xref: /openbmc/qemu/hw/usb/dev-storage.c (revision 9884abee) 
1 /*
2  * USB Mass Storage Device emulation
3  *
4  * Copyright (c) 2006 CodeSourcery.
5  * Written by Paul Brook
6  *
7  * This code is licensed under the LGPL.
8  */
9 
10 #include "qemu/osdep.h"
11 #include "qemu-common.h"
12 #include "qemu/error-report.h"
13 #include "qemu/option.h"
14 #include "qemu/config-file.h"
15 #include "hw/usb.h"
16 #include "hw/usb/desc.h"
17 #include "hw/scsi/scsi.h"
18 #include "ui/console.h"
19 #include "monitor/monitor.h"
20 #include "sysemu/sysemu.h"
21 #include "sysemu/block-backend.h"
22 #include "sysemu/blockdev.h"
23 #include "qapi/visitor.h"
24 
25 //#define DEBUG_MSD
26 
27 #ifdef DEBUG_MSD
28 #define DPRINTF(fmt, ...) \
29 do { printf("usb-msd: " fmt , ## __VA_ARGS__); } while (0)
30 #else
31 #define DPRINTF(fmt, ...) do {} while(0)
32 #endif
33 
34 /* USB requests.  */
35 #define MassStorageReset  0xff
36 #define GetMaxLun         0xfe
37 
38 enum USBMSDMode {
39     USB_MSDM_CBW, /* Command Block.  */
40     USB_MSDM_DATAOUT, /* Transfer data to device.  */
41     USB_MSDM_DATAIN, /* Transfer data from device.  */
42     USB_MSDM_CSW /* Command Status.  */
43 };
44 
45 struct usb_msd_csw {
46     uint32_t sig;
47     uint32_t tag;
48     uint32_t residue;
49     uint8_t status;
50 };
51 
52 typedef struct {
53     USBDevice dev;
54     enum USBMSDMode mode;
55     uint32_t scsi_off;
56     uint32_t scsi_len;
57     uint32_t data_len;
58     struct usb_msd_csw csw;
59     SCSIRequest *req;
60     SCSIBus bus;
61     /* For async completion.  */
62     USBPacket *packet;
63     /* usb-storage only */
64     BlockConf conf;
65     uint32_t removable;
66     SCSIDevice *scsi_dev;
67 } MSDState;
68 
69 #define TYPE_USB_STORAGE "usb-storage-dev"
70 #define USB_STORAGE_DEV(obj) OBJECT_CHECK(MSDState, (obj), TYPE_USB_STORAGE)
71 
72 struct usb_msd_cbw {
73     uint32_t sig;
74     uint32_t tag;
75     uint32_t data_len;
76     uint8_t flags;
77     uint8_t lun;
78     uint8_t cmd_len;
79     uint8_t cmd[16];
80 };
81 
82 enum {
83     STR_MANUFACTURER = 1,
84     STR_PRODUCT,
85     STR_SERIALNUMBER,
86     STR_CONFIG_FULL,
87     STR_CONFIG_HIGH,
88     STR_CONFIG_SUPER,
89 };
90 
91 static const USBDescStrings desc_strings = {
92     [STR_MANUFACTURER] = "QEMU",
93     [STR_PRODUCT]      = "QEMU USB HARDDRIVE",
94     [STR_SERIALNUMBER] = "1",
95     [STR_CONFIG_FULL]  = "Full speed config (usb 1.1)",
96     [STR_CONFIG_HIGH]  = "High speed config (usb 2.0)",
97     [STR_CONFIG_SUPER] = "Super speed config (usb 3.0)",
98 };
99 
100 static const USBDescIface desc_iface_full = {
101     .bInterfaceNumber              = 0,
102     .bNumEndpoints                 = 2,
103     .bInterfaceClass               = USB_CLASS_MASS_STORAGE,
104     .bInterfaceSubClass            = 0x06, /* SCSI */
105     .bInterfaceProtocol            = 0x50, /* Bulk */
106     .eps = (USBDescEndpoint[]) {
107         {
108             .bEndpointAddress      = USB_DIR_IN | 0x01,
109             .bmAttributes          = USB_ENDPOINT_XFER_BULK,
110             .wMaxPacketSize        = 64,
111         },{
112             .bEndpointAddress      = USB_DIR_OUT | 0x02,
113             .bmAttributes          = USB_ENDPOINT_XFER_BULK,
114             .wMaxPacketSize        = 64,
115         },
116     }
117 };
118 
119 static const USBDescDevice desc_device_full = {
120     .bcdUSB                        = 0x0200,
121     .bMaxPacketSize0               = 8,
122     .bNumConfigurations            = 1,
123     .confs = (USBDescConfig[]) {
124         {
125             .bNumInterfaces        = 1,
126             .bConfigurationValue   = 1,
127             .iConfiguration        = STR_CONFIG_FULL,
128             .bmAttributes          = USB_CFG_ATT_ONE | USB_CFG_ATT_SELFPOWER,
129             .nif = 1,
130             .ifs = &desc_iface_full,
131         },
132     },
133 };
134 
135 static const USBDescIface desc_iface_high = {
136     .bInterfaceNumber              = 0,
137     .bNumEndpoints                 = 2,
138     .bInterfaceClass               = USB_CLASS_MASS_STORAGE,
139     .bInterfaceSubClass            = 0x06, /* SCSI */
140     .bInterfaceProtocol            = 0x50, /* Bulk */
141     .eps = (USBDescEndpoint[]) {
142         {
143             .bEndpointAddress      = USB_DIR_IN | 0x01,
144             .bmAttributes          = USB_ENDPOINT_XFER_BULK,
145             .wMaxPacketSize        = 512,
146         },{
147             .bEndpointAddress      = USB_DIR_OUT | 0x02,
148             .bmAttributes          = USB_ENDPOINT_XFER_BULK,
149             .wMaxPacketSize        = 512,
150         },
151     }
152 };
153 
154 static const USBDescDevice desc_device_high = {
155     .bcdUSB                        = 0x0200,
156     .bMaxPacketSize0               = 64,
157     .bNumConfigurations            = 1,
158     .confs = (USBDescConfig[]) {
159         {
160             .bNumInterfaces        = 1,
161             .bConfigurationValue   = 1,
162             .iConfiguration        = STR_CONFIG_HIGH,
163             .bmAttributes          = USB_CFG_ATT_ONE | USB_CFG_ATT_SELFPOWER,
164             .nif = 1,
165             .ifs = &desc_iface_high,
166         },
167     },
168 };
169 
170 static const USBDescIface desc_iface_super = {
171     .bInterfaceNumber              = 0,
172     .bNumEndpoints                 = 2,
173     .bInterfaceClass               = USB_CLASS_MASS_STORAGE,
174     .bInterfaceSubClass            = 0x06, /* SCSI */
175     .bInterfaceProtocol            = 0x50, /* Bulk */
176     .eps = (USBDescEndpoint[]) {
177         {
178             .bEndpointAddress      = USB_DIR_IN | 0x01,
179             .bmAttributes          = USB_ENDPOINT_XFER_BULK,
180             .wMaxPacketSize        = 1024,
181             .bMaxBurst             = 15,
182         },{
183             .bEndpointAddress      = USB_DIR_OUT | 0x02,
184             .bmAttributes          = USB_ENDPOINT_XFER_BULK,
185             .wMaxPacketSize        = 1024,
186             .bMaxBurst             = 15,
187         },
188     }
189 };
190 
191 static const USBDescDevice desc_device_super = {
192     .bcdUSB                        = 0x0300,
193     .bMaxPacketSize0               = 9,
194     .bNumConfigurations            = 1,
195     .confs = (USBDescConfig[]) {
196         {
197             .bNumInterfaces        = 1,
198             .bConfigurationValue   = 1,
199             .iConfiguration        = STR_CONFIG_SUPER,
200             .bmAttributes          = USB_CFG_ATT_ONE | USB_CFG_ATT_SELFPOWER,
201             .nif = 1,
202             .ifs = &desc_iface_super,
203         },
204     },
205 };
206 
207 static const USBDesc desc = {
208     .id = {
209         .idVendor          = 0x46f4, /* CRC16() of "QEMU" */
210         .idProduct         = 0x0001,
211         .bcdDevice         = 0,
212         .iManufacturer     = STR_MANUFACTURER,
213         .iProduct          = STR_PRODUCT,
214         .iSerialNumber     = STR_SERIALNUMBER,
215     },
216     .full  = &desc_device_full,
217     .high  = &desc_device_high,
218     .super = &desc_device_super,
219     .str   = desc_strings,
220 };
221 
222 static void usb_msd_copy_data(MSDState *s, USBPacket *p)
223 {
224     uint32_t len;
225     len = p->iov.size - p->actual_length;
226     if (len > s->scsi_len)
227         len = s->scsi_len;
228     usb_packet_copy(p, scsi_req_get_buf(s->req) + s->scsi_off, len);
229     s->scsi_len -= len;
230     s->scsi_off += len;
231     s->data_len -= len;
232     if (s->scsi_len == 0 || s->data_len == 0) {
233         scsi_req_continue(s->req);
234     }
235 }
236 
237 static void usb_msd_send_status(MSDState *s, USBPacket *p)
238 {
239     int len;
240 
241     DPRINTF("Command status %d tag 0x%x, len %zd\n",
242             s->csw.status, le32_to_cpu(s->csw.tag), p->iov.size);
243 
244     assert(s->csw.sig == cpu_to_le32(0x53425355));
245     len = MIN(sizeof(s->csw), p->iov.size);
246     usb_packet_copy(p, &s->csw, len);
247     memset(&s->csw, 0, sizeof(s->csw));
248 }
249 
250 static void usb_msd_packet_complete(MSDState *s)
251 {
252     USBPacket *p = s->packet;
253 
254     /* Set s->packet to NULL before calling usb_packet_complete
255        because another request may be issued before
256        usb_packet_complete returns.  */
257     DPRINTF("Packet complete %p\n", p);
258     s->packet = NULL;
259     usb_packet_complete(&s->dev, p);
260 }
261 
262 static void usb_msd_transfer_data(SCSIRequest *req, uint32_t len)
263 {
264     MSDState *s = DO_UPCAST(MSDState, dev.qdev, req->bus->qbus.parent);
265     USBPacket *p = s->packet;
266 
267     assert((s->mode == USB_MSDM_DATAOUT) == (req->cmd.mode == SCSI_XFER_TO_DEV));
268     s->scsi_len = len;
269     s->scsi_off = 0;
270     if (p) {
271         usb_msd_copy_data(s, p);
272         p = s->packet;
273         if (p && p->actual_length == p->iov.size) {
274             p->status = USB_RET_SUCCESS; /* Clear previous ASYNC status */
275             usb_msd_packet_complete(s);
276         }
277     }
278 }
279 
280 static void usb_msd_command_complete(SCSIRequest *req, uint32_t status, size_t resid)
281 {
282     MSDState *s = DO_UPCAST(MSDState, dev.qdev, req->bus->qbus.parent);
283     USBPacket *p = s->packet;
284 
285     DPRINTF("Command complete %d tag 0x%x\n", status, req->tag);
286 
287     s->csw.sig = cpu_to_le32(0x53425355);
288     s->csw.tag = cpu_to_le32(req->tag);
289     s->csw.residue = cpu_to_le32(s->data_len);
290     s->csw.status = status != 0;
291 
292     if (s->packet) {
293         if (s->data_len == 0 && s->mode == USB_MSDM_DATAOUT) {
294             /* A deferred packet with no write data remaining must be
295                the status read packet.  */
296             usb_msd_send_status(s, p);
297             s->mode = USB_MSDM_CBW;
298         } else if (s->mode == USB_MSDM_CSW) {
299             usb_msd_send_status(s, p);
300             s->mode = USB_MSDM_CBW;
301         } else {
302             if (s->data_len) {
303                 int len = (p->iov.size - p->actual_length);
304                 usb_packet_skip(p, len);
305                 s->data_len -= len;
306             }
307             if (s->data_len == 0) {
308                 s->mode = USB_MSDM_CSW;
309             }
310         }
311         p->status = USB_RET_SUCCESS; /* Clear previous ASYNC status */
312         usb_msd_packet_complete(s);
313     } else if (s->data_len == 0) {
314         s->mode = USB_MSDM_CSW;
315     }
316     scsi_req_unref(req);
317     s->req = NULL;
318 }
319 
320 static void usb_msd_request_cancelled(SCSIRequest *req)
321 {
322     MSDState *s = DO_UPCAST(MSDState, dev.qdev, req->bus->qbus.parent);
323 
324     if (req == s->req) {
325         scsi_req_unref(s->req);
326         s->req = NULL;
327         s->scsi_len = 0;
328     }
329 }
330 
331 static void usb_msd_handle_reset(USBDevice *dev)
332 {
333     MSDState *s = (MSDState *)dev;
334 
335     DPRINTF("Reset\n");
336     if (s->req) {
337         scsi_req_cancel(s->req);
338     }
339     assert(s->req == NULL);
340 
341     if (s->packet) {
342         s->packet->status = USB_RET_STALL;
343         usb_msd_packet_complete(s);
344     }
345 
346     s->mode = USB_MSDM_CBW;
347 }
348 
349 static void usb_msd_handle_control(USBDevice *dev, USBPacket *p,
350                int request, int value, int index, int length, uint8_t *data)
351 {
352     MSDState *s = (MSDState *)dev;
353     SCSIDevice *scsi_dev;
354     int ret, maxlun;
355 
356     ret = usb_desc_handle_control(dev, p, request, value, index, length, data);
357     if (ret >= 0) {
358         return;
359     }
360 
361     switch (request) {
362     case EndpointOutRequest | USB_REQ_CLEAR_FEATURE:
363         break;
364         /* Class specific requests.  */
365     case ClassInterfaceOutRequest | MassStorageReset:
366         /* Reset state ready for the next CBW.  */
367         s->mode = USB_MSDM_CBW;
368         break;
369     case ClassInterfaceRequest | GetMaxLun:
370         maxlun = 0;
371         for (;;) {
372             scsi_dev = scsi_device_find(&s->bus, 0, 0, maxlun+1);
373             if (scsi_dev == NULL) {
374                 break;
375             }
376             if (scsi_dev->lun != maxlun+1) {
377                 break;
378             }
379             maxlun++;
380         }
381         DPRINTF("MaxLun %d\n", maxlun);
382         data[0] = maxlun;
383         p->actual_length = 1;
384         break;
385     default:
386         p->status = USB_RET_STALL;
387         break;
388     }
389 }
390 
391 static void usb_msd_cancel_io(USBDevice *dev, USBPacket *p)
392 {
393     MSDState *s = USB_STORAGE_DEV(dev);
394 
395     assert(s->packet == p);
396     s->packet = NULL;
397 
398     if (s->req) {
399         scsi_req_cancel(s->req);
400     }
401 }
402 
403 static void usb_msd_handle_data(USBDevice *dev, USBPacket *p)
404 {
405     MSDState *s = (MSDState *)dev;
406     uint32_t tag;
407     struct usb_msd_cbw cbw;
408     uint8_t devep = p->ep->nr;
409     SCSIDevice *scsi_dev;
410     uint32_t len;
411 
412     switch (p->pid) {
413     case USB_TOKEN_OUT:
414         if (devep != 2)
415             goto fail;
416 
417         switch (s->mode) {
418         case USB_MSDM_CBW:
419             if (p->iov.size != 31) {
420                 error_report("usb-msd: Bad CBW size");
421                 goto fail;
422             }
423             usb_packet_copy(p, &cbw, 31);
424             if (le32_to_cpu(cbw.sig) != 0x43425355) {
425                 error_report("usb-msd: Bad signature %08x",
426                              le32_to_cpu(cbw.sig));
427                 goto fail;
428             }
429             DPRINTF("Command on LUN %d\n", cbw.lun);
430             scsi_dev = scsi_device_find(&s->bus, 0, 0, cbw.lun);
431             if (scsi_dev == NULL) {
432                 error_report("usb-msd: Bad LUN %d", cbw.lun);
433                 goto fail;
434             }
435             tag = le32_to_cpu(cbw.tag);
436             s->data_len = le32_to_cpu(cbw.data_len);
437             if (s->data_len == 0) {
438                 s->mode = USB_MSDM_CSW;
439             } else if (cbw.flags & 0x80) {
440                 s->mode = USB_MSDM_DATAIN;
441             } else {
442                 s->mode = USB_MSDM_DATAOUT;
443             }
444             DPRINTF("Command tag 0x%x flags %08x len %d data %d\n",
445                     tag, cbw.flags, cbw.cmd_len, s->data_len);
446             assert(le32_to_cpu(s->csw.residue) == 0);
447             s->scsi_len = 0;
448             s->req = scsi_req_new(scsi_dev, tag, cbw.lun, cbw.cmd, NULL);
449 #ifdef DEBUG_MSD
450             scsi_req_print(s->req);
451 #endif
452             len = scsi_req_enqueue(s->req);
453             if (len) {
454                 scsi_req_continue(s->req);
455             }
456             break;
457 
458         case USB_MSDM_DATAOUT:
459             DPRINTF("Data out %zd/%d\n", p->iov.size, s->data_len);
460             if (p->iov.size > s->data_len) {
461                 goto fail;
462             }
463 
464             if (s->scsi_len) {
465                 usb_msd_copy_data(s, p);
466             }
467             if (le32_to_cpu(s->csw.residue)) {
468                 int len = p->iov.size - p->actual_length;
469                 if (len) {
470                     usb_packet_skip(p, len);
471                     s->data_len -= len;
472                     if (s->data_len == 0) {
473                         s->mode = USB_MSDM_CSW;
474                     }
475                 }
476             }
477             if (p->actual_length < p->iov.size) {
478                 DPRINTF("Deferring packet %p [wait data-out]\n", p);
479                 s->packet = p;
480                 p->status = USB_RET_ASYNC;
481             }
482             break;
483 
484         default:
485             DPRINTF("Unexpected write (len %zd)\n", p->iov.size);
486             goto fail;
487         }
488         break;
489 
490     case USB_TOKEN_IN:
491         if (devep != 1)
492             goto fail;
493 
494         switch (s->mode) {
495         case USB_MSDM_DATAOUT:
496             if (s->data_len != 0 || p->iov.size < 13) {
497                 goto fail;
498             }
499             /* Waiting for SCSI write to complete.  */
500             s->packet = p;
501             p->status = USB_RET_ASYNC;
502             break;
503 
504         case USB_MSDM_CSW:
505             if (p->iov.size < 13) {
506                 goto fail;
507             }
508 
509             if (s->req) {
510                 /* still in flight */
511                 DPRINTF("Deferring packet %p [wait status]\n", p);
512                 s->packet = p;
513                 p->status = USB_RET_ASYNC;
514             } else {
515                 usb_msd_send_status(s, p);
516                 s->mode = USB_MSDM_CBW;
517             }
518             break;
519 
520         case USB_MSDM_DATAIN:
521             DPRINTF("Data in %zd/%d, scsi_len %d\n",
522                     p->iov.size, s->data_len, s->scsi_len);
523             if (s->scsi_len) {
524                 usb_msd_copy_data(s, p);
525             }
526             if (le32_to_cpu(s->csw.residue)) {
527                 int len = p->iov.size - p->actual_length;
528                 if (len) {
529                     usb_packet_skip(p, len);
530                     s->data_len -= len;
531                     if (s->data_len == 0) {
532                         s->mode = USB_MSDM_CSW;
533                     }
534                 }
535             }
536             if (p->actual_length < p->iov.size) {
537                 DPRINTF("Deferring packet %p [wait data-in]\n", p);
538                 s->packet = p;
539                 p->status = USB_RET_ASYNC;
540             }
541             break;
542 
543         default:
544             DPRINTF("Unexpected read (len %zd)\n", p->iov.size);
545             goto fail;
546         }
547         break;
548 
549     default:
550         DPRINTF("Bad token\n");
551     fail:
552         p->status = USB_RET_STALL;
553         break;
554     }
555 }
556 
557 static void usb_msd_password_cb(void *opaque, int err)
558 {
559     MSDState *s = opaque;
560     Error *local_err = NULL;
561 
562     if (!err) {
563         usb_device_attach(&s->dev, &local_err);
564     }
565 
566     if (local_err) {
567         error_report_err(local_err);
568         qdev_unplug(&s->dev.qdev, NULL);
569     }
570 }
571 
572 static void *usb_msd_load_request(QEMUFile *f, SCSIRequest *req)
573 {
574     MSDState *s = DO_UPCAST(MSDState, dev.qdev, req->bus->qbus.parent);
575 
576     /* nothing to load, just store req in our state struct */
577     assert(s->req == NULL);
578     scsi_req_ref(req);
579     s->req = req;
580     return NULL;
581 }
582 
583 static const struct SCSIBusInfo usb_msd_scsi_info_storage = {
584     .tcq = false,
585     .max_target = 0,
586     .max_lun = 0,
587 
588     .transfer_data = usb_msd_transfer_data,
589     .complete = usb_msd_command_complete,
590     .cancel = usb_msd_request_cancelled,
591     .load_request = usb_msd_load_request,
592 };
593 
594 static const struct SCSIBusInfo usb_msd_scsi_info_bot = {
595     .tcq = false,
596     .max_target = 0,
597     .max_lun = 15,
598 
599     .transfer_data = usb_msd_transfer_data,
600     .complete = usb_msd_command_complete,
601     .cancel = usb_msd_request_cancelled,
602     .load_request = usb_msd_load_request,
603 };
604 
605 static void usb_msd_realize_storage(USBDevice *dev, Error **errp)
606 {
607     MSDState *s = USB_STORAGE_DEV(dev);
608     BlockBackend *blk = s->conf.blk;
609     SCSIDevice *scsi_dev;
610     Error *err = NULL;
611 
612     if (!blk) {
613         error_setg(errp, "drive property not set");
614         return;
615     }
616 
617     if (blk_bs(blk)) {
618         bdrv_add_key(blk_bs(blk), NULL, &err);
619         if (err) {
620             if (monitor_cur_is_qmp()) {
621                 error_propagate(errp, err);
622                 return;
623             }
624             error_free(err);
625             err = NULL;
626             if (cur_mon) {
627                 monitor_read_bdrv_key_start(cur_mon, blk_bs(blk),
628                                             usb_msd_password_cb, s);
629                 s->dev.auto_attach = 0;
630             } else {
631                 autostart = 0;
632             }
633         }
634     }
635 
636     blkconf_serial(&s->conf, &dev->serial);
637     blkconf_blocksizes(&s->conf);
638 
639     /*
640      * Hack alert: this pretends to be a block device, but it's really
641      * a SCSI bus that can serve only a single device, which it
642      * creates automatically.  But first it needs to detach from its
643      * blockdev, or else scsi_bus_legacy_add_drive() dies when it
644      * attaches again.
645      *
646      * The hack is probably a bad idea.
647      */
648     blk_detach_dev(blk, &s->dev.qdev);
649     s->conf.blk = NULL;
650 
651     usb_desc_create_serial(dev);
652     usb_desc_init(dev);
653     scsi_bus_new(&s->bus, sizeof(s->bus), DEVICE(dev),
654                  &usb_msd_scsi_info_storage, NULL);
655     scsi_dev = scsi_bus_legacy_add_drive(&s->bus, blk, 0, !!s->removable,
656                                          s->conf.bootindex, dev->serial,
657                                          &err);
658     if (!scsi_dev) {
659         error_propagate(errp, err);
660         return;
661     }
662     usb_msd_handle_reset(dev);
663     s->scsi_dev = scsi_dev;
664 }
665 
666 static void usb_msd_realize_bot(USBDevice *dev, Error **errp)
667 {
668     MSDState *s = USB_STORAGE_DEV(dev);
669 
670     usb_desc_create_serial(dev);
671     usb_desc_init(dev);
672     scsi_bus_new(&s->bus, sizeof(s->bus), DEVICE(dev),
673                  &usb_msd_scsi_info_bot, NULL);
674     usb_msd_handle_reset(dev);
675 }
676 
677 static USBDevice *usb_msd_init(USBBus *bus, const char *filename)
678 {
679     static int nr=0;
680     Error *err = NULL;
681     char id[8];
682     QemuOpts *opts;
683     DriveInfo *dinfo;
684     USBDevice *dev;
685     const char *p1;
686     char fmt[32];
687 
688     /* parse -usbdevice disk: syntax into drive opts */
689     do {
690         snprintf(id, sizeof(id), "usb%d", nr++);
691         opts = qemu_opts_create(qemu_find_opts("drive"), id, 1, NULL);
692     } while (!opts);
693 
694     p1 = strchr(filename, ':');
695     if (p1++) {
696         const char *p2;
697 
698         if (strstart(filename, "format=", &p2)) {
699             int len = MIN(p1 - p2, sizeof(fmt));
700             pstrcpy(fmt, len, p2);
701             qemu_opt_set(opts, "format", fmt, &error_abort);
702         } else if (*filename != ':') {
703             error_report("unrecognized USB mass-storage option %s", filename);
704             return NULL;
705         }
706         filename = p1;
707     }
708     if (!*filename) {
709         error_report("block device specification needed");
710         return NULL;
711     }
712     qemu_opt_set(opts, "file", filename, &error_abort);
713     qemu_opt_set(opts, "if", "none", &error_abort);
714 
715     /* create host drive */
716     dinfo = drive_new(opts, 0);
717     if (!dinfo) {
718         qemu_opts_del(opts);
719         return NULL;
720     }
721 
722     /* create guest device */
723     dev = usb_create(bus, "usb-storage");
724     qdev_prop_set_drive(&dev->qdev, "drive", blk_by_legacy_dinfo(dinfo),
725                         &err);
726     if (err) {
727         error_report_err(err);
728         object_unparent(OBJECT(dev));
729         return NULL;
730     }
731     return dev;
732 }
733 
734 static const VMStateDescription vmstate_usb_msd = {
735     .name = "usb-storage",
736     .version_id = 1,
737     .minimum_version_id = 1,
738     .fields = (VMStateField[]) {
739         VMSTATE_USB_DEVICE(dev, MSDState),
740         VMSTATE_UINT32(mode, MSDState),
741         VMSTATE_UINT32(scsi_len, MSDState),
742         VMSTATE_UINT32(scsi_off, MSDState),
743         VMSTATE_UINT32(data_len, MSDState),
744         VMSTATE_UINT32(csw.sig, MSDState),
745         VMSTATE_UINT32(csw.tag, MSDState),
746         VMSTATE_UINT32(csw.residue, MSDState),
747         VMSTATE_UINT8(csw.status, MSDState),
748         VMSTATE_END_OF_LIST()
749     }
750 };
751 
752 static Property msd_properties[] = {
753     DEFINE_BLOCK_PROPERTIES(MSDState, conf),
754     DEFINE_PROP_BIT("removable", MSDState, removable, 0, false),
755     DEFINE_PROP_END_OF_LIST(),
756 };
757 
758 static void usb_msd_class_initfn_common(ObjectClass *klass, void *data)
759 {
760     DeviceClass *dc = DEVICE_CLASS(klass);
761     USBDeviceClass *uc = USB_DEVICE_CLASS(klass);
762 
763     uc->product_desc   = "QEMU USB MSD";
764     uc->usb_desc       = &desc;
765     uc->cancel_packet  = usb_msd_cancel_io;
766     uc->handle_attach  = usb_desc_attach;
767     uc->handle_reset   = usb_msd_handle_reset;
768     uc->handle_control = usb_msd_handle_control;
769     uc->handle_data    = usb_msd_handle_data;
770     set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
771     dc->fw_name = "storage";
772     dc->vmsd = &vmstate_usb_msd;
773 }
774 
775 static void usb_msd_class_initfn_storage(ObjectClass *klass, void *data)
776 {
777     DeviceClass *dc = DEVICE_CLASS(klass);
778     USBDeviceClass *uc = USB_DEVICE_CLASS(klass);
779 
780     uc->realize = usb_msd_realize_storage;
781     dc->props = msd_properties;
782 }
783 
784 static void usb_msd_get_bootindex(Object *obj, Visitor *v, void *opaque,
785                                   const char *name, Error **errp)
786 {
787     USBDevice *dev = USB_DEVICE(obj);
788     MSDState *s = USB_STORAGE_DEV(dev);
789 
790     visit_type_int32(v, &s->conf.bootindex, name, errp);
791 }
792 
793 static void usb_msd_set_bootindex(Object *obj, Visitor *v, void *opaque,
794                                   const char *name, Error **errp)
795 {
796     USBDevice *dev = USB_DEVICE(obj);
797     MSDState *s = USB_STORAGE_DEV(dev);
798     int32_t boot_index;
799     Error *local_err = NULL;
800 
801     visit_type_int32(v, &boot_index, name, &local_err);
802     if (local_err) {
803         goto out;
804     }
805     /* check whether bootindex is present in fw_boot_order list  */
806     check_boot_index(boot_index, &local_err);
807     if (local_err) {
808         goto out;
809     }
810     /* change bootindex to a new one */
811     s->conf.bootindex = boot_index;
812 
813     if (s->scsi_dev) {
814         object_property_set_int(OBJECT(s->scsi_dev), boot_index, "bootindex",
815                                 &error_abort);
816     }
817 
818 out:
819     if (local_err) {
820         error_propagate(errp, local_err);
821     }
822 }
823 
824 static const TypeInfo usb_storage_dev_type_info = {
825     .name = TYPE_USB_STORAGE,
826     .parent = TYPE_USB_DEVICE,
827     .instance_size = sizeof(MSDState),
828     .abstract = true,
829     .class_init = usb_msd_class_initfn_common,
830 };
831 
832 static void usb_msd_instance_init(Object *obj)
833 {
834     object_property_add(obj, "bootindex", "int32",
835                         usb_msd_get_bootindex,
836                         usb_msd_set_bootindex, NULL, NULL, NULL);
837     object_property_set_int(obj, -1, "bootindex", NULL);
838 }
839 
840 static void usb_msd_class_initfn_bot(ObjectClass *klass, void *data)
841 {
842     USBDeviceClass *uc = USB_DEVICE_CLASS(klass);
843     DeviceClass *dc = DEVICE_CLASS(klass);
844 
845     uc->realize = usb_msd_realize_bot;
846     dc->hotpluggable = false;
847 }
848 
849 static const TypeInfo msd_info = {
850     .name          = "usb-storage",
851     .parent        = TYPE_USB_STORAGE,
852     .class_init    = usb_msd_class_initfn_storage,
853     .instance_init = usb_msd_instance_init,
854 };
855 
856 static const TypeInfo bot_info = {
857     .name          = "usb-bot",
858     .parent        = TYPE_USB_STORAGE,
859     .class_init    = usb_msd_class_initfn_bot,
860 };
861 
862 static void usb_msd_register_types(void)
863 {
864     type_register_static(&usb_storage_dev_type_info);
865     type_register_static(&msd_info);
866     type_register_static(&bot_info);
867     usb_legacy_register("usb-storage", "disk", usb_msd_init);
868 }
869 
870 type_init(usb_msd_register_types)
871