f_mass_storage.c 92.9 KB
Newer Older
1
// SPDX-License-Identifier: (GPL-2.0+ OR BSD-3-Clause)
2
/*
3
 * f_mass_storage.c -- Mass Storage USB Composite Function
4
5
 *
 * Copyright (C) 2003-2008 Alan Stern
6
 * Copyright (C) 2009 Samsung Electronics
7
 *                    Author: Michal Nazarewicz <mina86@mina86.com>
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions, and the following disclaimer,
 *    without modification.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The names of the above-listed copyright holders may not be used
 *    to endorse or promote products derived from this software without
 *    specific prior written permission.
 *
 * ALTERNATIVELY, this software may be distributed under the terms of the
 * GNU General Public License ("GPL") as published by the Free Software
 * Foundation, either version 2 of that License or (at your option) any
 * later version.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
 * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/*
42
43
44
45
46
 * The Mass Storage Function acts as a USB Mass Storage device,
 * appearing to the host as a disk drive or as a CD-ROM drive.  In
 * addition to providing an example of a genuinely useful composite
 * function for a USB device, it also illustrates a technique of
 * double-buffering for increased throughput.
47
 *
48
49
 * For more information about MSF and in particular its module
 * parameters and sysfs interface read the
50
 * <Documentation/usb/mass-storage.rst> file.
51
52
53
 */

/*
54
55
56
57
 * MSF is configured by specifying a fsg_config structure.  It has the
 * following fields:
 *
 *	nluns		Number of LUNs function have (anywhere from 1
58
 *				to FSG_MAX_LUNS).
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
 *	luns		An array of LUN configuration values.  This
 *				should be filled for each LUN that
 *				function will include (ie. for "nluns"
 *				LUNs).  Each element of the array has
 *				the following fields:
 *	->filename	The path to the backing file for the LUN.
 *				Required if LUN is not marked as
 *				removable.
 *	->ro		Flag specifying access to the LUN shall be
 *				read-only.  This is implied if CD-ROM
 *				emulation is enabled as well as when
 *				it was impossible to open "filename"
 *				in R/W mode.
 *	->removable	Flag specifying that LUN shall be indicated as
 *				being removable.
 *	->cdrom		Flag specifying that LUN shall be reported as
 *				being a CD-ROM.
76
77
 *	->nofua		Flag specifying that FUA flag in SCSI WRITE(10,12)
 *				commands for this LUN shall be ignored.
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
 *
 *	vendor_name
 *	product_name
 *	release		Information used as a reply to INQUIRY
 *				request.  To use default set to NULL,
 *				NULL, 0xffff respectively.  The first
 *				field should be 8 and the second 16
 *				characters or less.
 *
 *	can_stall	Set to permit function to halt bulk endpoints.
 *				Disabled on some USB devices known not
 *				to work correctly.  You should set it
 *				to true.
 *
 * If "removable" is not set for a LUN then a backing file must be
 * specified.  If it is set, then NULL filename means the LUN's medium
 * is not loaded (an empty string as "filename" in the fsg_config
 * structure causes error).  The CD-ROM emulation includes a single
 * data track and no audio tracks; hence there need be only one
97
 * backing file per LUN.
98
99
100
101
102
103
104
105
106
107
108
 *
 * This function is heavily based on "File-backed Storage Gadget" by
 * Alan Stern which in turn is heavily based on "Gadget Zero" by David
 * Brownell.  The driver's SCSI command interface was based on the
 * "Information technology - Small Computer System Interface - 2"
 * document from X3T9.2 Project 375D, Revision 10L, 7-SEP-93,
 * available at <http://www.t10.org/ftp/t10/drafts/s2/s2-r10l.pdf>.
 * The single exception is opcode 0x23 (READ FORMAT CAPACITIES), which
 * was based on the "Universal Serial Bus Mass Storage Class UFI
 * Command Specification" document, Revision 1.0, December 14, 1998,
 * available at
109
110
111
112
113
114
 * <http://www.usb.org/developers/devclass_docs/usbmass-ufi10.pdf>.
 */

/*
 *				Driver Design
 *
115
 * The MSF is fairly straightforward.  There is a main kernel
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
 * thread that handles most of the work.  Interrupt routines field
 * callbacks from the controller driver: bulk- and interrupt-request
 * completion notifications, endpoint-0 events, and disconnect events.
 * Completion events are passed to the main thread by wakeup calls.  Many
 * ep0 requests are handled at interrupt time, but SetInterface,
 * SetConfiguration, and device reset requests are forwarded to the
 * thread in the form of "exceptions" using SIGUSR1 signals (since they
 * should interrupt any ongoing file I/O operations).
 *
 * The thread's main routine implements the standard command/data/status
 * parts of a SCSI interaction.  It and its subroutines are full of tests
 * for pending signals/exceptions -- all this polling is necessary since
 * the kernel has no setjmp/longjmp equivalents.  (Maybe this is an
 * indication that the driver really wants to be running in userspace.)
 * An important point is that so long as the thread is alive it keeps an
 * open reference to the backing file.  This will prevent unmounting
 * the backing file's underlying filesystem and could cause problems
 * during system shutdown, for example.  To prevent such problems, the
 * thread catches INT, TERM, and KILL signals and converts them into
 * an EXIT exception.
 *
 * In normal operation the main thread is started during the gadget's
138
139
 * fsg_bind() callback and stopped during fsg_unbind().  But it can
 * also exit when it receives a signal, and there's no point leaving
140
 * the gadget running when the thread is dead.  As of this moment, MSF
141
142
 * provides no way to deregister the gadget when thread dies -- maybe
 * a callback functions is needed.
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
 *
 * To provide maximum throughput, the driver uses a circular pipeline of
 * buffer heads (struct fsg_buffhd).  In principle the pipeline can be
 * arbitrarily long; in practice the benefits don't justify having more
 * than 2 stages (i.e., double buffering).  But it helps to think of the
 * pipeline as being a long one.  Each buffer head contains a bulk-in and
 * a bulk-out request pointer (since the buffer can be used for both
 * output and input -- directions always are given from the host's
 * point of view) as well as a pointer to the buffer and various state
 * variables.
 *
 * Use of the pipeline follows a simple protocol.  There is a variable
 * (fsg->next_buffhd_to_fill) that points to the next buffer head to use.
 * At any time that buffer head may still be in use from an earlier
 * request, so each buffer head has a state variable indicating whether
 * it is EMPTY, FULL, or BUSY.  Typical use involves waiting for the
 * buffer head to be EMPTY, filling the buffer either by file I/O or by
 * USB I/O (during which the buffer head is BUSY), and marking the buffer
 * head FULL when the I/O is complete.  Then the buffer will be emptied
 * (again possibly by USB I/O, during which it is marked BUSY) and
 * finally marked EMPTY again (possibly by a completion routine).
 *
 * A module parameter tells the driver to avoid stalling the bulk
 * endpoints wherever the transport specification allows.  This is
 * necessary for some UDCs like the SuperH, which cannot reliably clear a
 * halt on a bulk endpoint.  However, under certain circumstances the
 * Bulk-only specification requires a stall.  In such cases the driver
 * will halt the endpoint and set a flag indicating that it should clear
 * the halt in software during the next device reset.  Hopefully this
 * will permit everything to work correctly.  Furthermore, although the
 * specification allows the bulk-out endpoint to halt when the host sends
 * too much data, implementing this would cause an unavoidable race.
 * The driver will always use the "no-stall" approach for OUT transfers.
 *
 * One subtle point concerns sending status-stage responses for ep0
 * requests.  Some of these requests, such as device reset, can involve
 * interrupting an ongoing file I/O operation, which might take an
 * arbitrarily long time.  During that delay the host might give up on
 * the original ep0 request and issue a new one.  When that happens the
 * driver should not notify the host about completion of the original
 * request, as the host will no longer be waiting for it.  So the driver
 * assigns to each ep0 request a unique tag, and it keeps track of the
 * tag value of the request associated with a long-running exception
 * (device-reset, interface-change, or configuration-change).  When the
 * exception handler is finished, the status-stage response is submitted
 * only if the current ep0 request tag is equal to the exception request
 * tag.  Thus only the most recently received ep0 request will get a
 * status-stage response.
 *
 * Warning: This driver source file is too long.  It ought to be split up
 * into a header file plus about 3 separate .c files, to handle the details
 * of the Gadget, USB Mass Storage, and SCSI protocols.
 */


/* #define VERBOSE_DEBUG */
/* #define DUMP_MSGS */

#include <linux/blkdev.h>
#include <linux/completion.h>
#include <linux/dcache.h>
#include <linux/delay.h>
#include <linux/device.h>
#include <linux/fcntl.h>
#include <linux/file.h>
#include <linux/fs.h>
#include <linux/kthread.h>
210
#include <linux/sched/signal.h>
211
212
213
214
215
216
#include <linux/limits.h>
#include <linux/rwsem.h>
#include <linux/slab.h>
#include <linux/spinlock.h>
#include <linux/string.h>
#include <linux/freezer.h>
217
#include <linux/module.h>
218
#include <linux/uaccess.h>
219
220
221

#include <linux/usb/ch9.h>
#include <linux/usb/gadget.h>
222
#include <linux/usb/composite.h>
223

224
225
#include <linux/nospec.h>

226
#include "configfs.h"
227
228


229
/*------------------------------------------------------------------------*/
230

231
#define FSG_DRIVER_DESC		"Mass Storage Function"
232
#define FSG_DRIVER_VERSION	"2009/09/11"
233
234
235

static const char fsg_string_interface[] = "Mass Storage";

236
#include "storage_common.h"
237
#include "f_mass_storage.h"
238

239
240
241
242
243
244
245
246
247
248
/* Static strings, in UTF-8 (for simplicity we use only ASCII characters) */
static struct usb_string		fsg_strings[] = {
	{FSG_STRING_INTERFACE,		fsg_string_interface},
	{}
};

static struct usb_gadget_strings	fsg_stringtab = {
	.language	= 0x0409,		/* en-us */
	.strings	= fsg_strings,
};
249

250
251
252
253
254
static struct usb_gadget_strings *fsg_strings_array[] = {
	&fsg_stringtab,
	NULL,
};

255
256
/*-------------------------------------------------------------------------*/

257
struct fsg_dev;
258
259
struct fsg_common;

260
261
/* Data shared by all the FSG instances. */
struct fsg_common {
262
	struct usb_gadget	*gadget;
263
	struct usb_composite_dev *cdev;
264
	struct fsg_dev		*fsg;
265
	wait_queue_head_t	io_wait;
266
	wait_queue_head_t	fsg_wait;
267

268
269
270
	/* filesem protects: backing files in use */
	struct rw_semaphore	filesem;

271
	/* lock protects: state and thread_task */
272
273
274
275
276
277
	spinlock_t		lock;

	struct usb_ep		*ep0;		/* Copy of gadget->ep0 */
	struct usb_request	*ep0req;	/* Copy of cdev->req */
	unsigned int		ep0_req_tag;

278
279
	struct fsg_buffhd	*next_buffhd_to_fill;
	struct fsg_buffhd	*next_buffhd_to_drain;
280
	struct fsg_buffhd	*buffhds;
281
	unsigned int		fsg_num_buffers;
282
283
284
285
286

	int			cmnd_size;
	u8			cmnd[MAX_COMMAND_SIZE];

	unsigned int		lun;
287
	struct fsg_lun		*luns[FSG_MAX_LUNS];
288
	struct fsg_lun		*curlun;
289

290
291
292
	unsigned int		bulk_out_maxpacket;
	enum fsg_state		state;		/* For exception handling */
	unsigned int		exception_req_tag;
293
	void			*exception_arg;
294
295
296
297
298
299
300
301

	enum data_direction	data_dir;
	u32			data_size;
	u32			data_size_from_cmnd;
	u32			tag;
	u32			residue;
	u32			usb_amount_left;

302
	unsigned int		can_stall:1;
303
	unsigned int		free_storage_on_release:1;
304
305
306
307
	unsigned int		phase_error:1;
	unsigned int		short_packet_received:1;
	unsigned int		bad_lun_okay:1;
	unsigned int		running:1;
308
	unsigned int		sysfs:1;
309

310
311
	struct completion	thread_notifier;
	struct task_struct	*thread_task;
312

313
314
315
	/* Gadget's private data. */
	void			*private_data;

316
	char inquiry_string[INQUIRY_STRING_LEN];
317
318
};

319
struct fsg_dev {
320
321
	struct usb_function	function;
	struct usb_gadget	*gadget;	/* Copy of cdev->gadget */
322
323
	struct fsg_common	*common;

324
325
	u16			interface_number;

326
327
	unsigned int		bulk_in_enabled:1;
	unsigned int		bulk_out_enabled:1;
328
329

	unsigned long		atomic_bitflags;
330
#define IGNORE_BULK_OUT		0
331
332
333

	struct usb_ep		*bulk_in;
	struct usb_ep		*bulk_out;
334
};
335

336
337
338
339
340
341
static inline int __fsg_is_set(struct fsg_common *common,
			       const char *func, unsigned line)
{
	if (common->fsg)
		return 1;
	ERROR(common, "common->fsg is NULL in %s at %u\n", func, line);
342
	WARN_ON(1);
343
344
345
346
	return 0;
}

#define fsg_is_set(common) likely(__fsg_is_set(common, __func__, __LINE__))
347

348
349
350
351
352
static inline struct fsg_dev *fsg_from_func(struct usb_function *f)
{
	return container_of(f, struct fsg_dev, function);
}

353
354
typedef void (*fsg_routine_t)(struct fsg_dev *);

355
static int exception_in_progress(struct fsg_common *common)
356
{
357
	return common->state > FSG_STATE_NORMAL;
358
359
}

360
361
362
363
364
365
366
367
368
369
370
371
372
373
/* Make bulk-out requests be divisible by the maxpacket size */
static void set_bulk_out_req_length(struct fsg_common *common,
				    struct fsg_buffhd *bh, unsigned int length)
{
	unsigned int	rem;

	bh->bulk_out_intended_length = length;
	rem = length % common->bulk_out_maxpacket;
	if (rem > 0)
		length += common->bulk_out_maxpacket - rem;
	bh->outreq->length = length;
}


374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
/*-------------------------------------------------------------------------*/

static int fsg_set_halt(struct fsg_dev *fsg, struct usb_ep *ep)
{
	const char	*name;

	if (ep == fsg->bulk_in)
		name = "bulk-in";
	else if (ep == fsg->bulk_out)
		name = "bulk-out";
	else
		name = ep->name;
	DBG(fsg, "%s set halt\n", name);
	return usb_ep_set_halt(ep);
}


/*-------------------------------------------------------------------------*/

/* These routines may be called in process context or in_irq */

395
396
static void __raise_exception(struct fsg_common *common, enum fsg_state new_state,
			      void *arg)
397
398
399
{
	unsigned long		flags;

400
401
	/*
	 * Do nothing if a higher-priority exception is already in progress.
402
	 * If a lower-or-equal priority exception is in progress, preempt it
403
404
	 * and notify the main thread by sending it a signal.
	 */
405
406
407
408
	spin_lock_irqsave(&common->lock, flags);
	if (common->state <= new_state) {
		common->exception_req_tag = common->ep0_req_tag;
		common->state = new_state;
409
		common->exception_arg = arg;
410
		if (common->thread_task)
411
			send_sig_info(SIGUSR1, SEND_SIG_PRIV,
412
				      common->thread_task);
413
	}
414
	spin_unlock_irqrestore(&common->lock, flags);
415
416
}

417
418
419
420
static void raise_exception(struct fsg_common *common, enum fsg_state new_state)
{
	__raise_exception(common, new_state, NULL);
}
421
422
423

/*-------------------------------------------------------------------------*/

424
static int ep0_queue(struct fsg_common *common)
425
426
427
{
	int	rc;

428
429
	rc = usb_ep_queue(common->ep0, common->ep0req, GFP_ATOMIC);
	common->ep0->driver_data = common;
430
431
	if (rc != 0 && rc != -ESHUTDOWN) {
		/* We can't do much more than wait for a reset */
432
433
		WARNING(common, "error in submission: %s --> %d\n",
			common->ep0->name, rc);
434
435
436
437
	}
	return rc;
}

438

439
440
/*-------------------------------------------------------------------------*/

441
/* Completion handlers. These always run in_irq. */
442
443
444

static void bulk_in_complete(struct usb_ep *ep, struct usb_request *req)
{
445
	struct fsg_common	*common = ep->driver_data;
446
447
448
	struct fsg_buffhd	*bh = req->context;

	if (req->status || req->actual != req->length)
449
		DBG(common, "%s --> %d, %u/%u\n", __func__,
450
		    req->status, req->actual, req->length);
451
	if (req->status == -ECONNRESET)		/* Request was cancelled */
452
453
		usb_ep_fifo_flush(ep);

454
455
456
	/* Synchronize with the smp_load_acquire() in sleep_thread() */
	smp_store_release(&bh->state, BUF_STATE_EMPTY);
	wake_up(&common->io_wait);
457
458
459
460
}

static void bulk_out_complete(struct usb_ep *ep, struct usb_request *req)
{
461
	struct fsg_common	*common = ep->driver_data;
462
463
	struct fsg_buffhd	*bh = req->context;

464
	dump_msg(common, "bulk-out", req->buf, req->actual);
465
	if (req->status || req->actual != bh->bulk_out_intended_length)
466
		DBG(common, "%s --> %d, %u/%u\n", __func__,
467
		    req->status, req->actual, bh->bulk_out_intended_length);
468
	if (req->status == -ECONNRESET)		/* Request was cancelled */
469
470
		usb_ep_fifo_flush(ep);

471
472
473
	/* Synchronize with the smp_load_acquire() in sleep_thread() */
	smp_store_release(&bh->state, BUF_STATE_FULL);
	wake_up(&common->io_wait);
474
475
}

476
477
478
479
480
481
482
483
484
485
static int _fsg_common_get_max_lun(struct fsg_common *common)
{
	int i = ARRAY_SIZE(common->luns) - 1;

	while (i >= 0 && !common->luns[i])
		--i;

	return i;
}

486
static int fsg_setup(struct usb_function *f,
487
		     const struct usb_ctrlrequest *ctrl)
488
{
489
	struct fsg_dev		*fsg = fsg_from_func(f);
490
	struct usb_request	*req = fsg->common->ep0req;
491
	u16			w_index = le16_to_cpu(ctrl->wIndex);
492
	u16			w_value = le16_to_cpu(ctrl->wValue);
493
494
	u16			w_length = le16_to_cpu(ctrl->wLength);

495
	if (!fsg_is_set(fsg->common))
496
		return -EOPNOTSUPP;
497

498
499
500
501
502
	++fsg->common->ep0_req_tag;	/* Record arrival of a new request */
	req->context = NULL;
	req->length = 0;
	dump_msg(fsg, "ep0-setup", (u8 *) ctrl, sizeof(*ctrl));

503
	switch (ctrl->bRequest) {
504

505
	case US_BULK_RESET_REQUEST:
506
507
		if (ctrl->bRequestType !=
		    (USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE))
508
			break;
509
510
		if (w_index != fsg->interface_number || w_value != 0 ||
				w_length != 0)
511
			return -EDOM;
512

513
514
515
516
		/*
		 * Raise an exception to stop the current operation
		 * and reinitialize our state.
		 */
517
		DBG(fsg, "bulk reset request\n");
518
		raise_exception(fsg->common, FSG_STATE_PROTOCOL_RESET);
519
		return USB_GADGET_DELAYED_STATUS;
520

521
	case US_BULK_GET_MAX_LUN:
522
523
		if (ctrl->bRequestType !=
		    (USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_INTERFACE))
524
			break;
525
526
		if (w_index != fsg->interface_number || w_value != 0 ||
				w_length != 1)
527
528
			return -EDOM;
		VDBG(fsg, "get max LUN\n");
529
		*(u8 *)req->buf = _fsg_common_get_max_lun(fsg->common);
530
531

		/* Respond with data/status */
532
		req->length = min((u16)1, w_length);
533
		return ep0_queue(fsg->common);
534
535
536
	}

	VDBG(fsg,
537
	     "unknown class-specific control req %02x.%02x v%04x i%04x l%u\n",
538
539
540
	     ctrl->bRequestType, ctrl->bRequest,
	     le16_to_cpu(ctrl->wValue), w_index, w_length);
	return -EOPNOTSUPP;
541
542
543
544
545
546
547
548
}


/*-------------------------------------------------------------------------*/

/* All the following routines run in process context */

/* Use this for bulk or interrupt transfers, not ep0 */
549
550
static int start_transfer(struct fsg_dev *fsg, struct usb_ep *ep,
			   struct usb_request *req)
551
552
553
554
555
556
557
{
	int	rc;

	if (ep == fsg->bulk_in)
		dump_msg(fsg, "bulk-in", req->buf, req->length);

	rc = usb_ep_queue(ep, req, GFP_KERNEL);
558
	if (rc) {
559

560
561
		/* We can't do much more than wait for a reset */
		req->status = rc;
562

563
564
565
566
567
568
569
570
571
572
		/*
		 * Note: currently the net2280 driver fails zero-length
		 * submissions if DMA is enabled.
		 */
		if (rc != -ESHUTDOWN &&
				!(rc == -EOPNOTSUPP && req->length == 0))
			WARNING(fsg, "error in submission: %s --> %d\n",
					ep->name, rc);
	}
	return rc;
573
574
}

575
576
577
578
static bool start_in_transfer(struct fsg_common *common, struct fsg_buffhd *bh)
{
	if (!fsg_is_set(common))
		return false;
579
580
581
	bh->state = BUF_STATE_SENDING;
	if (start_transfer(common->fsg, common->fsg->bulk_in, bh->inreq))
		bh->state = BUF_STATE_EMPTY;
582
583
	return true;
}
584

585
586
587
588
static bool start_out_transfer(struct fsg_common *common, struct fsg_buffhd *bh)
{
	if (!fsg_is_set(common))
		return false;
589
590
591
	bh->state = BUF_STATE_RECEIVING;
	if (start_transfer(common->fsg, common->fsg->bulk_out, bh->outreq))
		bh->state = BUF_STATE_FULL;
592
593
	return true;
}
594

595
596
static int sleep_thread(struct fsg_common *common, bool can_freeze,
		struct fsg_buffhd *bh)
597
{
598
	int	rc;
599

600
601
602
603
604
605
606
607
608
609
610
611
612
613
	/* Wait until a signal arrives or bh is no longer busy */
	if (can_freeze)
		/*
		 * synchronize with the smp_store_release(&bh->state) in
		 * bulk_in_complete() or bulk_out_complete()
		 */
		rc = wait_event_freezable(common->io_wait,
				bh && smp_load_acquire(&bh->state) >=
					BUF_STATE_EMPTY);
	else
		rc = wait_event_interruptible(common->io_wait,
				bh && smp_load_acquire(&bh->state) >=
					BUF_STATE_EMPTY);
	return rc ? -EINTR : 0;
614
615
616
617
618
}


/*-------------------------------------------------------------------------*/

619
static int do_read(struct fsg_common *common)
620
{
621
	struct fsg_lun		*curlun = common->curlun;
622
623
624
625
626
627
628
629
	u32			lba;
	struct fsg_buffhd	*bh;
	int			rc;
	u32			amount_left;
	loff_t			file_offset, file_offset_tmp;
	unsigned int		amount;
	ssize_t			nread;

630
631
632
633
	/*
	 * Get the starting Logical Block Address and check that it's
	 * not too big.
	 */
634
	if (common->cmnd[0] == READ_6)
635
		lba = get_unaligned_be24(&common->cmnd[1]);
636
	else {
637
		lba = get_unaligned_be32(&common->cmnd[2]);
638

639
640
		/*
		 * We allow DPO (Disable Page Out = don't save data in the
641
		 * cache) and FUA (Force Unit Access = don't read from the
642
643
		 * cache), but we don't implement them.
		 */
644
		if ((common->cmnd[1] & ~0x18) != 0) {
645
646
647
648
649
650
651
652
			curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
			return -EINVAL;
		}
	}
	if (lba >= curlun->num_sectors) {
		curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
		return -EINVAL;
	}
653
	file_offset = ((loff_t) lba) << curlun->blkbits;
654
655

	/* Carry out the file reads */
656
	amount_left = common->data_size_from_cmnd;
657
	if (unlikely(amount_left == 0))
658
		return -EIO;		/* No default reply */
659
660

	for (;;) {
661
662
		/*
		 * Figure out how much we need to read:
663
664
665
		 * Try to read the remaining amount.
		 * But don't read more than the buffer size.
		 * And don't try to read past the end of the file.
666
		 */
667
		amount = min(amount_left, FSG_BUFLEN);
668
669
		amount = min((loff_t)amount,
			     curlun->file_length - file_offset);
670
671

		/* Wait for the next buffer to become available */
672
		bh = common->next_buffhd_to_fill;
673
674
675
		rc = sleep_thread(common, false, bh);
		if (rc)
			return rc;
676

677
678
679
680
		/*
		 * If we were asked to read past the end of file,
		 * end with an empty buffer.
		 */
681
682
683
		if (amount == 0) {
			curlun->sense_data =
					SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
684
685
			curlun->sense_data_info =
					file_offset >> curlun->blkbits;
686
687
688
689
690
691
692
693
			curlun->info_valid = 1;
			bh->inreq->length = 0;
			bh->state = BUF_STATE_FULL;
			break;
		}

		/* Perform the read */
		file_offset_tmp = file_offset;
694
695
		nread = kernel_read(curlun->filp, bh->buf, amount,
				&file_offset_tmp);
696
		VLDBG(curlun, "file read %u @ %llu -> %d\n", amount,
697
		      (unsigned long long)file_offset, (int)nread);
698
699
700
701
		if (signal_pending(current))
			return -EINTR;

		if (nread < 0) {
702
			LDBG(curlun, "error in file read: %d\n", (int)nread);
703
704
705
			nread = 0;
		} else if (nread < amount) {
			LDBG(curlun, "partial file read: %d/%u\n",
706
			     (int)nread, amount);
707
			nread = round_down(nread, curlun->blksize);
708
709
710
		}
		file_offset  += nread;
		amount_left  -= nread;
711
		common->residue -= nread;
712
713
714
715
716
717

		/*
		 * Except at the end of the transfer, nread will be
		 * equal to the buffer size, which is divisible by the
		 * bulk-in maxpacket size.
		 */
718
719
720
721
722
723
		bh->inreq->length = nread;
		bh->state = BUF_STATE_FULL;

		/* If an error occurred, report it and its position */
		if (nread < amount) {
			curlun->sense_data = SS_UNRECOVERED_READ_ERROR;
724
725
			curlun->sense_data_info =
					file_offset >> curlun->blkbits;
726
727
728
729
730
			curlun->info_valid = 1;
			break;
		}

		if (amount_left == 0)
731
			break;		/* No more left to read */
732
733
734

		/* Send this buffer and go read some more */
		bh->inreq->zero = 0;
735
736
		if (!start_in_transfer(common, bh))
			/* Don't know what to do if common->fsg is NULL */
737
738
			return -EIO;
		common->next_buffhd_to_fill = bh->next;
739
740
	}

741
	return -EIO;		/* No default reply */
742
743
744
745
746
}


/*-------------------------------------------------------------------------*/

747
static int do_write(struct fsg_common *common)
748
{
749
	struct fsg_lun		*curlun = common->curlun;
750
751
752
753
754
755
756
757
758
759
760
761
762
763
	u32			lba;
	struct fsg_buffhd	*bh;
	int			get_some_more;
	u32			amount_left_to_req, amount_left_to_write;
	loff_t			usb_offset, file_offset, file_offset_tmp;
	unsigned int		amount;
	ssize_t			nwritten;
	int			rc;

	if (curlun->ro) {
		curlun->sense_data = SS_WRITE_PROTECTED;
		return -EINVAL;
	}
	spin_lock(&curlun->filp->f_lock);
764
	curlun->filp->f_flags &= ~O_SYNC;	/* Default is not to wait */
765
766
	spin_unlock(&curlun->filp->f_lock);

767
768
769
770
	/*
	 * Get the starting Logical Block Address and check that it's
	 * not too big
	 */
771
	if (common->cmnd[0] == WRITE_6)
772
		lba = get_unaligned_be24(&common->cmnd[1]);
773
	else {
774
		lba = get_unaligned_be32(&common->cmnd[2]);
775

776
777
		/*
		 * We allow DPO (Disable Page Out = don't save data in the
778
779
		 * cache) and FUA (Force Unit Access = write directly to the
		 * medium).  We don't implement DPO; we implement FUA by
780
781
		 * performing synchronous output.
		 */
782
		if (common->cmnd[1] & ~0x18) {
783
784
785
			curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
			return -EINVAL;
		}
786
		if (!curlun->nofua && (common->cmnd[1] & 0x08)) { /* FUA */
787
788
789
790
791
792
793
794
795
796
797
798
			spin_lock(&curlun->filp->f_lock);
			curlun->filp->f_flags |= O_SYNC;
			spin_unlock(&curlun->filp->f_lock);
		}
	}
	if (lba >= curlun->num_sectors) {
		curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
		return -EINVAL;
	}

	/* Carry out the file writes */
	get_some_more = 1;
799
	file_offset = usb_offset = ((loff_t) lba) << curlun->blkbits;
800
801
	amount_left_to_req = common->data_size_from_cmnd;
	amount_left_to_write = common->data_size_from_cmnd;
802
803
804
805

	while (amount_left_to_write > 0) {

		/* Queue a request for more data from the host */
806
		bh = common->next_buffhd_to_fill;
807
808
		if (bh->state == BUF_STATE_EMPTY && get_some_more) {

809
810
			/*
			 * Figure out how much we want to get:
811
812
			 * Try to get the remaining amount,
			 * but not more than the buffer size.
813
			 */
814
			amount = min(amount_left_to_req, FSG_BUFLEN);
815
816
817

			/* Beyond the end of the backing file? */
			if (usb_offset >= curlun->file_length) {
818
819
820
				get_some_more = 0;
				curlun->sense_data =
					SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
821
822
				curlun->sense_data_info =
					usb_offset >> curlun->blkbits;
823
824
825
826
827
828
				curlun->info_valid = 1;
				continue;
			}

			/* Get the next buffer */
			usb_offset += amount;
829
			common->usb_amount_left -= amount;
830
831
832
833
			amount_left_to_req -= amount;
			if (amount_left_to_req == 0)
				get_some_more = 0;

834
			/*
835
836
837
			 * Except at the end of the transfer, amount will be
			 * equal to the buffer size, which is divisible by
			 * the bulk-out maxpacket size.
838
			 */
839
			set_bulk_out_req_length(common, bh, amount);
840
			if (!start_out_transfer(common, bh))
841
				/* Dunno what to do if common->fsg is NULL */
842
843
				return -EIO;
			common->next_buffhd_to_fill = bh->next;
844
845
846
847
			continue;
		}

		/* Write the received data to the backing file */
848
		bh = common->next_buffhd_to_drain;
849
		if (bh->state == BUF_STATE_EMPTY && !get_some_more)
850
			break;			/* We stopped early */
851
852
853
854
855
856
857
858
859
860
861
862
863

		/* Wait for the data to be received */
		rc = sleep_thread(common, false, bh);
		if (rc)
			return rc;

		common->next_buffhd_to_drain = bh->next;
		bh->state = BUF_STATE_EMPTY;

		/* Did something go wrong with the transfer? */
		if (bh->outreq->status != 0) {
			curlun->sense_data = SS_COMMUNICATION_FAILURE;
			curlun->sense_data_info =
864
					file_offset >> curlun->blkbits;
865
866
867
			curlun->info_valid = 1;
			break;
		}
868

869
870
871
		amount = bh->outreq->actual;
		if (curlun->file_length - file_offset < amount) {
			LERROR(curlun, "write %u @ %llu beyond end %llu\n",
872
873
				       amount, (unsigned long long)file_offset,
				       (unsigned long long)curlun->file_length);
874
875
			amount = curlun->file_length - file_offset;
		}
876

877
878
879
880
881
		/*
		 * Don't accept excess data.  The spec doesn't say
		 * what to do in this case.  We'll ignore the error.
		 */
		amount = min(amount, bh->bulk_out_intended_length);
882

883
884
885
886
887
888
889
		/* Don't write a partial block */
		amount = round_down(amount, curlun->blksize);
		if (amount == 0)
			goto empty_write;

		/* Perform the write */
		file_offset_tmp = file_offset;
890
891
		nwritten = kernel_write(curlun->filp, bh->buf, amount,
				&file_offset_tmp);
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
		VLDBG(curlun, "file write %u @ %llu -> %d\n", amount,
				(unsigned long long)file_offset, (int)nwritten);
		if (signal_pending(current))
			return -EINTR;		/* Interrupted! */

		if (nwritten < 0) {
			LDBG(curlun, "error in file write: %d\n",
					(int) nwritten);
			nwritten = 0;
		} else if (nwritten < amount) {
			LDBG(curlun, "partial file write: %d/%u\n",
					(int) nwritten, amount);
			nwritten = round_down(nwritten, curlun->blksize);
		}
		file_offset += nwritten;
		amount_left_to_write -= nwritten;
		common->residue -= nwritten;

		/* If an error occurred, report it and its position */
		if (nwritten < amount) {
			curlun->sense_data = SS_WRITE_ERROR;
			curlun->sense_data_info =
914
					file_offset >> curlun->blkbits;
915
916
917
			curlun->info_valid = 1;
			break;
		}
918

919
 empty_write:
920
921
922
923
		/* Did the host decide to stop early? */
		if (bh->outreq->actual < bh->bulk_out_intended_length) {
			common->short_packet_received = 1;
			break;
924
925
926
		}
	}

927
	return -EIO;		/* No default reply */
928
929
930
931
932
}


/*-------------------------------------------------------------------------*/

933
static int do_synchronize_cache(struct fsg_common *common)
934
{
935
	struct fsg_lun	*curlun = common->curlun;
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
	int		rc;

	/* We ignore the requested LBA and write out all file's
	 * dirty data buffers. */
	rc = fsg_lun_fsync_sub(curlun);
	if (rc)
		curlun->sense_data = SS_WRITE_ERROR;
	return 0;
}


/*-------------------------------------------------------------------------*/

static void invalidate_sub(struct fsg_lun *curlun)
{
	struct file	*filp = curlun->filp;
Al Viro's avatar
Al Viro committed
952
	struct inode	*inode = file_inode(filp);
953
954
955
	unsigned long	rc;

	rc = invalidate_mapping_pages(inode->i_mapping, 0, -1);
956
	VLDBG(curlun, "invalidate_mapping_pages -> %ld\n", rc);
957
958
}

959
static int do_verify(struct fsg_common *common)
960
{
961
	struct fsg_lun		*curlun = common->curlun;
962
963
	u32			lba;
	u32			verification_length;
964
	struct fsg_buffhd	*bh = common->next_buffhd_to_fill;
965
966
967
968
969
	loff_t			file_offset, file_offset_tmp;
	u32			amount_left;
	unsigned int		amount;
	ssize_t			nread;

970
971
972
973
	/*
	 * Get the starting Logical Block Address and check that it's
	 * not too big.
	 */
974
	lba = get_unaligned_be32(&common->cmnd[2]);
975
976
977
978
979
	if (lba >= curlun->num_sectors) {
		curlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
		return -EINVAL;
	}

980
981
982
983
	/*
	 * We allow DPO (Disable Page Out = don't save data in the
	 * cache) but we don't implement it.
	 */
984
	if (common->cmnd[1] & ~0x10) {
985
986
987
988
		curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
		return -EINVAL;
	}

989
	verification_length = get_unaligned_be16(&common->cmnd[7]);
990
	if (unlikely(verification_length == 0))
991
		return -EIO;		/* No default reply */
992
993

	/* Prepare to carry out the file verify */
994
995
	amount_left = verification_length << curlun->blkbits;
	file_offset = ((loff_t) lba) << curlun->blkbits;
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007

	/* Write out all the dirty buffers before invalidating them */
	fsg_lun_fsync_sub(curlun);
	if (signal_pending(current))
		return -EINTR;

	invalidate_sub(curlun);
	if (signal_pending(current))
		return -EINTR;

	/* Just try to read the requested blocks */
	while (amount_left > 0) {
1008
1009
		/*
		 * Figure out how much we need to read:
1010
1011
1012
		 * Try to read the remaining amount, but not more than
		 * the buffer size.
		 * And don't try to read past the end of the file.
1013
		 */
1014
		amount = min(amount_left, FSG_BUFLEN);
1015
1016
		amount = min((loff_t)amount,
			     curlun->file_length - file_offset);
1017
1018
1019
		if (amount == 0) {
			curlun->sense_data =
					SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
1020
1021
			curlun->sense_data_info =
				file_offset >> curlun->blkbits;
1022
1023
1024
1025
1026
1027
			curlun->info_valid = 1;
			break;
		}

		/* Perform the read */
		file_offset_tmp = file_offset;
1028
1029
		nread = kernel_read(curlun->filp, bh->buf, amount,
				&file_offset_tmp);
1030
1031
1032
1033
1034
1035
1036
		VLDBG(curlun, "file read %u @ %llu -> %d\n", amount,
				(unsigned long long) file_offset,
				(int) nread);
		if (signal_pending(current))
			return -EINTR;

		if (nread < 0) {
1037
			LDBG(curlun, "error in file verify: %d\n", (int)nread);
1038
1039
1040
			nread = 0;
		} else if (nread < amount) {
			LDBG(curlun, "partial file verify: %d/%u\n",
1041
			     (int)nread, amount);
1042
			nread = round_down(nread, curlun->blksize);
1043
1044
1045
		}
		if (nread == 0) {
			curlun->sense_data = SS_UNRECOVERED_READ_ERROR;
1046
1047
			curlun->sense_data_info =
				file_offset >> curlun->blkbits;
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
			curlun->info_valid = 1;
			break;
		}
		file_offset += nread;
		amount_left -= nread;
	}
	return 0;
}


/*-------------------------------------------------------------------------*/

1060
static int do_inquiry(struct fsg_common *common, struct fsg_buffhd *bh)
1061
{
1062
	struct fsg_lun *curlun = common->curlun;
1063
1064
	u8	*buf = (u8 *) bh->buf;

1065
	if (!curlun) {		/* Unsupported LUNs are okay */
1066
		common->bad_lun_okay = 1;
1067
		memset(buf, 0, 36);
1068
		buf[0] = TYPE_NO_LUN;	/* Unsupported, no device-type */
1069
		buf[4] = 31;		/* Additional length */
1070
1071
1072
		return 36;
	}

1073
	buf[0] = curlun->cdrom ? TYPE_ROM : TYPE_DISK;
1074
	buf[1] = curlun->removable ? 0x80 : 0;
1075
1076
1077
1078
	buf[2] = 2;		/* ANSI SCSI level 2 */
	buf[3] = 2;		/* SCSI-2 INQUIRY data format */
	buf[4] = 31;		/* Additional length */
	buf[5] = 0;		/* No special options */
1079
1080
	buf[6] = 0;
	buf[7] = 0;
1081
1082
1083
1084
1085
1086
	if (curlun->inquiry_string[0])
		memcpy(buf + 8, curlun->inquiry_string,
		       sizeof(curlun->inquiry_string));
	else
		memcpy(buf + 8, common->inquiry_string,
		       sizeof(common->inquiry_string));
1087
1088
1089
	return 36;
}

1090
static int do_request_sense(struct fsg_common *common, struct fsg_buffhd *bh)
1091
{
1092
	struct fsg_lun	*curlun = common->curlun;
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
	u8		*buf = (u8 *) bh->buf;
	u32		sd, sdinfo;
	int		valid;

	/*
	 * From the SCSI-2 spec., section 7.9 (Unit attention condition):
	 *
	 * If a REQUEST SENSE command is received from an initiator
	 * with a pending unit attention condition (before the target
	 * generates the contingent allegiance condition), then the
	 * target shall either:
	 *   a) report any pending sense data and preserve the unit
	 *	attention condition on the logical unit, or,
	 *   b) report the unit attention condition, may discard any
	 *	pending sense data, and clear the unit attention
	 *	condition on the logical unit for that initiator.
	 *
	 * FSG normally uses option a); enable this code to use option b).
	 */
#if 0
	if (curlun && curlun->unit_attention_data != SS_NO_SENSE) {
		curlun->sense_data = curlun->unit_attention_data;
		curlun->unit_attention_data = SS_NO_SENSE;
	}
#endif

1119
	if (!curlun) {		/* Unsupported LUNs are okay */
1120
		common->bad_lun_okay = 1;
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
		sd = SS_LOGICAL_UNIT_NOT_SUPPORTED;
		sdinfo = 0;
		valid = 0;
	} else {
		sd = curlun->sense_data;
		sdinfo = curlun->sense_data_info;
		valid = curlun->info_valid << 7;
		curlun->sense_data = SS_NO_SENSE;
		curlun->sense_data_info = 0;
		curlun->info_valid = 0;
	}

	memset(buf, 0, 18);
1134
	buf[0] = valid | 0x70;			/* Valid, current error */
1135
1136
	buf[2] = SK(sd);
	put_unaligned_be32(sdinfo, &buf[3]);	/* Sense information */
1137
	buf[7] = 18 - 8;			/* Additional sense length */
1138
1139
1140
1141
1142
	buf[12] = ASC(sd);
	buf[13] = ASCQ(sd);
	return 18;
}

1143
static int do_read_capacity(struct fsg_common *common, struct fsg_buffhd *bh)
1144
{
1145
1146
1147
	struct fsg_lun	*curlun = common->curlun;
	u32		lba = get_unaligned_be32(&common->cmnd[2]);
	int		pmi = common->cmnd[8];
1148
	u8		*buf = (u8 *)bh->buf;
1149
1150
1151
1152
1153
1154
1155
1156
1157

	/* Check the PMI and LBA fields */
	if (pmi > 1 || (pmi == 0 && lba != 0)) {
		curlun->sense_data = SS_INVALID_FIELD_IN_CDB;
		return -EINVAL;
	}

	put_unaligned_be32(curlun->num_sectors - 1, &buf[0]);
						/* Max logical block */
1158
	put_unaligned_be32(curlun->blksize, &buf[4]);/* Block length */
1159
1160
1161
	return 8;
}

1162
static int do_read_header(struct fsg_common *common, struct fsg_buffhd *bh)
1163
{
1164
1165
1166
	struct fsg_lun	*curlun = common->curlun;
	int		msf = common->cmnd[1] & 0x02;
	u32		lba = get_unaligned_be32(&common->cmnd[2]);
1167
	u8		*buf = (u8 *)bh->buf;
1168

1169
	if (common->cmnd[1] & ~0x02) {		/* Mask away MSF */
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183