1 // SPDX-License-Identifier: (GPL-2.0+ OR BSD-3-Clause) 2 /* 3 * f_mass_storage.c -- Mass Storage USB Composite Function 4 * 5 * Copyright (C) 2003-2008 Alan Stern 6 * Copyright (C) 2009 Samsung Electronics 7 * Author: Michal Nazarewicz <mina86@mina86.com> 8 * All rights reserved. 9 */ 10 11 /* 12 * The Mass Storage Function acts as a USB Mass Storage device, 13 * appearing to the host as a disk drive or as a CD-ROM drive. In 14 * addition to providing an example of a genuinely useful composite 15 * function for a USB device, it also illustrates a technique of 16 * double-buffering for increased throughput. 17 * 18 * For more information about MSF and in particular its module 19 * parameters and sysfs interface read the 20 * <Documentation/usb/mass-storage.rst> file. 21 */ 22 23 /* 24 * MSF is configured by specifying a fsg_config structure. It has the 25 * following fields: 26 * 27 * nluns Number of LUNs function have (anywhere from 1 28 * to FSG_MAX_LUNS). 29 * luns An array of LUN configuration values. This 30 * should be filled for each LUN that 31 * function will include (ie. for "nluns" 32 * LUNs). Each element of the array has 33 * the following fields: 34 * ->filename The path to the backing file for the LUN. 35 * Required if LUN is not marked as 36 * removable. 37 * ->ro Flag specifying access to the LUN shall be 38 * read-only. This is implied if CD-ROM 39 * emulation is enabled as well as when 40 * it was impossible to open "filename" 41 * in R/W mode. 42 * ->removable Flag specifying that LUN shall be indicated as 43 * being removable. 44 * ->cdrom Flag specifying that LUN shall be reported as 45 * being a CD-ROM. 46 * ->nofua Flag specifying that FUA flag in SCSI WRITE(10,12) 47 * commands for this LUN shall be ignored. 48 * 49 * vendor_name 50 * product_name 51 * release Information used as a reply to INQUIRY 52 * request. To use default set to NULL, 53 * NULL, 0xffff respectively. The first 54 * field should be 8 and the second 16 55 * characters or less. 56 * 57 * can_stall Set to permit function to halt bulk endpoints. 58 * Disabled on some USB devices known not 59 * to work correctly. You should set it 60 * to true. 61 * 62 * If "removable" is not set for a LUN then a backing file must be 63 * specified. If it is set, then NULL filename means the LUN's medium 64 * is not loaded (an empty string as "filename" in the fsg_config 65 * structure causes error). The CD-ROM emulation includes a single 66 * data track and no audio tracks; hence there need be only one 67 * backing file per LUN. 68 * 69 * This function is heavily based on "File-backed Storage Gadget" by 70 * Alan Stern which in turn is heavily based on "Gadget Zero" by David 71 * Brownell. The driver's SCSI command interface was based on the 72 * "Information technology - Small Computer System Interface - 2" 73 * document from X3T9.2 Project 375D, Revision 10L, 7-SEP-93, 74 * available at <http://www.t10.org/ftp/t10/drafts/s2/s2-r10l.pdf>. 75 * The single exception is opcode 0x23 (READ FORMAT CAPACITIES), which 76 * was based on the "Universal Serial Bus Mass Storage Class UFI 77 * Command Specification" document, Revision 1.0, December 14, 1998, 78 * available at 79 * <http://www.usb.org/developers/devclass_docs/usbmass-ufi10.pdf>. 80 */ 81 82 /* 83 * Driver Design 84 * 85 * The MSF is fairly straightforward. There is a main kernel 86 * thread that handles most of the work. Interrupt routines field 87 * callbacks from the controller driver: bulk- and interrupt-request 88 * completion notifications, endpoint-0 events, and disconnect events. 89 * Completion events are passed to the main thread by wakeup calls. Many 90 * ep0 requests are handled at interrupt time, but SetInterface, 91 * SetConfiguration, and device reset requests are forwarded to the 92 * thread in the form of "exceptions" using SIGUSR1 signals (since they 93 * should interrupt any ongoing file I/O operations). 94 * 95 * The thread's main routine implements the standard command/data/status 96 * parts of a SCSI interaction. It and its subroutines are full of tests 97 * for pending signals/exceptions -- all this polling is necessary since 98 * the kernel has no setjmp/longjmp equivalents. (Maybe this is an 99 * indication that the driver really wants to be running in userspace.) 100 * An important point is that so long as the thread is alive it keeps an 101 * open reference to the backing file. This will prevent unmounting 102 * the backing file's underlying filesystem and could cause problems 103 * during system shutdown, for example. To prevent such problems, the 104 * thread catches INT, TERM, and KILL signals and converts them into 105 * an EXIT exception. 106 * 107 * In normal operation the main thread is started during the gadget's 108 * fsg_bind() callback and stopped during fsg_unbind(). But it can 109 * also exit when it receives a signal, and there's no point leaving 110 * the gadget running when the thread is dead. As of this moment, MSF 111 * provides no way to deregister the gadget when thread dies -- maybe 112 * a callback functions is needed. 113 * 114 * To provide maximum throughput, the driver uses a circular pipeline of 115 * buffer heads (struct fsg_buffhd). In principle the pipeline can be 116 * arbitrarily long; in practice the benefits don't justify having more 117 * than 2 stages (i.e., double buffering). But it helps to think of the 118 * pipeline as being a long one. Each buffer head contains a bulk-in and 119 * a bulk-out request pointer (since the buffer can be used for both 120 * output and input -- directions always are given from the host's 121 * point of view) as well as a pointer to the buffer and various state 122 * variables. 123 * 124 * Use of the pipeline follows a simple protocol. There is a variable 125 * (fsg->next_buffhd_to_fill) that points to the next buffer head to use. 126 * At any time that buffer head may still be in use from an earlier 127 * request, so each buffer head has a state variable indicating whether 128 * it is EMPTY, FULL, or BUSY. Typical use involves waiting for the 129 * buffer head to be EMPTY, filling the buffer either by file I/O or by 130 * USB I/O (during which the buffer head is BUSY), and marking the buffer 131 * head FULL when the I/O is complete. Then the buffer will be emptied 132 * (again possibly by USB I/O, during which it is marked BUSY) and 133 * finally marked EMPTY again (possibly by a completion routine). 134 * 135 * A module parameter tells the driver to avoid stalling the bulk 136 * endpoints wherever the transport specification allows. This is 137 * necessary for some UDCs like the SuperH, which cannot reliably clear a 138 * halt on a bulk endpoint. However, under certain circumstances the 139 * Bulk-only specification requires a stall. In such cases the driver 140 * will halt the endpoint and set a flag indicating that it should clear 141 * the halt in software during the next device reset. Hopefully this 142 * will permit everything to work correctly. Furthermore, although the 143 * specification allows the bulk-out endpoint to halt when the host sends 144 * too much data, implementing this would cause an unavoidable race. 145 * The driver will always use the "no-stall" approach for OUT transfers. 146 * 147 * One subtle point concerns sending status-stage responses for ep0 148 * requests. Some of these requests, such as device reset, can involve 149 * interrupting an ongoing file I/O operation, which might take an 150 * arbitrarily long time. During that delay the host might give up on 151 * the original ep0 request and issue a new one. When that happens the 152 * driver should not notify the host about completion of the original 153 * request, as the host will no longer be waiting for it. So the driver 154 * assigns to each ep0 request a unique tag, and it keeps track of the 155 * tag value of the request associated with a long-running exception 156 * (device-reset, interface-change, or configuration-change). When the 157 * exception handler is finished, the status-stage response is submitted 158 * only if the current ep0 request tag is equal to the exception request 159 * tag. Thus only the most recently received ep0 request will get a 160 * status-stage response. 161 * 162 * Warning: This driver source file is too long. It ought to be split up 163 * into a header file plus about 3 separate .c files, to handle the details 164 * of the Gadget, USB Mass Storage, and SCSI protocols. 165 */ 166 167 168 /* #define VERBOSE_DEBUG */ 169 /* #define DUMP_MSGS */ 170 171 #include <linux/blkdev.h> 172 #include <linux/completion.h> 173 #include <linux/dcache.h> 174 #include <linux/delay.h> 175 #include <linux/device.h> 176 #include <linux/fcntl.h> 177 #include <linux/file.h> 178 #include <linux/fs.h> 179 #include <linux/kthread.h> 180 #include <linux/sched/signal.h> 181 #include <linux/limits.h> 182 #include <linux/pagemap.h> 183 #include <linux/rwsem.h> 184 #include <linux/slab.h> 185 #include <linux/spinlock.h> 186 #include <linux/string.h> 187 #include <linux/freezer.h> 188 #include <linux/module.h> 189 #include <linux/uaccess.h> 190 #include <asm/unaligned.h> 191 192 #include <linux/usb/ch9.h> 193 #include <linux/usb/gadget.h> 194 #include <linux/usb/composite.h> 195 196 #include <linux/nospec.h> 197 198 #include "configfs.h" 199 200 201 /*------------------------------------------------------------------------*/ 202 203 #define FSG_DRIVER_DESC "Mass Storage Function" 204 #define FSG_DRIVER_VERSION "2009/09/11" 205 206 static const char fsg_string_interface[] = "Mass Storage"; 207 208 #include "storage_common.h" 209 #include "f_mass_storage.h" 210 211 /* Static strings, in UTF-8 (for simplicity we use only ASCII characters) */ 212 static struct usb_string fsg_strings[] = { 213 {FSG_STRING_INTERFACE, fsg_string_interface}, 214 {} 215 }; 216 217 static struct usb_gadget_strings fsg_stringtab = { 218 .language = 0x0409, /* en-us */ 219 .strings = fsg_strings, 220 }; 221 222 static struct usb_gadget_strings *fsg_strings_array[] = { 223 &fsg_stringtab, 224 NULL, 225 }; 226 227 /*-------------------------------------------------------------------------*/ 228 229 struct fsg_dev; 230 struct fsg_common; 231 232 /* Data shared by all the FSG instances. */ 233 struct fsg_common { 234 struct usb_gadget *gadget; 235 struct usb_composite_dev *cdev; 236 struct fsg_dev *fsg; 237 wait_queue_head_t io_wait; 238 wait_queue_head_t fsg_wait; 239 240 /* filesem protects: backing files in use */ 241 struct rw_semaphore filesem; 242 243 /* lock protects: state and thread_task */ 244 spinlock_t lock; 245 246 struct usb_ep *ep0; /* Copy of gadget->ep0 */ 247 struct usb_request *ep0req; /* Copy of cdev->req */ 248 unsigned int ep0_req_tag; 249 250 struct fsg_buffhd *next_buffhd_to_fill; 251 struct fsg_buffhd *next_buffhd_to_drain; 252 struct fsg_buffhd *buffhds; 253 unsigned int fsg_num_buffers; 254 255 int cmnd_size; 256 u8 cmnd[MAX_COMMAND_SIZE]; 257 258 unsigned int lun; 259 struct fsg_lun *luns[FSG_MAX_LUNS]; 260 struct fsg_lun *curlun; 261 262 unsigned int bulk_out_maxpacket; 263 enum fsg_state state; /* For exception handling */ 264 unsigned int exception_req_tag; 265 void *exception_arg; 266 267 enum data_direction data_dir; 268 u32 data_size; 269 u32 data_size_from_cmnd; 270 u32 tag; 271 u32 residue; 272 u32 usb_amount_left; 273 274 unsigned int can_stall:1; 275 unsigned int free_storage_on_release:1; 276 unsigned int phase_error:1; 277 unsigned int short_packet_received:1; 278 unsigned int bad_lun_okay:1; 279 unsigned int running:1; 280 unsigned int sysfs:1; 281 282 struct completion thread_notifier; 283 struct task_struct *thread_task; 284 285 /* Gadget's private data. */ 286 void *private_data; 287 288 char inquiry_string[INQUIRY_STRING_LEN]; 289 }; 290 291 struct fsg_dev { 292 struct usb_function function; 293 struct usb_gadget *gadget; /* Copy of cdev->gadget */ 294 struct fsg_common *common; 295 296 u16 interface_number; 297 298 unsigned int bulk_in_enabled:1; 299 unsigned int bulk_out_enabled:1; 300 301 unsigned long atomic_bitflags; 302 #define IGNORE_BULK_OUT 0 303 304 struct usb_ep *bulk_in; 305 struct usb_ep *bulk_out; 306 }; 307 308 static inline int __fsg_is_set(struct fsg_common *common, 309 const char *func, unsigned line) 310 { 311 if (common->fsg) 312 return 1; 313 ERROR(common, "common->fsg is NULL in %s at %u\n", func, line); 314 WARN_ON(1); 315 return 0; 316 } 317 318 #define fsg_is_set(common) likely(__fsg_is_set(common, __func__, __LINE__)) 319 320 static inline struct fsg_dev *fsg_from_func(struct usb_function *f) 321 { 322 return container_of(f, struct fsg_dev, function); 323 } 324 325 static int exception_in_progress(struct fsg_common *common) 326 { 327 return common->state > FSG_STATE_NORMAL; 328 } 329 330 /* Make bulk-out requests be divisible by the maxpacket size */ 331 static void set_bulk_out_req_length(struct fsg_common *common, 332 struct fsg_buffhd *bh, unsigned int length) 333 { 334 unsigned int rem; 335 336 bh->bulk_out_intended_length = length; 337 rem = length % common->bulk_out_maxpacket; 338 if (rem > 0) 339 length += common->bulk_out_maxpacket - rem; 340 bh->outreq->length = length; 341 } 342 343 344 /*-------------------------------------------------------------------------*/ 345 346 static int fsg_set_halt(struct fsg_dev *fsg, struct usb_ep *ep) 347 { 348 const char *name; 349 350 if (ep == fsg->bulk_in) 351 name = "bulk-in"; 352 else if (ep == fsg->bulk_out) 353 name = "bulk-out"; 354 else 355 name = ep->name; 356 DBG(fsg, "%s set halt\n", name); 357 return usb_ep_set_halt(ep); 358 } 359 360 361 /*-------------------------------------------------------------------------*/ 362 363 /* These routines may be called in process context or in_irq */ 364 365 static void __raise_exception(struct fsg_common *common, enum fsg_state new_state, 366 void *arg) 367 { 368 unsigned long flags; 369 370 /* 371 * Do nothing if a higher-priority exception is already in progress. 372 * If a lower-or-equal priority exception is in progress, preempt it 373 * and notify the main thread by sending it a signal. 374 */ 375 spin_lock_irqsave(&common->lock, flags); 376 if (common->state <= new_state) { 377 common->exception_req_tag = common->ep0_req_tag; 378 common->state = new_state; 379 common->exception_arg = arg; 380 if (common->thread_task) 381 send_sig_info(SIGUSR1, SEND_SIG_PRIV, 382 common->thread_task); 383 } 384 spin_unlock_irqrestore(&common->lock, flags); 385 } 386 387 static void raise_exception(struct fsg_common *common, enum fsg_state new_state) 388 { 389 __raise_exception(common, new_state, NULL); 390 } 391 392 /*-------------------------------------------------------------------------*/ 393 394 static int ep0_queue(struct fsg_common *common) 395 { 396 int rc; 397 398 rc = usb_ep_queue(common->ep0, common->ep0req, GFP_ATOMIC); 399 common->ep0->driver_data = common; 400 if (rc != 0 && rc != -ESHUTDOWN) { 401 /* We can't do much more than wait for a reset */ 402 WARNING(common, "error in submission: %s --> %d\n", 403 common->ep0->name, rc); 404 } 405 return rc; 406 } 407 408 409 /*-------------------------------------------------------------------------*/ 410 411 /* Completion handlers. These always run in_irq. */ 412 413 static void bulk_in_complete(struct usb_ep *ep, struct usb_request *req) 414 { 415 struct fsg_common *common = ep->driver_data; 416 struct fsg_buffhd *bh = req->context; 417 418 if (req->status || req->actual != req->length) 419 DBG(common, "%s --> %d, %u/%u\n", __func__, 420 req->status, req->actual, req->length); 421 if (req->status == -ECONNRESET) /* Request was cancelled */ 422 usb_ep_fifo_flush(ep); 423 424 /* Synchronize with the smp_load_acquire() in sleep_thread() */ 425 smp_store_release(&bh->state, BUF_STATE_EMPTY); 426 wake_up(&common->io_wait); 427 } 428 429 static void bulk_out_complete(struct usb_ep *ep, struct usb_request *req) 430 { 431 struct fsg_common *common = ep->driver_data; 432 struct fsg_buffhd *bh = req->context; 433 434 dump_msg(common, "bulk-out", req->buf, req->actual); 435 if (req->status || req->actual != bh->bulk_out_intended_length) 436 DBG(common, "%s --> %d, %u/%u\n", __func__, 437 req->status, req->actual, bh->bulk_out_intended_length); 438 if (req->status == -ECONNRESET) /* Request was cancelled */ 439 usb_ep_fifo_flush(ep); 440 441 /* Synchronize with the smp_load_acquire() in sleep_thread() */ 442 smp_store_release(&bh->state, BUF_STATE_FULL); 443 wake_up(&common->io_wait); 444 } 445 446 static int _fsg_common_get_max_lun(struct fsg_common *common) 447 { 448 int i = ARRAY_SIZE(common->luns) - 1; 449 450 while (i >= 0 && !common->luns[i]) 451 --i; 452 453 return i; 454 } 455 456 static int fsg_setup(struct usb_function *f, 457 const struct usb_ctrlrequest *ctrl) 458 { 459 struct fsg_dev *fsg = fsg_from_func(f); 460 struct usb_request *req = fsg->common->ep0req; 461 u16 w_index = le16_to_cpu(ctrl->wIndex); 462 u16 w_value = le16_to_cpu(ctrl->wValue); 463 u16 w_length = le16_to_cpu(ctrl->wLength); 464 465 if (!fsg_is_set(fsg->common)) 466 return -EOPNOTSUPP; 467 468 ++fsg->common->ep0_req_tag; /* Record arrival of a new request */ 469 req->context = NULL; 470 req->length = 0; 471 dump_msg(fsg, "ep0-setup", (u8 *) ctrl, sizeof(*ctrl)); 472 473 switch (ctrl->bRequest) { 474 475 case US_BULK_RESET_REQUEST: 476 if (ctrl->bRequestType != 477 (USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE)) 478 break; 479 if (w_index != fsg->interface_number || w_value != 0 || 480 w_length != 0) 481 return -EDOM; 482 483 /* 484 * Raise an exception to stop the current operation 485 * and reinitialize our state. 486 */ 487 DBG(fsg, "bulk reset request\n"); 488 raise_exception(fsg->common, FSG_STATE_PROTOCOL_RESET); 489 return USB_GADGET_DELAYED_STATUS; 490 491 case US_BULK_GET_MAX_LUN: 492 if (ctrl->bRequestType != 493 (USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_INTERFACE)) 494 break; 495 if (w_index != fsg->interface_number || w_value != 0 || 496 w_length != 1) 497 return -EDOM; 498 VDBG(fsg, "get max LUN\n"); 499 *(u8 *)req->buf = _fsg_common_get_max_lun(fsg->common); 500 501 /* Respond with data/status */ 502 req->length = min((u16)1, w_length); 503 return ep0_queue(fsg->common); 504 } 505 506 VDBG(fsg, 507 "unknown class-specific control req %02x.%02x v%04x i%04x l%u\n", 508 ctrl->bRequestType, ctrl->bRequest, 509 le16_to_cpu(ctrl->wValue), w_index, w_length); 510 return -EOPNOTSUPP; 511 } 512 513 514 /*-------------------------------------------------------------------------*/ 515 516 /* All the following routines run in process context */ 517 518 /* Use this for bulk or interrupt transfers, not ep0 */ 519 static int start_transfer(struct fsg_dev *fsg, struct usb_ep *ep, 520 struct usb_request *req) 521 { 522 int rc; 523 524 if (ep == fsg->bulk_in) 525 dump_msg(fsg, "bulk-in", req->buf, req->length); 526 527 rc = usb_ep_queue(ep, req, GFP_KERNEL); 528 if (rc) { 529 530 /* We can't do much more than wait for a reset */ 531 req->status = rc; 532 533 /* 534 * Note: currently the net2280 driver fails zero-length 535 * submissions if DMA is enabled. 536 */ 537 if (rc != -ESHUTDOWN && 538 !(rc == -EOPNOTSUPP && req->length == 0)) 539 WARNING(fsg, "error in submission: %s --> %d\n", 540 ep->name, rc); 541 } 542 return rc; 543 } 544 545 static bool start_in_transfer(struct fsg_common *common, struct fsg_buffhd *bh) 546 { 547 if (!fsg_is_set(common)) 548 return false; 549 bh->state = BUF_STATE_SENDING; 550 if (start_transfer(common->fsg, common->fsg->bulk_in, bh->inreq)) 551 bh->state = BUF_STATE_EMPTY; 552 return true; 553 } 554 555 static bool start_out_transfer(struct fsg_common *common, struct fsg_buffhd *bh) 556 { 557 if (!fsg_is_set(common)) 558 return false; 559 bh->state = BUF_STATE_RECEIVING; 560 if (start_transfer(common->fsg, common->fsg->bulk_out, bh->outreq)) 561 bh->state = BUF_STATE_FULL; 562 return true; 563 } 564 565 static int sleep_thread(struct fsg_common *common, bool can_freeze, 566 struct fsg_buffhd *bh) 567 { 568 int rc; 569 570 /* Wait until a signal arrives or bh is no longer busy */ 571 if (can_freeze) 572 /* 573 * synchronize with the smp_store_release(&bh->state) in 574 * bulk_in_complete() or bulk_out_complete() 575 */ 576 rc = wait_event_freezable(common->io_wait, 577 bh && smp_load_acquire(&bh->state) >= 578 BUF_STATE_EMPTY); 579 else 580 rc = wait_event_interruptible(common->io_wait, 581 bh && smp_load_acquire(&bh->state) >= 582 BUF_STATE_EMPTY); 583 return rc ? -EINTR : 0; 584 } 585 586 587 /*-------------------------------------------------------------------------*/ 588 589 static int do_read(struct fsg_common *common) 590 { 591 struct fsg_lun *curlun = common->curlun; 592 u64 lba; 593 struct fsg_buffhd *bh; 594 int rc; 595 u32 amount_left; 596 loff_t file_offset, file_offset_tmp; 597 unsigned int amount; 598 ssize_t nread; 599 600 /* 601 * Get the starting Logical Block Address and check that it's 602 * not too big. 603 */ 604 if (common->cmnd[0] == READ_6) 605 lba = get_unaligned_be24(&common->cmnd[1]); 606 else { 607 if (common->cmnd[0] == READ_16) 608 lba = get_unaligned_be64(&common->cmnd[2]); 609 else /* READ_10 or READ_12 */ 610 lba = get_unaligned_be32(&common->cmnd[2]); 611 612 /* 613 * We allow DPO (Disable Page Out = don't save data in the 614 * cache) and FUA (Force Unit Access = don't read from the 615 * cache), but we don't implement them. 616 */ 617 if ((common->cmnd[1] & ~0x18) != 0) { 618 curlun->sense_data = SS_INVALID_FIELD_IN_CDB; 619 return -EINVAL; 620 } 621 } 622 if (lba >= curlun->num_sectors) { 623 curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE; 624 return -EINVAL; 625 } 626 file_offset = ((loff_t) lba) << curlun->blkbits; 627 628 /* Carry out the file reads */ 629 amount_left = common->data_size_from_cmnd; 630 if (unlikely(amount_left == 0)) 631 return -EIO; /* No default reply */ 632 633 for (;;) { 634 /* 635 * Figure out how much we need to read: 636 * Try to read the remaining amount. 637 * But don't read more than the buffer size. 638 * And don't try to read past the end of the file. 639 */ 640 amount = min(amount_left, FSG_BUFLEN); 641 amount = min((loff_t)amount, 642 curlun->file_length - file_offset); 643 644 /* Wait for the next buffer to become available */ 645 bh = common->next_buffhd_to_fill; 646 rc = sleep_thread(common, false, bh); 647 if (rc) 648 return rc; 649 650 /* 651 * If we were asked to read past the end of file, 652 * end with an empty buffer. 653 */ 654 if (amount == 0) { 655 curlun->sense_data = 656 SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE; 657 curlun->sense_data_info = 658 file_offset >> curlun->blkbits; 659 curlun->info_valid = 1; 660 bh->inreq->length = 0; 661 bh->state = BUF_STATE_FULL; 662 break; 663 } 664 665 /* Perform the read */ 666 file_offset_tmp = file_offset; 667 nread = kernel_read(curlun->filp, bh->buf, amount, 668 &file_offset_tmp); 669 VLDBG(curlun, "file read %u @ %llu -> %d\n", amount, 670 (unsigned long long)file_offset, (int)nread); 671 if (signal_pending(current)) 672 return -EINTR; 673 674 if (nread < 0) { 675 LDBG(curlun, "error in file read: %d\n", (int)nread); 676 nread = 0; 677 } else if (nread < amount) { 678 LDBG(curlun, "partial file read: %d/%u\n", 679 (int)nread, amount); 680 nread = round_down(nread, curlun->blksize); 681 } 682 file_offset += nread; 683 amount_left -= nread; 684 common->residue -= nread; 685 686 /* 687 * Except at the end of the transfer, nread will be 688 * equal to the buffer size, which is divisible by the 689 * bulk-in maxpacket size. 690 */ 691 bh->inreq->length = nread; 692 bh->state = BUF_STATE_FULL; 693 694 /* If an error occurred, report it and its position */ 695 if (nread < amount) { 696 curlun->sense_data = SS_UNRECOVERED_READ_ERROR; 697 curlun->sense_data_info = 698 file_offset >> curlun->blkbits; 699 curlun->info_valid = 1; 700 break; 701 } 702 703 if (amount_left == 0) 704 break; /* No more left to read */ 705 706 /* Send this buffer and go read some more */ 707 bh->inreq->zero = 0; 708 if (!start_in_transfer(common, bh)) 709 /* Don't know what to do if common->fsg is NULL */ 710 return -EIO; 711 common->next_buffhd_to_fill = bh->next; 712 } 713 714 return -EIO; /* No default reply */ 715 } 716 717 718 /*-------------------------------------------------------------------------*/ 719 720 static int do_write(struct fsg_common *common) 721 { 722 struct fsg_lun *curlun = common->curlun; 723 u64 lba; 724 struct fsg_buffhd *bh; 725 int get_some_more; 726 u32 amount_left_to_req, amount_left_to_write; 727 loff_t usb_offset, file_offset, file_offset_tmp; 728 unsigned int amount; 729 ssize_t nwritten; 730 int rc; 731 732 if (curlun->ro) { 733 curlun->sense_data = SS_WRITE_PROTECTED; 734 return -EINVAL; 735 } 736 spin_lock(&curlun->filp->f_lock); 737 curlun->filp->f_flags &= ~O_SYNC; /* Default is not to wait */ 738 spin_unlock(&curlun->filp->f_lock); 739 740 /* 741 * Get the starting Logical Block Address and check that it's 742 * not too big 743 */ 744 if (common->cmnd[0] == WRITE_6) 745 lba = get_unaligned_be24(&common->cmnd[1]); 746 else { 747 if (common->cmnd[0] == WRITE_16) 748 lba = get_unaligned_be64(&common->cmnd[2]); 749 else /* WRITE_10 or WRITE_12 */ 750 lba = get_unaligned_be32(&common->cmnd[2]); 751 752 /* 753 * We allow DPO (Disable Page Out = don't save data in the 754 * cache) and FUA (Force Unit Access = write directly to the 755 * medium). We don't implement DPO; we implement FUA by 756 * performing synchronous output. 757 */ 758 if (common->cmnd[1] & ~0x18) { 759 curlun->sense_data = SS_INVALID_FIELD_IN_CDB; 760 return -EINVAL; 761 } 762 if (!curlun->nofua && (common->cmnd[1] & 0x08)) { /* FUA */ 763 spin_lock(&curlun->filp->f_lock); 764 curlun->filp->f_flags |= O_SYNC; 765 spin_unlock(&curlun->filp->f_lock); 766 } 767 } 768 if (lba >= curlun->num_sectors) { 769 curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE; 770 return -EINVAL; 771 } 772 773 /* Carry out the file writes */ 774 get_some_more = 1; 775 file_offset = usb_offset = ((loff_t) lba) << curlun->blkbits; 776 amount_left_to_req = common->data_size_from_cmnd; 777 amount_left_to_write = common->data_size_from_cmnd; 778 779 while (amount_left_to_write > 0) { 780 781 /* Queue a request for more data from the host */ 782 bh = common->next_buffhd_to_fill; 783 if (bh->state == BUF_STATE_EMPTY && get_some_more) { 784 785 /* 786 * Figure out how much we want to get: 787 * Try to get the remaining amount, 788 * but not more than the buffer size. 789 */ 790 amount = min(amount_left_to_req, FSG_BUFLEN); 791 792 /* Beyond the end of the backing file? */ 793 if (usb_offset >= curlun->file_length) { 794 get_some_more = 0; 795 curlun->sense_data = 796 SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE; 797 curlun->sense_data_info = 798 usb_offset >> curlun->blkbits; 799 curlun->info_valid = 1; 800 continue; 801 } 802 803 /* Get the next buffer */ 804 usb_offset += amount; 805 common->usb_amount_left -= amount; 806 amount_left_to_req -= amount; 807 if (amount_left_to_req == 0) 808 get_some_more = 0; 809 810 /* 811 * Except at the end of the transfer, amount will be 812 * equal to the buffer size, which is divisible by 813 * the bulk-out maxpacket size. 814 */ 815 set_bulk_out_req_length(common, bh, amount); 816 if (!start_out_transfer(common, bh)) 817 /* Dunno what to do if common->fsg is NULL */ 818 return -EIO; 819 common->next_buffhd_to_fill = bh->next; 820 continue; 821 } 822 823 /* Write the received data to the backing file */ 824 bh = common->next_buffhd_to_drain; 825 if (bh->state == BUF_STATE_EMPTY && !get_some_more) 826 break; /* We stopped early */ 827 828 /* Wait for the data to be received */ 829 rc = sleep_thread(common, false, bh); 830 if (rc) 831 return rc; 832 833 common->next_buffhd_to_drain = bh->next; 834 bh->state = BUF_STATE_EMPTY; 835 836 /* Did something go wrong with the transfer? */ 837 if (bh->outreq->status != 0) { 838 curlun->sense_data = SS_COMMUNICATION_FAILURE; 839 curlun->sense_data_info = 840 file_offset >> curlun->blkbits; 841 curlun->info_valid = 1; 842 break; 843 } 844 845 amount = bh->outreq->actual; 846 if (curlun->file_length - file_offset < amount) { 847 LERROR(curlun, "write %u @ %llu beyond end %llu\n", 848 amount, (unsigned long long)file_offset, 849 (unsigned long long)curlun->file_length); 850 amount = curlun->file_length - file_offset; 851 } 852 853 /* 854 * Don't accept excess data. The spec doesn't say 855 * what to do in this case. We'll ignore the error. 856 */ 857 amount = min(amount, bh->bulk_out_intended_length); 858 859 /* Don't write a partial block */ 860 amount = round_down(amount, curlun->blksize); 861 if (amount == 0) 862 goto empty_write; 863 864 /* Perform the write */ 865 file_offset_tmp = file_offset; 866 nwritten = kernel_write(curlun->filp, bh->buf, amount, 867 &file_offset_tmp); 868 VLDBG(curlun, "file write %u @ %llu -> %d\n", amount, 869 (unsigned long long)file_offset, (int)nwritten); 870 if (signal_pending(current)) 871 return -EINTR; /* Interrupted! */ 872 873 if (nwritten < 0) { 874 LDBG(curlun, "error in file write: %d\n", 875 (int) nwritten); 876 nwritten = 0; 877 } else if (nwritten < amount) { 878 LDBG(curlun, "partial file write: %d/%u\n", 879 (int) nwritten, amount); 880 nwritten = round_down(nwritten, curlun->blksize); 881 } 882 file_offset += nwritten; 883 amount_left_to_write -= nwritten; 884 common->residue -= nwritten; 885 886 /* If an error occurred, report it and its position */ 887 if (nwritten < amount) { 888 curlun->sense_data = SS_WRITE_ERROR; 889 curlun->sense_data_info = 890 file_offset >> curlun->blkbits; 891 curlun->info_valid = 1; 892 break; 893 } 894 895 empty_write: 896 /* Did the host decide to stop early? */ 897 if (bh->outreq->actual < bh->bulk_out_intended_length) { 898 common->short_packet_received = 1; 899 break; 900 } 901 } 902 903 return -EIO; /* No default reply */ 904 } 905 906 907 /*-------------------------------------------------------------------------*/ 908 909 static int do_synchronize_cache(struct fsg_common *common) 910 { 911 struct fsg_lun *curlun = common->curlun; 912 int rc; 913 914 /* We ignore the requested LBA and write out all file's 915 * dirty data buffers. */ 916 rc = fsg_lun_fsync_sub(curlun); 917 if (rc) 918 curlun->sense_data = SS_WRITE_ERROR; 919 return 0; 920 } 921 922 923 /*-------------------------------------------------------------------------*/ 924 925 static void invalidate_sub(struct fsg_lun *curlun) 926 { 927 struct file *filp = curlun->filp; 928 struct inode *inode = file_inode(filp); 929 unsigned long rc; 930 931 rc = invalidate_mapping_pages(inode->i_mapping, 0, -1); 932 VLDBG(curlun, "invalidate_mapping_pages -> %ld\n", rc); 933 } 934 935 static int do_verify(struct fsg_common *common) 936 { 937 struct fsg_lun *curlun = common->curlun; 938 u32 lba; 939 u32 verification_length; 940 struct fsg_buffhd *bh = common->next_buffhd_to_fill; 941 loff_t file_offset, file_offset_tmp; 942 u32 amount_left; 943 unsigned int amount; 944 ssize_t nread; 945 946 /* 947 * Get the starting Logical Block Address and check that it's 948 * not too big. 949 */ 950 lba = get_unaligned_be32(&common->cmnd[2]); 951 if (lba >= curlun->num_sectors) { 952 curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE; 953 return -EINVAL; 954 } 955 956 /* 957 * We allow DPO (Disable Page Out = don't save data in the 958 * cache) but we don't implement it. 959 */ 960 if (common->cmnd[1] & ~0x10) { 961 curlun->sense_data = SS_INVALID_FIELD_IN_CDB; 962 return -EINVAL; 963 } 964 965 verification_length = get_unaligned_be16(&common->cmnd[7]); 966 if (unlikely(verification_length == 0)) 967 return -EIO; /* No default reply */ 968 969 /* Prepare to carry out the file verify */ 970 amount_left = verification_length << curlun->blkbits; 971 file_offset = ((loff_t) lba) << curlun->blkbits; 972 973 /* Write out all the dirty buffers before invalidating them */ 974 fsg_lun_fsync_sub(curlun); 975 if (signal_pending(current)) 976 return -EINTR; 977 978 invalidate_sub(curlun); 979 if (signal_pending(current)) 980 return -EINTR; 981 982 /* Just try to read the requested blocks */ 983 while (amount_left > 0) { 984 /* 985 * Figure out how much we need to read: 986 * Try to read the remaining amount, but not more than 987 * the buffer size. 988 * And don't try to read past the end of the file. 989 */ 990 amount = min(amount_left, FSG_BUFLEN); 991 amount = min((loff_t)amount, 992 curlun->file_length - file_offset); 993 if (amount == 0) { 994 curlun->sense_data = 995 SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE; 996 curlun->sense_data_info = 997 file_offset >> curlun->blkbits; 998 curlun->info_valid = 1; 999 break; 1000 } 1001 1002 /* Perform the read */ 1003 file_offset_tmp = file_offset; 1004 nread = kernel_read(curlun->filp, bh->buf, amount, 1005 &file_offset_tmp); 1006 VLDBG(curlun, "file read %u @ %llu -> %d\n", amount, 1007 (unsigned long long) file_offset, 1008 (int) nread); 1009 if (signal_pending(current)) 1010 return -EINTR; 1011 1012 if (nread < 0) { 1013 LDBG(curlun, "error in file verify: %d\n", (int)nread); 1014 nread = 0; 1015 } else if (nread < amount) { 1016 LDBG(curlun, "partial file verify: %d/%u\n", 1017 (int)nread, amount); 1018 nread = round_down(nread, curlun->blksize); 1019 } 1020 if (nread == 0) { 1021 curlun->sense_data = SS_UNRECOVERED_READ_ERROR; 1022 curlun->sense_data_info = 1023 file_offset >> curlun->blkbits; 1024 curlun->info_valid = 1; 1025 break; 1026 } 1027 file_offset += nread; 1028 amount_left -= nread; 1029 } 1030 return 0; 1031 } 1032 1033 1034 /*-------------------------------------------------------------------------*/ 1035 1036 static int do_inquiry(struct fsg_common *common, struct fsg_buffhd *bh) 1037 { 1038 struct fsg_lun *curlun = common->curlun; 1039 u8 *buf = (u8 *) bh->buf; 1040 1041 if (!curlun) { /* Unsupported LUNs are okay */ 1042 common->bad_lun_okay = 1; 1043 memset(buf, 0, 36); 1044 buf[0] = TYPE_NO_LUN; /* Unsupported, no device-type */ 1045 buf[4] = 31; /* Additional length */ 1046 return 36; 1047 } 1048 1049 buf[0] = curlun->cdrom ? TYPE_ROM : TYPE_DISK; 1050 buf[1] = curlun->removable ? 0x80 : 0; 1051 buf[2] = 2; /* ANSI SCSI level 2 */ 1052 buf[3] = 2; /* SCSI-2 INQUIRY data format */ 1053 buf[4] = 31; /* Additional length */ 1054 buf[5] = 0; /* No special options */ 1055 buf[6] = 0; 1056 buf[7] = 0; 1057 if (curlun->inquiry_string[0]) 1058 memcpy(buf + 8, curlun->inquiry_string, 1059 sizeof(curlun->inquiry_string)); 1060 else 1061 memcpy(buf + 8, common->inquiry_string, 1062 sizeof(common->inquiry_string)); 1063 return 36; 1064 } 1065 1066 static int do_request_sense(struct fsg_common *common, struct fsg_buffhd *bh) 1067 { 1068 struct fsg_lun *curlun = common->curlun; 1069 u8 *buf = (u8 *) bh->buf; 1070 u32 sd, sdinfo; 1071 int valid; 1072 1073 /* 1074 * From the SCSI-2 spec., section 7.9 (Unit attention condition): 1075 * 1076 * If a REQUEST SENSE command is received from an initiator 1077 * with a pending unit attention condition (before the target 1078 * generates the contingent allegiance condition), then the 1079 * target shall either: 1080 * a) report any pending sense data and preserve the unit 1081 * attention condition on the logical unit, or, 1082 * b) report the unit attention condition, may discard any 1083 * pending sense data, and clear the unit attention 1084 * condition on the logical unit for that initiator. 1085 * 1086 * FSG normally uses option a); enable this code to use option b). 1087 */ 1088 #if 0 1089 if (curlun && curlun->unit_attention_data != SS_NO_SENSE) { 1090 curlun->sense_data = curlun->unit_attention_data; 1091 curlun->unit_attention_data = SS_NO_SENSE; 1092 } 1093 #endif 1094 1095 if (!curlun) { /* Unsupported LUNs are okay */ 1096 common->bad_lun_okay = 1; 1097 sd = SS_LOGICAL_UNIT_NOT_SUPPORTED; 1098 sdinfo = 0; 1099 valid = 0; 1100 } else { 1101 sd = curlun->sense_data; 1102 sdinfo = curlun->sense_data_info; 1103 valid = curlun->info_valid << 7; 1104 curlun->sense_data = SS_NO_SENSE; 1105 curlun->sense_data_info = 0; 1106 curlun->info_valid = 0; 1107 } 1108 1109 memset(buf, 0, 18); 1110 buf[0] = valid | 0x70; /* Valid, current error */ 1111 buf[2] = SK(sd); 1112 put_unaligned_be32(sdinfo, &buf[3]); /* Sense information */ 1113 buf[7] = 18 - 8; /* Additional sense length */ 1114 buf[12] = ASC(sd); 1115 buf[13] = ASCQ(sd); 1116 return 18; 1117 } 1118 1119 static int do_read_capacity(struct fsg_common *common, struct fsg_buffhd *bh) 1120 { 1121 struct fsg_lun *curlun = common->curlun; 1122 u32 lba = get_unaligned_be32(&common->cmnd[2]); 1123 int pmi = common->cmnd[8]; 1124 u8 *buf = (u8 *)bh->buf; 1125 u32 max_lba; 1126 1127 /* Check the PMI and LBA fields */ 1128 if (pmi > 1 || (pmi == 0 && lba != 0)) { 1129 curlun->sense_data = SS_INVALID_FIELD_IN_CDB; 1130 return -EINVAL; 1131 } 1132 1133 if (curlun->num_sectors < 0x100000000ULL) 1134 max_lba = curlun->num_sectors - 1; 1135 else 1136 max_lba = 0xffffffff; 1137 put_unaligned_be32(max_lba, &buf[0]); /* Max logical block */ 1138 put_unaligned_be32(curlun->blksize, &buf[4]); /* Block length */ 1139 return 8; 1140 } 1141 1142 static int do_read_capacity_16(struct fsg_common *common, struct fsg_buffhd *bh) 1143 { 1144 struct fsg_lun *curlun = common->curlun; 1145 u64 lba = get_unaligned_be64(&common->cmnd[2]); 1146 int pmi = common->cmnd[14]; 1147 u8 *buf = (u8 *)bh->buf; 1148 1149 /* Check the PMI and LBA fields */ 1150 if (pmi > 1 || (pmi == 0 && lba != 0)) { 1151 curlun->sense_data = SS_INVALID_FIELD_IN_CDB; 1152 return -EINVAL; 1153 } 1154 1155 put_unaligned_be64(curlun->num_sectors - 1, &buf[0]); 1156 /* Max logical block */ 1157 put_unaligned_be32(curlun->blksize, &buf[8]); /* Block length */ 1158 1159 /* It is safe to keep other fields zeroed */ 1160 memset(&buf[12], 0, 32 - 12); 1161 return 32; 1162 } 1163 1164 static int do_read_header(struct fsg_common *common, struct fsg_buffhd *bh) 1165 { 1166 struct fsg_lun *curlun = common->curlun; 1167 int msf = common->cmnd[1] & 0x02; 1168 u32 lba = get_unaligned_be32(&common->cmnd[2]); 1169 u8 *buf = (u8 *)bh->buf; 1170 1171 if (common->cmnd[1] & ~0x02) { /* Mask away MSF */ 1172 curlun->sense_data = SS_INVALID_FIELD_IN_CDB; 1173 return -EINVAL; 1174 } 1175 if (lba >= curlun->num_sectors) { 1176 curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE; 1177 return -EINVAL; 1178 } 1179 1180 memset(buf, 0, 8); 1181 buf[0] = 0x01; /* 2048 bytes of user data, rest is EC */ 1182 store_cdrom_address(&buf[4], msf, lba); 1183 return 8; 1184 } 1185 1186 static int do_read_toc(struct fsg_common *common, struct fsg_buffhd *bh) 1187 { 1188 struct fsg_lun *curlun = common->curlun; 1189 int msf = common->cmnd[1] & 0x02; 1190 int start_track = common->cmnd[6]; 1191 u8 *buf = (u8 *)bh->buf; 1192 u8 format; 1193 int i, len; 1194 1195 format = common->cmnd[2] & 0xf; 1196 1197 if ((common->cmnd[1] & ~0x02) != 0 || /* Mask away MSF */ 1198 (start_track > 1 && format != 0x1)) { 1199 curlun->sense_data = SS_INVALID_FIELD_IN_CDB; 1200 return -EINVAL; 1201 } 1202 1203 /* 1204 * Check if CDB is old style SFF-8020i 1205 * i.e. format is in 2 MSBs of byte 9 1206 * Mac OS-X host sends us this. 1207 */ 1208 if (format == 0) 1209 format = (common->cmnd[9] >> 6) & 0x3; 1210 1211 switch (format) { 1212 case 0: /* Formatted TOC */ 1213 case 1: /* Multi-session info */ 1214 len = 4 + 2*8; /* 4 byte header + 2 descriptors */ 1215 memset(buf, 0, len); 1216 buf[1] = len - 2; /* TOC Length excludes length field */ 1217 buf[2] = 1; /* First track number */ 1218 buf[3] = 1; /* Last track number */ 1219 buf[5] = 0x16; /* Data track, copying allowed */ 1220 buf[6] = 0x01; /* Only track is number 1 */ 1221 store_cdrom_address(&buf[8], msf, 0); 1222 1223 buf[13] = 0x16; /* Lead-out track is data */ 1224 buf[14] = 0xAA; /* Lead-out track number */ 1225 store_cdrom_address(&buf[16], msf, curlun->num_sectors); 1226 return len; 1227 1228 case 2: 1229 /* Raw TOC */ 1230 len = 4 + 3*11; /* 4 byte header + 3 descriptors */ 1231 memset(buf, 0, len); /* Header + A0, A1 & A2 descriptors */ 1232 buf[1] = len - 2; /* TOC Length excludes length field */ 1233 buf[2] = 1; /* First complete session */ 1234 buf[3] = 1; /* Last complete session */ 1235 1236 buf += 4; 1237 /* fill in A0, A1 and A2 points */ 1238 for (i = 0; i < 3; i++) { 1239 buf[0] = 1; /* Session number */ 1240 buf[1] = 0x16; /* Data track, copying allowed */ 1241 /* 2 - Track number 0 -> TOC */ 1242 buf[3] = 0xA0 + i; /* A0, A1, A2 point */ 1243 /* 4, 5, 6 - Min, sec, frame is zero */ 1244 buf[8] = 1; /* Pmin: last track number */ 1245 buf += 11; /* go to next track descriptor */ 1246 } 1247 buf -= 11; /* go back to A2 descriptor */ 1248 1249 /* For A2, 7, 8, 9, 10 - zero, Pmin, Psec, Pframe of Lead out */ 1250 store_cdrom_address(&buf[7], msf, curlun->num_sectors); 1251 return len; 1252 1253 default: 1254 /* PMA, ATIP, CD-TEXT not supported/required */ 1255 curlun->sense_data = SS_INVALID_FIELD_IN_CDB; 1256 return -EINVAL; 1257 } 1258 } 1259 1260 static int do_mode_sense(struct fsg_common *common, struct fsg_buffhd *bh) 1261 { 1262 struct fsg_lun *curlun = common->curlun; 1263 int mscmnd = common->cmnd[0]; 1264 u8 *buf = (u8 *) bh->buf; 1265 u8 *buf0 = buf; 1266 int pc, page_code; 1267 int changeable_values, all_pages; 1268 int valid_page = 0; 1269 int len, limit; 1270 1271 if ((common->cmnd[1] & ~0x08) != 0) { /* Mask away DBD */ 1272 curlun->sense_data = SS_INVALID_FIELD_IN_CDB; 1273 return -EINVAL; 1274 } 1275 pc = common->cmnd[2] >> 6; 1276 page_code = common->cmnd[2] & 0x3f; 1277 if (pc == 3) { 1278 curlun->sense_data = SS_SAVING_PARAMETERS_NOT_SUPPORTED; 1279 return -EINVAL; 1280 } 1281 changeable_values = (pc == 1); 1282 all_pages = (page_code == 0x3f); 1283 1284 /* 1285 * Write the mode parameter header. Fixed values are: default 1286 * medium type, no cache control (DPOFUA), and no block descriptors. 1287 * The only variable value is the WriteProtect bit. We will fill in 1288 * the mode data length later. 1289 */ 1290 memset(buf, 0, 8); 1291 if (mscmnd == MODE_SENSE) { 1292 buf[2] = (curlun->ro ? 0x80 : 0x00); /* WP, DPOFUA */ 1293 buf += 4; 1294 limit = 255; 1295 } else { /* MODE_SENSE_10 */ 1296 buf[3] = (curlun->ro ? 0x80 : 0x00); /* WP, DPOFUA */ 1297 buf += 8; 1298 limit = 65535; /* Should really be FSG_BUFLEN */ 1299 } 1300 1301 /* No block descriptors */ 1302 1303 /* 1304 * The mode pages, in numerical order. The only page we support 1305 * is the Caching page. 1306 */ 1307 if (page_code == 0x08 || all_pages) { 1308 valid_page = 1; 1309 buf[0] = 0x08; /* Page code */ 1310 buf[1] = 10; /* Page length */ 1311 memset(buf+2, 0, 10); /* None of the fields are changeable */ 1312 1313 if (!changeable_values) { 1314 buf[2] = 0x04; /* Write cache enable, */ 1315 /* Read cache not disabled */ 1316 /* No cache retention priorities */ 1317 put_unaligned_be16(0xffff, &buf[4]); 1318 /* Don't disable prefetch */ 1319 /* Minimum prefetch = 0 */ 1320 put_unaligned_be16(0xffff, &buf[8]); 1321 /* Maximum prefetch */ 1322 put_unaligned_be16(0xffff, &buf[10]); 1323 /* Maximum prefetch ceiling */ 1324 } 1325 buf += 12; 1326 } 1327 1328 /* 1329 * Check that a valid page was requested and the mode data length 1330 * isn't too long. 1331 */ 1332 len = buf - buf0; 1333 if (!valid_page || len > limit) { 1334 curlun->sense_data = SS_INVALID_FIELD_IN_CDB; 1335 return -EINVAL; 1336 } 1337 1338 /* Store the mode data length */ 1339 if (mscmnd == MODE_SENSE) 1340 buf0[0] = len - 1; 1341 else 1342 put_unaligned_be16(len - 2, buf0); 1343 return len; 1344 } 1345 1346 static int do_start_stop(struct fsg_common *common) 1347 { 1348 struct fsg_lun *curlun = common->curlun; 1349 int loej, start; 1350 1351 if (!curlun) { 1352 return -EINVAL; 1353 } else if (!curlun->removable) { 1354 curlun->sense_data = SS_INVALID_COMMAND; 1355 return -EINVAL; 1356 } else if ((common->cmnd[1] & ~0x01) != 0 || /* Mask away Immed */ 1357 (common->cmnd[4] & ~0x03) != 0) { /* Mask LoEj, Start */ 1358 curlun->sense_data = SS_INVALID_FIELD_IN_CDB; 1359 return -EINVAL; 1360 } 1361 1362 loej = common->cmnd[4] & 0x02; 1363 start = common->cmnd[4] & 0x01; 1364 1365 /* 1366 * Our emulation doesn't support mounting; the medium is 1367 * available for use as soon as it is loaded. 1368 */ 1369 if (start) { 1370 if (!fsg_lun_is_open(curlun)) { 1371 curlun->sense_data = SS_MEDIUM_NOT_PRESENT; 1372 return -EINVAL; 1373 } 1374 return 0; 1375 } 1376 1377 /* Are we allowed to unload the media? */ 1378 if (curlun->prevent_medium_removal) { 1379 LDBG(curlun, "unload attempt prevented\n"); 1380 curlun->sense_data = SS_MEDIUM_REMOVAL_PREVENTED; 1381 return -EINVAL; 1382 } 1383 1384 if (!loej) 1385 return 0; 1386 1387 up_read(&common->filesem); 1388 down_write(&common->filesem); 1389 fsg_lun_close(curlun); 1390 up_write(&common->filesem); 1391 down_read(&common->filesem); 1392 1393 return 0; 1394 } 1395 1396 static int do_prevent_allow(struct fsg_common *common) 1397 { 1398 struct fsg_lun *curlun = common->curlun; 1399 int prevent; 1400 1401 if (!common->curlun) { 1402 return -EINVAL; 1403 } else if (!common->curlun->removable) { 1404 common->curlun->sense_data = SS_INVALID_COMMAND; 1405 return -EINVAL; 1406 } 1407 1408 prevent = common->cmnd[4] & 0x01; 1409 if ((common->cmnd[4] & ~0x01) != 0) { /* Mask away Prevent */ 1410 curlun->sense_data = SS_INVALID_FIELD_IN_CDB; 1411 return -EINVAL; 1412 } 1413 1414 if (curlun->prevent_medium_removal && !prevent) 1415 fsg_lun_fsync_sub(curlun); 1416 curlun->prevent_medium_removal = prevent; 1417 return 0; 1418 } 1419 1420 static int do_read_format_capacities(struct fsg_common *common, 1421 struct fsg_buffhd *bh) 1422 { 1423 struct fsg_lun *curlun = common->curlun; 1424 u8 *buf = (u8 *) bh->buf; 1425 1426 buf[0] = buf[1] = buf[2] = 0; 1427 buf[3] = 8; /* Only the Current/Maximum Capacity Descriptor */ 1428 buf += 4; 1429 1430 put_unaligned_be32(curlun->num_sectors, &buf[0]); 1431 /* Number of blocks */ 1432 put_unaligned_be32(curlun->blksize, &buf[4]);/* Block length */ 1433 buf[4] = 0x02; /* Current capacity */ 1434 return 12; 1435 } 1436 1437 static int do_mode_select(struct fsg_common *common, struct fsg_buffhd *bh) 1438 { 1439 struct fsg_lun *curlun = common->curlun; 1440 1441 /* We don't support MODE SELECT */ 1442 if (curlun) 1443 curlun->sense_data = SS_INVALID_COMMAND; 1444 return -EINVAL; 1445 } 1446 1447 1448 /*-------------------------------------------------------------------------*/ 1449 1450 static int halt_bulk_in_endpoint(struct fsg_dev *fsg) 1451 { 1452 int rc; 1453 1454 rc = fsg_set_halt(fsg, fsg->bulk_in); 1455 if (rc == -EAGAIN) 1456 VDBG(fsg, "delayed bulk-in endpoint halt\n"); 1457 while (rc != 0) { 1458 if (rc != -EAGAIN) { 1459 WARNING(fsg, "usb_ep_set_halt -> %d\n", rc); 1460 rc = 0; 1461 break; 1462 } 1463 1464 /* Wait for a short time and then try again */ 1465 if (msleep_interruptible(100) != 0) 1466 return -EINTR; 1467 rc = usb_ep_set_halt(fsg->bulk_in); 1468 } 1469 return rc; 1470 } 1471 1472 static int wedge_bulk_in_endpoint(struct fsg_dev *fsg) 1473 { 1474 int rc; 1475 1476 DBG(fsg, "bulk-in set wedge\n"); 1477 rc = usb_ep_set_wedge(fsg->bulk_in); 1478 if (rc == -EAGAIN) 1479 VDBG(fsg, "delayed bulk-in endpoint wedge\n"); 1480 while (rc != 0) { 1481 if (rc != -EAGAIN) { 1482 WARNING(fsg, "usb_ep_set_wedge -> %d\n", rc); 1483 rc = 0; 1484 break; 1485 } 1486 1487 /* Wait for a short time and then try again */ 1488 if (msleep_interruptible(100) != 0) 1489 return -EINTR; 1490 rc = usb_ep_set_wedge(fsg->bulk_in); 1491 } 1492 return rc; 1493 } 1494 1495 static int throw_away_data(struct fsg_common *common) 1496 { 1497 struct fsg_buffhd *bh, *bh2; 1498 u32 amount; 1499 int rc; 1500 1501 for (bh = common->next_buffhd_to_drain; 1502 bh->state != BUF_STATE_EMPTY || common->usb_amount_left > 0; 1503 bh = common->next_buffhd_to_drain) { 1504 1505 /* Try to submit another request if we need one */ 1506 bh2 = common->next_buffhd_to_fill; 1507 if (bh2->state == BUF_STATE_EMPTY && 1508 common->usb_amount_left > 0) { 1509 amount = min(common->usb_amount_left, FSG_BUFLEN); 1510 1511 /* 1512 * Except at the end of the transfer, amount will be 1513 * equal to the buffer size, which is divisible by 1514 * the bulk-out maxpacket size. 1515 */ 1516 set_bulk_out_req_length(common, bh2, amount); 1517 if (!start_out_transfer(common, bh2)) 1518 /* Dunno what to do if common->fsg is NULL */ 1519 return -EIO; 1520 common->next_buffhd_to_fill = bh2->next; 1521 common->usb_amount_left -= amount; 1522 continue; 1523 } 1524 1525 /* Wait for the data to be received */ 1526 rc = sleep_thread(common, false, bh); 1527 if (rc) 1528 return rc; 1529 1530 /* Throw away the data in a filled buffer */ 1531 bh->state = BUF_STATE_EMPTY; 1532 common->next_buffhd_to_drain = bh->next; 1533 1534 /* A short packet or an error ends everything */ 1535 if (bh->outreq->actual < bh->bulk_out_intended_length || 1536 bh->outreq->status != 0) { 1537 raise_exception(common, FSG_STATE_ABORT_BULK_OUT); 1538 return -EINTR; 1539 } 1540 } 1541 return 0; 1542 } 1543 1544 static int finish_reply(struct fsg_common *common) 1545 { 1546 struct fsg_buffhd *bh = common->next_buffhd_to_fill; 1547 int rc = 0; 1548 1549 switch (common->data_dir) { 1550 case DATA_DIR_NONE: 1551 break; /* Nothing to send */ 1552 1553 /* 1554 * If we don't know whether the host wants to read or write, 1555 * this must be CB or CBI with an unknown command. We mustn't 1556 * try to send or receive any data. So stall both bulk pipes 1557 * if we can and wait for a reset. 1558 */ 1559 case DATA_DIR_UNKNOWN: 1560 if (!common->can_stall) { 1561 /* Nothing */ 1562 } else if (fsg_is_set(common)) { 1563 fsg_set_halt(common->fsg, common->fsg->bulk_out); 1564 rc = halt_bulk_in_endpoint(common->fsg); 1565 } else { 1566 /* Don't know what to do if common->fsg is NULL */ 1567 rc = -EIO; 1568 } 1569 break; 1570 1571 /* All but the last buffer of data must have already been sent */ 1572 case DATA_DIR_TO_HOST: 1573 if (common->data_size == 0) { 1574 /* Nothing to send */ 1575 1576 /* Don't know what to do if common->fsg is NULL */ 1577 } else if (!fsg_is_set(common)) { 1578 rc = -EIO; 1579 1580 /* If there's no residue, simply send the last buffer */ 1581 } else if (common->residue == 0) { 1582 bh->inreq->zero = 0; 1583 if (!start_in_transfer(common, bh)) 1584 return -EIO; 1585 common->next_buffhd_to_fill = bh->next; 1586 1587 /* 1588 * For Bulk-only, mark the end of the data with a short 1589 * packet. If we are allowed to stall, halt the bulk-in 1590 * endpoint. (Note: This violates the Bulk-Only Transport 1591 * specification, which requires us to pad the data if we 1592 * don't halt the endpoint. Presumably nobody will mind.) 1593 */ 1594 } else { 1595 bh->inreq->zero = 1; 1596 if (!start_in_transfer(common, bh)) 1597 rc = -EIO; 1598 common->next_buffhd_to_fill = bh->next; 1599 if (common->can_stall) 1600 rc = halt_bulk_in_endpoint(common->fsg); 1601 } 1602 break; 1603 1604 /* 1605 * We have processed all we want from the data the host has sent. 1606 * There may still be outstanding bulk-out requests. 1607 */ 1608 case DATA_DIR_FROM_HOST: 1609 if (common->residue == 0) { 1610 /* Nothing to receive */ 1611 1612 /* Did the host stop sending unexpectedly early? */ 1613 } else if (common->short_packet_received) { 1614 raise_exception(common, FSG_STATE_ABORT_BULK_OUT); 1615 rc = -EINTR; 1616 1617 /* 1618 * We haven't processed all the incoming data. Even though 1619 * we may be allowed to stall, doing so would cause a race. 1620 * The controller may already have ACK'ed all the remaining 1621 * bulk-out packets, in which case the host wouldn't see a 1622 * STALL. Not realizing the endpoint was halted, it wouldn't 1623 * clear the halt -- leading to problems later on. 1624 */ 1625 #if 0 1626 } else if (common->can_stall) { 1627 if (fsg_is_set(common)) 1628 fsg_set_halt(common->fsg, 1629 common->fsg->bulk_out); 1630 raise_exception(common, FSG_STATE_ABORT_BULK_OUT); 1631 rc = -EINTR; 1632 #endif 1633 1634 /* 1635 * We can't stall. Read in the excess data and throw it 1636 * all away. 1637 */ 1638 } else { 1639 rc = throw_away_data(common); 1640 } 1641 break; 1642 } 1643 return rc; 1644 } 1645 1646 static void send_status(struct fsg_common *common) 1647 { 1648 struct fsg_lun *curlun = common->curlun; 1649 struct fsg_buffhd *bh; 1650 struct bulk_cs_wrap *csw; 1651 int rc; 1652 u8 status = US_BULK_STAT_OK; 1653 u32 sd, sdinfo = 0; 1654 1655 /* Wait for the next buffer to become available */ 1656 bh = common->next_buffhd_to_fill; 1657 rc = sleep_thread(common, false, bh); 1658 if (rc) 1659 return; 1660 1661 if (curlun) { 1662 sd = curlun->sense_data; 1663 sdinfo = curlun->sense_data_info; 1664 } else if (common->bad_lun_okay) 1665 sd = SS_NO_SENSE; 1666 else 1667 sd = SS_LOGICAL_UNIT_NOT_SUPPORTED; 1668 1669 if (common->phase_error) { 1670 DBG(common, "sending phase-error status\n"); 1671 status = US_BULK_STAT_PHASE; 1672 sd = SS_INVALID_COMMAND; 1673 } else if (sd != SS_NO_SENSE) { 1674 DBG(common, "sending command-failure status\n"); 1675 status = US_BULK_STAT_FAIL; 1676 VDBG(common, " sense data: SK x%02x, ASC x%02x, ASCQ x%02x;" 1677 " info x%x\n", 1678 SK(sd), ASC(sd), ASCQ(sd), sdinfo); 1679 } 1680 1681 /* Store and send the Bulk-only CSW */ 1682 csw = (void *)bh->buf; 1683 1684 csw->Signature = cpu_to_le32(US_BULK_CS_SIGN); 1685 csw->Tag = common->tag; 1686 csw->Residue = cpu_to_le32(common->residue); 1687 csw->Status = status; 1688 1689 bh->inreq->length = US_BULK_CS_WRAP_LEN; 1690 bh->inreq->zero = 0; 1691 if (!start_in_transfer(common, bh)) 1692 /* Don't know what to do if common->fsg is NULL */ 1693 return; 1694 1695 common->next_buffhd_to_fill = bh->next; 1696 return; 1697 } 1698 1699 1700 /*-------------------------------------------------------------------------*/ 1701 1702 /* 1703 * Check whether the command is properly formed and whether its data size 1704 * and direction agree with the values we already have. 1705 */ 1706 static int check_command(struct fsg_common *common, int cmnd_size, 1707 enum data_direction data_dir, unsigned int mask, 1708 int needs_medium, const char *name) 1709 { 1710 int i; 1711 unsigned int lun = common->cmnd[1] >> 5; 1712 static const char dirletter[4] = {'u', 'o', 'i', 'n'}; 1713 char hdlen[20]; 1714 struct fsg_lun *curlun; 1715 1716 hdlen[0] = 0; 1717 if (common->data_dir != DATA_DIR_UNKNOWN) 1718 sprintf(hdlen, ", H%c=%u", dirletter[(int) common->data_dir], 1719 common->data_size); 1720 VDBG(common, "SCSI command: %s; Dc=%d, D%c=%u; Hc=%d%s\n", 1721 name, cmnd_size, dirletter[(int) data_dir], 1722 common->data_size_from_cmnd, common->cmnd_size, hdlen); 1723 1724 /* 1725 * We can't reply at all until we know the correct data direction 1726 * and size. 1727 */ 1728 if (common->data_size_from_cmnd == 0) 1729 data_dir = DATA_DIR_NONE; 1730 if (common->data_size < common->data_size_from_cmnd) { 1731 /* 1732 * Host data size < Device data size is a phase error. 1733 * Carry out the command, but only transfer as much as 1734 * we are allowed. 1735 */ 1736 common->data_size_from_cmnd = common->data_size; 1737 common->phase_error = 1; 1738 } 1739 common->residue = common->data_size; 1740 common->usb_amount_left = common->data_size; 1741 1742 /* Conflicting data directions is a phase error */ 1743 if (common->data_dir != data_dir && common->data_size_from_cmnd > 0) { 1744 common->phase_error = 1; 1745 return -EINVAL; 1746 } 1747 1748 /* Verify the length of the command itself */ 1749 if (cmnd_size != common->cmnd_size) { 1750 1751 /* 1752 * Special case workaround: There are plenty of buggy SCSI 1753 * implementations. Many have issues with cbw->Length 1754 * field passing a wrong command size. For those cases we 1755 * always try to work around the problem by using the length 1756 * sent by the host side provided it is at least as large 1757 * as the correct command length. 1758 * Examples of such cases would be MS-Windows, which issues 1759 * REQUEST SENSE with cbw->Length == 12 where it should 1760 * be 6, and xbox360 issuing INQUIRY, TEST UNIT READY and 1761 * REQUEST SENSE with cbw->Length == 10 where it should 1762 * be 6 as well. 1763 */ 1764 if (cmnd_size <= common->cmnd_size) { 1765 DBG(common, "%s is buggy! Expected length %d " 1766 "but we got %d\n", name, 1767 cmnd_size, common->cmnd_size); 1768 cmnd_size = common->cmnd_size; 1769 } else { 1770 common->phase_error = 1; 1771 return -EINVAL; 1772 } 1773 } 1774 1775 /* Check that the LUN values are consistent */ 1776 if (common->lun != lun) 1777 DBG(common, "using LUN %u from CBW, not LUN %u from CDB\n", 1778 common->lun, lun); 1779 1780 /* Check the LUN */ 1781 curlun = common->curlun; 1782 if (curlun) { 1783 if (common->cmnd[0] != REQUEST_SENSE) { 1784 curlun->sense_data = SS_NO_SENSE; 1785 curlun->sense_data_info = 0; 1786 curlun->info_valid = 0; 1787 } 1788 } else { 1789 common->bad_lun_okay = 0; 1790 1791 /* 1792 * INQUIRY and REQUEST SENSE commands are explicitly allowed 1793 * to use unsupported LUNs; all others may not. 1794 */ 1795 if (common->cmnd[0] != INQUIRY && 1796 common->cmnd[0] != REQUEST_SENSE) { 1797 DBG(common, "unsupported LUN %u\n", common->lun); 1798 return -EINVAL; 1799 } 1800 } 1801 1802 /* 1803 * If a unit attention condition exists, only INQUIRY and 1804 * REQUEST SENSE commands are allowed; anything else must fail. 1805 */ 1806 if (curlun && curlun->unit_attention_data != SS_NO_SENSE && 1807 common->cmnd[0] != INQUIRY && 1808 common->cmnd[0] != REQUEST_SENSE) { 1809 curlun->sense_data = curlun->unit_attention_data; 1810 curlun->unit_attention_data = SS_NO_SENSE; 1811 return -EINVAL; 1812 } 1813 1814 /* Check that only command bytes listed in the mask are non-zero */ 1815 common->cmnd[1] &= 0x1f; /* Mask away the LUN */ 1816 for (i = 1; i < cmnd_size; ++i) { 1817 if (common->cmnd[i] && !(mask & (1 << i))) { 1818 if (curlun) 1819 curlun->sense_data = SS_INVALID_FIELD_IN_CDB; 1820 return -EINVAL; 1821 } 1822 } 1823 1824 /* If the medium isn't mounted and the command needs to access 1825 * it, return an error. */ 1826 if (curlun && !fsg_lun_is_open(curlun) && needs_medium) { 1827 curlun->sense_data = SS_MEDIUM_NOT_PRESENT; 1828 return -EINVAL; 1829 } 1830 1831 return 0; 1832 } 1833 1834 /* wrapper of check_command for data size in blocks handling */ 1835 static int check_command_size_in_blocks(struct fsg_common *common, 1836 int cmnd_size, enum data_direction data_dir, 1837 unsigned int mask, int needs_medium, const char *name) 1838 { 1839 if (common->curlun) 1840 common->data_size_from_cmnd <<= common->curlun->blkbits; 1841 return check_command(common, cmnd_size, data_dir, 1842 mask, needs_medium, name); 1843 } 1844 1845 static int do_scsi_command(struct fsg_common *common) 1846 { 1847 struct fsg_buffhd *bh; 1848 int rc; 1849 int reply = -EINVAL; 1850 int i; 1851 static char unknown[16]; 1852 1853 dump_cdb(common); 1854 1855 /* Wait for the next buffer to become available for data or status */ 1856 bh = common->next_buffhd_to_fill; 1857 common->next_buffhd_to_drain = bh; 1858 rc = sleep_thread(common, false, bh); 1859 if (rc) 1860 return rc; 1861 1862 common->phase_error = 0; 1863 common->short_packet_received = 0; 1864 1865 down_read(&common->filesem); /* We're using the backing file */ 1866 switch (common->cmnd[0]) { 1867 1868 case INQUIRY: 1869 common->data_size_from_cmnd = common->cmnd[4]; 1870 reply = check_command(common, 6, DATA_DIR_TO_HOST, 1871 (1<<4), 0, 1872 "INQUIRY"); 1873 if (reply == 0) 1874 reply = do_inquiry(common, bh); 1875 break; 1876 1877 case MODE_SELECT: 1878 common->data_size_from_cmnd = common->cmnd[4]; 1879 reply = check_command(common, 6, DATA_DIR_FROM_HOST, 1880 (1<<1) | (1<<4), 0, 1881 "MODE SELECT(6)"); 1882 if (reply == 0) 1883 reply = do_mode_select(common, bh); 1884 break; 1885 1886 case MODE_SELECT_10: 1887 common->data_size_from_cmnd = 1888 get_unaligned_be16(&common->cmnd[7]); 1889 reply = check_command(common, 10, DATA_DIR_FROM_HOST, 1890 (1<<1) | (3<<7), 0, 1891 "MODE SELECT(10)"); 1892 if (reply == 0) 1893 reply = do_mode_select(common, bh); 1894 break; 1895 1896 case MODE_SENSE: 1897 common->data_size_from_cmnd = common->cmnd[4]; 1898 reply = check_command(common, 6, DATA_DIR_TO_HOST, 1899 (1<<1) | (1<<2) | (1<<4), 0, 1900 "MODE SENSE(6)"); 1901 if (reply == 0) 1902 reply = do_mode_sense(common, bh); 1903 break; 1904 1905 case MODE_SENSE_10: 1906 common->data_size_from_cmnd = 1907 get_unaligned_be16(&common->cmnd[7]); 1908 reply = check_command(common, 10, DATA_DIR_TO_HOST, 1909 (1<<1) | (1<<2) | (3<<7), 0, 1910 "MODE SENSE(10)"); 1911 if (reply == 0) 1912 reply = do_mode_sense(common, bh); 1913 break; 1914 1915 case ALLOW_MEDIUM_REMOVAL: 1916 common->data_size_from_cmnd = 0; 1917 reply = check_command(common, 6, DATA_DIR_NONE, 1918 (1<<4), 0, 1919 "PREVENT-ALLOW MEDIUM REMOVAL"); 1920 if (reply == 0) 1921 reply = do_prevent_allow(common); 1922 break; 1923 1924 case READ_6: 1925 i = common->cmnd[4]; 1926 common->data_size_from_cmnd = (i == 0) ? 256 : i; 1927 reply = check_command_size_in_blocks(common, 6, 1928 DATA_DIR_TO_HOST, 1929 (7<<1) | (1<<4), 1, 1930 "READ(6)"); 1931 if (reply == 0) 1932 reply = do_read(common); 1933 break; 1934 1935 case READ_10: 1936 common->data_size_from_cmnd = 1937 get_unaligned_be16(&common->cmnd[7]); 1938 reply = check_command_size_in_blocks(common, 10, 1939 DATA_DIR_TO_HOST, 1940 (1<<1) | (0xf<<2) | (3<<7), 1, 1941 "READ(10)"); 1942 if (reply == 0) 1943 reply = do_read(common); 1944 break; 1945 1946 case READ_12: 1947 common->data_size_from_cmnd = 1948 get_unaligned_be32(&common->cmnd[6]); 1949 reply = check_command_size_in_blocks(common, 12, 1950 DATA_DIR_TO_HOST, 1951 (1<<1) | (0xf<<2) | (0xf<<6), 1, 1952 "READ(12)"); 1953 if (reply == 0) 1954 reply = do_read(common); 1955 break; 1956 1957 case READ_16: 1958 common->data_size_from_cmnd = 1959 get_unaligned_be32(&common->cmnd[10]); 1960 reply = check_command_size_in_blocks(common, 16, 1961 DATA_DIR_TO_HOST, 1962 (1<<1) | (0xff<<2) | (0xf<<10), 1, 1963 "READ(16)"); 1964 if (reply == 0) 1965 reply = do_read(common); 1966 break; 1967 1968 case READ_CAPACITY: 1969 common->data_size_from_cmnd = 8; 1970 reply = check_command(common, 10, DATA_DIR_TO_HOST, 1971 (0xf<<2) | (1<<8), 1, 1972 "READ CAPACITY"); 1973 if (reply == 0) 1974 reply = do_read_capacity(common, bh); 1975 break; 1976 1977 case READ_HEADER: 1978 if (!common->curlun || !common->curlun->cdrom) 1979 goto unknown_cmnd; 1980 common->data_size_from_cmnd = 1981 get_unaligned_be16(&common->cmnd[7]); 1982 reply = check_command(common, 10, DATA_DIR_TO_HOST, 1983 (3<<7) | (0x1f<<1), 1, 1984 "READ HEADER"); 1985 if (reply == 0) 1986 reply = do_read_header(common, bh); 1987 break; 1988 1989 case READ_TOC: 1990 if (!common->curlun || !common->curlun->cdrom) 1991 goto unknown_cmnd; 1992 common->data_size_from_cmnd = 1993 get_unaligned_be16(&common->cmnd[7]); 1994 reply = check_command(common, 10, DATA_DIR_TO_HOST, 1995 (0xf<<6) | (3<<1), 1, 1996 "READ TOC"); 1997 if (reply == 0) 1998 reply = do_read_toc(common, bh); 1999 break; 2000 2001 case READ_FORMAT_CAPACITIES: 2002 common->data_size_from_cmnd = 2003 get_unaligned_be16(&common->cmnd[7]); 2004 reply = check_command(common, 10, DATA_DIR_TO_HOST, 2005 (3<<7), 1, 2006 "READ FORMAT CAPACITIES"); 2007 if (reply == 0) 2008 reply = do_read_format_capacities(common, bh); 2009 break; 2010 2011 case REQUEST_SENSE: 2012 common->data_size_from_cmnd = common->cmnd[4]; 2013 reply = check_command(common, 6, DATA_DIR_TO_HOST, 2014 (1<<4), 0, 2015 "REQUEST SENSE"); 2016 if (reply == 0) 2017 reply = do_request_sense(common, bh); 2018 break; 2019 2020 case SERVICE_ACTION_IN_16: 2021 switch (common->cmnd[1] & 0x1f) { 2022 2023 case SAI_READ_CAPACITY_16: 2024 common->data_size_from_cmnd = 2025 get_unaligned_be32(&common->cmnd[10]); 2026 reply = check_command(common, 16, DATA_DIR_TO_HOST, 2027 (1<<1) | (0xff<<2) | (0xf<<10) | 2028 (1<<14), 1, 2029 "READ CAPACITY(16)"); 2030 if (reply == 0) 2031 reply = do_read_capacity_16(common, bh); 2032 break; 2033 2034 default: 2035 goto unknown_cmnd; 2036 } 2037 break; 2038 2039 case START_STOP: 2040 common->data_size_from_cmnd = 0; 2041 reply = check_command(common, 6, DATA_DIR_NONE, 2042 (1<<1) | (1<<4), 0, 2043 "START-STOP UNIT"); 2044 if (reply == 0) 2045 reply = do_start_stop(common); 2046 break; 2047 2048 case SYNCHRONIZE_CACHE: 2049 common->data_size_from_cmnd = 0; 2050 reply = check_command(common, 10, DATA_DIR_NONE, 2051 (0xf<<2) | (3<<7), 1, 2052 "SYNCHRONIZE CACHE"); 2053 if (reply == 0) 2054 reply = do_synchronize_cache(common); 2055 break; 2056 2057 case TEST_UNIT_READY: 2058 common->data_size_from_cmnd = 0; 2059 reply = check_command(common, 6, DATA_DIR_NONE, 2060 0, 1, 2061 "TEST UNIT READY"); 2062 break; 2063 2064 /* 2065 * Although optional, this command is used by MS-Windows. We 2066 * support a minimal version: BytChk must be 0. 2067 */ 2068 case VERIFY: 2069 common->data_size_from_cmnd = 0; 2070 reply = check_command(common, 10, DATA_DIR_NONE, 2071 (1<<1) | (0xf<<2) | (3<<7), 1, 2072 "VERIFY"); 2073 if (reply == 0) 2074 reply = do_verify(common); 2075 break; 2076 2077 case WRITE_6: 2078 i = common->cmnd[4]; 2079 common->data_size_from_cmnd = (i == 0) ? 256 : i; 2080 reply = check_command_size_in_blocks(common, 6, 2081 DATA_DIR_FROM_HOST, 2082 (7<<1) | (1<<4), 1, 2083 "WRITE(6)"); 2084 if (reply == 0) 2085 reply = do_write(common); 2086 break; 2087 2088 case WRITE_10: 2089 common->data_size_from_cmnd = 2090 get_unaligned_be16(&common->cmnd[7]); 2091 reply = check_command_size_in_blocks(common, 10, 2092 DATA_DIR_FROM_HOST, 2093 (1<<1) | (0xf<<2) | (3<<7), 1, 2094 "WRITE(10)"); 2095 if (reply == 0) 2096 reply = do_write(common); 2097 break; 2098 2099 case WRITE_12: 2100 common->data_size_from_cmnd = 2101 get_unaligned_be32(&common->cmnd[6]); 2102 reply = check_command_size_in_blocks(common, 12, 2103 DATA_DIR_FROM_HOST, 2104 (1<<1) | (0xf<<2) | (0xf<<6), 1, 2105 "WRITE(12)"); 2106 if (reply == 0) 2107 reply = do_write(common); 2108 break; 2109 2110 case WRITE_16: 2111 common->data_size_from_cmnd = 2112 get_unaligned_be32(&common->cmnd[10]); 2113 reply = check_command_size_in_blocks(common, 16, 2114 DATA_DIR_FROM_HOST, 2115 (1<<1) | (0xff<<2) | (0xf<<10), 1, 2116 "WRITE(16)"); 2117 if (reply == 0) 2118 reply = do_write(common); 2119 break; 2120 2121 /* 2122 * Some mandatory commands that we recognize but don't implement. 2123 * They don't mean much in this setting. It's left as an exercise 2124 * for anyone interested to implement RESERVE and RELEASE in terms 2125 * of Posix locks. 2126 */ 2127 case FORMAT_UNIT: 2128 case RELEASE: 2129 case RESERVE: 2130 case SEND_DIAGNOSTIC: 2131 2132 default: 2133 unknown_cmnd: 2134 common->data_size_from_cmnd = 0; 2135 sprintf(unknown, "Unknown x%02x", common->cmnd[0]); 2136 reply = check_command(common, common->cmnd_size, 2137 DATA_DIR_UNKNOWN, ~0, 0, unknown); 2138 if (reply == 0) { 2139 common->curlun->sense_data = SS_INVALID_COMMAND; 2140 reply = -EINVAL; 2141 } 2142 break; 2143 } 2144 up_read(&common->filesem); 2145 2146 if (reply == -EINTR || signal_pending(current)) 2147 return -EINTR; 2148 2149 /* Set up the single reply buffer for finish_reply() */ 2150 if (reply == -EINVAL) 2151 reply = 0; /* Error reply length */ 2152 if (reply >= 0 && common->data_dir == DATA_DIR_TO_HOST) { 2153 reply = min((u32)reply, common->data_size_from_cmnd); 2154 bh->inreq->length = reply; 2155 bh->state = BUF_STATE_FULL; 2156 common->residue -= reply; 2157 } /* Otherwise it's already set */ 2158 2159 return 0; 2160 } 2161 2162 2163 /*-------------------------------------------------------------------------*/ 2164 2165 static int received_cbw(struct fsg_dev *fsg, struct fsg_buffhd *bh) 2166 { 2167 struct usb_request *req = bh->outreq; 2168 struct bulk_cb_wrap *cbw = req->buf; 2169 struct fsg_common *common = fsg->common; 2170 2171 /* Was this a real packet? Should it be ignored? */ 2172 if (req->status || test_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags)) 2173 return -EINVAL; 2174 2175 /* Is the CBW valid? */ 2176 if (req->actual != US_BULK_CB_WRAP_LEN || 2177 cbw->Signature != cpu_to_le32( 2178 US_BULK_CB_SIGN)) { 2179 DBG(fsg, "invalid CBW: len %u sig 0x%x\n", 2180 req->actual, 2181 le32_to_cpu(cbw->Signature)); 2182 2183 /* 2184 * The Bulk-only spec says we MUST stall the IN endpoint 2185 * (6.6.1), so it's unavoidable. It also says we must 2186 * retain this state until the next reset, but there's 2187 * no way to tell the controller driver it should ignore 2188 * Clear-Feature(HALT) requests. 2189 * 2190 * We aren't required to halt the OUT endpoint; instead 2191 * we can simply accept and discard any data received 2192 * until the next reset. 2193 */ 2194 wedge_bulk_in_endpoint(fsg); 2195 set_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags); 2196 return -EINVAL; 2197 } 2198 2199 /* Is the CBW meaningful? */ 2200 if (cbw->Lun >= ARRAY_SIZE(common->luns) || 2201 cbw->Flags & ~US_BULK_FLAG_IN || cbw->Length <= 0 || 2202 cbw->Length > MAX_COMMAND_SIZE) { 2203 DBG(fsg, "non-meaningful CBW: lun = %u, flags = 0x%x, " 2204 "cmdlen %u\n", 2205 cbw->Lun, cbw->Flags, cbw->Length); 2206 2207 /* 2208 * We can do anything we want here, so let's stall the 2209 * bulk pipes if we are allowed to. 2210 */ 2211 if (common->can_stall) { 2212 fsg_set_halt(fsg, fsg->bulk_out); 2213 halt_bulk_in_endpoint(fsg); 2214 } 2215 return -EINVAL; 2216 } 2217 2218 /* Save the command for later */ 2219 common->cmnd_size = cbw->Length; 2220 memcpy(common->cmnd, cbw->CDB, common->cmnd_size); 2221 if (cbw->Flags & US_BULK_FLAG_IN) 2222 common->data_dir = DATA_DIR_TO_HOST; 2223 else 2224 common->data_dir = DATA_DIR_FROM_HOST; 2225 common->data_size = le32_to_cpu(cbw->DataTransferLength); 2226 if (common->data_size == 0) 2227 common->data_dir = DATA_DIR_NONE; 2228 common->lun = cbw->Lun; 2229 if (common->lun < ARRAY_SIZE(common->luns)) 2230 common->curlun = common->luns[common->lun]; 2231 else 2232 common->curlun = NULL; 2233 common->tag = cbw->Tag; 2234 return 0; 2235 } 2236 2237 static int get_next_command(struct fsg_common *common) 2238 { 2239 struct fsg_buffhd *bh; 2240 int rc = 0; 2241 2242 /* Wait for the next buffer to become available */ 2243 bh = common->next_buffhd_to_fill; 2244 rc = sleep_thread(common, true, bh); 2245 if (rc) 2246 return rc; 2247 2248 /* Queue a request to read a Bulk-only CBW */ 2249 set_bulk_out_req_length(common, bh, US_BULK_CB_WRAP_LEN); 2250 if (!start_out_transfer(common, bh)) 2251 /* Don't know what to do if common->fsg is NULL */ 2252 return -EIO; 2253 2254 /* 2255 * We will drain the buffer in software, which means we 2256 * can reuse it for the next filling. No need to advance 2257 * next_buffhd_to_fill. 2258 */ 2259 2260 /* Wait for the CBW to arrive */ 2261 rc = sleep_thread(common, true, bh); 2262 if (rc) 2263 return rc; 2264 2265 rc = fsg_is_set(common) ? received_cbw(common->fsg, bh) : -EIO; 2266 bh->state = BUF_STATE_EMPTY; 2267 2268 return rc; 2269 } 2270 2271 2272 /*-------------------------------------------------------------------------*/ 2273 2274 static int alloc_request(struct fsg_common *common, struct usb_ep *ep, 2275 struct usb_request **preq) 2276 { 2277 *preq = usb_ep_alloc_request(ep, GFP_ATOMIC); 2278 if (*preq) 2279 return 0; 2280 ERROR(common, "can't allocate request for %s\n", ep->name); 2281 return -ENOMEM; 2282 } 2283 2284 /* Reset interface setting and re-init endpoint state (toggle etc). */ 2285 static int do_set_interface(struct fsg_common *common, struct fsg_dev *new_fsg) 2286 { 2287 struct fsg_dev *fsg; 2288 int i, rc = 0; 2289 2290 if (common->running) 2291 DBG(common, "reset interface\n"); 2292 2293 reset: 2294 /* Deallocate the requests */ 2295 if (common->fsg) { 2296 fsg = common->fsg; 2297 2298 for (i = 0; i < common->fsg_num_buffers; ++i) { 2299 struct fsg_buffhd *bh = &common->buffhds[i]; 2300 2301 if (bh->inreq) { 2302 usb_ep_free_request(fsg->bulk_in, bh->inreq); 2303 bh->inreq = NULL; 2304 } 2305 if (bh->outreq) { 2306 usb_ep_free_request(fsg->bulk_out, bh->outreq); 2307 bh->outreq = NULL; 2308 } 2309 } 2310 2311 /* Disable the endpoints */ 2312 if (fsg->bulk_in_enabled) { 2313 usb_ep_disable(fsg->bulk_in); 2314 fsg->bulk_in_enabled = 0; 2315 } 2316 if (fsg->bulk_out_enabled) { 2317 usb_ep_disable(fsg->bulk_out); 2318 fsg->bulk_out_enabled = 0; 2319 } 2320 2321 common->fsg = NULL; 2322 wake_up(&common->fsg_wait); 2323 } 2324 2325 common->running = 0; 2326 if (!new_fsg || rc) 2327 return rc; 2328 2329 common->fsg = new_fsg; 2330 fsg = common->fsg; 2331 2332 /* Enable the endpoints */ 2333 rc = config_ep_by_speed(common->gadget, &(fsg->function), fsg->bulk_in); 2334 if (rc) 2335 goto reset; 2336 rc = usb_ep_enable(fsg->bulk_in); 2337 if (rc) 2338 goto reset; 2339 fsg->bulk_in->driver_data = common; 2340 fsg->bulk_in_enabled = 1; 2341 2342 rc = config_ep_by_speed(common->gadget, &(fsg->function), 2343 fsg->bulk_out); 2344 if (rc) 2345 goto reset; 2346 rc = usb_ep_enable(fsg->bulk_out); 2347 if (rc) 2348 goto reset; 2349 fsg->bulk_out->driver_data = common; 2350 fsg->bulk_out_enabled = 1; 2351 common->bulk_out_maxpacket = usb_endpoint_maxp(fsg->bulk_out->desc); 2352 clear_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags); 2353 2354 /* Allocate the requests */ 2355 for (i = 0; i < common->fsg_num_buffers; ++i) { 2356 struct fsg_buffhd *bh = &common->buffhds[i]; 2357 2358 rc = alloc_request(common, fsg->bulk_in, &bh->inreq); 2359 if (rc) 2360 goto reset; 2361 rc = alloc_request(common, fsg->bulk_out, &bh->outreq); 2362 if (rc) 2363 goto reset; 2364 bh->inreq->buf = bh->outreq->buf = bh->buf; 2365 bh->inreq->context = bh->outreq->context = bh; 2366 bh->inreq->complete = bulk_in_complete; 2367 bh->outreq->complete = bulk_out_complete; 2368 } 2369 2370 common->running = 1; 2371 for (i = 0; i < ARRAY_SIZE(common->luns); ++i) 2372 if (common->luns[i]) 2373 common->luns[i]->unit_attention_data = 2374 SS_RESET_OCCURRED; 2375 return rc; 2376 } 2377 2378 2379 /****************************** ALT CONFIGS ******************************/ 2380 2381 static int fsg_set_alt(struct usb_function *f, unsigned intf, unsigned alt) 2382 { 2383 struct fsg_dev *fsg = fsg_from_func(f); 2384 2385 __raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE, fsg); 2386 return USB_GADGET_DELAYED_STATUS; 2387 } 2388 2389 static void fsg_disable(struct usb_function *f) 2390 { 2391 struct fsg_dev *fsg = fsg_from_func(f); 2392 2393 /* Disable the endpoints */ 2394 if (fsg->bulk_in_enabled) { 2395 usb_ep_disable(fsg->bulk_in); 2396 fsg->bulk_in_enabled = 0; 2397 } 2398 if (fsg->bulk_out_enabled) { 2399 usb_ep_disable(fsg->bulk_out); 2400 fsg->bulk_out_enabled = 0; 2401 } 2402 2403 __raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE, NULL); 2404 } 2405 2406 2407 /*-------------------------------------------------------------------------*/ 2408 2409 static void handle_exception(struct fsg_common *common) 2410 { 2411 int i; 2412 struct fsg_buffhd *bh; 2413 enum fsg_state old_state; 2414 struct fsg_lun *curlun; 2415 unsigned int exception_req_tag; 2416 struct fsg_dev *new_fsg; 2417 2418 /* 2419 * Clear the existing signals. Anything but SIGUSR1 is converted 2420 * into a high-priority EXIT exception. 2421 */ 2422 for (;;) { 2423 int sig = kernel_dequeue_signal(); 2424 if (!sig) 2425 break; 2426 if (sig != SIGUSR1) { 2427 spin_lock_irq(&common->lock); 2428 if (common->state < FSG_STATE_EXIT) 2429 DBG(common, "Main thread exiting on signal\n"); 2430 common->state = FSG_STATE_EXIT; 2431 spin_unlock_irq(&common->lock); 2432 } 2433 } 2434 2435 /* Cancel all the pending transfers */ 2436 if (likely(common->fsg)) { 2437 for (i = 0; i < common->fsg_num_buffers; ++i) { 2438 bh = &common->buffhds[i]; 2439 if (bh->state == BUF_STATE_SENDING) 2440 usb_ep_dequeue(common->fsg->bulk_in, bh->inreq); 2441 if (bh->state == BUF_STATE_RECEIVING) 2442 usb_ep_dequeue(common->fsg->bulk_out, 2443 bh->outreq); 2444 2445 /* Wait for a transfer to become idle */ 2446 if (sleep_thread(common, false, bh)) 2447 return; 2448 } 2449 2450 /* Clear out the controller's fifos */ 2451 if (common->fsg->bulk_in_enabled) 2452 usb_ep_fifo_flush(common->fsg->bulk_in); 2453 if (common->fsg->bulk_out_enabled) 2454 usb_ep_fifo_flush(common->fsg->bulk_out); 2455 } 2456 2457 /* 2458 * Reset the I/O buffer states and pointers, the SCSI 2459 * state, and the exception. Then invoke the handler. 2460 */ 2461 spin_lock_irq(&common->lock); 2462 2463 for (i = 0; i < common->fsg_num_buffers; ++i) { 2464 bh = &common->buffhds[i]; 2465 bh->state = BUF_STATE_EMPTY; 2466 } 2467 common->next_buffhd_to_fill = &common->buffhds[0]; 2468 common->next_buffhd_to_drain = &common->buffhds[0]; 2469 exception_req_tag = common->exception_req_tag; 2470 new_fsg = common->exception_arg; 2471 old_state = common->state; 2472 common->state = FSG_STATE_NORMAL; 2473 2474 if (old_state != FSG_STATE_ABORT_BULK_OUT) { 2475 for (i = 0; i < ARRAY_SIZE(common->luns); ++i) { 2476 curlun = common->luns[i]; 2477 if (!curlun) 2478 continue; 2479 curlun->prevent_medium_removal = 0; 2480 curlun->sense_data = SS_NO_SENSE; 2481 curlun->unit_attention_data = SS_NO_SENSE; 2482 curlun->sense_data_info = 0; 2483 curlun->info_valid = 0; 2484 } 2485 } 2486 spin_unlock_irq(&common->lock); 2487 2488 /* Carry out any extra actions required for the exception */ 2489 switch (old_state) { 2490 case FSG_STATE_NORMAL: 2491 break; 2492 2493 case FSG_STATE_ABORT_BULK_OUT: 2494 send_status(common); 2495 break; 2496 2497 case FSG_STATE_PROTOCOL_RESET: 2498 /* 2499 * In case we were forced against our will to halt a 2500 * bulk endpoint, clear the halt now. (The SuperH UDC 2501 * requires this.) 2502 */ 2503 if (!fsg_is_set(common)) 2504 break; 2505 if (test_and_clear_bit(IGNORE_BULK_OUT, 2506 &common->fsg->atomic_bitflags)) 2507 usb_ep_clear_halt(common->fsg->bulk_in); 2508 2509 if (common->ep0_req_tag == exception_req_tag) 2510 ep0_queue(common); /* Complete the status stage */ 2511 2512 /* 2513 * Technically this should go here, but it would only be 2514 * a waste of time. Ditto for the INTERFACE_CHANGE and 2515 * CONFIG_CHANGE cases. 2516 */ 2517 /* for (i = 0; i < common->ARRAY_SIZE(common->luns); ++i) */ 2518 /* if (common->luns[i]) */ 2519 /* common->luns[i]->unit_attention_data = */ 2520 /* SS_RESET_OCCURRED; */ 2521 break; 2522 2523 case FSG_STATE_CONFIG_CHANGE: 2524 do_set_interface(common, new_fsg); 2525 if (new_fsg) 2526 usb_composite_setup_continue(common->cdev); 2527 break; 2528 2529 case FSG_STATE_EXIT: 2530 do_set_interface(common, NULL); /* Free resources */ 2531 spin_lock_irq(&common->lock); 2532 common->state = FSG_STATE_TERMINATED; /* Stop the thread */ 2533 spin_unlock_irq(&common->lock); 2534 break; 2535 2536 case FSG_STATE_TERMINATED: 2537 break; 2538 } 2539 } 2540 2541 2542 /*-------------------------------------------------------------------------*/ 2543 2544 static int fsg_main_thread(void *common_) 2545 { 2546 struct fsg_common *common = common_; 2547 int i; 2548 2549 /* 2550 * Allow the thread to be killed by a signal, but set the signal mask 2551 * to block everything but INT, TERM, KILL, and USR1. 2552 */ 2553 allow_signal(SIGINT); 2554 allow_signal(SIGTERM); 2555 allow_signal(SIGKILL); 2556 allow_signal(SIGUSR1); 2557 2558 /* Allow the thread to be frozen */ 2559 set_freezable(); 2560 2561 /* The main loop */ 2562 while (common->state != FSG_STATE_TERMINATED) { 2563 if (exception_in_progress(common) || signal_pending(current)) { 2564 handle_exception(common); 2565 continue; 2566 } 2567 2568 if (!common->running) { 2569 sleep_thread(common, true, NULL); 2570 continue; 2571 } 2572 2573 if (get_next_command(common) || exception_in_progress(common)) 2574 continue; 2575 if (do_scsi_command(common) || exception_in_progress(common)) 2576 continue; 2577 if (finish_reply(common) || exception_in_progress(common)) 2578 continue; 2579 send_status(common); 2580 } 2581 2582 spin_lock_irq(&common->lock); 2583 common->thread_task = NULL; 2584 spin_unlock_irq(&common->lock); 2585 2586 /* Eject media from all LUNs */ 2587 2588 down_write(&common->filesem); 2589 for (i = 0; i < ARRAY_SIZE(common->luns); i++) { 2590 struct fsg_lun *curlun = common->luns[i]; 2591 2592 if (curlun && fsg_lun_is_open(curlun)) 2593 fsg_lun_close(curlun); 2594 } 2595 up_write(&common->filesem); 2596 2597 /* Let fsg_unbind() know the thread has exited */ 2598 kthread_complete_and_exit(&common->thread_notifier, 0); 2599 } 2600 2601 2602 /*************************** DEVICE ATTRIBUTES ***************************/ 2603 2604 static ssize_t ro_show(struct device *dev, struct device_attribute *attr, char *buf) 2605 { 2606 struct fsg_lun *curlun = fsg_lun_from_dev(dev); 2607 2608 return fsg_show_ro(curlun, buf); 2609 } 2610 2611 static ssize_t nofua_show(struct device *dev, struct device_attribute *attr, 2612 char *buf) 2613 { 2614 struct fsg_lun *curlun = fsg_lun_from_dev(dev); 2615 2616 return fsg_show_nofua(curlun, buf); 2617 } 2618 2619 static ssize_t file_show(struct device *dev, struct device_attribute *attr, 2620 char *buf) 2621 { 2622 struct fsg_lun *curlun = fsg_lun_from_dev(dev); 2623 struct rw_semaphore *filesem = dev_get_drvdata(dev); 2624 2625 return fsg_show_file(curlun, filesem, buf); 2626 } 2627 2628 static ssize_t ro_store(struct device *dev, struct device_attribute *attr, 2629 const char *buf, size_t count) 2630 { 2631 struct fsg_lun *curlun = fsg_lun_from_dev(dev); 2632 struct rw_semaphore *filesem = dev_get_drvdata(dev); 2633 2634 return fsg_store_ro(curlun, filesem, buf, count); 2635 } 2636 2637 static ssize_t nofua_store(struct device *dev, struct device_attribute *attr, 2638 const char *buf, size_t count) 2639 { 2640 struct fsg_lun *curlun = fsg_lun_from_dev(dev); 2641 2642 return fsg_store_nofua(curlun, buf, count); 2643 } 2644 2645 static ssize_t file_store(struct device *dev, struct device_attribute *attr, 2646 const char *buf, size_t count) 2647 { 2648 struct fsg_lun *curlun = fsg_lun_from_dev(dev); 2649 struct rw_semaphore *filesem = dev_get_drvdata(dev); 2650 2651 return fsg_store_file(curlun, filesem, buf, count); 2652 } 2653 2654 static ssize_t forced_eject_store(struct device *dev, 2655 struct device_attribute *attr, 2656 const char *buf, size_t count) 2657 { 2658 struct fsg_lun *curlun = fsg_lun_from_dev(dev); 2659 struct rw_semaphore *filesem = dev_get_drvdata(dev); 2660 2661 return fsg_store_forced_eject(curlun, filesem, buf, count); 2662 } 2663 2664 static DEVICE_ATTR_RW(nofua); 2665 static DEVICE_ATTR_WO(forced_eject); 2666 2667 /* 2668 * Mode of the ro and file attribute files will be overridden in 2669 * fsg_lun_dev_is_visible() depending on if this is a cdrom, or if it is a 2670 * removable device. 2671 */ 2672 static DEVICE_ATTR_RW(ro); 2673 static DEVICE_ATTR_RW(file); 2674 2675 /****************************** FSG COMMON ******************************/ 2676 2677 static void fsg_lun_release(struct device *dev) 2678 { 2679 /* Nothing needs to be done */ 2680 } 2681 2682 static struct fsg_common *fsg_common_setup(struct fsg_common *common) 2683 { 2684 if (!common) { 2685 common = kzalloc(sizeof(*common), GFP_KERNEL); 2686 if (!common) 2687 return ERR_PTR(-ENOMEM); 2688 common->free_storage_on_release = 1; 2689 } else { 2690 common->free_storage_on_release = 0; 2691 } 2692 init_rwsem(&common->filesem); 2693 spin_lock_init(&common->lock); 2694 init_completion(&common->thread_notifier); 2695 init_waitqueue_head(&common->io_wait); 2696 init_waitqueue_head(&common->fsg_wait); 2697 common->state = FSG_STATE_TERMINATED; 2698 memset(common->luns, 0, sizeof(common->luns)); 2699 2700 return common; 2701 } 2702 2703 void fsg_common_set_sysfs(struct fsg_common *common, bool sysfs) 2704 { 2705 common->sysfs = sysfs; 2706 } 2707 EXPORT_SYMBOL_GPL(fsg_common_set_sysfs); 2708 2709 static void _fsg_common_free_buffers(struct fsg_buffhd *buffhds, unsigned n) 2710 { 2711 if (buffhds) { 2712 struct fsg_buffhd *bh = buffhds; 2713 while (n--) { 2714 kfree(bh->buf); 2715 ++bh; 2716 } 2717 kfree(buffhds); 2718 } 2719 } 2720 2721 int fsg_common_set_num_buffers(struct fsg_common *common, unsigned int n) 2722 { 2723 struct fsg_buffhd *bh, *buffhds; 2724 int i; 2725 2726 buffhds = kcalloc(n, sizeof(*buffhds), GFP_KERNEL); 2727 if (!buffhds) 2728 return -ENOMEM; 2729 2730 /* Data buffers cyclic list */ 2731 bh = buffhds; 2732 i = n; 2733 goto buffhds_first_it; 2734 do { 2735 bh->next = bh + 1; 2736 ++bh; 2737 buffhds_first_it: 2738 bh->buf = kmalloc(FSG_BUFLEN, GFP_KERNEL); 2739 if (unlikely(!bh->buf)) 2740 goto error_release; 2741 } while (--i); 2742 bh->next = buffhds; 2743 2744 _fsg_common_free_buffers(common->buffhds, common->fsg_num_buffers); 2745 common->fsg_num_buffers = n; 2746 common->buffhds = buffhds; 2747 2748 return 0; 2749 2750 error_release: 2751 /* 2752 * "buf"s pointed to by heads after n - i are NULL 2753 * so releasing them won't hurt 2754 */ 2755 _fsg_common_free_buffers(buffhds, n); 2756 2757 return -ENOMEM; 2758 } 2759 EXPORT_SYMBOL_GPL(fsg_common_set_num_buffers); 2760 2761 void fsg_common_remove_lun(struct fsg_lun *lun) 2762 { 2763 if (device_is_registered(&lun->dev)) 2764 device_unregister(&lun->dev); 2765 fsg_lun_close(lun); 2766 kfree(lun); 2767 } 2768 EXPORT_SYMBOL_GPL(fsg_common_remove_lun); 2769 2770 static void _fsg_common_remove_luns(struct fsg_common *common, int n) 2771 { 2772 int i; 2773 2774 for (i = 0; i < n; ++i) 2775 if (common->luns[i]) { 2776 fsg_common_remove_lun(common->luns[i]); 2777 common->luns[i] = NULL; 2778 } 2779 } 2780 2781 void fsg_common_remove_luns(struct fsg_common *common) 2782 { 2783 _fsg_common_remove_luns(common, ARRAY_SIZE(common->luns)); 2784 } 2785 EXPORT_SYMBOL_GPL(fsg_common_remove_luns); 2786 2787 void fsg_common_free_buffers(struct fsg_common *common) 2788 { 2789 _fsg_common_free_buffers(common->buffhds, common->fsg_num_buffers); 2790 common->buffhds = NULL; 2791 } 2792 EXPORT_SYMBOL_GPL(fsg_common_free_buffers); 2793 2794 int fsg_common_set_cdev(struct fsg_common *common, 2795 struct usb_composite_dev *cdev, bool can_stall) 2796 { 2797 struct usb_string *us; 2798 2799 common->gadget = cdev->gadget; 2800 common->ep0 = cdev->gadget->ep0; 2801 common->ep0req = cdev->req; 2802 common->cdev = cdev; 2803 2804 us = usb_gstrings_attach(cdev, fsg_strings_array, 2805 ARRAY_SIZE(fsg_strings)); 2806 if (IS_ERR(us)) 2807 return PTR_ERR(us); 2808 2809 fsg_intf_desc.iInterface = us[FSG_STRING_INTERFACE].id; 2810 2811 /* 2812 * Some peripheral controllers are known not to be able to 2813 * halt bulk endpoints correctly. If one of them is present, 2814 * disable stalls. 2815 */ 2816 common->can_stall = can_stall && 2817 gadget_is_stall_supported(common->gadget); 2818 2819 return 0; 2820 } 2821 EXPORT_SYMBOL_GPL(fsg_common_set_cdev); 2822 2823 static struct attribute *fsg_lun_dev_attrs[] = { 2824 &dev_attr_ro.attr, 2825 &dev_attr_file.attr, 2826 &dev_attr_nofua.attr, 2827 &dev_attr_forced_eject.attr, 2828 NULL 2829 }; 2830 2831 static umode_t fsg_lun_dev_is_visible(struct kobject *kobj, 2832 struct attribute *attr, int idx) 2833 { 2834 struct device *dev = kobj_to_dev(kobj); 2835 struct fsg_lun *lun = fsg_lun_from_dev(dev); 2836 2837 if (attr == &dev_attr_ro.attr) 2838 return lun->cdrom ? S_IRUGO : (S_IWUSR | S_IRUGO); 2839 if (attr == &dev_attr_file.attr) 2840 return lun->removable ? (S_IWUSR | S_IRUGO) : S_IRUGO; 2841 return attr->mode; 2842 } 2843 2844 static const struct attribute_group fsg_lun_dev_group = { 2845 .attrs = fsg_lun_dev_attrs, 2846 .is_visible = fsg_lun_dev_is_visible, 2847 }; 2848 2849 static const struct attribute_group *fsg_lun_dev_groups[] = { 2850 &fsg_lun_dev_group, 2851 NULL 2852 }; 2853 2854 int fsg_common_create_lun(struct fsg_common *common, struct fsg_lun_config *cfg, 2855 unsigned int id, const char *name, 2856 const char **name_pfx) 2857 { 2858 struct fsg_lun *lun; 2859 char *pathbuf, *p; 2860 int rc = -ENOMEM; 2861 2862 if (id >= ARRAY_SIZE(common->luns)) 2863 return -ENODEV; 2864 2865 if (common->luns[id]) 2866 return -EBUSY; 2867 2868 if (!cfg->filename && !cfg->removable) { 2869 pr_err("no file given for LUN%d\n", id); 2870 return -EINVAL; 2871 } 2872 2873 lun = kzalloc(sizeof(*lun), GFP_KERNEL); 2874 if (!lun) 2875 return -ENOMEM; 2876 2877 lun->name_pfx = name_pfx; 2878 2879 lun->cdrom = !!cfg->cdrom; 2880 lun->ro = cfg->cdrom || cfg->ro; 2881 lun->initially_ro = lun->ro; 2882 lun->removable = !!cfg->removable; 2883 2884 if (!common->sysfs) { 2885 /* we DON'T own the name!*/ 2886 lun->name = name; 2887 } else { 2888 lun->dev.release = fsg_lun_release; 2889 lun->dev.parent = &common->gadget->dev; 2890 lun->dev.groups = fsg_lun_dev_groups; 2891 dev_set_drvdata(&lun->dev, &common->filesem); 2892 dev_set_name(&lun->dev, "%s", name); 2893 lun->name = dev_name(&lun->dev); 2894 2895 rc = device_register(&lun->dev); 2896 if (rc) { 2897 pr_info("failed to register LUN%d: %d\n", id, rc); 2898 put_device(&lun->dev); 2899 goto error_sysfs; 2900 } 2901 } 2902 2903 common->luns[id] = lun; 2904 2905 if (cfg->filename) { 2906 rc = fsg_lun_open(lun, cfg->filename); 2907 if (rc) 2908 goto error_lun; 2909 } 2910 2911 pathbuf = kmalloc(PATH_MAX, GFP_KERNEL); 2912 p = "(no medium)"; 2913 if (fsg_lun_is_open(lun)) { 2914 p = "(error)"; 2915 if (pathbuf) { 2916 p = file_path(lun->filp, pathbuf, PATH_MAX); 2917 if (IS_ERR(p)) 2918 p = "(error)"; 2919 } 2920 } 2921 pr_info("LUN: %s%s%sfile: %s\n", 2922 lun->removable ? "removable " : "", 2923 lun->ro ? "read only " : "", 2924 lun->cdrom ? "CD-ROM " : "", 2925 p); 2926 kfree(pathbuf); 2927 2928 return 0; 2929 2930 error_lun: 2931 if (device_is_registered(&lun->dev)) 2932 device_unregister(&lun->dev); 2933 fsg_lun_close(lun); 2934 common->luns[id] = NULL; 2935 error_sysfs: 2936 kfree(lun); 2937 return rc; 2938 } 2939 EXPORT_SYMBOL_GPL(fsg_common_create_lun); 2940 2941 int fsg_common_create_luns(struct fsg_common *common, struct fsg_config *cfg) 2942 { 2943 char buf[8]; /* enough for 100000000 different numbers, decimal */ 2944 int i, rc; 2945 2946 fsg_common_remove_luns(common); 2947 2948 for (i = 0; i < cfg->nluns; ++i) { 2949 snprintf(buf, sizeof(buf), "lun%d", i); 2950 rc = fsg_common_create_lun(common, &cfg->luns[i], i, buf, NULL); 2951 if (rc) 2952 goto fail; 2953 } 2954 2955 pr_info("Number of LUNs=%d\n", cfg->nluns); 2956 2957 return 0; 2958 2959 fail: 2960 _fsg_common_remove_luns(common, i); 2961 return rc; 2962 } 2963 EXPORT_SYMBOL_GPL(fsg_common_create_luns); 2964 2965 void fsg_common_set_inquiry_string(struct fsg_common *common, const char *vn, 2966 const char *pn) 2967 { 2968 int i; 2969 2970 /* Prepare inquiryString */ 2971 i = get_default_bcdDevice(); 2972 snprintf(common->inquiry_string, sizeof(common->inquiry_string), 2973 "%-8s%-16s%04x", vn ?: "Linux", 2974 /* Assume product name dependent on the first LUN */ 2975 pn ?: ((*common->luns)->cdrom 2976 ? "File-CD Gadget" 2977 : "File-Stor Gadget"), 2978 i); 2979 } 2980 EXPORT_SYMBOL_GPL(fsg_common_set_inquiry_string); 2981 2982 static void fsg_common_release(struct fsg_common *common) 2983 { 2984 int i; 2985 2986 /* If the thread isn't already dead, tell it to exit now */ 2987 if (common->state != FSG_STATE_TERMINATED) { 2988 raise_exception(common, FSG_STATE_EXIT); 2989 wait_for_completion(&common->thread_notifier); 2990 } 2991 2992 for (i = 0; i < ARRAY_SIZE(common->luns); ++i) { 2993 struct fsg_lun *lun = common->luns[i]; 2994 if (!lun) 2995 continue; 2996 fsg_lun_close(lun); 2997 if (device_is_registered(&lun->dev)) 2998 device_unregister(&lun->dev); 2999 kfree(lun); 3000 } 3001 3002 _fsg_common_free_buffers(common->buffhds, common->fsg_num_buffers); 3003 if (common->free_storage_on_release) 3004 kfree(common); 3005 } 3006 3007 3008 /*-------------------------------------------------------------------------*/ 3009 3010 static int fsg_bind(struct usb_configuration *c, struct usb_function *f) 3011 { 3012 struct fsg_dev *fsg = fsg_from_func(f); 3013 struct fsg_common *common = fsg->common; 3014 struct usb_gadget *gadget = c->cdev->gadget; 3015 int i; 3016 struct usb_ep *ep; 3017 unsigned max_burst; 3018 int ret; 3019 struct fsg_opts *opts; 3020 3021 /* Don't allow to bind if we don't have at least one LUN */ 3022 ret = _fsg_common_get_max_lun(common); 3023 if (ret < 0) { 3024 pr_err("There should be at least one LUN.\n"); 3025 return -EINVAL; 3026 } 3027 3028 opts = fsg_opts_from_func_inst(f->fi); 3029 if (!opts->no_configfs) { 3030 ret = fsg_common_set_cdev(fsg->common, c->cdev, 3031 fsg->common->can_stall); 3032 if (ret) 3033 return ret; 3034 fsg_common_set_inquiry_string(fsg->common, NULL, NULL); 3035 } 3036 3037 if (!common->thread_task) { 3038 common->state = FSG_STATE_NORMAL; 3039 common->thread_task = 3040 kthread_create(fsg_main_thread, common, "file-storage"); 3041 if (IS_ERR(common->thread_task)) { 3042 ret = PTR_ERR(common->thread_task); 3043 common->thread_task = NULL; 3044 common->state = FSG_STATE_TERMINATED; 3045 return ret; 3046 } 3047 DBG(common, "I/O thread pid: %d\n", 3048 task_pid_nr(common->thread_task)); 3049 wake_up_process(common->thread_task); 3050 } 3051 3052 fsg->gadget = gadget; 3053 3054 /* New interface */ 3055 i = usb_interface_id(c, f); 3056 if (i < 0) 3057 goto fail; 3058 fsg_intf_desc.bInterfaceNumber = i; 3059 fsg->interface_number = i; 3060 3061 /* Find all the endpoints we will use */ 3062 ep = usb_ep_autoconfig(gadget, &fsg_fs_bulk_in_desc); 3063 if (!ep) 3064 goto autoconf_fail; 3065 fsg->bulk_in = ep; 3066 3067 ep = usb_ep_autoconfig(gadget, &fsg_fs_bulk_out_desc); 3068 if (!ep) 3069 goto autoconf_fail; 3070 fsg->bulk_out = ep; 3071 3072 /* Assume endpoint addresses are the same for both speeds */ 3073 fsg_hs_bulk_in_desc.bEndpointAddress = 3074 fsg_fs_bulk_in_desc.bEndpointAddress; 3075 fsg_hs_bulk_out_desc.bEndpointAddress = 3076 fsg_fs_bulk_out_desc.bEndpointAddress; 3077 3078 /* Calculate bMaxBurst, we know packet size is 1024 */ 3079 max_burst = min_t(unsigned, FSG_BUFLEN / 1024, 15); 3080 3081 fsg_ss_bulk_in_desc.bEndpointAddress = 3082 fsg_fs_bulk_in_desc.bEndpointAddress; 3083 fsg_ss_bulk_in_comp_desc.bMaxBurst = max_burst; 3084 3085 fsg_ss_bulk_out_desc.bEndpointAddress = 3086 fsg_fs_bulk_out_desc.bEndpointAddress; 3087 fsg_ss_bulk_out_comp_desc.bMaxBurst = max_burst; 3088 3089 ret = usb_assign_descriptors(f, fsg_fs_function, fsg_hs_function, 3090 fsg_ss_function, fsg_ss_function); 3091 if (ret) 3092 goto autoconf_fail; 3093 3094 return 0; 3095 3096 autoconf_fail: 3097 ERROR(fsg, "unable to autoconfigure all endpoints\n"); 3098 i = -ENOTSUPP; 3099 fail: 3100 /* terminate the thread */ 3101 if (fsg->common->state != FSG_STATE_TERMINATED) { 3102 raise_exception(fsg->common, FSG_STATE_EXIT); 3103 wait_for_completion(&fsg->common->thread_notifier); 3104 } 3105 return i; 3106 } 3107 3108 /****************************** ALLOCATE FUNCTION *************************/ 3109 3110 static void fsg_unbind(struct usb_configuration *c, struct usb_function *f) 3111 { 3112 struct fsg_dev *fsg = fsg_from_func(f); 3113 struct fsg_common *common = fsg->common; 3114 3115 DBG(fsg, "unbind\n"); 3116 if (fsg->common->fsg == fsg) { 3117 __raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE, NULL); 3118 /* FIXME: make interruptible or killable somehow? */ 3119 wait_event(common->fsg_wait, common->fsg != fsg); 3120 } 3121 3122 usb_free_all_descriptors(&fsg->function); 3123 } 3124 3125 static inline struct fsg_lun_opts *to_fsg_lun_opts(struct config_item *item) 3126 { 3127 return container_of(to_config_group(item), struct fsg_lun_opts, group); 3128 } 3129 3130 static inline struct fsg_opts *to_fsg_opts(struct config_item *item) 3131 { 3132 return container_of(to_config_group(item), struct fsg_opts, 3133 func_inst.group); 3134 } 3135 3136 static void fsg_lun_attr_release(struct config_item *item) 3137 { 3138 struct fsg_lun_opts *lun_opts; 3139 3140 lun_opts = to_fsg_lun_opts(item); 3141 kfree(lun_opts); 3142 } 3143 3144 static struct configfs_item_operations fsg_lun_item_ops = { 3145 .release = fsg_lun_attr_release, 3146 }; 3147 3148 static ssize_t fsg_lun_opts_file_show(struct config_item *item, char *page) 3149 { 3150 struct fsg_lun_opts *opts = to_fsg_lun_opts(item); 3151 struct fsg_opts *fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent); 3152 3153 return fsg_show_file(opts->lun, &fsg_opts->common->filesem, page); 3154 } 3155 3156 static ssize_t fsg_lun_opts_file_store(struct config_item *item, 3157 const char *page, size_t len) 3158 { 3159 struct fsg_lun_opts *opts = to_fsg_lun_opts(item); 3160 struct fsg_opts *fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent); 3161 3162 return fsg_store_file(opts->lun, &fsg_opts->common->filesem, page, len); 3163 } 3164 3165 CONFIGFS_ATTR(fsg_lun_opts_, file); 3166 3167 static ssize_t fsg_lun_opts_ro_show(struct config_item *item, char *page) 3168 { 3169 return fsg_show_ro(to_fsg_lun_opts(item)->lun, page); 3170 } 3171 3172 static ssize_t fsg_lun_opts_ro_store(struct config_item *item, 3173 const char *page, size_t len) 3174 { 3175 struct fsg_lun_opts *opts = to_fsg_lun_opts(item); 3176 struct fsg_opts *fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent); 3177 3178 return fsg_store_ro(opts->lun, &fsg_opts->common->filesem, page, len); 3179 } 3180 3181 CONFIGFS_ATTR(fsg_lun_opts_, ro); 3182 3183 static ssize_t fsg_lun_opts_removable_show(struct config_item *item, 3184 char *page) 3185 { 3186 return fsg_show_removable(to_fsg_lun_opts(item)->lun, page); 3187 } 3188 3189 static ssize_t fsg_lun_opts_removable_store(struct config_item *item, 3190 const char *page, size_t len) 3191 { 3192 return fsg_store_removable(to_fsg_lun_opts(item)->lun, page, len); 3193 } 3194 3195 CONFIGFS_ATTR(fsg_lun_opts_, removable); 3196 3197 static ssize_t fsg_lun_opts_cdrom_show(struct config_item *item, char *page) 3198 { 3199 return fsg_show_cdrom(to_fsg_lun_opts(item)->lun, page); 3200 } 3201 3202 static ssize_t fsg_lun_opts_cdrom_store(struct config_item *item, 3203 const char *page, size_t len) 3204 { 3205 struct fsg_lun_opts *opts = to_fsg_lun_opts(item); 3206 struct fsg_opts *fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent); 3207 3208 return fsg_store_cdrom(opts->lun, &fsg_opts->common->filesem, page, 3209 len); 3210 } 3211 3212 CONFIGFS_ATTR(fsg_lun_opts_, cdrom); 3213 3214 static ssize_t fsg_lun_opts_nofua_show(struct config_item *item, char *page) 3215 { 3216 return fsg_show_nofua(to_fsg_lun_opts(item)->lun, page); 3217 } 3218 3219 static ssize_t fsg_lun_opts_nofua_store(struct config_item *item, 3220 const char *page, size_t len) 3221 { 3222 return fsg_store_nofua(to_fsg_lun_opts(item)->lun, page, len); 3223 } 3224 3225 CONFIGFS_ATTR(fsg_lun_opts_, nofua); 3226 3227 static ssize_t fsg_lun_opts_inquiry_string_show(struct config_item *item, 3228 char *page) 3229 { 3230 return fsg_show_inquiry_string(to_fsg_lun_opts(item)->lun, page); 3231 } 3232 3233 static ssize_t fsg_lun_opts_inquiry_string_store(struct config_item *item, 3234 const char *page, size_t len) 3235 { 3236 return fsg_store_inquiry_string(to_fsg_lun_opts(item)->lun, page, len); 3237 } 3238 3239 CONFIGFS_ATTR(fsg_lun_opts_, inquiry_string); 3240 3241 static ssize_t fsg_lun_opts_forced_eject_store(struct config_item *item, 3242 const char *page, size_t len) 3243 { 3244 struct fsg_lun_opts *opts = to_fsg_lun_opts(item); 3245 struct fsg_opts *fsg_opts = to_fsg_opts(opts->group.cg_item.ci_parent); 3246 3247 return fsg_store_forced_eject(opts->lun, &fsg_opts->common->filesem, 3248 page, len); 3249 } 3250 3251 CONFIGFS_ATTR_WO(fsg_lun_opts_, forced_eject); 3252 3253 static struct configfs_attribute *fsg_lun_attrs[] = { 3254 &fsg_lun_opts_attr_file, 3255 &fsg_lun_opts_attr_ro, 3256 &fsg_lun_opts_attr_removable, 3257 &fsg_lun_opts_attr_cdrom, 3258 &fsg_lun_opts_attr_nofua, 3259 &fsg_lun_opts_attr_inquiry_string, 3260 &fsg_lun_opts_attr_forced_eject, 3261 NULL, 3262 }; 3263 3264 static const struct config_item_type fsg_lun_type = { 3265 .ct_item_ops = &fsg_lun_item_ops, 3266 .ct_attrs = fsg_lun_attrs, 3267 .ct_owner = THIS_MODULE, 3268 }; 3269 3270 static struct config_group *fsg_lun_make(struct config_group *group, 3271 const char *name) 3272 { 3273 struct fsg_lun_opts *opts; 3274 struct fsg_opts *fsg_opts; 3275 struct fsg_lun_config config; 3276 char *num_str; 3277 u8 num; 3278 int ret; 3279 3280 num_str = strchr(name, '.'); 3281 if (!num_str) { 3282 pr_err("Unable to locate . in LUN.NUMBER\n"); 3283 return ERR_PTR(-EINVAL); 3284 } 3285 num_str++; 3286 3287 ret = kstrtou8(num_str, 0, &num); 3288 if (ret) 3289 return ERR_PTR(ret); 3290 3291 fsg_opts = to_fsg_opts(&group->cg_item); 3292 if (num >= FSG_MAX_LUNS) 3293 return ERR_PTR(-ERANGE); 3294 num = array_index_nospec(num, FSG_MAX_LUNS); 3295 3296 mutex_lock(&fsg_opts->lock); 3297 if (fsg_opts->refcnt || fsg_opts->common->luns[num]) { 3298 ret = -EBUSY; 3299 goto out; 3300 } 3301 3302 opts = kzalloc(sizeof(*opts), GFP_KERNEL); 3303 if (!opts) { 3304 ret = -ENOMEM; 3305 goto out; 3306 } 3307 3308 memset(&config, 0, sizeof(config)); 3309 config.removable = true; 3310 3311 ret = fsg_common_create_lun(fsg_opts->common, &config, num, name, 3312 (const char **)&group->cg_item.ci_name); 3313 if (ret) { 3314 kfree(opts); 3315 goto out; 3316 } 3317 opts->lun = fsg_opts->common->luns[num]; 3318 opts->lun_id = num; 3319 mutex_unlock(&fsg_opts->lock); 3320 3321 config_group_init_type_name(&opts->group, name, &fsg_lun_type); 3322 3323 return &opts->group; 3324 out: 3325 mutex_unlock(&fsg_opts->lock); 3326 return ERR_PTR(ret); 3327 } 3328 3329 static void fsg_lun_drop(struct config_group *group, struct config_item *item) 3330 { 3331 struct fsg_lun_opts *lun_opts; 3332 struct fsg_opts *fsg_opts; 3333 3334 lun_opts = to_fsg_lun_opts(item); 3335 fsg_opts = to_fsg_opts(&group->cg_item); 3336 3337 mutex_lock(&fsg_opts->lock); 3338 if (fsg_opts->refcnt) { 3339 struct config_item *gadget; 3340 3341 gadget = group->cg_item.ci_parent->ci_parent; 3342 unregister_gadget_item(gadget); 3343 } 3344 3345 fsg_common_remove_lun(lun_opts->lun); 3346 fsg_opts->common->luns[lun_opts->lun_id] = NULL; 3347 lun_opts->lun_id = 0; 3348 mutex_unlock(&fsg_opts->lock); 3349 3350 config_item_put(item); 3351 } 3352 3353 static void fsg_attr_release(struct config_item *item) 3354 { 3355 struct fsg_opts *opts = to_fsg_opts(item); 3356 3357 usb_put_function_instance(&opts->func_inst); 3358 } 3359 3360 static struct configfs_item_operations fsg_item_ops = { 3361 .release = fsg_attr_release, 3362 }; 3363 3364 static ssize_t fsg_opts_stall_show(struct config_item *item, char *page) 3365 { 3366 struct fsg_opts *opts = to_fsg_opts(item); 3367 int result; 3368 3369 mutex_lock(&opts->lock); 3370 result = sprintf(page, "%d", opts->common->can_stall); 3371 mutex_unlock(&opts->lock); 3372 3373 return result; 3374 } 3375 3376 static ssize_t fsg_opts_stall_store(struct config_item *item, const char *page, 3377 size_t len) 3378 { 3379 struct fsg_opts *opts = to_fsg_opts(item); 3380 int ret; 3381 bool stall; 3382 3383 mutex_lock(&opts->lock); 3384 3385 if (opts->refcnt) { 3386 mutex_unlock(&opts->lock); 3387 return -EBUSY; 3388 } 3389 3390 ret = strtobool(page, &stall); 3391 if (!ret) { 3392 opts->common->can_stall = stall; 3393 ret = len; 3394 } 3395 3396 mutex_unlock(&opts->lock); 3397 3398 return ret; 3399 } 3400 3401 CONFIGFS_ATTR(fsg_opts_, stall); 3402 3403 #ifdef CONFIG_USB_GADGET_DEBUG_FILES 3404 static ssize_t fsg_opts_num_buffers_show(struct config_item *item, char *page) 3405 { 3406 struct fsg_opts *opts = to_fsg_opts(item); 3407 int result; 3408 3409 mutex_lock(&opts->lock); 3410 result = sprintf(page, "%d", opts->common->fsg_num_buffers); 3411 mutex_unlock(&opts->lock); 3412 3413 return result; 3414 } 3415 3416 static ssize_t fsg_opts_num_buffers_store(struct config_item *item, 3417 const char *page, size_t len) 3418 { 3419 struct fsg_opts *opts = to_fsg_opts(item); 3420 int ret; 3421 u8 num; 3422 3423 mutex_lock(&opts->lock); 3424 if (opts->refcnt) { 3425 ret = -EBUSY; 3426 goto end; 3427 } 3428 ret = kstrtou8(page, 0, &num); 3429 if (ret) 3430 goto end; 3431 3432 ret = fsg_common_set_num_buffers(opts->common, num); 3433 if (ret) 3434 goto end; 3435 ret = len; 3436 3437 end: 3438 mutex_unlock(&opts->lock); 3439 return ret; 3440 } 3441 3442 CONFIGFS_ATTR(fsg_opts_, num_buffers); 3443 #endif 3444 3445 static struct configfs_attribute *fsg_attrs[] = { 3446 &fsg_opts_attr_stall, 3447 #ifdef CONFIG_USB_GADGET_DEBUG_FILES 3448 &fsg_opts_attr_num_buffers, 3449 #endif 3450 NULL, 3451 }; 3452 3453 static struct configfs_group_operations fsg_group_ops = { 3454 .make_group = fsg_lun_make, 3455 .drop_item = fsg_lun_drop, 3456 }; 3457 3458 static const struct config_item_type fsg_func_type = { 3459 .ct_item_ops = &fsg_item_ops, 3460 .ct_group_ops = &fsg_group_ops, 3461 .ct_attrs = fsg_attrs, 3462 .ct_owner = THIS_MODULE, 3463 }; 3464 3465 static void fsg_free_inst(struct usb_function_instance *fi) 3466 { 3467 struct fsg_opts *opts; 3468 3469 opts = fsg_opts_from_func_inst(fi); 3470 fsg_common_release(opts->common); 3471 kfree(opts); 3472 } 3473 3474 static struct usb_function_instance *fsg_alloc_inst(void) 3475 { 3476 struct fsg_opts *opts; 3477 struct fsg_lun_config config; 3478 int rc; 3479 3480 opts = kzalloc(sizeof(*opts), GFP_KERNEL); 3481 if (!opts) 3482 return ERR_PTR(-ENOMEM); 3483 mutex_init(&opts->lock); 3484 opts->func_inst.free_func_inst = fsg_free_inst; 3485 opts->common = fsg_common_setup(opts->common); 3486 if (IS_ERR(opts->common)) { 3487 rc = PTR_ERR(opts->common); 3488 goto release_opts; 3489 } 3490 3491 rc = fsg_common_set_num_buffers(opts->common, 3492 CONFIG_USB_GADGET_STORAGE_NUM_BUFFERS); 3493 if (rc) 3494 goto release_common; 3495 3496 pr_info(FSG_DRIVER_DESC ", version: " FSG_DRIVER_VERSION "\n"); 3497 3498 memset(&config, 0, sizeof(config)); 3499 config.removable = true; 3500 rc = fsg_common_create_lun(opts->common, &config, 0, "lun.0", 3501 (const char **)&opts->func_inst.group.cg_item.ci_name); 3502 if (rc) 3503 goto release_buffers; 3504 3505 opts->lun0.lun = opts->common->luns[0]; 3506 opts->lun0.lun_id = 0; 3507 3508 config_group_init_type_name(&opts->func_inst.group, "", &fsg_func_type); 3509 3510 config_group_init_type_name(&opts->lun0.group, "lun.0", &fsg_lun_type); 3511 configfs_add_default_group(&opts->lun0.group, &opts->func_inst.group); 3512 3513 return &opts->func_inst; 3514 3515 release_buffers: 3516 fsg_common_free_buffers(opts->common); 3517 release_common: 3518 kfree(opts->common); 3519 release_opts: 3520 kfree(opts); 3521 return ERR_PTR(rc); 3522 } 3523 3524 static void fsg_free(struct usb_function *f) 3525 { 3526 struct fsg_dev *fsg; 3527 struct fsg_opts *opts; 3528 3529 fsg = container_of(f, struct fsg_dev, function); 3530 opts = container_of(f->fi, struct fsg_opts, func_inst); 3531 3532 mutex_lock(&opts->lock); 3533 opts->refcnt--; 3534 mutex_unlock(&opts->lock); 3535 3536 kfree(fsg); 3537 } 3538 3539 static struct usb_function *fsg_alloc(struct usb_function_instance *fi) 3540 { 3541 struct fsg_opts *opts = fsg_opts_from_func_inst(fi); 3542 struct fsg_common *common = opts->common; 3543 struct fsg_dev *fsg; 3544 3545 fsg = kzalloc(sizeof(*fsg), GFP_KERNEL); 3546 if (unlikely(!fsg)) 3547 return ERR_PTR(-ENOMEM); 3548 3549 mutex_lock(&opts->lock); 3550 opts->refcnt++; 3551 mutex_unlock(&opts->lock); 3552 3553 fsg->function.name = FSG_DRIVER_DESC; 3554 fsg->function.bind = fsg_bind; 3555 fsg->function.unbind = fsg_unbind; 3556 fsg->function.setup = fsg_setup; 3557 fsg->function.set_alt = fsg_set_alt; 3558 fsg->function.disable = fsg_disable; 3559 fsg->function.free_func = fsg_free; 3560 3561 fsg->common = common; 3562 3563 return &fsg->function; 3564 } 3565 3566 DECLARE_USB_FUNCTION_INIT(mass_storage, fsg_alloc_inst, fsg_alloc); 3567 MODULE_LICENSE("GPL"); 3568 MODULE_AUTHOR("Michal Nazarewicz"); 3569 3570 /************************* Module parameters *************************/ 3571 3572 3573 void fsg_config_from_params(struct fsg_config *cfg, 3574 const struct fsg_module_parameters *params, 3575 unsigned int fsg_num_buffers) 3576 { 3577 struct fsg_lun_config *lun; 3578 unsigned i; 3579 3580 /* Configure LUNs */ 3581 cfg->nluns = 3582 min(params->luns ?: (params->file_count ?: 1u), 3583 (unsigned)FSG_MAX_LUNS); 3584 for (i = 0, lun = cfg->luns; i < cfg->nluns; ++i, ++lun) { 3585 lun->ro = !!params->ro[i]; 3586 lun->cdrom = !!params->cdrom[i]; 3587 lun->removable = !!params->removable[i]; 3588 lun->filename = 3589 params->file_count > i && params->file[i][0] 3590 ? params->file[i] 3591 : NULL; 3592 } 3593 3594 /* Let MSF use defaults */ 3595 cfg->vendor_name = NULL; 3596 cfg->product_name = NULL; 3597 3598 cfg->ops = NULL; 3599 cfg->private_data = NULL; 3600 3601 /* Finalise */ 3602 cfg->can_stall = params->stall; 3603 cfg->fsg_num_buffers = fsg_num_buffers; 3604 } 3605 EXPORT_SYMBOL_GPL(fsg_config_from_params); 3606