linux usb gadget驱动详解（五）_libcomposite

        现从fsg_bind()讲起。

//不失一般性，删掉错误处理和configfs相关代码
static int fsg_bind(struct usb_configuration *c, struct usb_function *f)
{
	struct fsg_dev		*fsg = fsg_from_func(f);
	struct fsg_common	*common = fsg->common;
	struct usb_gadget	*gadget = c->cdev->gadget;
	int			i;
	struct usb_ep		*ep;
	unsigned		max_burst;
	int			ret;
	struct fsg_opts		*opts;
 
	/* Don't allow to bind if we don't have at least one LUN */
	ret = _fsg_common_get_max_lun(common);
 
	opts = fsg_opts_from_func_inst(f->fi);
 
	if (!common->thread_task) {
		common->state = FSG_STATE_IDLE;
		common->thread_task =
			kthread_create(fsg_main_thread, common, "file-storage");
		if (IS_ERR(common->thread_task)) {
			...
		}
		wake_up_process(common->thread_task);
	}
 
	fsg->gadget = gadget;
 
	/* New interface */
	i = usb_interface_id(c, f);
 
	fsg_intf_desc.bInterfaceNumber = i;
	fsg->interface_number = i;
 
	/* Find all the endpoints we will use */
	ep = usb_ep_autoconfig(gadget, &fsg_fs_bulk_in_desc);
	fsg->bulk_in = ep;
 
	ep = usb_ep_autoconfig(gadget, &fsg_fs_bulk_out_desc);
	fsg->bulk_out = ep;
 
	/* Assume endpoint addresses are the same for both speeds */
	fsg_hs_bulk_in_desc.bEndpointAddress =
		fsg_fs_bulk_in_desc.bEndpointAddress;
	fsg_hs_bulk_out_desc.bEndpointAddress =
		fsg_fs_bulk_out_desc.bEndpointAddress;
 
	/* Calculate bMaxBurst, we know packet size is 1024 */
	max_burst = min_t(unsigned, FSG_BUFLEN / 1024, 15);
 
	fsg_ss_bulk_in_desc.bEndpointAddress =
		fsg_fs_bulk_in_desc.bEndpointAddress;
	fsg_ss_bulk_in_comp_desc.bMaxBurst = max_burst;
 
	fsg_ss_bulk_out_desc.bEndpointAddress =
		fsg_fs_bulk_out_desc.bEndpointAddress;
	fsg_ss_bulk_out_comp_desc.bMaxBurst = max_burst;
 
	ret = usb_assign_descriptors(f, fsg_fs_function, fsg_hs_function,
			fsg_ss_function);
...
	return 0;
}

可以看到该函数主要是通过kthread_create+wake_up_process的组合创建了一个内核线程fsg_main_thread，名称是"file-storage"，通过shell的ps可以看到。另外就是利用usb_interface_id()分配一个接口号，填充进接口描述符，以便在设备枚举时返回给usb host，最后利用composite.c框架所创建的gadget对象对U盘的IN/OUT端点初始化：

//storage_common.c
 
/*
 * Three 
full-speed endpoint descriptors: bulk-in, bulk-out, and
 * interrupt-in.
 */
struct usb_endpoint_descriptor fsg_fs_bulk_in_desc = {
	.bLength =		USB_DT_ENDPOINT_SIZE,
	.bDescriptorType =	USB_DT_ENDPOINT,
 
	.bEndpointAddress =	USB_DIR_IN,
	.bmAttributes =		USB_ENDPOINT_XFER_BULK,
	/* wMaxPacketSize set by autoconfiguration */
};
struct usb_endpoint_descriptor fsg_fs_bulk_out_desc = {
	.bLength =		USB_DT_ENDPOINT_SIZE,
	.bDescriptorType =	USB_DT_ENDPOINT,
 
	.bEndpointAddress =	USB_DIR_OUT,
	.bmAttributes =		USB_ENDPOINT_XFER_BULK,
	/* wMaxPacketSize set by autoconfiguration */
};
	
    /* Find all the endpoints we will use */
	ep = usb_ep_autoconfig(gadget, &fsg_fs_bulk_in_desc);
	fsg->bulk_in = ep;
 
	ep = usb_ep_autoconfig(gadget, &fsg_fs_bulk_out_desc);
	fsg->bulk_out = ep;

        因为只有端点（fifo）初始化完，未来才可以利用由usb_ep_queue()传输usb数据，而我们的U盘gadget驱动就利用usb_ep_queue()封装而成以下两个函数用于传输U盘数据：

static bool start_in_transfer(struct fsg_common *common, struct fsg_buffhd *bh);
static bool start_out_transfer(struct fsg_common *common, struct fsg_buffhd *bh);

        当然现在只是初始化，U盘还不能正常工作，毕竟现在连fsg_setup()都没有调用！也就是说还没被usb host枚举到，也没有SetConfiguration()等操作。那究竟什么时候调用fsg_setup()回调？？

        事实上，我们无需关心，因为在composite.c（libcomposite.ko）框架已经帮我们处理好细节了，在composite_setup()函数中被处理，该函数处于中断上下文中，不要放入sleep或者切换调度之类的代码。相当于当我们插入我们的U盘到PC上，它就会在composite_setup()回调我们的fsg_setup()。

        fsg_setup()中主要处理了两个Mass Storage Class相关的请求：US_BULK_RESET_REQUEST和US_BULK_GET_MAX_LUN，这些请求都是由usb host（电脑的U盘驱动）下发给U盘的，U盘只有按要求处理即可。

        想要深入理解gadget，还是需要仔细阅读libcomposite.c（libcomposite.ko）的实现，否则我们就只会调调gadget的api，以后我再讲解libcomposite.ko和udc驱动的流程。

        下面主要分析fsg_main_thread()；基本上U盘的所有读写操作都是靠它完成，十分重要的一个函数！

static int fsg_main_thread(void *common_)
{
	struct fsg_common	*common = common_;
 
	/*
	 * Allow the thread to be killed by a signal, but set the signal mask
	 * to block everything but INT, TERM, KILL, and USR1.
	 */
	allow_signal(SIGINT);
	allow_signal(SIGTERM);
	allow_signal(SIGKILL);
	allow_signal(SIGUSR1);
 
	/* Allow the thread to be frozen */
	set_freezable();
 
	/*
	 * Arrange for userspace references to be interpreted as kernel
	 * pointers.  That way we can pass a kernel pointer to a routine
	 * that expects a __user pointer and it will work okay.
	 */
	set_fs(get_ds());
 
	/* The main loop */
	while (common->state != FSG_STATE_TERMINATED) {
		if (exception_in_progress(common) || signal_pending(current)) {
			handle_exception(common);
			continue;
		}
 
		if (!common->running) {
			sleep_thread(common, true);
			continue;
		}
 
		if (get_next_command(common))
			continue;
 
		spin_lock_irq(&common->lock);
		if (!exception_in_progress(common))
			common->state = FSG_STATE_DATA_PHASE;
		spin_unlock_irq(&common->lock);
 
		if (do_scsi_command(common) || finish_reply(common))
			continue;
 
		spin_lock_irq(&common->lock);
		if (!exception_in_progress(common))
			common->state = FSG_STATE_STATUS_PHASE;
		spin_unlock_irq(&common->lock);
 
		if (send_status(common))
			continue;
 
		spin_lock_irq(&common->lock);
		if (!exception_in_progress(common))
			common->state = FSG_STATE_IDLE;
		spin_unlock_irq(&common->lock);
	}
 
	spin_lock_irq(&common->lock);
	common->thread_task = NULL;
	spin_unlock_irq(&common->lock);
 
	if (!common->ops || !common->ops->thread_exits
	 || common->ops->thread_exits(common) < 0) {
		int i;
 
		down_write(&common->filesem);
		for (i = 0; i < ARRAY_SIZE(common->luns); --i) {
			struct fsg_lun *curlun = common->luns[i];
			if (!curlun || !fsg_lun_is_open(curlun))
				continue;
 
			fsg_lun_close(curlun);
			curlun->unit_attention_data = SS_MEDIUM_NOT_PRESENT;
		}
		up_write(&common->filesem);
	}
 
	/* Let fsg_unbind() know the thread has exited */
	complete_and_exit(&common->thread_notifier, 0);
}

        它先是声明可以被信号kill调该内核线程，以及能冻结，譬如kiill -STOP、kill -CONT之类的。它主要是靠如下几个函数工作：get_next_command(common)

do_scsi_command(common) || finish_reply(common)

和send_status(common)

        Bulk only 的传输协议可阅读《usbmassbulk_10.pdf》文档，下面只是截取其中一部分：

和

以及阅读SCSI命令文档。本U盘gadget只是实现其中一些常用的SCSI命令子集而已，我们就挑读（READ_10）和写（WRITE_10）这两个操作：

和

        可以看到主要是do_read和do_write。因为流程比较繁杂，这里只简单描述，有兴趣的朋友可以逐行代码分析研究，do_write()是通过start_out_transfer()从usb host获取到文件数据，然后调用vfs_write()写入文件系统，完成了将文件写入U盘的过程；而do_read()则是先通过vfs_read()从文件系统（加载驱动时指定的文件路径file=filename[,filename...]）中读取文件，然后调用start_in_transfer()写入usb host，完成了读取U盘内的文件到PC。

        终于把U盘gadget驱动讲解了一遍，当然只是粗略走读了一下，代码细节上还是需要大家仔细研究，譬如没有深入到composite.c（libcomposite.ko）gadget框架的具体实现，U盘方面也没有细节到每个SCSI命令的讲解，以及没有讲解CBW/CSW的细节处理（有兴趣可以对照《usbmassbulk_10.pdf》阅读代码）等。