1 // SPDX-License-Identifier: (GPL-2.0+ OR BSD-3-Clause) 2 /* 3 * f_mass_storage.c -- Mass Storage USB Composite Function 4 * 5 * Copyright (C) 2003-2008 Alan Stern 6 * Copyright (C) 2009 Samsung Electronics 7 * Author: Michal Nazarewicz <mina86@mina86.com> 8 * All rights reserved. 9 */ 10 11 /* 12 * The Mass Storage Function acts as a USB Mass Storage device, 13 * appearing to the host as a disk drive or as a CD-ROM drive. In 14 * addition to providing an example of a genuinely useful composite 15 * function for a USB device, it also illustrates a technique of 16 * double-buffering for increased throughput. 17 * 18 * For more information about MSF and in particular its module 19 * parameters and sysfs interface read the 20 * <Documentation/usb/mass-storage.rst> file. 21 */ 22 23 /* 24 * MSF is configured by specifying a fsg_config structure. It has the 25 * following fields: 26 * 27 * nluns Number of LUNs function have (anywhere from 1 28 * to FSG_MAX_LUNS). 29 * luns An array of LUN configuration values. This 30 * should be filled for each LUN that 31 * function will include (ie. for "nluns" 32 * LUNs). Each element of the array has 33 * the following fields: 34 * ->filename The path to the backing file for the LUN. 35 * Required if LUN is not marked as 36 * removable. 37 * ->ro Flag specifying access to the LUN shall be 38 * read-only. This is implied if CD-ROM 39 * emulation is enabled as well as when 40 * it was impossible to open "filename" 41 * in R/W mode. 42 * ->removable Flag specifying that LUN shall be indicated as 43 * being removable. 44 * ->cdrom Flag specifying that LUN shall be reported as 45 * being a CD-ROM. 46 * ->nofua Flag specifying that FUA flag in SCSI WRITE(10,12) 47 * commands for this LUN shall be ignored. 48 * 49 * vendor_name 50 * product_name 51 * release Information used as a reply to INQUIRY 52 * request. To use default set to NULL, 53 * NULL, 0xffff respectively. The first 54 * field should be 8 and the second 16 55 * characters or less. 56 * 57 * can_stall Set to permit function to halt bulk endpoints. 58 * Disabled on some USB devices known not 59 * to work correctly. You should set it 60 * to true. 61 * 62 * If "removable" is not set for a LUN then a backing file must be 63 * specified. If it is set, then NULL filename means the LUN's medium 64 * is not loaded (an empty string as "filename" in the fsg_config 65 * structure causes error). The CD-ROM emulation includes a single 66 * data track and no audio tracks; hence there need be only one 67 * backing file per LUN. 68 * 69 * This function is heavily based on "File-backed Storage Gadget" by 70 * Alan Stern which in turn is heavily based on "Gadget Zero" by David 71 * Brownell. The driver's SCSI command interface was based on the 72 * "Information technology - Small Computer System Interface - 2" 73 * document from X3T9.2 Project 375D, Revision 10L, 7-SEP-93, 74 * available at <http://www.t10.org/ftp/t10/drafts/s2/s2-r10l.pdf>. 75 * The single exception is opcode 0x23 (READ FORMAT CAPACITIES), which 76 * was based on the "Universal Serial Bus Mass Storage Class UFI 77 * Command Specification" document, Revision 1.0, December 14, 1998, 78 * available at 79 * <http://www.usb.org/developers/devclass_docs/usbmass-ufi10.pdf>. 80 */ 81 82 /* 83 * Driver Design 84 * 85 * The MSF is fairly straightforward. There is a main kernel 86 * thread that handles most of the work. Interrupt routines field 87 * callbacks from the controller driver: bulk- and interrupt-request 88 * completion notifications, endpoint-0 events, and disconnect events. 89 * Completion events are passed to the main thread by wakeup calls. Many 90 * ep0 requests are handled at interrupt time, but SetInterface, 91 * SetConfiguration, and device reset requests are forwarded to the 92 * thread in the form of "exceptions" using SIGUSR1 signals (since they 93 * should interrupt any ongoing file I/O operations). 94 * 95 * The thread's main routine implements the standard command/data/status 96 * parts of a SCSI interaction. It and its subroutines are full of tests 97 * for pending signals/exceptions -- all this polling is necessary since 98 * the kernel has no setjmp/longjmp equivalents. (Maybe this is an 99 * indication that the driver really wants to be running in userspace.) 100 * An important point is that so long as the thread is alive it keeps an 101 * open reference to the backing file. This will prevent unmounting 102 * the backing file's underlying filesystem and could cause problems 103 * during system shutdown, for example. To prevent such problems, the 104 * thread catches INT, TERM, and KILL signals and converts them into 105 * an EXIT exception. 106 * 107 * In normal operation the main thread is started during the gadget's 108 * fsg_bind() callback and stopped during fsg_unbind(). But it can 109 * also exit when it receives a signal, and there's no point leaving 110 * the gadget running when the thread is dead. As of this moment, MSF 111 * provides no way to deregister the gadget when thread dies -- maybe 112 * a callback functions is needed. 113 * 114 * To provide maximum throughput, the driver uses a circular pipeline of 115 * buffer heads (struct fsg_buffhd). In principle the pipeline can be 116 * arbitrarily long; in practice the benefits don't justify having more 117 * than 2 stages (i.e., double buffering). But it helps to think of the 118 * pipeline as being a long one. Each buffer head contains a bulk-in and 119 * a bulk-out request pointer (since the buffer can be used for both 120 * output and input -- directions always are given from the host's 121 * point of view) as well as a pointer to the buffer and various state 122 * variables. 123 * 124 * Use of the pipeline follows a simple protocol. There is a variable 125 * (fsg->next_buffhd_to_fill) that points to the next buffer head to use. 126 * At any time that buffer head may still be in use from an earlier 127 * request, so each buffer head has a state variable indicating whether 128 * it is EMPTY, FULL, or BUSY. Typical use involves waiting for the 129 * buffer head to be EMPTY, filling the buffer either by file I/O or by 130 * USB I/O (during which the buffer head is BUSY), and marking the buffer 131 * head FULL when the I/O is complete. Then the buffer will be emptied 132 * (again possibly by USB I/O, during which it is marked BUSY) and 133 * finally marked EMPTY again (possibly by a completion routine). 134 * 135 * A module parameter tells the driver to avoid stalling the bulk 136 * endpoints wherever the transport specification allows. This is 137 * necessary for some UDCs like the SuperH, which cannot reliably clear a 138 * halt on a bulk endpoint. However, under certain circumstances the 139 * Bulk-only specification requires a stall. In such cases the driver 140 * will halt the endpoint and set a flag indicating that it should clear 141 * the halt in software during the next device reset. Hopefully this 142 * will permit everything to work correctly. Furthermore, although the 143 * specification allows the bulk-out endpoint to halt when the host sends 144 * too much data, implementing this would cause an unavoidable race. 145 * The driver will always use the "no-stall" approach for OUT transfers. 146 * 147 * One subtle point concerns sending status-stage responses for ep0 148 * requests. Some of these requests, such as device reset, can involve 149 * interrupting an ongoing file I/O operation, which might take an 150 * arbitrarily long time. During that delay the host might give up on 151 * the original ep0 request and issue a new one. When that happens the 152 * driver should not notify the host about completion of the original 153 * request, as the host will no longer be waiting for it. So the driver 154 * assigns to each ep0 request a unique tag, and it keeps track of the 155 * tag value of the request associated with a long-running exception 156 * (device-reset, interface-change, or configuration-change). When the 157 * exception handler is finished, the status-stage response is submitted 158 * only if the current ep0 request tag is equal to the exception request 159 * tag. Thus only the most recently received ep0 request will get a 160 * status-stage response. 161 * 162 * Warning: This driver source file is too long. It ought to be split up 163 * into a header file plus about 3 separate .c files, to handle the details 164 * of the Gadget, USB Mass Storage, and SCSI protocols. 165 */ 166 167 168 /* #define VERBOSE_DEBUG */ 169 /* #define DUMP_MSGS */ 170 171 #include <linux/blkdev.h> 172 #include <linux/completion.h> 173 #include <linux/dcache.h> 174 #include <linux/delay.h> 175 #include <linux/device.h> 176 #include <linux/fcntl.h> 177 #include <linux/file.h> 178 #include <linux/fs.h> 179 #include <linux/kthread.h> 180 #include <linux/sched/signal.h> 181 #include <linux/limits.h> 182 #include <linux/pagemap.h> 183 #include <linux/rwsem.h> 184 #include <linux/slab.h> 185 #include <linux/spinlock.h> 186 #include <linux/string.h> 187 #include <linux/freezer.h> 188 #include <linux/module.h> 189 #include <linux/uaccess.h> 190 #include <asm/unaligned.h> 191 192 #include <linux/usb/ch9.h> 193 #include <linux/usb/gadget.h> 194 #include <linux/usb/composite.h> 195 196 #include <linux/nospec.h> 197 198 #include "configfs.h" 199 200 201 /*------------------------------------------------------------------------*/ 202 203 #define FSG_DRIVER_DESC "Mass Storage Function" 204 #define FSG_DRIVER_VERSION "2009/09/11" 205 206 static const char fsg_string_interface[] = "Mass Storage"; 207 208 #include "storage_common.h" 209 #include "f_mass_storage.h" 210 211 /* Static strings, in UTF-8 (for simplicity we use only ASCII characters) */ 212 static struct usb_string fsg_strings[] = { 213 {FSG_STRING_INTERFACE, fsg_string_interface}, 214 {} 215 }; 216 217 static struct usb_gadget_strings fsg_stringtab = { 218 .language = 0x0409, /* en-us */ 219 .strings = fsg_strings, 220 }; 221 222 static struct usb_gadget_strings *fsg_strings_array[] = { 223 &fsg_stringtab, 224 NULL, 225 }; 226 227 /*-------------------------------------------------------------------------*/ 228 229 struct fsg_dev; 230 struct fsg_common; 231 232 /* Data shared by all the FSG instances. */ 233 struct fsg_common { 234 struct usb_gadget *gadget; 235 struct usb_composite_dev *cdev; 236 struct fsg_dev *fsg; 237 wait_queue_head_t io_wait; 238 wait_queue_head_t fsg_wait; 239 240 /* filesem protects: backing files in use */ 241 struct rw_semaphore filesem; 242 243 /* lock protects: state and thread_task */ 244 spinlock_t lock; 245 246 struct usb_ep *ep0; /* Copy of gadget->ep0 */ 247 struct usb_request *ep0req; /* Copy of cdev->req */ 248 unsigned int ep0_req_tag; 249 250 struct fsg_buffhd *next_buffhd_to_fill; 251 struct fsg_buffhd *next_buffhd_to_drain; 252 struct fsg_buffhd *buffhds; 253 unsigned int fsg_num_buffers; 254 255 int cmnd_size; 256 u8 cmnd[MAX_COMMAND_SIZE]; 257 258 unsigned int lun; 259 struct fsg_lun *luns[FSG_MAX_LUNS]; 260 struct fsg_lun *curlun; 261 262 unsigned int bulk_out_maxpacket; 263 enum fsg_state state; /* For exception handling */ 264 unsigned int exception_req_tag; 265 void *exception_arg; 266 267 enum data_direction data_dir; 268 u32 data_size; 269 u32 data_size_from_cmnd; 270 u32 tag; 271 u32 residue; 272 u32 usb_amount_left; 273 274 unsigned int can_stall:1; 275 unsigned int free_storage_on_release:1; 276 unsigned int phase_error:1; 277 unsigned int short_packet_received:1; 278 unsigned int bad_lun_okay:1; 279 unsigned int running:1; 280 unsigned int sysfs:1; 281 282 struct completion thread_notifier; 283 struct task_struct *thread_task; 284 285 /* Gadget's private data. */ 286 void *private_data; 287 288 char inquiry_string[INQUIRY_STRING_LEN]; 289 }; 290 291 struct fsg_dev { 292 struct usb_function function; 293 struct usb_gadget *gadget; /* Copy of cdev->gadget */ 294 struct fsg_common *common; 295 296 u16 interface_number; 297 298 unsigned int bulk_in_enabled:1; 299 unsigned int bulk_out_enabled:1; 300 301 unsigned long atomic_bitflags; 302 #define IGNORE_BULK_OUT 0 303 304 struct usb_ep *bulk_in; 305 struct usb_ep *bulk_out; 306 }; 307 308 static inline int __fsg_is_set(struct fsg_common *common, 309 const char *func, unsigned line) 310 { 311 if (common->fsg) 312 return 1; 313 ERROR(common, "common->fsg is NULL in %s at %u\n", func, line); 314 WARN_ON(1); 315 return 0; 316 } 317 318 #define fsg_is_set(common) likely(__fsg_is_set(common, __func__, __LINE__)) 319 320 static inline struct fsg_dev *fsg_from_func(struct usb_function *f) 321 { 322 return container_of(f, struct fsg_dev, function); 323 } 324 325 static int exception_in_progress(struct fsg_common *common) 326 { 327 return common->state > FSG_STATE_NORMAL; 328 } 329 330 /* Make bulk-out requests be divisible by the maxpacket size */ 331 static void set_bulk_out_req_length(struct fsg_common *common, 332 struct fsg_buffhd *bh, unsigned int length) 333 { 334 unsigned int rem; 335 336 bh->bulk_out_intended_length = length; 337 rem = length % common->bulk_out_maxpacket; 338 if (rem > 0) 339 length += common->bulk_out_maxpacket - rem; 340 bh->outreq->length = length; 341 } 342 343 344 /*-------------------------------------------------------------------------*/ 345 346 static int fsg_set_halt(struct fsg_dev *fsg, struct usb_ep *ep) 347 { 348 const char *name; 349 350 if (ep == fsg->bulk_in) 351 name = "bulk-in"; 352 else if (ep == fsg->bulk_out) 353 name = "bulk-out"; 354 else 355 name = ep->name; 356 DBG(fsg, "%s set halt\n", name); 357 return usb_ep_set_halt(ep); 358 } 359 360 361 /*-------------------------------------------------------------------------*/ 362 363 /* These routines may be called in process context or in_irq */ 364 365 static void __raise_exception(struct fsg_common *common, enum fsg_state new_state, 366 void *arg) 367 { 368 unsigned long flags; 369 370 /* 371 * Do nothing if a higher-priority exception is already in progress. 372 * If a lower-or-equal priority exception is in progress, preempt it 373 * and notify the main thread by sending it a signal. 374 */ 375 spin_lock_irqsave(&common->lock, flags); 376 if (common->state <= new_state) { 377 common->exception_req_tag = common->ep0_req_tag; 378 common->state = new_state; 379 common->exception_arg = arg; 380 if (common->thread_task) 381 send_sig_info(SIGUSR1, SEND_SIG_PRIV, 382 common->thread_task); 383 } 384 spin_unlock_irqrestore(&common->lock, flags); 385 } 386 387 static void raise_exception(struct fsg_common *common, enum fsg_state new_state) 388 { 389 __raise_exception(common, new_state, NULL); 390 } 391 392 /*-------------------------------------------------------------------------*/ 393 394 static int ep0_queue(struct fsg_common *common) 395 { 396 int rc; 397 398 rc = usb_ep_queue(common->ep0, common->ep0req, GFP_ATOMIC); 399 common->ep0->driver_data = common; 400 if (rc != 0 && rc != -ESHUTDOWN) { 401 /* We can't do much more than wait for a reset */ 402 WARNING(common, "error in submission: %s --> %d\n", 403 common->ep0->name, rc); 404 } 405 return rc; 406 } 407 408 409 /*-------------------------------------------------------------------------*/ 410 411 /* Completion handlers. These always run in_irq. */ 412 413 static void bulk_in_complete(struct usb_ep *ep, struct usb_request *req) 414 { 415 struct fsg_common *common = ep->driver_data; 416 struct fsg_buffhd *bh = req->context; 417 418 if (req->status || req->actual != req->length) 419 DBG(common, "%s --> %d, %u/%u\n", __func__, 420 req->status, req->actual, req->length); 421 if (req->status == -ECONNRESET) /* Request was cancelled */ 422 usb_ep_fifo_flush(ep); 423 424 /* Synchronize with the smp_load_acquire() in sleep_thread() */ 425 smp_store_release(&bh->state, BUF_STATE_EMPTY); 426 wake_up(&common->io_wait); 427 } 428 429 static void bulk_out_complete(struct usb_ep *ep, struct usb_request *req) 430 { 431 struct fsg_common *common = ep->driver_data; 432 struct fsg_buffhd *bh = req->context; 433 434 dump_msg(common, "bulk-out", req->buf, req->actual); 435 if (req->status || req->actual != bh->bulk_out_intended_length) 436 DBG(common, "%s --> %d, %u/%u\n", __func__, 437 req->status, req->actual, bh->bulk_out_intended_length); 438 if (req->status == -ECONNRESET) /* Request was cancelled */ 439 usb_ep_fifo_flush(ep); 440 441 /* Synchronize with the smp_load_acquire() in sleep_thread() */ 442 smp_store_release(&bh->state, BUF_STATE_FULL); 443 wake_up(&common->io_wait); 444 } 445 446 static int _fsg_common_get_max_lun(struct fsg_common *common) 447 { 448 int i = ARRAY_SIZE(common->luns) - 1; 449 450 while (i >= 0 && !common->luns[i]) 451 --i; 452 453 return i; 454 } 455 456 static int fsg_setup(struct usb_function *f, 457 const struct usb_ctrlrequest *ctrl) 458 { 459 struct fsg_dev *fsg = fsg_from_func(f); 460 struct usb_request *req = fsg->common->ep0req; 461 u16 w_index = le16_to_cpu(ctrl->wIndex); 462 u16 w_value = le16_to_cpu(ctrl->wValue); 463 u16 w_length = le16_to_cpu(ctrl->wLength); 464 465 if (!fsg_is_set(fsg->common)) 466 return -EOPNOTSUPP; 467 468 ++fsg->common->ep0_req_tag; /* Record arrival of a new request */ 469 req->context = NULL; 470 req->length = 0; 471 dump_msg(fsg, "ep0-setup", (u8 *) ctrl, sizeof(*ctrl)); 472 473 switch (ctrl->bRequest) { 474 475 case US_BULK_RESET_REQUEST: 476 if (ctrl->bRequestType != 477 (USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE)) 478 break; 479 if (w_index != fsg->interface_number || w_value != 0 || 480 w_length != 0) 481 return -EDOM; 482 483 /* 484 * Raise an exception to stop the current operation 485 * and reinitialize our state. 486 */ 487 DBG(fsg, "bulk reset request\n"); 488 raise_exception(fsg->common, FSG_STATE_PROTOCOL_RESET); 489 return USB_GADGET_DELAYED_STATUS; 490 491 case US_BULK_GET_MAX_LUN: 492 if (ctrl->bRequestType != 493 (USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_INTERFACE)) 494 break; 495 if (w_index != fsg->interface_number || w_value != 0 || 496 w_length != 1) 497 return -EDOM; 498 VDBG(fsg, "get max LUN\n"); 499 *(u8 *)req->buf = _fsg_common_get_max_lun(fsg->common); 500 501 /* Respond with data/status */ 502 req->length = min((u16)1, w_length); 503 return ep0_queue(fsg->common); 504 } 505 506 VDBG(fsg, 507 "unknown class-specific control req %02x.%02x v%04x i%04x l%u\n", 508 ctrl->bRequestType, ctrl->bRequest, 509 le16_to_cpu(ctrl->wValue), w_index, w_length); 510 return -EOPNOTSUPP; 511 } 512 513 514 /*-------------------------------------------------------------------------*/ 515 516 /* All the following routines run in process context */ 517 518 /* Use this for bulk or interrupt transfers, not ep0 */ 519 static int start_transfer(struct fsg_dev *fsg, struct usb_ep *ep, 520 struct usb_request *req) 521 { 522 int rc; 523 524 if (ep == fsg->bulk_in) 525 dump_msg(fsg, "bulk-in", req->buf, req->length); 526 527 rc = usb_ep_queue(ep, req, GFP_KERNEL); 528 if (rc) { 529 530 /* We can't do much more than wait for a reset */ 531 req->status = rc; 532 533 /* 534 * Note: currently the net2280 driver fails zero-length 535 * submissions if DMA is enabled. 536 */ 537 if (rc != -ESHUTDOWN && 538 !(rc == -EOPNOTSUPP && req->length == 0)) 539 WARNING(fsg, "error in submission: %s --> %d\n", 540 ep->name, rc); 541 } 542 return rc; 543 } 544 545 static bool start_in_transfer(struct fsg_common *common, struct fsg_buffhd *bh) 546 { 547 if (!fsg_is_set(common)) 548 return false; 549 bh->state = BUF_STATE_SENDING; 550 if (start_transfer(common->fsg, common->fsg->bulk_in, bh->inreq)) 551 bh->state = BUF_STATE_EMPTY; 552 return true; 553 } 554 555 static bool start_out_transfer(struct fsg_common *common, struct fsg_buffhd *bh) 556 { 557 if (!fsg_is_set(common)) 558 return false; 559 bh->state = BUF_STATE_RECEIVING; 560 if (start_transfer(common->fsg, common->fsg->bulk_out, bh->outreq)) 561 bh->state = BUF_STATE_FULL; 562 return true; 563 } 564 565 static int sleep_thread(struct fsg_common *common, bool can_freeze, 566 struct fsg_buffhd *bh) 567 { 568 int rc; 569 570 /* Wait until a signal arrives or bh is no longer busy */ 571 if (can_freeze) 572 /* 573 * synchronize with the smp_store_release(&bh->state) in 574 * bulk_in_complete() or bulk_out_complete() 575 */ 576 rc = wait_event_freezable(common->io_wait, 577 bh && smp_load_acquire(&bh->state) >= 578 BUF_STATE_EMPTY); 579 else 580 rc = wait_event_interruptible(common->io_wait, 581 bh && smp_load_acquire(&bh->state) >= 582 BUF_STATE_EMPTY); 583 return rc ? -EINTR : 0; 584 } 585 586 587 /*-------------------------------------------------------------------------*/ 588 589 static int do_read(struct fsg_common *common) 590 { 591 struct fsg_lun *curlun = common->curlun; 592 u64 lba; 593 struct fsg_buffhd *bh; 594 int rc; 595 u32 amount_left; 596 loff_t file_offset, file_offset_tmp; 597 unsigned int amount; 598 ssize_t nread; 599 600 /* 601 * Get the starting Logical Block Address and check that it's 602 * not too big. 603 */ 604 if (common->cmnd[0] == READ_6) 605 lba = get_unaligned_be24(&common->cmnd[1]); 606 else { 607 if (common->cmnd[0] == READ_16) 608 lba = get_unaligned_be64(&common->cmnd[2]); 609 else /* READ_10 or READ_12 */ 610 lba = get_unaligned_be32(&common->cmnd[2]); 611 612 /* 613 * We allow DPO (Disable Page Out = don't save data in the 614 * cache) and FUA (Force Unit Access = don't read from the 615 * cache), but we don't implement them. 616 */ 617 if ((common->cmnd[1] & ~0x18) != 0) { 618 curlun->sense_data = SS_INVALID_FIELD_IN_CDB; 619 return -EINVAL; 620 } 621 } 622 if (lba >= curlun->num_sectors) { 623 curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE; 624 return -EINVAL; 625 } 626 file_offset = ((loff_t) lba) << curlun->blkbits; 627 628 /* Carry out the file reads */ 629 amount_left = common->data_size_from_cmnd; 630 if (unlikely(amount_left == 0)) 631 return -EIO; /* No default reply */ 632 633 for (;;) { 634 /* 635 * Figure out how much we need to read: 636 * Try to read the remaining amount. 637 * But don't read more than the buffer size. 638 * And don't try to read past the end of the file. 639 */ 640 amount = min(amount_left, FSG_BUFLEN); 641 amount = min((loff_t)amount, 642 curlun->file_length - file_offset); 643 644 /* Wait for the next buffer to become available */ 645 bh = common->next_buffhd_to_fill; 646 rc = sleep_thread(common, false, bh); 647 if (rc) 648 return rc; 649 650 /* 651 * If we were asked to read past the end of file, 652 * end with an empty buffer. 653 */ 654 if (amount == 0) { 655 curlun->sense_data = 656 SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE; 657 curlun->sense_data_info = 658 file_offset >> curlun->blkbits; 659 curlun->info_valid = 1; 660 bh->inreq->length = 0; 661 bh->state = BUF_STATE_FULL; 662 break; 663 } 664 665 /* Perform the read */ 666 file_offset_tmp = file_offset; 667 nread = kernel_read(curlun->filp, bh->buf, amount, 668 &file_offset_tmp); 669 VLDBG(curlun, "file read %u @ %llu -> %d\n", amount, 670 (unsigned long long)file_offset, (int)nread); 671 if (signal_pending(current)) 672 return -EINTR; 673 674 if (nread < 0) { 675 LDBG(curlun, "error in file read: %d\n", (int)nread); 676 nread = 0; 677 } else if (nread < amount) { 678 LDBG(curlun, "partial file read: %d/%u\n", 679 (int)nread, amount); 680 nread = round_down(nread, curlun->blksize); 681 } 682 file_offset += nread; 683 amount_left -= nread; 684 common->residue -= nread; 685 686 /* 687 * Except at the end of the transfer, nread will be 688 * equal to the buffer size, which is divisible by the 689 * bulk-in maxpacket size. 690 */ 691 bh->inreq->length = nread; 692 bh->state = BUF_STATE_FULL; 693 694 /* If an error occurred, report it and its position */ 695 if (nread < amount) { 696 curlun->sense_data = SS_UNRECOVERED_READ_ERROR; 697 curlun->sense_data_info = 698 file_offset >> curlun->blkbits; 699 curlun->info_valid = 1; 700 break; 701 } 702 703 if (amount_left == 0) 704 break; /* No more left to read */ 705 706 /* Send this buffer and go read some more */ 707 bh->inreq->zero = 0; 708 if (!start_in_transfer(common, bh)) 709 /* Don't know what to do if common->fsg is NULL */ 710 return -EIO; 711 common->next_buffhd_to_fill = bh->next; 712 } 713 714 return -EIO; /* No default reply */ 715 } 716 717 718 /*-------------------------------------------------------------------------*/ 719 720 static int do_write(struct fsg_common *common) 721 { 722 struct fsg_lun *curlun = common->curlun; 723 u64 lba; 724 struct fsg_buffhd *bh; 725 int get_some_more; 726 u32 amount_left_to_req, amount_left_to_write; 727 loff_t usb_offset, file_offset, file_offset_tmp; 728 unsigned int amount; 729 ssize_t nwritten; 730 int rc; 731 732 if (curlun->ro) { 733 curlun->sense_data = SS_WRITE_PROTECTED; 734 return -EINVAL; 735 } 736 spin_lock(&curlun->filp->f_lock); 737 curlun->filp->f_flags &= ~O_SYNC; /* Default is not to wait */ 738 spin_unlock(&curlun->filp->f_lock); 739 740 /* 741 * Get the starting Logical Block Address and check that it's 742 * not too big 743 */ 744 if (common->cmnd[0] == WRITE_6) 745 lba = get_unaligned_be24(&common->cmnd[1]); 746 else { 747 if (common->cmnd[0] == WRITE_16) 748 lba = get_unaligned_be64(&common->cmnd[2]); 749 else /* WRITE_10 or WRITE_12 */ 750 lba = get_unaligned_be32(&common->cmnd[2]); 751 752 /* 753 * We allow DPO (Disable Page Out = don't save data in the 754 * cache) and FUA (Force Unit Access = write directly to the 755 * medium). We don't implement DPO; we implement FUA by 756 * performing synchronous output. 757 */ 758 if (common->cmnd[1] & ~0x18) { 759 curlun->sense_data = SS_INVALID_FIELD_IN_CDB; 760 return -EINVAL; 761 } 762 if (!curlun->nofua && (common->cmnd[1] & 0x08)) { /* FUA */ 763 spin_lock(&curlun->filp->f_lock); 764 curlun->filp->f_flags |= O_SYNC; 765 spin_unlock(&curlun->filp->f_lock); 766 } 767 } 768 if (lba >= curlun->num_sectors) { 769 curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE; 770 return -EINVAL; 771 } 772 773 /* Carry out the file writes */ 774 get_some_more = 1; 775 file_offset = usb_offset = ((loff_t) lba) << curlun->blkbits; 776 amount_left_to_req = common->data_size_from_cmnd; 777 amount_left_to_write = common->data_size_from_cmnd; 778 779 while (amount_left_to_write > 0) { 780 781 /* Queue a request for more data from the host */ 782 bh = common->next_buffhd_to_fill; 783 if (bh->state == BUF_STATE_EMPTY && get_some_more) { 784 785 /* 786 * Figure out how much we want to get: 787 * Try to get the remaining amount, 788 * but not more than the buffer size. 789 */ 790 amount = min(amount_left_to_req, FSG_BUFLEN); 791 792 /* Beyond the end of the backing file? */ 793 if (usb_offset >= curlun->file_length) { 794 get_some_more = 0; 795 curlun->sense_data = 796 SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE; 797 curlun->sense_data_info = 798 usb_offset >> curlun->blkbits; 799 curlun->info_valid = 1; 800 continue; 801 } 802 803 /* Get the next buffer */ 804 usb_offset += amount; 805 common->usb_amount_left -= amount; 806 amount_left_to_req -= amount; 807 if (amount_left_to_req == 0) 808 get_some_more = 0; 809 810 /* 811 * Except at the end of the transfer, amount will be 812 * equal to the buffer size, which is divisible by 813 * the bulk-out maxpacket size. 814 */ 815 set_bulk_out_req_length(common, bh, amount); 816 if (!start_out_transfer(common, bh)) 817 /* Dunno what to do if common->fsg is NULL */ 818 return -EIO; 819 common->next_buffhd_to_fill = bh->next; 820 continue; 821 } 822 823 /* Write the received data to the backing file */ 824 bh = common->next_buffhd_to_drain; 825 if (bh->state == BUF_STATE_EMPTY && !get_some_more) 826 break; /* We stopped early */ 827 828 /* Wait for the data to be received */ 829 rc = sleep_thread(common, false, bh); 830 if (rc) 831 return rc; 832 833 common->next_buffhd_to_drain = bh->next; 834 bh->state = BUF_STATE_EMPTY; 835 836 /* Did something go wrong with the transfer? */ 837 if (bh->outreq->status != 0) { 838 curlun->sense_data = SS_COMMUNICATION_FAILURE; 839 curlun->sense_data_info = 840 file_offset >> curlun->blkbits; 841 curlun->info_valid = 1; 842 break; 843 } 844 845 amount = bh->outreq->actual; 846 if (curlun->file_length - file_offset < amount) { 847 LERROR(curlun, "write %u @ %llu beyond end %llu\n", 848 amount, (unsigned long long)file_offset, 849 (unsigned long long)curlun->file_length); 850 amount = curlun->file_length - file_offset; 851 } 852 853 /* 854 * Don't accept excess data. The spec doesn't say 855 * what to do in this case. We'll ignore the error. 856 */ 857 amount = min(amount, bh->bulk_out_intended_length); 858 859 /* Don't write a partial block */ 860 amount = round_down(amount, curlun->blksize); 861 if (amount == 0) 862 goto empty_write; 863 864 /* Perform the write */ 865 file_offset_tmp = file_offset; 866 nwritten = kernel_write(curlun->filp, bh->buf, amount, 867 &file_offset_tmp); 868 VLDBG(curlun, "file write %u @ %llu -> %d\n", amount, 869 (unsigned long long)file_offset, (int)nwritten); 870 if (signal_pending(current)) 871 return -EINTR; /* Interrupted! */ 872 873 if (nwritten < 0) { 874 LDBG(curlun, "error in file write: %d\n", 875 (int) nwritten); 876 nwritten = 0; 877 } else if (nwritten < amount) { 878 LDBG(curlun, "partial file write: %d/%u\n", 879 (int) nwritten, amount); 880 nwritten = round_down(nwritten, curlun->blksize); 881 } 882 file_offset += nwritten; 883 amount_left_to_write -= nwritten; 884 common->residue -= nwritten; 885 886 /* If an error occurred, report it and its position */ 887 if (nwritten < amount) { 888 curlun->sense_data = SS_WRITE_ERROR; 889 curlun->sense_data_info = 890 file_offset >> curlun->blkbits; 891 curlun->info_valid = 1; 892 break; 893 } 894 895 empty_write: 896 /* Did the host decide to stop early? */ 897 if (bh->outreq->actual < bh->bulk_out_intended_length) { 898 common->short_packet_received = 1; 899 break; 900 } 901 } 902 903 return -EIO; /* No default reply */ 904 } 905 906 907 /*-------------------------------------------------------------------------*/ 908 909 static int do_synchronize_cache(struct fsg_common *common) 910 { 911 struct fsg_lun *curlun = common->curlun; 912 int rc; 913 914 /* We ignore the requested LBA and write out all file's 915 * dirty data buffers. */ 916 rc = fsg_lun_fsync_sub(curlun); 917 if (rc) 918 curlun->sense_data = SS_WRITE_ERROR; 919 return 0; 920 } 921 922 923 /*-------------------------------------------------------------------------*/ 924 925 static void invalidate_sub(struct fsg_lun *curlun) 926 { 927 struct file *filp = curlun->filp; 928 struct inode *inode = file_inode(filp); 929 unsigned long rc; 930 931 rc = invalidate_mapping_pages(inode->i_mapping, 0, -1); 932 VLDBG(curlun, "invalidate_mapping_pages -> %ld\n", rc); 933 } 934 935 static int do_verify(struct fsg_common *common) 936 { 937 struct fsg_lun *curlun = common->curlun; 938 u32 lba; 939 u32 verification_length; 940 struct fsg_buffhd *bh = common->next_buffhd_to_fill; 941 loff_t file_offset, file_offset_tmp; 942 u32 amount_left; 943 unsigned int amount; 944 ssize_t nread; 945 946 /* 947 * Get the starting Logical Block Address and check that it's 948 * not too big. 949 */ 950 lba = get_unaligned_be32(&common->cmnd[2]); 951 if (lba >= curlun->num_sectors) { 952 curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE; 953 return -EINVAL; 954 } 955 956 /* 957 * We allow DPO (Disable Page Out = don't save data in the 958 * cache) but we don't implement it. 959 */ 960 if (common->cmnd[1] & ~0x10) { 961 curlun->sense_data = SS_INVALID_FIELD_IN_CDB; 962 return -EINVAL; 963 } 964 965 verification_length = get_unaligned_be16(&common->cmnd[7]); 966 if (unlikely(verification_length == 0)) 967 return -EIO; /* No default reply */ 968 969 /* Prepare to carry out the file verify */ 970 amount_left = verification_length << curlun->blkbits; 971 file_offset = ((loff_t) lba) << curlun->blkbits; 972 973 /* Write out all the dirty buffers before invalidating them */ 974 fsg_lun_fsync_sub(curlun); 975 if (signal_pending(current)) 976 return -EINTR; 977 978 invalidate_sub(curlun); 979 if (signal_pending(current)) 980 return -EINTR; 981 982 /* Just try to read the requested blocks */ 983 while (amount_left > 0) { 984 /* 985 * Figure out how much we need to read: 986 * Try to read the remaining amount, but not more than 987 * the buffer size. 988 * And don't try to read past the end of the file. 989 */ 990 amount = min(amount_left, FSG_BUFLEN); 991 amount = min((loff_t)amount, 992 curlun->file_length - file_offset); 993 if (amount == 0) { 994 curlun->sense_data = 995 SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE; 996 curlun->sense_data_info = 997 file_offset >> curlun->blkbits; 998 curlun->info_valid = 1; 999 break; 1000 } 1001 1002 /* Perform the read */ 1003 file_offset_tmp = file_offset; 1004 nread = kernel_read(curlun->filp, bh->buf, amount, 1005 &file_offset_tmp); 1006 VLDBG(curlun, "file read %u @ %llu -> %d\n", amount, 1007 (unsigned long long) file_offset, 1008 (int) nread); 1009 if (signal_pending(current)) 1010 return -EINTR; 1011 1012 if (nread < 0) { 1013 LDBG(curlun, "error in file verify: %d\n", (int)nread); 1014 nread = 0; 1015 } else if (nread < amount) { 1016 LDBG(curlun, "partial file verify: %d/%u\n", 1017 (int)nread, amount); 1018 nread = round_down(nread, curlun->blksize); 1019 } 1020 if (nread == 0) { 1021 curlun->sense_data = SS_UNRECOVERED_READ_ERROR; 1022 curlun->sense_data_info = 1023 file_offset >> curlun->blkbits; 1024 curlun->info_valid = 1; 1025 break; 1026 } 1027 file_offset += nread; 1028 amount_left -= nread; 1029 } 1030 return 0; 1031 } 1032 1033 1034 /*-------------------------------------------------------------------------*/ 1035 1036 static int do_inquiry(struct fsg_common *common, struct fsg_buffhd *bh) 1037 { 1038 struct fsg_lun *curlun = common->curlun; 1039 u8 *buf = (u8 *) bh->buf; 1040 1041 if (!curlun) { /* Unsupported LUNs are okay */ 1042 common->bad_lun_okay = 1; 1043 memset(buf, 0, 36); 1044 buf[0] = TYPE_NO_LUN; /* Unsupported, no device-type */ 1045 buf[4] = 31; /* Additional length */ 1046 return 36; 1047 } 1048 1049 buf[0] = curlun->cdrom ? TYPE_ROM : TYPE_DISK; 1050 buf[1] = curlun->removable ? 0x80 : 0; 1051 buf[2] = 2; /* ANSI SCSI level 2 */ 1052 buf[3] = 2; /* SCSI-2 INQUIRY data format */ 1053 buf[4] = 31; /* Additional length */ 1054 buf[5] = 0; /* No special options */ 1055 buf[6] = 0; 1056 buf[7] = 0; 1057 if (curlun->inquiry_string[0]) 1058 memcpy(buf + 8, curlun->inquiry_string, 1059 sizeof(curlun->inquiry_string)); 1060 else 1061 memcpy(buf + 8, common->inquiry_string, 1062 sizeof(common->inquiry_string)); 1063 return 36; 1064 } 1065 1066 static int do_request_sense(struct fsg_common *common, struct fsg_buffhd *bh) 1067 { 1068 struct fsg_lun *curlun = common->curlun; 1069 u8 *buf = (u8 *) bh->buf; 1070 u32 sd, sdinfo; 1071 int valid; 1072 1073 /* 1074 * From the SCSI-2 spec., section 7.9 (Unit attention condition): 1075 * 1076 * If a REQUEST SENSE command is received from an initiator 1077 * with a pending unit attention condition (before the target 1078 * generates the contingent allegiance condition), then the 1079 * target shall either: 1080 * a) report any pending sense data and preserve the unit 1081 * attention condition on the logical unit, or, 1082 * b) report the unit attention condition, may discard any 1083 * pending sense data, and clear the unit attention 1084 * condition on the logical unit for that initiator. 1085 * 1086 * FSG normally uses option a); enable this code to use option b). 1087 */ 1088 #if 0 1089 if (curlun && curlun->unit_attention_data != SS_NO_SENSE) { 1090 curlun->sense_data = curlun->unit_attention_data; 1091 curlun->unit_attention_data = SS_NO_SENSE; 1092 } 1093 #endif 1094 1095 if (!curlun) { /* Unsupported LUNs are okay */ 1096 common->bad_lun_okay = 1; 1097 sd = SS_LOGICAL_UNIT_NOT_SUPPORTED; 1098 sdinfo = 0; 1099 valid = 0; 1100 } else { 1101 sd = curlun->sense_data; 1102 sdinfo = curlun->sense_data_info; 1103 valid = curlun->info_valid << 7; 1104 curlun->sense_data = SS_NO_SENSE; 1105 curlun->sense_data_info = 0; 1106 curlun->info_valid = 0; 1107 } 1108 1109 memset(buf, 0, 18); 1110 buf[0] = valid | 0x70; /* Valid, current error */ 1111 buf[2] = SK(sd); 1112 put_unaligned_be32(sdinfo, &buf[3]); /* Sense information */ 1113 buf[7] = 18 - 8; /* Additional sense length */ 1114 buf[12] = ASC(sd); 1115 buf[13] = ASCQ(sd); 1116 return 18; 1117 } 1118 1119 static int do_read_capacity(struct fsg_common *common, struct fsg_buffhd *bh) 1120 { 1121 struct fsg_lun *curlun = common->curlun; 1122 u32 lba = get_unaligned_be32(&common->cmnd[2]); 1123 int pmi = common->cmnd[8]; 1124 u8 *buf = (u8 *)bh->buf; 1125 u32 max_lba; 1126 1127 /* Check the PMI and LBA fields */ 1128 if (pmi > 1 || (pmi == 0 && lba != 0)) { 1129 curlun->sense_data = SS_INVALID_FIELD_IN_CDB; 1130 return -EINVAL; 1131 } 1132 1133 if (curlun->num_sectors < 0x100000000ULL) 1134 max_lba = curlun->num_sectors - 1; 1135 else 1136 max_lba = 0xffffffff; 1137 put_unaligned_be32(max_lba, &buf[0]); /* Max logical block */ 1138 put_unaligned_be32(curlun->blksize, &buf[4]); /* Block length */ 1139 return 8; 1140 } 1141 1142 static int do_read_capacity_16(struct fsg_common *common, struct fsg_buffhd *bh) 1143 { 1144 struct fsg_lun *curlun = common->curlun; 1145 u64 lba = get_unaligned_be64(&common->cmnd[2]); 1146 int pmi = common->cmnd[14]; 1147 u8 *buf = (u8 *)bh->buf; 1148 1149 /* Check the PMI and LBA fields */ 1150 if (pmi > 1 || (pmi == 0 && lba != 0)) { 1151 curlun->sense_data = SS_INVALID_FIELD_IN_CDB; 1152 return -EINVAL; 1153 } 1154 1155 put_unaligned_be64(curlun->num_sectors - 1, &buf[0]); 1156 /* Max logical block */ 1157 put_unaligned_be32(curlun->blksize, &buf[8]); /* Block length */ 1158 1159 /* It is safe to keep other fields zeroed */ 1160 memset(&buf[12], 0, 32 - 12); 1161 return 32; 1162 } 1163 1164 static int do_read_header(struct fsg_common *common, struct fsg_buffhd *bh) 1165 { 1166 struct fsg_lun *curlun = common->curlun; 1167 int msf = common->cmnd[1] & 0x02; 1168 u32 lba = get_unaligned_be32(&common->cmnd[2]); 1169 u8 *buf = (u8 *)bh->buf; 1170 1171 if (common->cmnd[1] & ~0x02) { /* Mask away MSF */ 1172 curlun->sense_data = SS_INVALID_FIELD_IN_CDB; 1173 return -EINVAL; 1174 } 1175 if (lba >= curlun->num_sectors) { 1176 curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE; 1177 return -EINVAL; 1178 } 1179 1180 memset(buf, 0, 8); 1181 buf[0] = 0x01; /* 2048 bytes of user data, rest is EC */ 1182 store_cdrom_address(&buf[4], msf, lba); 1183 return 8; 1184 } 1185 1186 static int do_read_toc(struct fsg_common *common, struct fsg_buffhd *bh) 1187 { 1188 struct fsg_lun *curlun = common->curlun; 1189 int msf = common->cmnd[1] & 0x02; 1190 int start_track = common->cmnd[6]; 1191 u8 *buf = (u8 *)bh->buf; 1192 u8 format; 1193 int i, len; 1194 1195 format = common->cmnd[2] & 0xf; 1196 1197 if ((common->cmnd[1] & ~0x02) != 0 || /* Mask away MSF */ 1198 (start_track > 1 && format != 0x1)) { 1199 curlun->sense_data = SS_INVALID_FIELD_IN_CDB; 1200 return -EINVAL; 1201 } 1202 1203 /* 1204 * Check if CDB is old style SFF-8020i 1205 * i.e. format is in 2 MSBs of byte 9 1206 * Mac OS-X host sends us this. 1207 */ 1208 if (format == 0) 1209 format = (common->cmnd[9] >> 6) & 0x3; 1210 1211 switch (format) { 1212 case 0: /* Formatted TOC */ 1213 case 1: /* Multi-session info */ 1214 len = 4 + 2*8; /* 4 byte header + 2 descriptors */ 1215 memset(buf, 0, len); 1216 buf[1] = len - 2; /* TOC Length excludes length field */ 1217 buf[2] = 1; /* First track number */ 1218 buf[3] = 1; /* Last track number */ 1219 buf[5] = 0x16; /* Data track, copying allowed */ 1220 buf[6] = 0x01; /* Only track is number 1 */ 1221 store_cdrom_address(&buf[8], msf, 0); 1222 1223 buf[13] = 0x16; /* Lead-out track is data */ 1224 buf[14] = 0xAA; /* Lead-out track number */ 1225 store_cdrom_address(&buf[16], msf, curlun->num_sectors); 1226 return len; 1227 1228 case 2: 1229 /* Raw TOC */ 1230 len = 4 + 3*11; /* 4 byte header + 3 descriptors */ 1231 memset(buf, 0, len); /* Header + A0, A1 & A2 descriptors */ 1232 buf[1] = len - 2; /* TOC Length excludes length field */ 1233 buf[2] = 1; /* First complete session */ 1234 buf[3] = 1; /* Last complete session */ 1235 1236 buf += 4; 1237 /* fill in A0, A1 and A2 points */ 1238 for (i = 0; i < 3; i++) { 1239 buf[0] = 1; /* Session number */ 1240 buf[1] = 0x16; /* Data track, copying allowed */ 1241 /* 2 - Track number 0 -> TOC */ 1242 buf[3] = 0xA0 + i; /* A0, A1, A2 point */ 1243 /* 4, 5, 6 - Min, sec, frame is zero */ 1244 buf[8] = 1; /* Pmin: last track number */ 1245 buf += 11; /* go to next track descriptor */ 1246 } 1247 buf -= 11; /* go back to A2 descriptor */ 1248 1249 /* For A2, 7, 8, 9, 10 - zero, Pmin, Psec, Pframe of Lead out */ 1250 store_cdrom_address(&buf[7], msf, curlun->num_sectors); 1251 return len; 1252 1253 default: 1254 /* PMA, ATIP, CD-TEXT not supported/required */ 1255 curlun->sense_data = SS_INVALID_FIELD_IN_CDB; 1256 return -EINVAL; 1257 } 1258 } 1259 1260 static int do_mode_sense(struct fsg_common *common, struct fsg_buffhd *bh) 1261 { 1262 struct fsg_lun *curlun = common->curlun; 1263 int mscmnd = common->cmnd[0]; 1264 u8 *buf = (u8 *) bh->buf; 1265 u8 *buf0 = buf; 1266 int pc, page_code; 1267 int changeable_values, all_pages; 1268 int valid_page = 0; 1269 int len, limit; 1270 1271 if ((common->cmnd[1] & ~0x08) != 0) { /* Mask away DBD */ 1272 curlun->sense_data = SS_INVALID_FIELD_IN_CDB; 1273 return -EINVAL; 1274 } 1275 pc = common->cmnd[2] >> 6; 1276 page_code = common->cmnd[2] & 0x3f; 1277 if (pc == 3) { 1278 curlun->sense_data = SS_SAVING_PARAMETERS_NOT_SUPPORTED; 1279 return -EINVAL; 1280 } 1281 changeable_values = (pc == 1); 1282 all_pages = (page_code == 0x3f); 1283 1284 /* 1285 * Write the mode parameter header. Fixed values are: default 1286 * medium type, no cache control (DPOFUA), and no block descriptors. 1287 * The only variable value is the WriteProtect bit. We will fill in 1288 * the mode data length later. 1289 */ 1290 memset(buf, 0, 8); 1291 if (mscmnd == MODE_SENSE) { 1292 buf[2] = (curlun->ro ? 0x80 : 0x00); /* WP, DPOFUA */ 1293 buf += 4; 1294 limit = 255; 1295 } else { /* MODE_SENSE_10 */ 1296 buf[3] = (curlun->ro ? 0x80 : 0x00); /* WP, DPOFUA */ 1297 buf += 8; 1298 limit = 65535; /* Should really be FSG_BUFLEN */ 1299 } 1300 1301 /* No block descriptors */ 1302 1303 /* 1304 * The mode pages, in numerical order. The only page we support 1305 * is the Caching page. 1306 */ 1307 if (page_code == 0x08 || all_pages) { 1308 valid_page = 1; 1309 buf[0] = 0x08; /* Page code */ 1310 buf[1] = 10; /* Page length */ 1311 memset(buf+2, 0, 10); /* None of the fields are changeable */ 1312 1313 if (!changeable_values) { 1314 buf[2] = 0x04; /* Write cache enable, */ 1315 /* Read cache not disabled */ 1316 /* No cache retention priorities */ 1317 put_unaligned_be16(0xffff, &buf[4]); 1318 /* Don't disable prefetch */ 1319 /* Minimum prefetch = 0 */ 1320 put_unaligned_be16(0xffff, &buf[8]); 1321 /* Maximum prefetch */ 1322 put_unaligned_be16(0xffff, &buf[10]); 1323 /* Maximum prefetch ceiling */ 1324 } 1325 buf += 12; 1326 } 1327 1328 /* 1329 * Check that a valid page was requested and the mode data length 1330 * isn't too long. 1331 */ 1332 len = buf - buf0; 1333 if (!valid_page || len > limit) { 1334 curlun->sense_data = SS_INVALID_FIELD_IN_CDB; 1335 return -EINVAL; 1336 } 1337 1338 /* Store the mode data length */ 1339 if (mscmnd == MODE_SENSE) 1340 buf0[0] = len - 1; 1341 else 1342 put_unaligned_be16(len - 2, buf0); 1343 return len; 1344 } 1345 1346 static int do_start_stop(struct fsg_common *common) 1347 { 1348 struct fsg_lun *curlun = common->curlun; 1349 int loej, start; 1350 1351 if (!curlun) { 1352 return -EINVAL; 1353 } else if (!curlun->removable) { 1354 curlun->sense_data = SS_INVALID_COMMAND; 1355 return -EINVAL; 1356 } else if ((common->cmnd[1] & ~0x01) != 0 || /* Mask away Immed */ 1357 (common->cmnd[4] & ~0x03) != 0) { /* Mask LoEj, Start */ 1358 curlun->sense_data = SS_INVALID_FIELD_IN_CDB; 1359 return -EINVAL; 1360 } 1361 1362 loej = common->cmnd[4] & 0x02; 1363 start = common->cmnd[4] & 0x01; 1364 1365 /* 1366 * Our emulation doesn't support mounting; the medium is 1367 * available for use as soon as it is loaded. 1368 */ 1369 if (start) { 1370 if (!fsg_lun_is_open(curlun)) { 1371 curlun->sense_data = SS_MEDIUM_NOT_PRESENT; 1372 return -EINVAL; 1373 } 1374 return 0; 1375 } 1376 1377 /* Are we allowed to unload the media? */ 1378 if (curlun->prevent_medium_removal) { 1379 LDBG(curlun, "unload attempt prevented\n"); 1380 curlun->sense_data = SS_MEDIUM_REMOVAL_PREVENTED; 1381 return -EINVAL; 1382 } 1383 1384 if (!loej) 1385 return 0; 1386 1387 up_read(&common->filesem); 1388 down_write(&common->filesem); 1389 fsg_lun_close(curlun); 1390 up_write(&common->filesem); 1391 down_read(&common->filesem); 1392 1393 return 0; 1394 } 1395 1396 static int do_prevent_allow(struct fsg_common *common) 1397 { 1398 struct fsg_lun *curlun = common->curlun; 1399 int prevent; 1400 1401 if (!common->curlun) { 1402 return -EINVAL; 1403 } else if (!common->curlun->removable) { 1404 common->curlun->sense_data = SS_INVALID_COMMAND; 1405 return -EINVAL; 1406 } 1407 1408 prevent = common->cmnd[4] & 0x01; 1409 if ((common->cmnd[4] & ~0x01) != 0) { /* Mask away Prevent */ 1410 curlun->sense_data = SS_INVALID_FIELD_IN_CDB; 1411 return -EINVAL; 1412 } 1413 1414 if (curlun->prevent_medium_removal && !prevent) 1415 fsg_lun_fsync_sub(curlun); 1416 curlun->prevent_medium_removal = prevent; 1417 return 0; 1418 } 1419 1420 static int do_read_format_capacities(struct fsg_common *common, 1421 struct fsg_buffhd *bh) 1422 { 1423 struct fsg_lun *curlun = common->curlun; 1424 u8 *buf = (u8 *) bh->buf; 1425 1426 buf[0] = buf[1] = buf[2] = 0; 1427 buf[3] = 8; /* Only the Current/Maximum Capacity Descriptor */ 1428 buf += 4; 1429 1430 put_unaligned_be32(curlun->num_sectors, &buf[0]); 1431 /* Number of blocks */ 1432 put_unaligned_be32(curlun->blksize, &buf[4]);/* Block length */ 1433 buf[4] = 0x02; /* Current capacity */ 1434 return 12; 1435 } 1436 1437 static int do_mode_select(struct fsg_common *common, struct fsg_buffhd *bh) 1438 { 1439 struct fsg_lun *curlun = common->curlun; 1440 1441 /* We don't support MODE SELECT */ 1442 if (curlun) 1443 curlun->sense_data = SS_INVALID_COMMAND; 1444 return -EINVAL; 1445 } 1446 1447 1448 /*-------------------------------------------------------------------------*/ 1449 1450 static int halt_bulk_in_endpoint(struct fsg_dev *fsg) 1451 { 1452 int rc; 1453 1454 rc = fsg_set_halt(fsg, fsg->bulk_in); 1455 if (rc == -EAGAIN) 1456 VDBG(fsg, "delayed bulk-in endpoint halt\n"); 1457 while (rc != 0) { 1458 if (rc != -EAGAIN) { 1459 WARNING(fsg, "usb_ep_set_halt -> %d\n", rc); 1460 rc = 0; 1461 break; 1462 } 1463 1464 /* Wait for a short time and then try again */ 1465 if (msleep_interruptible(100) != 0) 1466 return -EINTR; 1467 rc = usb_ep_set_halt(fsg->bulk_in); 1468 } 1469 return rc; 1470 } 1471 1472 static int wedge_bulk_in_endpoint(struct fsg_dev *fsg) 1473 { 1474 int rc; 1475 1476 DBG(fsg, "bulk-in set wedge\n"); 1477 rc = usb_ep_set_wedge(fsg->bulk_in); 1478 if (rc == -EAGAIN) 1479 VDBG(fsg, "delayed bulk-in endpoint wedge\n"); 1480 while (rc != 0) { 1481 if (rc != -EAGAIN) { 1482 WARNING(fsg, "usb_ep_set_wedge -> %d\n", rc); 1483 rc = 0; 1484 break; 1485 } 1486 1487 /* Wait for a short time and then try again */ 1488 if (msleep_interruptible(100) != 0) 1489 return -EINTR; 1490 rc = usb_ep_set_wedge(fsg->bulk_in); 1491 } 1492 return rc; 1493 } 1494 1495 static int throw_away_data(struct fsg_common *common) 1496 { 1497 struct fsg_buffhd *bh, *bh2; 1498 u32 amount; 1499 int rc; 1500 1501 for (bh = common->next_buffhd_to_drain; 1502 bh->state != BUF_STATE_EMPTY || common->usb_amount_left > 0; 1503 bh = common->next_buffhd_to_drain) { 1504 1505 /* Try to submit another request if we need one */ 1506 bh2 = common->next_buffhd_to_fill; 1507 if (bh2->state == BUF_STATE_EMPTY && 1508 common->usb_amount_left > 0) { 1509 amount = min(common->usb_amount_left, FSG_BUFLEN); 1510 1511 /* 1512 * Except at the end of the transfer, amount will be 1513 * equal to the buffer size, which is divisible by 1514 * the bulk-out maxpacket size. 1515 */ 1516 set_bulk_out_req_length(common, bh2, amount); 1517 if (!start_out_transfer(common, bh2)) 1518 /* Dunno what to do if common->fsg is NULL */ 1519 return -EIO; 1520 common->next_buffhd_to_fill = bh2->next; 1521 common->usb_amount_left -= amount; 1522 continue; 1523 } 1524 1525 /* Wait for the data to be received */ 1526 rc = sleep_thread(common, false, bh); 1527 if (rc) 1528 return rc; 1529 1530 /* Throw away the data in a filled buffer */ 1531 bh->state = BUF_STATE_EMPTY; 1532 common->next_buffhd_to_drain = bh->next; 1533 1534 /* A short packet or an error ends everything */ 1535 if (bh->outreq->actual < bh->bulk_out_intended_length || 1536 bh->outreq->status != 0) { 1537 raise_exception(common, FSG_STATE_ABORT_BULK_OUT); 1538 return -EINTR; 1539 } 1540 } 1541 return 0; 1542 } 1543 1544 static int finish_reply(struct fsg_common *common) 1545 { 1546 struct fsg_buffhd *bh = common->next_buffhd_to_fill; 1547 int rc = 0; 1548 1549 switch (common->data_dir) { 1550 case DATA_DIR_NONE: 1551 break; /* Nothing to send */ 1552 1553 /* 1554 * If we don't know whether the host wants to read or write, 1555 * this must be CB or CBI with an unknown command. We mustn't 1556 * try to send or receive any data. So stall both bulk pipes 1557 * if we can and wait for a reset. 1558 */ 1559 case DATA_DIR_UNKNOWN: 1560 if (!common->can_stall) { 1561 /* Nothing */ 1562 } else if (fsg_is_set(common)) { 1563 fsg_set_halt(common->fsg, common->fsg->bulk_out); 1564 rc = halt_bulk_in_endpoint(common->fsg); 1565 } else { 1566 /* Don't know what to do if common->fsg is NULL */ 1567 rc = -EIO; 1568 } 1569 break; 1570 1571 /* All but the last buffer of data must have already been sent */ 1572 case DATA_DIR_TO_HOST: 1573 if (common->data_size == 0) { 1574 /* Nothing to send */ 1575 1576 /* Don't know what to do if common->fsg is NULL */ 1577 } else if (!fsg_is_set(common)) { 1578 rc = -EIO; 1579 1580 /* If there's no residue, simply send the last buffer */ 1581 } else if (common->residue == 0) { 1582 bh->inreq->zero = 0; 1583 if (!start_in_transfer(common, bh)) 1584 return -EIO; 1585 common->next_buffhd_to_fill = bh->next; 1586 1587 /* 1588 * For Bulk-only, mark the end of the data with a short 1589 * packet. If we are allowed to stall, halt the bulk-in 1590 * endpoint. (Note: This violates the Bulk-Only Transport 1591 * specification, which requires us to pad the data if we 1592 * don't halt the endpoint. Presumably nobody will mind.) 1593 */ 1594 } else { 1595 bh->inreq->zero = 1; 1596 if (!start_in_transfer(common, bh)) 1597 rc = -EIO; 1598 common->next_buffhd_to_fill = bh->next; 1599 if (common->can_stall) 1600 rc = halt_bulk_in_endpoint(common->fsg); 1601 } 1602 break; 1603 1604 /* 1605 * We have processed all we want from the data the host has sent. 1606 * There may still be outstanding bulk-out requests. 1607 */ 1608 case DATA_DIR_FROM_HOST: 1609 if (common->residue == 0) { 1610 /* Nothing to receive */ 1611 1612 /* Did the host stop sending unexpectedly early? */ 1613 } else if (common->short_packet_received) { 1614 raise_exception(common, FSG_STATE_ABORT_BULK_OUT); 1615 rc = -EINTR; 1616 1617 /* 1618 * We haven't processed all the incoming data. Even though 1619 * we may be allowed to stall, doing so would cause a race. 1620 * The controller may already have ACK'ed all the remaining 1621 * bulk-out packets, in which case the host wouldn't see a 1622 * STALL. Not realizing the endpoint was halted, it wouldn't 1623 * clear the halt -- leading to problems later on. 1624 */ 1625 #if 0 1626 } else if (common->can_stall) { 1627 if (fsg_is_set(common)) 1628 fsg_set_halt(common->fsg, 1629 common->fsg->bulk_out); 1630 raise_exception(common, FSG_STATE_ABORT_BULK_OUT); 1631 rc = -EINTR; 1632 #endif 1633 1634 /* 1635 * We can't stall. Read in the excess data and throw it 1636 * all away. 1637 */ 1638 } else { 1639 rc = throw_away_data(common); 1640 } 1641 break; 1642 } 1643 return rc; 1644 } 1645 1646 static void send_status(struct fsg_common *common) 1647 { 1648 struct fsg_lun *curlun = common->curlun; 1649 struct fsg_buffhd *bh; 1650 struct bulk_cs_wrap *csw; 1651 int rc; 1652 u8 status = US_BULK_STAT_OK; 1653 u32 sd, sdinfo = 0; 1654 1655 /* Wait for the next buffer to become available */ 1656 bh = common->next_buffhd_to_fill; 1657 rc = sleep_thread(common, false, bh); 1658 if (rc) 1659 return; 1660 1661 if (curlun) { 1662 sd = curlun->sense_data; 1663 sdinfo = curlun->sense_data_info; 1664 } else if (common->bad_lun_okay) 1665 sd = SS_NO_SENSE; 1666 else 1667 sd = SS_LOGICAL_UNIT_NOT_SUPPORTED; 1668 1669 if (common->phase_error) { 1670 DBG(common, "sending phase-error status\n"); 1671 status = US_BULK_STAT_PHASE; 1672 sd = SS_INVALID_COMMAND; 1673 } else if (sd != SS_NO_SENSE) { 1674 DBG(common, "sending command-failure status\n"); 1675 status = US_BULK_STAT_FAIL; 1676 VDBG(common, " sense data: SK x%02x, ASC x%02x, ASCQ x%02x;" 1677 " info x%x\n", 1678 SK(sd), ASC(sd), ASCQ(sd), sdinfo); 1679 } 1680 1681 /* Store and send the Bulk-only CSW */ 1682 csw = (void *)bh->buf; 1683 1684 csw->Signature = cpu_to_le32(US_BULK_CS_SIGN); 1685 csw->Tag = common->tag; 1686 csw->Residue = cpu_to_le32(common->residue); 1687 csw->Status = status; 1688 1689 bh->inreq->length = US_BULK_CS_WRAP_LEN; 1690 bh->inreq->zero = 0; 1691 if (!start_in_transfer(common, bh)) 1692 /* Don't know what to do if common->fsg is NULL */ 1693 return; 1694 1695 common->next_buffhd_to_fill = bh->next; 1696 return; 1697 } 1698 1699 1700 /*-------------------------------------------------------------------------*/ 1701 1702 /* 1703 * Check whether the command is properly formed and whether its data size 1704 * and direction agree with the values we already have. 1705 */ 1706 static int check_command(struct fsg_common *common, int cmnd_size, 1707 enum data_direction data_dir, unsigned int mask, 1708 int needs_medium, const char *name) 1709 { 1710 int i; 1711 unsigned int lun = common->cmnd[1] >> 5; 1712 static const char dirletter[4] = {'u', 'o', 'i', 'n'}; 1713 char hdlen[20]; 1714 struct fsg_lun *curlun; 1715 1716 hdlen[0] = 0; 1717 if (common->data_dir != DATA_DIR_UNKNOWN) 1718 sprintf(hdlen, ", H%c=%u", dirletter[(int) common->data_dir], 1719 common->data_size); 1720 VDBG(common, "SCSI command: %s; Dc=%d, D%c=%u; Hc=%d%s\n", 1721 name, cmnd_size, dirletter[(int) data_dir], 1722 common->data_size_from_cmnd, common->cmnd_size, hdlen); 1723 1724 /* 1725 * We can't reply at all until we know the correct data direction 1726 * and size. 1727 */ 1728 if (common->data_size_from_cmnd == 0) 1729 data_dir = DATA_DIR_NONE; 1730 if (common->data_size < common->data_size_from_cmnd) { 1731 /* 1732 * Host data size < Device data size is a phase error. 1733 * Carry out the command, but only transfer as much as 1734 * we are allowed. 1735 */ 1736 common->data_size_from_cmnd = common->data_size; 1737 common->phase_error = 1; 1738 } 1739 common->residue = common->data_size; 1740 common->usb_amount_left = common->data_size; 1741 1742 /* Conflicting data directions is a phase error */ 1743 if (common->data_dir != data_dir && common->data_size_from_cmnd > 0) { 1744 common->phase_error = 1; 1745 return -EINVAL; 1746 } 1747 1748 /* Verify the length of the command itself */ 1749 if (cmnd_size != common->cmnd_size) { 1750 1751 /* 1752 * Special case workaround: There are plenty of buggy SCSI 1753 * implementations. Many have issues with cbw->Length 1754 * field passing a wrong command size. For those cases we 1755 * always try to work around the problem by using the length 1756 * sent by the host side provided it is at least as large 1757 * as the correct command length. 1758 * Examples of such cases would be MS-Windows, which issues 1759 * REQUEST SENSE with cbw->Length == 12 where it should 1760 * be 6, and xbox360 issuing INQUIRY, TEST UNIT READY and 1761 * REQUEST SENSE with cbw->Length == 10 where it should 1762 * be 6 as well. 1763 */ 1764 if (cmnd_size <= common->cmnd_size) { 1765 DBG(common, "%s is buggy! Expected length %d " 1766 "but we got %d\n", name, 1767 cmnd_size, common->cmnd_size); 1768 cmnd_size = common->cmnd_size; 1769 } else { 1770 common->phase_error = 1; 1771 return -EINVAL; 1772 } 1773 } 1774 1775 /* Check that the LUN values are consistent */ 1776 if (common->lun != lun) 1777 DBG(common, "using LUN %u from CBW, not LUN %u from CDB\n", 1778 common->lun, lun); 1779 1780 /* Check the LUN */ 1781 curlun = common->curlun; 1782 if (curlun) { 1783 if (common->cmnd[0] != REQUEST_SENSE) { 1784 curlun->sense_data = SS_NO_SENSE; 1785 curlun->sense_data_info = 0; 1786 curlun->info_valid = 0; 1787 } 1788 } else { 1789 common->bad_lun_okay = 0; 1790 1791 /* 1792 * INQUIRY and REQUEST SENSE commands are explicitly allowed 1793 * to use unsupported LUNs; all others may not. 1794 */ 1795 if (common->cmnd[0] != INQUIRY && 1796 common->cmnd[0] != REQUEST_SENSE) { 1797 DBG(common, "unsupported LUN %u\n", common->lun); 1798 return -EINVAL; 1799 } 1800 } 1801 1802 /* 1803 * If a unit attention condition exists, only INQUIRY and 1804 * REQUEST SENSE commands are allowed; anything else must fail. 1805 */ 1806 if (curlun && curlun->unit_attention_data != SS_NO_SENSE && 1807 common->cmnd[0] != INQUIRY && 1808 common->cmnd[0] != REQUEST_SENSE) { 1809 curlun->sense_data = curlun->unit_attention_data; 1810 curlun->unit_attention_data = SS_NO_SENSE; 1811 return -EINVAL; 1812 } 1813 1814 /* Check that only command bytes listed in the mask are non-zero */ 1815 common->cmnd[1] &= 0x1f; /* Mask away the LUN */ 1816 for (i = 1; i < cmnd_size; ++i) { 1817 if (common->cmnd[i] && !(mask & (1 << i))) { 1818 if (curlun) 1819 curlun->sense_data = SS_INVALID_FIELD_IN_CDB; 1820 return -EINVAL; 1821 } 1822 } 1823 1824 /* If the medium isn't mounted and the command needs to access 1825 * it, return an error. */ 1826 if (curlun && !fsg_lun_is_open(curlun) && needs_medium) { 1827 curlun->sense_data = SS_MEDIUM_NOT_PRESENT; 1828 return -EINVAL; 1829 } 1830 1831 return 0; 1832 } 1833 1834 /* wrapper of check_command for data size in blocks handling */ 1835 static int check_command_size_in_blocks(struct fsg_common *common, 1836 int cmnd_size, enum data_direction data_dir, 1837 unsigned int mask, int needs_medium, const char *name) 1838 { 1839 if (common->curlun) 1840 common->data_size_from_cmnd <<= common->curlun->blkbits; 1841 return check_command(common, cmnd_size, data_dir, 1842 mask, needs_medium, name); 1843 } 1844 1845 static int do_scsi_command(struct fsg_common *common) 1846 { 1847 struct fsg_buffhd *bh; 1848 int rc; 1849 int reply = -EINVAL; 1850 int i; 1851 static char unknown[16]; 1852 1853 dump_cdb(common); 1854 1855 /* Wait for the next buffer to become available for data or status */ 1856 bh = common->next_buffhd_to_fill; 1857 common->next_buffhd_to_drain = bh; 1858 rc = sleep_thread(common, false, bh); 1859 if (rc) 1860 return rc; 1861 1862 common->phase_error = 0; 1863 common->short_packet_received = 0; 1864 1865 down_read(&common->filesem); /* We're using the backing file */ 1866 switch (common->cmnd[0]) { 1867 1868 case INQUIRY: 1869 common->data_size_from_cmnd = common->cmnd[4]; 1870 reply = check_command(common, 6, DATA_DIR_TO_HOST, 1871 (1<<4), 0, 1872 "INQUIRY"); 1873 if (reply == 0) 1874 reply = do_inquiry(common, bh); 1875 break; 1876 1877 case MODE_SELECT: 1878 common->data_size_from_cmnd = common->cmnd[4]; 1879 reply = check_command(common, 6, DATA_DIR_FROM_HOST, 1880 (1<<1) | (1<<4), 0, 1881 "MODE SELECT(6)"); 1882 if (reply == 0) 1883 reply = do_mode_select(common, bh); 1884 break; 1885 1886 case MODE_SELECT_10: 1887 common->data_size_from_cmnd = 1888 get_unaligned_be16(&common->cmnd[7]); 1889 reply = check_command(common, 10, DATA_DIR_FROM_HOST, 1890 (1<<1) | (3<<7), 0, 1891 "MODE SELECT(10)"); 1892 if (reply == 0) 1893 reply = do_mode_select(common, bh); 1894 break; 1895 1896 case MODE_SENSE: 1897 common->data_size_from_cmnd = common->cmnd[4]; 1898 reply = check_command(common, 6, DATA_DIR_TO_HOST, 1899 (1<<1) | (1<<2) | (1<<4), 0, 1900 "MODE SENSE(6)"); 1901 if (reply == 0) 1902 reply = do_mode_sense(common, bh); 1903 break; 1904 1905 case MODE_SENSE_10: 1906 common->data_size_from_cmnd = 1907 get_unaligned_be16(&common->cmnd[7]); 1908 reply = check_command(common, 10, DATA_DIR_TO_HOST, 1909 (1<<1) | (1<<2) | (3<<7), 0, 1910 "MODE SENSE(10)"); 1911 if (reply == 0) 1912 reply = do_mode_sense(common, bh); 1913 break; 1914 1915 case ALLOW_MEDIUM_REMOVAL: 1916 common->data_size_from_cmnd = 0; 1917 reply = check_command(common, 6, DATA_DIR_NONE, 1918 (1<<4), 0, 1919 "PREVENT-ALLOW MEDIUM REMOVAL"); 1920 if (reply == 0) 1921 reply = do_prevent_allow(common); 1922 break; 1923 1924 case READ_6: 1925 i = common->cmnd[4]; 1926 common->data_size_from_cmnd = (i == 0) ? 256 : i; 1927 reply = check_command_size_in_blocks(common, 6, 1928 DATA_DIR_TO_HOST, 1929 (7<<1) | (1<<4), 1, 1930 "READ(6)"); 1931 if (reply == 0) 1932 reply = do_read(common); 1933 break; 1934 1935 case READ_10: 1936 common->data_size_from_cmnd = 1937 get_unaligned_be16(&common->cmnd[7]); 1938 reply = check_command_size_in_blocks(common, 10, 1939 DATA_DIR_TO_HOST, 1940 (1<<1) | (0xf<<2) | (3<<7), 1, 1941 "READ(10)"); 1942 if (reply == 0) 1943 reply = do_read(common); 1944 break; 1945 1946 case READ_12: 1947 common->data_size_from_cmnd = 1948 get_unaligned_be32(&common->cmnd[6]); 1949 reply = check_command_size_in_blocks(common, 12, 1950 DATA_DIR_TO_HOST, 1951 (1<<1) | (0xf<<2) | (0xf<<6), 1, 1952 "READ(12)"); 1953 if (reply == 0) 1954 reply = do_read(common); 1955 break; 1956 1957 case READ_16: 1958 common->data_size_from_cmnd = 1959 get_unaligned_be32(&common->cmnd[10]); 1960 reply = check_command_size_in_blocks(common, 16, 1961 DATA_DIR_TO_HOST, 1962 (1<<1) | (0xff<<2) | (0xf<<10), 1, 1963 "READ(16)"); 1964 if (reply == 0) 1965 reply = do_read(common); 1966 break; 1967 1968 case READ_CAPACITY: 1969 common->data_size_from_cmnd = 8; 1970 reply = check_command(common, 10, DATA_DIR_TO_HOST, 1971 (0xf<<2) | (1<<8), 1, 1972 "READ CAPACITY"); 1973 if (reply == 0) 1974 reply = do_read_capacity(common, bh); 1975 break; 1976 1977 case READ_HEADER: 1978 if (!common->curlun || !common->curlun->cdrom) 1979 goto unknown_cmnd; 1980 common->data_size_from_cmnd = 1981 get_unaligned_be16(&common->cmnd[7]); 1982 reply = check_command(common, 10, DATA_DIR_TO_HOST, 1983 (3<<7) | (0x1f<<1), 1, 1984 "READ HEADER"); 1985 if (reply == 0) 1986 reply = do_read_header(common, bh); 1987 break; 1988 1989 case READ_TOC: 1990 if (!common->curlun || !common->curlun->cdrom) 1991 goto unknown_cmnd; 1992 common->data_size_from_cmnd = 1993 get_unaligned_be16(&common->cmnd[7]); 1994 reply = check_command(common, 10, DATA_DIR_TO_HOST, 1995 (0xf<<6) | (3<<1), 1, 1996 "READ TOC"); 1997 if (reply == 0) 1998 reply = do_read_toc(common, bh); 1999 break; 2000 2001 case READ_FORMAT_CAPACITIES: 2002 common->data_size_from_cmnd = 2003 get_unaligned_be16(&common->cmnd[7]); 2004 reply = check_command(common, 10, DATA_DIR_TO_HOST, 2005 (3<<7), 1, 2006 "READ FORMAT CAPACITIES"); 2007 if (reply == 0) 2008 reply = do_read_format_capacities(common, bh); 2009 break; 2010 2011 case REQUEST_SENSE: 2012 common->data_size_from_cmnd = common->cmnd[4]; 2013 reply = check_command(common, 6, DATA_DIR_TO_HOST, 2014 (1<<4), 0, 2015 "REQUEST SENSE"); 2016 if (reply == 0) 2017 reply = do_request_sense(common, bh); 2018 break; 2019 2020 case SERVICE_ACTION_IN_16: 2021 switch (common->cmnd[1] & 0x1f) { 2022 2023 case SAI_READ_CAPACITY_16: 2024 common->data_size_from_cmnd = 2025 get_unaligned_be32(&common->cmnd[10]); 2026 reply = check_command(common, 16, DATA_DIR_TO_HOST, 2027 (1<<1) | (0xff<<2) | (0xf<<10) | 2028 (1<<14), 1, 2029 "READ CAPACITY(16)"); 2030 if (reply == 0) 2031 reply = do_read_capacity_16(common, bh); 2032 break; 2033 2034 default: 2035 goto unknown_cmnd; 2036 } 2037 break; 2038 2039 case START_STOP: 2040 common->data_size_from_cmnd = 0; 2041 reply = check_command(common, 6, DATA_DIR_NONE, 2042 (1<<1) | (1<<4), 0, 2043 "START-STOP UNIT"); 2044 if (reply == 0) 2045 reply = do_start_stop(common); 2046 break; 2047 2048 case SYNCHRONIZE_CACHE: 2049 common->data_size_from_cmnd = 0; 2050 reply = check_command(common, 10, DATA_DIR_NONE, 2051 (0xf<<2) | (3<<7), 1, 2052 "SYNCHRONIZE CACHE"); 2053 if (reply == 0) 2054 reply = do_synchronize_cache(common); 2055 break; 2056 2057 case TEST_UNIT_READY: 2058 common->data_size_from_cmnd = 0; 2059 reply = check_command(common, 6, DATA_DIR_NONE, 2060 0, 1, 2061 "TEST UNIT READY"); 2062 break; 2063 2064 /* 2065 * Although optional, this command is used by MS-Windows. We 2066 * support a minimal version: BytChk must be 0. 2067 */ 2068 case VERIFY: 2069 common->data_size_from_cmnd = 0; 2070 reply = check_command(common, 10, DATA_DIR_NONE, 2071 (1<<1) | (0xf<<2) | (3<<7), 1, 2072 "VERIFY"); 2073 if (reply == 0) 2074 reply = do_verify(common); 2075 break; 2076 2077 case WRITE_6: 2078 i = common->cmnd[4]; 2079 common->data_size_from_cmnd = (i == 0) ? 256 : i; 2080 reply = check_command_size_in_blocks(common, 6, 2081 DATA_DIR_FROM_HOST, 2082 (7<<1) | (1<<4), 1, 2083 "WRITE(6)"); 2084 if (reply == 0) 2085 reply = do_write(common); 2086 break; 2087 2088 case WRITE_10: 2089 common->data_size_from_cmnd = 2090 get_unaligned_be16(&common->cmnd[7]); 2091 reply = check_command_size_in_blocks(common, 10, 2092 DATA_DIR_FROM_HOST, 2093 (1<<1) | (0xf<<2) | (3<<7), 1, 2094 "WRITE(10)"); 2095 if (reply == 0) 2096 reply = do_write(common); 2097 break; 2098 2099 case WRITE_12: 2100 common->data_size_from_cmnd = 2101 get_unaligned_be32(&common->cmnd[6]); 2102 reply = check_command_size_in_blocks(common, 12, 2103 DATA_DIR_FROM_HOST, 2104 (1<<1) | (0xf<<2) | (0xf<<6), 1, 2105 "WRITE(12)"); 2106 if (reply == 0) 2107 reply = do_write(common); 2108 break; 2109 2110 case WRITE_16: 2111 common->data_size_from_cmnd = 2112 get_unaligned_be32(&common->cmnd[10]); 2113 reply = check_command_size_in_blocks(common, 16, 2114 DATA_DIR_FROM_HOST, 2115 (1<<1) | (0xff<<2) | (0xf<<10), 1, 2116 "WRITE(16)"); 2117 if (reply == 0) 2118 reply = do_write(common); 2119 break; 2120 2121 /* 2122 * Some mandatory commands that we recognize but don't implement. 2123 * They don't mean much in this setting. It's left as an exercise 2124 * for anyone interested to implement RESERVE and RELEASE in terms 2125 * of Posix locks. 2126 */ 2127 case FORMAT_UNIT: 2128 case RELEASE: 2129 case RESERVE: 2130 case SEND_DIAGNOSTIC: 2131 2132 default: 2133 unknown_cmnd: 2134 common->data_size_from_cmnd = 0; 2135 sprintf(unknown, "Unknown x%02x", common->cmnd[0]); 2136 reply = check_command(common, common->cmnd_size, 2137 DATA_DIR_UNKNOWN, ~0, 0, unknown); 2138 if (reply == 0) { 2139 common->curlun->sense_data = SS_INVALID_COMMAND; 2140 reply = -EINVAL; 2141 } 2142 break; 2143 } 2144 up_read(&common->filesem); 2145 2146 if (reply == -EINTR || signal_pending(current)) 2147 return -EINTR; 2148 2149 /* Set up the single reply buffer for finish_reply() */ 2150 if (reply == -EINVAL) 2151 reply = 0; /* Error reply length */ 2152 if (reply >= 0 && common->data_dir == DATA_DIR_TO_HOST) { 2153 reply = min((u32)reply, common->data_size_from_cmnd); 2154 bh->inreq->length = reply; 2155 bh->state = BUF_STATE_FULL; 2156 common->residue -= reply; 2157 } /* Otherwise it's already set */ 2158 2159 return 0; 2160 } 2161 2162 2163 /*-------------------------------------------------------------------------*/ 2164 2165 static int received_cbw(struct fsg_dev *fsg, struct fsg_buffhd *bh) 2166 { 2167 struct usb_request *req = bh->outreq; 2168 struct bulk_cb_wrap *cbw = req->buf; 2169 struct fsg_common *common = fsg->common; 2170 2171 /* Was this a real packet? Should it be ignored? */ 2172 if (req->status || test_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags)) 2173 return -EINVAL; 2174 2175 /* Is the CBW valid? */ 2176 if (req->actual != US_BULK_CB_WRAP_LEN || 2177 cbw->Signature != cpu_to_le32( 2178 US_BULK_CB_SIGN)) { 2179 DBG(fsg, "invalid CBW: len %u sig 0x%x\n", 2180 req->actual, 2181 le32_to_cpu(cbw->Signature)); 2182 2183 /* 2184 * The Bulk-only spec says we MUST stall the IN endpoint 2185 * (6.6.1), so it's unavoidable. It also says we must 2186 * retain this state until the next reset, but there's 2187 * no way to tell the controller driver it should ignore 2188 * Clear-Feature(HALT) requests. 2189 * 2190 * We aren't required to halt the OUT endpoint; instead 2191 * we can simply accept and discard any data received 2192 * until the next reset. 2193 */ 2194 wedge_bulk_in_endpoint(fsg); 2195 set_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags); 2196 return -EINVAL; 2197 } 2198 2199 /* Is the CBW meaningful? */ 2200 if (cbw->Lun >= ARRAY_SIZE(common->luns) || 2201 cbw->Flags & ~US_BULK_FLAG_IN || cbw->Length <= 0 || 2202 cbw->Length > MAX_COMMAND_SIZE) { 2203 DBG(fsg, "non-meaningful CBW: lun = %u, flags = 0x%x, " 2204 "cmdlen %u\n", 2205 cbw->Lun, cbw->Flags, cbw->Length); 2206 2207 /* 2208 * We can do anything we want here, so let's stall the 2209 * bulk pipes if we are allowed to. 2210 */ 2211 if (common->can_stall) { 2212 fsg_set_halt(fsg, fsg->bulk_out); 2213 halt_bulk_in_endpoint(fsg); 2214 } 2215 return -EINVAL; 2216 } 2217 2218 /* Save the command for later */ 2219 common->cmnd_size = cbw->Length; 2220 memcpy(common->cmnd, cbw->CDB, common->cmnd_size); 2221 if (cbw->Flags & US_BULK_FLAG_IN) 2222 common->data_dir = DATA_DIR_TO_HOST; 2223 else 2224 common->data_dir = DATA_DIR_FROM_HOST; 2225 common->data_size = le32_to_cpu(cbw->DataTransferLength); 2226 if (common->data_size == 0) 2227 common->data_dir = DATA_DIR_NONE; 2228 common->lun = cbw->Lun; 2229 if (common->lun < ARRAY_SIZE(common->luns)) 2230 common->curlun = common->luns[common->lun]; 2231 else 2232 common->curlun = NULL; 2233 common->tag = cbw->Tag; 2234 return 0; 2235 } 2236 2237 static int get_next_command(struct fsg_common *common) 2238 { 2239 struct fsg_buffhd *bh; 2240 int rc = 0; 2241 2242 /* Wait for the next buffer to become available */ 2243 bh = common->next_buffhd_to_fill; 2244 rc = sleep_thread(common, true, bh); 2245 if (rc) 2246 return rc; 2247 2248 /* Queue a request to read a Bulk-only CBW */ 2249 set_bulk_out_req_length(common, bh, US_BULK_CB_WRAP_LEN); 2250 if (!start_out_transfer(common, bh)) 2251 /* Don't know what to do if common->fsg is NULL */ 2252 return -EIO; 2253 2254 /* 2255 * We will drain the buffer in software, which means we 2256 * can reuse it for the next filling. No need to advance 2257 * next_buffhd_to_fill. 2258 */ 2259 2260 /* Wait for the CBW to arrive */ 2261 rc = sleep_thread(common, true, bh); 2262 if (rc) 2263 return rc; 2264 2265 rc = fsg_is_set(common) ? received_cbw(common->fsg, bh) : -EIO; 2266 bh->state = BUF_STATE_EMPTY; 2267 2268 return rc; 2269 } 2270 2271 2272 /*-------------------------------------------------------------------------*/ 2273 2274 static int alloc_request(struct fsg_common *common, struct usb_ep *ep, 2275 struct usb_request **preq) 2276 { 2277 *preq = usb_ep_alloc_request(ep, GFP_ATOMIC); 2278 if (*preq) 2279 return 0; 2280 ERROR(common, "can't allocate request for %s\n", ep->name); 2281 return -ENOMEM; 2282 } 2283 2284 /* Reset interface setting and re-init endpoint state (toggle etc). */ 2285 static int do_set_interface(struct fsg_common *common, struct fsg_dev *new_fsg) 2286 { 2287 struct fsg_dev *fsg; 2288 int i, rc = 0; 2289 2290 if (common->running) 2291 DBG(common, "reset interface\n"); 2292 2293 reset: 2294 /* Deallocate the requests */ 2295 if (common->fsg) { 2296 fsg = common->fsg; 2297 2298 for (i = 0; i < common->fsg_num_buffers; ++i) { 2299 struct fsg_buffhd *bh = &common->buffhds[i]; 2300 2301 if (bh->inreq) { 2302 usb_ep_free_request(fsg->bulk_in, bh->inreq); 2303 bh->inreq = NULL; 2304 } 2305 if (bh->outreq) { 2306 usb_ep_free_request(fsg->bulk_out, bh->outreq); 2307 bh->outreq = NULL; 2308 } 2309 } 2310 2311 /* Disable the endpoints */ 2312 if (fsg->bulk_in_enabled) { 2313 usb_ep_disable(fsg->bulk_in); 2314 fsg->bulk_in_enabled = 0; 2315 } 2316 if (fsg->bulk_out_enabled) { 2317 usb_ep_disable(fsg->bulk_out); 2318 fsg->bulk_out_enabled = 0; 2319 } 2320 2321 common->fsg = NULL; 2322 wake_up(&common->fsg_wait); 2323 } 2324 2325 common->running = 0; 2326 if (!new_fsg || rc) 2327 return rc; 2328 2329 common->fsg = new_fsg; 2330 fsg = common->fsg; 2331 2332 /* Enable the endpoints */ 2333 rc = config_ep_by_speed(common->gadget, &(fsg->function), fsg->bulk_in); 2334 if (rc) 2335 goto reset; 2336 rc = usb_ep_enable(fsg->bulk_in); 2337 if (rc) 2338 goto reset; 2339 fsg->bulk_in->driver_data = common; 2340 fsg->bulk_in_enabled = 1; 2341 2342 rc = config_ep_by_speed(common->gadget, &(fsg->function), 2343 fsg->bulk_out); 2344 if (rc) 2345 goto reset; 2346 rc = usb_ep_enable(fsg->bulk_out); 2347 if (rc) 2348 goto reset; 2349 fsg->bulk_out->driver_data = common; 2350 fsg->bulk_out_enabled = 1; 2351 common->bulk_out_maxpacket = usb_endpoint_maxp(fsg->bulk_out->desc); 2352 clear_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags); 2353 2354 /* Allocate the requests */ 2355 for (i = 0; i < common->fsg_num_buffers; ++i) { 2356 struct fsg_buffhd *bh = &common->buffhds[i]; 2357 2358 rc = alloc_request(common, fsg->bulk_in, &bh->inreq); 2359 if (rc) 2360 goto reset; 2361 rc = alloc_request(common, fsg->bulk_out, &bh->outreq); 2362 if (rc) 2363 goto reset; 2364 bh->inreq->buf = bh->outreq->buf = bh->buf; 2365 bh->inreq->context = bh->outreq->context = bh; 2366 bh->inreq->complete = bulk_in_complete; 2367 bh->outreq->complete = bulk_out_complete; 2368 } 2369 2370 common->running = 1; 2371 for (i = 0; i < ARRAY_SIZE(common->luns); ++i) 2372 if (common->luns[i]) 2373 common->luns[i]->unit_attention_data = 2374 SS_RESET_OCCURRED; 2375 return rc; 2376 } 2377 2378 2379 /****************************** ALT CONFIGS ******************************/ 2380 2381 static int fsg_set_alt(struct usb_function *f, unsigned intf, unsigned alt) 2382 { 2383 struct fsg_dev *fsg = fsg_from_func(f); 2384 2385 __raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE, fsg); 2386 return USB_GADGET_DELAYED_STATUS; 2387 } 2388 2389 static void fsg_disable(struct usb_function *f) 2390 { 2391 struct fsg_dev *fsg = fsg_from_func(f); 2392 2393 /* Disable the endpoints */ 2394 if (fsg->bulk_in_enabled) { 2395 usb_ep_disable(fsg->bulk_in); 2396 fsg->bulk_in_enabled = 0; 2397 } 2398 if (fsg->bulk_out_enabled) { 2399 usb_ep_disable(fsg->bulk_out); 2400 fsg->bulk_out_enabled = 0; 2401 } 2402 2403 __raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE, NULL); 2404 } 2405 2406 2407 /*-------------------------------------------------------------------------*/ 2408 2409 static void handle_exception(struct fsg_common *common) 2410 { 2411 int i; 2412 struct fsg_buffhd *bh; 2413 enum fsg_state old_state; 2414 struct fsg_lun *curlun; 2415 unsigned int exception_req_tag; 2416 struct fsg_dev *new_fsg; 2417 2418 /* 2419 * Clear the existing signals. Anything but SIGUSR1 is converted 2420 * into a high-priority EXIT exception. 2421 */ 2422 for (;;) { 2423 int sig = kernel_dequeue_signal(); 2424 if (!sig) 2425 break; 2426 if (sig != SIGUSR1) { 2427 spin_lock_irq(&common->lock); 2428 if (common->state < FSG_STATE_EXIT) 2429 DBG(common, "Main thread exiting on signal\n"); 2430 common->state = FSG_STATE_EXIT; 2431 spin_unlock_irq(&common->lock); 2432 } 2433 } 2434 2435 /* Cancel all the pending transfers */ 2436 if (likely(common->fsg)) { 2437 for (i = 0; i < common->fsg_num_buffers; ++i) { 2438 bh = &common->buffhds[i]; 2439 if (bh->state == BUF_STATE_SENDING) 2440 usb_ep_dequeue(common->fsg->bulk_in, bh->inreq); 2441 if (bh->state == BUF_STATE_RECEIVING) 2442 usb_ep_dequeue(common->fsg->bulk_out, 2443 bh->outreq); 2444 2445 /* Wait for a transfer to become idle */ 2446 if (sleep_thread(common, false, bh)) 2447 return; 2448 } 2449 2450 /* Clear out the controller's fifos */ 2451 if (common->fsg->bulk_in_enabled) 2452 usb_ep_fifo_flush(common->fsg->bulk_in); 2453 if (common->fsg->bulk_out_enabled) 2454 usb_ep_fifo_flush(common->fsg->bulk_out); 2455 } 2456 2457 /* 2458 * Reset the I/O buffer states and pointers, the SCSI 2459 * state, and the exception. Then invoke the handler. 2460 */ 2461 spin_lock_irq(&common->lock); 2462 2463 for (i = 0; i < common->fsg_num_buffers; ++i) { 2464 bh = &common->buffhds[i]; 2465 bh->state = BUF_STATE_EMPTY; 2466 } 2467 common->next_buffhd_to_fill = &common->buffhds[0]; 2468 common->next_buffhd_to_drain = &common->buffhds[0]; 2469 exception_req_tag = common->exception_req_tag; 2470 new_fsg = common->exception_arg; 2471 old_state = common->state; 2472 common->state = FSG_STATE_NORMAL; 2473 2474 if (old_state != FSG_STATE_ABORT_BULK_OUT) { 2475 for (i = 0; i < ARRAY_SIZE(common->luns); ++i) { 2476 curlun = common->luns[i]; 2477 if (!curlun) 2478 continue; 2479 curlun->prevent_medium_removal = 0; 2480 curlun->sense_data = SS_NO_SENSE; 2481 curlun->unit_attention_data = SS_NO_SENSE; 2482 curlun->sense_data_info = 0; 2483 curlun->info_valid = 0; 2484 } 2485 } 2486 spin_unlock_irq(&common->lock); 2487 2488 /* Carry out any extra actions required for the exception */ 2489 switch (old_state) { 2490 case FSG_STATE_NORMAL: 2491 break; 2492 2493 case FSG_STATE_ABORT_BULK_OUT: 2494 send_status(common); 2495 break; 2496 2497 case FSG_STATE_PROTOCOL_RESET: 2498 /* 2499 * In case we were forced against our will to halt a 2500 * bulk endpoint, clear the halt now. (The SuperH UDC 2501 * requires this.) 2502 */ 2503 if (!fsg_is_set(common)) 2504 break; 2505 if (test_and_clear_bit(IGNORE_BULK_OUT, 2506 &common->fsg->atomic_bitflags)) 2507 usb_ep_clear_halt(common->fsg->bulk_in); 2508 2509 if (common->ep0_req_tag == exception_req_tag) 2510 ep0_queue(common); /* Complete the status stage */ 2511 2512 /* 2513 * Technically this should go here, but it would only be 2514 * a waste of time. Ditto for the INTERFACE_CHANGE and 2515 * CONFIG_CHANGE cases. 2516 */ 2517 /* for (i = 0; i < common->ARRAY_SIZE(common->luns); ++i) */ 2518 /* if (common->luns[i]) */ 2519 /* common->luns[i]->unit_attention_data = */ 2520 /* SS_RESET_OCCURRED; */ 2521 break; 2522 2523 case FSG_STATE_CONFIG_CHANGE: 2524 do_set_interface(common, new_fsg); 2525 if (new_fsg) 2526 usb_composite_setup_continue(common->cdev); 2527 break; 2528 2529 case FSG_STATE_EXIT: 2530 do_set_interface(common, NULL); /* Free resources */ 2531 spin_lock_irq(&common->lock); 2532 common->state = FSG_STATE_TERMINATED; /* Stop the thread */ 2533 spin_unlock_irq(&common->lock); 2534 break; 2535 2536 case FSG_STATE_TERMINATED: 2537 break; 2538 } 2539 } 2540 2541 2542 /*-------------------------------------------------------------------------*/ 2543 2544 static int fsg_main_thread(void *common_) 2545 { 2546 struct fsg_common *common = common_; 2547 int i; 2548 2549 /* 2550 * Allow the thread to be killed by a signal, but set the signal mask 2551 * to block everything but INT, TERM, KILL, and USR1. 2552 */ 2553 allow_signal(SIGINT); 2554 allow_signal(SIGTERM); 2555 allow_signal(SIGKILL); 2556 allow_signal(SIGUSR1); 2557 2558 /* Allow the thread to be frozen */ 2559 set_freezable(); 2560 2561 /* The main loop */ 2562 while (common->state != FSG_STATE_TERMINATED) { 2563 if (exception_in_progress(common) || signal_pending(current)) { 2564 handle_exception(common); 2565 continue; 2566 } 2567 2568 if (!common->running) { 2569 sleep_thread(common, true, NULL); 2570 continue; 2571 } 2572 2573 if (get_next_command(common) || exception_in_progress(common)) 2574 continue; 2575 if (do_scsi_command(common) || exception_in_progress(common)) 2576 continue; 2577 if (finish_reply(common) || exception_in_progress(common)) 2578 continue; 2579 send_status(common); 2580 } 2581 2582 spin_lock_irq(&common->lock); 2583 common->thread_task = NULL; 2584 spin_unlock_irq(&common->lock); 2585 2586 /* Eject media from all LUNs */ 2587 2588 down_write(&common->filesem); 2589 for (i = 0; i < ARRAY_SIZE(common->luns); i++) { 2590 struct fsg_lun *curlun = common->luns[i]; 2591 2592 if (curlun && fsg_lun_is_open(curlun)) 2593 fsg_lun_close(curlun); 2594 } 2595 up_write(&common->filesem); 2596 2597 /* Let fsg_unbind() know the thread has exited */ 2598 kthread_complete_and_exit(&common->thread_notifier, 0); 2599 } 2600 2601 2602 /*************************** DEVICE ATTRIBUTES ***************************/ 2603 2604 static ssize_t ro_show(struct device *dev, struct device_attribute *attr, char *buf) 2605 { 2606 struct fsg_lun *curlun = fsg_lun_from_dev(dev); 2607 2608 return fsg_show_ro(curlun, buf); 2609 } 2610 2611 static ssize_t nofua_show(struct device *dev, struct device_attribute *attr, 2612 char *buf) 2613 { 2614 struct fsg_lun *curlun = fsg_lun_from_dev(dev); 2615 2616 return fsg_show_nofua(curlun, buf); 2617 } 2618 2619 static ssize_t file_show(struct device *dev, struct device_attribute *attr, 2620 char *buf) 2621 { 2622 struct fsg_lun *curlun = fsg_lun_from_dev(dev); 2623 struct rw_semaphore *filesem = dev_get_drvdata(dev); 2624 2625 return fsg_show_file(curlun, filesem, buf); 2626 } 2627 2628 static ssize_t ro_store(struct device *dev, struct device_attribute *attr, 2629 const char *buf, size_t count) 2630 { 2631 struct fsg_lun *curlun = fsg_lun_from_dev(dev); 2632 struct rw_semaphore *filesem = dev_get_drvdata(dev); 2633 2634 return fsg_store_ro(curlun, filesem, buf, count); 2635 } 2636 2637 static ssize_t nofua_store(struct device *dev, struct device_attribute *attr, 2638 const char *buf, size_t count) 2639 { 2640 struct fsg_lun *curlun = fsg_lun_from_dev(dev); 2641 2642 return fsg_store_nofua(curlun, buf, count); 2643 } 2644 2645 static ssize_t file_store(struct device *dev, struct device_attribute *attr, 2646 const char *buf, size_t count) 2647 { 2648 struct fsg_lun *curlun = fsg_lun_from_dev(dev); 2649 struct rw_semaphore *filesem = dev_get_drvdata(dev); 2650 2651 return fsg_store_file(curlun, filesem, buf, count); 2652 } 2653 2654 static ssize_t forced_eject_store(struct device *dev, 2655 struct device_attribute *attr, 2656 const char *buf, size_t count) 2657 { 2658 struct fsg_lun *curlun = fsg_lun_from_dev(dev); 2659 struct rw_semaphore *filesem = dev_get_drvdata(dev); 2660 2661 return fsg_store_forced_eject(curlun, filesem, buf, count); 2662 } 2663 2664 static DEVICE_ATTR_RW(nofua); 2665 /* mode wil be set in fsg_lun_attr_is_visible() */ 2666 static DEVICE_ATTR(ro, 0, ro_show, ro_store); 2667 static DEVICE_ATTR(file, 0, file_show, file_store); 2668 static DEVICE_ATTR_WO(forced_eject); 2669 2670 /****************************** FSG COMMON ******************************/ 2671 2672 static void fsg_lun_release(struct device *dev) 2673 { 2674 /* Nothing needs to be done */ 2675 } 2676 2677 static struct fsg_common *fsg_common_setup(struct fsg_common *common) 2678 { 2679 if (!common) { 2680 common = kzalloc(sizeof(*common), GFP_KERNEL); 2681 if (!common) 2682 return ERR_PTR(-ENOMEM); 2683 common->free_storage_on_release = 1; 2684 } else { 2685 common->free_storage_on_release = 0; 2686 } 2687 init_rwsem(&common->filesem); 2688 spin_lock_init(&common->lock); 2689 init_completion(&common->thread_notifier); 2690 init_waitqueue_head(&common->io_wait); 2691 init_waitqueue_head(&common->fsg_wait); 2692 common->state = FSG_STATE_TERMINATED; 2693 memset(common->luns, 0, sizeof(common->luns)); 2694 2695 return common; 2696 } 2697 2698 void fsg_common_set_sysfs(struct fsg_common *common, bool sysfs) 2699 { 2700 common->sysfs = sysfs; 2701 } 2702 EXPORT_SYMBOL_GPL(fsg_common_set_sysfs); 2703 2704 static void _fsg_common_free_buffers(struct fsg_buffhd *buffhds, unsigned n) 2705 { 2706 if (buffhds) { 2707 struct fsg_buffhd *bh = buffhds; 2708 while (n--) { 2709 kfree(bh->buf); 2710 ++bh; 2711 } 2712 kfree(buffhds); 2713 } 2714 } 2715 2716 int fsg_common_set_num_buffers(struct fsg_common *common, unsigned int n) 2717 { 2718 struct fsg_buffhd *bh, *buffhds; 2719 int i; 2720 2721 buffhds = kcalloc(n, sizeof(*buffhds), GFP_KERNEL); 2722 if (!buffhds) 2723 return -ENOMEM; 2724 2725 /* Data buffers cyclic list */ 2726 bh = buffhds; 2727 i = n; 2728 goto buffhds_first_it; 2729 do { 2730 bh->next = bh + 1; 2731 ++bh; 2732 buffhds_first_it: 2733 bh->buf = kmalloc(FSG_BUFLEN, GFP_KERNEL); 2734 if (unlikely(!bh->buf)) 2735 goto error_release; 2736 } while (--i); 2737 bh->next = buffhds; 2738 2739 _fsg_common_free_buffers(common->buffhds, common->fsg_num_buffers); 2740 common->fsg_num_buffers = n; 2741 common->buffhds = buffhds; 2742 2743 return 0; 2744 2745 error_release: 2746 /* 2747 * "buf"s pointed to by heads after n - i are NULL 2748 * so releasing them won't hurt 2749 */ 2750 _fsg_common_free_buffers(buffhds, n); 2751 2752 return -ENOMEM; 2753 } 2754 EXPORT_SYMBOL_GPL(fsg_common_set_num_buffers); 2755 2756 void fsg_common_remove_lun(struct fsg_lun *lun) 2757 { 2758 if (device_is_registered(&lun->dev)) 2759 device_unregister(&lun->dev); 2760 fsg_lun_close(lun); 2761 kfree(lun); 2762 } 2763 EXPORT_SYMBOL_GPL(fsg_common_remove_lun); 2764 2765 static void _fsg_common_remove_luns(struct fsg_common *common, int n) 2766 { 2767 int i; 2768 2769 for (i = 0; i < n; ++i) 2770 if (common->luns[i]) { 2771 fsg_common_remove_lun(common->luns[i]); 2772 common->luns[i] = NULL; 2773 } 2774 } 2775 2776 void fsg_common_remove_luns(struct fsg_common *common) 2777 { 2778 _fsg_common_remove_luns(common, ARRAY_SIZE(common->luns)); 2779 } 2780 EXPORT_SYMBOL_GPL(fsg_common_remove_luns); 2781 2782 void fsg_common_free_buffers(struct fsg_common *common) 2783 { 2784 _fsg_common_free_buffers(common->buffhds, common->fsg_num_buffers); 2785 common->buffhds = NULL; 2786 } 2787 EXPORT_SYMBOL_GPL(fsg_common_free_buffers); 2788 2789 int fsg_common_set_cdev(struct fsg_common *common, 2790 struct usb_composite_dev *cdev, bool can_stall) 2791 { 2792 struct usb_string *us; 2793 2794 common->gadget = cdev->gadget; 2795 common->ep0 = cdev->gadget->ep0; 2796 common->ep0req = cdev->req; 2797 common->cdev = cdev; 2798 2799 us = usb_gstrings_attach(cdev, fsg_strings_array, 2800 ARRAY_SIZE(fsg_strings)); 2801 if (IS_ERR(us)) 2802 return PTR_ERR(us); 2803 2804 fsg_intf_desc.iInterface = us[FSG_STRING_INTERFACE].id; 2805 2806 /* 2807 * Some peripheral controllers are known not to be able to 2808 * halt bulk endpoints correctly. If one of them is present, 2809 * disable stalls. 2810 */ 2811 common->can_stall = can_stall && 2812 gadget_is_stall_supported(common->gadget); 2813 2814 return 0; 2815 } 2816 EXPORT_SYMBOL_GPL(fsg_common_set_cdev); 2817 2818 static struct attribute *fsg_lun_dev_attrs[] = { 2819 &dev_attr_ro.attr, 2820 &dev_attr_file.attr, 2821 &dev_attr_nofua.attr, 2822 &dev_attr_forced_eject.attr, 2823 NULL 2824 }; 2825 2826 static umode_t fsg_lun_dev_is_visible(struct kobject *kobj, 2827 struct attribute *attr, int idx) 2828 { 2829 struct device *dev = kobj_to_dev(kobj); 2830 struct fsg_lun *lun = fsg_lun_from_dev(dev); 2831 2832 if (attr == &dev_attr_ro.attr) 2833 return lun->cdrom ? S_IRUGO : (S_IWUSR | S_IRUGO); 2834 if (attr == &dev_attr_file.attr) 2835 return lun->removable ? (S_IWUSR | S_IRUGO) : S_IRUGO; 2836 return attr->mode; 2837 } 2838 2839 static const struct attribute_group fsg_lun_dev_group = { 2840 .attrs = fsg_lun_dev_attrs, 2841 .is_visible = fsg_lun_dev_is_visible, 2842 }; 2843 2844 static const struct attribute_group *fsg_lun_dev_groups[] = { 2845 &fsg_lun_dev_group, 2846 NULL 2847 }; 2848 2849 int fsg_common_create_lun(struct fsg_common *common, struct fsg_lun_config *cfg, 2850 unsigned int id, const char *name, 2851 const char **name_pfx) 2852 { 2853 struct fsg_lun *lun; 2854 char *pathbuf, *p; 2855 int rc = -ENOMEM; 2856 2857 if (id >= ARRAY_SIZE(common->luns)) 2858 return -ENODEV; 2859 2860 if (common->luns[id]) 2861 return -EBUSY; 2862 2863 if (!cfg->filename && !cfg->removable) { 2864 pr_err("no file given for LUN%d\n", id); 2865 return -EINVAL; 2866 } 2867 2868 lun = kzalloc(sizeof(*lun), GFP_KERNEL); 2869 if (!lun) 2870 return -ENOMEM; 2871 2872 lun->name_pfx = name_pfx; 2873 2874 lun->cdrom = !!cfg->cdrom; 2875 lun->ro = cfg->cdrom || cfg->ro; 2876 lun->initially_ro = lun->ro; 2877 lun->removable = !!cfg->removable; 2878 2879 if (!common->sysfs) { 2880 /* we DON'T own the name!*/ 2881 lun->name = name; 2882 } else { 2883 lun->dev.release = fsg_lun_release; 2884 lun->dev.parent = &common->gadget->dev; 2885 lun->dev.groups = fsg_lun_dev_groups; 2886 dev_set_drvdata(&lun->dev, &common->filesem); 2887 dev_set_name(&lun->dev, "%s", name); 2888 lun->name = dev_name(&lun->dev); 2889 2890 rc = device_register(&lun->dev); 2891 if (rc) { 2892 pr_info("failed to register LUN%d: %d\n", id, rc); 2893 put_device(&lun->dev); 2894 goto error_sysfs; 2895 } 2896 } 2897 2898 common->luns[id] = lun; 2899 2900 if (cfg->filename) { 2901 rc = fsg_lun_open(lun, cfg->filename); 2902 if (rc) 2903 goto error_lun; 2904 } 2905 2906 pathbuf = kmalloc(PATH_MAX, GFP_KERNEL); 2907 p = "(no medium)"; 2908 if (fsg_lun_is_open(lun)) { 2909 p = "(error)"; 2910 if (pathbuf) { 2911 p = file_path(lun->filp, pathbuf, PATH_MAX); 2912 if (IS_ERR(p)) 2913 p = "(error)"; 2914 } 2915 } 2916 pr_info("LUN: %s%s%sfile: %s\n", 2917 lun->removable ? "removable " : "", 2918 lun->ro ? "read only " : "", 2919 lun->cdrom ? "CD-ROM " : "", 2920 p); 2921 kfree(pathbuf); 2922 2923 return 0; 2924 2925 error_lun: 2926 if (device_is_registered(&lun->dev)) 2927 device_unregister(&lun->dev); 2928 fsg_lun_close(lun); 2929 common->luns[id] = NULL; 2930 error_sysfs: 2931 kfree(lun); 2932 return rc; 2933 } 2934 EXPORT_SYMBOL_GPL(fsg_common_create_lun); 2935 2936 int fsg_common_create_luns(struct fsg_common *common, struct fsg_config *cfg) 2937 { 2938 char buf[8]; /* enough for 100000000 different numbers, decimal */ 2939 int i, rc; 2940 2941 fsg_common_remove_luns(common); 2942 2943 for (i = 0; i < cfg->nluns; ++i) { 2944 snprintf(buf, sizeof(buf), "lun%d", i); 2945 rc = fsg_common_create_lun(common, &cfg->luns[i], i, buf, NULL); 2946 if (rc) 2947 goto fail; 2948 } 2949 2950 pr_info("Number of LUNs=%d\n", cfg->nluns); 2951 2952 return 0; 2953 2954 fail: 2955 _fsg_common_remove_luns(common, i); 2956 return rc; 2957 } 2958 EXPORT_SYMBOL_GPL(fsg_common_create_luns); 2959 2960 void fsg_common_set_inquiry_string(struct fsg_common *common, const char *vn, 2961 const char *pn) 2962 { 2963 int i; 2964 2965 /* Prepare inquiryString */ 2966 i = get_default_bcdDevice(); 2967 snprintf(common->inquiry_string, sizeof(common->inquiry_string), 2968 "%-8s%-16s%04x", vn ?: "Linux", 2969 /* Assume product name dependent on the first LUN */ 2970 pn ?: ((*common->luns)->cdrom 2971 ? "File-CD Gadget" 2972 : "File-Stor Gadget"), 2973 i); 2974 } 2975 EXPORT_SYMBOL_GPL(fsg_common_set_inquiry_string); 2976 2977 static void fsg_common_release(struct fsg_common *common) 2978 { 2979 int i; 2980 2981 /* If the thread isn't already dead, tell it to exit now */ 2982 if (common->state != FSG_STATE_TERMINATED) { 2983 raise_exception(common, FSG_STATE_EXIT); 2984 wait_for_completion(&common->thread_notifier); 2985 } 2986 2987 for (i = 0; i < ARRAY_SIZE(common->luns); ++i) { 2988 struct fsg_lun *lun = common->luns[i]; 2989 if (!lun) 2990 continue; 2991 fsg_lun_close(lun); 2992 if (device_is_registered(&lun->dev)) 2993 device_unregister(&lun->dev); 2994 kfree(lun); 2995 } 2996 2997 _fsg_common_free_buffers(common->buffhds, common->fsg_num_buffers); 2998 if (common->free_storage_on_release) 2999 kfree(common); 3000 } 3001 3002 3003 /*-------------------------------------------------------------------------*/ 3004 3005 static int fsg_bind(struct usb_configuration *c, struct usb_function *f) 3006 { 3007 struct fsg_dev *fsg = fsg_from_func(f); 3008 struct fsg_common *common = fsg->common; 3009 struct usb_gadget *gadget = c->cdev->gadget; 3010 int i; 3011 struct usb_ep *ep; 3012 unsigned max_burst; 3013 int ret; 3014 struct fsg_opts *opts; 3015 3016 /* Don't allow to bind if we don't have at least one LUN */ 3017 ret = _fsg_common_get_max_lun(common); 3018 if (ret < 0) { 3019 pr_err("There should be at least one LUN.\n"); 3020 return -EINVAL; 3021 } 3022 3023 opts = fsg_opts_from_func_inst(f->fi); 3024 if (!opts->no_configfs) { 3025 ret = fsg_common_set_cdev(fsg->common, c->cdev, 3026 fsg->common->can_stall); 3027 if (ret) 3028 return ret; 3029 fsg_common_set_inquiry_string(fsg->common, NULL, NULL); 3030 } 3031 3032 if (!common->thread_task) { 3033 common->state = FSG_STATE_NORMAL; 3034 common->thread_task = 3035 kthread_create(fsg_main_thread, common, "file-storage"); 3036 if (IS_ERR(common->thread_task)) { 3037 ret = PTR_ERR(common->thread_task); 3038 common->thread_task = NULL; 3039 common->state = FSG_STATE_TERMINATED; 3040 return ret; 3041 } 3042 DBG(common, "I/O thread pid: %d\n", 3043 task_pid_nr(common->thread_task)); 3044 wake_up_process(common->thread_task); 3045 } 3046 3047 fsg->gadget = gadget; 3048 3049 /* New interface */ 3050 i = usb_interface_id(c, f); 3051 if (i < 0) 3052 goto fail; 3053 fsg_intf_desc.bInterfaceNumber = i; 3054 fsg->interface_number = i; 3055 3056 /* Find all the endpoints we will use */ 3057 ep = usb_ep_autoconfig(gadget, &fsg_fs_bulk_in_desc); 3058 if (!ep) 3059 goto autoconf_fail; 3060 fsg->bulk_in = ep; 3061 3062 ep = usb_ep_autoconfig(gadget, &fsg_fs_bulk_out_desc); 3063 if (!ep) 3064 goto autoconf_fail; 3065 fsg->bulk_out = ep; 3066 3067 /* Assume endpoint addresses are the same for both speeds */ 3068 fsg_hs_bulk_in_desc.bEndpointAddress = 3069 fsg_fs_bulk_in_desc.bEndpointAddress; 3070 fsg_hs_bulk_out_desc.bEndpointAddress = 3071 fsg_fs_bulk_out_desc.bEndpointAddress; 3072 3073 /* Calculate bMaxBurst, we know packet size is 1024 */ 3074 max_burst = min_t(unsigned, FSG_BUFLEN / 1024, 15); 3075 3076 fsg_ss_bulk_in_desc.bEndpointAddress = 3077 fsg_fs_bulk_in_desc.bEndpointAddress; 3078 fsg_ss_bulk_in_comp_desc.bMaxBurst = max_burst; 3079 3080 fsg_ss_bulk_out_desc.bEndpointAddress = 3081 fsg_fs_bulk_out_desc.bEndpointAddress; 3082 fsg_ss_bulk_out_comp_desc.bMaxBurst = max_burst; 3083 3084 ret = usb_assign_descriptors(f, fsg_fs_function, fsg_hs_function, 3085 fsg_ss_function, fsg_ss_function); 3086 if (ret) 3087 goto autoconf_fail; 3088 3089 return 0; 3090 3091 autoconf_fail: 3092 ERROR(fsg, "unable to autoconfigure all endpoints\n"); 3093 i = -ENOTSUPP; 3094 fail: 3095 /* terminate the thread */ 3096 if (fsg->common->state != FSG_STATE_TERMINATED) { 3097 raise_exception(fsg->common, FSG_STATE_EXIT); 3098 wait_for_completion(&fsg->common->thread_notifier); 3099 } 3100 return i; 3101 } 3102 3103 /****************************** ALLOCATE FUNCTION *************************/ 3104 3105 static void fsg_unbind(struct usb_configuration *c, struct usb_function *f) 3106 { 3107 struct fsg_dev *fsg = fsg_from_func(f); 3108 struct fsg_common *common = fsg->common; 3109 3110 DBG(fsg, "unbind\n"); 3111 if (fsg->common->fsg == fsg) { 3112 __raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE, NULL); 3113 /* FIXME: make interruptible or killable somehow? */ 3114 wait_event(common->fsg_wait, common->fsg != fsg); 3115 } 3116 3117 usb_free_all_descriptors(&fsg->function); 3118 } 3119 3120 static inline struct fsg_lun_opts *to_fsg_lun_opts(struct config_item *item) 3121 { 3122 return container_of(to_config_group(item), struct fsg_lun_opts, group); 3123 } 3124 3125 static inline struct fsg_opts *to_fsg_opts(struct config_item *item) 3126 { 3127 return container_of(to_config_group(item), struct fsg_opts, 3128 func_inst.group); 3129 } 3130 3131 static void fsg_lun_attr_release(struct config_item *item) 3132 { 3133 struct fsg_lun_opts *lun_opts; 3134 3135 lun_opts = to_fsg_lun_opts(item); 3136 kfree(lun_opts); 3137 } 3138 3139 static struct configfs_item_operations fsg_lun_item_ops = { 3140 .release = fsg_lun_attr_release, 3141 }; 3142 3143 static ssize_t fsg_lun_opts_file_show(struct config_item *item, char *page) 3144 { 3145 struct fsg_lun_opts *opts = to_fsg_lun_opts(item); 3146 struct fsg_opts *fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent); 3147 3148 return fsg_show_file(opts->lun, &fsg_opts->common->filesem, page); 3149 } 3150 3151 static ssize_t fsg_lun_opts_file_store(struct config_item *item, 3152 const char *page, size_t len) 3153 { 3154 struct fsg_lun_opts *opts = to_fsg_lun_opts(item); 3155 struct fsg_opts *fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent); 3156 3157 return fsg_store_file(opts->lun, &fsg_opts->common->filesem, page, len); 3158 } 3159 3160 CONFIGFS_ATTR(fsg_lun_opts_, file); 3161 3162 static ssize_t fsg_lun_opts_ro_show(struct config_item *item, char *page) 3163 { 3164 return fsg_show_ro(to_fsg_lun_opts(item)->lun, page); 3165 } 3166 3167 static ssize_t fsg_lun_opts_ro_store(struct config_item *item, 3168 const char *page, size_t len) 3169 { 3170 struct fsg_lun_opts *opts = to_fsg_lun_opts(item); 3171 struct fsg_opts *fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent); 3172 3173 return fsg_store_ro(opts->lun, &fsg_opts->common->filesem, page, len); 3174 } 3175 3176 CONFIGFS_ATTR(fsg_lun_opts_, ro); 3177 3178 static ssize_t fsg_lun_opts_removable_show(struct config_item *item, 3179 char *page) 3180 { 3181 return fsg_show_removable(to_fsg_lun_opts(item)->lun, page); 3182 } 3183 3184 static ssize_t fsg_lun_opts_removable_store(struct config_item *item, 3185 const char *page, size_t len) 3186 { 3187 return fsg_store_removable(to_fsg_lun_opts(item)->lun, page, len); 3188 } 3189 3190 CONFIGFS_ATTR(fsg_lun_opts_, removable); 3191 3192 static ssize_t fsg_lun_opts_cdrom_show(struct config_item *item, char *page) 3193 { 3194 return fsg_show_cdrom(to_fsg_lun_opts(item)->lun, page); 3195 } 3196 3197 static ssize_t fsg_lun_opts_cdrom_store(struct config_item *item, 3198 const char *page, size_t len) 3199 { 3200 struct fsg_lun_opts *opts = to_fsg_lun_opts(item); 3201 struct fsg_opts *fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent); 3202 3203 return fsg_store_cdrom(opts->lun, &fsg_opts->common->filesem, page, 3204 len); 3205 } 3206 3207 CONFIGFS_ATTR(fsg_lun_opts_, cdrom); 3208 3209 static ssize_t fsg_lun_opts_nofua_show(struct config_item *item, char *page) 3210 { 3211 return fsg_show_nofua(to_fsg_lun_opts(item)->lun, page); 3212 } 3213 3214 static ssize_t fsg_lun_opts_nofua_store(struct config_item *item, 3215 const char *page, size_t len) 3216 { 3217 return fsg_store_nofua(to_fsg_lun_opts(item)->lun, page, len); 3218 } 3219 3220 CONFIGFS_ATTR(fsg_lun_opts_, nofua); 3221 3222 static ssize_t fsg_lun_opts_inquiry_string_show(struct config_item *item, 3223 char *page) 3224 { 3225 return fsg_show_inquiry_string(to_fsg_lun_opts(item)->lun, page); 3226 } 3227 3228 static ssize_t fsg_lun_opts_inquiry_string_store(struct config_item *item, 3229 const char *page, size_t len) 3230 { 3231 return fsg_store_inquiry_string(to_fsg_lun_opts(item)->lun, page, len); 3232 } 3233 3234 CONFIGFS_ATTR(fsg_lun_opts_, inquiry_string); 3235 3236 static ssize_t fsg_lun_opts_forced_eject_store(struct config_item *item, 3237 const char *page, size_t len) 3238 { 3239 struct fsg_lun_opts *opts = to_fsg_lun_opts(item); 3240 struct fsg_opts *fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent); 3241 3242 return fsg_store_forced_eject(opts->lun, &fsg_opts->common->filesem, 3243 page, len); 3244 } 3245 3246 CONFIGFS_ATTR_WO(fsg_lun_opts_, forced_eject); 3247 3248 static struct configfs_attribute *fsg_lun_attrs[] = { 3249 &fsg_lun_opts_attr_file, 3250 &fsg_lun_opts_attr_ro, 3251 &fsg_lun_opts_attr_removable, 3252 &fsg_lun_opts_attr_cdrom, 3253 &fsg_lun_opts_attr_nofua, 3254 &fsg_lun_opts_attr_inquiry_string, 3255 &fsg_lun_opts_attr_forced_eject, 3256 NULL, 3257 }; 3258 3259 static const struct config_item_type fsg_lun_type = { 3260 .ct_item_ops = &fsg_lun_item_ops, 3261 .ct_attrs = fsg_lun_attrs, 3262 .ct_owner = THIS_MODULE, 3263 }; 3264 3265 static struct config_group *fsg_lun_make(struct config_group *group, 3266 const char *name) 3267 { 3268 struct fsg_lun_opts *opts; 3269 struct fsg_opts *fsg_opts; 3270 struct fsg_lun_config config; 3271 char *num_str; 3272 u8 num; 3273 int ret; 3274 3275 num_str = strchr(name, '.'); 3276 if (!num_str) { 3277 pr_err("Unable to locate . in LUN.NUMBER\n"); 3278 return ERR_PTR(-EINVAL); 3279 } 3280 num_str++; 3281 3282 ret = kstrtou8(num_str, 0, &num); 3283 if (ret) 3284 return ERR_PTR(ret); 3285 3286 fsg_opts = to_fsg_opts(&group->cg_item); 3287 if (num >= FSG_MAX_LUNS) 3288 return ERR_PTR(-ERANGE); 3289 num = array_index_nospec(num, FSG_MAX_LUNS); 3290 3291 mutex_lock(&fsg_opts->lock); 3292 if (fsg_opts->refcnt || fsg_opts->common->luns[num]) { 3293 ret = -EBUSY; 3294 goto out; 3295 } 3296 3297 opts = kzalloc(sizeof(*opts), GFP_KERNEL); 3298 if (!opts) { 3299 ret = -ENOMEM; 3300 goto out; 3301 } 3302 3303 memset(&config, 0, sizeof(config)); 3304 config.removable = true; 3305 3306 ret = fsg_common_create_lun(fsg_opts->common, &config, num, name, 3307 (const char **)&group->cg_item.ci_name); 3308 if (ret) { 3309 kfree(opts); 3310 goto out; 3311 } 3312 opts->lun = fsg_opts->common->luns[num]; 3313 opts->lun_id = num; 3314 mutex_unlock(&fsg_opts->lock); 3315 3316 config_group_init_type_name(&opts->group, name, &fsg_lun_type); 3317 3318 return &opts->group; 3319 out: 3320 mutex_unlock(&fsg_opts->lock); 3321 return ERR_PTR(ret); 3322 } 3323 3324 static void fsg_lun_drop(struct config_group *group, struct config_item *item) 3325 { 3326 struct fsg_lun_opts *lun_opts; 3327 struct fsg_opts *fsg_opts; 3328 3329 lun_opts = to_fsg_lun_opts(item); 3330 fsg_opts = to_fsg_opts(&group->cg_item); 3331 3332 mutex_lock(&fsg_opts->lock); 3333 if (fsg_opts->refcnt) { 3334 struct config_item *gadget; 3335 3336 gadget = group->cg_item.ci_parent->ci_parent; 3337 unregister_gadget_item(gadget); 3338 } 3339 3340 fsg_common_remove_lun(lun_opts->lun); 3341 fsg_opts->common->luns[lun_opts->lun_id] = NULL; 3342 lun_opts->lun_id = 0; 3343 mutex_unlock(&fsg_opts->lock); 3344 3345 config_item_put(item); 3346 } 3347 3348 static void fsg_attr_release(struct config_item *item) 3349 { 3350 struct fsg_opts *opts = to_fsg_opts(item); 3351 3352 usb_put_function_instance(&opts->func_inst); 3353 } 3354 3355 static struct configfs_item_operations fsg_item_ops = { 3356 .release = fsg_attr_release, 3357 }; 3358 3359 static ssize_t fsg_opts_stall_show(struct config_item *item, char *page) 3360 { 3361 struct fsg_opts *opts = to_fsg_opts(item); 3362 int result; 3363 3364 mutex_lock(&opts->lock); 3365 result = sprintf(page, "%d", opts->common->can_stall); 3366 mutex_unlock(&opts->lock); 3367 3368 return result; 3369 } 3370 3371 static ssize_t fsg_opts_stall_store(struct config_item *item, const char *page, 3372 size_t len) 3373 { 3374 struct fsg_opts *opts = to_fsg_opts(item); 3375 int ret; 3376 bool stall; 3377 3378 mutex_lock(&opts->lock); 3379 3380 if (opts->refcnt) { 3381 mutex_unlock(&opts->lock); 3382 return -EBUSY; 3383 } 3384 3385 ret = strtobool(page, &stall); 3386 if (!ret) { 3387 opts->common->can_stall = stall; 3388 ret = len; 3389 } 3390 3391 mutex_unlock(&opts->lock); 3392 3393 return ret; 3394 } 3395 3396 CONFIGFS_ATTR(fsg_opts_, stall); 3397 3398 #ifdef CONFIG_USB_GADGET_DEBUG_FILES 3399 static ssize_t fsg_opts_num_buffers_show(struct config_item *item, char *page) 3400 { 3401 struct fsg_opts *opts = to_fsg_opts(item); 3402 int result; 3403 3404 mutex_lock(&opts->lock); 3405 result = sprintf(page, "%d", opts->common->fsg_num_buffers); 3406 mutex_unlock(&opts->lock); 3407 3408 return result; 3409 } 3410 3411 static ssize_t fsg_opts_num_buffers_store(struct config_item *item, 3412 const char *page, size_t len) 3413 { 3414 struct fsg_opts *opts = to_fsg_opts(item); 3415 int ret; 3416 u8 num; 3417 3418 mutex_lock(&opts->lock); 3419 if (opts->refcnt) { 3420 ret = -EBUSY; 3421 goto end; 3422 } 3423 ret = kstrtou8(page, 0, &num); 3424 if (ret) 3425 goto end; 3426 3427 ret = fsg_common_set_num_buffers(opts->common, num); 3428 if (ret) 3429 goto end; 3430 ret = len; 3431 3432 end: 3433 mutex_unlock(&opts->lock); 3434 return ret; 3435 } 3436 3437 CONFIGFS_ATTR(fsg_opts_, num_buffers); 3438 #endif 3439 3440 static struct configfs_attribute *fsg_attrs[] = { 3441 &fsg_opts_attr_stall, 3442 #ifdef CONFIG_USB_GADGET_DEBUG_FILES 3443 &fsg_opts_attr_num_buffers, 3444 #endif 3445 NULL, 3446 }; 3447 3448 static struct configfs_group_operations fsg_group_ops = { 3449 .make_group = fsg_lun_make, 3450 .drop_item = fsg_lun_drop, 3451 }; 3452 3453 static const struct config_item_type fsg_func_type = { 3454 .ct_item_ops = &fsg_item_ops, 3455 .ct_group_ops = &fsg_group_ops, 3456 .ct_attrs = fsg_attrs, 3457 .ct_owner = THIS_MODULE, 3458 }; 3459 3460 static void fsg_free_inst(struct usb_function_instance *fi) 3461 { 3462 struct fsg_opts *opts; 3463 3464 opts = fsg_opts_from_func_inst(fi); 3465 fsg_common_release(opts->common); 3466 kfree(opts); 3467 } 3468 3469 static struct usb_function_instance *fsg_alloc_inst(void) 3470 { 3471 struct fsg_opts *opts; 3472 struct fsg_lun_config config; 3473 int rc; 3474 3475 opts = kzalloc(sizeof(*opts), GFP_KERNEL); 3476 if (!opts) 3477 return ERR_PTR(-ENOMEM); 3478 mutex_init(&opts->lock); 3479 opts->func_inst.free_func_inst = fsg_free_inst; 3480 opts->common = fsg_common_setup(opts->common); 3481 if (IS_ERR(opts->common)) { 3482 rc = PTR_ERR(opts->common); 3483 goto release_opts; 3484 } 3485 3486 rc = fsg_common_set_num_buffers(opts->common, 3487 CONFIG_USB_GADGET_STORAGE_NUM_BUFFERS); 3488 if (rc) 3489 goto release_common; 3490 3491 pr_info(FSG_DRIVER_DESC ", version: " FSG_DRIVER_VERSION "\n"); 3492 3493 memset(&config, 0, sizeof(config)); 3494 config.removable = true; 3495 rc = fsg_common_create_lun(opts->common, &config, 0, "lun.0", 3496 (const char **)&opts->func_inst.group.cg_item.ci_name); 3497 if (rc) 3498 goto release_buffers; 3499 3500 opts->lun0.lun = opts->common->luns[0]; 3501 opts->lun0.lun_id = 0; 3502 3503 config_group_init_type_name(&opts->func_inst.group, "", &fsg_func_type); 3504 3505 config_group_init_type_name(&opts->lun0.group, "lun.0", &fsg_lun_type); 3506 configfs_add_default_group(&opts->lun0.group, &opts->func_inst.group); 3507 3508 return &opts->func_inst; 3509 3510 release_buffers: 3511 fsg_common_free_buffers(opts->common); 3512 release_common: 3513 kfree(opts->common); 3514 release_opts: 3515 kfree(opts); 3516 return ERR_PTR(rc); 3517 } 3518 3519 static void fsg_free(struct usb_function *f) 3520 { 3521 struct fsg_dev *fsg; 3522 struct fsg_opts *opts; 3523 3524 fsg = container_of(f, struct fsg_dev, function); 3525 opts = container_of(f->fi, struct fsg_opts, func_inst); 3526 3527 mutex_lock(&opts->lock); 3528 opts->refcnt--; 3529 mutex_unlock(&opts->lock); 3530 3531 kfree(fsg); 3532 } 3533 3534 static struct usb_function *fsg_alloc(struct usb_function_instance *fi) 3535 { 3536 struct fsg_opts *opts = fsg_opts_from_func_inst(fi); 3537 struct fsg_common *common = opts->common; 3538 struct fsg_dev *fsg; 3539 3540 fsg = kzalloc(sizeof(*fsg), GFP_KERNEL); 3541 if (unlikely(!fsg)) 3542 return ERR_PTR(-ENOMEM); 3543 3544 mutex_lock(&opts->lock); 3545 opts->refcnt++; 3546 mutex_unlock(&opts->lock); 3547 3548 fsg->function.name = FSG_DRIVER_DESC; 3549 fsg->function.bind = fsg_bind; 3550 fsg->function.unbind = fsg_unbind; 3551 fsg->function.setup = fsg_setup; 3552 fsg->function.set_alt = fsg_set_alt; 3553 fsg->function.disable = fsg_disable; 3554 fsg->function.free_func = fsg_free; 3555 3556 fsg->common = common; 3557 3558 return &fsg->function; 3559 } 3560 3561 DECLARE_USB_FUNCTION_INIT(mass_storage, fsg_alloc_inst, fsg_alloc); 3562 MODULE_LICENSE("GPL"); 3563 MODULE_AUTHOR("Michal Nazarewicz"); 3564 3565 /************************* Module parameters *************************/ 3566 3567 3568 void fsg_config_from_params(struct fsg_config *cfg, 3569 const struct fsg_module_parameters *params, 3570 unsigned int fsg_num_buffers) 3571 { 3572 struct fsg_lun_config *lun; 3573 unsigned i; 3574 3575 /* Configure LUNs */ 3576 cfg->nluns = 3577 min(params->luns ?: (params->file_count ?: 1u), 3578 (unsigned)FSG_MAX_LUNS); 3579 for (i = 0, lun = cfg->luns; i < cfg->nluns; ++i, ++lun) { 3580 lun->ro = !!params->ro[i]; 3581 lun->cdrom = !!params->cdrom[i]; 3582 lun->removable = !!params->removable[i]; 3583 lun->filename = 3584 params->file_count > i && params->file[i][0] 3585 ? params->file[i] 3586 : NULL; 3587 } 3588 3589 /* Let MSF use defaults */ 3590 cfg->vendor_name = NULL; 3591 cfg->product_name = NULL; 3592 3593 cfg->ops = NULL; 3594 cfg->private_data = NULL; 3595 3596 /* Finalise */ 3597 cfg->can_stall = params->stall; 3598 cfg->fsg_num_buffers = fsg_num_buffers; 3599 } 3600 EXPORT_SYMBOL_GPL(fsg_config_from_params); 3601