
76. fsg_lun_opts_ro_show
77. fsg_lun_opts_ro_store
78. fsg_lun_opts_removable_show
79. fsg_lun_opts_removable_store
80. fsg_lun_opts_cdrom_show
81. fsg_lun_opts_cdrom_store
82. fsg_lun_opts_nofua_show
83. fsg_lun_opts_nofua_store
84. fsg_lun_opts_inquiry_string_show
85. fsg_lun_opts_inquiry_string_store
86. fsg_lun_make
87. fsg_lun_drop
88. fsg_attr_release
89. fsg_opts_stall_show
90. fsg_opts_stall_store
91. fsg_opts_num_buffers_show
92. fsg_opts_num_buffers_store
93. fsg_free_inst
94. fsg_alloc_inst
95. fsg_free
96. fsg_alloc
97. fsg_config_from_params

   1 // SPDX-License-Identifier: (GPL-2.0+ OR BSD-3-Clause)
   2 /*
   3  * f_mass_storage.c -- Mass Storage USB Composite Function
   4  *
   5  * Copyright (C) 2003-2008 Alan Stern
   6  * Copyright (C) 2009 Samsung Electronics
   7  *                    Author: Michal Nazarewicz <mina86@mina86.com>
   8  * All rights reserved.
   9  *
  10  * Redistribution and use in source and binary forms, with or without
  11  * modification, are permitted provided that the following conditions
  12  * are met:
  13  * 1. Redistributions of source code must retain the above copyright
  14  *    notice, this list of conditions, and the following disclaimer,
  15  *    without modification.
  16  * 2. Redistributions in binary form must reproduce the above copyright
  17  *    notice, this list of conditions and the following disclaimer in the
  18  *    documentation and/or other materials provided with the distribution.
  19  * 3. The names of the above-listed copyright holders may not be used
  20  *    to endorse or promote products derived from this software without
  21  *    specific prior written permission.
  22  *
  23  * ALTERNATIVELY, this software may be distributed under the terms of the
  24  * GNU General Public License ("GPL") as published by the Free Software
  25  * Foundation, either version 2 of that License or (at your option) any
  26  * later version.
  27  *
  28  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
  29  * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
  30  * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  31  * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
  32  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
  33  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
  34  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
  35  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
  36  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
  37  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  38  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  39  */
  40 
  41 /*
  42  * The Mass Storage Function acts as a USB Mass Storage device,
  43  * appearing to the host as a disk drive or as a CD-ROM drive.  In
  44  * addition to providing an example of a genuinely useful composite
  45  * function for a USB device, it also illustrates a technique of
  46  * double-buffering for increased throughput.
  47  *
  48  * For more information about MSF and in particular its module
  49  * parameters and sysfs interface read the
  50  * <Documentation/usb/mass-storage.rst> file.
  51  */
  52 
  53 /*
  54  * MSF is configured by specifying a fsg_config structure.  It has the
  55  * following fields:
  56  *
  57  *      nluns           Number of LUNs function have (anywhere from 1
  58  *                              to FSG_MAX_LUNS).
  59  *      luns            An array of LUN configuration values.  This
  60  *                              should be filled for each LUN that
  61  *                              function will include (ie. for "nluns"
  62  *                              LUNs).  Each element of the array has
  63  *                              the following fields:
  64  *      ->filename      The path to the backing file for the LUN.
  65  *                              Required if LUN is not marked as
  66  *                              removable.
  67  *      ->ro            Flag specifying access to the LUN shall be
  68  *                              read-only.  This is implied if CD-ROM
  69  *                              emulation is enabled as well as when
  70  *                              it was impossible to open "filename"
  71  *                              in R/W mode.
  72  *      ->removable     Flag specifying that LUN shall be indicated as
  73  *                              being removable.
  74  *      ->cdrom         Flag specifying that LUN shall be reported as
  75  *                              being a CD-ROM.
  76  *      ->nofua         Flag specifying that FUA flag in SCSI WRITE(10,12)
  77  *                              commands for this LUN shall be ignored.
  78  *
  79  *      vendor_name
  80  *      product_name
  81  *      release         Information used as a reply to INQUIRY
  82  *                              request.  To use default set to NULL,
  83  *                              NULL, 0xffff respectively.  The first
  84  *                              field should be 8 and the second 16
  85  *                              characters or less.
  86  *
  87  *      can_stall       Set to permit function to halt bulk endpoints.
  88  *                              Disabled on some USB devices known not
  89  *                              to work correctly.  You should set it
  90  *                              to true.
  91  *
  92  * If "removable" is not set for a LUN then a backing file must be
  93  * specified.  If it is set, then NULL filename means the LUN's medium
  94  * is not loaded (an empty string as "filename" in the fsg_config
  95  * structure causes error).  The CD-ROM emulation includes a single
  96  * data track and no audio tracks; hence there need be only one
  97  * backing file per LUN.
  98  *
  99  * This function is heavily based on "File-backed Storage Gadget" by
 100  * Alan Stern which in turn is heavily based on "Gadget Zero" by David
 101  * Brownell.  The driver's SCSI command interface was based on the
 102  * "Information technology - Small Computer System Interface - 2"
 103  * document from X3T9.2 Project 375D, Revision 10L, 7-SEP-93,
 104  * available at <http://www.t10.org/ftp/t10/drafts/s2/s2-r10l.pdf>.
 105  * The single exception is opcode 0x23 (READ FORMAT CAPACITIES), which
 106  * was based on the "Universal Serial Bus Mass Storage Class UFI
 107  * Command Specification" document, Revision 1.0, December 14, 1998,
 108  * available at
 109  * <http://www.usb.org/developers/devclass_docs/usbmass-ufi10.pdf>.
 110  */
 111 
 112 /*
 113  *                              Driver Design
 114  *
 115  * The MSF is fairly straightforward.  There is a main kernel
 116  * thread that handles most of the work.  Interrupt routines field
 117  * callbacks from the controller driver: bulk- and interrupt-request
 118  * completion notifications, endpoint-0 events, and disconnect events.
 119  * Completion events are passed to the main thread by wakeup calls.  Many
 120  * ep0 requests are handled at interrupt time, but SetInterface,
 121  * SetConfiguration, and device reset requests are forwarded to the
 122  * thread in the form of "exceptions" using SIGUSR1 signals (since they
 123  * should interrupt any ongoing file I/O operations).
 124  *
 125  * The thread's main routine implements the standard command/data/status
 126  * parts of a SCSI interaction.  It and its subroutines are full of tests
 127  * for pending signals/exceptions -- all this polling is necessary since
 128  * the kernel has no setjmp/longjmp equivalents.  (Maybe this is an
 129  * indication that the driver really wants to be running in userspace.)
 130  * An important point is that so long as the thread is alive it keeps an
 131  * open reference to the backing file.  This will prevent unmounting
 132  * the backing file's underlying filesystem and could cause problems
 133  * during system shutdown, for example.  To prevent such problems, the
 134  * thread catches INT, TERM, and KILL signals and converts them into
 135  * an EXIT exception.
 136  *
 137  * In normal operation the main thread is started during the gadget's
 138  * fsg_bind() callback and stopped during fsg_unbind().  But it can
 139  * also exit when it receives a signal, and there's no point leaving
 140  * the gadget running when the thread is dead.  As of this moment, MSF
 141  * provides no way to deregister the gadget when thread dies -- maybe
 142  * a callback functions is needed.
 143  *
 144  * To provide maximum throughput, the driver uses a circular pipeline of
 145  * buffer heads (struct fsg_buffhd).  In principle the pipeline can be
 146  * arbitrarily long; in practice the benefits don't justify having more
 147  * than 2 stages (i.e., double buffering).  But it helps to think of the
 148  * pipeline as being a long one.  Each buffer head contains a bulk-in and
 149  * a bulk-out request pointer (since the buffer can be used for both
 150  * output and input -- directions always are given from the host's
 151  * point of view) as well as a pointer to the buffer and various state
 152  * variables.
 153  *
 154  * Use of the pipeline follows a simple protocol.  There is a variable
 155  * (fsg->next_buffhd_to_fill) that points to the next buffer head to use.
 156  * At any time that buffer head may still be in use from an earlier
 157  * request, so each buffer head has a state variable indicating whether
 158  * it is EMPTY, FULL, or BUSY.  Typical use involves waiting for the
 159  * buffer head to be EMPTY, filling the buffer either by file I/O or by
 160  * USB I/O (during which the buffer head is BUSY), and marking the buffer
 161  * head FULL when the I/O is complete.  Then the buffer will be emptied
 162  * (again possibly by USB I/O, during which it is marked BUSY) and
 163  * finally marked EMPTY again (possibly by a completion routine).
 164  *
 165  * A module parameter tells the driver to avoid stalling the bulk
 166  * endpoints wherever the transport specification allows.  This is
 167  * necessary for some UDCs like the SuperH, which cannot reliably clear a
 168  * halt on a bulk endpoint.  However, under certain circumstances the
 169  * Bulk-only specification requires a stall.  In such cases the driver
 170  * will halt the endpoint and set a flag indicating that it should clear
 171  * the halt in software during the next device reset.  Hopefully this
 172  * will permit everything to work correctly.  Furthermore, although the
 173  * specification allows the bulk-out endpoint to halt when the host sends
 174  * too much data, implementing this would cause an unavoidable race.
 175  * The driver will always use the "no-stall" approach for OUT transfers.
 176  *
 177  * One subtle point concerns sending status-stage responses for ep0
 178  * requests.  Some of these requests, such as device reset, can involve
 179  * interrupting an ongoing file I/O operation, which might take an
 180  * arbitrarily long time.  During that delay the host might give up on
 181  * the original ep0 request and issue a new one.  When that happens the
 182  * driver should not notify the host about completion of the original
 183  * request, as the host will no longer be waiting for it.  So the driver
 184  * assigns to each ep0 request a unique tag, and it keeps track of the
 185  * tag value of the request associated with a long-running exception
 186  * (device-reset, interface-change, or configuration-change).  When the
 187  * exception handler is finished, the status-stage response is submitted
 188  * only if the current ep0 request tag is equal to the exception request
 189  * tag.  Thus only the most recently received ep0 request will get a
 190  * status-stage response.
 191  *
 192  * Warning: This driver source file is too long.  It ought to be split up
 193  * into a header file plus about 3 separate .c files, to handle the details
 194  * of the Gadget, USB Mass Storage, and SCSI protocols.
 195  */
 196 
 197 
 198 /* #define VERBOSE_DEBUG */
 199 /* #define DUMP_MSGS */
 200 
 201 #include <linux/blkdev.h>
 202 #include <linux/completion.h>
 203 #include <linux/dcache.h>
 204 #include <linux/delay.h>
 205 #include <linux/device.h>
 206 #include <linux/fcntl.h>
 207 #include <linux/file.h>
 208 #include <linux/fs.h>
 209 #include <linux/kthread.h>
 210 #include <linux/sched/signal.h>
 211 #include <linux/limits.h>
 212 #include <linux/rwsem.h>
 213 #include <linux/slab.h>
 214 #include <linux/spinlock.h>
 215 #include <linux/string.h>
 216 #include <linux/freezer.h>
 217 #include <linux/module.h>
 218 #include <linux/uaccess.h>
 219 
 220 #include <linux/usb/ch9.h>
 221 #include <linux/usb/gadget.h>
 222 #include <linux/usb/composite.h>
 223 
 224 #include <linux/nospec.h>
 225 
 226 #include "configfs.h"
 227 
 228 
 229 /*------------------------------------------------------------------------*/
 230 
 231 #define FSG_DRIVER_DESC         "Mass Storage Function"
 232 #define FSG_DRIVER_VERSION      "2009/09/11"
 233 
 234 static const char fsg_string_interface[] = "Mass Storage";
 235 
 236 #include "storage_common.h"
 237 #include "f_mass_storage.h"
 238 
 239 /* Static strings, in UTF-8 (for simplicity we use only ASCII characters) */
 240 static struct usb_string                fsg_strings[] = {
 241         {FSG_STRING_INTERFACE,          fsg_string_interface},
 242         {}
 243 };
 244 
 245 static struct usb_gadget_strings        fsg_stringtab = {
 246         .language       = 0x0409,               /* en-us */
 247         .strings        = fsg_strings,
 248 };
 249 
 250 static struct usb_gadget_strings *fsg_strings_array[] = {
 251         &fsg_stringtab,
 252         NULL,
 253 };
 254 
 255 /*-------------------------------------------------------------------------*/
 256 
 257 struct fsg_dev;
 258 struct fsg_common;
 259 
 260 /* Data shared by all the FSG instances. */
 261 struct fsg_common {
 262         struct usb_gadget       *gadget;
 263         struct usb_composite_dev *cdev;
 264         struct fsg_dev          *fsg;
 265         wait_queue_head_t       io_wait;
 266         wait_queue_head_t       fsg_wait;
 267 
 268         /* filesem protects: backing files in use */
 269         struct rw_semaphore     filesem;
 270 
 271         /* lock protects: state and thread_task */
 272         spinlock_t              lock;
 273 
 274         struct usb_ep           *ep0;           /* Copy of gadget->ep0 */
 275         struct usb_request      *ep0req;        /* Copy of cdev->req */
 276         unsigned int            ep0_req_tag;
 277 
 278         struct fsg_buffhd       *next_buffhd_to_fill;
 279         struct fsg_buffhd       *next_buffhd_to_drain;
 280         struct fsg_buffhd       *buffhds;
 281         unsigned int            fsg_num_buffers;
 282 
 283         int                     cmnd_size;
 284         u8                      cmnd[MAX_COMMAND_SIZE];
 285 
 286         unsigned int            lun;
 287         struct fsg_lun          *luns[FSG_MAX_LUNS];
 288         struct fsg_lun          *curlun;
 289 
 290         unsigned int            bulk_out_maxpacket;
 291         enum fsg_state          state;          /* For exception handling */
 292         unsigned int            exception_req_tag;
 293         void                    *exception_arg;
 294 
 295         enum data_direction     data_dir;
 296         u32                     data_size;
 297         u32                     data_size_from_cmnd;
 298         u32                     tag;
 299         u32                     residue;
 300         u32                     usb_amount_left;
 301 
 302         unsigned int            can_stall:1;
 303         unsigned int            free_storage_on_release:1;
 304         unsigned int            phase_error:1;
 305         unsigned int            short_packet_received:1;
 306         unsigned int            bad_lun_okay:1;
 307         unsigned int            running:1;
 308         unsigned int            sysfs:1;
 309 
 310         struct completion       thread_notifier;
 311         struct task_struct      *thread_task;
 312 
 313         /* Gadget's private data. */
 314         void                    *private_data;
 315 
 316         char inquiry_string[INQUIRY_STRING_LEN];
 317 };
 318 
 319 struct fsg_dev {
 320         struct usb_function     function;
 321         struct usb_gadget       *gadget;        /* Copy of cdev->gadget */
 322         struct fsg_common       *common;
 323 
 324         u16                     interface_number;
 325 
 326         unsigned int            bulk_in_enabled:1;
 327         unsigned int            bulk_out_enabled:1;
 328 
 329         unsigned long           atomic_bitflags;
 330 #define IGNORE_BULK_OUT         0
 331 
 332         struct usb_ep           *bulk_in;
 333         struct usb_ep           *bulk_out;
 334 };
 335 
 336 static inline int __fsg_is_set(struct fsg_common *common,
 337                                const char *func, unsigned line)
 338 {
 339         if (common->fsg)
 340                 return 1;
 341         ERROR(common, "common->fsg is NULL in %s at %u\n", func, line);
 342         WARN_ON(1);
 343         return 0;
 344 }
 345 
 346 #define fsg_is_set(common) likely(__fsg_is_set(common, __func__, __LINE__))
 347 
 348 static inline struct fsg_dev *fsg_from_func(struct usb_function *f)
 349 {
 350         return container_of(f, struct fsg_dev, function);
 351 }
 352 
 353 typedef void (*fsg_routine_t)(struct fsg_dev *);
 354 
 355 static int exception_in_progress(struct fsg_common *common)
 356 {
 357         return common->state > FSG_STATE_NORMAL;
 358 }
 359 
 360 /* Make bulk-out requests be divisible by the maxpacket size */
 361 static void set_bulk_out_req_length(struct fsg_common *common,
 362                                     struct fsg_buffhd *bh, unsigned int length)
 363 {
 364         unsigned int    rem;
 365 
 366         bh->bulk_out_intended_length = length;
 367         rem = length % common->bulk_out_maxpacket;
 368         if (rem > 0)
 369                 length += common->bulk_out_maxpacket - rem;
 370         bh->outreq->length = length;
 371 }
 372 
 373 
 374 /*-------------------------------------------------------------------------*/
 375 
 376 static int fsg_set_halt(struct fsg_dev *fsg, struct usb_ep *ep)
 377 {
 378         const char      *name;
 379 
 380         if (ep == fsg->bulk_in)
 381                 name = "bulk-in";
 382         else if (ep == fsg->bulk_out)
 383                 name = "bulk-out";
 384         else
 385                 name = ep->name;
 386         DBG(fsg, "%s set halt\n", name);
 387         return usb_ep_set_halt(ep);
 388 }
 389 
 390 
 391 /*-------------------------------------------------------------------------*/
 392 
 393 /* These routines may be called in process context or in_irq */
 394 
 395 static void __raise_exception(struct fsg_common *common, enum fsg_state new_state,
 396                               void *arg)
 397 {
 398         unsigned long           flags;
 399 
 400         /*
 401          * Do nothing if a higher-priority exception is already in progress.
 402          * If a lower-or-equal priority exception is in progress, preempt it
 403          * and notify the main thread by sending it a signal.
 404          */
 405         spin_lock_irqsave(&common->lock, flags);
 406         if (common->state <= new_state) {
 407                 common->exception_req_tag = common->ep0_req_tag;
 408                 common->state = new_state;
 409                 common->exception_arg = arg;
 410                 if (common->thread_task)
 411                         send_sig_info(SIGUSR1, SEND_SIG_PRIV,
 412                                       common->thread_task);
 413         }
 414         spin_unlock_irqrestore(&common->lock, flags);
 415 }
 416 
 417 static void raise_exception(struct fsg_common *common, enum fsg_state new_state)
 418 {
 419         __raise_exception(common, new_state, NULL);
 420 }
 421 
 422 /*-------------------------------------------------------------------------*/
 423 
 424 static int ep0_queue(struct fsg_common *common)
 425 {
 426         int     rc;
 427 
 428         rc = usb_ep_queue(common->ep0, common->ep0req, GFP_ATOMIC);
 429         common->ep0->driver_data = common;
 430         if (rc != 0 && rc != -ESHUTDOWN) {
 431                 /* We can't do much more than wait for a reset */
 432                 WARNING(common, "error in submission: %s --> %d\n",
 433                         common->ep0->name, rc);
 434         }
 435         return rc;
 436 }
 437 
 438 
 439 /*-------------------------------------------------------------------------*/
 440 
 441 /* Completion handlers. These always run in_irq. */
 442 
 443 static void bulk_in_complete(struct usb_ep *ep, struct usb_request *req)
 444 {
 445         struct fsg_common       *common = ep->driver_data;
 446         struct fsg_buffhd       *bh = req->context;
 447 
 448         if (req->status || req->actual != req->length)
 449                 DBG(common, "%s --> %d, %u/%u\n", __func__,
 450                     req->status, req->actual, req->length);
 451         if (req->status == -ECONNRESET)         /* Request was cancelled */
 452                 usb_ep_fifo_flush(ep);
 453 
 454         /* Synchronize with the smp_load_acquire() in sleep_thread() */
 455         smp_store_release(&bh->state, BUF_STATE_EMPTY);
 456         wake_up(&common->io_wait);
 457 }
 458 
 459 static void bulk_out_complete(struct usb_ep *ep, struct usb_request *req)
 460 {
 461         struct fsg_common       *common = ep->driver_data;
 462         struct fsg_buffhd       *bh = req->context;
 463 
 464         dump_msg(common, "bulk-out", req->buf, req->actual);
 465         if (req->status || req->actual != bh->bulk_out_intended_length)
 466                 DBG(common, "%s --> %d, %u/%u\n", __func__,
 467                     req->status, req->actual, bh->bulk_out_intended_length);
 468         if (req->status == -ECONNRESET)         /* Request was cancelled */
 469                 usb_ep_fifo_flush(ep);
 470 
 471         /* Synchronize with the smp_load_acquire() in sleep_thread() */
 472         smp_store_release(&bh->state, BUF_STATE_FULL);
 473         wake_up(&common->io_wait);
 474 }
 475 
 476 static int _fsg_common_get_max_lun(struct fsg_common *common)
 477 {
 478         int i = ARRAY_SIZE(common->luns) - 1;
 479 
 480         while (i >= 0 && !common->luns[i])
 481                 --i;
 482 
 483         return i;
 484 }
 485 
 486 static int fsg_setup(struct usb_function *f,
 487                      const struct usb_ctrlrequest *ctrl)
 488 {
 489         struct fsg_dev          *fsg = fsg_from_func(f);
 490         struct usb_request      *req = fsg->common->ep0req;
 491         u16                     w_index = le16_to_cpu(ctrl->wIndex);
 492         u16                     w_value = le16_to_cpu(ctrl->wValue);
 493         u16                     w_length = le16_to_cpu(ctrl->wLength);
 494 
 495         if (!fsg_is_set(fsg->common))
 496                 return -EOPNOTSUPP;
 497 
 498         ++fsg->common->ep0_req_tag;     /* Record arrival of a new request */
 499         req->context = NULL;
 500         req->length = 0;
 501         dump_msg(fsg, "ep0-setup", (u8 *) ctrl, sizeof(*ctrl));
 502 
 503         switch (ctrl->bRequest) {
 504 
 505         case US_BULK_RESET_REQUEST:
 506                 if (ctrl->bRequestType !=
 507                     (USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE))
 508                         break;
 509                 if (w_index != fsg->interface_number || w_value != 0 ||
 510                                 w_length != 0)
 511                         return -EDOM;
 512 
 513                 /*
 514                  * Raise an exception to stop the current operation
 515                  * and reinitialize our state.
 516                  */
 517                 DBG(fsg, "bulk reset request\n");
 518                 raise_exception(fsg->common, FSG_STATE_PROTOCOL_RESET);
 519                 return USB_GADGET_DELAYED_STATUS;
 520 
 521         case US_BULK_GET_MAX_LUN:
 522                 if (ctrl->bRequestType !=
 523                     (USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_INTERFACE))
 524                         break;
 525                 if (w_index != fsg->interface_number || w_value != 0 ||
 526                                 w_length != 1)
 527                         return -EDOM;
 528                 VDBG(fsg, "get max LUN\n");
 529                 *(u8 *)req->buf = _fsg_common_get_max_lun(fsg->common);
 530 
 531                 /* Respond with data/status */
 532                 req->length = min((u16)1, w_length);
 533                 return ep0_queue(fsg->common);
 534         }
 535 
 536         VDBG(fsg,
 537              "unknown class-specific control req %02x.%02x v%04x i%04x l%u\n",
 538              ctrl->bRequestType, ctrl->bRequest,
 539              le16_to_cpu(ctrl->wValue), w_index, w_length);
 540         return -EOPNOTSUPP;
 541 }
 542 
 543 
 544 /*-------------------------------------------------------------------------*/
 545 
 546 /* All the following routines run in process context */
 547 
 548 /* Use this for bulk or interrupt transfers, not ep0 */
 549 static int start_transfer(struct fsg_dev *fsg, struct usb_ep *ep,
 550                            struct usb_request *req)
 551 {
 552         int     rc;
 553 
 554         if (ep == fsg->bulk_in)
 555                 dump_msg(fsg, "bulk-in", req->buf, req->length);
 556 
 557         rc = usb_ep_queue(ep, req, GFP_KERNEL);
 558         if (rc) {
 559 
 560                 /* We can't do much more than wait for a reset */
 561                 req->status = rc;
 562 
 563                 /*
 564                  * Note: currently the net2280 driver fails zero-length
 565                  * submissions if DMA is enabled.
 566                  */
 567                 if (rc != -ESHUTDOWN &&
 568                                 !(rc == -EOPNOTSUPP && req->length == 0))
 569                         WARNING(fsg, "error in submission: %s --> %d\n",
 570                                         ep->name, rc);
 571         }
 572         return rc;
 573 }
 574 
 575 static bool start_in_transfer(struct fsg_common *common, struct fsg_buffhd *bh)
 576 {
 577         if (!fsg_is_set(common))
 578                 return false;
 579         bh->state = BUF_STATE_SENDING;
 580         if (start_transfer(common->fsg, common->fsg->bulk_in, bh->inreq))
 581                 bh->state = BUF_STATE_EMPTY;
 582         return true;
 583 }
 584 
 585 static bool start_out_transfer(struct fsg_common *common, struct fsg_buffhd *bh)
 586 {
 587         if (!fsg_is_set(common))
 588                 return false;
 589         bh->state = BUF_STATE_RECEIVING;
 590         if (start_transfer(common->fsg, common->fsg->bulk_out, bh->outreq))
 591                 bh->state = BUF_STATE_FULL;
 592         return true;
 593 }
 594 
 595 static int sleep_thread(struct fsg_common *common, bool can_freeze,
 596                 struct fsg_buffhd *bh)
 597 {
 598         int     rc;
 599 
 600         /* Wait until a signal arrives or bh is no longer busy */
 601         if (can_freeze)
 602                 /*
 603                  * synchronize with the smp_store_release(&bh->state) in
 604                  * bulk_in_complete() or bulk_out_complete()
 605                  */
 606                 rc = wait_event_freezable(common->io_wait,
 607                                 bh && smp_load_acquire(&bh->state) >=
 608                                         BUF_STATE_EMPTY);
 609         else
 610                 rc = wait_event_interruptible(common->io_wait,
 611                                 bh && smp_load_acquire(&bh->state) >=
 612                                         BUF_STATE_EMPTY);
 613         return rc ? -EINTR : 0;
 614 }
 615 
 616 
 617 /*-------------------------------------------------------------------------*/
 618 
 619 static int do_read(struct fsg_common *common)
 620 {
 621         struct fsg_lun          *curlun = common->curlun;
 622         u32                     lba;
 623         struct fsg_buffhd       *bh;
 624         int                     rc;
 625         u32                     amount_left;
 626         loff_t                  file_offset, file_offset_tmp;
 627         unsigned int            amount;
 628         ssize_t                 nread;
 629 
 630         /*
 631          * Get the starting Logical Block Address and check that it's
 632          * not too big.
 633          */
 634         if (common->cmnd[0] == READ_6)
 635                 lba = get_unaligned_be24(&common->cmnd[1]);
 636         else {
 637                 lba = get_unaligned_be32(&common->cmnd[2]);
 638 
 639                 /*
 640                  * We allow DPO (Disable Page Out = don't save data in the
 641                  * cache) and FUA (Force Unit Access = don't read from the
 642                  * cache), but we don't implement them.
 643                  */
 644                 if ((common->cmnd[1] & ~0x18) != 0) {
 645                         curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
 646                         return -EINVAL;
 647                 }
 648         }
 649         if (lba >= curlun->num_sectors) {
 650                 curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 651                 return -EINVAL;
 652         }
 653         file_offset = ((loff_t) lba) << curlun->blkbits;
 654 
 655         /* Carry out the file reads */
 656         amount_left = common->data_size_from_cmnd;
 657         if (unlikely(amount_left == 0))
 658                 return -EIO;            /* No default reply */
 659 
 660         for (;;) {
 661                 /*
 662                  * Figure out how much we need to read:
 663                  * Try to read the remaining amount.
 664                  * But don't read more than the buffer size.
 665                  * And don't try to read past the end of the file.
 666                  */
 667                 amount = min(amount_left, FSG_BUFLEN);
 668                 amount = min((loff_t)amount,
 669                              curlun->file_length - file_offset);
 670 
 671                 /* Wait for the next buffer to become available */
 672                 bh = common->next_buffhd_to_fill;
 673                 rc = sleep_thread(common, false, bh);
 674                 if (rc)
 675                         return rc;
 676 
 677                 /*
 678                  * If we were asked to read past the end of file,
 679                  * end with an empty buffer.
 680                  */
 681                 if (amount == 0) {
 682                         curlun->sense_data =
 683                                         SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 684                         curlun->sense_data_info =
 685                                         file_offset >> curlun->blkbits;
 686                         curlun->info_valid = 1;
 687                         bh->inreq->length = 0;
 688                         bh->state = BUF_STATE_FULL;
 689                         break;
 690                 }
 691 
 692                 /* Perform the read */
 693                 file_offset_tmp = file_offset;
 694                 nread = kernel_read(curlun->filp, bh->buf, amount,
 695                                 &file_offset_tmp);
 696                 VLDBG(curlun, "file read %u @ %llu -> %d\n", amount,
 697                       (unsigned long long)file_offset, (int)nread);
 698                 if (signal_pending(current))
 699                         return -EINTR;
 700 
 701                 if (nread < 0) {
 702                         LDBG(curlun, "error in file read: %d\n", (int)nread);
 703                         nread = 0;
 704                 } else if (nread < amount) {
 705                         LDBG(curlun, "partial file read: %d/%u\n",
 706                              (int)nread, amount);
 707                         nread = round_down(nread, curlun->blksize);
 708                 }
 709                 file_offset  += nread;
 710                 amount_left  -= nread;
 711                 common->residue -= nread;
 712 
 713                 /*
 714                  * Except at the end of the transfer, nread will be
 715                  * equal to the buffer size, which is divisible by the
 716                  * bulk-in maxpacket size.
 717                  */
 718                 bh->inreq->length = nread;
 719                 bh->state = BUF_STATE_FULL;
 720 
 721                 /* If an error occurred, report it and its position */
 722                 if (nread < amount) {
 723                         curlun->sense_data = SS_UNRECOVERED_READ_ERROR;
 724                         curlun->sense_data_info =
 725                                         file_offset >> curlun->blkbits;
 726                         curlun->info_valid = 1;
 727                         break;
 728                 }
 729 
 730                 if (amount_left == 0)
 731                         break;          /* No more left to read */
 732 
 733                 /* Send this buffer and go read some more */
 734                 bh->inreq->zero = 0;
 735                 if (!start_in_transfer(common, bh))
 736                         /* Don't know what to do if common->fsg is NULL */
 737                         return -EIO;
 738                 common->next_buffhd_to_fill = bh->next;
 739         }
 740 
 741         return -EIO;            /* No default reply */
 742 }
 743 
 744 
 745 /*-------------------------------------------------------------------------*/
 746 
 747 static int do_write(struct fsg_common *common)
 748 {
 749         struct fsg_lun          *curlun = common->curlun;
 750         u32                     lba;
 751         struct fsg_buffhd       *bh;
 752         int                     get_some_more;
 753         u32                     amount_left_to_req, amount_left_to_write;
 754         loff_t                  usb_offset, file_offset, file_offset_tmp;
 755         unsigned int            amount;
 756         ssize_t                 nwritten;
 757         int                     rc;
 758 
 759         if (curlun->ro) {
 760                 curlun->sense_data = SS_WRITE_PROTECTED;
 761                 return -EINVAL;
 762         }
 763         spin_lock(&curlun->filp->f_lock);
 764         curlun->filp->f_flags &= ~O_SYNC;       /* Default is not to wait */
 765         spin_unlock(&curlun->filp->f_lock);
 766 
 767         /*
 768          * Get the starting Logical Block Address and check that it's
 769          * not too big
 770          */
 771         if (common->cmnd[0] == WRITE_6)
 772                 lba = get_unaligned_be24(&common->cmnd[1]);
 773         else {
 774                 lba = get_unaligned_be32(&common->cmnd[2]);
 775 
 776                 /*
 777                  * We allow DPO (Disable Page Out = don't save data in the
 778                  * cache) and FUA (Force Unit Access = write directly to the
 779                  * medium).  We don't implement DPO; we implement FUA by
 780                  * performing synchronous output.
 781                  */
 782                 if (common->cmnd[1] & ~0x18) {
 783                         curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
 784                         return -EINVAL;
 785                 }
 786                 if (!curlun->nofua && (common->cmnd[1] & 0x08)) { /* FUA */
 787                         spin_lock(&curlun->filp->f_lock);
 788                         curlun->filp->f_flags |= O_SYNC;
 789                         spin_unlock(&curlun->filp->f_lock);
 790                 }
 791         }
 792         if (lba >= curlun->num_sectors) {
 793                 curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 794                 return -EINVAL;
 795         }
 796 
 797         /* Carry out the file writes */
 798         get_some_more = 1;
 799         file_offset = usb_offset = ((loff_t) lba) << curlun->blkbits;
 800         amount_left_to_req = common->data_size_from_cmnd;
 801         amount_left_to_write = common->data_size_from_cmnd;
 802 
 803         while (amount_left_to_write > 0) {
 804 
 805                 /* Queue a request for more data from the host */
 806                 bh = common->next_buffhd_to_fill;
 807                 if (bh->state == BUF_STATE_EMPTY && get_some_more) {
 808 
 809                         /*
 810                          * Figure out how much we want to get:
 811                          * Try to get the remaining amount,
 812                          * but not more than the buffer size.
 813                          */
 814                         amount = min(amount_left_to_req, FSG_BUFLEN);
 815 
 816                         /* Beyond the end of the backing file? */
 817                         if (usb_offset >= curlun->file_length) {
 818                                 get_some_more = 0;
 819                                 curlun->sense_data =
 820                                         SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 821                                 curlun->sense_data_info =
 822                                         usb_offset >> curlun->blkbits;
 823                                 curlun->info_valid = 1;
 824                                 continue;
 825                         }
 826 
 827                         /* Get the next buffer */
 828                         usb_offset += amount;
 829                         common->usb_amount_left -= amount;
 830                         amount_left_to_req -= amount;
 831                         if (amount_left_to_req == 0)
 832                                 get_some_more = 0;
 833 
 834                         /*
 835                          * Except at the end of the transfer, amount will be
 836                          * equal to the buffer size, which is divisible by
 837                          * the bulk-out maxpacket size.
 838                          */
 839                         set_bulk_out_req_length(common, bh, amount);
 840                         if (!start_out_transfer(common, bh))
 841                                 /* Dunno what to do if common->fsg is NULL */
 842                                 return -EIO;
 843                         common->next_buffhd_to_fill = bh->next;
 844                         continue;
 845                 }
 846 
 847                 /* Write the received data to the backing file */
 848                 bh = common->next_buffhd_to_drain;
 849                 if (bh->state == BUF_STATE_EMPTY && !get_some_more)
 850                         break;                  /* We stopped early */
 851 
 852                 /* Wait for the data to be received */
 853                 rc = sleep_thread(common, false, bh);
 854                 if (rc)
 855                         return rc;
 856 
 857                 common->next_buffhd_to_drain = bh->next;
 858                 bh->state = BUF_STATE_EMPTY;
 859 
 860                 /* Did something go wrong with the transfer? */
 861                 if (bh->outreq->status != 0) {
 862                         curlun->sense_data = SS_COMMUNICATION_FAILURE;
 863                         curlun->sense_data_info =
 864                                         file_offset >> curlun->blkbits;
 865                         curlun->info_valid = 1;
 866                         break;
 867                 }
 868 
 869                 amount = bh->outreq->actual;
 870                 if (curlun->file_length - file_offset < amount) {
 871                         LERROR(curlun, "write %u @ %llu beyond end %llu\n",
 872                                        amount, (unsigned long long)file_offset,
 873                                        (unsigned long long)curlun->file_length);
 874                         amount = curlun->file_length - file_offset;
 875                 }
 876 
 877                 /*
 878                  * Don't accept excess data.  The spec doesn't say
 879                  * what to do in this case.  We'll ignore the error.
 880                  */
 881                 amount = min(amount, bh->bulk_out_intended_length);
 882 
 883                 /* Don't write a partial block */
 884                 amount = round_down(amount, curlun->blksize);
 885                 if (amount == 0)
 886                         goto empty_write;
 887 
 888                 /* Perform the write */
 889                 file_offset_tmp = file_offset;
 890                 nwritten = kernel_write(curlun->filp, bh->buf, amount,
 891                                 &file_offset_tmp);
 892                 VLDBG(curlun, "file write %u @ %llu -> %d\n", amount,
 893                                 (unsigned long long)file_offset, (int)nwritten);
 894                 if (signal_pending(current))
 895                         return -EINTR;          /* Interrupted! */
 896 
 897                 if (nwritten < 0) {
 898                         LDBG(curlun, "error in file write: %d\n",
 899                                         (int) nwritten);
 900                         nwritten = 0;
 901                 } else if (nwritten < amount) {
 902                         LDBG(curlun, "partial file write: %d/%u\n",
 903                                         (int) nwritten, amount);
 904                         nwritten = round_down(nwritten, curlun->blksize);
 905                 }
 906                 file_offset += nwritten;
 907                 amount_left_to_write -= nwritten;
 908                 common->residue -= nwritten;
 909 
 910                 /* If an error occurred, report it and its position */
 911                 if (nwritten < amount) {
 912                         curlun->sense_data = SS_WRITE_ERROR;
 913                         curlun->sense_data_info =
 914                                         file_offset >> curlun->blkbits;
 915                         curlun->info_valid = 1;
 916                         break;
 917                 }
 918 
 919  empty_write:
 920                 /* Did the host decide to stop early? */
 921                 if (bh->outreq->actual < bh->bulk_out_intended_length) {
 922                         common->short_packet_received = 1;
 923                         break;
 924                 }
 925         }
 926 
 927         return -EIO;            /* No default reply */
 928 }
 929 
 930 
 931 /*-------------------------------------------------------------------------*/
 932 
 933 static int do_synchronize_cache(struct fsg_common *common)
 934 {
 935         struct fsg_lun  *curlun = common->curlun;
 936         int             rc;
 937 
 938         /* We ignore the requested LBA and write out all file's
 939          * dirty data buffers. */
 940         rc = fsg_lun_fsync_sub(curlun);
 941         if (rc)
 942                 curlun->sense_data = SS_WRITE_ERROR;
 943         return 0;
 944 }
 945 
 946 
 947 /*-------------------------------------------------------------------------*/
 948 
 949 static void invalidate_sub(struct fsg_lun *curlun)
 950 {
 951         struct file     *filp = curlun->filp;
 952         struct inode    *inode = file_inode(filp);
 953         unsigned long   rc;
 954 
 955         rc = invalidate_mapping_pages(inode->i_mapping, 0, -1);
 956         VLDBG(curlun, "invalidate_mapping_pages -> %ld\n", rc);
 957 }
 958 
 959 static int do_verify(struct fsg_common *common)
 960 {
 961         struct fsg_lun          *curlun = common->curlun;
 962         u32                     lba;
 963         u32                     verification_length;
 964         struct fsg_buffhd       *bh = common->next_buffhd_to_fill;
 965         loff_t                  file_offset, file_offset_tmp;
 966         u32                     amount_left;
 967         unsigned int            amount;
 968         ssize_t                 nread;
 969 
 970         /*
 971          * Get the starting Logical Block Address and check that it's
 972          * not too big.
 973          */
 974         lba = get_unaligned_be32(&common->cmnd[2]);
 975         if (lba >= curlun->num_sectors) {
 976                 curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 977                 return -EINVAL;
 978         }
 979 
 980         /*
 981          * We allow DPO (Disable Page Out = don't save data in the
 982          * cache) but we don't implement it.
 983          */
 984         if (common->cmnd[1] & ~0x10) {
 985                 curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
 986                 return -EINVAL;
 987         }
 988 
 989         verification_length = get_unaligned_be16(&common->cmnd[7]);
 990         if (unlikely(verification_length == 0))
 991                 return -EIO;            /* No default reply */
 992 
 993         /* Prepare to carry out the file verify */
 994         amount_left = verification_length << curlun->blkbits;
 995         file_offset = ((loff_t) lba) << curlun->blkbits;
 996 
 997         /* Write out all the dirty buffers before invalidating them */
 998         fsg_lun_fsync_sub(curlun);
 999         if (signal_pending(current))
1000                 return -EINTR;
1001 
1002         invalidate_sub(curlun);
1003         if (signal_pending(current))
1004                 return -EINTR;
1005 
1006         /* Just try to read the requested blocks */
1007         while (amount_left > 0) {
1008                 /*
1009                  * Figure out how much we need to read:
1010                  * Try to read the remaining amount, but not more than
1011                  * the buffer size.
1012                  * And don't try to read past the end of the file.
1013                  */
1014                 amount = min(amount_left, FSG_BUFLEN);
1015                 amount = min((loff_t)amount,
1016                              curlun->file_length - file_offset);
1017                 if (amount == 0) {
1018                         curlun->sense_data =
1019                                         SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
1020                         curlun->sense_data_info =
1021                                 file_offset >> curlun->blkbits;
1022                         curlun->info_valid = 1;
1023                         break;
1024                 }
1025 
1026                 /* Perform the read */
1027                 file_offset_tmp = file_offset;
1028                 nread = kernel_read(curlun->filp, bh->buf, amount,
1029                                 &file_offset_tmp);
1030                 VLDBG(curlun, "file read %u @ %llu -> %d\n", amount,
1031                                 (unsigned long long) file_offset,
1032                                 (int) nread);
1033                 if (signal_pending(current))
1034                         return -EINTR;
1035 
1036                 if (nread < 0) {
1037                         LDBG(curlun, "error in file verify: %d\n", (int)nread);
1038                         nread = 0;
1039                 } else if (nread < amount) {
1040                         LDBG(curlun, "partial file verify: %d/%u\n",
1041                              (int)nread, amount);
1042                         nread = round_down(nread, curlun->blksize);
1043                 }
1044                 if (nread == 0) {
1045                         curlun->sense_data = SS_UNRECOVERED_READ_ERROR;
1046                         curlun->sense_data_info =
1047                                 file_offset >> curlun->blkbits;
1048                         curlun->info_valid = 1;
1049                         break;
1050                 }
1051                 file_offset += nread;
1052                 amount_left -= nread;
1053         }
1054         return 0;
1055 }
1056 
1057 
1058 /*-------------------------------------------------------------------------*/
1059 
1060 static int do_inquiry(struct fsg_common *common, struct fsg_buffhd *bh)
1061 {
1062         struct fsg_lun *curlun = common->curlun;
1063         u8      *buf = (u8 *) bh->buf;
1064 
1065         if (!curlun) {          /* Unsupported LUNs are okay */
1066                 common->bad_lun_okay = 1;
1067                 memset(buf, 0, 36);
1068                 buf[0] = TYPE_NO_LUN;   /* Unsupported, no device-type */
1069                 buf[4] = 31;            /* Additional length */
1070                 return 36;
1071         }
1072 
1073         buf[0] = curlun->cdrom ? TYPE_ROM : TYPE_DISK;
1074         buf[1] = curlun->removable ? 0x80 : 0;
1075         buf[2] = 2;             /* ANSI SCSI level 2 */
1076         buf[3] = 2;             /* SCSI-2 INQUIRY data format */
1077         buf[4] = 31;            /* Additional length */
1078         buf[5] = 0;             /* No special options */
1079         buf[6] = 0;
1080         buf[7] = 0;
1081         if (curlun->inquiry_string[0])
1082                 memcpy(buf + 8, curlun->inquiry_string,
1083                        sizeof(curlun->inquiry_string));
1084         else
1085                 memcpy(buf + 8, common->inquiry_string,
1086                        sizeof(common->inquiry_string));
1087         return 36;
1088 }
1089 
1090 static int do_request_sense(struct fsg_common *common, struct fsg_buffhd *bh)
1091 {
1092         struct fsg_lun  *curlun = common->curlun;
1093         u8              *buf = (u8 *) bh->buf;
1094         u32             sd, sdinfo;
1095         int             valid;
1096 
1097         /*
1098          * From the SCSI-2 spec., section 7.9 (Unit attention condition):
1099          *
1100          * If a REQUEST SENSE command is received from an initiator
1101          * with a pending unit attention condition (before the target
1102          * generates the contingent allegiance condition), then the
1103          * target shall either:
1104          *   a) report any pending sense data and preserve the unit
1105          *      attention condition on the logical unit, or,
1106          *   b) report the unit attention condition, may discard any
1107          *      pending sense data, and clear the unit attention
1108          *      condition on the logical unit for that initiator.
1109          *
1110          * FSG normally uses option a); enable this code to use option b).
1111          */
1112 #if 0
1113         if (curlun && curlun->unit_attention_data != SS_NO_SENSE) {
1114                 curlun->sense_data = curlun->unit_attention_data;
1115                 curlun->unit_attention_data = SS_NO_SENSE;
1116         }
1117 #endif
1118 
1119         if (!curlun) {          /* Unsupported LUNs are okay */
1120                 common->bad_lun_okay = 1;
1121                 sd = SS_LOGICAL_UNIT_NOT_SUPPORTED;
1122                 sdinfo = 0;
1123                 valid = 0;
1124         } else {
1125                 sd = curlun->sense_data;
1126                 sdinfo = curlun->sense_data_info;
1127                 valid = curlun->info_valid << 7;
1128                 curlun->sense_data = SS_NO_SENSE;
1129                 curlun->sense_data_info = 0;
1130                 curlun->info_valid = 0;
1131         }
1132 
1133         memset(buf, 0, 18);
1134         buf[0] = valid | 0x70;                  /* Valid, current error */
1135         buf[2] = SK(sd);
1136         put_unaligned_be32(sdinfo, &buf[3]);    /* Sense information */
1137         buf[7] = 18 - 8;                        /* Additional sense length */
1138         buf[12] = ASC(sd);
1139         buf[13] = ASCQ(sd);
1140         return 18;
1141 }
1142 
1143 static int do_read_capacity(struct fsg_common *common, struct fsg_buffhd *bh)
1144 {
1145         struct fsg_lun  *curlun = common->curlun;
1146         u32             lba = get_unaligned_be32(&common->cmnd[2]);
1147         int             pmi = common->cmnd[8];
1148         u8              *buf = (u8 *)bh->buf;
1149 
1150         /* Check the PMI and LBA fields */
1151         if (pmi > 1 || (pmi == 0 && lba != 0)) {
1152                 curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1153                 return -EINVAL;
1154         }
1155 
1156         put_unaligned_be32(curlun->num_sectors - 1, &buf[0]);
1157                                                 /* Max logical block */
1158         put_unaligned_be32(curlun->blksize, &buf[4]);/* Block length */
1159         return 8;
1160 }
1161 
1162 static int do_read_header(struct fsg_common *common, struct fsg_buffhd *bh)
1163 {
1164         struct fsg_lun  *curlun = common->curlun;
1165         int             msf = common->cmnd[1] & 0x02;
1166         u32             lba = get_unaligned_be32(&common->cmnd[2]);
1167         u8              *buf = (u8 *)bh->buf;
1168 
1169         if (common->cmnd[1] & ~0x02) {          /* Mask away MSF */
1170                 curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1171                 return -EINVAL;
1172         }
1173         if (lba >= curlun->num_sectors) {
1174                 curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
1175                 return -EINVAL;
1176         }
1177 
1178         memset(buf, 0, 8);
1179         buf[0] = 0x01;          /* 2048 bytes of user data, rest is EC */
1180         store_cdrom_address(&buf[4], msf, lba);
1181         return 8;
1182 }
1183 
1184 static int do_read_toc(struct fsg_common *common, struct fsg_buffhd *bh)
1185 {
1186         struct fsg_lun  *curlun = common->curlun;
1187         int             msf = common->cmnd[1] & 0x02;
1188         int             start_track = common->cmnd[6];
1189         u8              *buf = (u8 *)bh->buf;
1190 
1191         if ((common->cmnd[1] & ~0x02) != 0 ||   /* Mask away MSF */
1192                         start_track > 1) {
1193                 curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1194                 return -EINVAL;
1195         }
1196 
1197         memset(buf, 0, 20);
1198         buf[1] = (20-2);                /* TOC data length */
1199         buf[2] = 1;                     /* First track number */
1200         buf[3] = 1;                     /* Last track number */
1201         buf[5] = 0x16;                  /* Data track, copying allowed */
1202         buf[6] = 0x01;                  /* Only track is number 1 */
1203         store_cdrom_address(&buf[8], msf, 0);
1204 
1205         buf[13] = 0x16;                 /* Lead-out track is data */
1206         buf[14] = 0xAA;                 /* Lead-out track number */
1207         store_cdrom_address(&buf[16], msf, curlun->num_sectors);
1208         return 20;
1209 }
1210 
1211 static int do_mode_sense(struct fsg_common *common, struct fsg_buffhd *bh)
1212 {
1213         struct fsg_lun  *curlun = common->curlun;
1214         int             mscmnd = common->cmnd[0];
1215         u8              *buf = (u8 *) bh->buf;
1216         u8              *buf0 = buf;
1217         int             pc, page_code;
1218         int             changeable_values, all_pages;
1219         int             valid_page = 0;
1220         int             len, limit;
1221 
1222         if ((common->cmnd[1] & ~0x08) != 0) {   /* Mask away DBD */
1223                 curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1224                 return -EINVAL;
1225         }
1226         pc = common->cmnd[2] >> 6;
1227         page_code = common->cmnd[2] & 0x3f;
1228         if (pc == 3) {
1229                 curlun->sense_data = SS_SAVING_PARAMETERS_NOT_SUPPORTED;
1230                 return -EINVAL;
1231         }
1232         changeable_values = (pc == 1);
1233         all_pages = (page_code == 0x3f);
1234 
1235         /*
1236          * Write the mode parameter header.  Fixed values are: default
1237          * medium type, no cache control (DPOFUA), and no block descriptors.
1238          * The only variable value is the WriteProtect bit.  We will fill in
1239          * the mode data length later.
1240          */
1241         memset(buf, 0, 8);
1242         if (mscmnd == MODE_SENSE) {
1243                 buf[2] = (curlun->ro ? 0x80 : 0x00);            /* WP, DPOFUA */
1244                 buf += 4;
1245                 limit = 255;
1246         } else {                        /* MODE_SENSE_10 */
1247                 buf[3] = (curlun->ro ? 0x80 : 0x00);            /* WP, DPOFUA */
1248                 buf += 8;
1249                 limit = 65535;          /* Should really be FSG_BUFLEN */
1250         }
1251 
1252         /* No block descriptors */
1253 
1254         /*
1255          * The mode pages, in numerical order.  The only page we support
1256          * is the Caching page.
1257          */
1258         if (page_code == 0x08 || all_pages) {
1259                 valid_page = 1;
1260                 buf[0] = 0x08;          /* Page code */
1261                 buf[1] = 10;            /* Page length */
1262                 memset(buf+2, 0, 10);   /* None of the fields are changeable */
1263 
1264                 if (!changeable_values) {
1265                         buf[2] = 0x04;  /* Write cache enable, */
1266                                         /* Read cache not disabled */
1267                                         /* No cache retention priorities */
1268                         put_unaligned_be16(0xffff, &buf[4]);
1269                                         /* Don't disable prefetch */
1270                                         /* Minimum prefetch = 0 */
1271                         put_unaligned_be16(0xffff, &buf[8]);
1272                                         /* Maximum prefetch */
1273                         put_unaligned_be16(0xffff, &buf[10]);
1274                                         /* Maximum prefetch ceiling */
1275                 }
1276                 buf += 12;
1277         }
1278 
1279         /*
1280          * Check that a valid page was requested and the mode data length
1281          * isn't too long.
1282          */
1283         len = buf - buf0;
1284         if (!valid_page || len > limit) {
1285                 curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1286                 return -EINVAL;
1287         }
1288 
1289         /*  Store the mode data length */
1290         if (mscmnd == MODE_SENSE)
1291                 buf0[0] = len - 1;
1292         else
1293                 put_unaligned_be16(len - 2, buf0);
1294         return len;
1295 }
1296 
1297 static int do_start_stop(struct fsg_common *common)
1298 {
1299         struct fsg_lun  *curlun = common->curlun;
1300         int             loej, start;
1301 
1302         if (!curlun) {
1303                 return -EINVAL;
1304         } else if (!curlun->removable) {
1305                 curlun->sense_data = SS_INVALID_COMMAND;
1306                 return -EINVAL;
1307         } else if ((common->cmnd[1] & ~0x01) != 0 || /* Mask away Immed */
1308                    (common->cmnd[4] & ~0x03) != 0) { /* Mask LoEj, Start */
1309                 curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1310                 return -EINVAL;
1311         }
1312 
1313         loej  = common->cmnd[4] & 0x02;
1314         start = common->cmnd[4] & 0x01;
1315 
1316         /*
1317          * Our emulation doesn't support mounting; the medium is
1318          * available for use as soon as it is loaded.
1319          */
1320         if (start) {
1321                 if (!fsg_lun_is_open(curlun)) {
1322                         curlun->sense_data = SS_MEDIUM_NOT_PRESENT;
1323                         return -EINVAL;
1324                 }
1325                 return 0;
1326         }
1327 
1328         /* Are we allowed to unload the media? */
1329         if (curlun->prevent_medium_removal) {
1330                 LDBG(curlun, "unload attempt prevented\n");
1331                 curlun->sense_data = SS_MEDIUM_REMOVAL_PREVENTED;
1332                 return -EINVAL;
1333         }
1334 
1335         if (!loej)
1336                 return 0;
1337 
1338         up_read(&common->filesem);
1339         down_write(&common->filesem);
1340         fsg_lun_close(curlun);
1341         up_write(&common->filesem);
1342         down_read(&common->filesem);
1343 
1344         return 0;
1345 }
1346 
1347 static int do_prevent_allow(struct fsg_common *common)
1348 {
1349         struct fsg_lun  *curlun = common->curlun;
1350         int             prevent;
1351 
1352         if (!common->curlun) {
1353                 return -EINVAL;
1354         } else if (!common->curlun->removable) {
1355                 common->curlun->sense_data = SS_INVALID_COMMAND;
1356                 return -EINVAL;
1357         }
1358 
1359         prevent = common->cmnd[4] & 0x01;
1360         if ((common->cmnd[4] & ~0x01) != 0) {   /* Mask away Prevent */
1361                 curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1362                 return -EINVAL;
1363         }
1364 
1365         if (curlun->prevent_medium_removal && !prevent)
1366                 fsg_lun_fsync_sub(curlun);
1367         curlun->prevent_medium_removal = prevent;
1368         return 0;
1369 }
1370 
1371 static int do_read_format_capacities(struct fsg_common *common,
1372                         struct fsg_buffhd *bh)
1373 {
1374         struct fsg_lun  *curlun = common->curlun;
1375         u8              *buf = (u8 *) bh->buf;
1376 
1377         buf[0] = buf[1] = buf[2] = 0;
1378         buf[3] = 8;     /* Only the Current/Maximum Capacity Descriptor */
1379         buf += 4;
1380 
1381         put_unaligned_be32(curlun->num_sectors, &buf[0]);
1382                                                 /* Number of blocks */
1383         put_unaligned_be32(curlun->blksize, &buf[4]);/* Block length */
1384         buf[4] = 0x02;                          /* Current capacity */
1385         return 12;
1386 }
1387 
1388 static int do_mode_select(struct fsg_common *common, struct fsg_buffhd *bh)
1389 {
1390         struct fsg_lun  *curlun = common->curlun;
1391 
1392         /* We don't support MODE SELECT */
1393         if (curlun)
1394                 curlun->sense_data = SS_INVALID_COMMAND;
1395         return -EINVAL;
1396 }
1397 
1398 
1399 /*-------------------------------------------------------------------------*/
1400 
1401 static int halt_bulk_in_endpoint(struct fsg_dev *fsg)
1402 {
1403         int     rc;
1404 
1405         rc = fsg_set_halt(fsg, fsg->bulk_in);
1406         if (rc == -EAGAIN)
1407                 VDBG(fsg, "delayed bulk-in endpoint halt\n");
1408         while (rc != 0) {
1409                 if (rc != -EAGAIN) {
1410                         WARNING(fsg, "usb_ep_set_halt -> %d\n", rc);
1411                         rc = 0;
1412                         break;
1413                 }
1414 
1415                 /* Wait for a short time and then try again */
1416                 if (msleep_interruptible(100) != 0)
1417                         return -EINTR;
1418                 rc = usb_ep_set_halt(fsg->bulk_in);
1419         }
1420         return rc;
1421 }
1422 
1423 static int wedge_bulk_in_endpoint(struct fsg_dev *fsg)
1424 {
1425         int     rc;
1426 
1427         DBG(fsg, "bulk-in set wedge\n");
1428         rc = usb_ep_set_wedge(fsg->bulk_in);
1429         if (rc == -EAGAIN)
1430                 VDBG(fsg, "delayed bulk-in endpoint wedge\n");
1431         while (rc != 0) {
1432                 if (rc != -EAGAIN) {
1433                         WARNING(fsg, "usb_ep_set_wedge -> %d\n", rc);
1434                         rc = 0;
1435                         break;
1436                 }
1437 
1438                 /* Wait for a short time and then try again */
1439                 if (msleep_interruptible(100) != 0)
1440                         return -EINTR;
1441                 rc = usb_ep_set_wedge(fsg->bulk_in);
1442         }
1443         return rc;
1444 }
1445 
1446 static int throw_away_data(struct fsg_common *common)
1447 {
1448         struct fsg_buffhd       *bh, *bh2;
1449         u32                     amount;
1450         int                     rc;
1451 
1452         for (bh = common->next_buffhd_to_drain;
1453              bh->state != BUF_STATE_EMPTY || common->usb_amount_left > 0;
1454              bh = common->next_buffhd_to_drain) {
1455 
1456                 /* Try to submit another request if we need one */
1457                 bh2 = common->next_buffhd_to_fill;
1458                 if (bh2->state == BUF_STATE_EMPTY &&
1459                                 common->usb_amount_left > 0) {
1460                         amount = min(common->usb_amount_left, FSG_BUFLEN);
1461 
1462                         /*
1463                          * Except at the end of the transfer, amount will be
1464                          * equal to the buffer size, which is divisible by
1465                          * the bulk-out maxpacket size.
1466                          */
1467                         set_bulk_out_req_length(common, bh2, amount);
1468                         if (!start_out_transfer(common, bh2))
1469                                 /* Dunno what to do if common->fsg is NULL */
1470                                 return -EIO;
1471                         common->next_buffhd_to_fill = bh2->next;
1472                         common->usb_amount_left -= amount;
1473                         continue;
1474                 }
1475 
1476                 /* Wait for the data to be received */
1477                 rc = sleep_thread(common, false, bh);
1478                 if (rc)
1479                         return rc;
1480 
1481                 /* Throw away the data in a filled buffer */
1482                 bh->state = BUF_STATE_EMPTY;
1483                 common->next_buffhd_to_drain = bh->next;
1484 
1485                 /* A short packet or an error ends everything */
1486                 if (bh->outreq->actual < bh->bulk_out_intended_length ||
1487                                 bh->outreq->status != 0) {
1488                         raise_exception(common, FSG_STATE_ABORT_BULK_OUT);
1489                         return -EINTR;
1490                 }
1491         }
1492         return 0;
1493 }
1494 
1495 static int finish_reply(struct fsg_common *common)
1496 {
1497         struct fsg_buffhd       *bh = common->next_buffhd_to_fill;
1498         int                     rc = 0;
1499 
1500         switch (common->data_dir) {
1501         case DATA_DIR_NONE:
1502                 break;                  /* Nothing to send */
1503 
1504         /*
1505          * If we don't know whether the host wants to read or write,
1506          * this must be CB or CBI with an unknown command.  We mustn't
1507          * try to send or receive any data.  So stall both bulk pipes
1508          * if we can and wait for a reset.
1509          */
1510         case DATA_DIR_UNKNOWN:
1511                 if (!common->can_stall) {
1512                         /* Nothing */
1513                 } else if (fsg_is_set(common)) {
1514                         fsg_set_halt(common->fsg, common->fsg->bulk_out);
1515                         rc = halt_bulk_in_endpoint(common->fsg);
1516                 } else {
1517                         /* Don't know what to do if common->fsg is NULL */
1518                         rc = -EIO;
1519                 }
1520                 break;
1521 
1522         /* All but the last buffer of data must have already been sent */
1523         case DATA_DIR_TO_HOST:
1524                 if (common->data_size == 0) {
1525                         /* Nothing to send */
1526 
1527                 /* Don't know what to do if common->fsg is NULL */
1528                 } else if (!fsg_is_set(common)) {
1529                         rc = -EIO;
1530 
1531                 /* If there's no residue, simply send the last buffer */
1532                 } else if (common->residue == 0) {
1533                         bh->inreq->zero = 0;
1534                         if (!start_in_transfer(common, bh))
1535                                 return -EIO;
1536                         common->next_buffhd_to_fill = bh->next;
1537 
1538                 /*
1539                  * For Bulk-only, mark the end of the data with a short
1540                  * packet.  If we are allowed to stall, halt the bulk-in
1541                  * endpoint.  (Note: This violates the Bulk-Only Transport
1542                  * specification, which requires us to pad the data if we
1543                  * don't halt the endpoint.  Presumably nobody will mind.)
1544                  */
1545                 } else {
1546                         bh->inreq->zero = 1;
1547                         if (!start_in_transfer(common, bh))
1548                                 rc = -EIO;
1549                         common->next_buffhd_to_fill = bh->next;
1550                         if (common->can_stall)
1551                                 rc = halt_bulk_in_endpoint(common->fsg);
1552                 }
1553                 break;
1554 
1555         /*
1556          * We have processed all we want from the data the host has sent.
1557          * There may still be outstanding bulk-out requests.
1558          */
1559         case DATA_DIR_FROM_HOST:
1560                 if (common->residue == 0) {
1561                         /* Nothing to receive */
1562 
1563                 /* Did the host stop sending unexpectedly early? */
1564                 } else if (common->short_packet_received) {
1565                         raise_exception(common, FSG_STATE_ABORT_BULK_OUT);
1566                         rc = -EINTR;
1567 
1568                 /*
1569                  * We haven't processed all the incoming data.  Even though
1570                  * we may be allowed to stall, doing so would cause a race.
1571                  * The controller may already have ACK'ed all the remaining
1572                  * bulk-out packets, in which case the host wouldn't see a
1573                  * STALL.  Not realizing the endpoint was halted, it wouldn't
1574                  * clear the halt -- leading to problems later on.
1575                  */
1576 #if 0
1577                 } else if (common->can_stall) {
1578                         if (fsg_is_set(common))
1579                                 fsg_set_halt(common->fsg,
1580                                              common->fsg->bulk_out);
1581                         raise_exception(common, FSG_STATE_ABORT_BULK_OUT);
1582                         rc = -EINTR;
1583 #endif
1584 
1585                 /*
1586                  * We can't stall.  Read in the excess data and throw it
1587                  * all away.
1588                  */
1589                 } else {
1590                         rc = throw_away_data(common);
1591                 }
1592                 break;
1593         }
1594         return rc;
1595 }
1596 
1597 static void send_status(struct fsg_common *common)
1598 {
1599         struct fsg_lun          *curlun = common->curlun;
1600         struct fsg_buffhd       *bh;
1601         struct bulk_cs_wrap     *csw;
1602         int                     rc;
1603         u8                      status = US_BULK_STAT_OK;
1604         u32                     sd, sdinfo = 0;
1605 
1606         /* Wait for the next buffer to become available */
1607         bh = common->next_buffhd_to_fill;
1608         rc = sleep_thread(common, false, bh);
1609         if (rc)
1610                 return;
1611 
1612         if (curlun) {
1613                 sd = curlun->sense_data;
1614                 sdinfo = curlun->sense_data_info;
1615         } else if (common->bad_lun_okay)
1616                 sd = SS_NO_SENSE;
1617         else
1618                 sd = SS_LOGICAL_UNIT_NOT_SUPPORTED;
1619 
1620         if (common->phase_error) {
1621                 DBG(common, "sending phase-error status\n");
1622                 status = US_BULK_STAT_PHASE;
1623                 sd = SS_INVALID_COMMAND;
1624         } else if (sd != SS_NO_SENSE) {
1625                 DBG(common, "sending command-failure status\n");
1626                 status = US_BULK_STAT_FAIL;
1627                 VDBG(common, "  sense data: SK x%02x, ASC x%02x, ASCQ x%02x;"
1628                                 "  info x%x\n",
1629                                 SK(sd), ASC(sd), ASCQ(sd), sdinfo);
1630         }
1631 
1632         /* Store and send the Bulk-only CSW */
1633         csw = (void *)bh->buf;
1634 
1635         csw->Signature = cpu_to_le32(US_BULK_CS_SIGN);
1636         csw->Tag = common->tag;
1637         csw->Residue = cpu_to_le32(common->residue);
1638         csw->Status = status;
1639 
1640         bh->inreq->length = US_BULK_CS_WRAP_LEN;
1641         bh->inreq->zero = 0;
1642         if (!start_in_transfer(common, bh))
1643                 /* Don't know what to do if common->fsg is NULL */
1644                 return;
1645 
1646         common->next_buffhd_to_fill = bh->next;
1647         return;
1648 }
1649 
1650 
1651 /*-------------------------------------------------------------------------*/
1652 
1653 /*
1654  * Check whether the command is properly formed and whether its data size
1655  * and direction agree with the values we already have.
1656  */
1657 static int check_command(struct fsg_common *common, int cmnd_size,
1658                          enum data_direction data_dir, unsigned int mask,
1659                          int needs_medium, const char *name)
1660 {
1661         int                     i;
1662         unsigned int            lun = common->cmnd[1] >> 5;
1663         static const char       dirletter[4] = {'u', 'o', 'i', 'n'};
1664         char                    hdlen[20];
1665         struct fsg_lun          *curlun;
1666 
1667         hdlen[0] = 0;
1668         if (common->data_dir != DATA_DIR_UNKNOWN)
1669                 sprintf(hdlen, ", H%c=%u", dirletter[(int) common->data_dir],
1670                         common->data_size);
1671         VDBG(common, "SCSI command: %s;  Dc=%d, D%c=%u;  Hc=%d%s\n",
1672              name, cmnd_size, dirletter[(int) data_dir],
1673              common->data_size_from_cmnd, common->cmnd_size, hdlen);
1674 
1675         /*
1676          * We can't reply at all until we know the correct data direction
1677          * and size.
1678          */
1679         if (common->data_size_from_cmnd == 0)
1680                 data_dir = DATA_DIR_NONE;
1681         if (common->data_size < common->data_size_from_cmnd) {
1682                 /*
1683                  * Host data size < Device data size is a phase error.
1684                  * Carry out the command, but only transfer as much as
1685                  * we are allowed.
1686                  */
1687                 common->data_size_from_cmnd = common->data_size;
1688                 common->phase_error = 1;
1689         }
1690         common->residue = common->data_size;
1691         common->usb_amount_left = common->data_size;
1692 
1693         /* Conflicting data directions is a phase error */
1694         if (common->data_dir != data_dir && common->data_size_from_cmnd > 0) {
1695                 common->phase_error = 1;
1696                 return -EINVAL;
1697         }
1698 
1699         /* Verify the length of the command itself */
1700         if (cmnd_size != common->cmnd_size) {
1701 
1702                 /*
1703                  * Special case workaround: There are plenty of buggy SCSI
1704                  * implementations. Many have issues with cbw->Length
1705                  * field passing a wrong command size. For those cases we
1706                  * always try to work around the problem by using the length
1707                  * sent by the host side provided it is at least as large
1708                  * as the correct command length.
1709                  * Examples of such cases would be MS-Windows, which issues
1710                  * REQUEST SENSE with cbw->Length == 12 where it should
1711                  * be 6, and xbox360 issuing INQUIRY, TEST UNIT READY and
1712                  * REQUEST SENSE with cbw->Length == 10 where it should
1713                  * be 6 as well.
1714                  */
1715                 if (cmnd_size <= common->cmnd_size) {
1716                         DBG(common, "%s is buggy! Expected length %d "
1717                             "but we got %d\n", name,
1718                             cmnd_size, common->cmnd_size);
1719                         cmnd_size = common->cmnd_size;
1720                 } else {
1721                         common->phase_error = 1;
1722                         return -EINVAL;
1723                 }
1724         }
1725 
1726         /* Check that the LUN values are consistent */
1727         if (common->lun != lun)
1728                 DBG(common, "using LUN %u from CBW, not LUN %u from CDB\n",
1729                     common->lun, lun);
1730 
1731         /* Check the LUN */
1732         curlun = common->curlun;
1733         if (curlun) {
1734                 if (common->cmnd[0] != REQUEST_SENSE) {
1735                         curlun->sense_data = SS_NO_SENSE;
1736                         curlun->sense_data_info = 0;
1737                         curlun->info_valid = 0;
1738                 }
1739         } else {
1740                 common->bad_lun_okay = 0;
1741 
1742                 /*
1743                  * INQUIRY and REQUEST SENSE commands are explicitly allowed
1744                  * to use unsupported LUNs; all others may not.
1745                  */
1746                 if (common->cmnd[0] != INQUIRY &&
1747                     common->cmnd[0] != REQUEST_SENSE) {
1748                         DBG(common, "unsupported LUN %u\n", common->lun);
1749                         return -EINVAL;
1750                 }
1751         }
1752 
1753         /*
1754          * If a unit attention condition exists, only INQUIRY and
1755          * REQUEST SENSE commands are allowed; anything else must fail.
1756          */
1757         if (curlun && curlun->unit_attention_data != SS_NO_SENSE &&
1758             common->cmnd[0] != INQUIRY &&
1759             common->cmnd[0] != REQUEST_SENSE) {
1760                 curlun->sense_data = curlun->unit_attention_data;
1761                 curlun->unit_attention_data = SS_NO_SENSE;
1762                 return -EINVAL;
1763         }
1764 
1765         /* Check that only command bytes listed in the mask are non-zero */
1766         common->cmnd[1] &= 0x1f;                        /* Mask away the LUN */
1767         for (i = 1; i < cmnd_size; ++i) {
1768                 if (common->cmnd[i] && !(mask & (1 << i))) {
1769                         if (curlun)
1770                                 curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1771                         return -EINVAL;
1772                 }
1773         }
1774 
1775         /* If the medium isn't mounted and the command needs to access
1776          * it, return an error. */
1777         if (curlun && !fsg_lun_is_open(curlun) && needs_medium) {
1778                 curlun->sense_data = SS_MEDIUM_NOT_PRESENT;
1779                 return -EINVAL;
1780         }
1781 
1782         return 0;
1783 }
1784 
1785 /* wrapper of check_command for data size in blocks handling */
1786 static int check_command_size_in_blocks(struct fsg_common *common,
1787                 int cmnd_size, enum data_direction data_dir,
1788                 unsigned int mask, int needs_medium, const char *name)
1789 {
1790         if (common->curlun)
1791                 common->data_size_from_cmnd <<= common->curlun->blkbits;
1792         return check_command(common, cmnd_size, data_dir,
1793                         mask, needs_medium, name);
1794 }
1795 
1796 static int do_scsi_command(struct fsg_common *common)
1797 {
1798         struct fsg_buffhd       *bh;
1799         int                     rc;
1800         int                     reply = -EINVAL;
1801         int                     i;
1802         static char             unknown[16];
1803 
1804         dump_cdb(common);
1805 
1806         /* Wait for the next buffer to become available for data or status */
1807         bh = common->next_buffhd_to_fill;
1808         common->next_buffhd_to_drain = bh;
1809         rc = sleep_thread(common, false, bh);
1810         if (rc)
1811                 return rc;
1812 
1813         common->phase_error = 0;
1814         common->short_packet_received = 0;
1815 
1816         down_read(&common->filesem);    /* We're using the backing file */
1817         switch (common->cmnd[0]) {
1818 
1819         case INQUIRY:
1820                 common->data_size_from_cmnd = common->cmnd[4];
1821                 reply = check_command(common, 6, DATA_DIR_TO_HOST,
1822                                       (1<<4), 0,
1823                                       "INQUIRY");
1824                 if (reply == 0)
1825                         reply = do_inquiry(common, bh);
1826                 break;
1827 
1828         case MODE_SELECT:
1829                 common->data_size_from_cmnd = common->cmnd[4];
1830                 reply = check_command(common, 6, DATA_DIR_FROM_HOST,
1831                                       (1<<1) | (1<<4), 0,
1832                                       "MODE SELECT(6)");
1833                 if (reply == 0)
1834                         reply = do_mode_select(common, bh);
1835                 break;
1836 
1837         case MODE_SELECT_10:
1838                 common->data_size_from_cmnd =
1839                         get_unaligned_be16(&common->cmnd[7]);
1840                 reply = check_command(common, 10, DATA_DIR_FROM_HOST,
1841                                       (1<<1) | (3<<7), 0,
1842                                       "MODE SELECT(10)");
1843                 if (reply == 0)
1844                         reply = do_mode_select(common, bh);
1845                 break;
1846 
1847         case MODE_SENSE:
1848                 common->data_size_from_cmnd = common->cmnd[4];
1849                 reply = check_command(common, 6, DATA_DIR_TO_HOST,
1850                                       (1<<1) | (1<<2) | (1<<4), 0,
1851                                       "MODE SENSE(6)");
1852                 if (reply == 0)
1853                         reply = do_mode_sense(common, bh);
1854                 break;
1855 
1856         case MODE_SENSE_10:
1857                 common->data_size_from_cmnd =
1858                         get_unaligned_be16(&common->cmnd[7]);
1859                 reply = check_command(common, 10, DATA_DIR_TO_HOST,
1860                                       (1<<1) | (1<<2) | (3<<7), 0,
1861                                       "MODE SENSE(10)");
1862                 if (reply == 0)
1863                         reply = do_mode_sense(common, bh);
1864                 break;
1865 
1866         case ALLOW_MEDIUM_REMOVAL:
1867                 common->data_size_from_cmnd = 0;
1868                 reply = check_command(common, 6, DATA_DIR_NONE,
1869                                       (1<<4), 0,
1870                                       "PREVENT-ALLOW MEDIUM REMOVAL");
1871                 if (reply == 0)
1872                         reply = do_prevent_allow(common);
1873                 break;
1874 
1875         case READ_6:
1876                 i = common->cmnd[4];
1877                 common->data_size_from_cmnd = (i == 0) ? 256 : i;
1878                 reply = check_command_size_in_blocks(common, 6,
1879                                       DATA_DIR_TO_HOST,
1880                                       (7<<1) | (1<<4), 1,
1881                                       "READ(6)");
1882                 if (reply == 0)
1883                         reply = do_read(common);
1884                 break;
1885 
1886         case READ_10:
1887                 common->data_size_from_cmnd =
1888                                 get_unaligned_be16(&common->cmnd[7]);
1889                 reply = check_command_size_in_blocks(common, 10,
1890                                       DATA_DIR_TO_HOST,
1891                                       (1<<1) | (0xf<<2) | (3<<7), 1,
1892                                       "READ(10)");
1893                 if (reply == 0)
1894                         reply = do_read(common);
1895                 break;
1896 
1897         case READ_12:
1898                 common->data_size_from_cmnd =
1899                                 get_unaligned_be32(&common->cmnd[6]);
1900                 reply = check_command_size_in_blocks(common, 12,
1901                                       DATA_DIR_TO_HOST,
1902                                       (1<<1) | (0xf<<2) | (0xf<<6), 1,
1903                                       "READ(12)");
1904                 if (reply == 0)
1905                         reply = do_read(common);
1906                 break;
1907 
1908         case READ_CAPACITY:
1909                 common->data_size_from_cmnd = 8;
1910                 reply = check_command(common, 10, DATA_DIR_TO_HOST,
1911                                       (0xf<<2) | (1<<8), 1,
1912                                       "READ CAPACITY");
1913                 if (reply == 0)
1914                         reply = do_read_capacity(common, bh);
1915                 break;
1916 
1917         case READ_HEADER:
1918                 if (!common->curlun || !common->curlun->cdrom)
1919                         goto unknown_cmnd;
1920                 common->data_size_from_cmnd =
1921                         get_unaligned_be16(&common->cmnd[7]);
1922                 reply = check_command(common, 10, DATA_DIR_TO_HOST,
1923                                       (3<<7) | (0x1f<<1), 1,
1924                                       "READ HEADER");
1925                 if (reply == 0)
1926                         reply = do_read_header(common, bh);
1927                 break;
1928 
1929         case READ_TOC:
1930                 if (!common->curlun || !common->curlun->cdrom)
1931                         goto unknown_cmnd;
1932                 common->data_size_from_cmnd =
1933                         get_unaligned_be16(&common->cmnd[7]);
1934                 reply = check_command(common, 10, DATA_DIR_TO_HOST,
1935                                       (7<<6) | (1<<1), 1,
1936                                       "READ TOC");
1937                 if (reply == 0)
1938                         reply = do_read_toc(common, bh);
1939                 break;
1940 
1941         case READ_FORMAT_CAPACITIES:
1942                 common->data_size_from_cmnd =
1943                         get_unaligned_be16(&common->cmnd[7]);
1944                 reply = check_command(common, 10, DATA_DIR_TO_HOST,
1945                                       (3<<7), 1,
1946                                       "READ FORMAT CAPACITIES");
1947                 if (reply == 0)
1948                         reply = do_read_format_capacities(common, bh);
1949                 break;
1950 
1951         case REQUEST_SENSE:
1952                 common->data_size_from_cmnd = common->cmnd[4];
1953                 reply = check_command(common, 6, DATA_DIR_TO_HOST,
1954                                       (1<<4), 0,
1955                                       "REQUEST SENSE");
1956                 if (reply == 0)
1957                         reply = do_request_sense(common, bh);
1958                 break;
1959 
1960         case START_STOP:
1961                 common->data_size_from_cmnd = 0;
1962                 reply = check_command(common, 6, DATA_DIR_NONE,
1963                                       (1<<1) | (1<<4), 0,
1964                                       "START-STOP UNIT");
1965                 if (reply == 0)
1966                         reply = do_start_stop(common);
1967                 break;
1968 
1969         case SYNCHRONIZE_CACHE:
1970                 common->data_size_from_cmnd = 0;
1971                 reply = check_command(common, 10, DATA_DIR_NONE,
1972                                       (0xf<<2) | (3<<7), 1,
1973                                       "SYNCHRONIZE CACHE");
1974                 if (reply == 0)
1975                         reply = do_synchronize_cache(common);
1976                 break;
1977 
1978         case TEST_UNIT_READY:
1979                 common->data_size_from_cmnd = 0;
1980                 reply = check_command(common, 6, DATA_DIR_NONE,
1981                                 0, 1,
1982                                 "TEST UNIT READY");
1983                 break;
1984 
1985         /*
1986          * Although optional, this command is used by MS-Windows.  We
1987          * support a minimal version: BytChk must be 0.
1988          */
1989         case VERIFY:
1990                 common->data_size_from_cmnd = 0;
1991                 reply = check_command(common, 10, DATA_DIR_NONE,
1992                                       (1<<1) | (0xf<<2) | (3<<7), 1,
1993                                       "VERIFY");
1994                 if (reply == 0)
1995                         reply = do_verify(common);
1996                 break;
1997 
1998         case WRITE_6:
1999                 i = common->cmnd[4];
2000                 common->data_size_from_cmnd = (i == 0) ? 256 : i;
2001                 reply = check_command_size_in_blocks(common, 6,
2002                                       DATA_DIR_FROM_HOST,
2003                                       (7<<1) | (1<<4), 1,
2004                                       "WRITE(6)");
2005                 if (reply == 0)
2006                         reply = do_write(common);
2007                 break;
2008 
2009         case WRITE_10:
2010                 common->data_size_from_cmnd =
2011                                 get_unaligned_be16(&common->cmnd[7]);
2012                 reply = check_command_size_in_blocks(common, 10,
2013                                       DATA_DIR_FROM_HOST,
2014                                       (1<<1) | (0xf<<2) | (3<<7), 1,
2015                                       "WRITE(10)");
2016                 if (reply == 0)
2017                         reply = do_write(common);
2018                 break;
2019 
2020         case WRITE_12:
2021                 common->data_size_from_cmnd =
2022                                 get_unaligned_be32(&common->cmnd[6]);
2023                 reply = check_command_size_in_blocks(common, 12,
2024                                       DATA_DIR_FROM_HOST,
2025                                       (1<<1) | (0xf<<2) | (0xf<<6), 1,
2026                                       "WRITE(12)");
2027                 if (reply == 0)
2028                         reply = do_write(common);
2029                 break;
2030 
2031         /*
2032          * Some mandatory commands that we recognize but don't implement.
2033          * They don't mean much in this setting.  It's left as an exercise
2034          * for anyone interested to implement RESERVE and RELEASE in terms
2035          * of Posix locks.
2036          */
2037         case FORMAT_UNIT:
2038         case RELEASE:
2039         case RESERVE:
2040         case SEND_DIAGNOSTIC:
2041                 /* Fall through */
2042 
2043         default:
2044 unknown_cmnd:
2045                 common->data_size_from_cmnd = 0;
2046                 sprintf(unknown, "Unknown x%02x", common->cmnd[0]);
2047                 reply = check_command(common, common->cmnd_size,
2048                                       DATA_DIR_UNKNOWN, ~0, 0, unknown);
2049                 if (reply == 0) {
2050                         common->curlun->sense_data = SS_INVALID_COMMAND;
2051                         reply = -EINVAL;
2052                 }
2053                 break;
2054         }
2055         up_read(&common->filesem);
2056 
2057         if (reply == -EINTR || signal_pending(current))
2058                 return -EINTR;
2059 
2060         /* Set up the single reply buffer for finish_reply() */
2061         if (reply == -EINVAL)
2062                 reply = 0;              /* Error reply length */
2063         if (reply >= 0 && common->data_dir == DATA_DIR_TO_HOST) {
2064                 reply = min((u32)reply, common->data_size_from_cmnd);
2065                 bh->inreq->length = reply;
2066                 bh->state = BUF_STATE_FULL;
2067                 common->residue -= reply;
2068         }                               /* Otherwise it's already set */
2069 
2070         return 0;
2071 }
2072 
2073 
2074 /*-------------------------------------------------------------------------*/
2075 
2076 static int received_cbw(struct fsg_dev *fsg, struct fsg_buffhd *bh)
2077 {
2078         struct usb_request      *req = bh->outreq;
2079         struct bulk_cb_wrap     *cbw = req->buf;
2080         struct fsg_common       *common = fsg->common;
2081 
2082         /* Was this a real packet?  Should it be ignored? */
2083         if (req->status || test_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags))
2084                 return -EINVAL;
2085 
2086         /* Is the CBW valid? */
2087         if (req->actual != US_BULK_CB_WRAP_LEN ||
2088                         cbw->Signature != cpu_to_le32(
2089                                 US_BULK_CB_SIGN)) {
2090                 DBG(fsg, "invalid CBW: len %u sig 0x%x\n",
2091                                 req->actual,
2092                                 le32_to_cpu(cbw->Signature));
2093 
2094                 /*
2095                  * The Bulk-only spec says we MUST stall the IN endpoint
2096                  * (6.6.1), so it's unavoidable.  It also says we must
2097                  * retain this state until the next reset, but there's
2098                  * no way to tell the controller driver it should ignore
2099                  * Clear-Feature(HALT) requests.
2100                  *
2101                  * We aren't required to halt the OUT endpoint; instead
2102                  * we can simply accept and discard any data received
2103                  * until the next reset.
2104                  */
2105                 wedge_bulk_in_endpoint(fsg);
2106                 set_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags);
2107                 return -EINVAL;
2108         }
2109 
2110         /* Is the CBW meaningful? */
2111         if (cbw->Lun >= ARRAY_SIZE(common->luns) ||
2112             cbw->Flags & ~US_BULK_FLAG_IN || cbw->Length <= 0 ||
2113             cbw->Length > MAX_COMMAND_SIZE) {
2114                 DBG(fsg, "non-meaningful CBW: lun = %u, flags = 0x%x, "
2115                                 "cmdlen %u\n",
2116                                 cbw->Lun, cbw->Flags, cbw->Length);
2117 
2118                 /*
2119                  * We can do anything we want here, so let's stall the
2120                  * bulk pipes if we are allowed to.
2121                  */
2122                 if (common->can_stall) {
2123                         fsg_set_halt(fsg, fsg->bulk_out);
2124                         halt_bulk_in_endpoint(fsg);
2125                 }
2126                 return -EINVAL;
2127         }
2128 
2129         /* Save the command for later */
2130         common->cmnd_size = cbw->Length;
2131         memcpy(common->cmnd, cbw->CDB, common->cmnd_size);
2132         if (cbw->Flags & US_BULK_FLAG_IN)
2133                 common->data_dir = DATA_DIR_TO_HOST;
2134         else
2135                 common->data_dir = DATA_DIR_FROM_HOST;
2136         common->data_size = le32_to_cpu(cbw->DataTransferLength);
2137         if (common->data_size == 0)
2138                 common->data_dir = DATA_DIR_NONE;
2139         common->lun = cbw->Lun;
2140         if (common->lun < ARRAY_SIZE(common->luns))
2141                 common->curlun = common->luns[common->lun];
2142         else
2143                 common->curlun = NULL;
2144         common->tag = cbw->Tag;
2145         return 0;
2146 }
2147 
2148 static int get_next_command(struct fsg_common *common)
2149 {
2150         struct fsg_buffhd       *bh;
2151         int                     rc = 0;
2152 
2153         /* Wait for the next buffer to become available */
2154         bh = common->next_buffhd_to_fill;
2155         rc = sleep_thread(common, true, bh);
2156         if (rc)
2157                 return rc;
2158 
2159         /* Queue a request to read a Bulk-only CBW */
2160         set_bulk_out_req_length(common, bh, US_BULK_CB_WRAP_LEN);
2161         if (!start_out_transfer(common, bh))
2162                 /* Don't know what to do if common->fsg is NULL */
2163                 return -EIO;
2164 
2165         /*
2166          * We will drain the buffer in software, which means we
2167          * can reuse it for the next filling.  No need to advance
2168          * next_buffhd_to_fill.
2169          */
2170 
2171         /* Wait for the CBW to arrive */
2172         rc = sleep_thread(common, true, bh);
2173         if (rc)
2174                 return rc;
2175 
2176         rc = fsg_is_set(common) ? received_cbw(common->fsg, bh) : -EIO;
2177         bh->state = BUF_STATE_EMPTY;
2178 
2179         return rc;
2180 }
2181 
2182 
2183 /*-------------------------------------------------------------------------*/
2184 
2185 static int alloc_request(struct fsg_common *common, struct usb_ep *ep,
2186                 struct usb_request **preq)
2187 {
2188         *preq = usb_ep_alloc_request(ep, GFP_ATOMIC);
2189         if (*preq)
2190                 return 0;
2191         ERROR(common, "can't allocate request for %s\n", ep->name);
2192         return -ENOMEM;
2193 }
2194 
2195 /* Reset interface setting and re-init endpoint state (toggle etc). */
2196 static int do_set_interface(struct fsg_common *common, struct fsg_dev *new_fsg)
2197 {
2198         struct fsg_dev *fsg;
2199         int i, rc = 0;
2200 
2201         if (common->running)
2202                 DBG(common, "reset interface\n");
2203 
2204 reset:
2205         /* Deallocate the requests */
2206         if (common->fsg) {
2207                 fsg = common->fsg;
2208 
2209                 for (i = 0; i < common->fsg_num_buffers; ++i) {
2210                         struct fsg_buffhd *bh = &common->buffhds[i];
2211 
2212                         if (bh->inreq) {
2213                                 usb_ep_free_request(fsg->bulk_in, bh->inreq);
2214                                 bh->inreq = NULL;
2215                         }
2216                         if (bh->outreq) {
2217                                 usb_ep_free_request(fsg->bulk_out, bh->outreq);
2218                                 bh->outreq = NULL;
2219                         }
2220                 }
2221 
2222                 /* Disable the endpoints */
2223                 if (fsg->bulk_in_enabled) {
2224                         usb_ep_disable(fsg->bulk_in);
2225                         fsg->bulk_in_enabled = 0;
2226                 }
2227                 if (fsg->bulk_out_enabled) {
2228                         usb_ep_disable(fsg->bulk_out);
2229                         fsg->bulk_out_enabled = 0;
2230                 }
2231 
2232                 common->fsg = NULL;
2233                 wake_up(&common->fsg_wait);
2234         }
2235 
2236         common->running = 0;
2237         if (!new_fsg || rc)
2238                 return rc;
2239 
2240         common->fsg = new_fsg;
2241         fsg = common->fsg;
2242 
2243         /* Enable the endpoints */
2244         rc = config_ep_by_speed(common->gadget, &(fsg->function), fsg->bulk_in);
2245         if (rc)
2246                 goto reset;
2247         rc = usb_ep_enable(fsg->bulk_in);
2248         if (rc)
2249                 goto reset;
2250         fsg->bulk_in->driver_data = common;
2251         fsg->bulk_in_enabled = 1;
2252 
2253         rc = config_ep_by_speed(common->gadget, &(fsg->function),
2254                                 fsg->bulk_out);
2255         if (rc)
2256                 goto reset;
2257         rc = usb_ep_enable(fsg->bulk_out);
2258         if (rc)
2259                 goto reset;
2260         fsg->bulk_out->driver_data = common;
2261         fsg->bulk_out_enabled = 1;
2262         common->bulk_out_maxpacket = usb_endpoint_maxp(fsg->bulk_out->desc);
2263         clear_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags);
2264 
2265         /* Allocate the requests */
2266         for (i = 0; i < common->fsg_num_buffers; ++i) {
2267                 struct fsg_buffhd       *bh = &common->buffhds[i];
2268 
2269                 rc = alloc_request(common, fsg->bulk_in, &bh->inreq);
2270                 if (rc)
2271                         goto reset;
2272                 rc = alloc_request(common, fsg->bulk_out, &bh->outreq);
2273                 if (rc)
2274                         goto reset;
2275                 bh->inreq->buf = bh->outreq->buf = bh->buf;
2276                 bh->inreq->context = bh->outreq->context = bh;
2277                 bh->inreq->complete = bulk_in_complete;
2278                 bh->outreq->complete = bulk_out_complete;
2279         }
2280 
2281         common->running = 1;
2282         for (i = 0; i < ARRAY_SIZE(common->luns); ++i)
2283                 if (common->luns[i])
2284                         common->luns[i]->unit_attention_data =
2285                                 SS_RESET_OCCURRED;
2286         return rc;
2287 }
2288 
2289 
2290 /****************************** ALT CONFIGS ******************************/
2291 
2292 static int fsg_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
2293 {
2294         struct fsg_dev *fsg = fsg_from_func(f);
2295 
2296         __raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE, fsg);
2297         return USB_GADGET_DELAYED_STATUS;
2298 }
2299 
2300 static void fsg_disable(struct usb_function *f)
2301 {
2302         struct fsg_dev *fsg = fsg_from_func(f);
2303 
2304         __raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE, NULL);
2305 }
2306 
2307 
2308 /*-------------------------------------------------------------------------*/
2309 
2310 static void handle_exception(struct fsg_common *common)
2311 {
2312         int                     i;
2313         struct fsg_buffhd       *bh;
2314         enum fsg_state          old_state;
2315         struct fsg_lun          *curlun;
2316         unsigned int            exception_req_tag;
2317         struct fsg_dev          *new_fsg;
2318 
2319         /*
2320          * Clear the existing signals.  Anything but SIGUSR1 is converted
2321          * into a high-priority EXIT exception.
2322          */
2323         for (;;) {
2324                 int sig = kernel_dequeue_signal();
2325                 if (!sig)
2326                         break;
2327                 if (sig != SIGUSR1) {
2328                         spin_lock_irq(&common->lock);
2329                         if (common->state < FSG_STATE_EXIT)
2330                                 DBG(common, "Main thread exiting on signal\n");
2331                         common->state = FSG_STATE_EXIT;
2332                         spin_unlock_irq(&common->lock);
2333                 }
2334         }
2335 
2336         /* Cancel all the pending transfers */
2337         if (likely(common->fsg)) {
2338                 for (i = 0; i < common->fsg_num_buffers; ++i) {
2339                         bh = &common->buffhds[i];
2340                         if (bh->state == BUF_STATE_SENDING)
2341                                 usb_ep_dequeue(common->fsg->bulk_in, bh->inreq);
2342                         if (bh->state == BUF_STATE_RECEIVING)
2343                                 usb_ep_dequeue(common->fsg->bulk_out,
2344                                                bh->outreq);
2345 
2346                         /* Wait for a transfer to become idle */
2347                         if (sleep_thread(common, false, bh))
2348                                 return;
2349                 }
2350 
2351                 /* Clear out the controller's fifos */
2352                 if (common->fsg->bulk_in_enabled)
2353                         usb_ep_fifo_flush(common->fsg->bulk_in);
2354                 if (common->fsg->bulk_out_enabled)
2355                         usb_ep_fifo_flush(common->fsg->bulk_out);
2356         }
2357 
2358         /*
2359          * Reset the I/O buffer states and pointers, the SCSI
2360          * state, and the exception.  Then invoke the handler.
2361          */
2362         spin_lock_irq(&common->lock);
2363 
2364         for (i = 0; i < common->fsg_num_buffers; ++i) {
2365                 bh = &common->buffhds[i];
2366                 bh->state = BUF_STATE_EMPTY;
2367         }
2368         common->next_buffhd_to_fill = &common->buffhds[0];
2369         common->next_buffhd_to_drain = &common->buffhds[0];
2370         exception_req_tag = common->exception_req_tag;
2371         new_fsg = common->exception_arg;
2372         old_state = common->state;
2373         common->state = FSG_STATE_NORMAL;
2374 
2375         if (old_state != FSG_STATE_ABORT_BULK_OUT) {
2376                 for (i = 0; i < ARRAY_SIZE(common->luns); ++i) {
2377                         curlun = common->luns[i];
2378                         if (!curlun)
2379                                 continue;
2380                         curlun->prevent_medium_removal = 0;
2381                         curlun->sense_data = SS_NO_SENSE;
2382                         curlun->unit_attention_data = SS_NO_SENSE;
2383                         curlun->sense_data_info = 0;
2384                         curlun->info_valid = 0;
2385                 }
2386         }
2387         spin_unlock_irq(&common->lock);
2388 
2389         /* Carry out any extra actions required for the exception */
2390         switch (old_state) {
2391         case FSG_STATE_NORMAL:
2392                 break;
2393 
2394         case FSG_STATE_ABORT_BULK_OUT:
2395                 send_status(common);
2396                 break;
2397 
2398         case FSG_STATE_PROTOCOL_RESET:
2399                 /*
2400                  * In case we were forced against our will to halt a
2401                  * bulk endpoint, clear the halt now.  (The SuperH UDC
2402                  * requires this.)
2403                  */
2404                 if (!fsg_is_set(common))
2405                         break;
2406                 if (test_and_clear_bit(IGNORE_BULK_OUT,
2407                                        &common->fsg->atomic_bitflags))
2408                         usb_ep_clear_halt(common->fsg->bulk_in);
2409 
2410                 if (common->ep0_req_tag == exception_req_tag)
2411                         ep0_queue(common);      /* Complete the status stage */
2412 
2413                 /*
2414                  * Technically this should go here, but it would only be
2415                  * a waste of time.  Ditto for the INTERFACE_CHANGE and
2416                  * CONFIG_CHANGE cases.
2417                  */
2418                 /* for (i = 0; i < common->ARRAY_SIZE(common->luns); ++i) */
2419                 /*      if (common->luns[i]) */
2420                 /*              common->luns[i]->unit_attention_data = */
2421                 /*                      SS_RESET_OCCURRED;  */
2422                 break;
2423 
2424         case FSG_STATE_CONFIG_CHANGE:
2425                 do_set_interface(common, new_fsg);
2426                 if (new_fsg)
2427                         usb_composite_setup_continue(common->cdev);
2428                 break;
2429 
2430         case FSG_STATE_EXIT:
2431                 do_set_interface(common, NULL);         /* Free resources */
2432                 spin_lock_irq(&common->lock);
2433                 common->state = FSG_STATE_TERMINATED;   /* Stop the thread */
2434                 spin_unlock_irq(&common->lock);
2435                 break;
2436 
2437         case FSG_STATE_TERMINATED:
2438                 break;
2439         }
2440 }
2441 
2442 
2443 /*-------------------------------------------------------------------------*/
2444 
2445 static int fsg_main_thread(void *common_)
2446 {
2447         struct fsg_common       *common = common_;
2448         int                     i;
2449 
2450         /*
2451          * Allow the thread to be killed by a signal, but set the signal mask
2452          * to block everything but INT, TERM, KILL, and USR1.
2453          */
2454         allow_signal(SIGINT);
2455         allow_signal(SIGTERM);
2456         allow_signal(SIGKILL);
2457         allow_signal(SIGUSR1);
2458 
2459         /* Allow the thread to be frozen */
2460         set_freezable();
2461 
2462         /* The main loop */
2463         while (common->state != FSG_STATE_TERMINATED) {
2464                 if (exception_in_progress(common) || signal_pending(current)) {
2465                         handle_exception(common);
2466                         continue;
2467                 }
2468 
2469                 if (!common->running) {
2470                         sleep_thread(common, true, NULL);
2471                         continue;
2472                 }
2473 
2474                 if (get_next_command(common) || exception_in_progress(common))
2475                         continue;
2476                 if (do_scsi_command(common) || exception_in_progress(common))
2477                         continue;
2478                 if (finish_reply(common) || exception_in_progress(common))
2479                         continue;
2480                 send_status(common);
2481         }
2482 
2483         spin_lock_irq(&common->lock);
2484         common->thread_task = NULL;
2485         spin_unlock_irq(&common->lock);
2486 
2487         /* Eject media from all LUNs */
2488 
2489         down_write(&common->filesem);
2490         for (i = 0; i < ARRAY_SIZE(common->luns); i++) {
2491                 struct fsg_lun *curlun = common->luns[i];
2492 
2493                 if (curlun && fsg_lun_is_open(curlun))
2494                         fsg_lun_close(curlun);
2495         }
2496         up_write(&common->filesem);
2497 
2498         /* Let fsg_unbind() know the thread has exited */
2499         complete_and_exit(&common->thread_notifier, 0);
2500 }
2501 
2502 
2503 /*************************** DEVICE ATTRIBUTES ***************************/
2504 
2505 static ssize_t ro_show(struct device *dev, struct device_attribute *attr, char *buf)
2506 {
2507         struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2508 
2509         return fsg_show_ro(curlun, buf);
2510 }
2511 
2512 static ssize_t nofua_show(struct device *dev, struct device_attribute *attr,
2513                           char *buf)
2514 {
2515         struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2516 
2517         return fsg_show_nofua(curlun, buf);
2518 }
2519 
2520 static ssize_t file_show(struct device *dev, struct device_attribute *attr,
2521                          char *buf)
2522 {
2523         struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2524         struct rw_semaphore     *filesem = dev_get_drvdata(dev);
2525 
2526         return fsg_show_file(curlun, filesem, buf);
2527 }
2528 
2529 static ssize_t ro_store(struct device *dev, struct device_attribute *attr,
2530                         const char *buf, size_t count)
2531 {
2532         struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2533         struct rw_semaphore     *filesem = dev_get_drvdata(dev);
2534 
2535         return fsg_store_ro(curlun, filesem, buf, count);
2536 }
2537 
2538 static ssize_t nofua_store(struct device *dev, struct device_attribute *attr,
2539                            const char *buf, size_t count)
2540 {
2541         struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2542 
2543         return fsg_store_nofua(curlun, buf, count);
2544 }
2545 
2546 static ssize_t file_store(struct device *dev, struct device_attribute *attr,
2547                           const char *buf, size_t count)
2548 {
2549         struct fsg_lun          *curlun = fsg_lun_from_dev(dev);
2550         struct rw_semaphore     *filesem = dev_get_drvdata(dev);
2551 
2552         return fsg_store_file(curlun, filesem, buf, count);
2553 }
2554 
2555 static DEVICE_ATTR_RW(nofua);
2556 /* mode wil be set in fsg_lun_attr_is_visible() */
2557 static DEVICE_ATTR(ro, 0, ro_show, ro_store);
2558 static DEVICE_ATTR(file, 0, file_show, file_store);
2559 
2560 /****************************** FSG COMMON ******************************/
2561 
2562 static void fsg_lun_release(struct device *dev)
2563 {
2564         /* Nothing needs to be done */
2565 }
2566 
2567 static struct fsg_common *fsg_common_setup(struct fsg_common *common)
2568 {
2569         if (!common) {
2570                 common = kzalloc(sizeof(*common), GFP_KERNEL);
2571                 if (!common)
2572                         return ERR_PTR(-ENOMEM);
2573                 common->free_storage_on_release = 1;
2574         } else {
2575                 common->free_storage_on_release = 0;
2576         }
2577         init_rwsem(&common->filesem);
2578         spin_lock_init(&common->lock);
2579         init_completion(&common->thread_notifier);
2580         init_waitqueue_head(&common->io_wait);
2581         init_waitqueue_head(&common->fsg_wait);
2582         common->state = FSG_STATE_TERMINATED;
2583         memset(common->luns, 0, sizeof(common->luns));
2584 
2585         return common;
2586 }
2587 
2588 void fsg_common_set_sysfs(struct fsg_common *common, bool sysfs)
2589 {
2590         common->sysfs = sysfs;
2591 }
2592 EXPORT_SYMBOL_GPL(fsg_common_set_sysfs);
2593 
2594 static void _fsg_common_free_buffers(struct fsg_buffhd *buffhds, unsigned n)
2595 {
2596         if (buffhds) {
2597                 struct fsg_buffhd *bh = buffhds;
2598                 while (n--) {
2599                         kfree(bh->buf);
2600                         ++bh;
2601                 }
2602                 kfree(buffhds);
2603         }
2604 }
2605 
2606 int fsg_common_set_num_buffers(struct fsg_common *common, unsigned int n)
2607 {
2608         struct fsg_buffhd *bh, *buffhds;
2609         int i;
2610 
2611         buffhds = kcalloc(n, sizeof(*buffhds), GFP_KERNEL);
2612         if (!buffhds)
2613                 return -ENOMEM;
2614 
2615         /* Data buffers cyclic list */
2616         bh = buffhds;
2617         i = n;
2618         goto buffhds_first_it;
2619         do {
2620                 bh->next = bh + 1;
2621                 ++bh;
2622 buffhds_first_it:
2623                 bh->buf = kmalloc(FSG_BUFLEN, GFP_KERNEL);
2624                 if (unlikely(!bh->buf))
2625                         goto error_release;
2626         } while (--i);
2627         bh->next = buffhds;
2628 
2629         _fsg_common_free_buffers(common->buffhds, common->fsg_num_buffers);
2630         common->fsg_num_buffers = n;
2631         common->buffhds = buffhds;
2632 
2633         return 0;
2634 
2635 error_release:
2636         /*
2637          * "buf"s pointed to by heads after n - i are NULL
2638          * so releasing them won't hurt
2639          */
2640         _fsg_common_free_buffers(buffhds, n);
2641 
2642         return -ENOMEM;
2643 }
2644 EXPORT_SYMBOL_GPL(fsg_common_set_num_buffers);
2645 
2646 void fsg_common_remove_lun(struct fsg_lun *lun)
2647 {
2648         if (device_is_registered(&lun->dev))
2649                 device_unregister(&lun->dev);
2650         fsg_lun_close(lun);
2651         kfree(lun);
2652 }
2653 EXPORT_SYMBOL_GPL(fsg_common_remove_lun);
2654 
2655 static void _fsg_common_remove_luns(struct fsg_common *common, int n)
2656 {
2657         int i;
2658 
2659         for (i = 0; i < n; ++i)
2660                 if (common->luns[i]) {
2661                         fsg_common_remove_lun(common->luns[i]);
2662                         common->luns[i] = NULL;
2663                 }
2664 }
2665 
2666 void fsg_common_remove_luns(struct fsg_common *common)
2667 {
2668         _fsg_common_remove_luns(common, ARRAY_SIZE(common->luns));
2669 }
2670 EXPORT_SYMBOL_GPL(fsg_common_remove_luns);
2671 
2672 void fsg_common_free_buffers(struct fsg_common *common)
2673 {
2674         _fsg_common_free_buffers(common->buffhds, common->fsg_num_buffers);
2675         common->buffhds = NULL;
2676 }
2677 EXPORT_SYMBOL_GPL(fsg_common_free_buffers);
2678 
2679 int fsg_common_set_cdev(struct fsg_common *common,
2680                          struct usb_composite_dev *cdev, bool can_stall)
2681 {
2682         struct usb_string *us;
2683 
2684         common->gadget = cdev->gadget;
2685         common->ep0 = cdev->gadget->ep0;
2686         common->ep0req = cdev->req;
2687         common->cdev = cdev;
2688 
2689         us = usb_gstrings_attach(cdev, fsg_strings_array,
2690                                  ARRAY_SIZE(fsg_strings));
2691         if (IS_ERR(us))
2692                 return PTR_ERR(us);
2693 
2694         fsg_intf_desc.iInterface = us[FSG_STRING_INTERFACE].id;
2695 
2696         /*
2697          * Some peripheral controllers are known not to be able to
2698          * halt bulk endpoints correctly.  If one of them is present,
2699          * disable stalls.
2700          */
2701         common->can_stall = can_stall &&
2702                         gadget_is_stall_supported(common->gadget);
2703 
2704         return 0;
2705 }
2706 EXPORT_SYMBOL_GPL(fsg_common_set_cdev);
2707 
2708 static struct attribute *fsg_lun_dev_attrs[] = {
2709         &dev_attr_ro.attr,
2710         &dev_attr_file.attr,
2711         &dev_attr_nofua.attr,
2712         NULL
2713 };
2714 
2715 static umode_t fsg_lun_dev_is_visible(struct kobject *kobj,
2716                                       struct attribute *attr, int idx)
2717 {
2718         struct device *dev = kobj_to_dev(kobj);
2719         struct fsg_lun *lun = fsg_lun_from_dev(dev);
2720 
2721         if (attr == &dev_attr_ro.attr)
2722                 return lun->cdrom ? S_IRUGO : (S_IWUSR | S_IRUGO);
2723         if (attr == &dev_attr_file.attr)
2724                 return lun->removable ? (S_IWUSR | S_IRUGO) : S_IRUGO;
2725         return attr->mode;
2726 }
2727 
2728 static const struct attribute_group fsg_lun_dev_group = {
2729         .attrs = fsg_lun_dev_attrs,
2730         .is_visible = fsg_lun_dev_is_visible,
2731 };
2732 
2733 static const struct attribute_group *fsg_lun_dev_groups[] = {
2734         &fsg_lun_dev_group,
2735         NULL
2736 };
2737 
2738 int fsg_common_create_lun(struct fsg_common *common, struct fsg_lun_config *cfg,
2739                           unsigned int id, const char *name,
2740                           const char **name_pfx)
2741 {
2742         struct fsg_lun *lun;
2743         char *pathbuf, *p;
2744         int rc = -ENOMEM;
2745 
2746         if (id >= ARRAY_SIZE(common->luns))
2747                 return -ENODEV;
2748 
2749         if (common->luns[id])
2750                 return -EBUSY;
2751 
2752         if (!cfg->filename && !cfg->removable) {
2753                 pr_err("no file given for LUN%d\n", id);
2754                 return -EINVAL;
2755         }
2756 
2757         lun = kzalloc(sizeof(*lun), GFP_KERNEL);
2758         if (!lun)
2759                 return -ENOMEM;
2760 
2761         lun->name_pfx = name_pfx;
2762 
2763         lun->cdrom = !!cfg->cdrom;
2764         lun->ro = cfg->cdrom || cfg->ro;
2765         lun->initially_ro = lun->ro;
2766         lun->removable = !!cfg->removable;
2767 
2768         if (!common->sysfs) {
2769                 /* we DON'T own the name!*/
2770                 lun->name = name;
2771         } else {
2772                 lun->dev.release = fsg_lun_release;
2773                 lun->dev.parent = &common->gadget->dev;
2774                 lun->dev.groups = fsg_lun_dev_groups;
2775                 dev_set_drvdata(&lun->dev, &common->filesem);
2776                 dev_set_name(&lun->dev, "%s", name);
2777                 lun->name = dev_name(&lun->dev);
2778 
2779                 rc = device_register(&lun->dev);
2780                 if (rc) {
2781                         pr_info("failed to register LUN%d: %d\n", id, rc);
2782                         put_device(&lun->dev);
2783                         goto error_sysfs;
2784                 }
2785         }
2786 
2787         common->luns[id] = lun;
2788 
2789         if (cfg->filename) {
2790                 rc = fsg_lun_open(lun, cfg->filename);
2791                 if (rc)
2792                         goto error_lun;
2793         }
2794 
2795         pathbuf = kmalloc(PATH_MAX, GFP_KERNEL);
2796         p = "(no medium)";
2797         if (fsg_lun_is_open(lun)) {
2798                 p = "(error)";
2799                 if (pathbuf) {
2800                         p = file_path(lun->filp, pathbuf, PATH_MAX);
2801                         if (IS_ERR(p))
2802                                 p = "(error)";
2803                 }
2804         }
2805         pr_info("LUN: %s%s%sfile: %s\n",
2806               lun->removable ? "removable " : "",
2807               lun->ro ? "read only " : "",
2808               lun->cdrom ? "CD-ROM " : "",
2809               p);
2810         kfree(pathbuf);
2811 
2812         return 0;
2813 
2814 error_lun:
2815         if (device_is_registered(&lun->dev))
2816                 device_unregister(&lun->dev);
2817         fsg_lun_close(lun);
2818         common->luns[id] = NULL;
2819 error_sysfs:
2820         kfree(lun);
2821         return rc;
2822 }
2823 EXPORT_SYMBOL_GPL(fsg_common_create_lun);
2824 
2825 int fsg_common_create_luns(struct fsg_common *common, struct fsg_config *cfg)
2826 {
2827         char buf[8]; /* enough for 100000000 different numbers, decimal */
2828         int i, rc;
2829 
2830         fsg_common_remove_luns(common);
2831 
2832         for (i = 0; i < cfg->nluns; ++i) {
2833                 snprintf(buf, sizeof(buf), "lun%d", i);
2834                 rc = fsg_common_create_lun(common, &cfg->luns[i], i, buf, NULL);
2835                 if (rc)
2836                         goto fail;
2837         }
2838 
2839         pr_info("Number of LUNs=%d\n", cfg->nluns);
2840 
2841         return 0;
2842 
2843 fail:
2844         _fsg_common_remove_luns(common, i);
2845         return rc;
2846 }
2847 EXPORT_SYMBOL_GPL(fsg_common_create_luns);
2848 
2849 void fsg_common_set_inquiry_string(struct fsg_common *common, const char *vn,
2850                                    const char *pn)
2851 {
2852         int i;
2853 
2854         /* Prepare inquiryString */
2855         i = get_default_bcdDevice();
2856         snprintf(common->inquiry_string, sizeof(common->inquiry_string),
2857                  "%-8s%-16s%04x", vn ?: "Linux",
2858                  /* Assume product name dependent on the first LUN */
2859                  pn ?: ((*common->luns)->cdrom
2860                      ? "File-CD Gadget"
2861                      : "File-Stor Gadget"),
2862                  i);
2863 }
2864 EXPORT_SYMBOL_GPL(fsg_common_set_inquiry_string);
2865 
2866 static void fsg_common_release(struct fsg_common *common)
2867 {
2868         int i;
2869 
2870         /* If the thread isn't already dead, tell it to exit now */
2871         if (common->state != FSG_STATE_TERMINATED) {
2872                 raise_exception(common, FSG_STATE_EXIT);
2873                 wait_for_completion(&common->thread_notifier);
2874         }
2875 
2876         for (i = 0; i < ARRAY_SIZE(common->luns); ++i) {
2877                 struct fsg_lun *lun = common->luns[i];
2878                 if (!lun)
2879                         continue;
2880                 fsg_lun_close(lun);
2881                 if (device_is_registered(&lun->dev))
2882                         device_unregister(&lun->dev);
2883                 kfree(lun);
2884         }
2885 
2886         _fsg_common_free_buffers(common->buffhds, common->fsg_num_buffers);
2887         if (common->free_storage_on_release)
2888                 kfree(common);
2889 }
2890 
2891 
2892 /*-------------------------------------------------------------------------*/
2893 
2894 static int fsg_bind(struct usb_configuration *c, struct usb_function *f)
2895 {
2896         struct fsg_dev          *fsg = fsg_from_func(f);
2897         struct fsg_common       *common = fsg->common;
2898         struct usb_gadget       *gadget = c->cdev->gadget;
2899         int                     i;
2900         struct usb_ep           *ep;
2901         unsigned                max_burst;
2902         int                     ret;
2903         struct fsg_opts         *opts;
2904 
2905         /* Don't allow to bind if we don't have at least one LUN */
2906         ret = _fsg_common_get_max_lun(common);
2907         if (ret < 0) {
2908                 pr_err("There should be at least one LUN.\n");
2909                 return -EINVAL;
2910         }
2911 
2912         opts = fsg_opts_from_func_inst(f->fi);
2913         if (!opts->no_configfs) {
2914                 ret = fsg_common_set_cdev(fsg->common, c->cdev,
2915                                           fsg->common->can_stall);
2916                 if (ret)
2917                         return ret;
2918                 fsg_common_set_inquiry_string(fsg->common, NULL, NULL);
2919         }
2920 
2921         if (!common->thread_task) {
2922                 common->state = FSG_STATE_NORMAL;
2923                 common->thread_task =
2924                         kthread_create(fsg_main_thread, common, "file-storage");
2925                 if (IS_ERR(common->thread_task)) {
2926                         ret = PTR_ERR(common->thread_task);
2927                         common->thread_task = NULL;
2928                         common->state = FSG_STATE_TERMINATED;
2929                         return ret;
2930                 }
2931                 DBG(common, "I/O thread pid: %d\n",
2932                     task_pid_nr(common->thread_task));
2933                 wake_up_process(common->thread_task);
2934         }
2935 
2936         fsg->gadget = gadget;
2937 
2938         /* New interface */
2939         i = usb_interface_id(c, f);
2940         if (i < 0)
2941                 goto fail;
2942         fsg_intf_desc.bInterfaceNumber = i;
2943         fsg->interface_number = i;
2944 
2945         /* Find all the endpoints we will use */
2946         ep = usb_ep_autoconfig(gadget, &fsg_fs_bulk_in_desc);
2947         if (!ep)
2948                 goto autoconf_fail;
2949         fsg->bulk_in = ep;
2950 
2951         ep = usb_ep_autoconfig(gadget, &fsg_fs_bulk_out_desc);
2952         if (!ep)
2953                 goto autoconf_fail;
2954         fsg->bulk_out = ep;
2955 
2956         /* Assume endpoint addresses are the same for both speeds */
2957         fsg_hs_bulk_in_desc.bEndpointAddress =
2958                 fsg_fs_bulk_in_desc.bEndpointAddress;
2959         fsg_hs_bulk_out_desc.bEndpointAddress =
2960                 fsg_fs_bulk_out_desc.bEndpointAddress;
2961 
2962         /* Calculate bMaxBurst, we know packet size is 1024 */
2963         max_burst = min_t(unsigned, FSG_BUFLEN / 1024, 15);
2964 
2965         fsg_ss_bulk_in_desc.bEndpointAddress =
2966                 fsg_fs_bulk_in_desc.bEndpointAddress;
2967         fsg_ss_bulk_in_comp_desc.bMaxBurst = max_burst;
2968 
2969         fsg_ss_bulk_out_desc.bEndpointAddress =
2970                 fsg_fs_bulk_out_desc.bEndpointAddress;
2971         fsg_ss_bulk_out_comp_desc.bMaxBurst = max_burst;
2972 
2973         ret = usb_assign_descriptors(f, fsg_fs_function, fsg_hs_function,
2974                         fsg_ss_function, fsg_ss_function);
2975         if (ret)
2976                 goto autoconf_fail;
2977 
2978         return 0;
2979 
2980 autoconf_fail:
2981         ERROR(fsg, "unable to autoconfigure all endpoints\n");
2982         i = -ENOTSUPP;
2983 fail:
2984         /* terminate the thread */
2985         if (fsg->common->state != FSG_STATE_TERMINATED) {
2986                 raise_exception(fsg->common, FSG_STATE_EXIT);
2987                 wait_for_completion(&fsg->common->thread_notifier);
2988         }
2989         return i;
2990 }
2991 
2992 /****************************** ALLOCATE FUNCTION *************************/
2993 
2994 static void fsg_unbind(struct usb_configuration *c, struct usb_function *f)
2995 {
2996         struct fsg_dev          *fsg = fsg_from_func(f);
2997         struct fsg_common       *common = fsg->common;
2998 
2999         DBG(fsg, "unbind\n");
3000         if (fsg->common->fsg == fsg) {
3001                 __raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE, NULL);
3002                 /* FIXME: make interruptible or killable somehow? */
3003                 wait_event(common->fsg_wait, common->fsg != fsg);
3004         }
3005 
3006         usb_free_all_descriptors(&fsg->function);
3007 }
3008 
3009 static inline struct fsg_lun_opts *to_fsg_lun_opts(struct config_item *item)
3010 {
3011         return container_of(to_config_group(item), struct fsg_lun_opts, group);
3012 }
3013 
3014 static inline struct fsg_opts *to_fsg_opts(struct config_item *item)
3015 {
3016         return container_of(to_config_group(item), struct fsg_opts,
3017                             func_inst.group);
3018 }
3019 
3020 static void fsg_lun_attr_release(struct config_item *item)
3021 {
3022         struct fsg_lun_opts *lun_opts;
3023 
3024         lun_opts = to_fsg_lun_opts(item);
3025         kfree(lun_opts);
3026 }
3027 
3028 static struct configfs_item_operations fsg_lun_item_ops = {
3029         .release                = fsg_lun_attr_release,
3030 };
3031 
3032 static ssize_t fsg_lun_opts_file_show(struct config_item *item, char *page)
3033 {
3034         struct fsg_lun_opts *opts = to_fsg_lun_opts(item);
3035         struct fsg_opts *fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent);
3036 
3037         return fsg_show_file(opts->lun, &fsg_opts->common->filesem, page);
3038 }
3039 
3040 static ssize_t fsg_lun_opts_file_store(struct config_item *item,
3041                                        const char *page, size_t len)
3042 {
3043         struct fsg_lun_opts *opts = to_fsg_lun_opts(item);
3044         struct fsg_opts *fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent);
3045 
3046         return fsg_store_file(opts->lun, &fsg_opts->common->filesem, page, len);
3047 }
3048 
3049 CONFIGFS_ATTR(fsg_lun_opts_, file);
3050 
3051 static ssize_t fsg_lun_opts_ro_show(struct config_item *item, char *page)
3052 {
3053         return fsg_show_ro(to_fsg_lun_opts(item)->lun, page);
3054 }
3055 
3056 static ssize_t fsg_lun_opts_ro_store(struct config_item *item,
3057                                        const char *page, size_t len)
3058 {
3059         struct fsg_lun_opts *opts = to_fsg_lun_opts(item);
3060         struct fsg_opts *fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent);
3061 
3062         return fsg_store_ro(opts->lun, &fsg_opts->common->filesem, page, len);
3063 }
3064 
3065 CONFIGFS_ATTR(fsg_lun_opts_, ro);
3066 
3067 static ssize_t fsg_lun_opts_removable_show(struct config_item *item,
3068                                            char *page)
3069 {
3070         return fsg_show_removable(to_fsg_lun_opts(item)->lun, page);
3071 }
3072 
3073 static ssize_t fsg_lun_opts_removable_store(struct config_item *item,
3074                                        const char *page, size_t len)
3075 {
3076         return fsg_store_removable(to_fsg_lun_opts(item)->lun, page, len);
3077 }
3078 
3079 CONFIGFS_ATTR(fsg_lun_opts_, removable);
3080 
3081 static ssize_t fsg_lun_opts_cdrom_show(struct config_item *item, char *page)
3082 {
3083         return fsg_show_cdrom(to_fsg_lun_opts(item)->lun, page);
3084 }
3085 
3086 static ssize_t fsg_lun_opts_cdrom_store(struct config_item *item,
3087                                        const char *page, size_t len)
3088 {
3089         struct fsg_lun_opts *opts = to_fsg_lun_opts(item);
3090         struct fsg_opts *fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent);
3091 
3092         return fsg_store_cdrom(opts->lun, &fsg_opts->common->filesem, page,
3093                                len);
3094 }
3095 
3096 CONFIGFS_ATTR(fsg_lun_opts_, cdrom);
3097 
3098 static ssize_t fsg_lun_opts_nofua_show(struct config_item *item, char *page)
3099 {
3100         return fsg_show_nofua(to_fsg_lun_opts(item)->lun, page);
3101 }
3102 
3103 static ssize_t fsg_lun_opts_nofua_store(struct config_item *item,
3104                                        const char *page, size_t len)
3105 {
3106         return fsg_store_nofua(to_fsg_lun_opts(item)->lun, page, len);
3107 }
3108 
3109 CONFIGFS_ATTR(fsg_lun_opts_, nofua);
3110 
3111 static ssize_t fsg_lun_opts_inquiry_string_show(struct config_item *item,
3112                                                 char *page)
3113 {
3114         return fsg_show_inquiry_string(to_fsg_lun_opts(item)->lun, page);
3115 }
3116 
3117 static ssize_t fsg_lun_opts_inquiry_string_store(struct config_item *item,
3118                                                  const char *page, size_t len)
3119 {
3120         return fsg_store_inquiry_string(to_fsg_lun_opts(item)->lun, page, len);
3121 }
3122 
3123 CONFIGFS_ATTR(fsg_lun_opts_, inquiry_string);
3124 
3125 static struct configfs_attribute *fsg_lun_attrs[] = {
3126         &fsg_lun_opts_attr_file,
3127         &fsg_lun_opts_attr_ro,
3128         &fsg_lun_opts_attr_removable,
3129         &fsg_lun_opts_attr_cdrom,
3130         &fsg_lun_opts_attr_nofua,
3131         &fsg_lun_opts_attr_inquiry_string,
3132         NULL,
3133 };
3134 
3135 static const struct config_item_type fsg_lun_type = {
3136         .ct_item_ops    = &fsg_lun_item_ops,
3137         .ct_attrs       = fsg_lun_attrs,
3138         .ct_owner       = THIS_MODULE,
3139 };
3140 
3141 static struct config_group *fsg_lun_make(struct config_group *group,
3142                                          const char *name)
3143 {
3144         struct fsg_lun_opts *opts;
3145         struct fsg_opts *fsg_opts;
3146         struct fsg_lun_config config;
3147         char *num_str;
3148         u8 num;
3149         int ret;
3150 
3151         num_str = strchr(name, '.');
3152         if (!num_str) {
3153                 pr_err("Unable to locate . in LUN.NUMBER\n");
3154                 return ERR_PTR(-EINVAL);
3155         }
3156         num_str++;
3157 
3158         ret = kstrtou8(num_str, 0, &num);
3159         if (ret)
3160                 return ERR_PTR(ret);
3161 
3162         fsg_opts = to_fsg_opts(&group->cg_item);
3163         if (num >= FSG_MAX_LUNS)
3164                 return ERR_PTR(-ERANGE);
3165         num = array_index_nospec(num, FSG_MAX_LUNS);
3166 
3167         mutex_lock(&fsg_opts->lock);
3168         if (fsg_opts->refcnt || fsg_opts->common->luns[num]) {
3169                 ret = -EBUSY;
3170                 goto out;
3171         }
3172 
3173         opts = kzalloc(sizeof(*opts), GFP_KERNEL);
3174         if (!opts) {
3175                 ret = -ENOMEM;
3176                 goto out;
3177         }
3178 
3179         memset(&config, 0, sizeof(config));
3180         config.removable = true;
3181 
3182         ret = fsg_common_create_lun(fsg_opts->common, &config, num, name,
3183                                     (const char **)&group->cg_item.ci_name);
3184         if (ret) {
3185                 kfree(opts);
3186                 goto out;
3187         }
3188         opts->lun = fsg_opts->common->luns[num];
3189         opts->lun_id = num;
3190         mutex_unlock(&fsg_opts->lock);
3191 
3192         config_group_init_type_name(&opts->group, name, &fsg_lun_type);
3193 
3194         return &opts->group;
3195 out:
3196         mutex_unlock(&fsg_opts->lock);
3197         return ERR_PTR(ret);
3198 }
3199 
3200 static void fsg_lun_drop(struct config_group *group, struct config_item *item)
3201 {
3202         struct fsg_lun_opts *lun_opts;
3203         struct fsg_opts *fsg_opts;
3204 
3205         lun_opts = to_fsg_lun_opts(item);
3206         fsg_opts = to_fsg_opts(&group->cg_item);
3207 
3208         mutex_lock(&fsg_opts->lock);
3209         if (fsg_opts->refcnt) {
3210                 struct config_item *gadget;
3211 
3212                 gadget = group->cg_item.ci_parent->ci_parent;
3213                 unregister_gadget_item(gadget);
3214         }
3215 
3216         fsg_common_remove_lun(lun_opts->lun);
3217         fsg_opts->common->luns[lun_opts->lun_id] = NULL;
3218         lun_opts->lun_id = 0;
3219         mutex_unlock(&fsg_opts->lock);
3220 
3221         config_item_put(item);
3222 }
3223 
3224 static void fsg_attr_release(struct config_item *item)
3225 {
3226         struct fsg_opts *opts = to_fsg_opts(item);
3227 
3228         usb_put_function_instance(&opts->func_inst);
3229 }
3230 
3231 static struct configfs_item_operations fsg_item_ops = {
3232         .release                = fsg_attr_release,
3233 };
3234 
3235 static ssize_t fsg_opts_stall_show(struct config_item *item, char *page)
3236 {
3237         struct fsg_opts *opts = to_fsg_opts(item);
3238         int result;
3239 
3240         mutex_lock(&opts->lock);
3241         result = sprintf(page, "%d", opts->common->can_stall);
3242         mutex_unlock(&opts->lock);
3243 
3244         return result;
3245 }
3246 
3247 static ssize_t fsg_opts_stall_store(struct config_item *item, const char *page,
3248                                     size_t len)
3249 {
3250         struct fsg_opts *opts = to_fsg_opts(item);
3251         int ret;
3252         bool stall;
3253 
3254         mutex_lock(&opts->lock);
3255 
3256         if (opts->refcnt) {
3257                 mutex_unlock(&opts->lock);
3258                 return -EBUSY;
3259         }
3260 
3261         ret = strtobool(page, &stall);
3262         if (!ret) {
3263                 opts->common->can_stall = stall;
3264                 ret = len;
3265         }
3266 
3267         mutex_unlock(&opts->lock);
3268 
3269         return ret;
3270 }
3271 
3272 CONFIGFS_ATTR(fsg_opts_, stall);
3273 
3274 #ifdef CONFIG_USB_GADGET_DEBUG_FILES
3275 static ssize_t fsg_opts_num_buffers_show(struct config_item *item, char *page)
3276 {
3277         struct fsg_opts *opts = to_fsg_opts(item);
3278         int result;
3279 
3280         mutex_lock(&opts->lock);
3281         result = sprintf(page, "%d", opts->common->fsg_num_buffers);
3282         mutex_unlock(&opts->lock);
3283 
3284         return result;
3285 }
3286 
3287 static ssize_t fsg_opts_num_buffers_store(struct config_item *item,
3288                                           const char *page, size_t len)
3289 {
3290         struct fsg_opts *opts = to_fsg_opts(item);
3291         int ret;
3292         u8 num;
3293 
3294         mutex_lock(&opts->lock);
3295         if (opts->refcnt) {
3296                 ret = -EBUSY;
3297                 goto end;
3298         }
3299         ret = kstrtou8(page, 0, &num);
3300         if (ret)
3301                 goto end;
3302 
3303         ret = fsg_common_set_num_buffers(opts->common, num);
3304         if (ret)
3305                 goto end;
3306         ret = len;
3307 
3308 end:
3309         mutex_unlock(&opts->lock);
3310         return ret;
3311 }
3312 
3313 CONFIGFS_ATTR(fsg_opts_, num_buffers);
3314 #endif
3315 
3316 static struct configfs_attribute *fsg_attrs[] = {
3317         &fsg_opts_attr_stall,
3318 #ifdef CONFIG_USB_GADGET_DEBUG_FILES
3319         &fsg_opts_attr_num_buffers,
3320 #endif
3321         NULL,
3322 };
3323 
3324 static struct configfs_group_operations fsg_group_ops = {
3325         .make_group     = fsg_lun_make,
3326         .drop_item      = fsg_lun_drop,
3327 };
3328 
3329 static const struct config_item_type fsg_func_type = {
3330         .ct_item_ops    = &fsg_item_ops,
3331         .ct_group_ops   = &fsg_group_ops,
3332         .ct_attrs       = fsg_attrs,
3333         .ct_owner       = THIS_MODULE,
3334 };
3335 
3336 static void fsg_free_inst(struct usb_function_instance *fi)
3337 {
3338         struct fsg_opts *opts;
3339 
3340         opts = fsg_opts_from_func_inst(fi);
3341         fsg_common_release(opts->common);
3342         kfree(opts);
3343 }
3344 
3345 static struct usb_function_instance *fsg_alloc_inst(void)
3346 {
3347         struct fsg_opts *opts;
3348         struct fsg_lun_config config;
3349         int rc;
3350 
3351         opts = kzalloc(sizeof(*opts), GFP_KERNEL);
3352         if (!opts)
3353                 return ERR_PTR(-ENOMEM);
3354         mutex_init(&opts->lock);
3355         opts->func_inst.free_func_inst = fsg_free_inst;
3356         opts->common = fsg_common_setup(opts->common);
3357         if (IS_ERR(opts->common)) {
3358                 rc = PTR_ERR(opts->common);
3359                 goto release_opts;
3360         }
3361 
3362         rc = fsg_common_set_num_buffers(opts->common,
3363                                         CONFIG_USB_GADGET_STORAGE_NUM_BUFFERS);
3364         if (rc)
3365                 goto release_common;
3366 
3367         pr_info(FSG_DRIVER_DESC ", version: " FSG_DRIVER_VERSION "\n");
3368 
3369         memset(&config, 0, sizeof(config));
3370         config.removable = true;
3371         rc = fsg_common_create_lun(opts->common, &config, 0, "lun.0",
3372                         (const char **)&opts->func_inst.group.cg_item.ci_name);
3373         if (rc)
3374                 goto release_buffers;
3375 
3376         opts->lun0.lun = opts->common->luns[0];
3377         opts->lun0.lun_id = 0;
3378 
3379         config_group_init_type_name(&opts->func_inst.group, "", &fsg_func_type);
3380 
3381         config_group_init_type_name(&opts->lun0.group, "lun.0", &fsg_lun_type);
3382         configfs_add_default_group(&opts->lun0.group, &opts->func_inst.group);
3383 
3384         return &opts->func_inst;
3385 
3386 release_buffers:
3387         fsg_common_free_buffers(opts->common);
3388 release_common:
3389         kfree(opts->common);
3390 release_opts:
3391         kfree(opts);
3392         return ERR_PTR(rc);
3393 }
3394 
3395 static void fsg_free(struct usb_function *f)
3396 {
3397         struct fsg_dev *fsg;
3398         struct fsg_opts *opts;
3399 
3400         fsg = container_of(f, struct fsg_dev, function);
3401         opts = container_of(f->fi, struct fsg_opts, func_inst);
3402 
3403         mutex_lock(&opts->lock);
3404         opts->refcnt--;
3405         mutex_unlock(&opts->lock);
3406 
3407         kfree(fsg);
3408 }
3409 
3410 static struct usb_function *fsg_alloc(struct usb_function_instance *fi)
3411 {
3412         struct fsg_opts *opts = fsg_opts_from_func_inst(fi);
3413         struct fsg_common *common = opts->common;
3414         struct fsg_dev *fsg;
3415 
3416         fsg = kzalloc(sizeof(*fsg), GFP_KERNEL);
3417         if (unlikely(!fsg))
3418                 return ERR_PTR(-ENOMEM);
3419 
3420         mutex_lock(&opts->lock);
3421         opts->refcnt++;
3422         mutex_unlock(&opts->lock);
3423 
3424         fsg->function.name      = FSG_DRIVER_DESC;
3425         fsg->function.bind      = fsg_bind;
3426         fsg->function.unbind    = fsg_unbind;
3427         fsg->function.setup     = fsg_setup;
3428         fsg->function.set_alt   = fsg_set_alt;
3429         fsg->function.disable   = fsg_disable;
3430         fsg->function.free_func = fsg_free;
3431 
3432         fsg->common               = common;
3433 
3434         return &fsg->function;
3435 }
3436 
3437 DECLARE_USB_FUNCTION_INIT(mass_storage, fsg_alloc_inst, fsg_alloc);
3438 MODULE_LICENSE("GPL");
3439 MODULE_AUTHOR("Michal Nazarewicz");
3440 
3441 /************************* Module parameters *************************/
3442 
3443 
3444 void fsg_config_from_params(struct fsg_config *cfg,
3445                        const struct fsg_module_parameters *params,
3446                        unsigned int fsg_num_buffers)
3447 {
3448         struct fsg_lun_config *lun;
3449         unsigned i;
3450 
3451         /* Configure LUNs */
3452         cfg->nluns =
3453                 min(params->luns ?: (params->file_count ?: 1u),
3454                     (unsigned)FSG_MAX_LUNS);
3455         for (i = 0, lun = cfg->luns; i < cfg->nluns; ++i, ++lun) {
3456                 lun->ro = !!params->ro[i];
3457                 lun->cdrom = !!params->cdrom[i];
3458                 lun->removable = !!params->removable[i];
3459                 lun->filename =
3460                         params->file_count > i && params->file[i][0]
3461                         ? params->file[i]
3462                         : NULL;
3463         }
3464 
3465         /* Let MSF use defaults */
3466         cfg->vendor_name = NULL;
3467         cfg->product_name = NULL;
3468 
3469         cfg->ops = NULL;
3470         cfg->private_data = NULL;
3471 
3472         /* Finalise */
3473         cfg->can_stall = params->stall;
3474         cfg->fsg_num_buffers = fsg_num_buffers;
3475 }
3476 EXPORT_SYMBOL_GPL(fsg_config_from_params);