PageRenderTime 169ms CodeModel.GetById 14ms app.highlight 126ms RepoModel.GetById 16ms app.codeStats 1ms

/drivers/usb/gadget/f_mass_storage.c

https://bitbucket.org/cyanogenmod/android_kernel_asus_tf300t
C | 3173 lines | 2053 code | 421 blank | 699 comment | 474 complexity | 7ae2a02f05aea8f0c3ca979e9574fb03 MD5 | raw file
Possible License(s): LGPL-2.0, AGPL-1.0, GPL-2.0

Large files files are truncated, but you can click here to view the full file

   1/*
   2 * f_mass_storage.c -- Mass Storage USB Composite Function
   3 *
   4 * Copyright (C) 2003-2008 Alan Stern
   5 * Copyright (C) 2009 Samsung Electronics
   6 *                    Author: Michal Nazarewicz <m.nazarewicz@samsung.com>
   7 * All rights reserved.
   8 *
   9 * Redistribution and use in source and binary forms, with or without
  10 * modification, are permitted provided that the following conditions
  11 * are met:
  12 * 1. Redistributions of source code must retain the above copyright
  13 *    notice, this list of conditions, and the following disclaimer,
  14 *    without modification.
  15 * 2. Redistributions in binary form must reproduce the above copyright
  16 *    notice, this list of conditions and the following disclaimer in the
  17 *    documentation and/or other materials provided with the distribution.
  18 * 3. The names of the above-listed copyright holders may not be used
  19 *    to endorse or promote products derived from this software without
  20 *    specific prior written permission.
  21 *
  22 * ALTERNATIVELY, this software may be distributed under the terms of the
  23 * GNU General Public License ("GPL") as published by the Free Software
  24 * Foundation, either version 2 of that License or (at your option) any
  25 * later version.
  26 *
  27 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
  28 * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
  29 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  30 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
  31 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
  32 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
  33 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
  34 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
  35 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
  36 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  37 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  38 */
  39
  40/*
  41 * The Mass Storage Function acts as a USB Mass Storage device,
  42 * appearing to the host as a disk drive or as a CD-ROM drive.  In
  43 * addition to providing an example of a genuinely useful composite
  44 * function for a USB device, it also illustrates a technique of
  45 * double-buffering for increased throughput.
  46 *
  47 * Function supports multiple logical units (LUNs).  Backing storage
  48 * for each LUN is provided by a regular file or a block device.
  49 * Access for each LUN can be limited to read-only.  Moreover, the
  50 * function can indicate that LUN is removable and/or CD-ROM.  (The
  51 * later implies read-only access.)
  52 *
  53 * MSF is configured by specifying a fsg_config structure.  It has the
  54 * following fields:
  55 *
  56 *	nluns		Number of LUNs function have (anywhere from 1
  57 *				to FSG_MAX_LUNS which is 8).
  58 *	luns		An array of LUN configuration values.  This
  59 *				should be filled for each LUN that
  60 *				function will include (ie. for "nluns"
  61 *				LUNs).  Each element of the array has
  62 *				the following fields:
  63 *	->filename	The path to the backing file for the LUN.
  64 *				Required if LUN is not marked as
  65 *				removable.
  66 *	->ro		Flag specifying access to the LUN shall be
  67 *				read-only.  This is implied if CD-ROM
  68 *				emulation is enabled as well as when
  69 *				it was impossible to open "filename"
  70 *				in R/W mode.
  71 *	->removable	Flag specifying that LUN shall be indicated as
  72 *				being removable.
  73 *	->cdrom		Flag specifying that LUN shall be reported as
  74 *				being a CD-ROM.
  75 *	->nofua		Flag specifying that FUA flag in SCSI WRITE(10,12)
  76 *				commands for this LUN shall be ignored.
  77 *
  78 *	lun_name_format	A printf-like format for names of the LUN
  79 *				devices.  This determines how the
  80 *				directory in sysfs will be named.
  81 *				Unless you are using several MSFs in
  82 *				a single gadget (as opposed to single
  83 *				MSF in many configurations) you may
  84 *				leave it as NULL (in which case
  85 *				"lun%d" will be used).  In the format
  86 *				you can use "%d" to index LUNs for
  87 *				MSF's with more than one LUN.  (Beware
  88 *				that there is only one integer given
  89 *				as an argument for the format and
  90 *				specifying invalid format may cause
  91 *				unspecified behaviour.)
  92 *	thread_name	Name of the kernel thread process used by the
  93 *				MSF.  You can safely set it to NULL
  94 *				(in which case default "file-storage"
  95 *				will be used).
  96 *
  97 *	vendor_name
  98 *	product_name
  99 *	release		Information used as a reply to INQUIRY
 100 *				request.  To use default set to NULL,
 101 *				NULL, 0xffff respectively.  The first
 102 *				field should be 8 and the second 16
 103 *				characters or less.
 104 *
 105 *	can_stall	Set to permit function to halt bulk endpoints.
 106 *				Disabled on some USB devices known not
 107 *				to work correctly.  You should set it
 108 *				to true.
 109 *
 110 * If "removable" is not set for a LUN then a backing file must be
 111 * specified.  If it is set, then NULL filename means the LUN's medium
 112 * is not loaded (an empty string as "filename" in the fsg_config
 113 * structure causes error).  The CD-ROM emulation includes a single
 114 * data track and no audio tracks; hence there need be only one
 115 * backing file per LUN.  Note also that the CD-ROM block length is
 116 * set to 512 rather than the more common value 2048.
 117 *
 118 *
 119 * MSF includes support for module parameters.  If gadget using it
 120 * decides to use it, the following module parameters will be
 121 * available:
 122 *
 123 *	file=filename[,filename...]
 124 *			Names of the files or block devices used for
 125 *				backing storage.
 126 *	ro=b[,b...]	Default false, boolean for read-only access.
 127 *	removable=b[,b...]
 128 *			Default true, boolean for removable media.
 129 *	cdrom=b[,b...]	Default false, boolean for whether to emulate
 130 *				a CD-ROM drive.
 131 *	nofua=b[,b...]	Default false, booleans for ignore FUA flag
 132 *				in SCSI WRITE(10,12) commands
 133 *	luns=N		Default N = number of filenames, number of
 134 *				LUNs to support.
 135 *	stall		Default determined according to the type of
 136 *				USB device controller (usually true),
 137 *				boolean to permit the driver to halt
 138 *				bulk endpoints.
 139 *
 140 * The module parameters may be prefixed with some string.  You need
 141 * to consult gadget's documentation or source to verify whether it is
 142 * using those module parameters and if it does what are the prefixes
 143 * (look for FSG_MODULE_PARAMETERS() macro usage, what's inside it is
 144 * the prefix).
 145 *
 146 *
 147 * Requirements are modest; only a bulk-in and a bulk-out endpoint are
 148 * needed.  The memory requirement amounts to two 16K buffers, size
 149 * configurable by a parameter.  Support is included for both
 150 * full-speed and high-speed operation.
 151 *
 152 * Note that the driver is slightly non-portable in that it assumes a
 153 * single memory/DMA buffer will be useable for bulk-in, bulk-out, and
 154 * interrupt-in endpoints.  With most device controllers this isn't an
 155 * issue, but there may be some with hardware restrictions that prevent
 156 * a buffer from being used by more than one endpoint.
 157 *
 158 *
 159 * The pathnames of the backing files and the ro settings are
 160 * available in the attribute files "file" and "ro" in the lun<n> (or
 161 * to be more precise in a directory which name comes from
 162 * "lun_name_format" option!) subdirectory of the gadget's sysfs
 163 * directory.  If the "removable" option is set, writing to these
 164 * files will simulate ejecting/loading the medium (writing an empty
 165 * line means eject) and adjusting a write-enable tab.  Changes to the
 166 * ro setting are not allowed when the medium is loaded or if CD-ROM
 167 * emulation is being used.
 168 *
 169 * When a LUN receive an "eject" SCSI request (Start/Stop Unit),
 170 * if the LUN is removable, the backing file is released to simulate
 171 * ejection.
 172 *
 173 *
 174 * This function is heavily based on "File-backed Storage Gadget" by
 175 * Alan Stern which in turn is heavily based on "Gadget Zero" by David
 176 * Brownell.  The driver's SCSI command interface was based on the
 177 * "Information technology - Small Computer System Interface - 2"
 178 * document from X3T9.2 Project 375D, Revision 10L, 7-SEP-93,
 179 * available at <http://www.t10.org/ftp/t10/drafts/s2/s2-r10l.pdf>.
 180 * The single exception is opcode 0x23 (READ FORMAT CAPACITIES), which
 181 * was based on the "Universal Serial Bus Mass Storage Class UFI
 182 * Command Specification" document, Revision 1.0, December 14, 1998,
 183 * available at
 184 * <http://www.usb.org/developers/devclass_docs/usbmass-ufi10.pdf>.
 185 */
 186
 187/*
 188 *				Driver Design
 189 *
 190 * The MSF is fairly straightforward.  There is a main kernel
 191 * thread that handles most of the work.  Interrupt routines field
 192 * callbacks from the controller driver: bulk- and interrupt-request
 193 * completion notifications, endpoint-0 events, and disconnect events.
 194 * Completion events are passed to the main thread by wakeup calls.  Many
 195 * ep0 requests are handled at interrupt time, but SetInterface,
 196 * SetConfiguration, and device reset requests are forwarded to the
 197 * thread in the form of "exceptions" using SIGUSR1 signals (since they
 198 * should interrupt any ongoing file I/O operations).
 199 *
 200 * The thread's main routine implements the standard command/data/status
 201 * parts of a SCSI interaction.  It and its subroutines are full of tests
 202 * for pending signals/exceptions -- all this polling is necessary since
 203 * the kernel has no setjmp/longjmp equivalents.  (Maybe this is an
 204 * indication that the driver really wants to be running in userspace.)
 205 * An important point is that so long as the thread is alive it keeps an
 206 * open reference to the backing file.  This will prevent unmounting
 207 * the backing file's underlying filesystem and could cause problems
 208 * during system shutdown, for example.  To prevent such problems, the
 209 * thread catches INT, TERM, and KILL signals and converts them into
 210 * an EXIT exception.
 211 *
 212 * In normal operation the main thread is started during the gadget's
 213 * fsg_bind() callback and stopped during fsg_unbind().  But it can
 214 * also exit when it receives a signal, and there's no point leaving
 215 * the gadget running when the thread is dead.  At of this moment, MSF
 216 * provides no way to deregister the gadget when thread dies -- maybe
 217 * a callback functions is needed.
 218 *
 219 * To provide maximum throughput, the driver uses a circular pipeline of
 220 * buffer heads (struct fsg_buffhd).  In principle the pipeline can be
 221 * arbitrarily long; in practice the benefits don't justify having more
 222 * than 2 stages (i.e., double buffering).  But it helps to think of the
 223 * pipeline as being a long one.  Each buffer head contains a bulk-in and
 224 * a bulk-out request pointer (since the buffer can be used for both
 225 * output and input -- directions always are given from the host's
 226 * point of view) as well as a pointer to the buffer and various state
 227 * variables.
 228 *
 229 * Use of the pipeline follows a simple protocol.  There is a variable
 230 * (fsg->next_buffhd_to_fill) that points to the next buffer head to use.
 231 * At any time that buffer head may still be in use from an earlier
 232 * request, so each buffer head has a state variable indicating whether
 233 * it is EMPTY, FULL, or BUSY.  Typical use involves waiting for the
 234 * buffer head to be EMPTY, filling the buffer either by file I/O or by
 235 * USB I/O (during which the buffer head is BUSY), and marking the buffer
 236 * head FULL when the I/O is complete.  Then the buffer will be emptied
 237 * (again possibly by USB I/O, during which it is marked BUSY) and
 238 * finally marked EMPTY again (possibly by a completion routine).
 239 *
 240 * A module parameter tells the driver to avoid stalling the bulk
 241 * endpoints wherever the transport specification allows.  This is
 242 * necessary for some UDCs like the SuperH, which cannot reliably clear a
 243 * halt on a bulk endpoint.  However, under certain circumstances the
 244 * Bulk-only specification requires a stall.  In such cases the driver
 245 * will halt the endpoint and set a flag indicating that it should clear
 246 * the halt in software during the next device reset.  Hopefully this
 247 * will permit everything to work correctly.  Furthermore, although the
 248 * specification allows the bulk-out endpoint to halt when the host sends
 249 * too much data, implementing this would cause an unavoidable race.
 250 * The driver will always use the "no-stall" approach for OUT transfers.
 251 *
 252 * One subtle point concerns sending status-stage responses for ep0
 253 * requests.  Some of these requests, such as device reset, can involve
 254 * interrupting an ongoing file I/O operation, which might take an
 255 * arbitrarily long time.  During that delay the host might give up on
 256 * the original ep0 request and issue a new one.  When that happens the
 257 * driver should not notify the host about completion of the original
 258 * request, as the host will no longer be waiting for it.  So the driver
 259 * assigns to each ep0 request a unique tag, and it keeps track of the
 260 * tag value of the request associated with a long-running exception
 261 * (device-reset, interface-change, or configuration-change).  When the
 262 * exception handler is finished, the status-stage response is submitted
 263 * only if the current ep0 request tag is equal to the exception request
 264 * tag.  Thus only the most recently received ep0 request will get a
 265 * status-stage response.
 266 *
 267 * Warning: This driver source file is too long.  It ought to be split up
 268 * into a header file plus about 3 separate .c files, to handle the details
 269 * of the Gadget, USB Mass Storage, and SCSI protocols.
 270 */
 271
 272
 273/* #define VERBOSE_DEBUG */
 274/* #define DUMP_MSGS */
 275
 276#include <linux/blkdev.h>
 277#include <linux/completion.h>
 278#include <linux/dcache.h>
 279#include <linux/delay.h>
 280#include <linux/device.h>
 281#include <linux/fcntl.h>
 282#include <linux/file.h>
 283#include <linux/fs.h>
 284#include <linux/kref.h>
 285#include <linux/kthread.h>
 286#include <linux/limits.h>
 287#include <linux/rwsem.h>
 288#include <linux/slab.h>
 289#include <linux/spinlock.h>
 290#include <linux/string.h>
 291#include <linux/freezer.h>
 292#include <linux/utsname.h>
 293
 294#include <linux/usb/ch9.h>
 295#include <linux/usb/gadget.h>
 296#include <linux/usb/composite.h>
 297
 298#include "gadget_chips.h"
 299
 300
 301/*------------------------------------------------------------------------*/
 302
 303#define FSG_DRIVER_DESC		"Mass Storage Function"
 304#define FSG_DRIVER_VERSION	"2009/09/11"
 305
 306static const char fsg_string_interface[] = "Mass Storage";
 307
 308#define FSG_NO_INTR_EP 1
 309#define FSG_NO_DEVICE_STRINGS    1
 310#define FSG_NO_OTG               1
 311#define FSG_NO_INTR_EP           1
 312
 313#include "storage_common.c"
 314
 315
 316/*-------------------------------------------------------------------------*/
 317
 318struct fsg_dev;
 319struct fsg_common;
 320
 321/* FSF callback functions */
 322struct fsg_operations {
 323	/*
 324	 * Callback function to call when thread exits.  If no
 325	 * callback is set or it returns value lower then zero MSF
 326	 * will force eject all LUNs it operates on (including those
 327	 * marked as non-removable or with prevent_medium_removal flag
 328	 * set).
 329	 */
 330	int (*thread_exits)(struct fsg_common *common);
 331
 332	/*
 333	 * Called prior to ejection.  Negative return means error,
 334	 * zero means to continue with ejection, positive means not to
 335	 * eject.
 336	 */
 337	int (*pre_eject)(struct fsg_common *common,
 338			 struct fsg_lun *lun, int num);
 339	/*
 340	 * Called after ejection.  Negative return means error, zero
 341	 * or positive is just a success.
 342	 */
 343	int (*post_eject)(struct fsg_common *common,
 344			  struct fsg_lun *lun, int num);
 345};
 346
 347/* Data shared by all the FSG instances. */
 348struct fsg_common {
 349	struct usb_gadget	*gadget;
 350	struct usb_composite_dev *cdev;
 351	struct fsg_dev		*fsg, *new_fsg;
 352	wait_queue_head_t	fsg_wait;
 353
 354	/* filesem protects: backing files in use */
 355	struct rw_semaphore	filesem;
 356
 357	/* lock protects: state, all the req_busy's */
 358	spinlock_t		lock;
 359
 360	struct usb_ep		*ep0;		/* Copy of gadget->ep0 */
 361	struct usb_request	*ep0req;	/* Copy of cdev->req */
 362	unsigned int		ep0_req_tag;
 363
 364	struct fsg_buffhd	*next_buffhd_to_fill;
 365	struct fsg_buffhd	*next_buffhd_to_drain;
 366	struct fsg_buffhd	buffhds[FSG_NUM_BUFFERS];
 367
 368	int			cmnd_size;
 369	u8			cmnd[MAX_COMMAND_SIZE];
 370
 371	unsigned int		nluns;
 372	unsigned int		lun;
 373	struct fsg_lun		*luns;
 374	struct fsg_lun		*curlun;
 375
 376	unsigned int		bulk_out_maxpacket;
 377	enum fsg_state		state;		/* For exception handling */
 378	unsigned int		exception_req_tag;
 379
 380	enum data_direction	data_dir;
 381	u32			data_size;
 382	u32			data_size_from_cmnd;
 383	u32			tag;
 384	u32			residue;
 385	u32			usb_amount_left;
 386
 387	unsigned int		can_stall:1;
 388	unsigned int		free_storage_on_release:1;
 389	unsigned int		phase_error:1;
 390	unsigned int		short_packet_received:1;
 391	unsigned int		bad_lun_okay:1;
 392	unsigned int		running:1;
 393
 394	int			thread_wakeup_needed;
 395	struct completion	thread_notifier;
 396	struct task_struct	*thread_task;
 397
 398	/* Callback functions. */
 399	const struct fsg_operations	*ops;
 400	/* Gadget's private data. */
 401	void			*private_data;
 402
 403	/*
 404	 * Vendor (8 chars), product (16 chars), release (4
 405	 * hexadecimal digits) and NUL byte
 406	 */
 407	char inquiry_string[8 + 16 + 4 + 1];
 408
 409	struct kref		ref;
 410};
 411
 412struct fsg_config {
 413	unsigned nluns;
 414	struct fsg_lun_config {
 415		const char *filename;
 416		char ro;
 417		char removable;
 418		char cdrom;
 419		char nofua;
 420	} luns[FSG_MAX_LUNS];
 421
 422	const char		*lun_name_format;
 423	const char		*thread_name;
 424
 425	/* Callback functions. */
 426	const struct fsg_operations	*ops;
 427	/* Gadget's private data. */
 428	void			*private_data;
 429
 430	const char *vendor_name;		/*  8 characters or less */
 431	const char *product_name;		/* 16 characters or less */
 432	u16 release;
 433
 434	char			can_stall;
 435};
 436
 437struct fsg_dev {
 438	struct usb_function	function;
 439	struct usb_gadget	*gadget;	/* Copy of cdev->gadget */
 440	struct fsg_common	*common;
 441
 442	u16			interface_number;
 443
 444	unsigned int		bulk_in_enabled:1;
 445	unsigned int		bulk_out_enabled:1;
 446
 447	unsigned long		atomic_bitflags;
 448#define IGNORE_BULK_OUT		0
 449
 450	struct usb_ep		*bulk_in;
 451	struct usb_ep		*bulk_out;
 452};
 453
 454static inline int __fsg_is_set(struct fsg_common *common,
 455			       const char *func, unsigned line)
 456{
 457	if (common->fsg)
 458		return 1;
 459	ERROR(common, "common->fsg is NULL in %s at %u\n", func, line);
 460	WARN_ON(1);
 461	return 0;
 462}
 463
 464#define fsg_is_set(common) likely(__fsg_is_set(common, __func__, __LINE__))
 465
 466static inline struct fsg_dev *fsg_from_func(struct usb_function *f)
 467{
 468	return container_of(f, struct fsg_dev, function);
 469}
 470
 471typedef void (*fsg_routine_t)(struct fsg_dev *);
 472
 473static int exception_in_progress(struct fsg_common *common)
 474{
 475	return common->state > FSG_STATE_IDLE;
 476}
 477
 478/* Make bulk-out requests be divisible by the maxpacket size */
 479static void set_bulk_out_req_length(struct fsg_common *common,
 480				    struct fsg_buffhd *bh, unsigned int length)
 481{
 482	unsigned int	rem;
 483
 484	bh->bulk_out_intended_length = length;
 485	rem = length % common->bulk_out_maxpacket;
 486	if (rem > 0)
 487		length += common->bulk_out_maxpacket - rem;
 488	bh->outreq->length = length;
 489}
 490
 491
 492/*-------------------------------------------------------------------------*/
 493
 494static int fsg_set_halt(struct fsg_dev *fsg, struct usb_ep *ep)
 495{
 496	const char	*name;
 497
 498	if (ep == fsg->bulk_in)
 499		name = "bulk-in";
 500	else if (ep == fsg->bulk_out)
 501		name = "bulk-out";
 502	else
 503		name = ep->name;
 504	DBG(fsg, "%s set halt\n", name);
 505	return usb_ep_set_halt(ep);
 506}
 507
 508
 509/*-------------------------------------------------------------------------*/
 510
 511/* These routines may be called in process context or in_irq */
 512
 513/* Caller must hold fsg->lock */
 514static void wakeup_thread(struct fsg_common *common)
 515{
 516	/* Tell the main thread that something has happened */
 517	common->thread_wakeup_needed = 1;
 518	if (common->thread_task)
 519		wake_up_process(common->thread_task);
 520}
 521
 522static void raise_exception(struct fsg_common *common, enum fsg_state new_state)
 523{
 524	unsigned long		flags;
 525
 526	/*
 527	 * Do nothing if a higher-priority exception is already in progress.
 528	 * If a lower-or-equal priority exception is in progress, preempt it
 529	 * and notify the main thread by sending it a signal.
 530	 */
 531	spin_lock_irqsave(&common->lock, flags);
 532	if (common->state <= new_state) {
 533		common->exception_req_tag = common->ep0_req_tag;
 534		common->state = new_state;
 535		if (common->thread_task)
 536			send_sig_info(SIGUSR1, SEND_SIG_FORCED,
 537				      common->thread_task);
 538	}
 539	spin_unlock_irqrestore(&common->lock, flags);
 540}
 541
 542
 543/*-------------------------------------------------------------------------*/
 544
 545static int ep0_queue(struct fsg_common *common)
 546{
 547	int	rc;
 548
 549	rc = usb_ep_queue(common->ep0, common->ep0req, GFP_ATOMIC);
 550	common->ep0->driver_data = common;
 551	if (rc != 0 && rc != -ESHUTDOWN) {
 552		/* We can't do much more than wait for a reset */
 553		WARNING(common, "error in submission: %s --> %d\n",
 554			common->ep0->name, rc);
 555	}
 556	return rc;
 557}
 558
 559
 560/*-------------------------------------------------------------------------*/
 561
 562/* Completion handlers. These always run in_irq. */
 563
 564static void bulk_in_complete(struct usb_ep *ep, struct usb_request *req)
 565{
 566	struct fsg_common	*common = ep->driver_data;
 567	struct fsg_buffhd	*bh = req->context;
 568
 569	if (req->status || req->actual != req->length)
 570		DBG(common, "%s --> %d, %u/%u\n", __func__,
 571		    req->status, req->actual, req->length);
 572	if (req->status == -ECONNRESET)		/* Request was cancelled */
 573		usb_ep_fifo_flush(ep);
 574
 575	/* Hold the lock while we update the request and buffer states */
 576	smp_wmb();
 577	spin_lock(&common->lock);
 578	bh->inreq_busy = 0;
 579	bh->state = BUF_STATE_EMPTY;
 580	wakeup_thread(common);
 581	spin_unlock(&common->lock);
 582}
 583
 584static void bulk_out_complete(struct usb_ep *ep, struct usb_request *req)
 585{
 586	struct fsg_common	*common = ep->driver_data;
 587	struct fsg_buffhd	*bh = req->context;
 588
 589	dump_msg(common, "bulk-out", req->buf, req->actual);
 590	if (req->status || req->actual != bh->bulk_out_intended_length)
 591		DBG(common, "%s --> %d, %u/%u\n", __func__,
 592		    req->status, req->actual, bh->bulk_out_intended_length);
 593	if (req->status == -ECONNRESET)		/* Request was cancelled */
 594		usb_ep_fifo_flush(ep);
 595
 596	/* Hold the lock while we update the request and buffer states */
 597	smp_wmb();
 598	spin_lock(&common->lock);
 599	bh->outreq_busy = 0;
 600	bh->state = BUF_STATE_FULL;
 601	wakeup_thread(common);
 602	spin_unlock(&common->lock);
 603}
 604
 605static int fsg_setup(struct usb_function *f,
 606		     const struct usb_ctrlrequest *ctrl)
 607{
 608	struct fsg_dev		*fsg = fsg_from_func(f);
 609	struct usb_request	*req = fsg->common->ep0req;
 610	u16			w_index = le16_to_cpu(ctrl->wIndex);
 611	u16			w_value = le16_to_cpu(ctrl->wValue);
 612	u16			w_length = le16_to_cpu(ctrl->wLength);
 613
 614	if (!fsg_is_set(fsg->common))
 615		return -EOPNOTSUPP;
 616
 617	++fsg->common->ep0_req_tag;	/* Record arrival of a new request */
 618	req->context = NULL;
 619	req->length = 0;
 620	dump_msg(fsg, "ep0-setup", (u8 *) ctrl, sizeof(*ctrl));
 621
 622	switch (ctrl->bRequest) {
 623
 624	case USB_BULK_RESET_REQUEST:
 625		if (ctrl->bRequestType !=
 626		    (USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE))
 627			break;
 628		if (w_index != fsg->interface_number || w_value != 0)
 629			return -EDOM;
 630
 631		/*
 632		 * Raise an exception to stop the current operation
 633		 * and reinitialize our state.
 634		 */
 635		DBG(fsg, "bulk reset request\n");
 636		raise_exception(fsg->common, FSG_STATE_RESET);
 637		return DELAYED_STATUS;
 638
 639	case USB_BULK_GET_MAX_LUN_REQUEST:
 640		if (ctrl->bRequestType !=
 641		    (USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_INTERFACE))
 642			break;
 643		if (w_index != fsg->interface_number || w_value != 0)
 644			return -EDOM;
 645		VDBG(fsg, "get max LUN\n");
 646		*(u8 *)req->buf = fsg->common->nluns - 1;
 647
 648		/* Respond with data/status */
 649		req->length = min((u16)1, w_length);
 650		return ep0_queue(fsg->common);
 651	}
 652
 653	VDBG(fsg,
 654	     "unknown class-specific control req %02x.%02x v%04x i%04x l%u\n",
 655	     ctrl->bRequestType, ctrl->bRequest,
 656	     le16_to_cpu(ctrl->wValue), w_index, w_length);
 657	return -EOPNOTSUPP;
 658}
 659
 660
 661/*-------------------------------------------------------------------------*/
 662
 663/* All the following routines run in process context */
 664
 665/* Use this for bulk or interrupt transfers, not ep0 */
 666static void start_transfer(struct fsg_dev *fsg, struct usb_ep *ep,
 667			   struct usb_request *req, int *pbusy,
 668			   enum fsg_buffer_state *state)
 669{
 670	int	rc;
 671
 672	if (ep == fsg->bulk_in)
 673		dump_msg(fsg, "bulk-in", req->buf, req->length);
 674
 675	spin_lock_irq(&fsg->common->lock);
 676	*pbusy = 1;
 677	*state = BUF_STATE_BUSY;
 678	spin_unlock_irq(&fsg->common->lock);
 679	rc = usb_ep_queue(ep, req, GFP_KERNEL);
 680	if (rc != 0) {
 681		*pbusy = 0;
 682		*state = BUF_STATE_EMPTY;
 683
 684		/* We can't do much more than wait for a reset */
 685
 686		/*
 687		 * Note: currently the net2280 driver fails zero-length
 688		 * submissions if DMA is enabled.
 689		 */
 690		if (rc != -ESHUTDOWN &&
 691		    !(rc == -EOPNOTSUPP && req->length == 0))
 692			WARNING(fsg, "error in submission: %s --> %d\n",
 693				ep->name, rc);
 694	}
 695}
 696
 697static bool start_in_transfer(struct fsg_common *common, struct fsg_buffhd *bh)
 698{
 699	if (!fsg_is_set(common))
 700		return false;
 701	start_transfer(common->fsg, common->fsg->bulk_in,
 702		       bh->inreq, &bh->inreq_busy, &bh->state);
 703	return true;
 704}
 705
 706static bool start_out_transfer(struct fsg_common *common, struct fsg_buffhd *bh)
 707{
 708	if (!fsg_is_set(common))
 709		return false;
 710	start_transfer(common->fsg, common->fsg->bulk_out,
 711		       bh->outreq, &bh->outreq_busy, &bh->state);
 712	return true;
 713}
 714
 715static int sleep_thread(struct fsg_common *common)
 716{
 717	int	rc = 0;
 718
 719	/* Wait until a signal arrives or we are woken up */
 720	for (;;) {
 721		try_to_freeze();
 722		set_current_state(TASK_INTERRUPTIBLE);
 723		if (signal_pending(current)) {
 724			rc = -EINTR;
 725			break;
 726		}
 727		if (common->thread_wakeup_needed)
 728			break;
 729		schedule();
 730	}
 731	__set_current_state(TASK_RUNNING);
 732	common->thread_wakeup_needed = 0;
 733	return rc;
 734}
 735
 736
 737/*-------------------------------------------------------------------------*/
 738
 739static int do_read(struct fsg_common *common)
 740{
 741	struct fsg_lun		*curlun = common->curlun;
 742	u32			lba;
 743	struct fsg_buffhd	*bh;
 744	int			rc;
 745	u32			amount_left;
 746	loff_t			file_offset, file_offset_tmp;
 747	unsigned int		amount;
 748	unsigned int		partial_page;
 749	ssize_t			nread;
 750
 751	/*
 752	 * Get the starting Logical Block Address and check that it's
 753	 * not too big.
 754	 */
 755	if (common->cmnd[0] == READ_6)
 756		lba = get_unaligned_be24(&common->cmnd[1]);
 757	else {
 758		lba = get_unaligned_be32(&common->cmnd[2]);
 759
 760		/*
 761		 * We allow DPO (Disable Page Out = don't save data in the
 762		 * cache) and FUA (Force Unit Access = don't read from the
 763		 * cache), but we don't implement them.
 764		 */
 765		if ((common->cmnd[1] & ~0x18) != 0) {
 766			curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
 767			return -EINVAL;
 768		}
 769	}
 770	if (lba >= curlun->num_sectors) {
 771		curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 772		return -EINVAL;
 773	}
 774	file_offset = ((loff_t) lba) << 9;
 775
 776	/* Carry out the file reads */
 777	amount_left = common->data_size_from_cmnd;
 778	if (unlikely(amount_left == 0))
 779		return -EIO;		/* No default reply */
 780
 781	for (;;) {
 782		/*
 783		 * Figure out how much we need to read:
 784		 * Try to read the remaining amount.
 785		 * But don't read more than the buffer size.
 786		 * And don't try to read past the end of the file.
 787		 * Finally, if we're not at a page boundary, don't read past
 788		 *	the next page.
 789		 * If this means reading 0 then we were asked to read past
 790		 *	the end of file.
 791		 */
 792		amount = min(amount_left, FSG_BUFLEN);
 793		amount = min((loff_t)amount,
 794			     curlun->file_length - file_offset);
 795		partial_page = file_offset & (PAGE_CACHE_SIZE - 1);
 796		if (partial_page > 0)
 797			amount = min(amount, (unsigned int)PAGE_CACHE_SIZE -
 798					     partial_page);
 799
 800		/* Wait for the next buffer to become available */
 801		bh = common->next_buffhd_to_fill;
 802		while (bh->state != BUF_STATE_EMPTY) {
 803			rc = sleep_thread(common);
 804			if (rc)
 805				return rc;
 806		}
 807
 808		/*
 809		 * If we were asked to read past the end of file,
 810		 * end with an empty buffer.
 811		 */
 812		if (amount == 0) {
 813			curlun->sense_data =
 814					SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 815			curlun->sense_data_info = file_offset >> 9;
 816			curlun->info_valid = 1;
 817			bh->inreq->length = 0;
 818			bh->state = BUF_STATE_FULL;
 819			break;
 820		}
 821
 822		/* Perform the read */
 823		file_offset_tmp = file_offset;
 824		nread = vfs_read(curlun->filp,
 825				 (char __user *)bh->buf,
 826				 amount, &file_offset_tmp);
 827		VLDBG(curlun, "file read %u @ %llu -> %d\n", amount,
 828		      (unsigned long long)file_offset, (int)nread);
 829		if (signal_pending(current))
 830			return -EINTR;
 831
 832		if (nread < 0) {
 833			LDBG(curlun, "error in file read: %d\n", (int)nread);
 834			nread = 0;
 835		} else if (nread < amount) {
 836			LDBG(curlun, "partial file read: %d/%u\n",
 837			     (int)nread, amount);
 838			nread -= (nread & 511);	/* Round down to a block */
 839		}
 840		file_offset  += nread;
 841		amount_left  -= nread;
 842		common->residue -= nread;
 843		bh->inreq->length = nread;
 844		bh->state = BUF_STATE_FULL;
 845
 846		/* If an error occurred, report it and its position */
 847		if (nread < amount) {
 848			curlun->sense_data = SS_UNRECOVERED_READ_ERROR;
 849			curlun->sense_data_info = file_offset >> 9;
 850			curlun->info_valid = 1;
 851			break;
 852		}
 853
 854		if (amount_left == 0)
 855			break;		/* No more left to read */
 856
 857		/* Send this buffer and go read some more */
 858		bh->inreq->zero = 0;
 859		if (!start_in_transfer(common, bh))
 860			/* Don't know what to do if common->fsg is NULL */
 861			return -EIO;
 862		common->next_buffhd_to_fill = bh->next;
 863	}
 864
 865	return -EIO;		/* No default reply */
 866}
 867
 868
 869/*-------------------------------------------------------------------------*/
 870
 871static int do_write(struct fsg_common *common)
 872{
 873	struct fsg_lun		*curlun = common->curlun;
 874	u32			lba;
 875	struct fsg_buffhd	*bh;
 876	int			get_some_more;
 877	u32			amount_left_to_req, amount_left_to_write;
 878	loff_t			usb_offset, file_offset, file_offset_tmp;
 879	unsigned int		amount;
 880	unsigned int		partial_page;
 881	ssize_t			nwritten;
 882	int			rc;
 883
 884	if (curlun->ro) {
 885		curlun->sense_data = SS_WRITE_PROTECTED;
 886		return -EINVAL;
 887	}
 888	spin_lock(&curlun->filp->f_lock);
 889	curlun->filp->f_flags &= ~O_SYNC;	/* Default is not to wait */
 890	spin_unlock(&curlun->filp->f_lock);
 891
 892	/*
 893	 * Get the starting Logical Block Address and check that it's
 894	 * not too big
 895	 */
 896	if (common->cmnd[0] == WRITE_6)
 897		lba = get_unaligned_be24(&common->cmnd[1]);
 898	else {
 899		lba = get_unaligned_be32(&common->cmnd[2]);
 900
 901		/*
 902		 * We allow DPO (Disable Page Out = don't save data in the
 903		 * cache) and FUA (Force Unit Access = write directly to the
 904		 * medium).  We don't implement DPO; we implement FUA by
 905		 * performing synchronous output.
 906		 */
 907		if (common->cmnd[1] & ~0x18) {
 908			curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
 909			return -EINVAL;
 910		}
 911		if (!curlun->nofua && (common->cmnd[1] & 0x08)) { /* FUA */
 912			spin_lock(&curlun->filp->f_lock);
 913			curlun->filp->f_flags |= O_SYNC;
 914			spin_unlock(&curlun->filp->f_lock);
 915		}
 916	}
 917	if (lba >= curlun->num_sectors) {
 918		curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 919		return -EINVAL;
 920	}
 921
 922	/* Carry out the file writes */
 923	get_some_more = 1;
 924	file_offset = usb_offset = ((loff_t) lba) << 9;
 925	amount_left_to_req = common->data_size_from_cmnd;
 926	amount_left_to_write = common->data_size_from_cmnd;
 927
 928	while (amount_left_to_write > 0) {
 929
 930		/* Queue a request for more data from the host */
 931		bh = common->next_buffhd_to_fill;
 932		if (bh->state == BUF_STATE_EMPTY && get_some_more) {
 933
 934			/*
 935			 * Figure out how much we want to get:
 936			 * Try to get the remaining amount.
 937			 * But don't get more than the buffer size.
 938			 * And don't try to go past the end of the file.
 939			 * If we're not at a page boundary,
 940			 *	don't go past the next page.
 941			 * If this means getting 0, then we were asked
 942			 *	to write past the end of file.
 943			 * Finally, round down to a block boundary.
 944			 */
 945			amount = min(amount_left_to_req, FSG_BUFLEN);
 946			amount = min((loff_t)amount,
 947				     curlun->file_length - usb_offset);
 948			partial_page = usb_offset & (PAGE_CACHE_SIZE - 1);
 949			if (partial_page > 0)
 950				amount = min(amount,
 951	(unsigned int)PAGE_CACHE_SIZE - partial_page);
 952
 953			if (amount == 0) {
 954				get_some_more = 0;
 955				curlun->sense_data =
 956					SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
 957				curlun->sense_data_info = usb_offset >> 9;
 958				curlun->info_valid = 1;
 959				continue;
 960			}
 961			amount -= amount & 511;
 962			if (amount == 0) {
 963
 964				/*
 965				 * Why were we were asked to transfer a
 966				 * partial block?
 967				 */
 968				get_some_more = 0;
 969				continue;
 970			}
 971
 972			/* Get the next buffer */
 973			usb_offset += amount;
 974			common->usb_amount_left -= amount;
 975			amount_left_to_req -= amount;
 976			if (amount_left_to_req == 0)
 977				get_some_more = 0;
 978
 979			/*
 980			 * amount is always divisible by 512, hence by
 981			 * the bulk-out maxpacket size
 982			 */
 983			bh->outreq->length = amount;
 984			bh->bulk_out_intended_length = amount;
 985			bh->outreq->short_not_ok = 1;
 986			if (!start_out_transfer(common, bh))
 987				/* Dunno what to do if common->fsg is NULL */
 988				return -EIO;
 989			common->next_buffhd_to_fill = bh->next;
 990			continue;
 991		}
 992
 993		/* Write the received data to the backing file */
 994		bh = common->next_buffhd_to_drain;
 995		if (bh->state == BUF_STATE_EMPTY && !get_some_more)
 996			break;			/* We stopped early */
 997		if (bh->state == BUF_STATE_FULL) {
 998			smp_rmb();
 999			common->next_buffhd_to_drain = bh->next;
1000			bh->state = BUF_STATE_EMPTY;
1001
1002			/* Did something go wrong with the transfer? */
1003			if (bh->outreq->status != 0) {
1004				curlun->sense_data = SS_COMMUNICATION_FAILURE;
1005				curlun->sense_data_info = file_offset >> 9;
1006				curlun->info_valid = 1;
1007				break;
1008			}
1009
1010			amount = bh->outreq->actual;
1011			if (curlun->file_length - file_offset < amount) {
1012				LERROR(curlun,
1013				       "write %u @ %llu beyond end %llu\n",
1014				       amount, (unsigned long long)file_offset,
1015				       (unsigned long long)curlun->file_length);
1016				amount = curlun->file_length - file_offset;
1017			}
1018
1019			/* Perform the write */
1020			file_offset_tmp = file_offset;
1021			nwritten = vfs_write(curlun->filp,
1022					     (char __user *)bh->buf,
1023					     amount, &file_offset_tmp);
1024			VLDBG(curlun, "file write %u @ %llu -> %d\n", amount,
1025			      (unsigned long long)file_offset, (int)nwritten);
1026			if (signal_pending(current))
1027				return -EINTR;		/* Interrupted! */
1028
1029			if (nwritten < 0) {
1030				LDBG(curlun, "error in file write: %d\n",
1031				     (int)nwritten);
1032				nwritten = 0;
1033			} else if (nwritten < amount) {
1034				LDBG(curlun, "partial file write: %d/%u\n",
1035				     (int)nwritten, amount);
1036				nwritten -= (nwritten & 511);
1037				/* Round down to a block */
1038			}
1039			file_offset += nwritten;
1040			amount_left_to_write -= nwritten;
1041			common->residue -= nwritten;
1042
1043			/* If an error occurred, report it and its position */
1044			if (nwritten < amount) {
1045				curlun->sense_data = SS_WRITE_ERROR;
1046				curlun->sense_data_info = file_offset >> 9;
1047				curlun->info_valid = 1;
1048				break;
1049			}
1050
1051			/* Did the host decide to stop early? */
1052			if (bh->outreq->actual != bh->outreq->length) {
1053				common->short_packet_received = 1;
1054				break;
1055			}
1056			continue;
1057		}
1058
1059		/* Wait for something to happen */
1060		rc = sleep_thread(common);
1061		if (rc)
1062			return rc;
1063	}
1064
1065	return -EIO;		/* No default reply */
1066}
1067
1068
1069/*-------------------------------------------------------------------------*/
1070
1071static int do_synchronize_cache(struct fsg_common *common)
1072{
1073	struct fsg_lun	*curlun = common->curlun;
1074	int		rc;
1075
1076	/* We ignore the requested LBA and write out all file's
1077	 * dirty data buffers. */
1078	rc = fsg_lun_fsync_sub(curlun);
1079	if (rc)
1080		curlun->sense_data = SS_WRITE_ERROR;
1081	return 0;
1082}
1083
1084
1085/*-------------------------------------------------------------------------*/
1086
1087static void invalidate_sub(struct fsg_lun *curlun)
1088{
1089	struct file	*filp = curlun->filp;
1090	struct inode	*inode = filp->f_path.dentry->d_inode;
1091	unsigned long	rc;
1092
1093	rc = invalidate_mapping_pages(inode->i_mapping, 0, -1);
1094	VLDBG(curlun, "invalidate_mapping_pages -> %ld\n", rc);
1095}
1096
1097static int do_verify(struct fsg_common *common)
1098{
1099	struct fsg_lun		*curlun = common->curlun;
1100	u32			lba;
1101	u32			verification_length;
1102	struct fsg_buffhd	*bh = common->next_buffhd_to_fill;
1103	loff_t			file_offset, file_offset_tmp;
1104	u32			amount_left;
1105	unsigned int		amount;
1106	ssize_t			nread;
1107
1108	/*
1109	 * Get the starting Logical Block Address and check that it's
1110	 * not too big.
1111	 */
1112	lba = get_unaligned_be32(&common->cmnd[2]);
1113	if (lba >= curlun->num_sectors) {
1114		curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
1115		return -EINVAL;
1116	}
1117
1118	/*
1119	 * We allow DPO (Disable Page Out = don't save data in the
1120	 * cache) but we don't implement it.
1121	 */
1122	if (common->cmnd[1] & ~0x10) {
1123		curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1124		return -EINVAL;
1125	}
1126
1127	verification_length = get_unaligned_be16(&common->cmnd[7]);
1128	if (unlikely(verification_length == 0))
1129		return -EIO;		/* No default reply */
1130
1131	/* Prepare to carry out the file verify */
1132	amount_left = verification_length << 9;
1133	file_offset = ((loff_t) lba) << 9;
1134
1135	/* Write out all the dirty buffers before invalidating them */
1136	fsg_lun_fsync_sub(curlun);
1137	if (signal_pending(current))
1138		return -EINTR;
1139
1140	invalidate_sub(curlun);
1141	if (signal_pending(current))
1142		return -EINTR;
1143
1144	/* Just try to read the requested blocks */
1145	while (amount_left > 0) {
1146		/*
1147		 * Figure out how much we need to read:
1148		 * Try to read the remaining amount, but not more than
1149		 * the buffer size.
1150		 * And don't try to read past the end of the file.
1151		 * If this means reading 0 then we were asked to read
1152		 * past the end of file.
1153		 */
1154		amount = min(amount_left, FSG_BUFLEN);
1155		amount = min((loff_t)amount,
1156			     curlun->file_length - file_offset);
1157		if (amount == 0) {
1158			curlun->sense_data =
1159					SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
1160			curlun->sense_data_info = file_offset >> 9;
1161			curlun->info_valid = 1;
1162			break;
1163		}
1164
1165		/* Perform the read */
1166		file_offset_tmp = file_offset;
1167		nread = vfs_read(curlun->filp,
1168				(char __user *) bh->buf,
1169				amount, &file_offset_tmp);
1170		VLDBG(curlun, "file read %u @ %llu -> %d\n", amount,
1171				(unsigned long long) file_offset,
1172				(int) nread);
1173		if (signal_pending(current))
1174			return -EINTR;
1175
1176		if (nread < 0) {
1177			LDBG(curlun, "error in file verify: %d\n", (int)nread);
1178			nread = 0;
1179		} else if (nread < amount) {
1180			LDBG(curlun, "partial file verify: %d/%u\n",
1181			     (int)nread, amount);
1182			nread -= nread & 511;	/* Round down to a sector */
1183		}
1184		if (nread == 0) {
1185			curlun->sense_data = SS_UNRECOVERED_READ_ERROR;
1186			curlun->sense_data_info = file_offset >> 9;
1187			curlun->info_valid = 1;
1188			break;
1189		}
1190		file_offset += nread;
1191		amount_left -= nread;
1192	}
1193	return 0;
1194}
1195
1196
1197/*-------------------------------------------------------------------------*/
1198
1199static int do_inquiry(struct fsg_common *common, struct fsg_buffhd *bh)
1200{
1201	struct fsg_lun *curlun = common->curlun;
1202	u8	*buf = (u8 *) bh->buf;
1203
1204	if (!curlun) {		/* Unsupported LUNs are okay */
1205		common->bad_lun_okay = 1;
1206		memset(buf, 0, 36);
1207		buf[0] = 0x7f;		/* Unsupported, no device-type */
1208		buf[4] = 31;		/* Additional length */
1209		return 36;
1210	}
1211
1212	buf[0] = curlun->cdrom ? TYPE_ROM : TYPE_DISK;
1213	buf[1] = curlun->removable ? 0x80 : 0;
1214	buf[2] = 2;		/* ANSI SCSI level 2 */
1215	buf[3] = 2;		/* SCSI-2 INQUIRY data format */
1216	buf[4] = 31;		/* Additional length */
1217	buf[5] = 0;		/* No special options */
1218	buf[6] = 0;
1219	buf[7] = 0;
1220	memcpy(buf + 8, common->inquiry_string, sizeof common->inquiry_string);
1221	return 36;
1222}
1223
1224static int do_request_sense(struct fsg_common *common, struct fsg_buffhd *bh)
1225{
1226	struct fsg_lun	*curlun = common->curlun;
1227	u8		*buf = (u8 *) bh->buf;
1228	u32		sd, sdinfo;
1229	int		valid;
1230
1231	/*
1232	 * From the SCSI-2 spec., section 7.9 (Unit attention condition):
1233	 *
1234	 * If a REQUEST SENSE command is received from an initiator
1235	 * with a pending unit attention condition (before the target
1236	 * generates the contingent allegiance condition), then the
1237	 * target shall either:
1238	 *   a) report any pending sense data and preserve the unit
1239	 *	attention condition on the logical unit, or,
1240	 *   b) report the unit attention condition, may discard any
1241	 *	pending sense data, and clear the unit attention
1242	 *	condition on the logical unit for that initiator.
1243	 *
1244	 * FSG normally uses option a); enable this code to use option b).
1245	 */
1246#if 0
1247	if (curlun && curlun->unit_attention_data != SS_NO_SENSE) {
1248		curlun->sense_data = curlun->unit_attention_data;
1249		curlun->unit_attention_data = SS_NO_SENSE;
1250	}
1251#endif
1252
1253	if (!curlun) {		/* Unsupported LUNs are okay */
1254		common->bad_lun_okay = 1;
1255		sd = SS_LOGICAL_UNIT_NOT_SUPPORTED;
1256		sdinfo = 0;
1257		valid = 0;
1258	} else {
1259		sd = curlun->sense_data;
1260		sdinfo = curlun->sense_data_info;
1261		valid = curlun->info_valid << 7;
1262		curlun->sense_data = SS_NO_SENSE;
1263		curlun->sense_data_info = 0;
1264		curlun->info_valid = 0;
1265	}
1266
1267	memset(buf, 0, 18);
1268	buf[0] = valid | 0x70;			/* Valid, current error */
1269	buf[2] = SK(sd);
1270	put_unaligned_be32(sdinfo, &buf[3]);	/* Sense information */
1271	buf[7] = 18 - 8;			/* Additional sense length */
1272	buf[12] = ASC(sd);
1273	buf[13] = ASCQ(sd);
1274	return 18;
1275}
1276
1277static int do_read_capacity(struct fsg_common *common, struct fsg_buffhd *bh)
1278{
1279	struct fsg_lun	*curlun = common->curlun;
1280	u32		lba = get_unaligned_be32(&common->cmnd[2]);
1281	int		pmi = common->cmnd[8];
1282	u8		*buf = (u8 *)bh->buf;
1283
1284	/* Check the PMI and LBA fields */
1285	if (pmi > 1 || (pmi == 0 && lba != 0)) {
1286		curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1287		return -EINVAL;
1288	}
1289
1290	put_unaligned_be32(curlun->num_sectors - 1, &buf[0]);
1291						/* Max logical block */
1292	put_unaligned_be32(512, &buf[4]);	/* Block length */
1293	return 8;
1294}
1295
1296static int do_read_header(struct fsg_common *common, struct fsg_buffhd *bh)
1297{
1298	struct fsg_lun	*curlun = common->curlun;
1299	int		msf = common->cmnd[1] & 0x02;
1300	u32		lba = get_unaligned_be32(&common->cmnd[2]);
1301	u8		*buf = (u8 *)bh->buf;
1302
1303	if (common->cmnd[1] & ~0x02) {		/* Mask away MSF */
1304		curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1305		return -EINVAL;
1306	}
1307	if (lba >= curlun->num_sectors) {
1308		curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
1309		return -EINVAL;
1310	}
1311
1312	memset(buf, 0, 8);
1313	buf[0] = 0x01;		/* 2048 bytes of user data, rest is EC */
1314	store_cdrom_address(&buf[4], msf, lba);
1315	return 8;
1316}
1317
1318static int do_read_toc(struct fsg_common *common, struct fsg_buffhd *bh)
1319{
1320	struct fsg_lun	*curlun = common->curlun;
1321	int		msf = common->cmnd[1] & 0x02;
1322	int		start_track = common->cmnd[6];
1323	u8		*buf = (u8 *)bh->buf;
1324
1325	if ((common->cmnd[1] & ~0x02) != 0 ||	/* Mask away MSF */
1326			start_track > 1) {
1327		curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1328		return -EINVAL;
1329	}
1330
1331	memset(buf, 0, 20);
1332	buf[1] = (20-2);		/* TOC data length */
1333	buf[2] = 1;			/* First track number */
1334	buf[3] = 1;			/* Last track number */
1335	buf[5] = 0x16;			/* Data track, copying allowed */
1336	buf[6] = 0x01;			/* Only track is number 1 */
1337	store_cdrom_address(&buf[8], msf, 0);
1338
1339	buf[13] = 0x16;			/* Lead-out track is data */
1340	buf[14] = 0xAA;			/* Lead-out track number */
1341	store_cdrom_address(&buf[16], msf, curlun->num_sectors);
1342	return 20;
1343}
1344
1345static int do_mode_sense(struct fsg_common *common, struct fsg_buffhd *bh)
1346{
1347	struct fsg_lun	*curlun = common->curlun;
1348	int		mscmnd = common->cmnd[0];
1349	u8		*buf = (u8 *) bh->buf;
1350	u8		*buf0 = buf;
1351	int		pc, page_code;
1352	int		changeable_values, all_pages;
1353	int		valid_page = 0;
1354	int		len, limit;
1355
1356	if ((common->cmnd[1] & ~0x08) != 0) {	/* Mask away DBD */
1357		curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1358		return -EINVAL;
1359	}
1360	pc = common->cmnd[2] >> 6;
1361	page_code = common->cmnd[2] & 0x3f;
1362	if (pc == 3) {
1363		curlun->sense_data = SS_SAVING_PARAMETERS_NOT_SUPPORTED;
1364		return -EINVAL;
1365	}
1366	changeable_values = (pc == 1);
1367	all_pages = (page_code == 0x3f);
1368
1369	/*
1370	 * Write the mode parameter header.  Fixed values are: default
1371	 * medium type, no cache control (DPOFUA), and no block descriptors.
1372	 * The only variable value is the WriteProtect bit.  We will fill in
1373	 * the mode data length later.
1374	 */
1375	memset(buf, 0, 8);
1376	if (mscmnd == MODE_SENSE) {
1377		buf[2] = (curlun->ro ? 0x80 : 0x00);		/* WP, DPOFUA */
1378		buf += 4;
1379		limit = 255;
1380	} else {			/* MODE_SENSE_10 */
1381		buf[3] = (curlun->ro ? 0x80 : 0x00);		/* WP, DPOFUA */
1382		buf += 8;
1383		limit = 65535;		/* Should really be FSG_BUFLEN */
1384	}
1385
1386	/* No block descriptors */
1387
1388	/*
1389	 * The mode pages, in numerical order.  The only page we support
1390	 * is the Caching page.
1391	 */
1392	if (page_code == 0x08 || all_pages) {
1393		valid_page = 1;
1394		buf[0] = 0x08;		/* Page code */
1395		buf[1] = 10;		/* Page length */
1396		memset(buf+2, 0, 10);	/* None of the fields are changeable */
1397
1398		if (!changeable_values) {
1399			buf[2] = 0x04;	/* Write cache enable, */
1400					/* Read cache not disabled */
1401					/* No cache retention priorities */
1402			put_unaligned_be16(0xffff, &buf[4]);
1403					/* Don't disable prefetch */
1404					/* Minimum prefetch = 0 */
1405			put_unaligned_be16(0xffff, &buf[8]);
1406					/* Maximum prefetch */
1407			put_unaligned_be16(0xffff, &buf[10]);
1408					/* Maximum prefetch ceiling */
1409		}
1410		buf += 12;
1411	}
1412
1413	/*
1414	 * Check that a valid page was requested and the mode data length
1415	 * isn't too long.
1416	 */
1417	len = buf - buf0;
1418	if (!valid_page || len > limit) {
1419		curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1420		return -EINVAL;
1421	}
1422
1423	/*  Store the mode data length */
1424	if (mscmnd == MODE_SENSE)
1425		buf0[0] = len - 1;
1426	else
1427		put_unaligned_be16(len - 2, buf0);
1428	return len;
1429}
1430
1431static int do_start_stop(struct fsg_common *common)
1432{
1433	struct fsg_lun	*curlun = common->curlun;
1434	int		loej, start;
1435
1436	if (!curlun) {
1437		return -EINVAL;
1438	} else if (!curlun->removable) {
1439		curlun->sense_data = SS_INVALID_COMMAND;
1440		return -EINVAL;
1441	} else if ((common->cmnd[1] & ~0x01) != 0 || /* Mask away Immed */
1442		   (common->cmnd[4] & ~0x03) != 0) { /* Mask LoEj, Start */
1443		curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1444		return -EINVAL;
1445	}
1446
1447	loej  = common->cmnd[4] & 0x02;
1448	start = common->cmnd[4] & 0x01;
1449
1450	/*
1451	 * Our emulation doesn't support mounting; the medium is
1452	 * available for use as soon as it is loaded.
1453	 */
1454	if (start) {
1455		if (!fsg_lun_is_open(curlun)) {
1456			curlun->sense_data = SS_MEDIUM_NOT_PRESENT;
1457			return -EINVAL;
1458		}
1459		return 0;
1460	}
1461
1462	/* Are we allowed to unload the media? */
1463	if (curlun->prevent_medium_removal) {
1464		LDBG(curlun, "unload attempt prevented\n");
1465		curlun->sense_data = SS_MEDIUM_REMOVAL_PREVENTED;
1466		return -EINVAL;
1467	}
1468
1469	if (!loej)
1470		return 0;
1471
1472	/* Simulate an unload/eject */
1473	if (common->ops && common->ops->pre_eject) {
1474		int r = common->ops->pre_eject(common, curlun,
1475					       curlun - common->luns);
1476		if (unlikely(r < 0))
1477			return r;
1478		else if (r)
1479			return 0;
1480	}
1481
1482	up_read(&common->filesem);
1483	down_write(&common->filesem);
1484	fsg_lun_close(curlun);
1485	up_write(&common->filesem);
1486	down_read(&common->filesem);
1487
1488	return common->ops && common->ops->post_eject
1489		? min(0, common->ops->post_eject(common, curlun,
1490						 curlun - common->luns))
1491		: 0;
1492}
1493
1494static int do_prevent_allow(struct fsg_common *common)
1495{
1496	struct fsg_lun	*curlun = common->curlun;
1497	int		prevent;
1498
1499	if (!common->curlun) {
1500		return -EINVAL;
1501	} else if (!common->curlun->removable) {
1502		common->curlun->sense_data = SS_INVALID_COMMAND;
1503		return -EINVAL;
1504	}
1505
1506	prevent = common->cmnd[4] & 0x01;
1507	if ((common->cmnd[4] & ~0x01) != 0) {	/* Mask away Prevent */
1508		curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1509		return -EINVAL;
1510	}
1511
1512	if (curlun->prevent_medium_removal && !prevent)
1513		fsg_lun_fsync_sub(curlun);
1514	curlun->prevent_medium_removal = prevent;
1515	return 0;
1516}
1517
1518static int do_read_format_capacities(struct fsg_common *common,
1519			struct fsg_buffhd *bh)
1520{
1521	struct fsg_lun	*curlun = common->curlun;
1522	u8		*buf = (u8 *) bh->buf;
1523
1524	buf[0] = buf[1] = buf[2] = 0;
1525	buf[3] = 8;	/* Only the Current/Maximum Capacity Descriptor */
1526	buf += 4;
1527
1528	put_unaligned_be32(curlun->num_sectors, &buf[0]);
1529						/* Number of blocks */
1530	put_unaligned_be32(512, &buf[4]);	/* Block length */
1531	buf[4] = 0x02;				/* Current capacity */
1532	return 12;
1533}
1534
1535static int do_mode_select(struct fsg_common *common, struct fsg_buffhd *bh)
1536{
1537	struct fsg_lun	*curlun = common->curlun;
1538
1539	/* We don't support MODE SELECT */
1540	if (curlun)
1541		curlun->sense_data = SS_INVALID_COMMAND;
1542	return -EINVAL;
1543}
1544
1545
1546/*-------------------------------------------------------------------------*/
1547
1548static int halt_bulk_in_endpoint(struct fsg_dev *fsg)
1549{
1550	int	rc;
1551
1552	rc = fsg_set_halt(fsg, fsg->bulk_in);
1553	if (rc == -EAGAIN)
1554		VDBG(fsg, "delayed bulk-in endpoint halt\n");
1555	while (rc != 0) {
1556		if (rc != -EAGAIN) {
1557			WARNING(fsg, "usb_ep_set_halt -> %d\n", rc);
1558			rc = 0;
1559			break;
1560		}
1561
1562		/* Wait for a short time and then try again */
1563		if (msleep_interruptible(100) != 0)
1564			return -EINTR;
1565		rc = usb_ep_set_halt(fsg->bulk_in);
1566	}
1567	return rc;
1568}
1569
1570static int wedge_bulk_in_endpoint(struct fsg_dev *fsg)
1571{
1572	int	rc;
1573
1574	DBG(fsg, "bulk-in set wedge\n");
1575	rc = usb_ep_set_wedge(fsg->bulk_in);
1576	if (rc == -EAGAIN)
1577		VDBG(fsg, "delayed bulk-in endpoint wedge\n");
1578	while (rc != 0) {
1579		if (rc != -EAGAIN) {
1580			WARNING(fsg, "usb_ep_set_wedge -> %d\n", rc);
1581			rc = 0;
1582			break;
1583		}
1584
1585		/* Wait for a short time and then try again */
1586		if (msleep_interruptible(100) != 0)
1587			return -EINTR;
1588		rc = usb_ep_set_wedge(fsg->bulk_in);
1589	}
1590	return rc;
1591}
1592
1593static int throw_away_data(struct fsg_common *common)
1594{
1595	struct fsg_buffhd	*bh;
1596	u32			amount;
1597	int			rc;
1598
1599	for (bh = common->next_buffhd_to_drain;
1600	     bh->state != BUF_STATE_EMPTY || common->usb_amount_left > 0;
1601	     bh = common->next_buffhd_to_drain) {
1602
1603		/* Throw away the data in a filled buffer */
1604		if (bh->state == BUF_STATE_FULL) {
1605			smp_rmb();
1606			bh->state = BUF_STATE_EMPTY;
1607			common->next_buffhd_to_drain = bh->next;
1608
1609			/* A short packet or an error ends everything */
1610			if (bh->outreq->actual != bh->outreq->length ||
1611			    bh->outreq->status != 0) {
1612				raise_exception(common,
1613						FSG_STATE_ABORT_BULK_OUT);
1614				return -EINTR;
1615			}
1616			continue;
1617		}
1618
1619		/* Try to submit another request if we need one */
1620		bh = common->next_buffhd_to_fill;
1621		if (bh->state == BUF_STATE_EMPTY
1622		 && common->usb_amount_left > 0) {
1623			amount = min(common->usb_amount_left, FSG_BUFLEN);
1624
1625			/*
1626			 * amount is always divisible by 512, hence by
1627			 * the bulk-out maxpacket size.
1628			 */
1629			bh->outreq->length = amount;
1630			bh->bulk_out_intended_length = amount;
1631			bh->outreq->short_not_ok = 1;
1632			if (!start_out_transfer(common, bh))
1633				/* Dunno what to do if common->fsg is NULL */
1634				return -EIO;
1635			common->next_buffhd_to_fill = bh->next;
1636			common->usb_amount_left -= amount;
1637			continue;
1638		}
1639
1640		/* Otherwise wait for something to happen */
1641		rc = sleep_thread(common);
1642		if (rc)
1643			return rc;
1644	}
1645	return 0;
1646}
1647
1648static int finish_reply(struct fsg_common *common)
1649{
1650	struct fsg_buffhd	*bh = common->next_buffhd_to_fill;
1651	int			rc = 0;
1652
1653	switch (common->data_dir) {
1654	case DATA_DIR_NONE:
1655		break;			/* Nothing to send */
1656
1657	/*
1658	 * If we don't know whether the host wants to read or write,
1659	 * this must be CB or CBI with an unknown command.  We…

Large files files are truncated, but you can click here to view the full file