Merge git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6
[linux-2.6] / drivers / usb / gadget / file_storage.c
1 /*
2  * file_storage.c -- File-backed USB Storage Gadget, for USB development
3  *
4  * Copyright (C) 2003-2007 Alan Stern
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions, and the following disclaimer,
12  *    without modification.
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  * 3. The names of the above-listed copyright holders may not be used
17  *    to endorse or promote products derived from this software without
18  *    specific prior written permission.
19  *
20  * ALTERNATIVELY, this software may be distributed under the terms of the
21  * GNU General Public License ("GPL") as published by the Free Software
22  * Foundation, either version 2 of that License or (at your option) any
23  * later version.
24  *
25  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
26  * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
27  * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
28  * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
29  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
30  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
31  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
32  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
33  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
34  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
35  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36  */
37
38
39 /*
40  * The File-backed Storage Gadget acts as a USB Mass Storage device,
41  * appearing to the host as a disk drive.  In addition to providing an
42  * example of a genuinely useful gadget driver for a USB device, it also
43  * illustrates a technique of double-buffering for increased throughput.
44  * Last but not least, it gives an easy way to probe the behavior of the
45  * Mass Storage drivers in a USB host.
46  *
47  * Backing storage is provided by a regular file or a block device, specified
48  * by the "file" module parameter.  Access can be limited to read-only by
49  * setting the optional "ro" module parameter.  The gadget will indicate that
50  * it has removable media if the optional "removable" module parameter is set.
51  *
52  * The gadget supports the Control-Bulk (CB), Control-Bulk-Interrupt (CBI),
53  * and Bulk-Only (also known as Bulk-Bulk-Bulk or BBB) transports, selected
54  * by the optional "transport" module parameter.  It also supports the
55  * following protocols: RBC (0x01), ATAPI or SFF-8020i (0x02), QIC-157 (0c03),
56  * UFI (0x04), SFF-8070i (0x05), and transparent SCSI (0x06), selected by
57  * the optional "protocol" module parameter.  In addition, the default
58  * Vendor ID, Product ID, and release number can be overridden.
59  *
60  * There is support for multiple logical units (LUNs), each of which has
61  * its own backing file.  The number of LUNs can be set using the optional
62  * "luns" module parameter (anywhere from 1 to 8), and the corresponding
63  * files are specified using comma-separated lists for "file" and "ro".
64  * The default number of LUNs is taken from the number of "file" elements;
65  * it is 1 if "file" is not given.  If "removable" is not set then a backing
66  * file must be specified for each LUN.  If it is set, then an unspecified
67  * or empty backing filename means the LUN's medium is not loaded.
68  *
69  * Requirements are modest; only a bulk-in and a bulk-out endpoint are
70  * needed (an interrupt-out endpoint is also needed for CBI).  The memory
71  * requirement amounts to two 16K buffers, size configurable by a parameter.
72  * Support is included for both full-speed and high-speed operation.
73  *
74  * Note that the driver is slightly non-portable in that it assumes a
75  * single memory/DMA buffer will be useable for bulk-in, bulk-out, and
76  * interrupt-in endpoints.  With most device controllers this isn't an
77  * issue, but there may be some with hardware restrictions that prevent
78  * a buffer from being used by more than one endpoint.
79  *
80  * Module options:
81  *
82  *      file=filename[,filename...]
83  *                              Required if "removable" is not set, names of
84  *                                      the files or block devices used for
85  *                                      backing storage
86  *      ro=b[,b...]             Default false, booleans for read-only access
87  *      removable               Default false, boolean for removable media
88  *      luns=N                  Default N = number of filenames, number of
89  *                                      LUNs to support
90  *      stall                   Default determined according to the type of
91  *                                      USB device controller (usually true),
92  *                                      boolean to permit the driver to halt
93  *                                      bulk endpoints
94  *      transport=XXX           Default BBB, transport name (CB, CBI, or BBB)
95  *      protocol=YYY            Default SCSI, protocol name (RBC, 8020 or
96  *                                      ATAPI, QIC, UFI, 8070, or SCSI;
97  *                                      also 1 - 6)
98  *      vendor=0xVVVV           Default 0x0525 (NetChip), USB Vendor ID
99  *      product=0xPPPP          Default 0xa4a5 (FSG), USB Product ID
100  *      release=0xRRRR          Override the USB release number (bcdDevice)
101  *      buflen=N                Default N=16384, buffer size used (will be
102  *                                      rounded down to a multiple of
103  *                                      PAGE_CACHE_SIZE)
104  *
105  * If CONFIG_USB_FILE_STORAGE_TEST is not set, only the "file", "ro",
106  * "removable", "luns", and "stall" options are available; default values
107  * are used for everything else.
108  *
109  * The pathnames of the backing files and the ro settings are available in
110  * the attribute files "file" and "ro" in the lun<n> subdirectory of the
111  * gadget's sysfs directory.  If the "removable" option is set, writing to
112  * these files will simulate ejecting/loading the medium (writing an empty
113  * line means eject) and adjusting a write-enable tab.  Changes to the ro
114  * setting are not allowed when the medium is loaded.
115  *
116  * This gadget driver is heavily based on "Gadget Zero" by David Brownell.
117  * The driver's SCSI command interface was based on the "Information
118  * technology - Small Computer System Interface - 2" document from
119  * X3T9.2 Project 375D, Revision 10L, 7-SEP-93, available at
120  * <http://www.t10.org/ftp/t10/drafts/s2/s2-r10l.pdf>.  The single exception
121  * is opcode 0x23 (READ FORMAT CAPACITIES), which was based on the
122  * "Universal Serial Bus Mass Storage Class UFI Command Specification"
123  * document, Revision 1.0, December 14, 1998, available at
124  * <http://www.usb.org/developers/devclass_docs/usbmass-ufi10.pdf>.
125  */
126
127
128 /*
129  *                              Driver Design
130  *
131  * The FSG driver is fairly straightforward.  There is a main kernel
132  * thread that handles most of the work.  Interrupt routines field
133  * callbacks from the controller driver: bulk- and interrupt-request
134  * completion notifications, endpoint-0 events, and disconnect events.
135  * Completion events are passed to the main thread by wakeup calls.  Many
136  * ep0 requests are handled at interrupt time, but SetInterface,
137  * SetConfiguration, and device reset requests are forwarded to the
138  * thread in the form of "exceptions" using SIGUSR1 signals (since they
139  * should interrupt any ongoing file I/O operations).
140  *
141  * The thread's main routine implements the standard command/data/status
142  * parts of a SCSI interaction.  It and its subroutines are full of tests
143  * for pending signals/exceptions -- all this polling is necessary since
144  * the kernel has no setjmp/longjmp equivalents.  (Maybe this is an
145  * indication that the driver really wants to be running in userspace.)
146  * An important point is that so long as the thread is alive it keeps an
147  * open reference to the backing file.  This will prevent unmounting
148  * the backing file's underlying filesystem and could cause problems
149  * during system shutdown, for example.  To prevent such problems, the
150  * thread catches INT, TERM, and KILL signals and converts them into
151  * an EXIT exception.
152  *
153  * In normal operation the main thread is started during the gadget's
154  * fsg_bind() callback and stopped during fsg_unbind().  But it can also
155  * exit when it receives a signal, and there's no point leaving the
156  * gadget running when the thread is dead.  So just before the thread
157  * exits, it deregisters the gadget driver.  This makes things a little
158  * tricky: The driver is deregistered at two places, and the exiting
159  * thread can indirectly call fsg_unbind() which in turn can tell the
160  * thread to exit.  The first problem is resolved through the use of the
161  * REGISTERED atomic bitflag; the driver will only be deregistered once.
162  * The second problem is resolved by having fsg_unbind() check
163  * fsg->state; it won't try to stop the thread if the state is already
164  * FSG_STATE_TERMINATED.
165  *
166  * To provide maximum throughput, the driver uses a circular pipeline of
167  * buffer heads (struct fsg_buffhd).  In principle the pipeline can be
168  * arbitrarily long; in practice the benefits don't justify having more
169  * than 2 stages (i.e., double buffering).  But it helps to think of the
170  * pipeline as being a long one.  Each buffer head contains a bulk-in and
171  * a bulk-out request pointer (since the buffer can be used for both
172  * output and input -- directions always are given from the host's
173  * point of view) as well as a pointer to the buffer and various state
174  * variables.
175  *
176  * Use of the pipeline follows a simple protocol.  There is a variable
177  * (fsg->next_buffhd_to_fill) that points to the next buffer head to use.
178  * At any time that buffer head may still be in use from an earlier
179  * request, so each buffer head has a state variable indicating whether
180  * it is EMPTY, FULL, or BUSY.  Typical use involves waiting for the
181  * buffer head to be EMPTY, filling the buffer either by file I/O or by
182  * USB I/O (during which the buffer head is BUSY), and marking the buffer
183  * head FULL when the I/O is complete.  Then the buffer will be emptied
184  * (again possibly by USB I/O, during which it is marked BUSY) and
185  * finally marked EMPTY again (possibly by a completion routine).
186  *
187  * A module parameter tells the driver to avoid stalling the bulk
188  * endpoints wherever the transport specification allows.  This is
189  * necessary for some UDCs like the SuperH, which cannot reliably clear a
190  * halt on a bulk endpoint.  However, under certain circumstances the
191  * Bulk-only specification requires a stall.  In such cases the driver
192  * will halt the endpoint and set a flag indicating that it should clear
193  * the halt in software during the next device reset.  Hopefully this
194  * will permit everything to work correctly.  Furthermore, although the
195  * specification allows the bulk-out endpoint to halt when the host sends
196  * too much data, implementing this would cause an unavoidable race.
197  * The driver will always use the "no-stall" approach for OUT transfers.
198  *
199  * One subtle point concerns sending status-stage responses for ep0
200  * requests.  Some of these requests, such as device reset, can involve
201  * interrupting an ongoing file I/O operation, which might take an
202  * arbitrarily long time.  During that delay the host might give up on
203  * the original ep0 request and issue a new one.  When that happens the
204  * driver should not notify the host about completion of the original
205  * request, as the host will no longer be waiting for it.  So the driver
206  * assigns to each ep0 request a unique tag, and it keeps track of the
207  * tag value of the request associated with a long-running exception
208  * (device-reset, interface-change, or configuration-change).  When the
209  * exception handler is finished, the status-stage response is submitted
210  * only if the current ep0 request tag is equal to the exception request
211  * tag.  Thus only the most recently received ep0 request will get a
212  * status-stage response.
213  *
214  * Warning: This driver source file is too long.  It ought to be split up
215  * into a header file plus about 3 separate .c files, to handle the details
216  * of the Gadget, USB Mass Storage, and SCSI protocols.
217  */
218
219
220 /* #define VERBOSE_DEBUG */
221 /* #define DUMP_MSGS */
222
223
224 #include <linux/blkdev.h>
225 #include <linux/completion.h>
226 #include <linux/dcache.h>
227 #include <linux/delay.h>
228 #include <linux/device.h>
229 #include <linux/fcntl.h>
230 #include <linux/file.h>
231 #include <linux/fs.h>
232 #include <linux/kref.h>
233 #include <linux/kthread.h>
234 #include <linux/limits.h>
235 #include <linux/rwsem.h>
236 #include <linux/slab.h>
237 #include <linux/spinlock.h>
238 #include <linux/string.h>
239 #include <linux/freezer.h>
240 #include <linux/utsname.h>
241
242 #include <linux/usb/ch9.h>
243 #include <linux/usb/gadget.h>
244
245 #include "gadget_chips.h"
246
247
248 /*-------------------------------------------------------------------------*/
249
250 #define DRIVER_DESC             "File-backed Storage Gadget"
251 #define DRIVER_NAME             "g_file_storage"
252 #define DRIVER_VERSION          "7 August 2007"
253
254 static const char longname[] = DRIVER_DESC;
255 static const char shortname[] = DRIVER_NAME;
256
257 MODULE_DESCRIPTION(DRIVER_DESC);
258 MODULE_AUTHOR("Alan Stern");
259 MODULE_LICENSE("Dual BSD/GPL");
260
261 /* Thanks to NetChip Technologies for donating this product ID.
262  *
263  * DO NOT REUSE THESE IDs with any other driver!!  Ever!!
264  * Instead:  allocate your own, using normal USB-IF procedures. */
265 #define DRIVER_VENDOR_ID        0x0525  // NetChip
266 #define DRIVER_PRODUCT_ID       0xa4a5  // Linux-USB File-backed Storage Gadget
267
268
269 /*
270  * This driver assumes self-powered hardware and has no way for users to
271  * trigger remote wakeup.  It uses autoconfiguration to select endpoints
272  * and endpoint addresses.
273  */
274
275
276 /*-------------------------------------------------------------------------*/
277
278 #ifdef DEBUG
279 #define LDBG(lun,fmt,args...) \
280         dev_dbg(&(lun)->dev , fmt , ## args)
281 #define MDBG(fmt,args...) \
282         printk(KERN_DEBUG DRIVER_NAME ": " fmt , ## args)
283 #else
284 #define LDBG(lun,fmt,args...) \
285         do { } while (0)
286 #define MDBG(fmt,args...) \
287         do { } while (0)
288 #undef VERBOSE_DEBUG
289 #undef DUMP_MSGS
290 #endif /* DEBUG */
291
292 #ifdef VERBOSE_DEBUG
293 #define VLDBG   LDBG
294 #else
295 #define VLDBG(lun,fmt,args...) \
296         do { } while (0)
297 #endif /* VERBOSE_DEBUG */
298
299 #define LERROR(lun,fmt,args...) \
300         dev_err(&(lun)->dev , fmt , ## args)
301 #define LWARN(lun,fmt,args...) \
302         dev_warn(&(lun)->dev , fmt , ## args)
303 #define LINFO(lun,fmt,args...) \
304         dev_info(&(lun)->dev , fmt , ## args)
305
306 #define MINFO(fmt,args...) \
307         printk(KERN_INFO DRIVER_NAME ": " fmt , ## args)
308
309 #define DBG(d, fmt, args...) \
310         dev_dbg(&(d)->gadget->dev , fmt , ## args)
311 #define VDBG(d, fmt, args...) \
312         dev_vdbg(&(d)->gadget->dev , fmt , ## args)
313 #define ERROR(d, fmt, args...) \
314         dev_err(&(d)->gadget->dev , fmt , ## args)
315 #define WARN(d, fmt, args...) \
316         dev_warn(&(d)->gadget->dev , fmt , ## args)
317 #define INFO(d, fmt, args...) \
318         dev_info(&(d)->gadget->dev , fmt , ## args)
319
320
321 /*-------------------------------------------------------------------------*/
322
323 /* Encapsulate the module parameter settings */
324
325 #define MAX_LUNS        8
326
327 static struct {
328         char            *file[MAX_LUNS];
329         int             ro[MAX_LUNS];
330         unsigned int    num_filenames;
331         unsigned int    num_ros;
332         unsigned int    nluns;
333
334         int             removable;
335         int             can_stall;
336
337         char            *transport_parm;
338         char            *protocol_parm;
339         unsigned short  vendor;
340         unsigned short  product;
341         unsigned short  release;
342         unsigned int    buflen;
343
344         int             transport_type;
345         char            *transport_name;
346         int             protocol_type;
347         char            *protocol_name;
348
349 } mod_data = {                                  // Default values
350         .transport_parm         = "BBB",
351         .protocol_parm          = "SCSI",
352         .removable              = 0,
353         .can_stall              = 1,
354         .vendor                 = DRIVER_VENDOR_ID,
355         .product                = DRIVER_PRODUCT_ID,
356         .release                = 0xffff,       // Use controller chip type
357         .buflen                 = 16384,
358         };
359
360
361 module_param_array_named(file, mod_data.file, charp, &mod_data.num_filenames,
362                 S_IRUGO);
363 MODULE_PARM_DESC(file, "names of backing files or devices");
364
365 module_param_array_named(ro, mod_data.ro, bool, &mod_data.num_ros, S_IRUGO);
366 MODULE_PARM_DESC(ro, "true to force read-only");
367
368 module_param_named(luns, mod_data.nluns, uint, S_IRUGO);
369 MODULE_PARM_DESC(luns, "number of LUNs");
370
371 module_param_named(removable, mod_data.removable, bool, S_IRUGO);
372 MODULE_PARM_DESC(removable, "true to simulate removable media");
373
374 module_param_named(stall, mod_data.can_stall, bool, S_IRUGO);
375 MODULE_PARM_DESC(stall, "false to prevent bulk stalls");
376
377
378 /* In the non-TEST version, only the module parameters listed above
379  * are available. */
380 #ifdef CONFIG_USB_FILE_STORAGE_TEST
381
382 module_param_named(transport, mod_data.transport_parm, charp, S_IRUGO);
383 MODULE_PARM_DESC(transport, "type of transport (BBB, CBI, or CB)");
384
385 module_param_named(protocol, mod_data.protocol_parm, charp, S_IRUGO);
386 MODULE_PARM_DESC(protocol, "type of protocol (RBC, 8020, QIC, UFI, "
387                 "8070, or SCSI)");
388
389 module_param_named(vendor, mod_data.vendor, ushort, S_IRUGO);
390 MODULE_PARM_DESC(vendor, "USB Vendor ID");
391
392 module_param_named(product, mod_data.product, ushort, S_IRUGO);
393 MODULE_PARM_DESC(product, "USB Product ID");
394
395 module_param_named(release, mod_data.release, ushort, S_IRUGO);
396 MODULE_PARM_DESC(release, "USB release number");
397
398 module_param_named(buflen, mod_data.buflen, uint, S_IRUGO);
399 MODULE_PARM_DESC(buflen, "I/O buffer size");
400
401 #endif /* CONFIG_USB_FILE_STORAGE_TEST */
402
403
404 /*-------------------------------------------------------------------------*/
405
406 /* USB protocol value = the transport method */
407 #define USB_PR_CBI      0x00            // Control/Bulk/Interrupt
408 #define USB_PR_CB       0x01            // Control/Bulk w/o interrupt
409 #define USB_PR_BULK     0x50            // Bulk-only
410
411 /* USB subclass value = the protocol encapsulation */
412 #define USB_SC_RBC      0x01            // Reduced Block Commands (flash)
413 #define USB_SC_8020     0x02            // SFF-8020i, MMC-2, ATAPI (CD-ROM)
414 #define USB_SC_QIC      0x03            // QIC-157 (tape)
415 #define USB_SC_UFI      0x04            // UFI (floppy)
416 #define USB_SC_8070     0x05            // SFF-8070i (removable)
417 #define USB_SC_SCSI     0x06            // Transparent SCSI
418
419 /* Bulk-only data structures */
420
421 /* Command Block Wrapper */
422 struct bulk_cb_wrap {
423         __le32  Signature;              // Contains 'USBC'
424         u32     Tag;                    // Unique per command id
425         __le32  DataTransferLength;     // Size of the data
426         u8      Flags;                  // Direction in bit 7
427         u8      Lun;                    // LUN (normally 0)
428         u8      Length;                 // Of the CDB, <= MAX_COMMAND_SIZE
429         u8      CDB[16];                // Command Data Block
430 };
431
432 #define USB_BULK_CB_WRAP_LEN    31
433 #define USB_BULK_CB_SIG         0x43425355      // Spells out USBC
434 #define USB_BULK_IN_FLAG        0x80
435
436 /* Command Status Wrapper */
437 struct bulk_cs_wrap {
438         __le32  Signature;              // Should = 'USBS'
439         u32     Tag;                    // Same as original command
440         __le32  Residue;                // Amount not transferred
441         u8      Status;                 // See below
442 };
443
444 #define USB_BULK_CS_WRAP_LEN    13
445 #define USB_BULK_CS_SIG         0x53425355      // Spells out 'USBS'
446 #define USB_STATUS_PASS         0
447 #define USB_STATUS_FAIL         1
448 #define USB_STATUS_PHASE_ERROR  2
449
450 /* Bulk-only class specific requests */
451 #define USB_BULK_RESET_REQUEST          0xff
452 #define USB_BULK_GET_MAX_LUN_REQUEST    0xfe
453
454
455 /* CBI Interrupt data structure */
456 struct interrupt_data {
457         u8      bType;
458         u8      bValue;
459 };
460
461 #define CBI_INTERRUPT_DATA_LEN          2
462
463 /* CBI Accept Device-Specific Command request */
464 #define USB_CBI_ADSC_REQUEST            0x00
465
466
467 #define MAX_COMMAND_SIZE        16      // Length of a SCSI Command Data Block
468
469 /* SCSI commands that we recognize */
470 #define SC_FORMAT_UNIT                  0x04
471 #define SC_INQUIRY                      0x12
472 #define SC_MODE_SELECT_6                0x15
473 #define SC_MODE_SELECT_10               0x55
474 #define SC_MODE_SENSE_6                 0x1a
475 #define SC_MODE_SENSE_10                0x5a
476 #define SC_PREVENT_ALLOW_MEDIUM_REMOVAL 0x1e
477 #define SC_READ_6                       0x08
478 #define SC_READ_10                      0x28
479 #define SC_READ_12                      0xa8
480 #define SC_READ_CAPACITY                0x25
481 #define SC_READ_FORMAT_CAPACITIES       0x23
482 #define SC_RELEASE                      0x17
483 #define SC_REQUEST_SENSE                0x03
484 #define SC_RESERVE                      0x16
485 #define SC_SEND_DIAGNOSTIC              0x1d
486 #define SC_START_STOP_UNIT              0x1b
487 #define SC_SYNCHRONIZE_CACHE            0x35
488 #define SC_TEST_UNIT_READY              0x00
489 #define SC_VERIFY                       0x2f
490 #define SC_WRITE_6                      0x0a
491 #define SC_WRITE_10                     0x2a
492 #define SC_WRITE_12                     0xaa
493
494 /* SCSI Sense Key/Additional Sense Code/ASC Qualifier values */
495 #define SS_NO_SENSE                             0
496 #define SS_COMMUNICATION_FAILURE                0x040800
497 #define SS_INVALID_COMMAND                      0x052000
498 #define SS_INVALID_FIELD_IN_CDB                 0x052400
499 #define SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE   0x052100
500 #define SS_LOGICAL_UNIT_NOT_SUPPORTED           0x052500
501 #define SS_MEDIUM_NOT_PRESENT                   0x023a00
502 #define SS_MEDIUM_REMOVAL_PREVENTED             0x055302
503 #define SS_NOT_READY_TO_READY_TRANSITION        0x062800
504 #define SS_RESET_OCCURRED                       0x062900
505 #define SS_SAVING_PARAMETERS_NOT_SUPPORTED      0x053900
506 #define SS_UNRECOVERED_READ_ERROR               0x031100
507 #define SS_WRITE_ERROR                          0x030c02
508 #define SS_WRITE_PROTECTED                      0x072700
509
510 #define SK(x)           ((u8) ((x) >> 16))      // Sense Key byte, etc.
511 #define ASC(x)          ((u8) ((x) >> 8))
512 #define ASCQ(x)         ((u8) (x))
513
514
515 /*-------------------------------------------------------------------------*/
516
517 /*
518  * These definitions will permit the compiler to avoid generating code for
519  * parts of the driver that aren't used in the non-TEST version.  Even gcc
520  * can recognize when a test of a constant expression yields a dead code
521  * path.
522  */
523
524 #ifdef CONFIG_USB_FILE_STORAGE_TEST
525
526 #define transport_is_bbb()      (mod_data.transport_type == USB_PR_BULK)
527 #define transport_is_cbi()      (mod_data.transport_type == USB_PR_CBI)
528 #define protocol_is_scsi()      (mod_data.protocol_type == USB_SC_SCSI)
529
530 #else
531
532 #define transport_is_bbb()      1
533 #define transport_is_cbi()      0
534 #define protocol_is_scsi()      1
535
536 #endif /* CONFIG_USB_FILE_STORAGE_TEST */
537
538
539 struct lun {
540         struct file     *filp;
541         loff_t          file_length;
542         loff_t          num_sectors;
543
544         unsigned int    ro : 1;
545         unsigned int    prevent_medium_removal : 1;
546         unsigned int    registered : 1;
547         unsigned int    info_valid : 1;
548
549         u32             sense_data;
550         u32             sense_data_info;
551         u32             unit_attention_data;
552
553         struct device   dev;
554 };
555
556 #define backing_file_is_open(curlun)    ((curlun)->filp != NULL)
557
558 static struct lun *dev_to_lun(struct device *dev)
559 {
560         return container_of(dev, struct lun, dev);
561 }
562
563
564 /* Big enough to hold our biggest descriptor */
565 #define EP0_BUFSIZE     256
566 #define DELAYED_STATUS  (EP0_BUFSIZE + 999)     // An impossibly large value
567
568 /* Number of buffers we will use.  2 is enough for double-buffering */
569 #define NUM_BUFFERS     2
570
571 enum fsg_buffer_state {
572         BUF_STATE_EMPTY = 0,
573         BUF_STATE_FULL,
574         BUF_STATE_BUSY
575 };
576
577 struct fsg_buffhd {
578         void                            *buf;
579         enum fsg_buffer_state           state;
580         struct fsg_buffhd               *next;
581
582         /* The NetChip 2280 is faster, and handles some protocol faults
583          * better, if we don't submit any short bulk-out read requests.
584          * So we will record the intended request length here. */
585         unsigned int                    bulk_out_intended_length;
586
587         struct usb_request              *inreq;
588         int                             inreq_busy;
589         struct usb_request              *outreq;
590         int                             outreq_busy;
591 };
592
593 enum fsg_state {
594         FSG_STATE_COMMAND_PHASE = -10,          // This one isn't used anywhere
595         FSG_STATE_DATA_PHASE,
596         FSG_STATE_STATUS_PHASE,
597
598         FSG_STATE_IDLE = 0,
599         FSG_STATE_ABORT_BULK_OUT,
600         FSG_STATE_RESET,
601         FSG_STATE_INTERFACE_CHANGE,
602         FSG_STATE_CONFIG_CHANGE,
603         FSG_STATE_DISCONNECT,
604         FSG_STATE_EXIT,
605         FSG_STATE_TERMINATED
606 };
607
608 enum data_direction {
609         DATA_DIR_UNKNOWN = 0,
610         DATA_DIR_FROM_HOST,
611         DATA_DIR_TO_HOST,
612         DATA_DIR_NONE
613 };
614
615 struct fsg_dev {
616         /* lock protects: state, all the req_busy's, and cbbuf_cmnd */
617         spinlock_t              lock;
618         struct usb_gadget       *gadget;
619
620         /* filesem protects: backing files in use */
621         struct rw_semaphore     filesem;
622
623         /* reference counting: wait until all LUNs are released */
624         struct kref             ref;
625
626         struct usb_ep           *ep0;           // Handy copy of gadget->ep0
627         struct usb_request      *ep0req;        // For control responses
628         unsigned int            ep0_req_tag;
629         const char              *ep0req_name;
630
631         struct usb_request      *intreq;        // For interrupt responses
632         int                     intreq_busy;
633         struct fsg_buffhd       *intr_buffhd;
634
635         unsigned int            bulk_out_maxpacket;
636         enum fsg_state          state;          // For exception handling
637         unsigned int            exception_req_tag;
638
639         u8                      config, new_config;
640
641         unsigned int            running : 1;
642         unsigned int            bulk_in_enabled : 1;
643         unsigned int            bulk_out_enabled : 1;
644         unsigned int            intr_in_enabled : 1;
645         unsigned int            phase_error : 1;
646         unsigned int            short_packet_received : 1;
647         unsigned int            bad_lun_okay : 1;
648
649         unsigned long           atomic_bitflags;
650 #define REGISTERED              0
651 #define CLEAR_BULK_HALTS        1
652 #define SUSPENDED               2
653
654         struct usb_ep           *bulk_in;
655         struct usb_ep           *bulk_out;
656         struct usb_ep           *intr_in;
657
658         struct fsg_buffhd       *next_buffhd_to_fill;
659         struct fsg_buffhd       *next_buffhd_to_drain;
660         struct fsg_buffhd       buffhds[NUM_BUFFERS];
661
662         int                     thread_wakeup_needed;
663         struct completion       thread_notifier;
664         struct task_struct      *thread_task;
665
666         int                     cmnd_size;
667         u8                      cmnd[MAX_COMMAND_SIZE];
668         enum data_direction     data_dir;
669         u32                     data_size;
670         u32                     data_size_from_cmnd;
671         u32                     tag;
672         unsigned int            lun;
673         u32                     residue;
674         u32                     usb_amount_left;
675
676         /* The CB protocol offers no way for a host to know when a command
677          * has completed.  As a result the next command may arrive early,
678          * and we will still have to handle it.  For that reason we need
679          * a buffer to store new commands when using CB (or CBI, which
680          * does not oblige a host to wait for command completion either). */
681         int                     cbbuf_cmnd_size;
682         u8                      cbbuf_cmnd[MAX_COMMAND_SIZE];
683
684         unsigned int            nluns;
685         struct lun              *luns;
686         struct lun              *curlun;
687 };
688
689 typedef void (*fsg_routine_t)(struct fsg_dev *);
690
691 static int exception_in_progress(struct fsg_dev *fsg)
692 {
693         return (fsg->state > FSG_STATE_IDLE);
694 }
695
696 /* Make bulk-out requests be divisible by the maxpacket size */
697 static void set_bulk_out_req_length(struct fsg_dev *fsg,
698                 struct fsg_buffhd *bh, unsigned int length)
699 {
700         unsigned int    rem;
701
702         bh->bulk_out_intended_length = length;
703         rem = length % fsg->bulk_out_maxpacket;
704         if (rem > 0)
705                 length += fsg->bulk_out_maxpacket - rem;
706         bh->outreq->length = length;
707 }
708
709 static struct fsg_dev                   *the_fsg;
710 static struct usb_gadget_driver         fsg_driver;
711
712 static void     close_backing_file(struct lun *curlun);
713 static void     close_all_backing_files(struct fsg_dev *fsg);
714
715
716 /*-------------------------------------------------------------------------*/
717
718 #ifdef DUMP_MSGS
719
720 static void dump_msg(struct fsg_dev *fsg, const char *label,
721                 const u8 *buf, unsigned int length)
722 {
723         if (length < 512) {
724                 DBG(fsg, "%s, length %u:\n", label, length);
725                 print_hex_dump(KERN_DEBUG, "", DUMP_PREFIX_OFFSET,
726                                 16, 1, buf, length, 0);
727         }
728 }
729
730 static void dump_cdb(struct fsg_dev *fsg)
731 {}
732
733 #else
734
735 static void dump_msg(struct fsg_dev *fsg, const char *label,
736                 const u8 *buf, unsigned int length)
737 {}
738
739 #ifdef VERBOSE_DEBUG
740
741 static void dump_cdb(struct fsg_dev *fsg)
742 {
743         print_hex_dump(KERN_DEBUG, "SCSI CDB: ", DUMP_PREFIX_NONE,
744                         16, 1, fsg->cmnd, fsg->cmnd_size, 0);
745 }
746
747 #else
748
749 static void dump_cdb(struct fsg_dev *fsg)
750 {}
751
752 #endif /* VERBOSE_DEBUG */
753 #endif /* DUMP_MSGS */
754
755
756 static int fsg_set_halt(struct fsg_dev *fsg, struct usb_ep *ep)
757 {
758         const char      *name;
759
760         if (ep == fsg->bulk_in)
761                 name = "bulk-in";
762         else if (ep == fsg->bulk_out)
763                 name = "bulk-out";
764         else
765                 name = ep->name;
766         DBG(fsg, "%s set halt\n", name);
767         return usb_ep_set_halt(ep);
768 }
769
770
771 /*-------------------------------------------------------------------------*/
772
773 /* Routines for unaligned data access */
774
775 static u16 get_be16(u8 *buf)
776 {
777         return ((u16) buf[0] << 8) | ((u16) buf[1]);
778 }
779
780 static u32 get_be32(u8 *buf)
781 {
782         return ((u32) buf[0] << 24) | ((u32) buf[1] << 16) |
783                         ((u32) buf[2] << 8) | ((u32) buf[3]);
784 }
785
786 static void put_be16(u8 *buf, u16 val)
787 {
788         buf[0] = val >> 8;
789         buf[1] = val;
790 }
791
792 static void put_be32(u8 *buf, u32 val)
793 {
794         buf[0] = val >> 24;
795         buf[1] = val >> 16;
796         buf[2] = val >> 8;
797         buf[3] = val & 0xff;
798 }
799
800
801 /*-------------------------------------------------------------------------*/
802
803 /*
804  * DESCRIPTORS ... most are static, but strings and (full) configuration
805  * descriptors are built on demand.  Also the (static) config and interface
806  * descriptors are adjusted during fsg_bind().
807  */
808 #define STRING_MANUFACTURER     1
809 #define STRING_PRODUCT          2
810 #define STRING_SERIAL           3
811 #define STRING_CONFIG           4
812 #define STRING_INTERFACE        5
813
814 /* There is only one configuration. */
815 #define CONFIG_VALUE            1
816
817 static struct usb_device_descriptor
818 device_desc = {
819         .bLength =              sizeof device_desc,
820         .bDescriptorType =      USB_DT_DEVICE,
821
822         .bcdUSB =               __constant_cpu_to_le16(0x0200),
823         .bDeviceClass =         USB_CLASS_PER_INTERFACE,
824
825         /* The next three values can be overridden by module parameters */
826         .idVendor =             __constant_cpu_to_le16(DRIVER_VENDOR_ID),
827         .idProduct =            __constant_cpu_to_le16(DRIVER_PRODUCT_ID),
828         .bcdDevice =            __constant_cpu_to_le16(0xffff),
829
830         .iManufacturer =        STRING_MANUFACTURER,
831         .iProduct =             STRING_PRODUCT,
832         .iSerialNumber =        STRING_SERIAL,
833         .bNumConfigurations =   1,
834 };
835
836 static struct usb_config_descriptor
837 config_desc = {
838         .bLength =              sizeof config_desc,
839         .bDescriptorType =      USB_DT_CONFIG,
840
841         /* wTotalLength computed by usb_gadget_config_buf() */
842         .bNumInterfaces =       1,
843         .bConfigurationValue =  CONFIG_VALUE,
844         .iConfiguration =       STRING_CONFIG,
845         .bmAttributes =         USB_CONFIG_ATT_ONE | USB_CONFIG_ATT_SELFPOWER,
846         .bMaxPower =            1,      // self-powered
847 };
848
849 static struct usb_otg_descriptor
850 otg_desc = {
851         .bLength =              sizeof(otg_desc),
852         .bDescriptorType =      USB_DT_OTG,
853
854         .bmAttributes =         USB_OTG_SRP,
855 };
856
857 /* There is only one interface. */
858
859 static struct usb_interface_descriptor
860 intf_desc = {
861         .bLength =              sizeof intf_desc,
862         .bDescriptorType =      USB_DT_INTERFACE,
863
864         .bNumEndpoints =        2,              // Adjusted during fsg_bind()
865         .bInterfaceClass =      USB_CLASS_MASS_STORAGE,
866         .bInterfaceSubClass =   USB_SC_SCSI,    // Adjusted during fsg_bind()
867         .bInterfaceProtocol =   USB_PR_BULK,    // Adjusted during fsg_bind()
868         .iInterface =           STRING_INTERFACE,
869 };
870
871 /* Three full-speed endpoint descriptors: bulk-in, bulk-out,
872  * and interrupt-in. */
873
874 static struct usb_endpoint_descriptor
875 fs_bulk_in_desc = {
876         .bLength =              USB_DT_ENDPOINT_SIZE,
877         .bDescriptorType =      USB_DT_ENDPOINT,
878
879         .bEndpointAddress =     USB_DIR_IN,
880         .bmAttributes =         USB_ENDPOINT_XFER_BULK,
881         /* wMaxPacketSize set by autoconfiguration */
882 };
883
884 static struct usb_endpoint_descriptor
885 fs_bulk_out_desc = {
886         .bLength =              USB_DT_ENDPOINT_SIZE,
887         .bDescriptorType =      USB_DT_ENDPOINT,
888
889         .bEndpointAddress =     USB_DIR_OUT,
890         .bmAttributes =         USB_ENDPOINT_XFER_BULK,
891         /* wMaxPacketSize set by autoconfiguration */
892 };
893
894 static struct usb_endpoint_descriptor
895 fs_intr_in_desc = {
896         .bLength =              USB_DT_ENDPOINT_SIZE,
897         .bDescriptorType =      USB_DT_ENDPOINT,
898
899         .bEndpointAddress =     USB_DIR_IN,
900         .bmAttributes =         USB_ENDPOINT_XFER_INT,
901         .wMaxPacketSize =       __constant_cpu_to_le16(2),
902         .bInterval =            32,     // frames -> 32 ms
903 };
904
905 static const struct usb_descriptor_header *fs_function[] = {
906         (struct usb_descriptor_header *) &otg_desc,
907         (struct usb_descriptor_header *) &intf_desc,
908         (struct usb_descriptor_header *) &fs_bulk_in_desc,
909         (struct usb_descriptor_header *) &fs_bulk_out_desc,
910         (struct usb_descriptor_header *) &fs_intr_in_desc,
911         NULL,
912 };
913 #define FS_FUNCTION_PRE_EP_ENTRIES      2
914
915
916 /*
917  * USB 2.0 devices need to expose both high speed and full speed
918  * descriptors, unless they only run at full speed.
919  *
920  * That means alternate endpoint descriptors (bigger packets)
921  * and a "device qualifier" ... plus more construction options
922  * for the config descriptor.
923  */
924 static struct usb_qualifier_descriptor
925 dev_qualifier = {
926         .bLength =              sizeof dev_qualifier,
927         .bDescriptorType =      USB_DT_DEVICE_QUALIFIER,
928
929         .bcdUSB =               __constant_cpu_to_le16(0x0200),
930         .bDeviceClass =         USB_CLASS_PER_INTERFACE,
931
932         .bNumConfigurations =   1,
933 };
934
935 static struct usb_endpoint_descriptor
936 hs_bulk_in_desc = {
937         .bLength =              USB_DT_ENDPOINT_SIZE,
938         .bDescriptorType =      USB_DT_ENDPOINT,
939
940         /* bEndpointAddress copied from fs_bulk_in_desc during fsg_bind() */
941         .bmAttributes =         USB_ENDPOINT_XFER_BULK,
942         .wMaxPacketSize =       __constant_cpu_to_le16(512),
943 };
944
945 static struct usb_endpoint_descriptor
946 hs_bulk_out_desc = {
947         .bLength =              USB_DT_ENDPOINT_SIZE,
948         .bDescriptorType =      USB_DT_ENDPOINT,
949
950         /* bEndpointAddress copied from fs_bulk_out_desc during fsg_bind() */
951         .bmAttributes =         USB_ENDPOINT_XFER_BULK,
952         .wMaxPacketSize =       __constant_cpu_to_le16(512),
953         .bInterval =            1,      // NAK every 1 uframe
954 };
955
956 static struct usb_endpoint_descriptor
957 hs_intr_in_desc = {
958         .bLength =              USB_DT_ENDPOINT_SIZE,
959         .bDescriptorType =      USB_DT_ENDPOINT,
960
961         /* bEndpointAddress copied from fs_intr_in_desc during fsg_bind() */
962         .bmAttributes =         USB_ENDPOINT_XFER_INT,
963         .wMaxPacketSize =       __constant_cpu_to_le16(2),
964         .bInterval =            9,      // 2**(9-1) = 256 uframes -> 32 ms
965 };
966
967 static const struct usb_descriptor_header *hs_function[] = {
968         (struct usb_descriptor_header *) &otg_desc,
969         (struct usb_descriptor_header *) &intf_desc,
970         (struct usb_descriptor_header *) &hs_bulk_in_desc,
971         (struct usb_descriptor_header *) &hs_bulk_out_desc,
972         (struct usb_descriptor_header *) &hs_intr_in_desc,
973         NULL,
974 };
975 #define HS_FUNCTION_PRE_EP_ENTRIES      2
976
977 /* Maxpacket and other transfer characteristics vary by speed. */
978 static struct usb_endpoint_descriptor *
979 ep_desc(struct usb_gadget *g, struct usb_endpoint_descriptor *fs,
980                 struct usb_endpoint_descriptor *hs)
981 {
982         if (gadget_is_dualspeed(g) && g->speed == USB_SPEED_HIGH)
983                 return hs;
984         return fs;
985 }
986
987
988 /* The CBI specification limits the serial string to 12 uppercase hexadecimal
989  * characters. */
990 static char                             manufacturer[64];
991 static char                             serial[13];
992
993 /* Static strings, in UTF-8 (for simplicity we use only ASCII characters) */
994 static struct usb_string                strings[] = {
995         {STRING_MANUFACTURER,   manufacturer},
996         {STRING_PRODUCT,        longname},
997         {STRING_SERIAL,         serial},
998         {STRING_CONFIG,         "Self-powered"},
999         {STRING_INTERFACE,      "Mass Storage"},
1000         {}
1001 };
1002
1003 static struct usb_gadget_strings        stringtab = {
1004         .language       = 0x0409,               // en-us
1005         .strings        = strings,
1006 };
1007
1008
1009 /*
1010  * Config descriptors must agree with the code that sets configurations
1011  * and with code managing interfaces and their altsettings.  They must
1012  * also handle different speeds and other-speed requests.
1013  */
1014 static int populate_config_buf(struct usb_gadget *gadget,
1015                 u8 *buf, u8 type, unsigned index)
1016 {
1017         enum usb_device_speed                   speed = gadget->speed;
1018         int                                     len;
1019         const struct usb_descriptor_header      **function;
1020
1021         if (index > 0)
1022                 return -EINVAL;
1023
1024         if (gadget_is_dualspeed(gadget) && type == USB_DT_OTHER_SPEED_CONFIG)
1025                 speed = (USB_SPEED_FULL + USB_SPEED_HIGH) - speed;
1026         if (gadget_is_dualspeed(gadget) && speed == USB_SPEED_HIGH)
1027                 function = hs_function;
1028         else
1029                 function = fs_function;
1030
1031         /* for now, don't advertise srp-only devices */
1032         if (!gadget_is_otg(gadget))
1033                 function++;
1034
1035         len = usb_gadget_config_buf(&config_desc, buf, EP0_BUFSIZE, function);
1036         ((struct usb_config_descriptor *) buf)->bDescriptorType = type;
1037         return len;
1038 }
1039
1040
1041 /*-------------------------------------------------------------------------*/
1042
1043 /* These routines may be called in process context or in_irq */
1044
1045 /* Caller must hold fsg->lock */
1046 static void wakeup_thread(struct fsg_dev *fsg)
1047 {
1048         /* Tell the main thread that something has happened */
1049         fsg->thread_wakeup_needed = 1;
1050         if (fsg->thread_task)
1051                 wake_up_process(fsg->thread_task);
1052 }
1053
1054
1055 static void raise_exception(struct fsg_dev *fsg, enum fsg_state new_state)
1056 {
1057         unsigned long           flags;
1058
1059         /* Do nothing if a higher-priority exception is already in progress.
1060          * If a lower-or-equal priority exception is in progress, preempt it
1061          * and notify the main thread by sending it a signal. */
1062         spin_lock_irqsave(&fsg->lock, flags);
1063         if (fsg->state <= new_state) {
1064                 fsg->exception_req_tag = fsg->ep0_req_tag;
1065                 fsg->state = new_state;
1066                 if (fsg->thread_task)
1067                         send_sig_info(SIGUSR1, SEND_SIG_FORCED,
1068                                         fsg->thread_task);
1069         }
1070         spin_unlock_irqrestore(&fsg->lock, flags);
1071 }
1072
1073
1074 /*-------------------------------------------------------------------------*/
1075
1076 /* The disconnect callback and ep0 routines.  These always run in_irq,
1077  * except that ep0_queue() is called in the main thread to acknowledge
1078  * completion of various requests: set config, set interface, and
1079  * Bulk-only device reset. */
1080
1081 static void fsg_disconnect(struct usb_gadget *gadget)
1082 {
1083         struct fsg_dev          *fsg = get_gadget_data(gadget);
1084
1085         DBG(fsg, "disconnect or port reset\n");
1086         raise_exception(fsg, FSG_STATE_DISCONNECT);
1087 }
1088
1089
1090 static int ep0_queue(struct fsg_dev *fsg)
1091 {
1092         int     rc;
1093
1094         rc = usb_ep_queue(fsg->ep0, fsg->ep0req, GFP_ATOMIC);
1095         if (rc != 0 && rc != -ESHUTDOWN) {
1096
1097                 /* We can't do much more than wait for a reset */
1098                 WARN(fsg, "error in submission: %s --> %d\n",
1099                                 fsg->ep0->name, rc);
1100         }
1101         return rc;
1102 }
1103
1104 static void ep0_complete(struct usb_ep *ep, struct usb_request *req)
1105 {
1106         struct fsg_dev          *fsg = ep->driver_data;
1107
1108         if (req->actual > 0)
1109                 dump_msg(fsg, fsg->ep0req_name, req->buf, req->actual);
1110         if (req->status || req->actual != req->length)
1111                 DBG(fsg, "%s --> %d, %u/%u\n", __FUNCTION__,
1112                                 req->status, req->actual, req->length);
1113         if (req->status == -ECONNRESET)         // Request was cancelled
1114                 usb_ep_fifo_flush(ep);
1115
1116         if (req->status == 0 && req->context)
1117                 ((fsg_routine_t) (req->context))(fsg);
1118 }
1119
1120
1121 /*-------------------------------------------------------------------------*/
1122
1123 /* Bulk and interrupt endpoint completion handlers.
1124  * These always run in_irq. */
1125
1126 static void bulk_in_complete(struct usb_ep *ep, struct usb_request *req)
1127 {
1128         struct fsg_dev          *fsg = ep->driver_data;
1129         struct fsg_buffhd       *bh = req->context;
1130
1131         if (req->status || req->actual != req->length)
1132                 DBG(fsg, "%s --> %d, %u/%u\n", __FUNCTION__,
1133                                 req->status, req->actual, req->length);
1134         if (req->status == -ECONNRESET)         // Request was cancelled
1135                 usb_ep_fifo_flush(ep);
1136
1137         /* Hold the lock while we update the request and buffer states */
1138         smp_wmb();
1139         spin_lock(&fsg->lock);
1140         bh->inreq_busy = 0;
1141         bh->state = BUF_STATE_EMPTY;
1142         wakeup_thread(fsg);
1143         spin_unlock(&fsg->lock);
1144 }
1145
1146 static void bulk_out_complete(struct usb_ep *ep, struct usb_request *req)
1147 {
1148         struct fsg_dev          *fsg = ep->driver_data;
1149         struct fsg_buffhd       *bh = req->context;
1150
1151         dump_msg(fsg, "bulk-out", req->buf, req->actual);
1152         if (req->status || req->actual != bh->bulk_out_intended_length)
1153                 DBG(fsg, "%s --> %d, %u/%u\n", __FUNCTION__,
1154                                 req->status, req->actual,
1155                                 bh->bulk_out_intended_length);
1156         if (req->status == -ECONNRESET)         // Request was cancelled
1157                 usb_ep_fifo_flush(ep);
1158
1159         /* Hold the lock while we update the request and buffer states */
1160         smp_wmb();
1161         spin_lock(&fsg->lock);
1162         bh->outreq_busy = 0;
1163         bh->state = BUF_STATE_FULL;
1164         wakeup_thread(fsg);
1165         spin_unlock(&fsg->lock);
1166 }
1167
1168
1169 #ifdef CONFIG_USB_FILE_STORAGE_TEST
1170 static void intr_in_complete(struct usb_ep *ep, struct usb_request *req)
1171 {
1172         struct fsg_dev          *fsg = ep->driver_data;
1173         struct fsg_buffhd       *bh = req->context;
1174
1175         if (req->status || req->actual != req->length)
1176                 DBG(fsg, "%s --> %d, %u/%u\n", __FUNCTION__,
1177                                 req->status, req->actual, req->length);
1178         if (req->status == -ECONNRESET)         // Request was cancelled
1179                 usb_ep_fifo_flush(ep);
1180
1181         /* Hold the lock while we update the request and buffer states */
1182         smp_wmb();
1183         spin_lock(&fsg->lock);
1184         fsg->intreq_busy = 0;
1185         bh->state = BUF_STATE_EMPTY;
1186         wakeup_thread(fsg);
1187         spin_unlock(&fsg->lock);
1188 }
1189
1190 #else
1191 static void intr_in_complete(struct usb_ep *ep, struct usb_request *req)
1192 {}
1193 #endif /* CONFIG_USB_FILE_STORAGE_TEST */
1194
1195
1196 /*-------------------------------------------------------------------------*/
1197
1198 /* Ep0 class-specific handlers.  These always run in_irq. */
1199
1200 #ifdef CONFIG_USB_FILE_STORAGE_TEST
1201 static void received_cbi_adsc(struct fsg_dev *fsg, struct fsg_buffhd *bh)
1202 {
1203         struct usb_request      *req = fsg->ep0req;
1204         static u8               cbi_reset_cmnd[6] = {
1205                         SC_SEND_DIAGNOSTIC, 4, 0xff, 0xff, 0xff, 0xff};
1206
1207         /* Error in command transfer? */
1208         if (req->status || req->length != req->actual ||
1209                         req->actual < 6 || req->actual > MAX_COMMAND_SIZE) {
1210
1211                 /* Not all controllers allow a protocol stall after
1212                  * receiving control-out data, but we'll try anyway. */
1213                 fsg_set_halt(fsg, fsg->ep0);
1214                 return;                 // Wait for reset
1215         }
1216
1217         /* Is it the special reset command? */
1218         if (req->actual >= sizeof cbi_reset_cmnd &&
1219                         memcmp(req->buf, cbi_reset_cmnd,
1220                                 sizeof cbi_reset_cmnd) == 0) {
1221
1222                 /* Raise an exception to stop the current operation
1223                  * and reinitialize our state. */
1224                 DBG(fsg, "cbi reset request\n");
1225                 raise_exception(fsg, FSG_STATE_RESET);
1226                 return;
1227         }
1228
1229         VDBG(fsg, "CB[I] accept device-specific command\n");
1230         spin_lock(&fsg->lock);
1231
1232         /* Save the command for later */
1233         if (fsg->cbbuf_cmnd_size)
1234                 WARN(fsg, "CB[I] overwriting previous command\n");
1235         fsg->cbbuf_cmnd_size = req->actual;
1236         memcpy(fsg->cbbuf_cmnd, req->buf, fsg->cbbuf_cmnd_size);
1237
1238         wakeup_thread(fsg);
1239         spin_unlock(&fsg->lock);
1240 }
1241
1242 #else
1243 static void received_cbi_adsc(struct fsg_dev *fsg, struct fsg_buffhd *bh)
1244 {}
1245 #endif /* CONFIG_USB_FILE_STORAGE_TEST */
1246
1247
1248 static int class_setup_req(struct fsg_dev *fsg,
1249                 const struct usb_ctrlrequest *ctrl)
1250 {
1251         struct usb_request      *req = fsg->ep0req;
1252         int                     value = -EOPNOTSUPP;
1253         u16                     w_index = le16_to_cpu(ctrl->wIndex);
1254         u16                     w_value = le16_to_cpu(ctrl->wValue);
1255         u16                     w_length = le16_to_cpu(ctrl->wLength);
1256
1257         if (!fsg->config)
1258                 return value;
1259
1260         /* Handle Bulk-only class-specific requests */
1261         if (transport_is_bbb()) {
1262                 switch (ctrl->bRequest) {
1263
1264                 case USB_BULK_RESET_REQUEST:
1265                         if (ctrl->bRequestType != (USB_DIR_OUT |
1266                                         USB_TYPE_CLASS | USB_RECIP_INTERFACE))
1267                                 break;
1268                         if (w_index != 0 || w_value != 0) {
1269                                 value = -EDOM;
1270                                 break;
1271                         }
1272
1273                         /* Raise an exception to stop the current operation
1274                          * and reinitialize our state. */
1275                         DBG(fsg, "bulk reset request\n");
1276                         raise_exception(fsg, FSG_STATE_RESET);
1277                         value = DELAYED_STATUS;
1278                         break;
1279
1280                 case USB_BULK_GET_MAX_LUN_REQUEST:
1281                         if (ctrl->bRequestType != (USB_DIR_IN |
1282                                         USB_TYPE_CLASS | USB_RECIP_INTERFACE))
1283                                 break;
1284                         if (w_index != 0 || w_value != 0) {
1285                                 value = -EDOM;
1286                                 break;
1287                         }
1288                         VDBG(fsg, "get max LUN\n");
1289                         *(u8 *) req->buf = fsg->nluns - 1;
1290                         value = 1;
1291                         break;
1292                 }
1293         }
1294
1295         /* Handle CBI class-specific requests */
1296         else {
1297                 switch (ctrl->bRequest) {
1298
1299                 case USB_CBI_ADSC_REQUEST:
1300                         if (ctrl->bRequestType != (USB_DIR_OUT |
1301                                         USB_TYPE_CLASS | USB_RECIP_INTERFACE))
1302                                 break;
1303                         if (w_index != 0 || w_value != 0) {
1304                                 value = -EDOM;
1305                                 break;
1306                         }
1307                         if (w_length > MAX_COMMAND_SIZE) {
1308                                 value = -EOVERFLOW;
1309                                 break;
1310                         }
1311                         value = w_length;
1312                         fsg->ep0req->context = received_cbi_adsc;
1313                         break;
1314                 }
1315         }
1316
1317         if (value == -EOPNOTSUPP)
1318                 VDBG(fsg,
1319                         "unknown class-specific control req "
1320                         "%02x.%02x v%04x i%04x l%u\n",
1321                         ctrl->bRequestType, ctrl->bRequest,
1322                         le16_to_cpu(ctrl->wValue), w_index, w_length);
1323         return value;
1324 }
1325
1326
1327 /*-------------------------------------------------------------------------*/
1328
1329 /* Ep0 standard request handlers.  These always run in_irq. */
1330
1331 static int standard_setup_req(struct fsg_dev *fsg,
1332                 const struct usb_ctrlrequest *ctrl)
1333 {
1334         struct usb_request      *req = fsg->ep0req;
1335         int                     value = -EOPNOTSUPP;
1336         u16                     w_index = le16_to_cpu(ctrl->wIndex);
1337         u16                     w_value = le16_to_cpu(ctrl->wValue);
1338
1339         /* Usually this just stores reply data in the pre-allocated ep0 buffer,
1340          * but config change events will also reconfigure hardware. */
1341         switch (ctrl->bRequest) {
1342
1343         case USB_REQ_GET_DESCRIPTOR:
1344                 if (ctrl->bRequestType != (USB_DIR_IN | USB_TYPE_STANDARD |
1345                                 USB_RECIP_DEVICE))
1346                         break;
1347                 switch (w_value >> 8) {
1348
1349                 case USB_DT_DEVICE:
1350                         VDBG(fsg, "get device descriptor\n");
1351                         value = sizeof device_desc;
1352                         memcpy(req->buf, &device_desc, value);
1353                         break;
1354                 case USB_DT_DEVICE_QUALIFIER:
1355                         VDBG(fsg, "get device qualifier\n");
1356                         if (!gadget_is_dualspeed(fsg->gadget))
1357                                 break;
1358                         value = sizeof dev_qualifier;
1359                         memcpy(req->buf, &dev_qualifier, value);
1360                         break;
1361
1362                 case USB_DT_OTHER_SPEED_CONFIG:
1363                         VDBG(fsg, "get other-speed config descriptor\n");
1364                         if (!gadget_is_dualspeed(fsg->gadget))
1365                                 break;
1366                         goto get_config;
1367                 case USB_DT_CONFIG:
1368                         VDBG(fsg, "get configuration descriptor\n");
1369 get_config:
1370                         value = populate_config_buf(fsg->gadget,
1371                                         req->buf,
1372                                         w_value >> 8,
1373                                         w_value & 0xff);
1374                         break;
1375
1376                 case USB_DT_STRING:
1377                         VDBG(fsg, "get string descriptor\n");
1378
1379                         /* wIndex == language code */
1380                         value = usb_gadget_get_string(&stringtab,
1381                                         w_value & 0xff, req->buf);
1382                         break;
1383                 }
1384                 break;
1385
1386         /* One config, two speeds */
1387         case USB_REQ_SET_CONFIGURATION:
1388                 if (ctrl->bRequestType != (USB_DIR_OUT | USB_TYPE_STANDARD |
1389                                 USB_RECIP_DEVICE))
1390                         break;
1391                 VDBG(fsg, "set configuration\n");
1392                 if (w_value == CONFIG_VALUE || w_value == 0) {
1393                         fsg->new_config = w_value;
1394
1395                         /* Raise an exception to wipe out previous transaction
1396                          * state (queued bufs, etc) and set the new config. */
1397                         raise_exception(fsg, FSG_STATE_CONFIG_CHANGE);
1398                         value = DELAYED_STATUS;
1399                 }
1400                 break;
1401         case USB_REQ_GET_CONFIGURATION:
1402                 if (ctrl->bRequestType != (USB_DIR_IN | USB_TYPE_STANDARD |
1403                                 USB_RECIP_DEVICE))
1404                         break;
1405                 VDBG(fsg, "get configuration\n");
1406                 *(u8 *) req->buf = fsg->config;
1407                 value = 1;
1408                 break;
1409
1410         case USB_REQ_SET_INTERFACE:
1411                 if (ctrl->bRequestType != (USB_DIR_OUT| USB_TYPE_STANDARD |
1412                                 USB_RECIP_INTERFACE))
1413                         break;
1414                 if (fsg->config && w_index == 0) {
1415
1416                         /* Raise an exception to wipe out previous transaction
1417                          * state (queued bufs, etc) and install the new
1418                          * interface altsetting. */
1419                         raise_exception(fsg, FSG_STATE_INTERFACE_CHANGE);
1420                         value = DELAYED_STATUS;
1421                 }
1422                 break;
1423         case USB_REQ_GET_INTERFACE:
1424                 if (ctrl->bRequestType != (USB_DIR_IN | USB_TYPE_STANDARD |
1425                                 USB_RECIP_INTERFACE))
1426                         break;
1427                 if (!fsg->config)
1428                         break;
1429                 if (w_index != 0) {
1430                         value = -EDOM;
1431                         break;
1432                 }
1433                 VDBG(fsg, "get interface\n");
1434                 *(u8 *) req->buf = 0;
1435                 value = 1;
1436                 break;
1437
1438         default:
1439                 VDBG(fsg,
1440                         "unknown control req %02x.%02x v%04x i%04x l%u\n",
1441                         ctrl->bRequestType, ctrl->bRequest,
1442                         w_value, w_index, le16_to_cpu(ctrl->wLength));
1443         }
1444
1445         return value;
1446 }
1447
1448
1449 static int fsg_setup(struct usb_gadget *gadget,
1450                 const struct usb_ctrlrequest *ctrl)
1451 {
1452         struct fsg_dev          *fsg = get_gadget_data(gadget);
1453         int                     rc;
1454         int                     w_length = le16_to_cpu(ctrl->wLength);
1455
1456         ++fsg->ep0_req_tag;             // Record arrival of a new request
1457         fsg->ep0req->context = NULL;
1458         fsg->ep0req->length = 0;
1459         dump_msg(fsg, "ep0-setup", (u8 *) ctrl, sizeof(*ctrl));
1460
1461         if ((ctrl->bRequestType & USB_TYPE_MASK) == USB_TYPE_CLASS)
1462                 rc = class_setup_req(fsg, ctrl);
1463         else
1464                 rc = standard_setup_req(fsg, ctrl);
1465
1466         /* Respond with data/status or defer until later? */
1467         if (rc >= 0 && rc != DELAYED_STATUS) {
1468                 rc = min(rc, w_length);
1469                 fsg->ep0req->length = rc;
1470                 fsg->ep0req->zero = rc < w_length;
1471                 fsg->ep0req_name = (ctrl->bRequestType & USB_DIR_IN ?
1472                                 "ep0-in" : "ep0-out");
1473                 rc = ep0_queue(fsg);
1474         }
1475
1476         /* Device either stalls (rc < 0) or reports success */
1477         return rc;
1478 }
1479
1480
1481 /*-------------------------------------------------------------------------*/
1482
1483 /* All the following routines run in process context */
1484
1485
1486 /* Use this for bulk or interrupt transfers, not ep0 */
1487 static void start_transfer(struct fsg_dev *fsg, struct usb_ep *ep,
1488                 struct usb_request *req, int *pbusy,
1489                 enum fsg_buffer_state *state)
1490 {
1491         int     rc;
1492
1493         if (ep == fsg->bulk_in)
1494                 dump_msg(fsg, "bulk-in", req->buf, req->length);
1495         else if (ep == fsg->intr_in)
1496                 dump_msg(fsg, "intr-in", req->buf, req->length);
1497
1498         spin_lock_irq(&fsg->lock);
1499         *pbusy = 1;
1500         *state = BUF_STATE_BUSY;
1501         spin_unlock_irq(&fsg->lock);
1502         rc = usb_ep_queue(ep, req, GFP_KERNEL);
1503         if (rc != 0) {
1504                 *pbusy = 0;
1505                 *state = BUF_STATE_EMPTY;
1506
1507                 /* We can't do much more than wait for a reset */
1508
1509                 /* Note: currently the net2280 driver fails zero-length
1510                  * submissions if DMA is enabled. */
1511                 if (rc != -ESHUTDOWN && !(rc == -EOPNOTSUPP &&
1512                                                 req->length == 0))
1513                         WARN(fsg, "error in submission: %s --> %d\n",
1514                                         ep->name, rc);
1515         }
1516 }
1517
1518
1519 static int sleep_thread(struct fsg_dev *fsg)
1520 {
1521         int     rc = 0;
1522
1523         /* Wait until a signal arrives or we are woken up */
1524         for (;;) {
1525                 try_to_freeze();
1526                 set_current_state(TASK_INTERRUPTIBLE);
1527                 if (signal_pending(current)) {
1528                         rc = -EINTR;
1529                         break;
1530                 }
1531                 if (fsg->thread_wakeup_needed)
1532                         break;
1533                 schedule();
1534         }
1535         __set_current_state(TASK_RUNNING);
1536         fsg->thread_wakeup_needed = 0;
1537         return rc;
1538 }
1539
1540
1541 /*-------------------------------------------------------------------------*/
1542
1543 static int do_read(struct fsg_dev *fsg)
1544 {
1545         struct lun              *curlun = fsg->curlun;
1546         u32                     lba;
1547         struct fsg_buffhd       *bh;
1548         int                     rc;
1549         u32                     amount_left;
1550         loff_t                  file_offset, file_offset_tmp;
1551         unsigned int            amount;
1552         unsigned int            partial_page;
1553         ssize_t                 nread;
1554
1555         /* Get the starting Logical Block Address and check that it's
1556          * not too big */
1557         if (fsg->cmnd[0] == SC_READ_6)
1558                 lba = (fsg->cmnd[1] << 16) | get_be16(&fsg->cmnd[2]);
1559         else {
1560                 lba = get_be32(&fsg->cmnd[2]);
1561
1562                 /* We allow DPO (Disable Page Out = don't save data in the
1563                  * cache) and FUA (Force Unit Access = don't read from the
1564                  * cache), but we don't implement them. */
1565                 if ((fsg->cmnd[1] & ~0x18) != 0) {
1566                         curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1567                         return -EINVAL;
1568                 }
1569         }
1570         if (lba >= curlun->num_sectors) {
1571                 curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
1572                 return -EINVAL;
1573         }
1574         file_offset = ((loff_t) lba) << 9;
1575
1576         /* Carry out the file reads */
1577         amount_left = fsg->data_size_from_cmnd;
1578         if (unlikely(amount_left == 0))
1579                 return -EIO;            // No default reply
1580
1581         for (;;) {
1582
1583                 /* Figure out how much we need to read:
1584                  * Try to read the remaining amount.
1585                  * But don't read more than the buffer size.
1586                  * And don't try to read past the end of the file.
1587                  * Finally, if we're not at a page boundary, don't read past
1588                  *      the next page.
1589                  * If this means reading 0 then we were asked to read past
1590                  *      the end of file. */
1591                 amount = min((unsigned int) amount_left, mod_data.buflen);
1592                 amount = min((loff_t) amount,
1593                                 curlun->file_length - file_offset);
1594                 partial_page = file_offset & (PAGE_CACHE_SIZE - 1);
1595                 if (partial_page > 0)
1596                         amount = min(amount, (unsigned int) PAGE_CACHE_SIZE -
1597                                         partial_page);
1598
1599                 /* Wait for the next buffer to become available */
1600                 bh = fsg->next_buffhd_to_fill;
1601                 while (bh->state != BUF_STATE_EMPTY) {
1602                         rc = sleep_thread(fsg);
1603                         if (rc)
1604                                 return rc;
1605                 }
1606
1607                 /* If we were asked to read past the end of file,
1608                  * end with an empty buffer. */
1609                 if (amount == 0) {
1610                         curlun->sense_data =
1611                                         SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
1612                         curlun->sense_data_info = file_offset >> 9;
1613                         curlun->info_valid = 1;
1614                         bh->inreq->length = 0;
1615                         bh->state = BUF_STATE_FULL;
1616                         break;
1617                 }
1618
1619                 /* Perform the read */
1620                 file_offset_tmp = file_offset;
1621                 nread = vfs_read(curlun->filp,
1622                                 (char __user *) bh->buf,
1623                                 amount, &file_offset_tmp);
1624                 VLDBG(curlun, "file read %u @ %llu -> %d\n", amount,
1625                                 (unsigned long long) file_offset,
1626                                 (int) nread);
1627                 if (signal_pending(current))
1628                         return -EINTR;
1629
1630                 if (nread < 0) {
1631                         LDBG(curlun, "error in file read: %d\n",
1632                                         (int) nread);
1633                         nread = 0;
1634                 } else if (nread < amount) {
1635                         LDBG(curlun, "partial file read: %d/%u\n",
1636                                         (int) nread, amount);
1637                         nread -= (nread & 511); // Round down to a block
1638                 }
1639                 file_offset  += nread;
1640                 amount_left  -= nread;
1641                 fsg->residue -= nread;
1642                 bh->inreq->length = nread;
1643                 bh->state = BUF_STATE_FULL;
1644
1645                 /* If an error occurred, report it and its position */
1646                 if (nread < amount) {
1647                         curlun->sense_data = SS_UNRECOVERED_READ_ERROR;
1648                         curlun->sense_data_info = file_offset >> 9;
1649                         curlun->info_valid = 1;
1650                         break;
1651                 }
1652
1653                 if (amount_left == 0)
1654                         break;          // No more left to read
1655
1656                 /* Send this buffer and go read some more */
1657                 bh->inreq->zero = 0;
1658                 start_transfer(fsg, fsg->bulk_in, bh->inreq,
1659                                 &bh->inreq_busy, &bh->state);
1660                 fsg->next_buffhd_to_fill = bh->next;
1661         }
1662
1663         return -EIO;            // No default reply
1664 }
1665
1666
1667 /*-------------------------------------------------------------------------*/
1668
1669 static int do_write(struct fsg_dev *fsg)
1670 {
1671         struct lun              *curlun = fsg->curlun;
1672         u32                     lba;
1673         struct fsg_buffhd       *bh;
1674         int                     get_some_more;
1675         u32                     amount_left_to_req, amount_left_to_write;
1676         loff_t                  usb_offset, file_offset, file_offset_tmp;
1677         unsigned int            amount;
1678         unsigned int            partial_page;
1679         ssize_t                 nwritten;
1680         int                     rc;
1681
1682         if (curlun->ro) {
1683                 curlun->sense_data = SS_WRITE_PROTECTED;
1684                 return -EINVAL;
1685         }
1686         curlun->filp->f_flags &= ~O_SYNC;       // Default is not to wait
1687
1688         /* Get the starting Logical Block Address and check that it's
1689          * not too big */
1690         if (fsg->cmnd[0] == SC_WRITE_6)
1691                 lba = (fsg->cmnd[1] << 16) | get_be16(&fsg->cmnd[2]);
1692         else {
1693                 lba = get_be32(&fsg->cmnd[2]);
1694
1695                 /* We allow DPO (Disable Page Out = don't save data in the
1696                  * cache) and FUA (Force Unit Access = write directly to the
1697                  * medium).  We don't implement DPO; we implement FUA by
1698                  * performing synchronous output. */
1699                 if ((fsg->cmnd[1] & ~0x18) != 0) {
1700                         curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1701                         return -EINVAL;
1702                 }
1703                 if (fsg->cmnd[1] & 0x08)        // FUA
1704                         curlun->filp->f_flags |= O_SYNC;
1705         }
1706         if (lba >= curlun->num_sectors) {
1707                 curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
1708                 return -EINVAL;
1709         }
1710
1711         /* Carry out the file writes */
1712         get_some_more = 1;
1713         file_offset = usb_offset = ((loff_t) lba) << 9;
1714         amount_left_to_req = amount_left_to_write = fsg->data_size_from_cmnd;
1715
1716         while (amount_left_to_write > 0) {
1717
1718                 /* Queue a request for more data from the host */
1719                 bh = fsg->next_buffhd_to_fill;
1720                 if (bh->state == BUF_STATE_EMPTY && get_some_more) {
1721
1722                         /* Figure out how much we want to get:
1723                          * Try to get the remaining amount.
1724                          * But don't get more than the buffer size.
1725                          * And don't try to go past the end of the file.
1726                          * If we're not at a page boundary,
1727                          *      don't go past the next page.
1728                          * If this means getting 0, then we were asked
1729                          *      to write past the end of file.
1730                          * Finally, round down to a block boundary. */
1731                         amount = min(amount_left_to_req, mod_data.buflen);
1732                         amount = min((loff_t) amount, curlun->file_length -
1733                                         usb_offset);
1734                         partial_page = usb_offset & (PAGE_CACHE_SIZE - 1);
1735                         if (partial_page > 0)
1736                                 amount = min(amount,
1737         (unsigned int) PAGE_CACHE_SIZE - partial_page);
1738
1739                         if (amount == 0) {
1740                                 get_some_more = 0;
1741                                 curlun->sense_data =
1742                                         SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
1743                                 curlun->sense_data_info = usb_offset >> 9;
1744                                 curlun->info_valid = 1;
1745                                 continue;
1746                         }
1747                         amount -= (amount & 511);
1748                         if (amount == 0) {
1749
1750                                 /* Why were we were asked to transfer a
1751                                  * partial block? */
1752                                 get_some_more = 0;
1753                                 continue;
1754                         }
1755
1756                         /* Get the next buffer */
1757                         usb_offset += amount;
1758                         fsg->usb_amount_left -= amount;
1759                         amount_left_to_req -= amount;
1760                         if (amount_left_to_req == 0)
1761                                 get_some_more = 0;
1762
1763                         /* amount is always divisible by 512, hence by
1764                          * the bulk-out maxpacket size */
1765                         bh->outreq->length = bh->bulk_out_intended_length =
1766                                         amount;
1767                         bh->outreq->short_not_ok = 1;
1768                         start_transfer(fsg, fsg->bulk_out, bh->outreq,
1769                                         &bh->outreq_busy, &bh->state);
1770                         fsg->next_buffhd_to_fill = bh->next;
1771                         continue;
1772                 }
1773
1774                 /* Write the received data to the backing file */
1775                 bh = fsg->next_buffhd_to_drain;
1776                 if (bh->state == BUF_STATE_EMPTY && !get_some_more)
1777                         break;                  // We stopped early
1778                 if (bh->state == BUF_STATE_FULL) {
1779                         smp_rmb();
1780                         fsg->next_buffhd_to_drain = bh->next;
1781                         bh->state = BUF_STATE_EMPTY;
1782
1783                         /* Did something go wrong with the transfer? */
1784                         if (bh->outreq->status != 0) {
1785                                 curlun->sense_data = SS_COMMUNICATION_FAILURE;
1786                                 curlun->sense_data_info = file_offset >> 9;
1787                                 curlun->info_valid = 1;
1788                                 break;
1789                         }
1790
1791                         amount = bh->outreq->actual;
1792                         if (curlun->file_length - file_offset < amount) {
1793                                 LERROR(curlun,
1794         "write %u @ %llu beyond end %llu\n",
1795         amount, (unsigned long long) file_offset,
1796         (unsigned long long) curlun->file_length);
1797                                 amount = curlun->file_length - file_offset;
1798                         }
1799
1800                         /* Perform the write */
1801                         file_offset_tmp = file_offset;
1802                         nwritten = vfs_write(curlun->filp,
1803                                         (char __user *) bh->buf,
1804                                         amount, &file_offset_tmp);
1805                         VLDBG(curlun, "file write %u @ %llu -> %d\n", amount,
1806                                         (unsigned long long) file_offset,
1807                                         (int) nwritten);
1808                         if (signal_pending(current))
1809                                 return -EINTR;          // Interrupted!
1810
1811                         if (nwritten < 0) {
1812                                 LDBG(curlun, "error in file write: %d\n",
1813                                                 (int) nwritten);
1814                                 nwritten = 0;
1815                         } else if (nwritten < amount) {
1816                                 LDBG(curlun, "partial file write: %d/%u\n",
1817                                                 (int) nwritten, amount);
1818                                 nwritten -= (nwritten & 511);
1819                                                 // Round down to a block
1820                         }
1821                         file_offset += nwritten;
1822                         amount_left_to_write -= nwritten;
1823                         fsg->residue -= nwritten;
1824
1825                         /* If an error occurred, report it and its position */
1826                         if (nwritten < amount) {
1827                                 curlun->sense_data = SS_WRITE_ERROR;
1828                                 curlun->sense_data_info = file_offset >> 9;
1829                                 curlun->info_valid = 1;
1830                                 break;
1831                         }
1832
1833                         /* Did the host decide to stop early? */
1834                         if (bh->outreq->actual != bh->outreq->length) {
1835                                 fsg->short_packet_received = 1;
1836                                 break;
1837                         }
1838                         continue;
1839                 }
1840
1841                 /* Wait for something to happen */
1842                 rc = sleep_thread(fsg);
1843                 if (rc)
1844                         return rc;
1845         }
1846
1847         return -EIO;            // No default reply
1848 }
1849
1850
1851 /*-------------------------------------------------------------------------*/
1852
1853 /* Sync the file data, don't bother with the metadata.
1854  * This code was copied from fs/buffer.c:sys_fdatasync(). */
1855 static int fsync_sub(struct lun *curlun)
1856 {
1857         struct file     *filp = curlun->filp;
1858         struct inode    *inode;
1859         int             rc, err;
1860
1861         if (curlun->ro || !filp)
1862                 return 0;
1863         if (!filp->f_op->fsync)
1864                 return -EINVAL;
1865
1866         inode = filp->f_path.dentry->d_inode;
1867         mutex_lock(&inode->i_mutex);
1868         rc = filemap_fdatawrite(inode->i_mapping);
1869         err = filp->f_op->fsync(filp, filp->f_path.dentry, 1);
1870         if (!rc)
1871                 rc = err;
1872         err = filemap_fdatawait(inode->i_mapping);
1873         if (!rc)
1874                 rc = err;
1875         mutex_unlock(&inode->i_mutex);
1876         VLDBG(curlun, "fdatasync -> %d\n", rc);
1877         return rc;
1878 }
1879
1880 static void fsync_all(struct fsg_dev *fsg)
1881 {
1882         int     i;
1883
1884         for (i = 0; i < fsg->nluns; ++i)
1885                 fsync_sub(&fsg->luns[i]);
1886 }
1887
1888 static int do_synchronize_cache(struct fsg_dev *fsg)
1889 {
1890         struct lun      *curlun = fsg->curlun;
1891         int             rc;
1892
1893         /* We ignore the requested LBA and write out all file's
1894          * dirty data buffers. */
1895         rc = fsync_sub(curlun);
1896         if (rc)
1897                 curlun->sense_data = SS_WRITE_ERROR;
1898         return 0;
1899 }
1900
1901
1902 /*-------------------------------------------------------------------------*/
1903
1904 static void invalidate_sub(struct lun *curlun)
1905 {
1906         struct file     *filp = curlun->filp;
1907         struct inode    *inode = filp->f_path.dentry->d_inode;
1908         unsigned long   rc;
1909
1910         rc = invalidate_mapping_pages(inode->i_mapping, 0, -1);
1911         VLDBG(curlun, "invalidate_inode_pages -> %ld\n", rc);
1912 }
1913
1914 static int do_verify(struct fsg_dev *fsg)
1915 {
1916         struct lun              *curlun = fsg->curlun;
1917         u32                     lba;
1918         u32                     verification_length;
1919         struct fsg_buffhd       *bh = fsg->next_buffhd_to_fill;
1920         loff_t                  file_offset, file_offset_tmp;
1921         u32                     amount_left;
1922         unsigned int            amount;
1923         ssize_t                 nread;
1924
1925         /* Get the starting Logical Block Address and check that it's
1926          * not too big */
1927         lba = get_be32(&fsg->cmnd[2]);
1928         if (lba >= curlun->num_sectors) {
1929                 curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
1930                 return -EINVAL;
1931         }
1932
1933         /* We allow DPO (Disable Page Out = don't save data in the
1934          * cache) but we don't implement it. */
1935         if ((fsg->cmnd[1] & ~0x10) != 0) {
1936                 curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1937                 return -EINVAL;
1938         }
1939
1940         verification_length = get_be16(&fsg->cmnd[7]);
1941         if (unlikely(verification_length == 0))
1942                 return -EIO;            // No default reply
1943
1944         /* Prepare to carry out the file verify */
1945         amount_left = verification_length << 9;
1946         file_offset = ((loff_t) lba) << 9;
1947
1948         /* Write out all the dirty buffers before invalidating them */
1949         fsync_sub(curlun);
1950         if (signal_pending(current))
1951                 return -EINTR;
1952
1953         invalidate_sub(curlun);
1954         if (signal_pending(current))
1955                 return -EINTR;
1956
1957         /* Just try to read the requested blocks */
1958         while (amount_left > 0) {
1959
1960                 /* Figure out how much we need to read:
1961                  * Try to read the remaining amount, but not more than
1962                  * the buffer size.
1963                  * And don't try to read past the end of the file.
1964                  * If this means reading 0 then we were asked to read
1965                  * past the end of file. */
1966                 amount = min((unsigned int) amount_left, mod_data.buflen);
1967                 amount = min((loff_t) amount,
1968                                 curlun->file_length - file_offset);
1969                 if (amount == 0) {
1970                         curlun->sense_data =
1971                                         SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
1972                         curlun->sense_data_info = file_offset >> 9;
1973                         curlun->info_valid = 1;
1974                         break;
1975                 }
1976
1977                 /* Perform the read */
1978                 file_offset_tmp = file_offset;
1979                 nread = vfs_read(curlun->filp,
1980                                 (char __user *) bh->buf,
1981                                 amount, &file_offset_tmp);
1982                 VLDBG(curlun, "file read %u @ %llu -> %d\n", amount,
1983                                 (unsigned long long) file_offset,
1984                                 (int) nread);
1985                 if (signal_pending(current))
1986                         return -EINTR;
1987
1988                 if (nread < 0) {
1989                         LDBG(curlun, "error in file verify: %d\n",
1990                                         (int) nread);
1991                         nread = 0;
1992                 } else if (nread < amount) {
1993                         LDBG(curlun, "partial file verify: %d/%u\n",
1994                                         (int) nread, amount);
1995                         nread -= (nread & 511); // Round down to a sector
1996                 }
1997                 if (nread == 0) {
1998                         curlun->sense_data = SS_UNRECOVERED_READ_ERROR;
1999                         curlun->sense_data_info = file_offset >> 9;
2000                         curlun->info_valid = 1;
2001                         break;
2002                 }
2003                 file_offset += nread;
2004                 amount_left -= nread;
2005         }
2006         return 0;
2007 }
2008
2009
2010 /*-------------------------------------------------------------------------*/
2011
2012 static int do_inquiry(struct fsg_dev *fsg, struct fsg_buffhd *bh)
2013 {
2014         u8      *buf = (u8 *) bh->buf;
2015
2016         static char vendor_id[] = "Linux   ";
2017         static char product_id[] = "File-Stor Gadget";
2018
2019         if (!fsg->curlun) {             // Unsupported LUNs are okay
2020                 fsg->bad_lun_okay = 1;
2021                 memset(buf, 0, 36);
2022                 buf[0] = 0x7f;          // Unsupported, no device-type
2023                 return 36;
2024         }
2025
2026         memset(buf, 0, 8);      // Non-removable, direct-access device
2027         if (mod_data.removable)
2028                 buf[1] = 0x80;
2029         buf[2] = 2;             // ANSI SCSI level 2
2030         buf[3] = 2;             // SCSI-2 INQUIRY data format
2031         buf[4] = 31;            // Additional length
2032                                 // No special options
2033         sprintf(buf + 8, "%-8s%-16s%04x", vendor_id, product_id,
2034                         mod_data.release);
2035         return 36;
2036 }
2037
2038
2039 static int do_request_sense(struct fsg_dev *fsg, struct fsg_buffhd *bh)
2040 {
2041         struct lun      *curlun = fsg->curlun;
2042         u8              *buf = (u8 *) bh->buf;
2043         u32             sd, sdinfo;
2044         int             valid;
2045
2046         /*
2047          * From the SCSI-2 spec., section 7.9 (Unit attention condition):
2048          *
2049          * If a REQUEST SENSE command is received from an initiator
2050          * with a pending unit attention condition (before the target
2051          * generates the contingent allegiance condition), then the
2052          * target shall either:
2053          *   a) report any pending sense data and preserve the unit
2054          *      attention condition on the logical unit, or,
2055          *   b) report the unit attention condition, may discard any
2056          *      pending sense data, and clear the unit attention
2057          *      condition on the logical unit for that initiator.
2058          *
2059          * FSG normally uses option a); enable this code to use option b).
2060          */
2061 #if 0
2062         if (curlun && curlun->unit_attention_data != SS_NO_SENSE) {
2063                 curlun->sense_data = curlun->unit_attention_data;
2064                 curlun->unit_attention_data = SS_NO_SENSE;
2065         }
2066 #endif
2067
2068         if (!curlun) {          // Unsupported LUNs are okay
2069                 fsg->bad_lun_okay = 1;
2070                 sd = SS_LOGICAL_UNIT_NOT_SUPPORTED;
2071                 sdinfo = 0;
2072                 valid = 0;
2073         } else {
2074                 sd = curlun->sense_data;
2075                 sdinfo = curlun->sense_data_info;
2076                 valid = curlun->info_valid << 7;
2077                 curlun->sense_data = SS_NO_SENSE;
2078                 curlun->sense_data_info = 0;
2079                 curlun->info_valid = 0;
2080         }
2081
2082         memset(buf, 0, 18);
2083         buf[0] = valid | 0x70;                  // Valid, current error
2084         buf[2] = SK(sd);
2085         put_be32(&buf[3], sdinfo);              // Sense information
2086         buf[7] = 18 - 8;                        // Additional sense length
2087         buf[12] = ASC(sd);
2088         buf[13] = ASCQ(sd);
2089         return 18;
2090 }
2091
2092
2093 static int do_read_capacity(struct fsg_dev *fsg, struct fsg_buffhd *bh)
2094 {
2095         struct lun      *curlun = fsg->curlun;
2096         u32             lba = get_be32(&fsg->cmnd[2]);
2097         int             pmi = fsg->cmnd[8];
2098         u8              *buf = (u8 *) bh->buf;
2099
2100         /* Check the PMI and LBA fields */
2101         if (pmi > 1 || (pmi == 0 && lba != 0)) {
2102                 curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
2103                 return -EINVAL;
2104         }
2105
2106         put_be32(&buf[0], curlun->num_sectors - 1);     // Max logical block
2107         put_be32(&buf[4], 512);                         // Block length
2108         return 8;
2109 }
2110
2111
2112 static int do_mode_sense(struct fsg_dev *fsg, struct fsg_buffhd *bh)
2113 {
2114         struct lun      *curlun = fsg->curlun;
2115         int             mscmnd = fsg->cmnd[0];
2116         u8              *buf = (u8 *) bh->buf;
2117         u8              *buf0 = buf;
2118         int             pc, page_code;
2119         int             changeable_values, all_pages;
2120         int             valid_page = 0;
2121         int             len, limit;
2122
2123         if ((fsg->cmnd[1] & ~0x08) != 0) {              // Mask away DBD
2124                 curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
2125                 return -EINVAL;
2126         }
2127         pc = fsg->cmnd[2] >> 6;
2128         page_code = fsg->cmnd[2] & 0x3f;
2129         if (pc == 3) {
2130                 curlun->sense_data = SS_SAVING_PARAMETERS_NOT_SUPPORTED;
2131                 return -EINVAL;
2132         }
2133         changeable_values = (pc == 1);
2134         all_pages = (page_code == 0x3f);
2135
2136         /* Write the mode parameter header.  Fixed values are: default
2137          * medium type, no cache control (DPOFUA), and no block descriptors.
2138          * The only variable value is the WriteProtect bit.  We will fill in
2139          * the mode data length later. */
2140         memset(buf, 0, 8);
2141         if (mscmnd == SC_MODE_SENSE_6) {
2142                 buf[2] = (curlun->ro ? 0x80 : 0x00);            // WP, DPOFUA
2143                 buf += 4;
2144                 limit = 255;
2145         } else {                        // SC_MODE_SENSE_10
2146                 buf[3] = (curlun->ro ? 0x80 : 0x00);            // WP, DPOFUA
2147                 buf += 8;
2148                 limit = 65535;          // Should really be mod_data.buflen
2149         }
2150
2151         /* No block descriptors */
2152
2153         /* The mode pages, in numerical order.  The only page we support
2154          * is the Caching page. */
2155         if (page_code == 0x08 || all_pages) {
2156                 valid_page = 1;
2157                 buf[0] = 0x08;          // Page code
2158                 buf[1] = 10;            // Page length
2159                 memset(buf+2, 0, 10);   // None of the fields are changeable
2160
2161                 if (!changeable_values) {
2162                         buf[2] = 0x04;  // Write cache enable,
2163                                         // Read cache not disabled
2164                                         // No cache retention priorities
2165                         put_be16(&buf[4], 0xffff);  // Don't disable prefetch
2166                                         // Minimum prefetch = 0
2167                         put_be16(&buf[8], 0xffff);  // Maximum prefetch
2168                         put_be16(&buf[10], 0xffff); // Maximum prefetch ceiling
2169                 }
2170                 buf += 12;
2171         }
2172
2173         /* Check that a valid page was requested and the mode data length
2174          * isn't too long. */
2175         len = buf - buf0;
2176         if (!valid_page || len > limit) {
2177                 curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
2178                 return -EINVAL;
2179         }
2180
2181         /*  Store the mode data length */
2182         if (mscmnd == SC_MODE_SENSE_6)
2183                 buf0[0] = len - 1;
2184         else
2185                 put_be16(buf0, len - 2);
2186         return len;
2187 }
2188
2189
2190 static int do_start_stop(struct fsg_dev *fsg)
2191 {
2192         struct lun      *curlun = fsg->curlun;
2193         int             loej, start;
2194
2195         if (!mod_data.removable) {
2196                 curlun->sense_data = SS_INVALID_COMMAND;
2197                 return -EINVAL;
2198         }
2199
2200         // int immed = fsg->cmnd[1] & 0x01;
2201         loej = fsg->cmnd[4] & 0x02;
2202         start = fsg->cmnd[4] & 0x01;
2203
2204 #ifdef CONFIG_USB_FILE_STORAGE_TEST
2205         if ((fsg->cmnd[1] & ~0x01) != 0 ||              // Mask away Immed
2206                         (fsg->cmnd[4] & ~0x03) != 0) {  // Mask LoEj, Start
2207                 curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
2208                 return -EINVAL;
2209         }
2210
2211         if (!start) {
2212
2213                 /* Are we allowed to unload the media? */
2214                 if (curlun->prevent_medium_removal) {
2215                         LDBG(curlun, "unload attempt prevented\n");
2216                         curlun->sense_data = SS_MEDIUM_REMOVAL_PREVENTED;
2217                         return -EINVAL;
2218                 }
2219                 if (loej) {             // Simulate an unload/eject
2220                         up_read(&fsg->filesem);
2221                         down_write(&fsg->filesem);
2222                         close_backing_file(curlun);
2223                         up_write(&fsg->filesem);
2224                         down_read(&fsg->filesem);
2225                 }
2226         } else {
2227
2228                 /* Our emulation doesn't support mounting; the medium is
2229                  * available for use as soon as it is loaded. */
2230                 if (!backing_file_is_open(curlun)) {
2231                         curlun->sense_data = SS_MEDIUM_NOT_PRESENT;
2232                         return -EINVAL;
2233                 }
2234         }
2235 #endif
2236         return 0;
2237 }
2238
2239
2240 static int do_prevent_allow(struct fsg_dev *fsg)
2241 {
2242         struct lun      *curlun = fsg->curlun;
2243         int             prevent;
2244
2245         if (!mod_data.removable) {
2246                 curlun->sense_data = SS_INVALID_COMMAND;
2247                 return -EINVAL;
2248         }
2249
2250         prevent = fsg->cmnd[4] & 0x01;
2251         if ((fsg->cmnd[4] & ~0x01) != 0) {              // Mask away Prevent
2252                 curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
2253                 return -EINVAL;
2254         }
2255
2256         if (curlun->prevent_medium_removal && !prevent)
2257                 fsync_sub(curlun);
2258         curlun->prevent_medium_removal = prevent;
2259         return 0;
2260 }
2261
2262
2263 static int do_read_format_capacities(struct fsg_dev *fsg,
2264                         struct fsg_buffhd *bh)
2265 {
2266         struct lun      *curlun = fsg->curlun;
2267         u8              *buf = (u8 *) bh->buf;
2268
2269         buf[0] = buf[1] = buf[2] = 0;
2270         buf[3] = 8;             // Only the Current/Maximum Capacity Descriptor
2271         buf += 4;
2272
2273         put_be32(&buf[0], curlun->num_sectors);         // Number of blocks
2274         put_be32(&buf[4], 512);                         // Block length
2275         buf[4] = 0x02;                                  // Current capacity
2276         return 12;
2277 }
2278
2279
2280 static int do_mode_select(struct fsg_dev *fsg, struct fsg_buffhd *bh)
2281 {
2282         struct lun      *curlun = fsg->curlun;
2283
2284         /* We don't support MODE SELECT */
2285         curlun->sense_data = SS_INVALID_COMMAND;
2286         return -EINVAL;
2287 }
2288
2289
2290 /*-------------------------------------------------------------------------*/
2291
2292 static int halt_bulk_in_endpoint(struct fsg_dev *fsg)
2293 {
2294         int     rc;
2295
2296         rc = fsg_set_halt(fsg, fsg->bulk_in);
2297         if (rc == -EAGAIN)
2298                 VDBG(fsg, "delayed bulk-in endpoint halt\n");
2299         while (rc != 0) {
2300                 if (rc != -EAGAIN) {
2301                         WARN(fsg, "usb_ep_set_halt -> %d\n", rc);
2302                         rc = 0;
2303                         break;
2304                 }
2305
2306                 /* Wait for a short time and then try again */
2307                 if (msleep_interruptible(100) != 0)
2308                         return -EINTR;
2309                 rc = usb_ep_set_halt(fsg->bulk_in);
2310         }
2311         return rc;
2312 }
2313
2314 static int pad_with_zeros(struct fsg_dev *fsg)
2315 {
2316         struct fsg_buffhd       *bh = fsg->next_buffhd_to_fill;
2317         u32                     nkeep = bh->inreq->length;
2318         u32                     nsend;
2319         int                     rc;
2320
2321         bh->state = BUF_STATE_EMPTY;            // For the first iteration
2322         fsg->usb_amount_left = nkeep + fsg->residue;
2323         while (fsg->usb_amount_left > 0) {
2324
2325                 /* Wait for the next buffer to be free */
2326                 while (bh->state != BUF_STATE_EMPTY) {
2327                         rc = sleep_thread(fsg);
2328                         if (rc)
2329                                 return rc;
2330                 }
2331
2332                 nsend = min(fsg->usb_amount_left, (u32) mod_data.buflen);
2333                 memset(bh->buf + nkeep, 0, nsend - nkeep);
2334                 bh->inreq->length = nsend;
2335                 bh->inreq->zero = 0;
2336                 start_transfer(fsg, fsg->bulk_in, bh->inreq,
2337                                 &bh->inreq_busy, &bh->state);
2338                 bh = fsg->next_buffhd_to_fill = bh->next;
2339                 fsg->usb_amount_left -= nsend;
2340                 nkeep = 0;
2341         }
2342         return 0;
2343 }
2344
2345 static int throw_away_data(struct fsg_dev *fsg)
2346 {
2347         struct fsg_buffhd       *bh;
2348         u32                     amount;
2349         int                     rc;
2350
2351         while ((bh = fsg->next_buffhd_to_drain)->state != BUF_STATE_EMPTY ||
2352                         fsg->usb_amount_left > 0) {
2353
2354                 /* Throw away the data in a filled buffer */
2355                 if (bh->state == BUF_STATE_FULL) {
2356                         smp_rmb();
2357                         bh->state = BUF_STATE_EMPTY;
2358                         fsg->next_buffhd_to_drain = bh->next;
2359
2360                         /* A short packet or an error ends everything */
2361                         if (bh->outreq->actual != bh->outreq->length ||
2362                                         bh->outreq->status != 0) {
2363                                 raise_exception(fsg, FSG_STATE_ABORT_BULK_OUT);
2364                                 return -EINTR;
2365                         }
2366                         continue;
2367                 }
2368
2369                 /* Try to submit another request if we need one */
2370                 bh = fsg->next_buffhd_to_fill;
2371                 if (bh->state == BUF_STATE_EMPTY && fsg->usb_amount_left > 0) {
2372                         amount = min(fsg->usb_amount_left,
2373                                         (u32) mod_data.buflen);
2374
2375                         /* amount is always divisible by 512, hence by
2376                          * the bulk-out maxpacket size */
2377                         bh->outreq->length = bh->bulk_out_intended_length =
2378                                         amount;
2379                         bh->outreq->short_not_ok = 1;
2380                         start_transfer(fsg, fsg->bulk_out, bh->outreq,
2381                                         &bh->outreq_busy, &bh->state);
2382                         fsg->next_buffhd_to_fill = bh->next;
2383                         fsg->usb_amount_left -= amount;
2384                         continue;
2385                 }
2386
2387                 /* Otherwise wait for something to happen */
2388                 rc = sleep_thread(fsg);
2389                 if (rc)
2390                         return rc;
2391         }
2392         return 0;
2393 }
2394
2395
2396 static int finish_reply(struct fsg_dev *fsg)
2397 {
2398         struct fsg_buffhd       *bh = fsg->next_buffhd_to_fill;
2399         int                     rc = 0;
2400
2401         switch (fsg->data_dir) {
2402         case DATA_DIR_NONE:
2403                 break;                  // Nothing to send
2404
2405         /* If we don't know whether the host wants to read or write,
2406          * this must be CB or CBI with an unknown command.  We mustn't
2407          * try to send or receive any data.  So stall both bulk pipes
2408          * if we can and wait for a reset. */
2409         case DATA_DIR_UNKNOWN:
2410                 if (mod_data.can_stall) {
2411                         fsg_set_halt(fsg, fsg->bulk_out);
2412                         rc = halt_bulk_in_endpoint(fsg);
2413                 }
2414                 break;
2415
2416         /* All but the last buffer of data must have already been sent */
2417         case DATA_DIR_TO_HOST:
2418                 if (fsg->data_size == 0)
2419                         ;               // Nothing to send
2420
2421                 /* If there's no residue, simply send the last buffer */
2422                 else if (fsg->residue == 0) {
2423                         bh->inreq->zero = 0;
2424                         start_transfer(fsg, fsg->bulk_in, bh->inreq,
2425                                         &bh->inreq_busy, &bh->state);
2426                         fsg->next_buffhd_to_fill = bh->next;
2427                 }
2428
2429                 /* There is a residue.  For CB and CBI, simply mark the end
2430                  * of the data with a short packet.  However, if we are
2431                  * allowed to stall, there was no data at all (residue ==
2432                  * data_size), and the command failed (invalid LUN or
2433                  * sense data is set), then halt the bulk-in endpoint
2434                  * instead. */
2435                 else if (!transport_is_bbb()) {
2436                         if (mod_data.can_stall &&
2437                                         fsg->residue == fsg->data_size &&
2438         (!fsg->curlun || fsg->curlun->sense_data != SS_NO_SENSE)) {
2439                                 bh->state = BUF_STATE_EMPTY;
2440                                 rc = halt_bulk_in_endpoint(fsg);
2441                         } else {
2442                                 bh->inreq->zero = 1;
2443                                 start_transfer(fsg, fsg->bulk_in, bh->inreq,
2444                                                 &bh->inreq_busy, &bh->state);
2445                                 fsg->next_buffhd_to_fill = bh->next;
2446                         }
2447                 }
2448
2449                 /* For Bulk-only, if we're allowed to stall then send the
2450                  * short packet and halt the bulk-in endpoint.  If we can't
2451                  * stall, pad out the remaining data with 0's. */
2452                 else {
2453                         if (mod_data.can_stall) {
2454                                 bh->inreq->zero = 1;
2455                                 start_transfer(fsg, fsg->bulk_in, bh->inreq,
2456                                                 &bh->inreq_busy, &bh->state);
2457                                 fsg->next_buffhd_to_fill = bh->next;
2458                                 rc = halt_bulk_in_endpoint(fsg);
2459                         } else
2460                                 rc = pad_with_zeros(fsg);
2461                 }
2462                 break;
2463
2464         /* We have processed all we want from the data the host has sent.
2465          * There may still be outstanding bulk-out requests. */
2466         case DATA_DIR_FROM_HOST:
2467                 if (fsg->residue == 0)
2468                         ;               // Nothing to receive
2469
2470                 /* Did the host stop sending unexpectedly early? */
2471                 else if (fsg->short_packet_received) {
2472                         raise_exception(fsg, FSG_STATE_ABORT_BULK_OUT);
2473                         rc = -EINTR;
2474                 }
2475
2476                 /* We haven't processed all the incoming data.  Even though
2477                  * we may be allowed to stall, doing so would cause a race.
2478                  * The controller may already have ACK'ed all the remaining
2479                  * bulk-out packets, in which case the host wouldn't see a
2480                  * STALL.  Not realizing the endpoint was halted, it wouldn't
2481                  * clear the halt -- leading to problems later on. */
2482 #if 0
2483                 else if (mod_data.can_stall) {
2484                         fsg_set_halt(fsg, fsg->bulk_out);
2485                         raise_exception(fsg, FSG_STATE_ABORT_BULK_OUT);
2486                         rc = -EINTR;
2487                 }
2488 #endif
2489
2490                 /* We can't stall.  Read in the excess data and throw it
2491                  * all away. */
2492                 else
2493                         rc = throw_away_data(fsg);
2494                 break;
2495         }
2496         return rc;
2497 }
2498
2499
2500 static int send_status(struct fsg_dev *fsg)
2501 {
2502         struct lun              *curlun = fsg->curlun;
2503         struct fsg_buffhd       *bh;
2504         int                     rc;
2505         u8                      status = USB_STATUS_PASS;
2506         u32                     sd, sdinfo = 0;
2507
2508         /* Wait for the next buffer to become available */
2509         bh = fsg->next_buffhd_to_fill;
2510         while (bh->state != BUF_STATE_EMPTY) {
2511                 rc = sleep_thread(fsg);
2512                 if (rc)
2513                         return rc;
2514         }
2515
2516         if (curlun) {
2517                 sd = curlun->sense_data;
2518                 sdinfo = curlun->sense_data_info;
2519         } else if (fsg->bad_lun_okay)
2520                 sd = SS_NO_SENSE;
2521         else
2522                 sd = SS_LOGICAL_UNIT_NOT_SUPPORTED;
2523
2524         if (fsg->phase_error) {
2525                 DBG(fsg, "sending phase-error status\n");
2526                 status = USB_STATUS_PHASE_ERROR;
2527                 sd = SS_INVALID_COMMAND;
2528         } else if (sd != SS_NO_SENSE) {
2529                 DBG(fsg, "sending command-failure status\n");
2530                 status = USB_STATUS_FAIL;
2531                 VDBG(fsg, "  sense data: SK x%02x, ASC x%02x, ASCQ x%02x;"
2532                                 "  info x%x\n",
2533                                 SK(sd), ASC(sd), ASCQ(sd), sdinfo);
2534         }
2535
2536         if (transport_is_bbb()) {
2537                 struct bulk_cs_wrap     *csw = bh->buf;
2538
2539                 /* Store and send the Bulk-only CSW */
2540                 csw->Signature = __constant_cpu_to_le32(USB_BULK_CS_SIG);
2541                 csw->Tag = fsg->tag;
2542                 csw->Residue = cpu_to_le32(fsg->residue);
2543                 csw->Status = status;
2544
2545                 bh->inreq->length = USB_BULK_CS_WRAP_LEN;
2546                 bh->inreq->zero = 0;
2547                 start_transfer(fsg, fsg->bulk_in, bh->inreq,
2548                                 &bh->inreq_busy, &bh->state);
2549
2550         } else if (mod_data.transport_type == USB_PR_CB) {
2551
2552                 /* Control-Bulk transport has no status phase! */
2553                 return 0;
2554
2555         } else {                        // USB_PR_CBI
2556                 struct interrupt_data   *buf = bh->buf;
2557
2558                 /* Store and send the Interrupt data.  UFI sends the ASC
2559                  * and ASCQ bytes.  Everything else sends a Type (which
2560                  * is always 0) and the status Value. */
2561                 if (mod_data.protocol_type == USB_SC_UFI) {
2562                         buf->bType = ASC(sd);
2563                         buf->bValue = ASCQ(sd);
2564                 } else {
2565                         buf->bType = 0;
2566                         buf->bValue = status;
2567                 }
2568                 fsg->intreq->length = CBI_INTERRUPT_DATA_LEN;
2569
2570                 fsg->intr_buffhd = bh;          // Point to the right buffhd
2571                 fsg->intreq->buf = bh->inreq->buf;
2572                 fsg->intreq->context = bh;
2573                 start_transfer(fsg, fsg->intr_in, fsg->intreq,
2574                                 &fsg->intreq_busy, &bh->state);
2575         }
2576
2577         fsg->next_buffhd_to_fill = bh->next;
2578         return 0;
2579 }
2580
2581
2582 /*-------------------------------------------------------------------------*/
2583
2584 /* Check whether the command is properly formed and whether its data size
2585  * and direction agree with the values we already have. */
2586 static int check_command(struct fsg_dev *fsg, int cmnd_size,
2587                 enum data_direction data_dir, unsigned int mask,
2588                 int needs_medium, const char *name)
2589 {
2590         int                     i;
2591         int                     lun = fsg->cmnd[1] >> 5;
2592         static const char       dirletter[4] = {'u', 'o', 'i', 'n'};
2593         char                    hdlen[20];
2594         struct lun              *curlun;
2595
2596         /* Adjust the expected cmnd_size for protocol encapsulation padding.
2597          * Transparent SCSI doesn't pad. */
2598         if (protocol_is_scsi())
2599                 ;
2600
2601         /* There's some disagreement as to whether RBC pads commands or not.
2602          * We'll play it safe and accept either form. */
2603         else if (mod_data.protocol_type == USB_SC_RBC) {
2604                 if (fsg->cmnd_size == 12)
2605                         cmnd_size = 12;
2606
2607         /* All the other protocols pad to 12 bytes */
2608         } else
2609                 cmnd_size = 12;
2610
2611         hdlen[0] = 0;
2612         if (fsg->data_dir != DATA_DIR_UNKNOWN)
2613                 sprintf(hdlen, ", H%c=%u", dirletter[(int) fsg->data_dir],
2614                                 fsg->data_size);
2615         VDBG(fsg, "SCSI command: %s;  Dc=%d, D%c=%u;  Hc=%d%s\n",
2616                         name, cmnd_size, dirletter[(int) data_dir],
2617                         fsg->data_size_from_cmnd, fsg->cmnd_size, hdlen);
2618
2619         /* We can't reply at all until we know the correct data direction
2620          * and size. */
2621         if (fsg->data_size_from_cmnd == 0)
2622                 data_dir = DATA_DIR_NONE;
2623         if (fsg->data_dir == DATA_DIR_UNKNOWN) {        // CB or CBI
2624                 fsg->data_dir = data_dir;
2625                 fsg->data_size = fsg->data_size_from_cmnd;
2626
2627         } else {                                        // Bulk-only
2628                 if (fsg->data_size < fsg->data_size_from_cmnd) {
2629
2630                         /* Host data size < Device data size is a phase error.
2631                          * Carry out the command, but only transfer as much
2632                          * as we are allowed. */
2633                         fsg->data_size_from_cmnd = fsg->data_size;
2634                         fsg->phase_error = 1;
2635                 }
2636         }
2637         fsg->residue = fsg->usb_amount_left = fsg->data_size;
2638
2639         /* Conflicting data directions is a phase error */
2640         if (fsg->data_dir != data_dir && fsg->data_size_from_cmnd > 0) {
2641                 fsg->phase_error = 1;
2642                 return -EINVAL;
2643         }
2644
2645         /* Verify the length of the command itself */
2646         if (cmnd_size != fsg->cmnd_size) {
2647
2648                 /* Special case workaround: MS-Windows issues REQUEST SENSE
2649                  * with cbw->Length == 12 (it should be 6). */
2650                 if (fsg->cmnd[0] == SC_REQUEST_SENSE && fsg->cmnd_size == 12)
2651                         cmnd_size = fsg->cmnd_size;
2652                 else {
2653                         fsg->phase_error = 1;
2654                         return -EINVAL;
2655                 }
2656         }
2657
2658         /* Check that the LUN values are consistent */
2659         if (transport_is_bbb()) {
2660                 if (fsg->lun != lun)
2661                         DBG(fsg, "using LUN %d from CBW, "
2662                                         "not LUN %d from CDB\n",
2663                                         fsg->lun, lun);
2664         } else
2665                 fsg->lun = lun;         // Use LUN from the command
2666
2667         /* Check the LUN */
2668         if (fsg->lun >= 0 && fsg->lun < fsg->nluns) {
2669                 fsg->curlun = curlun = &fsg->luns[fsg->lun];
2670                 if (fsg->cmnd[0] != SC_REQUEST_SENSE) {
2671                         curlun->sense_data = SS_NO_SENSE;
2672                         curlun->sense_data_info = 0;
2673                         curlun->info_valid = 0;
2674                 }
2675         } else {
2676                 fsg->curlun = curlun = NULL;
2677                 fsg->bad_lun_okay = 0;
2678
2679                 /* INQUIRY and REQUEST SENSE commands are explicitly allowed
2680                  * to use unsupported LUNs; all others may not. */
2681                 if (fsg->cmnd[0] != SC_INQUIRY &&
2682                                 fsg->cmnd[0] != SC_REQUEST_SENSE) {
2683                         DBG(fsg, "unsupported LUN %d\n", fsg->lun);
2684                         return -EINVAL;
2685                 }
2686         }
2687
2688         /* If a unit attention condition exists, only INQUIRY and
2689          * REQUEST SENSE commands are allowed; anything else must fail. */
2690         if (curlun && curlun->unit_attention_data != SS_NO_SENSE &&
2691                         fsg->cmnd[0] != SC_INQUIRY &&
2692                         fsg->cmnd[0] != SC_REQUEST_SENSE) {
2693                 curlun->sense_data = curlun->unit_attention_data;
2694                 curlun->unit_attention_data = SS_NO_SENSE;
2695                 return -EINVAL;
2696         }
2697
2698         /* Check that only command bytes listed in the mask are non-zero */
2699         fsg->cmnd[1] &= 0x1f;                   // Mask away the LUN
2700         for (i = 1; i < cmnd_size; ++i) {
2701                 if (fsg->cmnd[i] && !(mask & (1 << i))) {
2702                         if (curlun)
2703                                 curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
2704                         return -EINVAL;
2705                 }
2706         }
2707
2708         /* If the medium isn't mounted and the command needs to access
2709          * it, return an error. */
2710         if (curlun && !backing_file_is_open(curlun) && needs_medium) {
2711                 curlun->sense_data = SS_MEDIUM_NOT_PRESENT;
2712                 return -EINVAL;
2713         }
2714
2715         return 0;
2716 }
2717
2718
2719 static int do_scsi_command(struct fsg_dev *fsg)
2720 {
2721         struct fsg_buffhd       *bh;
2722         int                     rc;
2723         int                     reply = -EINVAL;
2724         int                     i;
2725         static char             unknown[16];
2726
2727         dump_cdb(fsg);
2728
2729         /* Wait for the next buffer to become available for data or status */
2730         bh = fsg->next_buffhd_to_drain = fsg->next_buffhd_to_fill;
2731         while (bh->state != BUF_STATE_EMPTY) {
2732                 rc = sleep_thread(fsg);
2733                 if (rc)
2734                         return rc;
2735         }
2736         fsg->phase_error = 0;
2737         fsg->short_packet_received = 0;
2738
2739         down_read(&fsg->filesem);       // We're using the backing file
2740         switch (fsg->cmnd[0]) {
2741
2742         case SC_INQUIRY:
2743                 fsg->data_size_from_cmnd = fsg->cmnd[4];
2744                 if ((reply = check_command(fsg, 6, DATA_DIR_TO_HOST,
2745                                 (1<<4), 0,
2746                                 "INQUIRY")) == 0)
2747                         reply = do_inquiry(fsg, bh);
2748                 break;
2749
2750         case SC_MODE_SELECT_6:
2751                 fsg->data_size_from_cmnd = fsg->cmnd[4];
2752                 if ((reply = check_command(fsg, 6, DATA_DIR_FROM_HOST,
2753                                 (1<<1) | (1<<4), 0,
2754                                 "MODE SELECT(6)")) == 0)
2755                         reply = do_mode_select(fsg, bh);
2756                 break;
2757
2758         case SC_MODE_SELECT_10:
2759                 fsg->data_size_from_cmnd = get_be16(&fsg->cmnd[7]);
2760                 if ((reply = check_command(fsg, 10, DATA_DIR_FROM_HOST,
2761                                 (1<<1) | (3<<7), 0,
2762                                 "MODE SELECT(10)")) == 0)
2763                         reply = do_mode_select(fsg, bh);
2764                 break;
2765
2766         case SC_MODE_SENSE_6:
2767                 fsg->data_size_from_cmnd = fsg->cmnd[4];
2768                 if ((reply = check_command(fsg, 6, DATA_DIR_TO_HOST,
2769                                 (1<<1) | (1<<2) | (1<<4), 0,
2770                                 "MODE SENSE(6)")) == 0)
2771                         reply = do_mode_sense(fsg, bh);
2772                 break;
2773
2774         case SC_MODE_SENSE_10:
2775                 fsg->data_size_from_cmnd = get_be16(&fsg->cmnd[7]);
2776                 if ((reply = check_command(fsg, 10, DATA_DIR_TO_HOST,
2777                                 (1<<1) | (1<<2) | (3<<7), 0,
2778                                 "MODE SENSE(10)")) == 0)
2779                         reply = do_mode_sense(fsg, bh);
2780                 break;
2781
2782         case SC_PREVENT_ALLOW_MEDIUM_REMOVAL:
2783                 fsg->data_size_from_cmnd = 0;
2784                 if ((reply = check_command(fsg, 6, DATA_DIR_NONE,
2785                                 (1<<4), 0,
2786                                 "PREVENT-ALLOW MEDIUM REMOVAL")) == 0)
2787                         reply = do_prevent_allow(fsg);
2788                 break;
2789
2790         case SC_READ_6:
2791                 i = fsg->cmnd[4];
2792                 fsg->data_size_from_cmnd = (i == 0 ? 256 : i) << 9;
2793                 if ((reply = check_command(fsg, 6, DATA_DIR_TO_HOST,
2794                                 (7<<1) | (1<<4), 1,
2795                                 "READ(6)")) == 0)
2796                         reply = do_read(fsg);
2797                 break;
2798
2799         case SC_READ_10:
2800                 fsg->data_size_from_cmnd = get_be16(&fsg->cmnd[7]) << 9;
2801                 if ((reply = check_command(fsg, 10, DATA_DIR_TO_HOST,
2802                                 (1<<1) | (0xf<<2) | (3<<7), 1,
2803                                 "READ(10)")) == 0)
2804                         reply = do_read(fsg);
2805                 break;
2806
2807         case SC_READ_12:
2808                 fsg->data_size_from_cmnd = get_be32(&fsg->cmnd[6]) << 9;
2809                 if ((reply = check_command(fsg, 12, DATA_DIR_TO_HOST,
2810                                 (1<<1) | (0xf<<2) | (0xf<<6), 1,
2811                                 "READ(12)")) == 0)
2812                         reply = do_read(fsg);
2813                 break;
2814
2815         case SC_READ_CAPACITY:
2816                 fsg->data_size_from_cmnd = 8;
2817                 if ((reply = check_command(fsg, 10, DATA_DIR_TO_HOST,
2818                                 (0xf<<2) | (1<<8), 1,
2819                                 "READ CAPACITY")) == 0)
2820                         reply = do_read_capacity(fsg, bh);
2821                 break;
2822
2823         case SC_READ_FORMAT_CAPACITIES:
2824                 fsg->data_size_from_cmnd = get_be16(&fsg->cmnd[7]);
2825                 if ((reply = check_command(fsg, 10, DATA_DIR_TO_HOST,
2826                                 (3<<7), 1,
2827                                 "READ FORMAT CAPACITIES")) == 0)
2828                         reply = do_read_format_capacities(fsg, bh);
2829                 break;
2830
2831         case SC_REQUEST_SENSE:
2832                 fsg->data_size_from_cmnd = fsg->cmnd[4];
2833                 if ((reply = check_command(fsg, 6, DATA_DIR_TO_HOST,
2834                                 (1<<4), 0,
2835                                 "REQUEST SENSE")) == 0)
2836                         reply = do_request_sense(fsg, bh);
2837                 break;
2838
2839         case SC_START_STOP_UNIT:
2840                 fsg->data_size_from_cmnd = 0;
2841                 if ((reply = check_command(fsg, 6, DATA_DIR_NONE,
2842                                 (1<<1) | (1<<4), 0,
2843                                 "START-STOP UNIT")) == 0)
2844                         reply = do_start_stop(fsg);
2845                 break;
2846
2847         case SC_SYNCHRONIZE_CACHE:
2848                 fsg->data_size_from_cmnd = 0;
2849                 if ((reply = check_command(fsg, 10, DATA_DIR_NONE,
2850                                 (0xf<<2) | (3<<7), 1,
2851                                 "SYNCHRONIZE CACHE")) == 0)
2852                         reply = do_synchronize_cache(fsg);
2853                 break;
2854
2855         case SC_TEST_UNIT_READY:
2856                 fsg->data_size_from_cmnd = 0;
2857                 reply = check_command(fsg, 6, DATA_DIR_NONE,
2858                                 0, 1,
2859                                 "TEST UNIT READY");
2860                 break;
2861
2862         /* Although optional, this command is used by MS-Windows.  We
2863          * support a minimal version: BytChk must be 0. */
2864         case SC_VERIFY:
2865                 fsg->data_size_from_cmnd = 0;
2866                 if ((reply = check_command(fsg, 10, DATA_DIR_NONE,
2867                                 (1<<1) | (0xf<<2) | (3<<7), 1,
2868                                 "VERIFY")) == 0)
2869                         reply = do_verify(fsg);
2870                 break;
2871
2872         case SC_WRITE_6:
2873                 i = fsg->cmnd[4];
2874                 fsg->data_size_from_cmnd = (i == 0 ? 256 : i) << 9;
2875                 if ((reply = check_command(fsg, 6, DATA_DIR_FROM_HOST,
2876                                 (7<<1) | (1<<4), 1,
2877                                 "WRITE(6)")) == 0)
2878                         reply = do_write(fsg);
2879                 break;
2880
2881         case SC_WRITE_10:
2882                 fsg->data_size_from_cmnd = get_be16(&fsg->cmnd[7]) << 9;
2883                 if ((reply = check_command(fsg, 10, DATA_DIR_FROM_HOST,
2884                                 (1<<1) | (0xf<<2) | (3<<7), 1,
2885                                 "WRITE(10)")) == 0)
2886                         reply = do_write(fsg);
2887                 break;
2888
2889         case SC_WRITE_12:
2890                 fsg->data_size_from_cmnd = get_be32(&fsg->cmnd[6]) << 9;
2891                 if ((reply = check_command(fsg, 12, DATA_DIR_FROM_HOST,
2892                                 (1<<1) | (0xf<<2) | (0xf<<6), 1,
2893                                 "WRITE(12)")) == 0)
2894                         reply = do_write(fsg);
2895                 break;
2896
2897         /* Some mandatory commands that we recognize but don't implement.
2898          * They don't mean much in this setting.  It's left as an exercise
2899          * for anyone interested to implement RESERVE and RELEASE in terms
2900          * of Posix locks. */
2901         case SC_FORMAT_UNIT:
2902         case SC_RELEASE:
2903         case SC_RESERVE:
2904         case SC_SEND_DIAGNOSTIC:
2905                 // Fall through
2906
2907         default:
2908                 fsg->data_size_from_cmnd = 0;
2909                 sprintf(unknown, "Unknown x%02x", fsg->cmnd[0]);
2910                 if ((reply = check_command(fsg, fsg->cmnd_size,
2911                                 DATA_DIR_UNKNOWN, 0xff, 0, unknown)) == 0) {
2912                         fsg->curlun->sense_data = SS_INVALID_COMMAND;
2913                         reply = -EINVAL;
2914                 }
2915                 break;
2916         }
2917         up_read(&fsg->filesem);
2918
2919         if (reply == -EINTR || signal_pending(current))
2920                 return -EINTR;
2921
2922         /* Set up the single reply buffer for finish_reply() */
2923         if (reply == -EINVAL)
2924                 reply = 0;              // Error reply length
2925         if (reply >= 0 && fsg->data_dir == DATA_DIR_TO_HOST) {
2926                 reply = min((u32) reply, fsg->data_size_from_cmnd);
2927                 bh->inreq->length = reply;
2928                 bh->state = BUF_STATE_FULL;
2929                 fsg->residue -= reply;
2930         }                               // Otherwise it's already set
2931
2932         return 0;
2933 }
2934
2935
2936 /*-------------------------------------------------------------------------*/
2937
2938 static int received_cbw(struct fsg_dev *fsg, struct fsg_buffhd *bh)
2939 {
2940         struct usb_request      *req = bh->outreq;
2941         struct bulk_cb_wrap     *cbw = req->buf;
2942
2943         /* Was this a real packet? */
2944         if (req->status)
2945                 return -EINVAL;
2946
2947         /* Is the CBW valid? */
2948         if (req->actual != USB_BULK_CB_WRAP_LEN ||
2949                         cbw->Signature != __constant_cpu_to_le32(
2950                                 USB_BULK_CB_SIG)) {
2951                 DBG(fsg, "invalid CBW: len %u sig 0x%x\n",
2952                                 req->actual,
2953                                 le32_to_cpu(cbw->Signature));
2954
2955                 /* The Bulk-only spec says we MUST stall the bulk pipes!
2956                  * If we want to avoid stalls, set a flag so that we will
2957                  * clear the endpoint halts at the next reset. */
2958                 if (!mod_data.can_stall)
2959                         set_bit(CLEAR_BULK_HALTS, &fsg->atomic_bitflags);
2960                 fsg_set_halt(fsg, fsg->bulk_out);
2961                 halt_bulk_in_endpoint(fsg);
2962                 return -EINVAL;
2963         }
2964
2965         /* Is the CBW meaningful? */
2966         if (cbw->Lun >= MAX_LUNS || cbw->Flags & ~USB_BULK_IN_FLAG ||
2967                         cbw->Length <= 0 || cbw->Length > MAX_COMMAND_SIZE) {
2968                 DBG(fsg, "non-meaningful CBW: lun = %u, flags = 0x%x, "
2969                                 "cmdlen %u\n",
2970                                 cbw->Lun, cbw->Flags, cbw->Length);
2971
2972                 /* We can do anything we want here, so let's stall the
2973                  * bulk pipes if we are allowed to. */
2974                 if (mod_data.can_stall) {
2975                         fsg_set_halt(fsg, fsg->bulk_out);
2976                         halt_bulk_in_endpoint(fsg);
2977                 }
2978                 return -EINVAL;
2979         }
2980
2981         /* Save the command for later */
2982         fsg->cmnd_size = cbw->Length;
2983         memcpy(fsg->cmnd, cbw->CDB, fsg->cmnd_size);
2984         if (cbw->Flags & USB_BULK_IN_FLAG)
2985                 fsg->data_dir = DATA_DIR_TO_HOST;
2986         else
2987                 fsg->data_dir = DATA_DIR_FROM_HOST;
2988         fsg->data_size = le32_to_cpu(cbw->DataTransferLength);
2989         if (fsg->data_size == 0)
2990                 fsg->data_dir = DATA_DIR_NONE;
2991         fsg->lun = cbw->Lun;
2992         fsg->tag = cbw->Tag;
2993         return 0;
2994 }
2995
2996
2997 static int get_next_command(struct fsg_dev *fsg)
2998 {
2999         struct fsg_buffhd       *bh;
3000         int                     rc = 0;
3001
3002         if (transport_is_bbb()) {
3003
3004                 /* Wait for the next buffer to become available */
3005                 bh = fsg->next_buffhd_to_fill;
3006                 while (bh->state != BUF_STATE_EMPTY) {
3007                         rc = sleep_thread(fsg);
3008                         if (rc)
3009                                 return rc;
3010                 }
3011
3012                 /* Queue a request to read a Bulk-only CBW */
3013                 set_bulk_out_req_length(fsg, bh, USB_BULK_CB_WRAP_LEN);
3014                 bh->outreq->short_not_ok = 1;
3015                 start_transfer(fsg, fsg->bulk_out, bh->outreq,
3016                                 &bh->outreq_busy, &bh->state);
3017
3018                 /* We will drain the buffer in software, which means we
3019                  * can reuse it for the next filling.  No need to advance
3020                  * next_buffhd_to_fill. */
3021
3022                 /* Wait for the CBW to arrive */
3023                 while (bh->state != BUF_STATE_FULL) {
3024                         rc = sleep_thread(fsg);
3025                         if (rc)
3026                                 return rc;
3027                 }
3028                 smp_rmb();
3029                 rc = received_cbw(fsg, bh);
3030                 bh->state = BUF_STATE_EMPTY;
3031
3032         } else {                // USB_PR_CB or USB_PR_CBI
3033
3034                 /* Wait for the next command to arrive */
3035                 while (fsg->cbbuf_cmnd_size == 0) {
3036                         rc = sleep_thread(fsg);
3037                         if (rc)
3038                                 return rc;
3039                 }
3040
3041                 /* Is the previous status interrupt request still busy?
3042                  * The host is allowed to skip reading the status,
3043                  * so we must cancel it. */
3044                 if (fsg->intreq_busy)
3045                         usb_ep_dequeue(fsg->intr_in, fsg->intreq);
3046
3047                 /* Copy the command and mark the buffer empty */
3048                 fsg->data_dir = DATA_DIR_UNKNOWN;
3049                 spin_lock_irq(&fsg->lock);
3050                 fsg->cmnd_size = fsg->cbbuf_cmnd_size;
3051                 memcpy(fsg->cmnd, fsg->cbbuf_cmnd, fsg->cmnd_size);
3052                 fsg->cbbuf_cmnd_size = 0;
3053                 spin_unlock_irq(&fsg->lock);
3054         }
3055         return rc;
3056 }
3057
3058
3059 /*-------------------------------------------------------------------------*/
3060
3061 static int enable_endpoint(struct fsg_dev *fsg, struct usb_ep *ep,
3062                 const struct usb_endpoint_descriptor *d)
3063 {
3064         int     rc;
3065
3066         ep->driver_data = fsg;
3067         rc = usb_ep_enable(ep, d);
3068         if (rc)
3069                 ERROR(fsg, "can't enable %s, result %d\n", ep->name, rc);
3070         return rc;
3071 }
3072
3073 static int alloc_request(struct fsg_dev *fsg, struct usb_ep *ep,
3074                 struct usb_request **preq)
3075 {
3076         *preq = usb_ep_alloc_request(ep, GFP_ATOMIC);
3077         if (*preq)
3078                 return 0;
3079         ERROR(fsg, "can't allocate request for %s\n", ep->name);
3080         return -ENOMEM;
3081 }
3082
3083 /*
3084  * Reset interface setting and re-init endpoint state (toggle etc).
3085  * Call with altsetting < 0 to disable the interface.  The only other
3086  * available altsetting is 0, which enables the interface.
3087  */
3088 static int do_set_interface(struct fsg_dev *fsg, int altsetting)
3089 {
3090         int     rc = 0;
3091         int     i;
3092         const struct usb_endpoint_descriptor    *d;
3093
3094         if (fsg->running)
3095                 DBG(fsg, "reset interface\n");
3096
3097 reset:
3098         /* Deallocate the requests */
3099         for (i = 0; i < NUM_BUFFERS; ++i) {
3100                 struct fsg_buffhd *bh = &fsg->buffhds[i];
3101
3102                 if (bh->inreq) {
3103                         usb_ep_free_request(fsg->bulk_in, bh->inreq);
3104                         bh->inreq = NULL;
3105                 }
3106                 if (bh->outreq) {
3107                         usb_ep_free_request(fsg->bulk_out, bh->outreq);
3108                         bh->outreq = NULL;
3109                 }
3110         }
3111         if (fsg->intreq) {
3112                 usb_ep_free_request(fsg->intr_in, fsg->intreq);
3113                 fsg->intreq = NULL;
3114         }
3115
3116         /* Disable the endpoints */
3117         if (fsg->bulk_in_enabled) {
3118                 usb_ep_disable(fsg->bulk_in);
3119                 fsg->bulk_in_enabled = 0;
3120         }
3121         if (fsg->bulk_out_enabled) {
3122                 usb_ep_disable(fsg->bulk_out);
3123                 fsg->bulk_out_enabled = 0;
3124         }
3125         if (fsg->intr_in_enabled) {
3126                 usb_ep_disable(fsg->intr_in);
3127                 fsg->intr_in_enabled = 0;
3128         }
3129
3130         fsg->running = 0;
3131         if (altsetting < 0 || rc != 0)
3132                 return rc;
3133
3134         DBG(fsg, "set interface %d\n", altsetting);
3135
3136         /* Enable the endpoints */
3137         d = ep_desc(fsg->gadget, &fs_bulk_in_desc, &hs_bulk_in_desc);
3138         if ((rc = enable_endpoint(fsg, fsg->bulk_in, d)) != 0)
3139                 goto reset;
3140         fsg->bulk_in_enabled = 1;
3141
3142         d = ep_desc(fsg->gadget, &fs_bulk_out_desc, &hs_bulk_out_desc);
3143         if ((rc = enable_endpoint(fsg, fsg->bulk_out, d)) != 0)
3144                 goto reset;
3145         fsg->bulk_out_enabled = 1;
3146         fsg->bulk_out_maxpacket = le16_to_cpu(d->wMaxPacketSize);
3147
3148         if (transport_is_cbi()) {
3149                 d = ep_desc(fsg->gadget, &fs_intr_in_desc, &hs_intr_in_desc);
3150                 if ((rc = enable_endpoint(fsg, fsg->intr_in, d)) != 0)
3151                         goto reset;
3152                 fsg->intr_in_enabled = 1;
3153         }
3154
3155         /* Allocate the requests */
3156         for (i = 0; i < NUM_BUFFERS; ++i) {
3157                 struct fsg_buffhd       *bh = &fsg->buffhds[i];
3158
3159                 if ((rc = alloc_request(fsg, fsg->bulk_in, &bh->inreq)) != 0)
3160                         goto reset;
3161                 if ((rc = alloc_request(fsg, fsg->bulk_out, &bh->outreq)) != 0)
3162                         goto reset;
3163                 bh->inreq->buf = bh->outreq->buf = bh->buf;
3164                 bh->inreq->context = bh->outreq->context = bh;
3165                 bh->inreq->complete = bulk_in_complete;
3166                 bh->outreq->complete = bulk_out_complete;
3167         }
3168         if (transport_is_cbi()) {
3169                 if ((rc = alloc_request(fsg, fsg->intr_in, &fsg->intreq)) != 0)
3170                         goto reset;
3171                 fsg->intreq->complete = intr_in_complete;
3172         }
3173
3174         fsg->running = 1;
3175         for (i = 0; i < fsg->nluns; ++i)
3176                 fsg->luns[i].unit_attention_data = SS_RESET_OCCURRED;
3177         return rc;
3178 }
3179
3180
3181 /*
3182  * Change our operational configuration.  This code must agree with the code
3183  * that returns config descriptors, and with interface altsetting code.
3184  *
3185  * It's also responsible for power management interactions.  Some
3186  * configurations might not work with our current power sources.
3187  * For now we just assume the gadget is always self-powered.
3188  */
3189 static int do_set_config(struct fsg_dev *fsg, u8 new_config)
3190 {
3191         int     rc = 0;
3192
3193         /* Disable the single interface */
3194         if (fsg->config != 0) {
3195                 DBG(fsg, "reset config\n");
3196                 fsg->config = 0;
3197                 rc = do_set_interface(fsg, -1);
3198         }
3199
3200         /* Enable the interface */
3201         if (new_config != 0) {
3202                 fsg->config = new_config;
3203                 if ((rc = do_set_interface(fsg, 0)) != 0)
3204                         fsg->config = 0;        // Reset on errors
3205                 else {
3206                         char *speed;
3207
3208                         switch (fsg->gadget->speed) {
3209                         case USB_SPEED_LOW:     speed = "low";  break;
3210                         case USB_SPEED_FULL:    speed = "full"; break;
3211                         case USB_SPEED_HIGH:    speed = "high"; break;
3212                         default:                speed = "?";    break;
3213                         }
3214                         INFO(fsg, "%s speed config #%d\n", speed, fsg->config);
3215                 }
3216         }
3217         return rc;
3218 }
3219
3220
3221 /*-------------------------------------------------------------------------*/
3222
3223 static void handle_exception(struct fsg_dev *fsg)
3224 {
3225         siginfo_t               info;
3226         int                     sig;
3227         int                     i;
3228         int                     num_active;
3229         struct fsg_buffhd       *bh;
3230         enum fsg_state          old_state;
3231         u8                      new_config;
3232         struct lun              *curlun;
3233         unsigned int            exception_req_tag;
3234         int                     rc;
3235
3236         /* Clear the existing signals.  Anything but SIGUSR1 is converted
3237          * into a high-priority EXIT exception. */
3238         for (;;) {
3239                 sig = dequeue_signal_lock(current, &current->blocked, &info);
3240                 if (!sig)
3241                         break;
3242                 if (sig != SIGUSR1) {
3243                         if (fsg->state < FSG_STATE_EXIT)
3244                                 DBG(fsg, "Main thread exiting on signal\n");
3245                         raise_exception(fsg, FSG_STATE_EXIT);
3246                 }
3247         }
3248
3249         /* Cancel all the pending transfers */
3250         if (fsg->intreq_busy)
3251                 usb_ep_dequeue(fsg->intr_in, fsg->intreq);
3252         for (i = 0; i < NUM_BUFFERS; ++i) {
3253                 bh = &fsg->buffhds[i];
3254                 if (bh->inreq_busy)
3255                         usb_ep_dequeue(fsg->bulk_in, bh->inreq);
3256                 if (bh->outreq_busy)
3257                         usb_ep_dequeue(fsg->bulk_out, bh->outreq);
3258         }
3259
3260         /* Wait until everything is idle */
3261         for (;;) {
3262                 num_active = fsg->intreq_busy;
3263                 for (i = 0; i < NUM_BUFFERS; ++i) {
3264                         bh = &fsg->buffhds[i];
3265                         num_active += bh->inreq_busy + bh->outreq_busy;
3266                 }
3267                 if (num_active == 0)
3268                         break;
3269                 if (sleep_thread(fsg))
3270                         return;
3271         }
3272
3273         /* Clear out the controller's fifos */
3274         if (fsg->bulk_in_enabled)
3275                 usb_ep_fifo_flush(fsg->bulk_in);
3276         if (fsg->bulk_out_enabled)
3277                 usb_ep_fifo_flush(fsg->bulk_out);
3278         if (fsg->intr_in_enabled)
3279                 usb_ep_fifo_flush(fsg->intr_in);
3280
3281         /* Reset the I/O buffer states and pointers, the SCSI
3282          * state, and the exception.  Then invoke the handler. */
3283         spin_lock_irq(&fsg->lock);
3284
3285         for (i = 0; i < NUM_BUFFERS; ++i) {
3286                 bh = &fsg->buffhds[i];
3287                 bh->state = BUF_STATE_EMPTY;
3288         }
3289         fsg->next_buffhd_to_fill = fsg->next_buffhd_to_drain =
3290                         &fsg->buffhds[0];
3291
3292         exception_req_tag = fsg->exception_req_tag;
3293         new_config = fsg->new_config;
3294         old_state = fsg->state;
3295
3296         if (old_state == FSG_STATE_ABORT_BULK_OUT)
3297                 fsg->state = FSG_STATE_STATUS_PHASE;
3298         else {
3299                 for (i = 0; i < fsg->nluns; ++i) {
3300                         curlun = &fsg->luns[i];
3301                         curlun->prevent_medium_removal = 0;
3302                         curlun->sense_data = curlun->unit_attention_data =
3303                                         SS_NO_SENSE;
3304                         curlun->sense_data_info = 0;
3305                         curlun->info_valid = 0;
3306                 }
3307                 fsg->state = FSG_STATE_IDLE;
3308         }
3309         spin_unlock_irq(&fsg->lock);
3310
3311         /* Carry out any extra actions required for the exception */
3312         switch (old_state) {
3313         default:
3314                 break;
3315
3316         case FSG_STATE_ABORT_BULK_OUT:
3317                 send_status(fsg);
3318                 spin_lock_irq(&fsg->lock);
3319                 if (fsg->state == FSG_STATE_STATUS_PHASE)
3320                         fsg->state = FSG_STATE_IDLE;
3321                 spin_unlock_irq(&fsg->lock);
3322                 break;
3323
3324         case FSG_STATE_RESET:
3325                 /* In case we were forced against our will to halt a
3326                  * bulk endpoint, clear the halt now.  (The SuperH UDC
3327                  * requires this.) */
3328                 if (test_and_clear_bit(CLEAR_BULK_HALTS,
3329                                 &fsg->atomic_bitflags)) {
3330                         usb_ep_clear_halt(fsg->bulk_in);
3331                         usb_ep_clear_halt(fsg->bulk_out);
3332                 }
3333
3334                 if (transport_is_bbb()) {
3335                         if (fsg->ep0_req_tag == exception_req_tag)
3336                                 ep0_queue(fsg); // Complete the status stage
3337
3338                 } else if (transport_is_cbi())
3339                         send_status(fsg);       // Status by interrupt pipe
3340
3341                 /* Technically this should go here, but it would only be
3342                  * a waste of time.  Ditto for the INTERFACE_CHANGE and
3343                  * CONFIG_CHANGE cases. */
3344                 // for (i = 0; i < fsg->nluns; ++i)
3345                 //      fsg->luns[i].unit_attention_data = SS_RESET_OCCURRED;
3346                 break;
3347
3348         case FSG_STATE_INTERFACE_CHANGE:
3349                 rc = do_set_interface(fsg, 0);
3350                 if (fsg->ep0_req_tag != exception_req_tag)
3351                         break;
3352                 if (rc != 0)                    // STALL on errors
3353                         fsg_set_halt(fsg, fsg->ep0);
3354                 else                            // Complete the status stage
3355                         ep0_queue(fsg);
3356                 break;
3357
3358         case FSG_STATE_CONFIG_CHANGE:
3359                 rc = do_set_config(fsg, new_config);
3360                 if (fsg->ep0_req_tag != exception_req_tag)
3361                         break;
3362                 if (rc != 0)                    // STALL on errors
3363                         fsg_set_halt(fsg, fsg->ep0);
3364                 else                            // Complete the status stage
3365                         ep0_queue(fsg);
3366                 break;
3367
3368         case FSG_STATE_DISCONNECT:
3369                 fsync_all(fsg);
3370                 do_set_config(fsg, 0);          // Unconfigured state
3371                 break;
3372
3373         case FSG_STATE_EXIT:
3374         case FSG_STATE_TERMINATED:
3375                 do_set_config(fsg, 0);                  // Free resources
3376                 spin_lock_irq(&fsg->lock);
3377                 fsg->state = FSG_STATE_TERMINATED;      // Stop the thread
3378                 spin_unlock_irq(&fsg->lock);
3379                 break;
3380         }
3381 }
3382
3383
3384 /*-------------------------------------------------------------------------*/
3385
3386 static int fsg_main_thread(void *fsg_)
3387 {
3388         struct fsg_dev          *fsg = fsg_;
3389
3390         /* Allow the thread to be killed by a signal, but set the signal mask
3391          * to block everything but INT, TERM, KILL, and USR1. */
3392         allow_signal(SIGINT);
3393         allow_signal(SIGTERM);
3394         allow_signal(SIGKILL);
3395         allow_signal(SIGUSR1);
3396
3397         /* Allow the thread to be frozen */
3398         set_freezable();
3399
3400         /* Arrange for userspace references to be interpreted as kernel
3401          * pointers.  That way we can pass a kernel pointer to a routine
3402          * that expects a __user pointer and it will work okay. */
3403         set_fs(get_ds());
3404
3405         /* The main loop */
3406         while (fsg->state != FSG_STATE_TERMINATED) {
3407                 if (exception_in_progress(fsg) || signal_pending(current)) {
3408                         handle_exception(fsg);
3409                         continue;
3410                 }
3411
3412                 if (!fsg->running) {
3413                         sleep_thread(fsg);
3414                         continue;
3415                 }
3416
3417                 if (get_next_command(fsg))
3418                         continue;
3419
3420                 spin_lock_irq(&fsg->lock);
3421                 if (!exception_in_progress(fsg))
3422                         fsg->state = FSG_STATE_DATA_PHASE;
3423                 spin_unlock_irq(&fsg->lock);
3424
3425                 if (do_scsi_command(fsg) || finish_reply(fsg))
3426                         continue;
3427
3428                 spin_lock_irq(&fsg->lock);
3429                 if (!exception_in_progress(fsg))
3430                         fsg->state = FSG_STATE_STATUS_PHASE;
3431                 spin_unlock_irq(&fsg->lock);
3432
3433                 if (send_status(fsg))
3434                         continue;
3435
3436                 spin_lock_irq(&fsg->lock);
3437                 if (!exception_in_progress(fsg))
3438                         fsg->state = FSG_STATE_IDLE;
3439                 spin_unlock_irq(&fsg->lock);
3440                 }
3441
3442         spin_lock_irq(&fsg->lock);
3443         fsg->thread_task = NULL;
3444         spin_unlock_irq(&fsg->lock);
3445
3446         /* In case we are exiting because of a signal, unregister the
3447          * gadget driver and close the backing file. */
3448         if (test_and_clear_bit(REGISTERED, &fsg->atomic_bitflags)) {
3449                 usb_gadget_unregister_driver(&fsg_driver);
3450                 close_all_backing_files(fsg);
3451         }
3452
3453         /* Let the unbind and cleanup routines know the thread has exited */
3454         complete_and_exit(&fsg->thread_notifier, 0);
3455 }
3456
3457
3458 /*-------------------------------------------------------------------------*/
3459
3460 /* If the next two routines are called while the gadget is registered,
3461  * the caller must own fsg->filesem for writing. */
3462
3463 static int open_backing_file(struct lun *curlun, const char *filename)
3464 {
3465         int                             ro;
3466         struct file                     *filp = NULL;
3467         int                             rc = -EINVAL;
3468         struct inode                    *inode = NULL;
3469         loff_t                          size;
3470         loff_t                          num_sectors;
3471
3472         /* R/W if we can, R/O if we must */
3473         ro = curlun->ro;
3474         if (!ro) {
3475                 filp = filp_open(filename, O_RDWR | O_LARGEFILE, 0);
3476                 if (-EROFS == PTR_ERR(filp))
3477                         ro = 1;
3478         }
3479         if (ro)
3480                 filp = filp_open(filename, O_RDONLY | O_LARGEFILE, 0);
3481         if (IS_ERR(filp)) {
3482                 LINFO(curlun, "unable to open backing file: %s\n", filename);
3483                 return PTR_ERR(filp);
3484         }
3485
3486         if (!(filp->f_mode & FMODE_WRITE))
3487                 ro = 1;
3488
3489         if (filp->f_path.dentry)
3490                 inode = filp->f_path.dentry->d_inode;
3491         if (inode && S_ISBLK(inode->i_mode)) {
3492                 if (bdev_read_only(inode->i_bdev))
3493                         ro = 1;
3494         } else if (!inode || !S_ISREG(inode->i_mode)) {
3495                 LINFO(curlun, "invalid file type: %s\n", filename);
3496                 goto out;
3497         }
3498
3499         /* If we can't read the file, it's no good.
3500          * If we can't write the file, use it read-only. */
3501         if (!filp->f_op || !(filp->f_op->read || filp->f_op->aio_read)) {
3502                 LINFO(curlun, "file not readable: %s\n", filename);
3503                 goto out;
3504         }
3505         if (!(filp->f_op->write || filp->f_op->aio_write))
3506                 ro = 1;
3507
3508         size = i_size_read(inode->i_mapping->host);
3509         if (size < 0) {
3510                 LINFO(curlun, "unable to find file size: %s\n", filename);
3511                 rc = (int) size;
3512                 goto out;
3513         }
3514         num_sectors = size >> 9;        // File size in 512-byte sectors
3515         if (num_sectors == 0) {
3516                 LINFO(curlun, "file too small: %s\n", filename);
3517                 rc = -ETOOSMALL;
3518                 goto out;
3519         }
3520
3521         get_file(filp);
3522         curlun->ro = ro;
3523         curlun->filp = filp;
3524         curlun->file_length = size;
3525         curlun->num_sectors = num_sectors;
3526         LDBG(curlun, "open backing file: %s\n", filename);
3527         rc = 0;
3528
3529 out:
3530         filp_close(filp, current->files);
3531         return rc;
3532 }
3533
3534
3535 static void close_backing_file(struct lun *curlun)
3536 {
3537         if (curlun->filp) {
3538                 LDBG(curlun, "close backing file\n");
3539                 fput(curlun->filp);
3540                 curlun->filp = NULL;
3541         }
3542 }
3543
3544 static void close_all_backing_files(struct fsg_dev *fsg)
3545 {
3546         int     i;
3547
3548         for (i = 0; i < fsg->nluns; ++i)
3549                 close_backing_file(&fsg->luns[i]);
3550 }
3551
3552
3553 static ssize_t show_ro(struct device *dev, struct device_attribute *attr, char *buf)
3554 {
3555         struct lun      *curlun = dev_to_lun(dev);
3556
3557         return sprintf(buf, "%d\n", curlun->ro);
3558 }
3559
3560 static ssize_t show_file(struct device *dev, struct device_attribute *attr,
3561                 char *buf)
3562 {
3563         struct lun      *curlun = dev_to_lun(dev);
3564         struct fsg_dev  *fsg = dev_get_drvdata(dev);
3565         char            *p;
3566         ssize_t         rc;
3567
3568         down_read(&fsg->filesem);
3569         if (backing_file_is_open(curlun)) {     // Get the complete pathname
3570                 p = d_path(curlun->filp->f_path.dentry,
3571                                 curlun->filp->f_path.mnt, buf, PAGE_SIZE - 1);
3572                 if (IS_ERR(p))
3573                         rc = PTR_ERR(p);
3574                 else {
3575                         rc = strlen(p);
3576                         memmove(buf, p, rc);
3577                         buf[rc] = '\n';         // Add a newline
3578                         buf[++rc] = 0;
3579                 }
3580         } else {                                // No file, return 0 bytes
3581                 *buf = 0;
3582                 rc = 0;
3583         }
3584         up_read(&fsg->filesem);
3585         return rc;
3586 }
3587
3588
3589 static ssize_t store_ro(struct device *dev, struct device_attribute *attr,
3590                 const char *buf, size_t count)
3591 {
3592         ssize_t         rc = count;
3593         struct lun      *curlun = dev_to_lun(dev);
3594         struct fsg_dev  *fsg = dev_get_drvdata(dev);
3595         int             i;
3596
3597         if (sscanf(buf, "%d", &i) != 1)
3598                 return -EINVAL;
3599
3600         /* Allow the write-enable status to change only while the backing file
3601          * is closed. */
3602         down_read(&fsg->filesem);
3603         if (backing_file_is_open(curlun)) {
3604                 LDBG(curlun, "read-only status change prevented\n");
3605                 rc = -EBUSY;
3606         } else {
3607                 curlun->ro = !!i;
3608                 LDBG(curlun, "read-only status set to %d\n", curlun->ro);
3609         }
3610         up_read(&fsg->filesem);
3611         return rc;
3612 }
3613
3614 static ssize_t store_file(struct device *dev, struct device_attribute *attr,
3615                 const char *buf, size_t count)
3616 {
3617         struct lun      *curlun = dev_to_lun(dev);
3618         struct fsg_dev  *fsg = dev_get_drvdata(dev);
3619         int             rc = 0;
3620
3621         if (curlun->prevent_medium_removal && backing_file_is_open(curlun)) {
3622                 LDBG(curlun, "eject attempt prevented\n");
3623                 return -EBUSY;                          // "Door is locked"
3624         }
3625
3626         /* Remove a trailing newline */
3627         if (count > 0 && buf[count-1] == '\n')
3628                 ((char *) buf)[count-1] = 0;            // Ugh!
3629
3630         /* Eject current medium */
3631         down_write(&fsg->filesem);
3632         if (backing_file_is_open(curlun)) {
3633                 close_backing_file(curlun);
3634                 curlun->unit_attention_data = SS_MEDIUM_NOT_PRESENT;
3635         }
3636
3637         /* Load new medium */
3638         if (count > 0 && buf[0]) {
3639                 rc = open_backing_file(curlun, buf);
3640                 if (rc == 0)
3641                         curlun->unit_attention_data =
3642                                         SS_NOT_READY_TO_READY_TRANSITION;
3643         }
3644         up_write(&fsg->filesem);
3645         return (rc < 0 ? rc : count);
3646 }
3647
3648
3649 /* The write permissions and store_xxx pointers are set in fsg_bind() */
3650 static DEVICE_ATTR(ro, 0444, show_ro, NULL);
3651 static DEVICE_ATTR(file, 0444, show_file, NULL);
3652
3653
3654 /*-------------------------------------------------------------------------*/
3655
3656 static void fsg_release(struct kref *ref)
3657 {
3658         struct fsg_dev  *fsg = container_of(ref, struct fsg_dev, ref);
3659
3660         kfree(fsg->luns);
3661         kfree(fsg);
3662 }
3663
3664 static void lun_release(struct device *dev)
3665 {
3666         struct fsg_dev  *fsg = dev_get_drvdata(dev);
3667
3668         kref_put(&fsg->ref, fsg_release);
3669 }
3670
3671 static void /* __init_or_exit */ fsg_unbind(struct usb_gadget *gadget)
3672 {
3673         struct fsg_dev          *fsg = get_gadget_data(gadget);
3674         int                     i;
3675         struct lun              *curlun;
3676         struct usb_request      *req = fsg->ep0req;
3677
3678         DBG(fsg, "unbind\n");
3679         clear_bit(REGISTERED, &fsg->atomic_bitflags);
3680
3681         /* Unregister the sysfs attribute files and the LUNs */
3682         for (i = 0; i < fsg->nluns; ++i) {
3683                 curlun = &fsg->luns[i];
3684                 if (curlun->registered) {
3685                         device_remove_file(&curlun->dev, &dev_attr_ro);
3686                         device_remove_file(&curlun->dev, &dev_attr_file);
3687                         device_unregister(&curlun->dev);
3688                         curlun->registered = 0;
3689                 }
3690         }
3691
3692         /* If the thread isn't already dead, tell it to exit now */
3693         if (fsg->state != FSG_STATE_TERMINATED) {
3694                 raise_exception(fsg, FSG_STATE_EXIT);
3695                 wait_for_completion(&fsg->thread_notifier);
3696
3697                 /* The cleanup routine waits for this completion also */
3698                 complete(&fsg->thread_notifier);
3699         }
3700
3701         /* Free the data buffers */
3702         for (i = 0; i < NUM_BUFFERS; ++i)
3703                 kfree(fsg->buffhds[i].buf);
3704
3705         /* Free the request and buffer for endpoint 0 */
3706         if (req) {
3707                 kfree(req->buf);
3708                 usb_ep_free_request(fsg->ep0, req);
3709         }
3710
3711         set_gadget_data(gadget, NULL);
3712 }
3713
3714
3715 static int __init check_parameters(struct fsg_dev *fsg)
3716 {
3717         int     prot;
3718         int     gcnum;
3719
3720         /* Store the default values */
3721         mod_data.transport_type = USB_PR_BULK;
3722         mod_data.transport_name = "Bulk-only";
3723         mod_data.protocol_type = USB_SC_SCSI;
3724         mod_data.protocol_name = "Transparent SCSI";
3725
3726         if (gadget_is_sh(fsg->gadget))
3727                 mod_data.can_stall = 0;
3728
3729         if (mod_data.release == 0xffff) {       // Parameter wasn't set
3730                 /* The sa1100 controller is not supported */
3731                 if (gadget_is_sa1100(fsg->gadget))
3732                         gcnum = -1;
3733                 else
3734                         gcnum = usb_gadget_controller_number(fsg->gadget);
3735                 if (gcnum >= 0)
3736                         mod_data.release = 0x0300 + gcnum;
3737                 else {
3738                         WARN(fsg, "controller '%s' not recognized\n",
3739                                 fsg->gadget->name);
3740                         mod_data.release = 0x0399;
3741                 }
3742         }
3743
3744         prot = simple_strtol(mod_data.protocol_parm, NULL, 0);
3745
3746 #ifdef CONFIG_USB_FILE_STORAGE_TEST
3747         if (strnicmp(mod_data.transport_parm, "BBB", 10) == 0) {
3748                 ;               // Use default setting
3749         } else if (strnicmp(mod_data.transport_parm, "CB", 10) == 0) {
3750                 mod_data.transport_type = USB_PR_CB;
3751                 mod_data.transport_name = "Control-Bulk";
3752         } else if (strnicmp(mod_data.transport_parm, "CBI", 10) == 0) {
3753                 mod_data.transport_type = USB_PR_CBI;
3754                 mod_data.transport_name = "Control-Bulk-Interrupt";
3755         } else {
3756                 ERROR(fsg, "invalid transport: %s\n", mod_data.transport_parm);
3757                 return -EINVAL;
3758         }
3759
3760         if (strnicmp(mod_data.protocol_parm, "SCSI", 10) == 0 ||
3761                         prot == USB_SC_SCSI) {
3762                 ;               // Use default setting
3763         } else if (strnicmp(mod_data.protocol_parm, "RBC", 10) == 0 ||
3764                         prot == USB_SC_RBC) {
3765                 mod_data.protocol_type = USB_SC_RBC;
3766                 mod_data.protocol_name = "RBC";
3767         } else if (strnicmp(mod_data.protocol_parm, "8020", 4) == 0 ||
3768                         strnicmp(mod_data.protocol_parm, "ATAPI", 10) == 0 ||
3769                         prot == USB_SC_8020) {
3770                 mod_data.protocol_type = USB_SC_8020;
3771                 mod_data.protocol_name = "8020i (ATAPI)";
3772         } else if (strnicmp(mod_data.protocol_parm, "QIC", 3) == 0 ||
3773                         prot == USB_SC_QIC) {
3774                 mod_data.protocol_type = USB_SC_QIC;
3775                 mod_data.protocol_name = "QIC-157";
3776         } else if (strnicmp(mod_data.protocol_parm, "UFI", 10) == 0 ||
3777                         prot == USB_SC_UFI) {
3778                 mod_data.protocol_type = USB_SC_UFI;
3779                 mod_data.protocol_name = "UFI";
3780         } else if (strnicmp(mod_data.protocol_parm, "8070", 4) == 0 ||
3781                         prot == USB_SC_8070) {
3782                 mod_data.protocol_type = USB_SC_8070;
3783                 mod_data.protocol_name = "8070i";
3784         } else {
3785                 ERROR(fsg, "invalid protocol: %s\n", mod_data.protocol_parm);
3786                 return -EINVAL;
3787         }
3788
3789         mod_data.buflen &= PAGE_CACHE_MASK;
3790         if (mod_data.buflen <= 0) {
3791                 ERROR(fsg, "invalid buflen\n");
3792                 return -ETOOSMALL;
3793         }
3794 #endif /* CONFIG_USB_FILE_STORAGE_TEST */
3795
3796         return 0;
3797 }
3798
3799
3800 static int __init fsg_bind(struct usb_gadget *gadget)
3801 {
3802         struct fsg_dev          *fsg = the_fsg;
3803         int                     rc;
3804         int                     i;
3805         struct lun              *curlun;
3806         struct usb_ep           *ep;
3807         struct usb_request      *req;
3808         char                    *pathbuf, *p;
3809
3810         fsg->gadget = gadget;
3811         set_gadget_data(gadget, fsg);
3812         fsg->ep0 = gadget->ep0;
3813         fsg->ep0->driver_data = fsg;
3814
3815         if ((rc = check_parameters(fsg)) != 0)
3816                 goto out;
3817
3818         if (mod_data.removable) {       // Enable the store_xxx attributes
3819                 dev_attr_ro.attr.mode = dev_attr_file.attr.mode = 0644;
3820                 dev_attr_ro.store = store_ro;
3821                 dev_attr_file.store = store_file;
3822         }
3823
3824         /* Find out how many LUNs there should be */
3825         i = mod_data.nluns;
3826         if (i == 0)
3827                 i = max(mod_data.num_filenames, 1u);
3828         if (i > MAX_LUNS) {
3829                 ERROR(fsg, "invalid number of LUNs: %d\n", i);
3830                 rc = -EINVAL;
3831                 goto out;
3832         }
3833
3834         /* Create the LUNs, open their backing files, and register the
3835          * LUN devices in sysfs. */
3836         fsg->luns = kzalloc(i * sizeof(struct lun), GFP_KERNEL);
3837         if (!fsg->luns) {
3838                 rc = -ENOMEM;
3839                 goto out;
3840         }
3841         fsg->nluns = i;
3842
3843         for (i = 0; i < fsg->nluns; ++i) {
3844                 curlun = &fsg->luns[i];
3845                 curlun->ro = mod_data.ro[i];
3846                 curlun->dev.release = lun_release;
3847                 curlun->dev.parent = &gadget->dev;
3848                 curlun->dev.driver = &fsg_driver.driver;
3849                 dev_set_drvdata(&curlun->dev, fsg);
3850                 snprintf(curlun->dev.bus_id, BUS_ID_SIZE,
3851                                 "%s-lun%d", gadget->dev.bus_id, i);
3852
3853                 if ((rc = device_register(&curlun->dev)) != 0) {
3854                         INFO(fsg, "failed to register LUN%d: %d\n", i, rc);
3855                         goto out;
3856                 }
3857                 if ((rc = device_create_file(&curlun->dev,
3858                                         &dev_attr_ro)) != 0 ||
3859                                 (rc = device_create_file(&curlun->dev,
3860                                         &dev_attr_file)) != 0) {
3861                         device_unregister(&curlun->dev);
3862                         goto out;
3863                 }
3864                 curlun->registered = 1;
3865                 kref_get(&fsg->ref);
3866
3867                 if (mod_data.file[i] && *mod_data.file[i]) {
3868                         if ((rc = open_backing_file(curlun,
3869                                         mod_data.file[i])) != 0)
3870                                 goto out;
3871                 } else if (!mod_data.removable) {
3872                         ERROR(fsg, "no file given for LUN%d\n", i);
3873                         rc = -EINVAL;
3874                         goto out;
3875                 }
3876         }
3877
3878         /* Find all the endpoints we will use */
3879         usb_ep_autoconfig_reset(gadget);
3880         ep = usb_ep_autoconfig(gadget, &fs_bulk_in_desc);
3881         if (!ep)
3882                 goto autoconf_fail;
3883         ep->driver_data = fsg;          // claim the endpoint
3884         fsg->bulk_in = ep;
3885
3886         ep = usb_ep_autoconfig(gadget, &fs_bulk_out_desc);
3887         if (!ep)
3888                 goto autoconf_fail;
3889         ep->driver_data = fsg;          // claim the endpoint
3890         fsg->bulk_out = ep;
3891
3892         if (transport_is_cbi()) {
3893                 ep = usb_ep_autoconfig(gadget, &fs_intr_in_desc);
3894                 if (!ep)
3895                         goto autoconf_fail;
3896                 ep->driver_data = fsg;          // claim the endpoint
3897                 fsg->intr_in = ep;
3898         }
3899
3900         /* Fix up the descriptors */
3901         device_desc.bMaxPacketSize0 = fsg->ep0->maxpacket;
3902         device_desc.idVendor = cpu_to_le16(mod_data.vendor);
3903         device_desc.idProduct = cpu_to_le16(mod_data.product);
3904         device_desc.bcdDevice = cpu_to_le16(mod_data.release);
3905
3906         i = (transport_is_cbi() ? 3 : 2);       // Number of endpoints
3907         intf_desc.bNumEndpoints = i;
3908         intf_desc.bInterfaceSubClass = mod_data.protocol_type;
3909         intf_desc.bInterfaceProtocol = mod_data.transport_type;
3910         fs_function[i + FS_FUNCTION_PRE_EP_ENTRIES] = NULL;
3911
3912         if (gadget_is_dualspeed(gadget)) {
3913                 hs_function[i + HS_FUNCTION_PRE_EP_ENTRIES] = NULL;
3914
3915                 /* Assume ep0 uses the same maxpacket value for both speeds */
3916                 dev_qualifier.bMaxPacketSize0 = fsg->ep0->maxpacket;
3917
3918                 /* Assume endpoint addresses are the same for both speeds */
3919                 hs_bulk_in_desc.bEndpointAddress =
3920                                 fs_bulk_in_desc.bEndpointAddress;
3921                 hs_bulk_out_desc.bEndpointAddress =
3922                                 fs_bulk_out_desc.bEndpointAddress;
3923                 hs_intr_in_desc.bEndpointAddress =
3924                                 fs_intr_in_desc.bEndpointAddress;
3925         }
3926
3927         if (gadget_is_otg(gadget))
3928                 otg_desc.bmAttributes |= USB_OTG_HNP;
3929
3930         rc = -ENOMEM;
3931
3932         /* Allocate the request and buffer for endpoint 0 */
3933         fsg->ep0req = req = usb_ep_alloc_request(fsg->ep0, GFP_KERNEL);
3934         if (!req)
3935                 goto out;
3936         req->buf = kmalloc(EP0_BUFSIZE, GFP_KERNEL);
3937         if (!req->buf)
3938                 goto out;
3939         req->complete = ep0_complete;
3940
3941         /* Allocate the data buffers */
3942         for (i = 0; i < NUM_BUFFERS; ++i) {
3943                 struct fsg_buffhd       *bh = &fsg->buffhds[i];
3944
3945                 /* Allocate for the bulk-in endpoint.  We assume that
3946                  * the buffer will also work with the bulk-out (and
3947                  * interrupt-in) endpoint. */
3948                 bh->buf = kmalloc(mod_data.buflen, GFP_KERNEL);
3949                 if (!bh->buf)
3950                         goto out;
3951                 bh->next = bh + 1;
3952         }
3953         fsg->buffhds[NUM_BUFFERS - 1].next = &fsg->buffhds[0];
3954
3955         /* This should reflect the actual gadget power source */
3956         usb_gadget_set_selfpowered(gadget);
3957
3958         snprintf(manufacturer, sizeof manufacturer, "%s %s with %s",
3959                         init_utsname()->sysname, init_utsname()->release,
3960                         gadget->name);
3961
3962         /* On a real device, serial[] would be loaded from permanent
3963          * storage.  We just encode it from the driver version string. */
3964         for (i = 0; i < sizeof(serial) - 2; i += 2) {
3965                 unsigned char           c = DRIVER_VERSION[i / 2];
3966
3967                 if (!c)
3968                         break;
3969                 sprintf(&serial[i], "%02X", c);
3970         }
3971
3972         fsg->thread_task = kthread_create(fsg_main_thread, fsg,
3973                         "file-storage-gadget");
3974         if (IS_ERR(fsg->thread_task)) {
3975                 rc = PTR_ERR(fsg->thread_task);
3976                 goto out;
3977         }
3978
3979         INFO(fsg, DRIVER_DESC ", version: " DRIVER_VERSION "\n");
3980         INFO(fsg, "Number of LUNs=%d\n", fsg->nluns);
3981
3982         pathbuf = kmalloc(PATH_MAX, GFP_KERNEL);
3983         for (i = 0; i < fsg->nluns; ++i) {
3984                 curlun = &fsg->luns[i];
3985                 if (backing_file_is_open(curlun)) {
3986                         p = NULL;
3987                         if (pathbuf) {
3988                                 p = d_path(curlun->filp->f_path.dentry,
3989                                         curlun->filp->f_path.mnt,
3990                                         pathbuf, PATH_MAX);
3991                                 if (IS_ERR(p))
3992                                         p = NULL;
3993                         }
3994                         LINFO(curlun, "ro=%d, file: %s\n",
3995                                         curlun->ro, (p ? p : "(error)"));
3996                 }
3997         }
3998         kfree(pathbuf);
3999
4000         DBG(fsg, "transport=%s (x%02x)\n",
4001                         mod_data.transport_name, mod_data.transport_type);
4002         DBG(fsg, "protocol=%s (x%02x)\n",
4003                         mod_data.protocol_name, mod_data.protocol_type);
4004         DBG(fsg, "VendorID=x%04x, ProductID=x%04x, Release=x%04x\n",
4005                         mod_data.vendor, mod_data.product, mod_data.release);
4006         DBG(fsg, "removable=%d, stall=%d, buflen=%u\n",
4007                         mod_data.removable, mod_data.can_stall,
4008                         mod_data.buflen);
4009         DBG(fsg, "I/O thread pid: %d\n", task_pid_nr(fsg->thread_task));
4010
4011         set_bit(REGISTERED, &fsg->atomic_bitflags);
4012
4013         /* Tell the thread to start working */
4014         wake_up_process(fsg->thread_task);
4015         return 0;
4016
4017 autoconf_fail:
4018         ERROR(fsg, "unable to autoconfigure all endpoints\n");
4019         rc = -ENOTSUPP;
4020
4021 out:
4022         fsg->state = FSG_STATE_TERMINATED;      // The thread is dead
4023         fsg_unbind(gadget);
4024         close_all_backing_files(fsg);
4025         return rc;
4026 }
4027
4028
4029 /*-------------------------------------------------------------------------*/
4030
4031 static void fsg_suspend(struct usb_gadget *gadget)
4032 {
4033         struct fsg_dev          *fsg = get_gadget_data(gadget);
4034
4035         DBG(fsg, "suspend\n");
4036         set_bit(SUSPENDED, &fsg->atomic_bitflags);
4037 }
4038
4039 static void fsg_resume(struct usb_gadget *gadget)
4040 {
4041         struct fsg_dev          *fsg = get_gadget_data(gadget);
4042
4043         DBG(fsg, "resume\n");
4044         clear_bit(SUSPENDED, &fsg->atomic_bitflags);
4045 }
4046
4047
4048 /*-------------------------------------------------------------------------*/
4049
4050 static struct usb_gadget_driver         fsg_driver = {
4051 #ifdef CONFIG_USB_GADGET_DUALSPEED
4052         .speed          = USB_SPEED_HIGH,
4053 #else
4054         .speed          = USB_SPEED_FULL,
4055 #endif
4056         .function       = (char *) longname,
4057         .bind           = fsg_bind,
4058         .unbind         = fsg_unbind,
4059         .disconnect     = fsg_disconnect,
4060         .setup          = fsg_setup,
4061         .suspend        = fsg_suspend,
4062         .resume         = fsg_resume,
4063
4064         .driver         = {
4065                 .name           = (char *) shortname,
4066                 .owner          = THIS_MODULE,
4067                 // .release = ...
4068                 // .suspend = ...
4069                 // .resume = ...
4070         },
4071 };
4072
4073
4074 static int __init fsg_alloc(void)
4075 {
4076         struct fsg_dev          *fsg;
4077
4078         fsg = kzalloc(sizeof *fsg, GFP_KERNEL);
4079         if (!fsg)
4080                 return -ENOMEM;
4081         spin_lock_init(&fsg->lock);
4082         init_rwsem(&fsg->filesem);
4083         kref_init(&fsg->ref);
4084         init_completion(&fsg->thread_notifier);
4085
4086         the_fsg = fsg;
4087         return 0;
4088 }
4089
4090
4091 static int __init fsg_init(void)
4092 {
4093         int             rc;
4094         struct fsg_dev  *fsg;
4095
4096         if ((rc = fsg_alloc()) != 0)
4097                 return rc;
4098         fsg = the_fsg;
4099         if ((rc = usb_gadget_register_driver(&fsg_driver)) != 0)
4100                 kref_put(&fsg->ref, fsg_release);
4101         return rc;
4102 }
4103 module_init(fsg_init);
4104
4105
4106 static void __exit fsg_cleanup(void)
4107 {
4108         struct fsg_dev  *fsg = the_fsg;
4109
4110         /* Unregister the driver iff the thread hasn't already done so */
4111         if (test_and_clear_bit(REGISTERED, &fsg->atomic_bitflags))
4112                 usb_gadget_unregister_driver(&fsg_driver);
4113
4114         /* Wait for the thread to finish up */
4115         wait_for_completion(&fsg->thread_notifier);
4116
4117         close_all_backing_files(fsg);
4118         kref_put(&fsg->ref, fsg_release);
4119 }
4120 module_exit(fsg_cleanup);