1/* 2 * file_storage.c -- File-backed USB Storage Gadget, for USB development 3 * 4 * Copyright (C) 2003-2008 Alan Stern 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions, and the following disclaimer, 12 * without modification. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. The names of the above-listed copyright holders may not be used 17 * to endorse or promote products derived from this software without 18 * specific prior written permission. 19 * 20 * ALTERNATIVELY, this software may be distributed under the terms of the 21 * GNU General Public License ("GPL") as published by the Free Software 22 * Foundation, either version 2 of that License or (at your option) any 23 * later version. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS 26 * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 27 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 28 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 29 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 30 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 31 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 32 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 33 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 34 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 35 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 36 */ 37 38 39/* 40 * The File-backed Storage Gadget acts as a USB Mass Storage device, 41 * appearing to the host as a disk drive or as a CD-ROM drive. In addition 42 * to providing an example of a genuinely useful gadget driver for a USB 43 * device, it also illustrates a technique of double-buffering for increased 44 * throughput. Last but not least, it gives an easy way to probe the 45 * behavior of the Mass Storage drivers in a USB host. 46 * 47 * Backing storage is provided by a regular file or a block device, specified 48 * by the "file" module parameter. Access can be limited to read-only by 49 * setting the optional "ro" module parameter. (For CD-ROM emulation, 50 * access is always read-only.) The gadget will indicate that it has 51 * removable media if the optional "removable" module parameter is set. 52 * 53 * The gadget supports the Control-Bulk (CB), Control-Bulk-Interrupt (CBI), 54 * and Bulk-Only (also known as Bulk-Bulk-Bulk or BBB) transports, selected 55 * by the optional "transport" module parameter. It also supports the 56 * following protocols: RBC (0x01), ATAPI or SFF-8020i (0x02), QIC-157 (0c03), 57 * UFI (0x04), SFF-8070i (0x05), and transparent SCSI (0x06), selected by 58 * the optional "protocol" module parameter. In addition, the default 59 * Vendor ID, Product ID, release number and serial number can be overridden. 60 * 61 * There is support for multiple logical units (LUNs), each of which has 62 * its own backing file. The number of LUNs can be set using the optional 63 * "luns" module parameter (anywhere from 1 to 8), and the corresponding 64 * files are specified using comma-separated lists for "file" and "ro". 65 * The default number of LUNs is taken from the number of "file" elements; 66 * it is 1 if "file" is not given. If "removable" is not set then a backing 67 * file must be specified for each LUN. If it is set, then an unspecified 68 * or empty backing filename means the LUN's medium is not loaded. Ideally 69 * each LUN would be settable independently as a disk drive or a CD-ROM 70 * drive, but currently all LUNs have to be the same type. The CD-ROM 71 * emulation includes a single data track and no audio tracks; hence there 72 * need be only one backing file per LUN. 73 * 74 * Requirements are modest; only a bulk-in and a bulk-out endpoint are 75 * needed (an interrupt-out endpoint is also needed for CBI). The memory 76 * requirement amounts to two 16K buffers, size configurable by a parameter. 77 * Support is included for both full-speed and high-speed operation. 78 * 79 * Note that the driver is slightly non-portable in that it assumes a 80 * single memory/DMA buffer will be useable for bulk-in, bulk-out, and 81 * interrupt-in endpoints. With most device controllers this isn't an 82 * issue, but there may be some with hardware restrictions that prevent 83 * a buffer from being used by more than one endpoint. 84 * 85 * Module options: 86 * 87 * file=filename[,filename...] 88 * Required if "removable" is not set, names of 89 * the files or block devices used for 90 * backing storage 91 * serial=HHHH... Required serial number (string of hex chars) 92 * ro=b[,b...] Default false, booleans for read-only access 93 * removable Default false, boolean for removable media 94 * luns=N Default N = number of filenames, number of 95 * LUNs to support 96 * nofua=b[,b...] Default false, booleans for ignore FUA flag 97 * in SCSI WRITE(10,12) commands 98 * stall Default determined according to the type of 99 * USB device controller (usually true), 100 * boolean to permit the driver to halt 101 * bulk endpoints 102 * cdrom Default false, boolean for whether to emulate 103 * a CD-ROM drive 104 * transport=XXX Default BBB, transport name (CB, CBI, or BBB) 105 * protocol=YYY Default SCSI, protocol name (RBC, 8020 or 106 * ATAPI, QIC, UFI, 8070, or SCSI; 107 * also 1 - 6) 108 * vendor=0xVVVV Default 0x0525 (NetChip), USB Vendor ID 109 * product=0xPPPP Default 0xa4a5 (FSG), USB Product ID 110 * release=0xRRRR Override the USB release number (bcdDevice) 111 * buflen=N Default N=16384, buffer size used (will be 112 * rounded down to a multiple of 113 * PAGE_CACHE_SIZE) 114 * 115 * If CONFIG_USB_FILE_STORAGE_TEST is not set, only the "file", "serial", "ro", 116 * "removable", "luns", "nofua", "stall", and "cdrom" options are available; 117 * default values are used for everything else. 118 * 119 * The pathnames of the backing files and the ro settings are available in 120 * the attribute files "file", "nofua", and "ro" in the lun<n> subdirectory of 121 * the gadget's sysfs directory. If the "removable" option is set, writing to 122 * these files will simulate ejecting/loading the medium (writing an empty 123 * line means eject) and adjusting a write-enable tab. Changes to the ro 124 * setting are not allowed when the medium is loaded or if CD-ROM emulation 125 * is being used. 126 * 127 * This gadget driver is heavily based on "Gadget Zero" by David Brownell. 128 * The driver's SCSI command interface was based on the "Information 129 * technology - Small Computer System Interface - 2" document from 130 * X3T9.2 Project 375D, Revision 10L, 7-SEP-93, available at 131 * <http://www.t10.org/ftp/t10/drafts/s2/s2-r10l.pdf>. The single exception 132 * is opcode 0x23 (READ FORMAT CAPACITIES), which was based on the 133 * "Universal Serial Bus Mass Storage Class UFI Command Specification" 134 * document, Revision 1.0, December 14, 1998, available at 135 * <http://www.usb.org/developers/devclass_docs/usbmass-ufi10.pdf>. 136 */ 137 138 139/* 140 * Driver Design 141 * 142 * The FSG driver is fairly straightforward. There is a main kernel 143 * thread that handles most of the work. Interrupt routines field 144 * callbacks from the controller driver: bulk- and interrupt-request 145 * completion notifications, endpoint-0 events, and disconnect events. 146 * Completion events are passed to the main thread by wakeup calls. Many 147 * ep0 requests are handled at interrupt time, but SetInterface, 148 * SetConfiguration, and device reset requests are forwarded to the 149 * thread in the form of "exceptions" using SIGUSR1 signals (since they 150 * should interrupt any ongoing file I/O operations). 151 * 152 * The thread's main routine implements the standard command/data/status 153 * parts of a SCSI interaction. It and its subroutines are full of tests 154 * for pending signals/exceptions -- all this polling is necessary since 155 * the kernel has no setjmp/longjmp equivalents. (Maybe this is an 156 * indication that the driver really wants to be running in userspace.) 157 * An important point is that so long as the thread is alive it keeps an 158 * open reference to the backing file. This will prevent unmounting 159 * the backing file's underlying filesystem and could cause problems 160 * during system shutdown, for example. To prevent such problems, the 161 * thread catches INT, TERM, and KILL signals and converts them into 162 * an EXIT exception. 163 * 164 * In normal operation the main thread is started during the gadget's 165 * fsg_bind() callback and stopped during fsg_unbind(). But it can also 166 * exit when it receives a signal, and there's no point leaving the 167 * gadget running when the thread is dead. So just before the thread 168 * exits, it deregisters the gadget driver. This makes things a little 169 * tricky: The driver is deregistered at two places, and the exiting 170 * thread can indirectly call fsg_unbind() which in turn can tell the 171 * thread to exit. The first problem is resolved through the use of the 172 * REGISTERED atomic bitflag; the driver will only be deregistered once. 173 * The second problem is resolved by having fsg_unbind() check 174 * fsg->state; it won't try to stop the thread if the state is already 175 * FSG_STATE_TERMINATED. 176 * 177 * To provide maximum throughput, the driver uses a circular pipeline of 178 * buffer heads (struct fsg_buffhd). In principle the pipeline can be 179 * arbitrarily long; in practice the benefits don't justify having more 180 * than 2 stages (i.e., double buffering). But it helps to think of the 181 * pipeline as being a long one. Each buffer head contains a bulk-in and 182 * a bulk-out request pointer (since the buffer can be used for both 183 * output and input -- directions always are given from the host's 184 * point of view) as well as a pointer to the buffer and various state 185 * variables. 186 * 187 * Use of the pipeline follows a simple protocol. There is a variable 188 * (fsg->next_buffhd_to_fill) that points to the next buffer head to use. 189 * At any time that buffer head may still be in use from an earlier 190 * request, so each buffer head has a state variable indicating whether 191 * it is EMPTY, FULL, or BUSY. Typical use involves waiting for the 192 * buffer head to be EMPTY, filling the buffer either by file I/O or by 193 * USB I/O (during which the buffer head is BUSY), and marking the buffer 194 * head FULL when the I/O is complete. Then the buffer will be emptied 195 * (again possibly by USB I/O, during which it is marked BUSY) and 196 * finally marked EMPTY again (possibly by a completion routine). 197 * 198 * A module parameter tells the driver to avoid stalling the bulk 199 * endpoints wherever the transport specification allows. This is 200 * necessary for some UDCs like the SuperH, which cannot reliably clear a 201 * halt on a bulk endpoint. However, under certain circumstances the 202 * Bulk-only specification requires a stall. In such cases the driver 203 * will halt the endpoint and set a flag indicating that it should clear 204 * the halt in software during the next device reset. Hopefully this 205 * will permit everything to work correctly. Furthermore, although the 206 * specification allows the bulk-out endpoint to halt when the host sends 207 * too much data, implementing this would cause an unavoidable race. 208 * The driver will always use the "no-stall" approach for OUT transfers. 209 * 210 * One subtle point concerns sending status-stage responses for ep0 211 * requests. Some of these requests, such as device reset, can involve 212 * interrupting an ongoing file I/O operation, which might take an 213 * arbitrarily long time. During that delay the host might give up on 214 * the original ep0 request and issue a new one. When that happens the 215 * driver should not notify the host about completion of the original 216 * request, as the host will no longer be waiting for it. So the driver 217 * assigns to each ep0 request a unique tag, and it keeps track of the 218 * tag value of the request associated with a long-running exception 219 * (device-reset, interface-change, or configuration-change). When the 220 * exception handler is finished, the status-stage response is submitted 221 * only if the current ep0 request tag is equal to the exception request 222 * tag. Thus only the most recently received ep0 request will get a 223 * status-stage response. 224 * 225 * Warning: This driver source file is too long. It ought to be split up 226 * into a header file plus about 3 separate .c files, to handle the details 227 * of the Gadget, USB Mass Storage, and SCSI protocols. 228 */ 229 230 231/* #define VERBOSE_DEBUG */ 232/* #define DUMP_MSGS */ 233 234 235#include <linux/blkdev.h> 236#include <linux/completion.h> 237#include <linux/dcache.h> 238#include <linux/delay.h> 239#include <linux/device.h> 240#include <linux/fcntl.h> 241#include <linux/file.h> 242#include <linux/fs.h> 243#include <linux/kref.h> 244#include <linux/kthread.h> 245#include <linux/limits.h> 246#include <linux/module.h> 247#include <linux/rwsem.h> 248#include <linux/slab.h> 249#include <linux/spinlock.h> 250#include <linux/string.h> 251#include <linux/freezer.h> 252#include <linux/utsname.h> 253 254#include <linux/usb/ch9.h> 255#include <linux/usb/gadget.h> 256 257#include "gadget_chips.h" 258 259 260 261/* 262 * Kbuild is not very cooperative with respect to linking separately 263 * compiled library objects into one module. So for now we won't use 264 * separate compilation ... ensuring init/exit sections work to shrink 265 * the runtime footprint, and giving us at least some parts of what 266 * a "gcc --combine ... part1.c part2.c part3.c ... " build would. 267 */ 268#include "usbstring.c" 269#include "config.c" 270#include "epautoconf.c" 271 272/*-------------------------------------------------------------------------*/ 273 274#define DRIVER_DESC "File-backed Storage Gadget" 275#define DRIVER_NAME "g_file_storage" 276#define DRIVER_VERSION "1 September 2010" 277 278static char fsg_string_manufacturer[64]; 279static const char fsg_string_product[] = DRIVER_DESC; 280static const char fsg_string_config[] = "Self-powered"; 281static const char fsg_string_interface[] = "Mass Storage"; 282 283 284#include "storage_common.c" 285 286 287MODULE_DESCRIPTION(DRIVER_DESC); 288MODULE_AUTHOR("Alan Stern"); 289MODULE_LICENSE("Dual BSD/GPL"); 290 291/* 292 * This driver assumes self-powered hardware and has no way for users to 293 * trigger remote wakeup. It uses autoconfiguration to select endpoints 294 * and endpoint addresses. 295 */ 296 297 298/*-------------------------------------------------------------------------*/ 299 300 301/* Encapsulate the module parameter settings */ 302 303static struct { 304 char *file[FSG_MAX_LUNS]; 305 char *serial; 306 bool ro[FSG_MAX_LUNS]; 307 bool nofua[FSG_MAX_LUNS]; 308 unsigned int num_filenames; 309 unsigned int num_ros; 310 unsigned int num_nofuas; 311 unsigned int nluns; 312 313 bool removable; 314 bool can_stall; 315 bool cdrom; 316 317 char *transport_parm; 318 char *protocol_parm; 319 unsigned short vendor; 320 unsigned short product; 321 unsigned short release; 322 unsigned int buflen; 323 324 int transport_type; 325 char *transport_name; 326 int protocol_type; 327 char *protocol_name; 328 329} mod_data = { // Default values 330 .transport_parm = "BBB", 331 .protocol_parm = "SCSI", 332 .removable = 0, 333 .can_stall = 1, 334 .cdrom = 0, 335 .vendor = FSG_VENDOR_ID, 336 .product = FSG_PRODUCT_ID, 337 .release = 0xffff, // Use controller chip type 338 .buflen = 16384, 339 }; 340 341 342module_param_array_named(file, mod_data.file, charp, &mod_data.num_filenames, 343 S_IRUGO); 344MODULE_PARM_DESC(file, "names of backing files or devices"); 345 346module_param_named(serial, mod_data.serial, charp, S_IRUGO); 347MODULE_PARM_DESC(serial, "USB serial number"); 348 349module_param_array_named(ro, mod_data.ro, bool, &mod_data.num_ros, S_IRUGO); 350MODULE_PARM_DESC(ro, "true to force read-only"); 351 352module_param_array_named(nofua, mod_data.nofua, bool, &mod_data.num_nofuas, 353 S_IRUGO); 354MODULE_PARM_DESC(nofua, "true to ignore SCSI WRITE(10,12) FUA bit"); 355 356module_param_named(luns, mod_data.nluns, uint, S_IRUGO); 357MODULE_PARM_DESC(luns, "number of LUNs"); 358 359module_param_named(removable, mod_data.removable, bool, S_IRUGO); 360MODULE_PARM_DESC(removable, "true to simulate removable media"); 361 362module_param_named(stall, mod_data.can_stall, bool, S_IRUGO); 363MODULE_PARM_DESC(stall, "false to prevent bulk stalls"); 364 365module_param_named(cdrom, mod_data.cdrom, bool, S_IRUGO); 366MODULE_PARM_DESC(cdrom, "true to emulate cdrom instead of disk"); 367 368/* In the non-TEST version, only the module parameters listed above 369 * are available. */ 370#ifdef CONFIG_USB_FILE_STORAGE_TEST 371 372module_param_named(transport, mod_data.transport_parm, charp, S_IRUGO); 373MODULE_PARM_DESC(transport, "type of transport (BBB, CBI, or CB)"); 374 375module_param_named(protocol, mod_data.protocol_parm, charp, S_IRUGO); 376MODULE_PARM_DESC(protocol, "type of protocol (RBC, 8020, QIC, UFI, " 377 "8070, or SCSI)"); 378 379module_param_named(vendor, mod_data.vendor, ushort, S_IRUGO); 380MODULE_PARM_DESC(vendor, "USB Vendor ID"); 381 382module_param_named(product, mod_data.product, ushort, S_IRUGO); 383MODULE_PARM_DESC(product, "USB Product ID"); 384 385module_param_named(release, mod_data.release, ushort, S_IRUGO); 386MODULE_PARM_DESC(release, "USB release number"); 387 388module_param_named(buflen, mod_data.buflen, uint, S_IRUGO); 389MODULE_PARM_DESC(buflen, "I/O buffer size"); 390 391#endif /* CONFIG_USB_FILE_STORAGE_TEST */ 392 393 394/* 395 * These definitions will permit the compiler to avoid generating code for 396 * parts of the driver that aren't used in the non-TEST version. Even gcc 397 * can recognize when a test of a constant expression yields a dead code 398 * path. 399 */ 400 401#ifdef CONFIG_USB_FILE_STORAGE_TEST 402 403#define transport_is_bbb() (mod_data.transport_type == USB_PR_BULK) 404#define transport_is_cbi() (mod_data.transport_type == USB_PR_CBI) 405#define protocol_is_scsi() (mod_data.protocol_type == USB_SC_SCSI) 406 407#else 408 409#define transport_is_bbb() 1 410#define transport_is_cbi() 0 411#define protocol_is_scsi() 1 412 413#endif /* CONFIG_USB_FILE_STORAGE_TEST */ 414 415 416/*-------------------------------------------------------------------------*/ 417 418 419struct fsg_dev { 420 /* lock protects: state, all the req_busy's, and cbbuf_cmnd */ 421 spinlock_t lock; 422 struct usb_gadget *gadget; 423 424 /* filesem protects: backing files in use */ 425 struct rw_semaphore filesem; 426 427 /* reference counting: wait until all LUNs are released */ 428 struct kref ref; 429 430 struct usb_ep *ep0; // Handy copy of gadget->ep0 431 struct usb_request *ep0req; // For control responses 432 unsigned int ep0_req_tag; 433 const char *ep0req_name; 434 435 struct usb_request *intreq; // For interrupt responses 436 int intreq_busy; 437 struct fsg_buffhd *intr_buffhd; 438 439 unsigned int bulk_out_maxpacket; 440 enum fsg_state state; // For exception handling 441 unsigned int exception_req_tag; 442 443 u8 config, new_config; 444 445 unsigned int running : 1; 446 unsigned int bulk_in_enabled : 1; 447 unsigned int bulk_out_enabled : 1; 448 unsigned int intr_in_enabled : 1; 449 unsigned int phase_error : 1; 450 unsigned int short_packet_received : 1; 451 unsigned int bad_lun_okay : 1; 452 453 unsigned long atomic_bitflags; 454#define REGISTERED 0 455#define IGNORE_BULK_OUT 1 456#define SUSPENDED 2 457 458 struct usb_ep *bulk_in; 459 struct usb_ep *bulk_out; 460 struct usb_ep *intr_in; 461 462 struct fsg_buffhd *next_buffhd_to_fill; 463 struct fsg_buffhd *next_buffhd_to_drain; 464 465 int thread_wakeup_needed; 466 struct completion thread_notifier; 467 struct task_struct *thread_task; 468 469 int cmnd_size; 470 u8 cmnd[MAX_COMMAND_SIZE]; 471 enum data_direction data_dir; 472 u32 data_size; 473 u32 data_size_from_cmnd; 474 u32 tag; 475 unsigned int lun; 476 u32 residue; 477 u32 usb_amount_left; 478 479 /* The CB protocol offers no way for a host to know when a command 480 * has completed. As a result the next command may arrive early, 481 * and we will still have to handle it. For that reason we need 482 * a buffer to store new commands when using CB (or CBI, which 483 * does not oblige a host to wait for command completion either). */ 484 int cbbuf_cmnd_size; 485 u8 cbbuf_cmnd[MAX_COMMAND_SIZE]; 486 487 unsigned int nluns; 488 struct fsg_lun *luns; 489 struct fsg_lun *curlun; 490 /* Must be the last entry */ 491 struct fsg_buffhd buffhds[]; 492}; 493 494typedef void (*fsg_routine_t)(struct fsg_dev *); 495 496static int exception_in_progress(struct fsg_dev *fsg) 497{ 498 return (fsg->state > FSG_STATE_IDLE); 499} 500 501/* Make bulk-out requests be divisible by the maxpacket size */ 502static void set_bulk_out_req_length(struct fsg_dev *fsg, 503 struct fsg_buffhd *bh, unsigned int length) 504{ 505 unsigned int rem; 506 507 bh->bulk_out_intended_length = length; 508 rem = length % fsg->bulk_out_maxpacket; 509 if (rem > 0) 510 length += fsg->bulk_out_maxpacket - rem; 511 bh->outreq->length = length; 512} 513 514static struct fsg_dev *the_fsg; 515static struct usb_gadget_driver fsg_driver; 516 517 518/*-------------------------------------------------------------------------*/ 519 520static int fsg_set_halt(struct fsg_dev *fsg, struct usb_ep *ep) 521{ 522 const char *name; 523 524 if (ep == fsg->bulk_in) 525 name = "bulk-in"; 526 else if (ep == fsg->bulk_out) 527 name = "bulk-out"; 528 else 529 name = ep->name; 530 DBG(fsg, "%s set halt\n", name); 531 return usb_ep_set_halt(ep); 532} 533 534 535/*-------------------------------------------------------------------------*/ 536 537/* 538 * DESCRIPTORS ... most are static, but strings and (full) configuration 539 * descriptors are built on demand. Also the (static) config and interface 540 * descriptors are adjusted during fsg_bind(). 541 */ 542 543/* There is only one configuration. */ 544#define CONFIG_VALUE 1 545 546static struct usb_device_descriptor 547device_desc = { 548 .bLength = sizeof device_desc, 549 .bDescriptorType = USB_DT_DEVICE, 550 551 .bcdUSB = cpu_to_le16(0x0200), 552 .bDeviceClass = USB_CLASS_PER_INTERFACE, 553 554 /* The next three values can be overridden by module parameters */ 555 .idVendor = cpu_to_le16(FSG_VENDOR_ID), 556 .idProduct = cpu_to_le16(FSG_PRODUCT_ID), 557 .bcdDevice = cpu_to_le16(0xffff), 558 559 .iManufacturer = FSG_STRING_MANUFACTURER, 560 .iProduct = FSG_STRING_PRODUCT, 561 .iSerialNumber = FSG_STRING_SERIAL, 562 .bNumConfigurations = 1, 563}; 564 565static struct usb_config_descriptor 566config_desc = { 567 .bLength = sizeof config_desc, 568 .bDescriptorType = USB_DT_CONFIG, 569 570 /* wTotalLength computed by usb_gadget_config_buf() */ 571 .bNumInterfaces = 1, 572 .bConfigurationValue = CONFIG_VALUE, 573 .iConfiguration = FSG_STRING_CONFIG, 574 .bmAttributes = USB_CONFIG_ATT_ONE | USB_CONFIG_ATT_SELFPOWER, 575 .bMaxPower = CONFIG_USB_GADGET_VBUS_DRAW / 2, 576}; 577 578 579static struct usb_qualifier_descriptor 580dev_qualifier = { 581 .bLength = sizeof dev_qualifier, 582 .bDescriptorType = USB_DT_DEVICE_QUALIFIER, 583 584 .bcdUSB = cpu_to_le16(0x0200), 585 .bDeviceClass = USB_CLASS_PER_INTERFACE, 586 587 .bNumConfigurations = 1, 588}; 589 590static int populate_bos(struct fsg_dev *fsg, u8 *buf) 591{ 592 memcpy(buf, &fsg_bos_desc, USB_DT_BOS_SIZE); 593 buf += USB_DT_BOS_SIZE; 594 595 memcpy(buf, &fsg_ext_cap_desc, USB_DT_USB_EXT_CAP_SIZE); 596 buf += USB_DT_USB_EXT_CAP_SIZE; 597 598 memcpy(buf, &fsg_ss_cap_desc, USB_DT_USB_SS_CAP_SIZE); 599 600 return USB_DT_BOS_SIZE + USB_DT_USB_SS_CAP_SIZE 601 + USB_DT_USB_EXT_CAP_SIZE; 602} 603 604/* 605 * Config descriptors must agree with the code that sets configurations 606 * and with code managing interfaces and their altsettings. They must 607 * also handle different speeds and other-speed requests. 608 */ 609static int populate_config_buf(struct usb_gadget *gadget, 610 u8 *buf, u8 type, unsigned index) 611{ 612 enum usb_device_speed speed = gadget->speed; 613 int len; 614 const struct usb_descriptor_header **function; 615 616 if (index > 0) 617 return -EINVAL; 618 619 if (gadget_is_dualspeed(gadget) && type == USB_DT_OTHER_SPEED_CONFIG) 620 speed = (USB_SPEED_FULL + USB_SPEED_HIGH) - speed; 621 function = gadget_is_dualspeed(gadget) && speed == USB_SPEED_HIGH 622 ? (const struct usb_descriptor_header **)fsg_hs_function 623 : (const struct usb_descriptor_header **)fsg_fs_function; 624 625 /* for now, don't advertise srp-only devices */ 626 if (!gadget_is_otg(gadget)) 627 function++; 628 629 len = usb_gadget_config_buf(&config_desc, buf, EP0_BUFSIZE, function); 630 ((struct usb_config_descriptor *) buf)->bDescriptorType = type; 631 return len; 632} 633 634 635/*-------------------------------------------------------------------------*/ 636 637/* These routines may be called in process context or in_irq */ 638 639/* Caller must hold fsg->lock */ 640static void wakeup_thread(struct fsg_dev *fsg) 641{ 642 /* Tell the main thread that something has happened */ 643 fsg->thread_wakeup_needed = 1; 644 if (fsg->thread_task) 645 wake_up_process(fsg->thread_task); 646} 647 648 649static void raise_exception(struct fsg_dev *fsg, enum fsg_state new_state) 650{ 651 unsigned long flags; 652 653 /* Do nothing if a higher-priority exception is already in progress. 654 * If a lower-or-equal priority exception is in progress, preempt it 655 * and notify the main thread by sending it a signal. */ 656 spin_lock_irqsave(&fsg->lock, flags); 657 if (fsg->state <= new_state) { 658 fsg->exception_req_tag = fsg->ep0_req_tag; 659 fsg->state = new_state; 660 if (fsg->thread_task) 661 send_sig_info(SIGUSR1, SEND_SIG_FORCED, 662 fsg->thread_task); 663 } 664 spin_unlock_irqrestore(&fsg->lock, flags); 665} 666 667 668/*-------------------------------------------------------------------------*/ 669 670/* The disconnect callback and ep0 routines. These always run in_irq, 671 * except that ep0_queue() is called in the main thread to acknowledge 672 * completion of various requests: set config, set interface, and 673 * Bulk-only device reset. */ 674 675static void fsg_disconnect(struct usb_gadget *gadget) 676{ 677 struct fsg_dev *fsg = get_gadget_data(gadget); 678 679 DBG(fsg, "disconnect or port reset\n"); 680 raise_exception(fsg, FSG_STATE_DISCONNECT); 681} 682 683 684static int ep0_queue(struct fsg_dev *fsg) 685{ 686 int rc; 687 688 rc = usb_ep_queue(fsg->ep0, fsg->ep0req, GFP_ATOMIC); 689 if (rc != 0 && rc != -ESHUTDOWN) { 690 691 /* We can't do much more than wait for a reset */ 692 WARNING(fsg, "error in submission: %s --> %d\n", 693 fsg->ep0->name, rc); 694 } 695 return rc; 696} 697 698static void ep0_complete(struct usb_ep *ep, struct usb_request *req) 699{ 700 struct fsg_dev *fsg = ep->driver_data; 701 702 if (req->actual > 0) 703 dump_msg(fsg, fsg->ep0req_name, req->buf, req->actual); 704 if (req->status || req->actual != req->length) 705 DBG(fsg, "%s --> %d, %u/%u\n", __func__, 706 req->status, req->actual, req->length); 707 if (req->status == -ECONNRESET) // Request was cancelled 708 usb_ep_fifo_flush(ep); 709 710 if (req->status == 0 && req->context) 711 ((fsg_routine_t) (req->context))(fsg); 712} 713 714 715/*-------------------------------------------------------------------------*/ 716 717/* Bulk and interrupt endpoint completion handlers. 718 * These always run in_irq. */ 719 720static void bulk_in_complete(struct usb_ep *ep, struct usb_request *req) 721{ 722 struct fsg_dev *fsg = ep->driver_data; 723 struct fsg_buffhd *bh = req->context; 724 725 if (req->status || req->actual != req->length) 726 DBG(fsg, "%s --> %d, %u/%u\n", __func__, 727 req->status, req->actual, req->length); 728 if (req->status == -ECONNRESET) // Request was cancelled 729 usb_ep_fifo_flush(ep); 730 731 /* Hold the lock while we update the request and buffer states */ 732 smp_wmb(); 733 spin_lock(&fsg->lock); 734 bh->inreq_busy = 0; 735 bh->state = BUF_STATE_EMPTY; 736 wakeup_thread(fsg); 737 spin_unlock(&fsg->lock); 738} 739 740static void bulk_out_complete(struct usb_ep *ep, struct usb_request *req) 741{ 742 struct fsg_dev *fsg = ep->driver_data; 743 struct fsg_buffhd *bh = req->context; 744 745 dump_msg(fsg, "bulk-out", req->buf, req->actual); 746 if (req->status || req->actual != bh->bulk_out_intended_length) 747 DBG(fsg, "%s --> %d, %u/%u\n", __func__, 748 req->status, req->actual, 749 bh->bulk_out_intended_length); 750 if (req->status == -ECONNRESET) // Request was cancelled 751 usb_ep_fifo_flush(ep); 752 753 /* Hold the lock while we update the request and buffer states */ 754 smp_wmb(); 755 spin_lock(&fsg->lock); 756 bh->outreq_busy = 0; 757 bh->state = BUF_STATE_FULL; 758 wakeup_thread(fsg); 759 spin_unlock(&fsg->lock); 760} 761 762 763#ifdef CONFIG_USB_FILE_STORAGE_TEST 764static void intr_in_complete(struct usb_ep *ep, struct usb_request *req) 765{ 766 struct fsg_dev *fsg = ep->driver_data; 767 struct fsg_buffhd *bh = req->context; 768 769 if (req->status || req->actual != req->length) 770 DBG(fsg, "%s --> %d, %u/%u\n", __func__, 771 req->status, req->actual, req->length); 772 if (req->status == -ECONNRESET) // Request was cancelled 773 usb_ep_fifo_flush(ep); 774 775 /* Hold the lock while we update the request and buffer states */ 776 smp_wmb(); 777 spin_lock(&fsg->lock); 778 fsg->intreq_busy = 0; 779 bh->state = BUF_STATE_EMPTY; 780 wakeup_thread(fsg); 781 spin_unlock(&fsg->lock); 782} 783 784#else 785static void intr_in_complete(struct usb_ep *ep, struct usb_request *req) 786{} 787#endif /* CONFIG_USB_FILE_STORAGE_TEST */ 788 789 790/*-------------------------------------------------------------------------*/ 791 792/* Ep0 class-specific handlers. These always run in_irq. */ 793 794#ifdef CONFIG_USB_FILE_STORAGE_TEST 795static void received_cbi_adsc(struct fsg_dev *fsg, struct fsg_buffhd *bh) 796{ 797 struct usb_request *req = fsg->ep0req; 798 static u8 cbi_reset_cmnd[6] = { 799 SEND_DIAGNOSTIC, 4, 0xff, 0xff, 0xff, 0xff}; 800 801 /* Error in command transfer? */ 802 if (req->status || req->length != req->actual || 803 req->actual < 6 || req->actual > MAX_COMMAND_SIZE) { 804 805 /* Not all controllers allow a protocol stall after 806 * receiving control-out data, but we'll try anyway. */ 807 fsg_set_halt(fsg, fsg->ep0); 808 return; // Wait for reset 809 } 810 811 /* Is it the special reset command? */ 812 if (req->actual >= sizeof cbi_reset_cmnd && 813 memcmp(req->buf, cbi_reset_cmnd, 814 sizeof cbi_reset_cmnd) == 0) { 815 816 /* Raise an exception to stop the current operation 817 * and reinitialize our state. */ 818 DBG(fsg, "cbi reset request\n"); 819 raise_exception(fsg, FSG_STATE_RESET); 820 return; 821 } 822 823 VDBG(fsg, "CB[I] accept device-specific command\n"); 824 spin_lock(&fsg->lock); 825 826 /* Save the command for later */ 827 if (fsg->cbbuf_cmnd_size) 828 WARNING(fsg, "CB[I] overwriting previous command\n"); 829 fsg->cbbuf_cmnd_size = req->actual; 830 memcpy(fsg->cbbuf_cmnd, req->buf, fsg->cbbuf_cmnd_size); 831 832 wakeup_thread(fsg); 833 spin_unlock(&fsg->lock); 834} 835 836#else 837static void received_cbi_adsc(struct fsg_dev *fsg, struct fsg_buffhd *bh) 838{} 839#endif /* CONFIG_USB_FILE_STORAGE_TEST */ 840 841 842static int class_setup_req(struct fsg_dev *fsg, 843 const struct usb_ctrlrequest *ctrl) 844{ 845 struct usb_request *req = fsg->ep0req; 846 int value = -EOPNOTSUPP; 847 u16 w_index = le16_to_cpu(ctrl->wIndex); 848 u16 w_value = le16_to_cpu(ctrl->wValue); 849 u16 w_length = le16_to_cpu(ctrl->wLength); 850 851 if (!fsg->config) 852 return value; 853 854 /* Handle Bulk-only class-specific requests */ 855 if (transport_is_bbb()) { 856 switch (ctrl->bRequest) { 857 858 case US_BULK_RESET_REQUEST: 859 if (ctrl->bRequestType != (USB_DIR_OUT | 860 USB_TYPE_CLASS | USB_RECIP_INTERFACE)) 861 break; 862 if (w_index != 0 || w_value != 0 || w_length != 0) { 863 value = -EDOM; 864 break; 865 } 866 867 /* Raise an exception to stop the current operation 868 * and reinitialize our state. */ 869 DBG(fsg, "bulk reset request\n"); 870 raise_exception(fsg, FSG_STATE_RESET); 871 value = DELAYED_STATUS; 872 break; 873 874 case US_BULK_GET_MAX_LUN: 875 if (ctrl->bRequestType != (USB_DIR_IN | 876 USB_TYPE_CLASS | USB_RECIP_INTERFACE)) 877 break; 878 if (w_index != 0 || w_value != 0 || w_length != 1) { 879 value = -EDOM; 880 break; 881 } 882 VDBG(fsg, "get max LUN\n"); 883 *(u8 *) req->buf = fsg->nluns - 1; 884 value = 1; 885 break; 886 } 887 } 888 889 /* Handle CBI class-specific requests */ 890 else { 891 switch (ctrl->bRequest) { 892 893 case USB_CBI_ADSC_REQUEST: 894 if (ctrl->bRequestType != (USB_DIR_OUT | 895 USB_TYPE_CLASS | USB_RECIP_INTERFACE)) 896 break; 897 if (w_index != 0 || w_value != 0) { 898 value = -EDOM; 899 break; 900 } 901 if (w_length > MAX_COMMAND_SIZE) { 902 value = -EOVERFLOW; 903 break; 904 } 905 value = w_length; 906 fsg->ep0req->context = received_cbi_adsc; 907 break; 908 } 909 } 910 911 if (value == -EOPNOTSUPP) 912 VDBG(fsg, 913 "unknown class-specific control req " 914 "%02x.%02x v%04x i%04x l%u\n", 915 ctrl->bRequestType, ctrl->bRequest, 916 le16_to_cpu(ctrl->wValue), w_index, w_length); 917 return value; 918} 919 920 921/*-------------------------------------------------------------------------*/ 922 923/* Ep0 standard request handlers. These always run in_irq. */ 924 925static int standard_setup_req(struct fsg_dev *fsg, 926 const struct usb_ctrlrequest *ctrl) 927{ 928 struct usb_request *req = fsg->ep0req; 929 int value = -EOPNOTSUPP; 930 u16 w_index = le16_to_cpu(ctrl->wIndex); 931 u16 w_value = le16_to_cpu(ctrl->wValue); 932 933 /* Usually this just stores reply data in the pre-allocated ep0 buffer, 934 * but config change events will also reconfigure hardware. */ 935 switch (ctrl->bRequest) { 936 937 case USB_REQ_GET_DESCRIPTOR: 938 if (ctrl->bRequestType != (USB_DIR_IN | USB_TYPE_STANDARD | 939 USB_RECIP_DEVICE)) 940 break; 941 switch (w_value >> 8) { 942 943 case USB_DT_DEVICE: 944 VDBG(fsg, "get device descriptor\n"); 945 device_desc.bMaxPacketSize0 = fsg->ep0->maxpacket; 946 value = sizeof device_desc; 947 memcpy(req->buf, &device_desc, value); 948 break; 949 case USB_DT_DEVICE_QUALIFIER: 950 VDBG(fsg, "get device qualifier\n"); 951 if (!gadget_is_dualspeed(fsg->gadget) || 952 fsg->gadget->speed == USB_SPEED_SUPER) 953 break; 954 /* 955 * Assume ep0 uses the same maxpacket value for both 956 * speeds 957 */ 958 dev_qualifier.bMaxPacketSize0 = fsg->ep0->maxpacket; 959 value = sizeof dev_qualifier; 960 memcpy(req->buf, &dev_qualifier, value); 961 break; 962 963 case USB_DT_OTHER_SPEED_CONFIG: 964 VDBG(fsg, "get other-speed config descriptor\n"); 965 if (!gadget_is_dualspeed(fsg->gadget) || 966 fsg->gadget->speed == USB_SPEED_SUPER) 967 break; 968 goto get_config; 969 case USB_DT_CONFIG: 970 VDBG(fsg, "get configuration descriptor\n"); 971get_config: 972 value = populate_config_buf(fsg->gadget, 973 req->buf, 974 w_value >> 8, 975 w_value & 0xff); 976 break; 977 978 case USB_DT_STRING: 979 VDBG(fsg, "get string descriptor\n"); 980 981 /* wIndex == language code */ 982 value = usb_gadget_get_string(&fsg_stringtab, 983 w_value & 0xff, req->buf); 984 break; 985 986 case USB_DT_BOS: 987 VDBG(fsg, "get bos descriptor\n"); 988 989 if (gadget_is_superspeed(fsg->gadget)) 990 value = populate_bos(fsg, req->buf); 991 break; 992 } 993 994 break; 995 996 /* One config, two speeds */ 997 case USB_REQ_SET_CONFIGURATION: 998 if (ctrl->bRequestType != (USB_DIR_OUT | USB_TYPE_STANDARD | 999 USB_RECIP_DEVICE)) 1000 break; 1001 VDBG(fsg, "set configuration\n"); 1002 if (w_value == CONFIG_VALUE || w_value == 0) { 1003 fsg->new_config = w_value; 1004 1005 /* Raise an exception to wipe out previous transaction 1006 * state (queued bufs, etc) and set the new config. */ 1007 raise_exception(fsg, FSG_STATE_CONFIG_CHANGE); 1008 value = DELAYED_STATUS; 1009 } 1010 break; 1011 case USB_REQ_GET_CONFIGURATION: 1012 if (ctrl->bRequestType != (USB_DIR_IN | USB_TYPE_STANDARD | 1013 USB_RECIP_DEVICE)) 1014 break; 1015 VDBG(fsg, "get configuration\n"); 1016 *(u8 *) req->buf = fsg->config; 1017 value = 1; 1018 break; 1019 1020 case USB_REQ_SET_INTERFACE: 1021 if (ctrl->bRequestType != (USB_DIR_OUT| USB_TYPE_STANDARD | 1022 USB_RECIP_INTERFACE)) 1023 break; 1024 if (fsg->config && w_index == 0) { 1025 1026 /* Raise an exception to wipe out previous transaction 1027 * state (queued bufs, etc) and install the new 1028 * interface altsetting. */ 1029 raise_exception(fsg, FSG_STATE_INTERFACE_CHANGE); 1030 value = DELAYED_STATUS; 1031 } 1032 break; 1033 case USB_REQ_GET_INTERFACE: 1034 if (ctrl->bRequestType != (USB_DIR_IN | USB_TYPE_STANDARD | 1035 USB_RECIP_INTERFACE)) 1036 break; 1037 if (!fsg->config) 1038 break; 1039 if (w_index != 0) { 1040 value = -EDOM; 1041 break; 1042 } 1043 VDBG(fsg, "get interface\n"); 1044 *(u8 *) req->buf = 0; 1045 value = 1; 1046 break; 1047 1048 default: 1049 VDBG(fsg, 1050 "unknown control req %02x.%02x v%04x i%04x l%u\n", 1051 ctrl->bRequestType, ctrl->bRequest, 1052 w_value, w_index, le16_to_cpu(ctrl->wLength)); 1053 } 1054 1055 return value; 1056} 1057 1058 1059static int fsg_setup(struct usb_gadget *gadget, 1060 const struct usb_ctrlrequest *ctrl) 1061{ 1062 struct fsg_dev *fsg = get_gadget_data(gadget); 1063 int rc; 1064 int w_length = le16_to_cpu(ctrl->wLength); 1065 1066 ++fsg->ep0_req_tag; // Record arrival of a new request 1067 fsg->ep0req->context = NULL; 1068 fsg->ep0req->length = 0; 1069 dump_msg(fsg, "ep0-setup", (u8 *) ctrl, sizeof(*ctrl)); 1070 1071 if ((ctrl->bRequestType & USB_TYPE_MASK) == USB_TYPE_CLASS) 1072 rc = class_setup_req(fsg, ctrl); 1073 else 1074 rc = standard_setup_req(fsg, ctrl); 1075 1076 /* Respond with data/status or defer until later? */ 1077 if (rc >= 0 && rc != DELAYED_STATUS) { 1078 rc = min(rc, w_length); 1079 fsg->ep0req->length = rc; 1080 fsg->ep0req->zero = rc < w_length; 1081 fsg->ep0req_name = (ctrl->bRequestType & USB_DIR_IN ? 1082 "ep0-in" : "ep0-out"); 1083 rc = ep0_queue(fsg); 1084 } 1085 1086 /* Device either stalls (rc < 0) or reports success */ 1087 return rc; 1088} 1089 1090 1091/*-------------------------------------------------------------------------*/ 1092 1093/* All the following routines run in process context */ 1094 1095 1096/* Use this for bulk or interrupt transfers, not ep0 */ 1097static void start_transfer(struct fsg_dev *fsg, struct usb_ep *ep, 1098 struct usb_request *req, int *pbusy, 1099 enum fsg_buffer_state *state) 1100{ 1101 int rc; 1102 1103 if (ep == fsg->bulk_in) 1104 dump_msg(fsg, "bulk-in", req->buf, req->length); 1105 else if (ep == fsg->intr_in) 1106 dump_msg(fsg, "intr-in", req->buf, req->length); 1107 1108 spin_lock_irq(&fsg->lock); 1109 *pbusy = 1; 1110 *state = BUF_STATE_BUSY; 1111 spin_unlock_irq(&fsg->lock); 1112 rc = usb_ep_queue(ep, req, GFP_KERNEL); 1113 if (rc != 0) { 1114 *pbusy = 0; 1115 *state = BUF_STATE_EMPTY; 1116 1117 /* We can't do much more than wait for a reset */ 1118 1119 /* Note: currently the net2280 driver fails zero-length 1120 * submissions if DMA is enabled. */ 1121 if (rc != -ESHUTDOWN && !(rc == -EOPNOTSUPP && 1122 req->length == 0)) 1123 WARNING(fsg, "error in submission: %s --> %d\n", 1124 ep->name, rc); 1125 } 1126} 1127 1128 1129static int sleep_thread(struct fsg_dev *fsg) 1130{ 1131 int rc = 0; 1132 1133 /* Wait until a signal arrives or we are woken up */ 1134 for (;;) { 1135 try_to_freeze(); 1136 set_current_state(TASK_INTERRUPTIBLE); 1137 if (signal_pending(current)) { 1138 rc = -EINTR; 1139 break; 1140 } 1141 if (fsg->thread_wakeup_needed) 1142 break; 1143 schedule(); 1144 } 1145 __set_current_state(TASK_RUNNING); 1146 fsg->thread_wakeup_needed = 0; 1147 return rc; 1148} 1149 1150 1151/*-------------------------------------------------------------------------*/ 1152 1153static int do_read(struct fsg_dev *fsg) 1154{ 1155 struct fsg_lun *curlun = fsg->curlun; 1156 u32 lba; 1157 struct fsg_buffhd *bh; 1158 int rc; 1159 u32 amount_left; 1160 loff_t file_offset, file_offset_tmp; 1161 unsigned int amount; 1162 ssize_t nread; 1163 1164 /* Get the starting Logical Block Address and check that it's 1165 * not too big */ 1166 if (fsg->cmnd[0] == READ_6) 1167 lba = get_unaligned_be24(&fsg->cmnd[1]); 1168 else { 1169 lba = get_unaligned_be32(&fsg->cmnd[2]); 1170 1171 /* We allow DPO (Disable Page Out = don't save data in the 1172 * cache) and FUA (Force Unit Access = don't read from the 1173 * cache), but we don't implement them. */ 1174 if ((fsg->cmnd[1] & ~0x18) != 0) { 1175 curlun->sense_data = SS_INVALID_FIELD_IN_CDB; 1176 return -EINVAL; 1177 } 1178 } 1179 if (lba >= curlun->num_sectors) { 1180 curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE; 1181 return -EINVAL; 1182 } 1183 file_offset = ((loff_t) lba) << curlun->blkbits; 1184 1185 /* Carry out the file reads */ 1186 amount_left = fsg->data_size_from_cmnd; 1187 if (unlikely(amount_left == 0)) 1188 return -EIO; // No default reply 1189 1190 for (;;) { 1191 1192 /* Figure out how much we need to read: 1193 * Try to read the remaining amount. 1194 * But don't read more than the buffer size. 1195 * And don't try to read past the end of the file. 1196 */ 1197 amount = min((unsigned int) amount_left, mod_data.buflen); 1198 amount = min((loff_t) amount, 1199 curlun->file_length - file_offset); 1200 1201 /* Wait for the next buffer to become available */ 1202 bh = fsg->next_buffhd_to_fill; 1203 while (bh->state != BUF_STATE_EMPTY) { 1204 rc = sleep_thread(fsg); 1205 if (rc) 1206 return rc; 1207 } 1208 1209 /* If we were asked to read past the end of file, 1210 * end with an empty buffer. */ 1211 if (amount == 0) { 1212 curlun->sense_data = 1213 SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE; 1214 curlun->sense_data_info = file_offset >> curlun->blkbits; 1215 curlun->info_valid = 1; 1216 bh->inreq->length = 0; 1217 bh->state = BUF_STATE_FULL; 1218 break; 1219 } 1220 1221 /* Perform the read */ 1222 file_offset_tmp = file_offset; 1223 nread = vfs_read(curlun->filp, 1224 (char __user *) bh->buf, 1225 amount, &file_offset_tmp); 1226 VLDBG(curlun, "file read %u @ %llu -> %d\n", amount, 1227 (unsigned long long) file_offset, 1228 (int) nread); 1229 if (signal_pending(current)) 1230 return -EINTR; 1231 1232 if (nread < 0) { 1233 LDBG(curlun, "error in file read: %d\n", 1234 (int) nread); 1235 nread = 0; 1236 } else if (nread < amount) { 1237 LDBG(curlun, "partial file read: %d/%u\n", 1238 (int) nread, amount); 1239 nread = round_down(nread, curlun->blksize); 1240 } 1241 file_offset += nread; 1242 amount_left -= nread; 1243 fsg->residue -= nread; 1244 1245 /* Except at the end of the transfer, nread will be 1246 * equal to the buffer size, which is divisible by the 1247 * bulk-in maxpacket size. 1248 */ 1249 bh->inreq->length = nread; 1250 bh->state = BUF_STATE_FULL; 1251 1252 /* If an error occurred, report it and its position */ 1253 if (nread < amount) { 1254 curlun->sense_data = SS_UNRECOVERED_READ_ERROR; 1255 curlun->sense_data_info = file_offset >> curlun->blkbits; 1256 curlun->info_valid = 1; 1257 break; 1258 } 1259 1260 if (amount_left == 0) 1261 break; // No more left to read 1262 1263 /* Send this buffer and go read some more */ 1264 bh->inreq->zero = 0; 1265 start_transfer(fsg, fsg->bulk_in, bh->inreq, 1266 &bh->inreq_busy, &bh->state); 1267 fsg->next_buffhd_to_fill = bh->next; 1268 } 1269 1270 return -EIO; // No default reply 1271} 1272 1273 1274/*-------------------------------------------------------------------------*/ 1275 1276static int do_write(struct fsg_dev *fsg) 1277{ 1278 struct fsg_lun *curlun = fsg->curlun; 1279 u32 lba; 1280 struct fsg_buffhd *bh; 1281 int get_some_more; 1282 u32 amount_left_to_req, amount_left_to_write; 1283 loff_t usb_offset, file_offset, file_offset_tmp; 1284 unsigned int amount; 1285 ssize_t nwritten; 1286 int rc; 1287 1288 if (curlun->ro) { 1289 curlun->sense_data = SS_WRITE_PROTECTED; 1290 return -EINVAL; 1291 } 1292 spin_lock(&curlun->filp->f_lock); 1293 curlun->filp->f_flags &= ~O_SYNC; // Default is not to wait 1294 spin_unlock(&curlun->filp->f_lock); 1295 1296 /* Get the starting Logical Block Address and check that it's 1297 * not too big */ 1298 if (fsg->cmnd[0] == WRITE_6) 1299 lba = get_unaligned_be24(&fsg->cmnd[1]); 1300 else { 1301 lba = get_unaligned_be32(&fsg->cmnd[2]); 1302 1303 /* We allow DPO (Disable Page Out = don't save data in the 1304 * cache) and FUA (Force Unit Access = write directly to the 1305 * medium). We don't implement DPO; we implement FUA by 1306 * performing synchronous output. */ 1307 if ((fsg->cmnd[1] & ~0x18) != 0) { 1308 curlun->sense_data = SS_INVALID_FIELD_IN_CDB; 1309 return -EINVAL; 1310 } 1311 /* FUA */ 1312 if (!curlun->nofua && (fsg->cmnd[1] & 0x08)) { 1313 spin_lock(&curlun->filp->f_lock); 1314 curlun->filp->f_flags |= O_DSYNC; 1315 spin_unlock(&curlun->filp->f_lock); 1316 } 1317 } 1318 if (lba >= curlun->num_sectors) { 1319 curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE; 1320 return -EINVAL; 1321 } 1322 1323 /* Carry out the file writes */ 1324 get_some_more = 1; 1325 file_offset = usb_offset = ((loff_t) lba) << curlun->blkbits; 1326 amount_left_to_req = amount_left_to_write = fsg->data_size_from_cmnd; 1327 1328 while (amount_left_to_write > 0) { 1329 1330 /* Queue a request for more data from the host */ 1331 bh = fsg->next_buffhd_to_fill; 1332 if (bh->state == BUF_STATE_EMPTY && get_some_more) { 1333 1334 /* Figure out how much we want to get: 1335 * Try to get the remaining amount, 1336 * but not more than the buffer size. 1337 */ 1338 amount = min(amount_left_to_req, mod_data.buflen); 1339 1340 /* Beyond the end of the backing file? */ 1341 if (usb_offset >= curlun->file_length) { 1342 get_some_more = 0; 1343 curlun->sense_data = 1344 SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE; 1345 curlun->sense_data_info = usb_offset >> curlun->blkbits; 1346 curlun->info_valid = 1; 1347 continue; 1348 } 1349 1350 /* Get the next buffer */ 1351 usb_offset += amount; 1352 fsg->usb_amount_left -= amount; 1353 amount_left_to_req -= amount; 1354 if (amount_left_to_req == 0) 1355 get_some_more = 0; 1356 1357 /* Except at the end of the transfer, amount will be 1358 * equal to the buffer size, which is divisible by 1359 * the bulk-out maxpacket size. 1360 */ 1361 set_bulk_out_req_length(fsg, bh, amount); 1362 start_transfer(fsg, fsg->bulk_out, bh->outreq, 1363 &bh->outreq_busy, &bh->state); 1364 fsg->next_buffhd_to_fill = bh->next; 1365 continue; 1366 } 1367 1368 /* Write the received data to the backing file */ 1369 bh = fsg->next_buffhd_to_drain; 1370 if (bh->state == BUF_STATE_EMPTY && !get_some_more) 1371 break; // We stopped early 1372 if (bh->state == BUF_STATE_FULL) { 1373 smp_rmb(); 1374 fsg->next_buffhd_to_drain = bh->next; 1375 bh->state = BUF_STATE_EMPTY; 1376 1377 /* Did something go wrong with the transfer? */ 1378 if (bh->outreq->status != 0) { 1379 curlun->sense_data = SS_COMMUNICATION_FAILURE; 1380 curlun->sense_data_info = file_offset >> curlun->blkbits; 1381 curlun->info_valid = 1; 1382 break; 1383 } 1384 1385 amount = bh->outreq->actual; 1386 if (curlun->file_length - file_offset < amount) { 1387 LERROR(curlun, 1388 "write %u @ %llu beyond end %llu\n", 1389 amount, (unsigned long long) file_offset, 1390 (unsigned long long) curlun->file_length); 1391 amount = curlun->file_length - file_offset; 1392 } 1393 1394 /* Don't accept excess data. The spec doesn't say 1395 * what to do in this case. We'll ignore the error. 1396 */ 1397 amount = min(amount, bh->bulk_out_intended_length); 1398 1399 /* Don't write a partial block */ 1400 amount = round_down(amount, curlun->blksize); 1401 if (amount == 0) 1402 goto empty_write; 1403 1404 /* Perform the write */ 1405 file_offset_tmp = file_offset; 1406 nwritten = vfs_write(curlun->filp, 1407 (char __user *) bh->buf, 1408 amount, &file_offset_tmp); 1409 VLDBG(curlun, "file write %u @ %llu -> %d\n", amount, 1410 (unsigned long long) file_offset, 1411 (int) nwritten); 1412 if (signal_pending(current)) 1413 return -EINTR; // Interrupted! 1414 1415 if (nwritten < 0) { 1416 LDBG(curlun, "error in file write: %d\n", 1417 (int) nwritten); 1418 nwritten = 0; 1419 } else if (nwritten < amount) { 1420 LDBG(curlun, "partial file write: %d/%u\n", 1421 (int) nwritten, amount); 1422 nwritten = round_down(nwritten, curlun->blksize); 1423 } 1424 file_offset += nwritten; 1425 amount_left_to_write -= nwritten; 1426 fsg->residue -= nwritten; 1427 1428 /* If an error occurred, report it and its position */ 1429 if (nwritten < amount) { 1430 curlun->sense_data = SS_WRITE_ERROR; 1431 curlun->sense_data_info = file_offset >> curlun->blkbits; 1432 curlun->info_valid = 1; 1433 break; 1434 } 1435 1436 empty_write: 1437 /* Did the host decide to stop early? */ 1438 if (bh->outreq->actual < bh->bulk_out_intended_length) { 1439 fsg->short_packet_received = 1; 1440 break; 1441 } 1442 continue; 1443 } 1444 1445 /* Wait for something to happen */ 1446 rc = sleep_thread(fsg); 1447 if (rc) 1448 return rc; 1449 } 1450 1451 return -EIO; // No default reply 1452} 1453 1454 1455/*-------------------------------------------------------------------------*/ 1456 1457static int do_synchronize_cache(struct fsg_dev *fsg) 1458{ 1459 struct fsg_lun *curlun = fsg->curlun; 1460 int rc; 1461 1462 /* We ignore the requested LBA and write out all file's 1463 * dirty data buffers. */ 1464 rc = fsg_lun_fsync_sub(curlun); 1465 if (rc) 1466 curlun->sense_data = SS_WRITE_ERROR; 1467 return 0; 1468} 1469 1470 1471/*-------------------------------------------------------------------------*/ 1472 1473static void invalidate_sub(struct fsg_lun *curlun) 1474{ 1475 struct file *filp = curlun->filp; 1476 struct inode *inode = filp->f_path.dentry->d_inode; 1477 unsigned long rc; 1478 1479 rc = invalidate_mapping_pages(inode->i_mapping, 0, -1); 1480 VLDBG(curlun, "invalidate_mapping_pages -> %ld\n", rc); 1481} 1482 1483static int do_verify(struct fsg_dev *fsg) 1484{ 1485 struct fsg_lun *curlun = fsg->curlun; 1486 u32 lba; 1487 u32 verification_length; 1488 struct fsg_buffhd *bh = fsg->next_buffhd_to_fill; 1489 loff_t file_offset, file_offset_tmp; 1490 u32 amount_left; 1491 unsigned int amount; 1492 ssize_t nread; 1493 1494 /* Get the starting Logical Block Address and check that it's 1495 * not too big */ 1496 lba = get_unaligned_be32(&fsg->cmnd[2]); 1497 if (lba >= curlun->num_sectors) { 1498 curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE; 1499 return -EINVAL; 1500 } 1501 1502 /* We allow DPO (Disable Page Out = don't save data in the 1503 * cache) but we don't implement it. */ 1504 if ((fsg->cmnd[1] & ~0x10) != 0) { 1505 curlun->sense_data = SS_INVALID_FIELD_IN_CDB; 1506 return -EINVAL; 1507 } 1508 1509 verification_length = get_unaligned_be16(&fsg->cmnd[7]); 1510 if (unlikely(verification_length == 0)) 1511 return -EIO; // No default reply 1512 1513 /* Prepare to carry out the file verify */ 1514 amount_left = verification_length << curlun->blkbits; 1515 file_offset = ((loff_t) lba) << curlun->blkbits; 1516 1517 /* Write out all the dirty buffers before invalidating them */ 1518 fsg_lun_fsync_sub(curlun); 1519 if (signal_pending(current)) 1520 return -EINTR; 1521 1522 invalidate_sub(curlun); 1523 if (signal_pending(current)) 1524 return -EINTR; 1525 1526 /* Just try to read the requested blocks */ 1527 while (amount_left > 0) { 1528 1529 /* Figure out how much we need to read: 1530 * Try to read the remaining amount, but not more than 1531 * the buffer size. 1532 * And don't try to read past the end of the file. 1533 */ 1534 amount = min((unsigned int) amount_left, mod_data.buflen); 1535 amount = min((loff_t) amount, 1536 curlun->file_length - file_offset); 1537 if (amount == 0) { 1538 curlun->sense_data = 1539 SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE; 1540 curlun->sense_data_info = file_offset >> curlun->blkbits; 1541 curlun->info_valid = 1; 1542 break; 1543 } 1544 1545 /* Perform the read */ 1546 file_offset_tmp = file_offset; 1547 nread = vfs_read(curlun->filp, 1548 (char __user *) bh->buf, 1549 amount, &file_offset_tmp); 1550 VLDBG(curlun, "file read %u @ %llu -> %d\n", amount, 1551 (unsigned long long) file_offset, 1552 (int) nread); 1553 if (signal_pending(current)) 1554 return -EINTR; 1555 1556 if (nread < 0) { 1557 LDBG(curlun, "error in file verify: %d\n", 1558 (int) nread); 1559 nread = 0; 1560 } else if (nread < amount) { 1561 LDBG(curlun, "partial file verify: %d/%u\n", 1562 (int) nread, amount); 1563 nread = round_down(nread, curlun->blksize); 1564 } 1565 if (nread == 0) { 1566 curlun->sense_data = SS_UNRECOVERED_READ_ERROR; 1567 curlun->sense_data_info = file_offset >> curlun->blkbits; 1568 curlun->info_valid = 1; 1569 break; 1570 } 1571 file_offset += nread; 1572 amount_left -= nread; 1573 } 1574 return 0; 1575} 1576 1577 1578/*-------------------------------------------------------------------------*/ 1579 1580static int do_inquiry(struct fsg_dev *fsg, struct fsg_buffhd *bh) 1581{ 1582 u8 *buf = (u8 *) bh->buf; 1583 1584 static char vendor_id[] = "Linux "; 1585 static char product_disk_id[] = "File-Stor Gadget"; 1586 static char product_cdrom_id[] = "File-CD Gadget "; 1587 1588 if (!fsg->curlun) { // Unsupported LUNs are okay 1589 fsg->bad_lun_okay = 1; 1590 memset(buf, 0, 36); 1591 buf[0] = 0x7f; // Unsupported, no device-type 1592 buf[4] = 31; // Additional length 1593 return 36; 1594 } 1595 1596 memset(buf, 0, 8); 1597 buf[0] = (mod_data.cdrom ? TYPE_ROM : TYPE_DISK); 1598 if (mod_data.removable) 1599 buf[1] = 0x80; 1600 buf[2] = 2; // ANSI SCSI level 2 1601 buf[3] = 2; // SCSI-2 INQUIRY data format 1602 buf[4] = 31; // Additional length 1603 // No special options 1604 sprintf(buf + 8, "%-8s%-16s%04x", vendor_id, 1605 (mod_data.cdrom ? product_cdrom_id : 1606 product_disk_id), 1607 mod_data.release); 1608 return 36; 1609} 1610 1611 1612static int do_request_sense(struct fsg_dev *fsg, struct fsg_buffhd *bh) 1613{ 1614 struct fsg_lun *curlun = fsg->curlun; 1615 u8 *buf = (u8 *) bh->buf; 1616 u32 sd, sdinfo; 1617 int valid; 1618 1619 /* 1620 * From the SCSI-2 spec., section 7.9 (Unit attention condition): 1621 * 1622 * If a REQUEST SENSE command is received from an initiator 1623 * with a pending unit attention condition (before the target 1624 * generates the contingent allegiance condition), then the 1625 * target shall either: 1626 * a) report any pending sense data and preserve the unit 1627 * attention condition on the logical unit, or, 1628 * b) report the unit attention condition, may discard any 1629 * pending sense data, and clear the unit attention 1630 * condition on the logical unit for that initiator. 1631 * 1632 * FSG normally uses option a); enable this code to use option b). 1633 */ 1634#if 0 1635 if (curlun && curlun->unit_attention_data != SS_NO_SENSE) { 1636 curlun->sense_data = curlun->unit_attention_data; 1637 curlun->unit_attention_data = SS_NO_SENSE; 1638 } 1639#endif 1640 1641 if (!curlun) { // Unsupported LUNs are okay 1642 fsg->bad_lun_okay = 1; 1643 sd = SS_LOGICAL_UNIT_NOT_SUPPORTED; 1644 sdinfo = 0; 1645 valid = 0; 1646 } else { 1647 sd = curlun->sense_data; 1648 sdinfo = curlun->sense_data_info; 1649 valid = curlun->info_valid << 7; 1650 curlun->sense_data = SS_NO_SENSE; 1651 curlun->sense_data_info = 0; 1652 curlun->info_valid = 0; 1653 } 1654 1655 memset(buf, 0, 18); 1656 buf[0] = valid | 0x70; // Valid, current error 1657 buf[2] = SK(sd); 1658 put_unaligned_be32(sdinfo, &buf[3]); /* Sense information */ 1659 buf[7] = 18 - 8; // Additional sense length 1660 buf[12] = ASC(sd); 1661 buf[13] = ASCQ(sd); 1662 return 18; 1663} 1664 1665 1666static int do_read_capacity(struct fsg_dev *fsg, struct fsg_buffhd *bh) 1667{ 1668 struct fsg_lun *curlun = fsg->curlun; 1669 u32 lba = get_unaligned_be32(&fsg->cmnd[2]); 1670 int pmi = fsg->cmnd[8]; 1671 u8 *buf = (u8 *) bh->buf; 1672 1673 /* Check the PMI and LBA fields */ 1674 if (pmi > 1 || (pmi == 0 && lba != 0)) { 1675 curlun->sense_data = SS_INVALID_FIELD_IN_CDB; 1676 return -EINVAL; 1677 } 1678 1679 put_unaligned_be32(curlun->num_sectors - 1, &buf[0]); 1680 /* Max logical block */ 1681 put_unaligned_be32(curlun->blksize, &buf[4]); /* Block length */ 1682 return 8; 1683} 1684 1685 1686static int do_read_header(struct fsg_dev *fsg, struct fsg_buffhd *bh) 1687{ 1688 struct fsg_lun *curlun = fsg->curlun; 1689 int msf = fsg->cmnd[1] & 0x02; 1690 u32 lba = get_unaligned_be32(&fsg->cmnd[2]); 1691 u8 *buf = (u8 *) bh->buf; 1692 1693 if ((fsg->cmnd[1] & ~0x02) != 0) { /* Mask away MSF */ 1694 curlun->sense_data = SS_INVALID_FIELD_IN_CDB; 1695 return -EINVAL; 1696 } 1697 if (lba >= curlun->num_sectors) { 1698 curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE; 1699 return -EINVAL; 1700 } 1701 1702 memset(buf, 0, 8); 1703 buf[0] = 0x01; /* 2048 bytes of user data, rest is EC */ 1704 store_cdrom_address(&buf[4], msf, lba); 1705 return 8; 1706} 1707 1708 1709static int do_read_toc(struct fsg_dev *fsg, struct fsg_buffhd *bh) 1710{ 1711 struct fsg_lun *curlun = fsg->curlun; 1712 int msf = fsg->cmnd[1] & 0x02; 1713 int start_track = fsg->cmnd[6]; 1714 u8 *buf = (u8 *) bh->buf; 1715 1716 if ((fsg->cmnd[1] & ~0x02) != 0 || /* Mask away MSF */ 1717 start_track > 1) { 1718 curlun->sense_data = SS_INVALID_FIELD_IN_CDB; 1719 return -EINVAL; 1720 } 1721 1722 memset(buf, 0, 20); 1723 buf[1] = (20-2); /* TOC data length */ 1724 buf[2] = 1; /* First track number */ 1725 buf[3] = 1; /* Last track number */ 1726 buf[5] = 0x16; /* Data track, copying allowed */ 1727 buf[6] = 0x01; /* Only track is number 1 */ 1728 store_cdrom_address(&buf[8], msf, 0); 1729 1730 buf[13] = 0x16; /* Lead-out track is data */ 1731 buf[14] = 0xAA; /* Lead-out track number */ 1732 store_cdrom_address(&buf[16], msf, curlun->num_sectors); 1733 return 20; 1734} 1735 1736 1737static int do_mode_sense(struct fsg_dev *fsg, struct fsg_buffhd *bh) 1738{ 1739 struct fsg_lun *curlun = fsg->curlun; 1740 int mscmnd = fsg->cmnd[0]; 1741 u8 *buf = (u8 *) bh->buf; 1742 u8 *buf0 = buf; 1743 int pc, page_code; 1744 int changeable_values, all_pages; 1745 int valid_page = 0; 1746 int len, limit; 1747 1748 if ((fsg->cmnd[1] & ~0x08) != 0) { // Mask away DBD 1749 curlun->sense_data = SS_INVALID_FIELD_IN_CDB; 1750 return -EINVAL; 1751 } 1752 pc = fsg->cmnd[2] >> 6; 1753 page_code = fsg->cmnd[2] & 0x3f; 1754 if (pc == 3) { 1755 curlun->sense_data = SS_SAVING_PARAMETERS_NOT_SUPPORTED; 1756 return -EINVAL; 1757 } 1758 changeable_values = (pc == 1); 1759 all_pages = (page_code == 0x3f); 1760 1761 /* Write the mode parameter header. Fixed values are: default 1762 * medium type, no cache control (DPOFUA), and no block descriptors. 1763 * The only variable value is the WriteProtect bit. We will fill in 1764 * the mode data length later. */ 1765 memset(buf, 0, 8); 1766 if (mscmnd == MODE_SENSE) { 1767 buf[2] = (curlun->ro ? 0x80 : 0x00); // WP, DPOFUA 1768 buf += 4; 1769 limit = 255; 1770 } else { // MODE_SENSE_10 1771 buf[3] = (curlun->ro ? 0x80 : 0x00); // WP, DPOFUA 1772 buf += 8; 1773 limit = 65535; // Should really be mod_data.buflen 1774 } 1775 1776 /* No block descriptors */ 1777 1778 /* The mode pages, in numerical order. The only page we support 1779 * is the Caching page. */ 1780 if (page_code == 0x08 || all_pages) { 1781 valid_page = 1; 1782 buf[0] = 0x08; // Page code 1783 buf[1] = 10; // Page length 1784 memset(buf+2, 0, 10); // None of the fields are changeable 1785 1786 if (!changeable_values) { 1787 buf[2] = 0x04; // Write cache enable, 1788 // Read cache not disabled 1789 // No cache retention priorities 1790 put_unaligned_be16(0xffff, &buf[4]); 1791 /* Don't disable prefetch */ 1792 /* Minimum prefetch = 0 */ 1793 put_unaligned_be16(0xffff, &buf[8]); 1794 /* Maximum prefetch */ 1795 put_unaligned_be16(0xffff, &buf[10]); 1796 /* Maximum prefetch ceiling */ 1797 } 1798 buf += 12; 1799 } 1800 1801 /* Check that a valid page was requested and the mode data length 1802 * isn't too long. */ 1803 len = buf - buf0; 1804 if (!valid_page || len > limit) { 1805 curlun->sense_data = SS_INVALID_FIELD_IN_CDB; 1806 return -EINVAL; 1807 } 1808 1809 /* Store the mode data length */ 1810 if (mscmnd == MODE_SENSE) 1811 buf0[0] = len - 1; 1812 else 1813 put_unaligned_be16(len - 2, buf0); 1814 return len; 1815} 1816 1817 1818static int do_start_stop(struct fsg_dev *fsg) 1819{ 1820 struct fsg_lun *curlun = fsg->curlun; 1821 int loej, start; 1822 1823 if (!mod_data.removable) { 1824 curlun->sense_data = SS_INVALID_COMMAND; 1825 return -EINVAL; 1826 } 1827 1828 // int immed = fsg->cmnd[1] & 0x01; 1829 loej = fsg->cmnd[4] & 0x02; 1830 start = fsg->cmnd[4] & 0x01; 1831 1832#ifdef CONFIG_USB_FILE_STORAGE_TEST 1833 if ((fsg->cmnd[1] & ~0x01) != 0 || // Mask away Immed 1834 (fsg->cmnd[4] & ~0x03) != 0) { // Mask LoEj, Start 1835 curlun->sense_data = SS_INVALID_FIELD_IN_CDB; 1836 return -EINVAL; 1837 } 1838 1839 if (!start) { 1840 1841 /* Are we allowed to unload the media? */ 1842 if (curlun->prevent_medium_removal) { 1843 LDBG(curlun, "unload attempt prevented\n"); 1844 curlun->sense_data = SS_MEDIUM_REMOVAL_PREVENTED; 1845 return -EINVAL; 1846 } 1847 if (loej) { // Simulate an unload/eject 1848 up_read(&fsg->filesem); 1849 down_write(&fsg->filesem); 1850 fsg_lun_close(curlun); 1851 up_write(&fsg->filesem); 1852 down_read(&fsg->filesem); 1853 } 1854 } else { 1855 1856 /* Our emulation doesn't support mounting; the medium is 1857 * available for use as soon as it is loaded. */ 1858 if (!fsg_lun_is_open(curlun)) { 1859 curlun->sense_data = SS_MEDIUM_NOT_PRESENT; 1860 return -EINVAL; 1861 } 1862 } 1863#endif 1864 return 0; 1865} 1866 1867 1868static int do_prevent_allow(struct fsg_dev *fsg) 1869{ 1870 struct fsg_lun *curlun = fsg->curlun; 1871 int prevent; 1872 1873 if (!mod_data.removable) { 1874 curlun->sense_data = SS_INVALID_COMMAND; 1875 return -EINVAL; 1876 } 1877 1878 prevent = fsg->cmnd[4] & 0x01; 1879 if ((fsg->cmnd[4] & ~0x01) != 0) { // Mask away Prevent 1880 curlun->sense_data = SS_INVALID_FIELD_IN_CDB; 1881 return -EINVAL; 1882 } 1883 1884 if (curlun->prevent_medium_removal && !prevent) 1885 fsg_lun_fsync_sub(curlun); 1886 curlun->prevent_medium_removal = prevent; 1887 return 0; 1888} 1889 1890 1891static int do_read_format_capacities(struct fsg_dev *fsg, 1892 struct fsg_buffhd *bh) 1893{ 1894 struct fsg_lun *curlun = fsg->curlun; 1895 u8 *buf = (u8 *) bh->buf; 1896 1897 buf[0] = buf[1] = buf[2] = 0; 1898 buf[3] = 8; // Only the Current/Maximum Capacity Descriptor 1899 buf += 4; 1900 1901 put_unaligned_be32(curlun->num_sectors, &buf[0]); 1902 /* Number of blocks */ 1903 put_unaligned_be32(curlun->blksize, &buf[4]); /* Block length */ 1904 buf[4] = 0x02; /* Current capacity */ 1905 return 12; 1906} 1907 1908 1909static int do_mode_select(struct fsg_dev *fsg, struct fsg_buffhd *bh) 1910{ 1911 struct fsg_lun *curlun = fsg->curlun; 1912 1913 /* We don't support MODE SELECT */ 1914 curlun->sense_data = SS_INVALID_COMMAND; 1915 return -EINVAL; 1916} 1917 1918 1919/*-------------------------------------------------------------------------*/ 1920 1921static int halt_bulk_in_endpoint(struct fsg_dev *fsg) 1922{ 1923 int rc; 1924 1925 rc = fsg_set_halt(fsg, fsg->bulk_in); 1926 if (rc == -EAGAIN) 1927 VDBG(fsg, "delayed bulk-in endpoint halt\n"); 1928 while (rc != 0) { 1929 if (rc != -EAGAIN) { 1930 WARNING(fsg, "usb_ep_set_halt -> %d\n", rc); 1931 rc = 0; 1932 break; 1933 } 1934 1935 /* Wait for a short time and then try again */ 1936 if (msleep_interruptible(100) != 0) 1937 return -EINTR; 1938 rc = usb_ep_set_halt(fsg->bulk_in); 1939 } 1940 return rc; 1941} 1942 1943static int wedge_bulk_in_endpoint(struct fsg_dev *fsg) 1944{ 1945 int rc; 1946 1947 DBG(fsg, "bulk-in set wedge\n"); 1948 rc = usb_ep_set_wedge(fsg->bulk_in); 1949 if (rc == -EAGAIN) 1950 VDBG(fsg, "delayed bulk-in endpoint wedge\n"); 1951 while (rc != 0) { 1952 if (rc != -EAGAIN) { 1953 WARNING(fsg, "usb_ep_set_wedge -> %d\n", rc); 1954 rc = 0; 1955 break; 1956 } 1957 1958 /* Wait for a short time and then try again */ 1959 if (msleep_interruptible(100) != 0) 1960 return -EINTR; 1961 rc = usb_ep_set_wedge(fsg->bulk_in); 1962 } 1963 return rc; 1964} 1965 1966static int throw_away_data(struct fsg_dev *fsg) 1967{ 1968 struct fsg_buffhd *bh; 1969 u32 amount; 1970 int rc; 1971 1972 while ((bh = fsg->next_buffhd_to_drain)->state != BUF_STATE_EMPTY || 1973 fsg->usb_amount_left > 0) { 1974 1975 /* Throw away the data in a filled buffer */ 1976 if (bh->state == BUF_STATE_FULL) { 1977 smp_rmb(); 1978 bh->state = BUF_STATE_EMPTY; 1979 fsg->next_buffhd_to_drain = bh->next; 1980 1981 /* A short packet or an error ends everything */ 1982 if (bh->outreq->actual < bh->bulk_out_intended_length || 1983 bh->outreq->status != 0) { 1984 raise_exception(fsg, FSG_STATE_ABORT_BULK_OUT); 1985 return -EINTR; 1986 } 1987 continue; 1988 } 1989 1990 /* Try to submit another request if we need one */ 1991 bh = fsg->next_buffhd_to_fill; 1992 if (bh->state == BUF_STATE_EMPTY && fsg->usb_amount_left > 0) { 1993 amount = min(fsg->usb_amount_left, 1994 (u32) mod_data.buflen); 1995 1996 /* Except at the end of the transfer, amount will be 1997 * equal to the buffer size, which is divisible by 1998 * the bulk-out maxpacket size. 1999 */ 2000 set_bulk_out_req_length(fsg, bh, amount); 2001 start_transfer(fsg, fsg->bulk_out, bh->outreq, 2002 &bh->outreq_busy, &bh->state); 2003 fsg->next_buffhd_to_fill = bh->next; 2004 fsg->usb_amount_left -= amount; 2005 continue; 2006 } 2007 2008 /* Otherwise wait for something to happen */ 2009 rc = sleep_thread(fsg); 2010 if (rc) 2011 return rc; 2012 } 2013 return 0; 2014} 2015 2016 2017static int finish_reply(struct fsg_dev *fsg) 2018{ 2019 struct fsg_buffhd *bh = fsg->next_buffhd_to_fill; 2020 int rc = 0; 2021 2022 switch (fsg->data_dir) { 2023 case DATA_DIR_NONE: 2024 break; // Nothing to send 2025 2026 /* If we don't know whether the host wants to read or write, 2027 * this must be CB or CBI with an unknown command. We mustn't 2028 * try to send or receive any data. So stall both bulk pipes 2029 * if we can and wait for a reset. */ 2030 case DATA_DIR_UNKNOWN: 2031 if (mod_data.can_stall) { 2032 fsg_set_halt(fsg, fsg->bulk_out); 2033 rc = halt_bulk_in_endpoint(fsg); 2034 } 2035 break; 2036 2037 /* All but the last buffer of data must have already been sent */ 2038 case DATA_DIR_TO_HOST: 2039 if (fsg->data_size == 0) 2040 ; // Nothing to send 2041 2042 /* If there's no residue, simply send the last buffer */ 2043 else if (fsg->residue == 0) { 2044 bh->inreq->zero = 0; 2045 start_transfer(fsg, fsg->bulk_in, bh->inreq, 2046 &bh->inreq_busy, &bh->state); 2047 fsg->next_buffhd_to_fill = bh->next; 2048 } 2049 2050 /* There is a residue. For CB and CBI, simply mark the end 2051 * of the data with a short packet. However, if we are 2052 * allowed to stall, there was no data at all (residue == 2053 * data_size), and the command failed (invalid LUN or 2054 * sense data is set), then halt the bulk-in endpoint 2055 * instead. */ 2056 else if (!transport_is_bbb()) { 2057 if (mod_data.can_stall && 2058 fsg->residue == fsg->data_size && 2059 (!fsg->curlun || fsg->curlun->sense_data != SS_NO_SENSE)) { 2060 bh->state = BUF_STATE_EMPTY; 2061 rc = halt_bulk_in_endpoint(fsg); 2062 } else { 2063 bh->inreq->zero = 1; 2064 start_transfer(fsg, fsg->bulk_in, bh->inreq, 2065 &bh->inreq_busy, &bh->state); 2066 fsg->next_buffhd_to_fill = bh->next; 2067 } 2068 } 2069 2070 /* 2071 * For Bulk-only, mark the end of the data with a short 2072 * packet. If we are allowed to stall, halt the bulk-in 2073 * endpoint. (Note: This violates the Bulk-Only Transport 2074 * specification, which requires us to pad the data if we 2075 * don't halt the endpoint. Presumably nobody will mind.) 2076 */ 2077 else { 2078 bh->inreq->zero = 1; 2079 start_transfer(fsg, fsg->bulk_in, bh->inreq, 2080 &bh->inreq_busy, &bh->state); 2081 fsg->next_buffhd_to_fill = bh->next; 2082 if (mod_data.can_stall) 2083 rc = halt_bulk_in_endpoint(fsg); 2084 } 2085 break; 2086 2087 /* We have processed all we want from the data the host has sent. 2088 * There may still be outstanding bulk-out requests. */ 2089 case DATA_DIR_FROM_HOST: 2090 if (fsg->residue == 0) 2091 ; // Nothing to receive 2092 2093 /* Did the host stop sending unexpectedly early? */ 2094 else if (fsg->short_packet_received) { 2095 raise_exception(fsg, FSG_STATE_ABORT_BULK_OUT); 2096 rc = -EINTR; 2097 } 2098 2099 /* We haven't processed all the incoming data. Even though 2100 * we may be allowed to stall, doing so would cause a race. 2101 * The controller may already have ACK'ed all the remaining 2102 * bulk-out packets, in which case the host wouldn't see a 2103 * STALL. Not realizing the endpoint was halted, it wouldn't 2104 * clear the halt -- leading to problems later on. */ 2105#if 0 2106 else if (mod_data.can_stall) { 2107 fsg_set_halt(fsg, fsg->bulk_out); 2108 raise_exception(fsg, FSG_STATE_ABORT_BULK_OUT); 2109 rc = -EINTR; 2110 } 2111#endif 2112 2113 /* We can't stall. Read in the excess data and throw it 2114 * all away. */ 2115 else 2116 rc = throw_away_data(fsg); 2117 break; 2118 } 2119 return rc; 2120} 2121 2122 2123static int send_status(struct fsg_dev *fsg) 2124{ 2125 struct fsg_lun *curlun = fsg->curlun; 2126 struct fsg_buffhd *bh; 2127 int rc; 2128 u8 status = US_BULK_STAT_OK; 2129 u32 sd, sdinfo = 0; 2130 2131 /* Wait for the next buffer to become available */ 2132 bh = fsg->next_buffhd_to_fill; 2133 while (bh->state != BUF_STATE_EMPTY) { 2134 rc = sleep_thread(fsg); 2135 if (rc) 2136 return rc; 2137 } 2138 2139 if (curlun) { 2140 sd = curlun->sense_data; 2141 sdinfo = curlun->sense_data_info; 2142 } else if (fsg->bad_lun_okay) 2143 sd = SS_NO_SENSE; 2144 else 2145 sd = SS_LOGICAL_UNIT_NOT_SUPPORTED; 2146 2147 if (fsg->phase_error) { 2148 DBG(fsg, "sending phase-error status\n"); 2149 status = US_BULK_STAT_PHASE; 2150 sd = SS_INVALID_COMMAND; 2151 } else if (sd != SS_NO_SENSE) { 2152 DBG(fsg, "sending command-failure status\n"); 2153 status = US_BULK_STAT_FAIL; 2154 VDBG(fsg, " sense data: SK x%02x, ASC x%02x, ASCQ x%02x;" 2155 " info x%x\n", 2156 SK(sd), ASC(sd), ASCQ(sd), sdinfo); 2157 } 2158 2159 if (transport_is_bbb()) { 2160 struct bulk_cs_wrap *csw = bh->buf; 2161 2162 /* Store and send the Bulk-only CSW */ 2163 csw->Signature = cpu_to_le32(US_BULK_CS_SIGN); 2164 csw->Tag = fsg->tag; 2165 csw->Residue = cpu_to_le32(fsg->residue); 2166 csw->Status = status; 2167 2168 bh->inreq->length = US_BULK_CS_WRAP_LEN; 2169 bh->inreq->zero = 0; 2170 start_transfer(fsg, fsg->bulk_in, bh->inreq, 2171 &bh->inreq_busy, &bh->state); 2172 2173 } else if (mod_data.transport_type == USB_PR_CB) { 2174 2175 /* Control-Bulk transport has no status phase! */ 2176 return 0; 2177 2178 } else { // USB_PR_CBI 2179 struct interrupt_data *buf = bh->buf; 2180 2181 /* Store and send the Interrupt data. UFI sends the ASC 2182 * and ASCQ bytes. Everything else sends a Type (which 2183 * is always 0) and the status Value. */ 2184 if (mod_data.protocol_type == USB_SC_UFI) { 2185 buf->bType = ASC(sd); 2186 buf->bValue = ASCQ(sd); 2187 } else { 2188 buf->bType = 0; 2189 buf->bValue = status; 2190 } 2191 fsg->intreq->length = CBI_INTERRUPT_DATA_LEN; 2192 2193 fsg->intr_buffhd = bh; // Point to the right buffhd 2194 fsg->intreq->buf = bh->inreq->buf; 2195 fsg->intreq->context = bh; 2196 start_transfer(fsg, fsg->intr_in, fsg->intreq, 2197 &fsg->intreq_busy, &bh->state); 2198 } 2199 2200 fsg->next_buffhd_to_fill = bh->next; 2201 return 0; 2202} 2203 2204 2205/*-------------------------------------------------------------------------*/ 2206 2207/* Check whether the command is properly formed and whether its data size 2208 * and direction agree with the values we already have. */ 2209static int check_command(struct fsg_dev *fsg, int cmnd_size, 2210 enum data_direction data_dir, unsigned int mask, 2211 int needs_medium, const char *name) 2212{ 2213 int i; 2214 int lun = fsg->cmnd[1] >> 5; 2215 static const char dirletter[4] = {'u', 'o', 'i', 'n'}; 2216 char hdlen[20]; 2217 struct fsg_lun *curlun; 2218 2219 /* Adjust the expected cmnd_size for protocol encapsulation padding. 2220 * Transparent SCSI doesn't pad. */ 2221 if (protocol_is_scsi()) 2222 ; 2223 2224 /* There's some disagreement as to whether RBC pads commands or not. 2225 * We'll play it safe and accept either form. */ 2226 else if (mod_data.protocol_type == USB_SC_RBC) { 2227 if (fsg->cmnd_size == 12) 2228 cmnd_size = 12; 2229 2230 /* All the other protocols pad to 12 bytes */ 2231 } else 2232 cmnd_size = 12; 2233 2234 hdlen[0] = 0; 2235 if (fsg->data_dir != DATA_DIR_UNKNOWN) 2236 sprintf(hdlen, ", H%c=%u", dirletter[(int) fsg->data_dir], 2237 fsg->data_size); 2238 VDBG(fsg, "SCSI command: %s; Dc=%d, D%c=%u; Hc=%d%s\n", 2239 name, cmnd_size, dirletter[(int) data_dir], 2240 fsg->data_size_from_cmnd, fsg->cmnd_size, hdlen); 2241 2242 /* We can't reply at all until we know the correct data direction 2243 * and size. */ 2244 if (fsg->data_size_from_cmnd == 0) 2245 data_dir = DATA_DIR_NONE; 2246 if (fsg->data_dir == DATA_DIR_UNKNOWN) { // CB or CBI 2247 fsg->data_dir = data_dir; 2248 fsg->data_size = fsg->data_size_from_cmnd; 2249 2250 } else { // Bulk-only 2251 if (fsg->data_size < fsg->data_size_from_cmnd) { 2252 2253 /* Host data size < Device data size is a phase error. 2254 * Carry out the command, but only transfer as much 2255 * as we are allowed. */ 2256 fsg->data_size_from_cmnd = fsg->data_size; 2257 fsg->phase_error = 1; 2258 } 2259 } 2260 fsg->residue = fsg->usb_amount_left = fsg->data_size; 2261 2262 /* Conflicting data directions is a phase error */ 2263 if (fsg->data_dir != data_dir && fsg->data_size_from_cmnd > 0) { 2264 fsg->phase_error = 1; 2265 return -EINVAL; 2266 } 2267 2268 /* Verify the length of the command itself */ 2269 if (cmnd_size != fsg->cmnd_size) { 2270 2271 /* Special case workaround: There are plenty of buggy SCSI 2272 * implementations. Many have issues with cbw->Length 2273 * field passing a wrong command size. For those cases we 2274 * always try to work around the problem by using the length 2275 * sent by the host side provided it is at least as large 2276 * as the correct command length. 2277 * Examples of such cases would be MS-Windows, which issues 2278 * REQUEST SENSE with cbw->Length == 12 where it should 2279 * be 6, and xbox360 issuing INQUIRY, TEST UNIT READY and 2280 * REQUEST SENSE with cbw->Length == 10 where it should 2281 * be 6 as well. 2282 */ 2283 if (cmnd_size <= fsg->cmnd_size) { 2284 DBG(fsg, "%s is buggy! Expected length %d " 2285 "but we got %d\n", name, 2286 cmnd_size, fsg->cmnd_size); 2287 cmnd_size = fsg->cmnd_size; 2288 } else { 2289 fsg->phase_error = 1; 2290 return -EINVAL; 2291 } 2292 } 2293 2294 /* Check that the LUN values are consistent */ 2295 if (transport_is_bbb()) { 2296 if (fsg->lun != lun) 2297 DBG(fsg, "using LUN %d from CBW, " 2298 "not LUN %d from CDB\n", 2299 fsg->lun, lun); 2300 } 2301 2302 /* Check the LUN */ 2303 curlun = fsg->curlun; 2304 if (curlun) { 2305 if (fsg->cmnd[0] != REQUEST_SENSE) { 2306 curlun->sense_data = SS_NO_SENSE; 2307 curlun->sense_data_info = 0; 2308 curlun->info_valid = 0; 2309 } 2310 } else { 2311 fsg->bad_lun_okay = 0; 2312 2313 /* INQUIRY and REQUEST SENSE commands are explicitly allowed 2314 * to use unsupported LUNs; all others may not. */ 2315 if (fsg->cmnd[0] != INQUIRY && 2316 fsg->cmnd[0] != REQUEST_SENSE) { 2317 DBG(fsg, "unsupported LUN %d\n", fsg->lun); 2318 return -EINVAL; 2319 } 2320 } 2321 2322 /* If a unit attention condition exists, only INQUIRY and 2323 * REQUEST SENSE commands are allowed; anything else must fail. */ 2324 if (curlun && curlun->unit_attention_data != SS_NO_SENSE && 2325 fsg->cmnd[0] != INQUIRY && 2326 fsg->cmnd[0] != REQUEST_SENSE) { 2327 curlun->sense_data = curlun->unit_attention_data; 2328 curlun->unit_attention_data = SS_NO_SENSE; 2329 return -EINVAL; 2330 } 2331 2332 /* Check that only command bytes listed in the mask are non-zero */ 2333 fsg->cmnd[1] &= 0x1f; // Mask away the LUN 2334 for (i = 1; i < cmnd_size; ++i) { 2335 if (fsg->cmnd[i] && !(mask & (1 << i))) { 2336 if (curlun) 2337 curlun->sense_data = SS_INVALID_FIELD_IN_CDB; 2338 return -EINVAL; 2339 } 2340 } 2341 2342 /* If the medium isn't mounted and the command needs to access 2343 * it, return an error. */ 2344 if (curlun && !fsg_lun_is_open(curlun) && needs_medium) { 2345 curlun->sense_data = SS_MEDIUM_NOT_PRESENT; 2346 return -EINVAL; 2347 } 2348 2349 return 0; 2350} 2351 2352/* wrapper of check_command for data size in blocks handling */ 2353static int check_command_size_in_blocks(struct fsg_dev *fsg, int cmnd_size, 2354 enum data_direction data_dir, unsigned int mask, 2355 int needs_medium, const char *name) 2356{ 2357 if (fsg->curlun) 2358 fsg->data_size_from_cmnd <<= fsg->curlun->blkbits; 2359 return check_command(fsg, cmnd_size, data_dir, 2360 mask, needs_medium, name); 2361} 2362 2363static int do_scsi_command(struct fsg_dev *fsg) 2364{ 2365 struct fsg_buffhd *bh; 2366 int rc; 2367 int reply = -EINVAL; 2368 int i; 2369 static char unknown[16]; 2370 2371 dump_cdb(fsg); 2372 2373 /* Wait for the next buffer to become available for data or status */ 2374 bh = fsg->next_buffhd_to_drain = fsg->next_buffhd_to_fill; 2375 while (bh->state != BUF_STATE_EMPTY) { 2376 rc = sleep_thread(fsg); 2377 if (rc) 2378 return rc; 2379 } 2380 fsg->phase_error = 0; 2381 fsg->short_packet_received = 0; 2382 2383 down_read(&fsg->filesem); // We're using the backing file 2384 switch (fsg->cmnd[0]) { 2385 2386 case INQUIRY: 2387 fsg->data_size_from_cmnd = fsg->cmnd[4]; 2388 if ((reply = check_command(fsg, 6, DATA_DIR_TO_HOST, 2389 (1<<4), 0, 2390 "INQUIRY")) == 0) 2391 reply = do_inquiry(fsg, bh); 2392 break; 2393 2394 case MODE_SELECT: 2395 fsg->data_size_from_cmnd = fsg->cmnd[4]; 2396 if ((reply = check_command(fsg, 6, DATA_DIR_FROM_HOST, 2397 (1<<1) | (1<<4), 0, 2398 "MODE SELECT(6)")) == 0) 2399 reply = do_mode_select(fsg, bh); 2400 break; 2401 2402 case MODE_SELECT_10: 2403 fsg->data_size_from_cmnd = get_unaligned_be16(&fsg->cmnd[7]); 2404 if ((reply = check_command(fsg, 10, DATA_DIR_FROM_HOST, 2405 (1<<1) | (3<<7), 0, 2406 "MODE SELECT(10)")) == 0) 2407 reply = do_mode_select(fsg, bh); 2408 break; 2409 2410 case MODE_SENSE: 2411 fsg->data_size_from_cmnd = fsg->cmnd[4]; 2412 if ((reply = check_command(fsg, 6, DATA_DIR_TO_HOST, 2413 (1<<1) | (1<<2) | (1<<4), 0, 2414 "MODE SENSE(6)")) == 0) 2415 reply = do_mode_sense(fsg, bh); 2416 break; 2417 2418 case MODE_SENSE_10: 2419 fsg->data_size_from_cmnd = get_unaligned_be16(&fsg->cmnd[7]); 2420 if ((reply = check_command(fsg, 10, DATA_DIR_TO_HOST, 2421 (1<<1) | (1<<2) | (3<<7), 0, 2422 "MODE SENSE(10)")) == 0) 2423 reply = do_mode_sense(fsg, bh); 2424 break; 2425 2426 case ALLOW_MEDIUM_REMOVAL: 2427 fsg->data_size_from_cmnd = 0; 2428 if ((reply = check_command(fsg, 6, DATA_DIR_NONE, 2429 (1<<4), 0, 2430 "PREVENT-ALLOW MEDIUM REMOVAL")) == 0) 2431 reply = do_prevent_allow(fsg); 2432 break; 2433 2434 case READ_6: 2435 i = fsg->cmnd[4]; 2436 fsg->data_size_from_cmnd = (i == 0) ? 256 : i; 2437 if ((reply = check_command_size_in_blocks(fsg, 6, 2438 DATA_DIR_TO_HOST, 2439 (7<<1) | (1<<4), 1, 2440 "READ(6)")) == 0) 2441 reply = do_read(fsg); 2442 break; 2443 2444 case READ_10: 2445 fsg->data_size_from_cmnd = get_unaligned_be16(&fsg->cmnd[7]); 2446 if ((reply = check_command_size_in_blocks(fsg, 10, 2447 DATA_DIR_TO_HOST, 2448 (1<<1) | (0xf<<2) | (3<<7), 1, 2449 "READ(10)")) == 0) 2450 reply = do_read(fsg); 2451 break; 2452 2453 case READ_12: 2454 fsg->data_size_from_cmnd = get_unaligned_be32(&fsg->cmnd[6]); 2455 if ((reply = check_command_size_in_blocks(fsg, 12, 2456 DATA_DIR_TO_HOST, 2457 (1<<1) | (0xf<<2) | (0xf<<6), 1, 2458 "READ(12)")) == 0) 2459 reply = do_read(fsg); 2460 break; 2461 2462 case READ_CAPACITY: 2463 fsg->data_size_from_cmnd = 8; 2464 if ((reply = check_command(fsg, 10, DATA_DIR_TO_HOST, 2465 (0xf<<2) | (1<<8), 1, 2466 "READ CAPACITY")) == 0) 2467 reply = do_read_capacity(fsg, bh); 2468 break; 2469 2470 case READ_HEADER: 2471 if (!mod_data.cdrom) 2472 goto unknown_cmnd; 2473 fsg->data_size_from_cmnd = get_unaligned_be16(&fsg->cmnd[7]); 2474 if ((reply = check_command(fsg, 10, DATA_DIR_TO_HOST, 2475 (3<<7) | (0x1f<<1), 1, 2476 "READ HEADER")) == 0) 2477 reply = do_read_header(fsg, bh); 2478 break; 2479 2480 case READ_TOC: 2481 if (!mod_data.cdrom) 2482 goto unknown_cmnd; 2483 fsg->data_size_from_cmnd = get_unaligned_be16(&fsg->cmnd[7]); 2484 if ((reply = check_command(fsg, 10, DATA_DIR_TO_HOST, 2485 (7<<6) | (1<<1), 1, 2486 "READ TOC")) == 0) 2487 reply = do_read_toc(fsg, bh); 2488 break; 2489 2490 case READ_FORMAT_CAPACITIES: 2491 fsg->data_size_from_cmnd = get_unaligned_be16(&fsg->cmnd[7]); 2492 if ((reply = check_command(fsg, 10, DATA_DIR_TO_HOST, 2493 (3<<7), 1, 2494 "READ FORMAT CAPACITIES")) == 0) 2495 reply = do_read_format_capacities(fsg, bh); 2496 break; 2497 2498 case REQUEST_SENSE: 2499 fsg->data_size_from_cmnd = fsg->cmnd[4]; 2500 if ((reply = check_command(fsg, 6, DATA_DIR_TO_HOST, 2501 (1<<4), 0, 2502 "REQUEST SENSE")) == 0) 2503 reply = do_request_sense(fsg, bh); 2504 break; 2505 2506 case START_STOP: 2507 fsg->data_size_from_cmnd = 0; 2508 if ((reply = check_command(fsg, 6, DATA_DIR_NONE, 2509 (1<<1) | (1<<4), 0, 2510 "START-STOP UNIT")) == 0) 2511 reply = do_start_stop(fsg); 2512 break; 2513 2514 case SYNCHRONIZE_CACHE: 2515 fsg->data_size_from_cmnd = 0; 2516 if ((reply = check_command(fsg, 10, DATA_DIR_NONE, 2517 (0xf<<2) | (3<<7), 1, 2518 "SYNCHRONIZE CACHE")) == 0) 2519 reply = do_synchronize_cache(fsg); 2520 break; 2521 2522 case TEST_UNIT_READY: 2523 fsg->data_size_from_cmnd = 0; 2524 reply = check_command(fsg, 6, DATA_DIR_NONE, 2525 0, 1, 2526 "TEST UNIT READY"); 2527 break; 2528 2529 /* Although optional, this command is used by MS-Windows. We 2530 * support a minimal version: BytChk must be 0. */ 2531 case VERIFY: 2532 fsg->data_size_from_cmnd = 0; 2533 if ((reply = check_command(fsg, 10, DATA_DIR_NONE, 2534 (1<<1) | (0xf<<2) | (3<<7), 1, 2535 "VERIFY")) == 0) 2536 reply = do_verify(fsg); 2537 break; 2538 2539 case WRITE_6: 2540 i = fsg->cmnd[4]; 2541 fsg->data_size_from_cmnd = (i == 0) ? 256 : i; 2542 if ((reply = check_command_size_in_blocks(fsg, 6, 2543 DATA_DIR_FROM_HOST, 2544 (7<<1) | (1<<4), 1, 2545 "WRITE(6)")) == 0) 2546 reply = do_write(fsg); 2547 break; 2548 2549 case WRITE_10: 2550 fsg->data_size_from_cmnd = get_unaligned_be16(&fsg->cmnd[7]); 2551 if ((reply = check_command_size_in_blocks(fsg, 10, 2552 DATA_DIR_FROM_HOST, 2553 (1<<1) | (0xf<<2) | (3<<7), 1, 2554 "WRITE(10)")) == 0) 2555 reply = do_write(fsg); 2556 break; 2557 2558 case WRITE_12: 2559 fsg->data_size_from_cmnd = get_unaligned_be32(&fsg->cmnd[6]); 2560 if ((reply = check_command_size_in_blocks(fsg, 12, 2561 DATA_DIR_FROM_HOST, 2562 (1<<1) | (0xf<<2) | (0xf<<6), 1, 2563 "WRITE(12)")) == 0) 2564 reply = do_write(fsg); 2565 break; 2566 2567 /* Some mandatory commands that we recognize but don't implement. 2568 * They don't mean much in this setting. It's left as an exercise 2569 * for anyone interested to implement RESERVE and RELEASE in terms 2570 * of Posix locks. */ 2571 case FORMAT_UNIT: 2572 case RELEASE: 2573 case RESERVE: 2574 case SEND_DIAGNOSTIC: 2575 // Fall through 2576 2577 default: 2578 unknown_cmnd: 2579 fsg->data_size_from_cmnd = 0; 2580 sprintf(unknown, "Unknown x%02x", fsg->cmnd[0]); 2581 if ((reply = check_command(fsg, fsg->cmnd_size, 2582 DATA_DIR_UNKNOWN, ~0, 0, unknown)) == 0) { 2583 fsg->curlun->sense_data = SS_INVALID_COMMAND; 2584 reply = -EINVAL; 2585 } 2586 break; 2587 } 2588 up_read(&fsg->filesem); 2589 2590 if (reply == -EINTR || signal_pending(current)) 2591 return -EINTR; 2592 2593 /* Set up the single reply buffer for finish_reply() */ 2594 if (reply == -EINVAL) 2595 reply = 0; // Error reply length 2596 if (reply >= 0 && fsg->data_dir == DATA_DIR_TO_HOST) { 2597 reply = min((u32) reply, fsg->data_size_from_cmnd); 2598 bh->inreq->length = reply; 2599 bh->state = BUF_STATE_FULL; 2600 fsg->residue -= reply; 2601 } // Otherwise it's already set 2602 2603 return 0; 2604} 2605 2606 2607/*-------------------------------------------------------------------------*/ 2608 2609static int received_cbw(struct fsg_dev *fsg, struct fsg_buffhd *bh) 2610{ 2611 struct usb_request *req = bh->outreq; 2612 struct bulk_cb_wrap *cbw = req->buf; 2613 2614 /* Was this a real packet? Should it be ignored? */ 2615 if (req->status || test_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags)) 2616 return -EINVAL; 2617 2618 /* Is the CBW valid? */ 2619 if (req->actual != US_BULK_CB_WRAP_LEN || 2620 cbw->Signature != cpu_to_le32( 2621 US_BULK_CB_SIGN)) { 2622 DBG(fsg, "invalid CBW: len %u sig 0x%x\n", 2623 req->actual, 2624 le32_to_cpu(cbw->Signature)); 2625 2626 /* The Bulk-only spec says we MUST stall the IN endpoint 2627 * (6.6.1), so it's unavoidable. It also says we must 2628 * retain this state until the next reset, but there's 2629 * no way to tell the controller driver it should ignore 2630 * Clear-Feature(HALT) requests. 2631 * 2632 * We aren't required to halt the OUT endpoint; instead 2633 * we can simply accept and discard any data received 2634 * until the next reset. */ 2635 wedge_bulk_in_endpoint(fsg); 2636 set_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags); 2637 return -EINVAL; 2638 } 2639 2640 /* Is the CBW meaningful? */ 2641 if (cbw->Lun >= FSG_MAX_LUNS || cbw->Flags & ~US_BULK_FLAG_IN || 2642 cbw->Length <= 0 || cbw->Length > MAX_COMMAND_SIZE) { 2643 DBG(fsg, "non-meaningful CBW: lun = %u, flags = 0x%x, " 2644 "cmdlen %u\n", 2645 cbw->Lun, cbw->Flags, cbw->Length); 2646 2647 /* We can do anything we want here, so let's stall the 2648 * bulk pipes if we are allowed to. */ 2649 if (mod_data.can_stall) { 2650 fsg_set_halt(fsg, fsg->bulk_out); 2651 halt_bulk_in_endpoint(fsg); 2652 } 2653 return -EINVAL; 2654 } 2655 2656 /* Save the command for later */ 2657 fsg->cmnd_size = cbw->Length; 2658 memcpy(fsg->cmnd, cbw->CDB, fsg->cmnd_size); 2659 if (cbw->Flags & US_BULK_FLAG_IN) 2660 fsg->data_dir = DATA_DIR_TO_HOST; 2661 else 2662 fsg->data_dir = DATA_DIR_FROM_HOST; 2663 fsg->data_size = le32_to_cpu(cbw->DataTransferLength); 2664 if (fsg->data_size == 0) 2665 fsg->data_dir = DATA_DIR_NONE; 2666 fsg->lun = cbw->Lun; 2667 fsg->tag = cbw->Tag; 2668 return 0; 2669} 2670 2671 2672static int get_next_command(struct fsg_dev *fsg) 2673{ 2674 struct fsg_buffhd *bh; 2675 int rc = 0; 2676 2677 if (transport_is_bbb()) { 2678 2679 /* Wait for the next buffer to become available */ 2680 bh = fsg->next_buffhd_to_fill; 2681 while (bh->state != BUF_STATE_EMPTY) { 2682 rc = sleep_thread(fsg); 2683 if (rc) 2684 return rc; 2685 } 2686 2687 /* Queue a request to read a Bulk-only CBW */ 2688 set_bulk_out_req_length(fsg, bh, US_BULK_CB_WRAP_LEN); 2689 start_transfer(fsg, fsg->bulk_out, bh->outreq, 2690 &bh->outreq_busy, &bh->state); 2691 2692 /* We will drain the buffer in software, which means we 2693 * can reuse it for the next filling. No need to advance 2694 * next_buffhd_to_fill. */ 2695 2696 /* Wait for the CBW to arrive */ 2697 while (bh->state != BUF_STATE_FULL) { 2698 rc = sleep_thread(fsg); 2699 if (rc) 2700 return rc; 2701 } 2702 smp_rmb(); 2703 rc = received_cbw(fsg, bh); 2704 bh->state = BUF_STATE_EMPTY; 2705 2706 } else { // USB_PR_CB or USB_PR_CBI 2707 2708 /* Wait for the next command to arrive */ 2709 while (fsg->cbbuf_cmnd_size == 0) { 2710 rc = sleep_thread(fsg); 2711 if (rc) 2712 return rc; 2713 } 2714 2715 /* Is the previous status interrupt request still busy? 2716 * The host is allowed to skip reading the status, 2717 * so we must cancel it. */ 2718 if (fsg->intreq_busy) 2719 usb_ep_dequeue(fsg->intr_in, fsg->intreq); 2720 2721 /* Copy the command and mark the buffer empty */ 2722 fsg->data_dir = DATA_DIR_UNKNOWN; 2723 spin_lock_irq(&fsg->lock); 2724 fsg->cmnd_size = fsg->cbbuf_cmnd_size; 2725 memcpy(fsg->cmnd, fsg->cbbuf_cmnd, fsg->cmnd_size); 2726 fsg->cbbuf_cmnd_size = 0; 2727 spin_unlock_irq(&fsg->lock); 2728 2729 /* Use LUN from the command */ 2730 fsg->lun = fsg->cmnd[1] >> 5; 2731 } 2732 2733 /* Update current lun */ 2734 if (fsg->lun >= 0 && fsg->lun < fsg->nluns) 2735 fsg->curlun = &fsg->luns[fsg->lun]; 2736 else 2737 fsg->curlun = NULL; 2738 2739 return rc; 2740} 2741 2742 2743/*-------------------------------------------------------------------------*/ 2744 2745static int enable_endpoint(struct fsg_dev *fsg, struct usb_ep *ep, 2746 const struct usb_endpoint_descriptor *d) 2747{ 2748 int rc; 2749 2750 ep->driver_data = fsg; 2751 ep->desc = d; 2752 rc = usb_ep_enable(ep); 2753 if (rc) 2754 ERROR(fsg, "can't enable %s, result %d\n", ep->name, rc); 2755 return rc; 2756} 2757 2758static int alloc_request(struct fsg_dev *fsg, struct usb_ep *ep, 2759 struct usb_request **preq) 2760{ 2761 *preq = usb_ep_alloc_request(ep, GFP_ATOMIC); 2762 if (*preq) 2763 return 0; 2764 ERROR(fsg, "can't allocate request for %s\n", ep->name); 2765 return -ENOMEM; 2766} 2767 2768/* 2769 * Reset interface setting and re-init endpoint state (toggle etc). 2770 * Call with altsetting < 0 to disable the interface. The only other 2771 * available altsetting is 0, which enables the interface. 2772 */ 2773static int do_set_interface(struct fsg_dev *fsg, int altsetting) 2774{ 2775 int rc = 0; 2776 int i; 2777 const struct usb_endpoint_descriptor *d; 2778 2779 if (fsg->running) 2780 DBG(fsg, "reset interface\n"); 2781 2782reset: 2783 /* Deallocate the requests */ 2784 for (i = 0; i < fsg_num_buffers; ++i) { 2785 struct fsg_buffhd *bh = &fsg->buffhds[i]; 2786 2787 if (bh->inreq) { 2788 usb_ep_free_request(fsg->bulk_in, bh->inreq); 2789 bh->inreq = NULL; 2790 } 2791 if (bh->outreq) { 2792 usb_ep_free_request(fsg->bulk_out, bh->outreq); 2793 bh->outreq = NULL; 2794 } 2795 } 2796 if (fsg->intreq) { 2797 usb_ep_free_request(fsg->intr_in, fsg->intreq); 2798 fsg->intreq = NULL; 2799 } 2800 2801 /* Disable the endpoints */ 2802 if (fsg->bulk_in_enabled) { 2803 usb_ep_disable(fsg->bulk_in); 2804 fsg->bulk_in_enabled = 0; 2805 } 2806 if (fsg->bulk_out_enabled) { 2807 usb_ep_disable(fsg->bulk_out); 2808 fsg->bulk_out_enabled = 0; 2809 } 2810 if (fsg->intr_in_enabled) { 2811 usb_ep_disable(fsg->intr_in); 2812 fsg->intr_in_enabled = 0; 2813 } 2814 2815 fsg->running = 0; 2816 if (altsetting < 0 || rc != 0) 2817 return rc; 2818 2819 DBG(fsg, "set interface %d\n", altsetting); 2820 2821 /* Enable the endpoints */ 2822 d = fsg_ep_desc(fsg->gadget, 2823 &fsg_fs_bulk_in_desc, &fsg_hs_bulk_in_desc, 2824 &fsg_ss_bulk_in_desc); 2825 if ((rc = enable_endpoint(fsg, fsg->bulk_in, d)) != 0) 2826 goto reset; 2827 fsg->bulk_in_enabled = 1; 2828 2829 d = fsg_ep_desc(fsg->gadget, 2830 &fsg_fs_bulk_out_desc, &fsg_hs_bulk_out_desc, 2831 &fsg_ss_bulk_out_desc); 2832 if ((rc = enable_endpoint(fsg, fsg->bulk_out, d)) != 0) 2833 goto reset; 2834 fsg->bulk_out_enabled = 1; 2835 fsg->bulk_out_maxpacket = usb_endpoint_maxp(d); 2836 clear_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags); 2837 2838 if (transport_is_cbi()) { 2839 d = fsg_ep_desc(fsg->gadget, 2840 &fsg_fs_intr_in_desc, &fsg_hs_intr_in_desc, 2841 &fsg_ss_intr_in_desc); 2842 if ((rc = enable_endpoint(fsg, fsg->intr_in, d)) != 0) 2843 goto reset; 2844 fsg->intr_in_enabled = 1; 2845 } 2846 2847 /* Allocate the requests */ 2848 for (i = 0; i < fsg_num_buffers; ++i) { 2849 struct fsg_buffhd *bh = &fsg->buffhds[i]; 2850 2851 if ((rc = alloc_request(fsg, fsg->bulk_in, &bh->inreq)) != 0) 2852 goto reset; 2853 if ((rc = alloc_request(fsg, fsg->bulk_out, &bh->outreq)) != 0) 2854 goto reset; 2855 bh->inreq->buf = bh->outreq->buf = bh->buf; 2856 bh->inreq->context = bh->outreq->context = bh; 2857 bh->inreq->complete = bulk_in_complete; 2858 bh->outreq->complete = bulk_out_complete; 2859 } 2860 if (transport_is_cbi()) { 2861 if ((rc = alloc_request(fsg, fsg->intr_in, &fsg->intreq)) != 0) 2862 goto reset; 2863 fsg->intreq->complete = intr_in_complete; 2864 } 2865 2866 fsg->running = 1; 2867 for (i = 0; i < fsg->nluns; ++i) 2868 fsg->luns[i].unit_attention_data = SS_RESET_OCCURRED; 2869 return rc; 2870} 2871 2872 2873/* 2874 * Change our operational configuration. This code must agree with the code 2875 * that returns config descriptors, and with interface altsetting code. 2876 * 2877 * It's also responsible for power management interactions. Some 2878 * configurations might not work with our current power sources. 2879 * For now we just assume the gadget is always self-powered. 2880 */ 2881static int do_set_config(struct fsg_dev *fsg, u8 new_config) 2882{ 2883 int rc = 0; 2884 2885 /* Disable the single interface */ 2886 if (fsg->config != 0) { 2887 DBG(fsg, "reset config\n"); 2888 fsg->config = 0; 2889 rc = do_set_interface(fsg, -1); 2890 } 2891 2892 /* Enable the interface */ 2893 if (new_config != 0) { 2894 fsg->config = new_config; 2895 if ((rc = do_set_interface(fsg, 0)) != 0) 2896 fsg->config = 0; // Reset on errors 2897 else 2898 INFO(fsg, "%s config #%d\n", 2899 usb_speed_string(fsg->gadget->speed), 2900 fsg->config); 2901 } 2902 return rc; 2903} 2904 2905 2906/*-------------------------------------------------------------------------*/ 2907 2908static void handle_exception(struct fsg_dev *fsg) 2909{ 2910 siginfo_t info; 2911 int sig; 2912 int i; 2913 int num_active; 2914 struct fsg_buffhd *bh; 2915 enum fsg_state old_state; 2916 u8 new_config; 2917 struct fsg_lun *curlun; 2918 unsigned int exception_req_tag; 2919 int rc; 2920 2921 /* Clear the existing signals. Anything but SIGUSR1 is converted 2922 * into a high-priority EXIT exception. */ 2923 for (;;) { 2924 sig = dequeue_signal_lock(current, ¤t->blocked, &info); 2925 if (!sig) 2926 break; 2927 if (sig != SIGUSR1) { 2928 if (fsg->state < FSG_STATE_EXIT) 2929 DBG(fsg, "Main thread exiting on signal\n"); 2930 raise_exception(fsg, FSG_STATE_EXIT); 2931 } 2932 } 2933 2934 /* Cancel all the pending transfers */ 2935 if (fsg->intreq_busy) 2936 usb_ep_dequeue(fsg->intr_in, fsg->intreq); 2937 for (i = 0; i < fsg_num_buffers; ++i) { 2938 bh = &fsg->buffhds[i]; 2939 if (bh->inreq_busy) 2940 usb_ep_dequeue(fsg->bulk_in, bh->inreq); 2941 if (bh->outreq_busy) 2942 usb_ep_dequeue(fsg->bulk_out, bh->outreq); 2943 } 2944 2945 /* Wait until everything is idle */ 2946 for (;;) { 2947 num_active = fsg->intreq_busy; 2948 for (i = 0; i < fsg_num_buffers; ++i) { 2949 bh = &fsg->buffhds[i]; 2950 num_active += bh->inreq_busy + bh->outreq_busy; 2951 } 2952 if (num_active == 0) 2953 break; 2954 if (sleep_thread(fsg)) 2955 return; 2956 } 2957 2958 /* Clear out the controller's fifos */ 2959 if (fsg->bulk_in_enabled) 2960 usb_ep_fifo_flush(fsg->bulk_in); 2961 if (fsg->bulk_out_enabled) 2962 usb_ep_fifo_flush(fsg->bulk_out); 2963 if (fsg->intr_in_enabled) 2964 usb_ep_fifo_flush(fsg->intr_in); 2965 2966 /* Reset the I/O buffer states and pointers, the SCSI 2967 * state, and the exception. Then invoke the handler. */ 2968 spin_lock_irq(&fsg->lock); 2969 2970 for (i = 0; i < fsg_num_buffers; ++i) { 2971 bh = &fsg->buffhds[i]; 2972 bh->state = BUF_STATE_EMPTY; 2973 } 2974 fsg->next_buffhd_to_fill = fsg->next_buffhd_to_drain = 2975 &fsg->buffhds[0]; 2976 2977 exception_req_tag = fsg->exception_req_tag; 2978 new_config = fsg->new_config; 2979 old_state = fsg->state; 2980 2981 if (old_state == FSG_STATE_ABORT_BULK_OUT) 2982 fsg->state = FSG_STATE_STATUS_PHASE; 2983 else { 2984 for (i = 0; i < fsg->nluns; ++i) { 2985 curlun = &fsg->luns[i]; 2986 curlun->prevent_medium_removal = 0; 2987 curlun->sense_data = curlun->unit_attention_data = 2988 SS_NO_SENSE; 2989 curlun->sense_data_info = 0; 2990 curlun->info_valid = 0; 2991 } 2992 fsg->state = FSG_STATE_IDLE; 2993 } 2994 spin_unlock_irq(&fsg->lock); 2995 2996 /* Carry out any extra actions required for the exception */ 2997 switch (old_state) { 2998 default: 2999 break; 3000 3001 case FSG_STATE_ABORT_BULK_OUT: 3002 send_status(fsg); 3003 spin_lock_irq(&fsg->lock); 3004 if (fsg->state == FSG_STATE_STATUS_PHASE) 3005 fsg->state = FSG_STATE_IDLE; 3006 spin_unlock_irq(&fsg->lock); 3007 break; 3008 3009 case FSG_STATE_RESET: 3010 /* In case we were forced against our will to halt a 3011 * bulk endpoint, clear the halt now. (The SuperH UDC 3012 * requires this.) */ 3013 if (test_and_clear_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags)) 3014 usb_ep_clear_halt(fsg->bulk_in); 3015 3016 if (transport_is_bbb()) { 3017 if (fsg->ep0_req_tag == exception_req_tag) 3018 ep0_queue(fsg); // Complete the status stage 3019 3020 } else if (transport_is_cbi()) 3021 send_status(fsg); // Status by interrupt pipe 3022 3023 /* Technically this should go here, but it would only be 3024 * a waste of time. Ditto for the INTERFACE_CHANGE and 3025 * CONFIG_CHANGE cases. */ 3026 // for (i = 0; i < fsg->nluns; ++i) 3027 // fsg->luns[i].unit_attention_data = SS_RESET_OCCURRED; 3028 break; 3029 3030 case FSG_STATE_INTERFACE_CHANGE: 3031 rc = do_set_interface(fsg, 0); 3032 if (fsg->ep0_req_tag != exception_req_tag) 3033 break; 3034 if (rc != 0) // STALL on errors 3035 fsg_set_halt(fsg, fsg->ep0); 3036 else // Complete the status stage 3037 ep0_queue(fsg); 3038 break; 3039 3040 case FSG_STATE_CONFIG_CHANGE: 3041 rc = do_set_config(fsg, new_config); 3042 if (fsg->ep0_req_tag != exception_req_tag) 3043 break; 3044 if (rc != 0) // STALL on errors 3045 fsg_set_halt(fsg, fsg->ep0); 3046 else // Complete the status stage 3047 ep0_queue(fsg); 3048 break; 3049 3050 case FSG_STATE_DISCONNECT: 3051 for (i = 0; i < fsg->nluns; ++i) 3052 fsg_lun_fsync_sub(fsg->luns + i); 3053 do_set_config(fsg, 0); // Unconfigured state 3054 break; 3055 3056 case FSG_STATE_EXIT: 3057 case FSG_STATE_TERMINATED: 3058 do_set_config(fsg, 0); // Free resources 3059 spin_lock_irq(&fsg->lock); 3060 fsg->state = FSG_STATE_TERMINATED; // Stop the thread 3061 spin_unlock_irq(&fsg->lock); 3062 break; 3063 } 3064} 3065 3066 3067/*-------------------------------------------------------------------------*/ 3068 3069static int fsg_main_thread(void *fsg_) 3070{ 3071 struct fsg_dev *fsg = fsg_; 3072 3073 /* Allow the thread to be killed by a signal, but set the signal mask 3074 * to block everything but INT, TERM, KILL, and USR1. */ 3075 allow_signal(SIGINT); 3076 allow_signal(SIGTERM); 3077 allow_signal(SIGKILL); 3078 allow_signal(SIGUSR1); 3079 3080 /* Allow the thread to be frozen */ 3081 set_freezable(); 3082 3083 /* Arrange for userspace references to be interpreted as kernel 3084 * pointers. That way we can pass a kernel pointer to a routine 3085 * that expects a __user pointer and it will work okay. */ 3086 set_fs(get_ds()); 3087 3088 /* The main loop */ 3089 while (fsg->state != FSG_STATE_TERMINATED) { 3090 if (exception_in_progress(fsg) || signal_pending(current)) { 3091 handle_exception(fsg); 3092 continue; 3093 } 3094 3095 if (!fsg->running) { 3096 sleep_thread(fsg); 3097 continue; 3098 } 3099 3100 if (get_next_command(fsg)) 3101 continue; 3102 3103 spin_lock_irq(&fsg->lock); 3104 if (!exception_in_progress(fsg)) 3105 fsg->state = FSG_STATE_DATA_PHASE; 3106 spin_unlock_irq(&fsg->lock); 3107 3108 if (do_scsi_command(fsg) || finish_reply(fsg)) 3109 continue; 3110 3111 spin_lock_irq(&fsg->lock); 3112 if (!exception_in_progress(fsg)) 3113 fsg->state = FSG_STATE_STATUS_PHASE; 3114 spin_unlock_irq(&fsg->lock); 3115 3116 if (send_status(fsg)) 3117 continue; 3118 3119 spin_lock_irq(&fsg->lock); 3120 if (!exception_in_progress(fsg)) 3121 fsg->state = FSG_STATE_IDLE; 3122 spin_unlock_irq(&fsg->lock); 3123 } 3124 3125 spin_lock_irq(&fsg->lock); 3126 fsg->thread_task = NULL; 3127 spin_unlock_irq(&fsg->lock); 3128 3129 /* If we are exiting because of a signal, unregister the 3130 * gadget driver. */ 3131 if (test_and_clear_bit(REGISTERED, &fsg->atomic_bitflags)) 3132 usb_gadget_unregister_driver(&fsg_driver); 3133 3134 /* Let the unbind and cleanup routines know the thread has exited */ 3135 complete_and_exit(&fsg->thread_notifier, 0); 3136} 3137 3138 3139/*-------------------------------------------------------------------------*/ 3140 3141 3142/* The write permissions and store_xxx pointers are set in fsg_bind() */ 3143static DEVICE_ATTR(ro, 0444, fsg_show_ro, NULL); 3144static DEVICE_ATTR(nofua, 0644, fsg_show_nofua, NULL); 3145static DEVICE_ATTR(file, 0444, fsg_show_file, NULL); 3146 3147 3148/*-------------------------------------------------------------------------*/ 3149 3150static void fsg_release(struct kref *ref) 3151{ 3152 struct fsg_dev *fsg = container_of(ref, struct fsg_dev, ref); 3153 3154 kfree(fsg->luns); 3155 kfree(fsg); 3156} 3157 3158static void lun_release(struct device *dev) 3159{ 3160 struct rw_semaphore *filesem = dev_get_drvdata(dev); 3161 struct fsg_dev *fsg = 3162 container_of(filesem, struct fsg_dev, filesem); 3163 3164 kref_put(&fsg->ref, fsg_release); 3165} 3166 3167static void /* __init_or_exit */ fsg_unbind(struct usb_gadget *gadget) 3168{ 3169 struct fsg_dev *fsg = get_gadget_data(gadget); 3170 int i; 3171 struct fsg_lun *curlun; 3172 struct usb_request *req = fsg->ep0req; 3173 3174 DBG(fsg, "unbind\n"); 3175 clear_bit(REGISTERED, &fsg->atomic_bitflags); 3176 3177 /* If the thread isn't already dead, tell it to exit now */ 3178 if (fsg->state != FSG_STATE_TERMINATED) { 3179 raise_exception(fsg, FSG_STATE_EXIT); 3180 wait_for_completion(&fsg->thread_notifier); 3181 3182 /* The cleanup routine waits for this completion also */ 3183 complete(&fsg->thread_notifier); 3184 } 3185 3186 /* Unregister the sysfs attribute files and the LUNs */ 3187 for (i = 0; i < fsg->nluns; ++i) { 3188 curlun = &fsg->luns[i]; 3189 if (curlun->registered) { 3190 device_remove_file(&curlun->dev, &dev_attr_nofua); 3191 device_remove_file(&curlun->dev, &dev_attr_ro); 3192 device_remove_file(&curlun->dev, &dev_attr_file); 3193 fsg_lun_close(curlun); 3194 device_unregister(&curlun->dev); 3195 curlun->registered = 0; 3196 } 3197 } 3198 3199 /* Free the data buffers */ 3200 for (i = 0; i < fsg_num_buffers; ++i) 3201 kfree(fsg->buffhds[i].buf); 3202 3203 /* Free the request and buffer for endpoint 0 */ 3204 if (req) { 3205 kfree(req->buf); 3206 usb_ep_free_request(fsg->ep0, req); 3207 } 3208 3209 set_gadget_data(gadget, NULL); 3210} 3211 3212 3213static int __init check_parameters(struct fsg_dev *fsg) 3214{ 3215 int prot; 3216 int gcnum; 3217 3218 /* Store the default values */ 3219 mod_data.transport_type = USB_PR_BULK; 3220 mod_data.transport_name = "Bulk-only"; 3221 mod_data.protocol_type = USB_SC_SCSI; 3222 mod_data.protocol_name = "Transparent SCSI"; 3223 3224 /* Some peripheral controllers are known not to be able to 3225 * halt bulk endpoints correctly. If one of them is present, 3226 * disable stalls. 3227 */ 3228 if (gadget_is_at91(fsg->gadget)) 3229 mod_data.can_stall = 0; 3230 3231 if (mod_data.release == 0xffff) { // Parameter wasn't set 3232 gcnum = usb_gadget_controller_number(fsg->gadget); 3233 if (gcnum >= 0) 3234 mod_data.release = 0x0300 + gcnum; 3235 else { 3236 WARNING(fsg, "controller '%s' not recognized\n", 3237 fsg->gadget->name); 3238 mod_data.release = 0x0399; 3239 } 3240 } 3241 3242 prot = simple_strtol(mod_data.protocol_parm, NULL, 0); 3243 3244#ifdef CONFIG_USB_FILE_STORAGE_TEST 3245 if (strnicmp(mod_data.transport_parm, "BBB", 10) == 0) { 3246 ; // Use default setting 3247 } else if (strnicmp(mod_data.transport_parm, "CB", 10) == 0) { 3248 mod_data.transport_type = USB_PR_CB; 3249 mod_data.transport_name = "Control-Bulk"; 3250 } else if (strnicmp(mod_data.transport_parm, "CBI", 10) == 0) { 3251 mod_data.transport_type = USB_PR_CBI; 3252 mod_data.transport_name = "Control-Bulk-Interrupt"; 3253 } else { 3254 ERROR(fsg, "invalid transport: %s\n", mod_data.transport_parm); 3255 return -EINVAL; 3256 } 3257 3258 if (strnicmp(mod_data.protocol_parm, "SCSI", 10) == 0 || 3259 prot == USB_SC_SCSI) { 3260 ; // Use default setting 3261 } else if (strnicmp(mod_data.protocol_parm, "RBC", 10) == 0 || 3262 prot == USB_SC_RBC) { 3263 mod_data.protocol_type = USB_SC_RBC; 3264 mod_data.protocol_name = "RBC"; 3265 } else if (strnicmp(mod_data.protocol_parm, "8020", 4) == 0 || 3266 strnicmp(mod_data.protocol_parm, "ATAPI", 10) == 0 || 3267 prot == USB_SC_8020) { 3268 mod_data.protocol_type = USB_SC_8020; 3269 mod_data.protocol_name = "8020i (ATAPI)"; 3270 } else if (strnicmp(mod_data.protocol_parm, "QIC", 3) == 0 || 3271 prot == USB_SC_QIC) { 3272 mod_data.protocol_type = USB_SC_QIC; 3273 mod_data.protocol_name = "QIC-157"; 3274 } else if (strnicmp(mod_data.protocol_parm, "UFI", 10) == 0 || 3275 prot == USB_SC_UFI) { 3276 mod_data.protocol_type = USB_SC_UFI; 3277 mod_data.protocol_name = "UFI"; 3278 } else if (strnicmp(mod_data.protocol_parm, "8070", 4) == 0 || 3279 prot == USB_SC_8070) { 3280 mod_data.protocol_type = USB_SC_8070; 3281 mod_data.protocol_name = "8070i"; 3282 } else { 3283 ERROR(fsg, "invalid protocol: %s\n", mod_data.protocol_parm); 3284 return -EINVAL; 3285 } 3286 3287 mod_data.buflen &= PAGE_CACHE_MASK; 3288 if (mod_data.buflen <= 0) { 3289 ERROR(fsg, "invalid buflen\n"); 3290 return -ETOOSMALL; 3291 } 3292 3293#endif /* CONFIG_USB_FILE_STORAGE_TEST */ 3294 3295 /* Serial string handling. 3296 * On a real device, the serial string would be loaded 3297 * from permanent storage. */ 3298 if (mod_data.serial) { 3299 const char *ch; 3300 unsigned len = 0; 3301 3302 /* Sanity check : 3303 * The CB[I] specification limits the serial string to 3304 * 12 uppercase hexadecimal characters. 3305 * BBB need at least 12 uppercase hexadecimal characters, 3306 * with a maximum of 126. */ 3307 for (ch = mod_data.serial; *ch; ++ch) { 3308 ++len; 3309 if ((*ch < '0' || *ch > '9') && 3310 (*ch < 'A' || *ch > 'F')) { /* not uppercase hex */ 3311 WARNING(fsg, 3312 "Invalid serial string character: %c\n", 3313 *ch); 3314 goto no_serial; 3315 } 3316 } 3317 if (len > 126 || 3318 (mod_data.transport_type == USB_PR_BULK && len < 12) || 3319 (mod_data.transport_type != USB_PR_BULK && len > 12)) { 3320 WARNING(fsg, "Invalid serial string length!\n"); 3321 goto no_serial; 3322 } 3323 fsg_strings[FSG_STRING_SERIAL - 1].s = mod_data.serial; 3324 } else { 3325 WARNING(fsg, "No serial-number string provided!\n"); 3326 no_serial: 3327 device_desc.iSerialNumber = 0; 3328 } 3329 3330 return 0; 3331} 3332 3333 3334static int __init fsg_bind(struct usb_gadget *gadget) 3335{ 3336 struct fsg_dev *fsg = the_fsg; 3337 int rc; 3338 int i; 3339 struct fsg_lun *curlun; 3340 struct usb_ep *ep; 3341 struct usb_request *req; 3342 char *pathbuf, *p; 3343 3344 fsg->gadget = gadget; 3345 set_gadget_data(gadget, fsg); 3346 fsg->ep0 = gadget->ep0; 3347 fsg->ep0->driver_data = fsg; 3348 3349 if ((rc = check_parameters(fsg)) != 0) 3350 goto out; 3351 3352 if (mod_data.removable) { // Enable the store_xxx attributes 3353 dev_attr_file.attr.mode = 0644; 3354 dev_attr_file.store = fsg_store_file; 3355 if (!mod_data.cdrom) { 3356 dev_attr_ro.attr.mode = 0644; 3357 dev_attr_ro.store = fsg_store_ro; 3358 } 3359 } 3360 3361 /* Only for removable media? */ 3362 dev_attr_nofua.attr.mode = 0644; 3363 dev_attr_nofua.store = fsg_store_nofua; 3364 3365 /* Find out how many LUNs there should be */ 3366 i = mod_data.nluns; 3367 if (i == 0) 3368 i = max(mod_data.num_filenames, 1u); 3369 if (i > FSG_MAX_LUNS) { 3370 ERROR(fsg, "invalid number of LUNs: %d\n", i); 3371 rc = -EINVAL; 3372 goto out; 3373 } 3374 3375 /* Create the LUNs, open their backing files, and register the 3376 * LUN devices in sysfs. */ 3377 fsg->luns = kzalloc(i * sizeof(struct fsg_lun), GFP_KERNEL); 3378 if (!fsg->luns) { 3379 rc = -ENOMEM; 3380 goto out; 3381 } 3382 fsg->nluns = i; 3383 3384 for (i = 0; i < fsg->nluns; ++i) { 3385 curlun = &fsg->luns[i]; 3386 curlun->cdrom = !!mod_data.cdrom; 3387 curlun->ro = mod_data.cdrom || mod_data.ro[i]; 3388 curlun->initially_ro = curlun->ro; 3389 curlun->removable = mod_data.removable; 3390 curlun->nofua = mod_data.nofua[i]; 3391 curlun->dev.release = lun_release; 3392 curlun->dev.parent = &gadget->dev; 3393 curlun->dev.driver = &fsg_driver.driver; 3394 dev_set_drvdata(&curlun->dev, &fsg->filesem); 3395 dev_set_name(&curlun->dev,"%s-lun%d", 3396 dev_name(&gadget->dev), i); 3397 3398 kref_get(&fsg->ref); 3399 rc = device_register(&curlun->dev); 3400 if (rc) { 3401 INFO(fsg, "failed to register LUN%d: %d\n", i, rc); 3402 put_device(&curlun->dev); 3403 goto out; 3404 } 3405 curlun->registered = 1; 3406 3407 rc = device_create_file(&curlun->dev, &dev_attr_ro); 3408 if (rc) 3409 goto out; 3410 rc = device_create_file(&curlun->dev, &dev_attr_nofua); 3411 if (rc) 3412 goto out; 3413 rc = device_create_file(&curlun->dev, &dev_attr_file); 3414 if (rc) 3415 goto out; 3416 3417 if (mod_data.file[i] && *mod_data.file[i]) { 3418 rc = fsg_lun_open(curlun, mod_data.file[i]); 3419 if (rc) 3420 goto out; 3421 } else if (!mod_data.removable) { 3422 ERROR(fsg, "no file given for LUN%d\n", i); 3423 rc = -EINVAL; 3424 goto out; 3425 } 3426 } 3427 3428 /* Find all the endpoints we will use */ 3429 usb_ep_autoconfig_reset(gadget); 3430 ep = usb_ep_autoconfig(gadget, &fsg_fs_bulk_in_desc); 3431 if (!ep) 3432 goto autoconf_fail; 3433 ep->driver_data = fsg; // claim the endpoint 3434 fsg->bulk_in = ep; 3435 3436 ep = usb_ep_autoconfig(gadget, &fsg_fs_bulk_out_desc); 3437 if (!ep) 3438 goto autoconf_fail; 3439 ep->driver_data = fsg; // claim the endpoint 3440 fsg->bulk_out = ep; 3441 3442 if (transport_is_cbi()) { 3443 ep = usb_ep_autoconfig(gadget, &fsg_fs_intr_in_desc); 3444 if (!ep) 3445 goto autoconf_fail; 3446 ep->driver_data = fsg; // claim the endpoint 3447 fsg->intr_in = ep; 3448 } 3449 3450 /* Fix up the descriptors */ 3451 device_desc.idVendor = cpu_to_le16(mod_data.vendor); 3452 device_desc.idProduct = cpu_to_le16(mod_data.product); 3453 device_desc.bcdDevice = cpu_to_le16(mod_data.release); 3454 3455 i = (transport_is_cbi() ? 3 : 2); // Number of endpoints 3456 fsg_intf_desc.bNumEndpoints = i; 3457 fsg_intf_desc.bInterfaceSubClass = mod_data.protocol_type; 3458 fsg_intf_desc.bInterfaceProtocol = mod_data.transport_type; 3459 fsg_fs_function[i + FSG_FS_FUNCTION_PRE_EP_ENTRIES] = NULL; 3460 3461 if (gadget_is_dualspeed(gadget)) { 3462 fsg_hs_function[i + FSG_HS_FUNCTION_PRE_EP_ENTRIES] = NULL; 3463 3464 /* Assume endpoint addresses are the same for both speeds */ 3465 fsg_hs_bulk_in_desc.bEndpointAddress = 3466 fsg_fs_bulk_in_desc.bEndpointAddress; 3467 fsg_hs_bulk_out_desc.bEndpointAddress = 3468 fsg_fs_bulk_out_desc.bEndpointAddress; 3469 fsg_hs_intr_in_desc.bEndpointAddress = 3470 fsg_fs_intr_in_desc.bEndpointAddress; 3471 } 3472 3473 if (gadget_is_superspeed(gadget)) { 3474 unsigned max_burst; 3475 3476 fsg_ss_function[i + FSG_SS_FUNCTION_PRE_EP_ENTRIES] = NULL; 3477 3478 /* Calculate bMaxBurst, we know packet size is 1024 */ 3479 max_burst = min_t(unsigned, mod_data.buflen / 1024, 15); 3480 3481 /* Assume endpoint addresses are the same for both speeds */ 3482 fsg_ss_bulk_in_desc.bEndpointAddress = 3483 fsg_fs_bulk_in_desc.bEndpointAddress; 3484 fsg_ss_bulk_in_comp_desc.bMaxBurst = max_burst; 3485 3486 fsg_ss_bulk_out_desc.bEndpointAddress = 3487 fsg_fs_bulk_out_desc.bEndpointAddress; 3488 fsg_ss_bulk_out_comp_desc.bMaxBurst = max_burst; 3489 } 3490 3491 if (gadget_is_otg(gadget)) 3492 fsg_otg_desc.bmAttributes |= USB_OTG_HNP; 3493 3494 rc = -ENOMEM; 3495 3496 /* Allocate the request and buffer for endpoint 0 */ 3497 fsg->ep0req = req = usb_ep_alloc_request(fsg->ep0, GFP_KERNEL); 3498 if (!req) 3499 goto out; 3500 req->buf = kmalloc(EP0_BUFSIZE, GFP_KERNEL); 3501 if (!req->buf) 3502 goto out; 3503 req->complete = ep0_complete; 3504 3505 /* Allocate the data buffers */ 3506 for (i = 0; i < fsg_num_buffers; ++i) { 3507 struct fsg_buffhd *bh = &fsg->buffhds[i]; 3508 3509 /* Allocate for the bulk-in endpoint. We assume that 3510 * the buffer will also work with the bulk-out (and 3511 * interrupt-in) endpoint. */ 3512 bh->buf = kmalloc(mod_data.buflen, GFP_KERNEL); 3513 if (!bh->buf) 3514 goto out; 3515 bh->next = bh + 1; 3516 } 3517 fsg->buffhds[fsg_num_buffers - 1].next = &fsg->buffhds[0]; 3518 3519 /* This should reflect the actual gadget power source */ 3520 usb_gadget_set_selfpowered(gadget); 3521 3522 snprintf(fsg_string_manufacturer, sizeof fsg_string_manufacturer, 3523 "%s %s with %s", 3524 init_utsname()->sysname, init_utsname()->release, 3525 gadget->name); 3526 3527 fsg->thread_task = kthread_create(fsg_main_thread, fsg, 3528 "file-storage-gadget"); 3529 if (IS_ERR(fsg->thread_task)) { 3530 rc = PTR_ERR(fsg->thread_task); 3531 goto out; 3532 } 3533 3534 INFO(fsg, DRIVER_DESC ", version: " DRIVER_VERSION "\n"); 3535 INFO(fsg, "NOTE: This driver is deprecated. " 3536 "Consider using g_mass_storage instead.\n"); 3537 INFO(fsg, "Number of LUNs=%d\n", fsg->nluns); 3538 3539 pathbuf = kmalloc(PATH_MAX, GFP_KERNEL); 3540 for (i = 0; i < fsg->nluns; ++i) { 3541 curlun = &fsg->luns[i]; 3542 if (fsg_lun_is_open(curlun)) { 3543 p = NULL; 3544 if (pathbuf) { 3545 p = d_path(&curlun->filp->f_path, 3546 pathbuf, PATH_MAX); 3547 if (IS_ERR(p)) 3548 p = NULL; 3549 } 3550 LINFO(curlun, "ro=%d, nofua=%d, file: %s\n", 3551 curlun->ro, curlun->nofua, (p ? p : "(error)")); 3552 } 3553 } 3554 kfree(pathbuf); 3555 3556 DBG(fsg, "transport=%s (x%02x)\n", 3557 mod_data.transport_name, mod_data.transport_type); 3558 DBG(fsg, "protocol=%s (x%02x)\n", 3559 mod_data.protocol_name, mod_data.protocol_type); 3560 DBG(fsg, "VendorID=x%04x, ProductID=x%04x, Release=x%04x\n", 3561 mod_data.vendor, mod_data.product, mod_data.release); 3562 DBG(fsg, "removable=%d, stall=%d, cdrom=%d, buflen=%u\n", 3563 mod_data.removable, mod_data.can_stall, 3564 mod_data.cdrom, mod_data.buflen); 3565 DBG(fsg, "I/O thread pid: %d\n", task_pid_nr(fsg->thread_task)); 3566 3567 set_bit(REGISTERED, &fsg->atomic_bitflags); 3568 3569 /* Tell the thread to start working */ 3570 wake_up_process(fsg->thread_task); 3571 return 0; 3572 3573autoconf_fail: 3574 ERROR(fsg, "unable to autoconfigure all endpoints\n"); 3575 rc = -ENOTSUPP; 3576 3577out: 3578 fsg->state = FSG_STATE_TERMINATED; // The thread is dead 3579 fsg_unbind(gadget); 3580 complete(&fsg->thread_notifier); 3581 return rc; 3582} 3583 3584 3585/*-------------------------------------------------------------------------*/ 3586 3587static void fsg_suspend(struct usb_gadget *gadget) 3588{ 3589 struct fsg_dev *fsg = get_gadget_data(gadget); 3590 3591 DBG(fsg, "suspend\n"); 3592 set_bit(SUSPENDED, &fsg->atomic_bitflags); 3593} 3594 3595static void fsg_resume(struct usb_gadget *gadget) 3596{ 3597 struct fsg_dev *fsg = get_gadget_data(gadget); 3598 3599 DBG(fsg, "resume\n"); 3600 clear_bit(SUSPENDED, &fsg->atomic_bitflags); 3601} 3602 3603 3604/*-------------------------------------------------------------------------*/ 3605 3606static struct usb_gadget_driver fsg_driver = { 3607 .max_speed = USB_SPEED_SUPER, 3608 .function = (char *) fsg_string_product, 3609 .unbind = fsg_unbind, 3610 .disconnect = fsg_disconnect, 3611 .setup = fsg_setup, 3612 .suspend = fsg_suspend, 3613 .resume = fsg_resume, 3614 3615 .driver = { 3616 .name = DRIVER_NAME, 3617 .owner = THIS_MODULE, 3618 // .release = ... 3619 // .suspend = ... 3620 // .resume = ... 3621 }, 3622}; 3623 3624 3625static int __init fsg_alloc(void) 3626{ 3627 struct fsg_dev *fsg; 3628 3629 fsg = kzalloc(sizeof *fsg + 3630 fsg_num_buffers * sizeof *(fsg->buffhds), GFP_KERNEL); 3631 3632 if (!fsg) 3633 return -ENOMEM; 3634 spin_lock_init(&fsg->lock); 3635 init_rwsem(&fsg->filesem); 3636 kref_init(&fsg->ref); 3637 init_completion(&fsg->thread_notifier); 3638 3639 the_fsg = fsg; 3640 return 0; 3641} 3642 3643 3644static int __init fsg_init(void) 3645{ 3646 int rc; 3647 struct fsg_dev *fsg; 3648 3649 rc = fsg_num_buffers_validate(); 3650 if (rc != 0) 3651 return rc; 3652 3653 if ((rc = fsg_alloc()) != 0) 3654 return rc; 3655 fsg = the_fsg; 3656 if ((rc = usb_gadget_probe_driver(&fsg_driver, fsg_bind)) != 0) 3657 kref_put(&fsg->ref, fsg_release); 3658 return rc; 3659} 3660module_init(fsg_init); 3661 3662 3663static void __exit fsg_cleanup(void) 3664{ 3665 struct fsg_dev *fsg = the_fsg; 3666 3667 /* Unregister the driver iff the thread hasn't already done so */ 3668 if (test_and_clear_bit(REGISTERED, &fsg->atomic_bitflags)) 3669 usb_gadget_unregister_driver(&fsg_driver); 3670 3671 /* Wait for the thread to finish up */ 3672 wait_for_completion(&fsg->thread_notifier); 3673 3674 kref_put(&fsg->ref, fsg_release); 3675} 3676module_exit(fsg_cleanup); 3677