xref: /openbmc/qemu/hw/usb/dev-storage.c (revision f8ed85ac)
1 /*
2  * USB Mass Storage Device emulation
3  *
4  * Copyright (c) 2006 CodeSourcery.
5  * Written by Paul Brook
6  *
7  * This code is licensed under the LGPL.
8  */
9 
10 #include "qemu-common.h"
11 #include "qemu/error-report.h"
12 #include "qemu/option.h"
13 #include "qemu/config-file.h"
14 #include "hw/usb.h"
15 #include "hw/usb/desc.h"
16 #include "hw/scsi/scsi.h"
17 #include "ui/console.h"
18 #include "monitor/monitor.h"
19 #include "sysemu/sysemu.h"
20 #include "sysemu/block-backend.h"
21 #include "sysemu/blockdev.h"
22 #include "qapi/visitor.h"
23 
24 //#define DEBUG_MSD
25 
/*
 * Debug tracing for the mass-storage emulation.
 *
 * With DEBUG_MSD defined, DPRINTF() prints to stdout with a "usb-msd: "
 * prefix.  Otherwise it expands to an empty statement, so its arguments
 * are neither evaluated nor type-checked against the format string.
 */
#ifndef DEBUG_MSD
#define DPRINTF(fmt, ...) do {} while(0)
#else
#define DPRINTF(fmt, ...) \
    do { printf("usb-msd: " fmt , ## __VA_ARGS__); } while (0)
#endif
32 
/* Class-specific control requests of the Bulk-Only Transport (bRequest). */
#define MassStorageReset  0xff  /* Bulk-Only Mass Storage Reset */
#define GetMaxLun         0xfe  /* Get Max LUN */
36 
/*
 * Phase of the Bulk-Only Transport exchange the device is in.  The value is
 * part of the migrated state (saved as a 32-bit field), so the numeric
 * order of the enumerators must not change.
 */
enum USBMSDMode {
    USB_MSDM_CBW,      /* Waiting for a Command Block Wrapper.  */
    USB_MSDM_DATAOUT,  /* Data stage: host transfers data to the device.  */
    USB_MSDM_DATAIN,   /* Data stage: device transfers data to the host.  */
    USB_MSDM_CSW       /* Command Status Wrapper is due.  */
};
43 
/*
 * Command Status Wrapper returned to the host after each command.
 * The 32-bit members are kept in little-endian byte order (they are filled
 * with cpu_to_le32() and read back with le32_to_cpu()).
 *
 * NOTE(review): the struct is not packed, so sizeof() may be larger than
 * the sum of its members; code that copies sizeof(struct usb_msd_csw)
 * bytes to the guest also copies any trailing padding.
 */
struct usb_msd_csw {
    uint32_t sig;      /* CSW signature */
    uint32_t tag;      /* tag of the command this status belongs to */
    uint32_t residue;  /* part of the announced transfer not moved */
    uint8_t status;    /* 0 on success, non-zero on failure */
};
50 
/*
 * Per-device state of the emulated mass-storage device.
 * 'dev' must stay the first member: the code casts USBDevice pointers to
 * MSDState pointers and uses DO_UPCAST() through dev.qdev.
 */
typedef struct {
    USBDevice dev;
    enum USBMSDMode mode;       /* current Bulk-Only Transport phase */
    uint32_t scsi_off;          /* offset already consumed in the SCSI buffer */
    uint32_t scsi_len;          /* bytes still available in the SCSI buffer */
    uint32_t data_len;          /* bytes left of the length announced in the CBW */
    struct usb_msd_csw csw;     /* status of the last completed command */
    SCSIRequest *req;           /* request in flight, NULL when idle */
    SCSIBus bus;
    /* For async completion.  */
    USBPacket *packet;          /* deferred packet, NULL when none */
    /* usb-storage only */
    BlockConf conf;
    uint32_t removable;
    SCSIDevice *scsi_dev;
} MSDState;
67 
/* QOM name of the abstract base type shared by the storage device types. */
#define TYPE_USB_STORAGE "usb-storage-dev"
/* Checked cast from an object pointer to MSDState. */
#define USB_STORAGE_DEV(obj) \
    OBJECT_CHECK(MSDState, (obj), TYPE_USB_STORAGE)
70 
/*
 * Command Block Wrapper as sent by the host (31 bytes on the wire).
 * It is filled directly from guest-supplied packet data, so every member
 * is untrusted; the 32-bit members arrive in little-endian byte order.
 * The members are naturally aligned, so no packing attribute is used and
 * cmd[] starts at offset 15.
 */
struct usb_msd_cbw {
    uint32_t sig;       /* CBW signature */
    uint32_t tag;       /* host-chosen tag, echoed in the CSW */
    uint32_t data_len;  /* length of the data stage announced by the host */
    uint8_t flags;      /* bit 7 set: data stage is device-to-host */
    uint8_t lun;        /* logical unit the command is for */
    uint8_t cmd_len;    /* length the host claims for cmd[] */
    uint8_t cmd[16];    /* SCSI command block */
};
80 
/* Indices of the string descriptors; index 0 is not used by this table. */
enum {
    STR_MANUFACTURER = 1,
    STR_PRODUCT      = 2,
    STR_SERIALNUMBER = 3,
    STR_CONFIG_FULL  = 4,
    STR_CONFIG_HIGH  = 5,
    STR_CONFIG_SUPER = 6,
};
89 
/* String descriptor table, indexed by the STR_* constants. */
static const USBDescStrings desc_strings = {
    [STR_MANUFACTURER] = "QEMU",
    [STR_PRODUCT]      = "QEMU USB HARDDRIVE",
    [STR_SERIALNUMBER] = "1",
    [STR_CONFIG_FULL]  = "Full speed config (usb 1.1)",
    [STR_CONFIG_HIGH]  = "High speed config (usb 2.0)",
    [STR_CONFIG_SUPER] = "Super speed config (usb 3.0)",
};
98 
/*
 * Full-speed interface: one mass-storage interface with a bulk IN endpoint
 * (number 1) and a bulk OUT endpoint (number 2), 64-byte packets.
 */
static const USBDescIface desc_iface_full = {
    .bInterfaceNumber              = 0,
    .bNumEndpoints                 = 2,
    .bInterfaceClass               = USB_CLASS_MASS_STORAGE,
    .bInterfaceSubClass            = 0x06, /* SCSI */
    .bInterfaceProtocol            = 0x50, /* Bulk */
    .eps = (USBDescEndpoint[]) {
        {   /* bulk IN, endpoint 1 */
            .bEndpointAddress      = USB_DIR_IN | 0x01,
            .bmAttributes          = USB_ENDPOINT_XFER_BULK,
            .wMaxPacketSize        = 64,
        },
        {   /* bulk OUT, endpoint 2 */
            .bEndpointAddress      = USB_DIR_OUT | 0x02,
            .bmAttributes          = USB_ENDPOINT_XFER_BULK,
            .wMaxPacketSize        = 64,
        },
    }
};
117 
/* Full-speed device descriptor: a single self-powered configuration. */
static const USBDescDevice desc_device_full = {
    .bcdUSB                        = 0x0200,
    .bMaxPacketSize0               = 8,
    .bNumConfigurations            = 1,
    .confs = (USBDescConfig[]) {
        {
            .bNumInterfaces        = 1,
            .bConfigurationValue   = 1,
            .iConfiguration        = STR_CONFIG_FULL,
            .bmAttributes          = USB_CFG_ATT_ONE | USB_CFG_ATT_SELFPOWER,
            .nif                   = 1,
            .ifs                   = &desc_iface_full,
        },
    },
};
133 
/*
 * High-speed interface: same layout as the full-speed one, but the bulk
 * endpoints use 512-byte packets.
 */
static const USBDescIface desc_iface_high = {
    .bInterfaceNumber              = 0,
    .bNumEndpoints                 = 2,
    .bInterfaceClass               = USB_CLASS_MASS_STORAGE,
    .bInterfaceSubClass            = 0x06, /* SCSI */
    .bInterfaceProtocol            = 0x50, /* Bulk */
    .eps = (USBDescEndpoint[]) {
        {   /* bulk IN, endpoint 1 */
            .bEndpointAddress      = USB_DIR_IN | 0x01,
            .bmAttributes          = USB_ENDPOINT_XFER_BULK,
            .wMaxPacketSize        = 512,
        },
        {   /* bulk OUT, endpoint 2 */
            .bEndpointAddress      = USB_DIR_OUT | 0x02,
            .bmAttributes          = USB_ENDPOINT_XFER_BULK,
            .wMaxPacketSize        = 512,
        },
    }
};
152 
/* High-speed device descriptor: a single self-powered configuration. */
static const USBDescDevice desc_device_high = {
    .bcdUSB                        = 0x0200,
    .bMaxPacketSize0               = 64,
    .bNumConfigurations            = 1,
    .confs = (USBDescConfig[]) {
        {
            .bNumInterfaces        = 1,
            .bConfigurationValue   = 1,
            .iConfiguration        = STR_CONFIG_HIGH,
            .bmAttributes          = USB_CFG_ATT_ONE | USB_CFG_ATT_SELFPOWER,
            .nif                   = 1,
            .ifs                   = &desc_iface_high,
        },
    },
};
168 
/*
 * Super-speed interface: same layout as the other speeds, with 1024-byte
 * bulk packets and a maximum burst value of 15 on both endpoints.
 */
static const USBDescIface desc_iface_super = {
    .bInterfaceNumber              = 0,
    .bNumEndpoints                 = 2,
    .bInterfaceClass               = USB_CLASS_MASS_STORAGE,
    .bInterfaceSubClass            = 0x06, /* SCSI */
    .bInterfaceProtocol            = 0x50, /* Bulk */
    .eps = (USBDescEndpoint[]) {
        {   /* bulk IN, endpoint 1 */
            .bEndpointAddress      = USB_DIR_IN | 0x01,
            .bmAttributes          = USB_ENDPOINT_XFER_BULK,
            .wMaxPacketSize        = 1024,
            .bMaxBurst             = 15,
        },
        {   /* bulk OUT, endpoint 2 */
            .bEndpointAddress      = USB_DIR_OUT | 0x02,
            .bmAttributes          = USB_ENDPOINT_XFER_BULK,
            .wMaxPacketSize        = 1024,
            .bMaxBurst             = 15,
        },
    }
};
189 
/*
 * Super-speed device descriptor: a single self-powered configuration.
 * For USB 3.0 bMaxPacketSize0 is an exponent, so 9 stands for 512 bytes.
 */
static const USBDescDevice desc_device_super = {
    .bcdUSB                        = 0x0300,
    .bMaxPacketSize0               = 9,
    .bNumConfigurations            = 1,
    .confs = (USBDescConfig[]) {
        {
            .bNumInterfaces        = 1,
            .bConfigurationValue   = 1,
            .iConfiguration        = STR_CONFIG_SUPER,
            .bmAttributes          = USB_CFG_ATT_ONE | USB_CFG_ATT_SELFPOWER,
            .nif                   = 1,
            .ifs                   = &desc_iface_super,
        },
    },
};
205 
/*
 * Top-level descriptor set: device identification, the per-speed device
 * descriptors and the string table.
 */
static const USBDesc desc = {
    .id = {
        .idVendor          = 0x46f4, /* CRC16() of "QEMU" */
        .idProduct         = 0x0001,
        .bcdDevice         = 0,
        .iManufacturer     = STR_MANUFACTURER,
        .iProduct          = STR_PRODUCT,
        .iSerialNumber     = STR_SERIALNUMBER,
    },
    .str   = desc_strings,
    .full  = &desc_device_full,
    .high  = &desc_device_high,
    .super = &desc_device_super,
};
220 
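/*
 * Move data between the current USB packet and the buffer of the SCSI
 * request in flight.
 *
 * The amount copied is the smaller of the room left in @p and the bytes
 * still available in the SCSI buffer (s->scsi_len).  The SCSI offset and
 * length are advanced by that amount.  The length announced in the CBW
 * (s->data_len) is reduced by at most its own value: the SCSI layer may
 * offer more data than the host announced, and an unclamped subtraction
 * would wrap the unsigned counter and leave the device expecting a huge
 * data stage.  The request is continued once either counter reaches zero.
 *
 * NOTE(review): s->req is handed to scsi_req_get_buf() without a NULL
 * check; callers only get here with s->scsi_len != 0 — confirm that this
 * always implies a live request, including for migrated state.
 */
static void usb_msd_copy_data(MSDState *s, USBPacket *p)
{
    uint32_t len;

    len = p->iov.size - p->actual_length;
    if (len > s->scsi_len) {
        len = s->scsi_len;
    }
    usb_packet_copy(p, scsi_req_get_buf(s->req) + s->scsi_off, len);
    s->scsi_len -= len;
    s->scsi_off += len;

    /* Never subtract more than what is left of the announced length. */
    if (len > s->data_len) {
        len = s->data_len;
    }
    s->data_len -= len;

    if (s->scsi_len == 0 || s->data_len == 0) {
        scsi_req_continue(s->req);
    }
}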
235 
/*
 * Hand the stored Command Status Wrapper to the host and clear it.
 *
 * At most sizeof(s->csw) bytes, limited to the size of @p, are copied.  The
 * stored CSW is zeroed afterwards, which also resets the residue to zero
 * for the next command.  The signature must already have been filled in.
 *
 * NOTE(review): struct usb_msd_csw is not packed, so sizeof(s->csw) may
 * exceed the 13 bytes the IN handlers require and trailing padding may be
 * copied to the guest — confirm this is intended.
 * NOTE(review): the assert aborts the process if CSW mode is reached
 * without a completed command (cancelled request, inconsistent migrated
 * state) — verify that no guest-driven sequence can get here that way.
 */
static void usb_msd_send_status(MSDState *s, USBPacket *p)
{
    int len = MIN(sizeof(s->csw), p->iov.size);

    DPRINTF("Command status %d tag 0x%x, len %zd\n",
            s->csw.status, le32_to_cpu(s->csw.tag), p->iov.size);

    assert(s->csw.sig == cpu_to_le32(0x53425355));
    usb_packet_copy(p, &s->csw, len);
    memset(&s->csw, 0, sizeof(s->csw));
}
248 
/*
 * Complete the deferred packet.
 *
 * s->packet is cleared before usb_packet_complete() is called because a
 * new request may be issued before that call returns; the packet pointer
 * is therefore taken into a local first.
 */
static void usb_msd_packet_complete(MSDState *s)
{
    USBPacket *deferred = s->packet;

    DPRINTF("Packet complete %p\n", deferred);
    s->packet = NULL;
    usb_packet_complete(&s->dev, deferred);
}
260 
/*
 * SCSI bus callback: @len bytes of the request buffer are ready to be
 * transferred.
 *
 * Records the new buffer window and, if a USB packet is waiting, moves
 * data right away.  The packet is completed once it is entirely filled or
 * drained.  The assert checks that the direction of the SCSI command
 * matches the direction of the USB data stage.
 *
 * NOTE(review): the direction in the CBW comes from the guest while the
 * SCSI direction is derived from the command — confirm a mismatch cannot
 * be produced by the guest, as the assert would abort the process.
 */
static void usb_msd_transfer_data(SCSIRequest *req, uint32_t len)
{
    MSDState *s = DO_UPCAST(MSDState, dev.qdev, req->bus->qbus.parent);
    USBPacket *p = s->packet;

    assert((s->mode == USB_MSDM_DATAOUT) == (req->cmd.mode == SCSI_XFER_TO_DEV));
    s->scsi_off = 0;
    s->scsi_len = len;

    if (!p) {
        return;
    }

    usb_msd_copy_data(s, p);

    /* Read s->packet again: it may have changed during the copy. */
    p = s->packet;
    if (!p || p->actual_length != p->iov.size) {
        return;
    }
    p->status = USB_RET_SUCCESS; /* Clear previous ASYNC status */
    usb_msd_packet_complete(s);
}
278 
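/*
 * SCSI bus callback: the request has finished with @status.
 *
 * Builds the Command Status Wrapper (signature, tag, residue = bytes of the
 * announced data stage that were not transferred, status 0/1).  If a USB
 * packet is deferred it is either answered with the CSW, or the part of it
 * that can no longer be served is skipped; the packet is then completed.
 * Finally the reference to the request is dropped.
 *
 * When skipping, the room left in the packet may be larger than what is
 * left of the announced length, so the amount subtracted from s->data_len
 * is clamped; an unclamped subtraction would wrap the unsigned counter.
 *
 * @resid is not used by this implementation.
 */
static void usb_msd_command_complete(SCSIRequest *req, uint32_t status, size_t resid)
{
    MSDState *s = DO_UPCAST(MSDState, dev.qdev, req->bus->qbus.parent);
    USBPacket *p = s->packet;

    DPRINTF("Command complete %d tag 0x%x\n", status, req->tag);

    s->csw.sig = cpu_to_le32(0x53425355);
    s->csw.tag = cpu_to_le32(req->tag);
    s->csw.residue = cpu_to_le32(s->data_len);
    s->csw.status = status != 0;

    if (s->packet) {
        if (s->data_len == 0 && s->mode == USB_MSDM_DATAOUT) {
            /* A deferred packet with no write data remaining must be
               the status read packet.  */
            usb_msd_send_status(s, p);
            s->mode = USB_MSDM_CBW;
        } else if (s->mode == USB_MSDM_CSW) {
            usb_msd_send_status(s, p);
            s->mode = USB_MSDM_CBW;
        } else {
            if (s->data_len) {
                uint32_t len = p->iov.size - p->actual_length;

                usb_packet_skip(p, len);
                /* Do not let the announced length wrap below zero. */
                if (len > s->data_len) {
                    len = s->data_len;
                }
                s->data_len -= len;
            }
            if (s->data_len == 0) {
                s->mode = USB_MSDM_CSW;
            }
        }
        p->status = USB_RET_SUCCESS; /* Clear previous ASYNC status */
        usb_msd_packet_complete(s);
    } else if (s->data_len == 0) {
        s->mode = USB_MSDM_CSW;
    }
    scsi_req_unref(req);
    s->req = NULL;
}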
318 
/*
 * SCSI bus callback: @req has been cancelled.
 *
 * If it is the request this device is tracking, drop the reference, forget
 * it and mark the SCSI buffer as empty.  Requests the device is not
 * tracking are ignored.  No CSW is prepared and the mode is left as is.
 */
static void usb_msd_request_cancelled(SCSIRequest *req)
{
    MSDState *s = DO_UPCAST(MSDState, dev.qdev, req->bus->qbus.parent);

    if (s->req != req) {
        return;
    }
    scsi_req_unref(s->req);
    s->req = NULL;
    s->scsi_len = 0;
}
329 
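/*
 * USB reset handler: return the device to the idle state.
 *
 * Cancels the SCSI request in flight (the cancel callback is expected to
 * clear s->req, which the assert checks), stalls and completes a deferred
 * packet, clears the stored Command Status Wrapper and goes back to
 * waiting for a CBW.
 *
 * The CSW has to be cleared here: a command that finished with a non-zero
 * residue leaves that residue stored until the status is sent.  If the
 * device is reset before that happens, the next CBW would otherwise hit
 * the "residue == 0" assertion in the CBW handler and abort the process.
 */
static void usb_msd_handle_reset(USBDevice *dev)
{
    MSDState *s = (MSDState *)dev;

    DPRINTF("Reset\n");
    if (s->req) {
        scsi_req_cancel(s->req);
    }
    assert(s->req == NULL);

    if (s->packet) {
        s->packet->status = USB_RET_STALL;
        usb_msd_packet_complete(s);
    }

    /* Drop any status left over from the interrupted command. */
    memset(&s->csw, 0, sizeof(s->csw));
    s->mode = USB_MSDM_CBW;
}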
347 
/*
 * Handle a control transfer.
 *
 * Standard descriptor requests are tried first through
 * usb_desc_handle_control(); a non-negative result means the request was
 * dealt with.  Otherwise:
 *   - CLEAR_FEATURE on an endpoint is accepted and ignored;
 *   - Mass Storage Reset puts the device back into CBW mode;
 *   - Get Max LUN reports the highest LUN of the run of consecutive LUNs
 *     starting at 1 that are present on the bus (0 if there is none);
 *   - anything else stalls.
 *
 * NOTE(review): Mass Storage Reset only changes the mode; a request in
 * flight, a deferred packet and the stored CSW are left untouched —
 * compare with usb_msd_handle_reset() and confirm this is sufficient.
 * NOTE(review): Get Max LUN writes data[0] and sets actual_length to 1
 * without looking at @length — confirm the control buffer always has room
 * and that a zero-length request is acceptable.
 */
static void usb_msd_handle_control(USBDevice *dev, USBPacket *p,
               int request, int value, int index, int length, uint8_t *data)
{
    MSDState *s = (MSDState *)dev;
    SCSIDevice *scsi_dev;
    int ret, maxlun;

    ret = usb_desc_handle_control(dev, p, request, value, index, length, data);
    if (ret >= 0) {
        return;
    }

    switch (request) {
    case EndpointOutRequest | USB_REQ_CLEAR_FEATURE:
        break;

    /* Class specific requests.  */
    case ClassInterfaceOutRequest | MassStorageReset:
        /* Reset state ready for the next CBW.  */
        s->mode = USB_MSDM_CBW;
        break;

    case ClassInterfaceRequest | GetMaxLun:
        /* Stop at the first LUN that is missing or answered by another one. */
        for (maxlun = 0; ; maxlun++) {
            scsi_dev = scsi_device_find(&s->bus, 0, 0, maxlun + 1);
            if (scsi_dev == NULL || scsi_dev->lun != maxlun + 1) {
                break;
            }
        }
        DPRINTF("MaxLun %d\n", maxlun);
        data[0] = maxlun;
        p->actual_length = 1;
        break;

    default:
        p->status = USB_RET_STALL;
        break;
    }
}
389 
/*
 * Cancel the deferred packet @p.
 *
 * @p must be the packet the device is holding (asserted).  The packet is
 * forgotten first, then the SCSI request in flight, if any, is cancelled.
 * The mode is not changed here.
 */
static void usb_msd_cancel_io(USBDevice *dev, USBPacket *p)
{
    MSDState *s = USB_STORAGE_DEV(dev);

    assert(s->packet == p);
    s->packet = NULL;

    if (s->req != NULL) {
        scsi_req_cancel(s->req);
    }
}
401 
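/*
 * Skip the part of packet @p that can no longer be served with SCSI data.
 *
 * Only acts when the stored CSW carries a non-zero residue, i.e. the
 * command has already completed with part of the announced transfer
 * outstanding.  The room left in the packet may exceed what is left of the
 * announced length, so the amount subtracted from s->data_len is clamped to
 * keep the unsigned counter from wrapping.
 */
static void usb_msd_skip_residue(MSDState *s, USBPacket *p)
{
    uint32_t len;

    if (!le32_to_cpu(s->csw.residue)) {
        return;
    }
    len = p->iov.size - p->actual_length;
    if (len == 0) {
        return;
    }
    usb_packet_skip(p, len);
    if (len > s->data_len) {
        len = s->data_len;
    }
    s->data_len -= len;
    if (s->data_len == 0) {
        s->mode = USB_MSDM_CSW;
    }
}

/*
 * Handle a bulk transfer according to the current transport phase.
 *
 * OUT packets are accepted on endpoint 2 only: a 31-byte CBW while waiting
 * for a command, or write data during the data-out stage.  IN packets are
 * accepted on endpoint 1 only: read data during the data-in stage, or the
 * CSW (at least 13 bytes of room required).  Packets that cannot be
 * finished yet are stored in s->packet and marked USB_RET_ASYNC.  Anything
 * unexpected stalls the endpoint.
 *
 * Everything in the CBW is supplied by the guest.  What is checked here is
 * the packet size, the signature and that the LUN exists.
 *
 * NOTE(review): cbw.cmd_len is logged but not validated; scsi_req_new() is
 * given the 16-byte cmd[] without a length — confirm the SCSI layer cannot
 * parse past the end of that array for any opcode.
 * NOTE(review): the residue assertion relies on every path back to CBW mode
 * having cleared s->csw; a stale CSW aborts the process — verify all reset
 * paths.
 * NOTE(review): s->req is overwritten without checking for a request that
 * is still in flight — confirm CBW mode implies s->req == NULL.
 */
static void usb_msd_handle_data(USBDevice *dev, USBPacket *p)
{
    MSDState *s = (MSDState *)dev;
    uint32_t tag;
    struct usb_msd_cbw cbw;
    uint8_t devep = p->ep->nr;
    SCSIDevice *scsi_dev;
    uint32_t len;

    switch (p->pid) {
    case USB_TOKEN_OUT:
        if (devep != 2) {
            goto fail;
        }

        switch (s->mode) {
        case USB_MSDM_CBW:
            if (p->iov.size != 31) {
                error_report("usb-msd: Bad CBW size");
                goto fail;
            }
            usb_packet_copy(p, &cbw, 31);
            if (le32_to_cpu(cbw.sig) != 0x43425355) {
                error_report("usb-msd: Bad signature %08x",
                             le32_to_cpu(cbw.sig));
                goto fail;
            }
            DPRINTF("Command on LUN %d\n", cbw.lun);
            scsi_dev = scsi_device_find(&s->bus, 0, 0, cbw.lun);
            if (scsi_dev == NULL) {
                error_report("usb-msd: Bad LUN %d", cbw.lun);
                goto fail;
            }
            tag = le32_to_cpu(cbw.tag);
            s->data_len = le32_to_cpu(cbw.data_len);
            /* Direction bit is only meaningful when there is a data stage. */
            if (s->data_len == 0) {
                s->mode = USB_MSDM_CSW;
            } else if (cbw.flags & 0x80) {
                s->mode = USB_MSDM_DATAIN;
            } else {
                s->mode = USB_MSDM_DATAOUT;
            }
            DPRINTF("Command tag 0x%x flags %08x len %d data %d\n",
                    tag, cbw.flags, cbw.cmd_len, s->data_len);
            assert(le32_to_cpu(s->csw.residue) == 0);
            s->scsi_len = 0;
            s->req = scsi_req_new(scsi_dev, tag, cbw.lun, cbw.cmd, NULL);
#ifdef DEBUG_MSD
            scsi_req_print(s->req);
#endif
            len = scsi_req_enqueue(s->req);
            if (len) {
                scsi_req_continue(s->req);
            }
            break;

        case USB_MSDM_DATAOUT:
            DPRINTF("Data out %zd/%d\n", p->iov.size, s->data_len);
            /* The host must not send more than it announced in the CBW. */
            if (p->iov.size > s->data_len) {
                goto fail;
            }

            if (s->scsi_len) {
                usb_msd_copy_data(s, p);
            }
            usb_msd_skip_residue(s, p);
            if (p->actual_length < p->iov.size) {
                DPRINTF("Deferring packet %p [wait data-out]\n", p);
                s->packet = p;
                p->status = USB_RET_ASYNC;
            }
            break;

        default:
            DPRINTF("Unexpected write (len %zd)\n", p->iov.size);
            goto fail;
        }
        break;

    case USB_TOKEN_IN:
        if (devep != 1) {
            goto fail;
        }

        switch (s->mode) {
        case USB_MSDM_DATAOUT:
            if (s->data_len != 0 || p->iov.size < 13) {
                goto fail;
            }
            /* Waiting for SCSI write to complete.  */
            s->packet = p;
            p->status = USB_RET_ASYNC;
            break;

        case USB_MSDM_CSW:
            if (p->iov.size < 13) {
                goto fail;
            }

            if (s->req) {
                /* still in flight */
                DPRINTF("Deferring packet %p [wait status]\n", p);
                s->packet = p;
                p->status = USB_RET_ASYNC;
            } else {
                usb_msd_send_status(s, p);
                s->mode = USB_MSDM_CBW;
            }
            break;

        case USB_MSDM_DATAIN:
            DPRINTF("Data in %zd/%d, scsi_len %d\n",
                    p->iov.size, s->data_len, s->scsi_len);
            if (s->scsi_len) {
                usb_msd_copy_data(s, p);
            }
            /* Unlike data-out, the packet size is not bounded by data_len. */
            usb_msd_skip_residue(s, p);
            if (p->actual_length < p->iov.size) {
                DPRINTF("Deferring packet %p [wait data-in]\n", p);
                s->packet = p;
                p->status = USB_RET_ASYNC;
            }
            break;

        default:
            DPRINTF("Unexpected read (len %zd)\n", p->iov.size);
            goto fail;
        }
        break;

    default:
        DPRINTF("Bad token\n");
    fail:
        p->status = USB_RET_STALL;
        break;
    }
}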
555 
/*
 * Completion callback of the monitor's key prompt for the backing image.
 *
 * On success (@err == 0) the device is attached to the bus.  If attaching
 * fails, the error is reported and the device is unplugged.  When the
 * prompt itself failed nothing is done.
 */
static void usb_msd_password_cb(void *opaque, int err)
{
    MSDState *s = opaque;
    Error *local_err = NULL;

    if (err) {
        return;
    }

    usb_device_attach(&s->dev, &local_err);
    if (local_err) {
        error_report_err(local_err);
        qdev_unplug(&s->dev.qdev, NULL);
    }
}
570 
/*
 * SCSI bus callback used while restoring migrated state: remember @req as
 * the request in flight.
 *
 * Nothing is read from @f.  The device must not already track a request
 * (asserted); a reference is taken on @req before it is stored.
 * Always returns NULL.
 */
static void *usb_msd_load_request(QEMUFile *f, SCSIRequest *req)
{
    MSDState *s = DO_UPCAST(MSDState, dev.qdev, req->bus->qbus.parent);

    /* nothing to load, just store req in our state struct */
    assert(s->req == NULL);
    s->req = req;
    scsi_req_ref(req);
    return NULL;
}
581 
/*
 * SCSI bus parameters for "usb-storage": a single target with a single LUN
 * and no tagged command queueing.
 */
static const struct SCSIBusInfo usb_msd_scsi_info_storage = {
    .tcq           = false,
    .max_target    = 0,
    .max_lun       = 0,

    .transfer_data = usb_msd_transfer_data,
    .complete      = usb_msd_command_complete,
    .cancel        = usb_msd_request_cancelled,
    .load_request  = usb_msd_load_request,
};
592 
/*
 * SCSI bus parameters for "usb-bot": a single target with LUNs 0 to 15 and
 * no tagged command queueing.  The callbacks are the same as for
 * "usb-storage".
 */
static const struct SCSIBusInfo usb_msd_scsi_info_bot = {
    .tcq           = false,
    .max_target    = 0,
    .max_lun       = 15,

    .transfer_data = usb_msd_transfer_data,
    .complete      = usb_msd_command_complete,
    .cancel        = usb_msd_request_cancelled,
    .load_request  = usb_msd_load_request,
};
603 
/*
 * Realize a "usb-storage" device.
 *
 * Requires the drive property to be set.  If the image needs a key that is
 * not available, the error is returned under QMP; otherwise the key is
 * requested through the current monitor (attachment is then postponed to
 * usb_msd_password_cb()), or, without a monitor, autostart is disabled.
 * Afterwards the block backend is detached from this device, the SCSI bus
 * is created and a SCSI disk for the backend is added to it.
 */
static void usb_msd_realize_storage(USBDevice *dev, Error **errp)
{
    MSDState *s = USB_STORAGE_DEV(dev);
    BlockBackend *blk = s->conf.blk;
    SCSIDevice *scsi_dev;
    Error *err = NULL;

    if (blk == NULL) {
        error_setg(errp, "drive property not set");
        return;
    }

    bdrv_add_key(blk_bs(blk), NULL, &err);
    if (err) {
        if (monitor_cur_is_qmp()) {
            error_propagate(errp, err);
            return;
        }
        error_free(err);
        err = NULL;
        if (!cur_mon) {
            autostart = 0;
        } else {
            monitor_read_bdrv_key_start(cur_mon, blk_bs(blk),
                                        usb_msd_password_cb, s);
            /* Attach only once the key prompt has succeeded. */
            s->dev.auto_attach = 0;
        }
    }

    blkconf_serial(&s->conf, &dev->serial);
    blkconf_blocksizes(&s->conf);

    /*
     * Hack alert: this pretends to be a block device, but it's really
     * a SCSI bus that can serve only a single device, which it
     * creates automatically.  But first it needs to detach from its
     * blockdev, or else scsi_bus_legacy_add_drive() dies when it
     * attaches again.
     *
     * The hack is probably a bad idea.
     */
    blk_detach_dev(blk, &s->dev.qdev);
    s->conf.blk = NULL;

    usb_desc_create_serial(dev);
    usb_desc_init(dev);
    scsi_bus_new(&s->bus, sizeof(s->bus), DEVICE(dev),
                 &usb_msd_scsi_info_storage, NULL);
    scsi_dev = scsi_bus_legacy_add_drive(&s->bus, blk, 0, !!s->removable,
                                         s->conf.bootindex, dev->serial,
                                         &err);
    if (scsi_dev == NULL) {
        error_propagate(errp, err);
        return;
    }
    usb_msd_handle_reset(dev);
    s->scsi_dev = scsi_dev;
}
662 
/*
 * Realize a "usb-bot" device: set up the descriptors and an empty SCSI bus
 * (no disk is created here), then put the device into its reset state.
 * @errp is not used.
 */
static void usb_msd_realize_bot(USBDevice *dev, Error **errp)
{
    MSDState *s = USB_STORAGE_DEV(dev);

    usb_desc_create_serial(dev);
    usb_desc_init(dev);

    scsi_bus_new(&s->bus, sizeof(s->bus), DEVICE(dev),
                 &usb_msd_scsi_info_bot, NULL);

    usb_msd_handle_reset(dev);
}
673 
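/*
 * Create a "usb-storage" device from the legacy "-usbdevice disk:" syntax.
 *
 * @filename is either "<file>", ":<file>" or "format=<fmt>:<file>".  A new
 * "drive" option group with a generated id ("usb<N>") is filled from it, a
 * host drive is created and attached to a new guest device on @bus.
 *
 * Returns the new device, or NULL after reporting an error.  The option
 * group is released on every failure that happens before drive_new()
 * succeeds; previously the two parse errors returned without doing so and
 * leaked it.
 *
 * NOTE(review): if setting the "drive" property fails, the drive created by
 * drive_new() is not removed here — confirm who owns it in that case.
 */
static USBDevice *usb_msd_init(USBBus *bus, const char *filename)
{
    static int nr=0;
    Error *err = NULL;
    char id[8];
    QemuOpts *opts;
    DriveInfo *dinfo;
    USBDevice *dev;
    const char *p1;
    char fmt[32];

    /* parse -usbdevice disk: syntax into drive opts */
    do {
        /* Retry with the next number while the id is already taken. */
        snprintf(id, sizeof(id), "usb%d", nr++);
        opts = qemu_opts_create(qemu_find_opts("drive"), id, 1, NULL);
    } while (!opts);

    p1 = strchr(filename, ':');
    if (p1) {
        const char *p2;

        p1++;   /* first character after the colon */
        if (strstart(filename, "format=", &p2)) {
            /* p1 - p2 is the format name plus room for the terminator;
               pstrcpy() copies at most len - 1 characters. */
            int len = MIN(p1 - p2, sizeof(fmt));
            pstrcpy(fmt, len, p2);
            qemu_opt_set(opts, "format", fmt, &error_abort);
        } else if (*filename != ':') {
            error_report("unrecognized USB mass-storage option %s", filename);
            goto fail;
        }
        filename = p1;
    }
    if (!*filename) {
        error_report("block device specification needed");
        goto fail;
    }
    qemu_opt_set(opts, "file", filename, &error_abort);
    qemu_opt_set(opts, "if", "none", &error_abort);

    /* create host drive */
    dinfo = drive_new(opts, 0);
    if (!dinfo) {
        goto fail;
    }

    /* create guest device */
    dev = usb_create(bus, "usb-storage");
    qdev_prop_set_drive(&dev->qdev, "drive", blk_by_legacy_dinfo(dinfo),
                        &err);
    if (err) {
        error_report_err(err);
        object_unparent(OBJECT(dev));
        return NULL;
    }
    return dev;

fail:
    qemu_opts_del(opts);
    return NULL;
}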
730 
/*
 * Migration description: the USB device state, the transport phase, the
 * transfer counters and the stored CSW.  Pointers (request, deferred
 * packet) are not part of it.
 *
 * NOTE(review): the fields are taken from the migration stream as they
 * are; nothing here checks that 'mode' is a valid USBMSDMode or that
 * scsi_off/scsi_len fit the request buffer.  Consider validating them in
 * a post_load hook if the stream is not fully trusted.
 */
static const VMStateDescription vmstate_usb_msd = {
    .name               = "usb-storage",
    .version_id         = 1,
    .minimum_version_id = 1,
    .fields = (VMStateField[]) {
        VMSTATE_USB_DEVICE(dev, MSDState),
        VMSTATE_UINT32(mode, MSDState),
        VMSTATE_UINT32(scsi_len, MSDState),
        VMSTATE_UINT32(scsi_off, MSDState),
        VMSTATE_UINT32(data_len, MSDState),
        VMSTATE_UINT32(csw.sig, MSDState),
        VMSTATE_UINT32(csw.tag, MSDState),
        VMSTATE_UINT32(csw.residue, MSDState),
        VMSTATE_UINT8(csw.status, MSDState),
        VMSTATE_END_OF_LIST()
    }
};
748 
/*
 * Properties of "usb-storage": the common block-device properties plus the
 * "removable" flag (bit 0 of MSDState.removable, off by default).
 */
static Property msd_properties[] = {
    DEFINE_BLOCK_PROPERTIES(MSDState, conf),
    DEFINE_PROP_BIT("removable", MSDState, removable, 0, false),
    DEFINE_PROP_END_OF_LIST(),
};
754 
/*
 * Class initialiser of the abstract base type: installs the descriptors,
 * the USB callbacks and the migration description shared by "usb-storage"
 * and "usb-bot".  @data is not used.
 */
static void usb_msd_class_initfn_common(ObjectClass *klass, void *data)
{
    USBDeviceClass *uc = USB_DEVICE_CLASS(klass);
    DeviceClass *dc = DEVICE_CLASS(klass);

    /* USB side */
    uc->product_desc   = "QEMU USB MSD";
    uc->usb_desc       = &desc;
    uc->handle_attach  = usb_desc_attach;
    uc->handle_reset   = usb_msd_handle_reset;
    uc->handle_control = usb_msd_handle_control;
    uc->handle_data    = usb_msd_handle_data;
    uc->cancel_packet  = usb_msd_cancel_io;

    /* generic device side */
    set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
    dc->fw_name = "storage";
    dc->vmsd    = &vmstate_usb_msd;
}
771 
/*
 * Class initialiser of "usb-storage": selects its realize function and its
 * property list.  @data is not used.
 */
static void usb_msd_class_initfn_storage(ObjectClass *klass, void *data)
{
    USBDeviceClass *uc = USB_DEVICE_CLASS(klass);
    DeviceClass *dc = DEVICE_CLASS(klass);

    dc->props   = msd_properties;
    uc->realize = usb_msd_realize_storage;
}
780 
/*
 * Getter of the "bootindex" property: passes the stored boot index to the
 * visitor.  @opaque is not used.
 */
static void usb_msd_get_bootindex(Object *obj, Visitor *v, void *opaque,
                                  const char *name, Error **errp)
{
    MSDState *s = USB_STORAGE_DEV(USB_DEVICE(obj));

    visit_type_int32(v, &s->conf.bootindex, name, errp);
}
789 
/*
 * Setter of the "bootindex" property.
 *
 * Reads the new value from the visitor and has it checked by
 * check_boot_index().  If either step fails the error is handed to @errp
 * and nothing is changed.  Otherwise the value is stored and, when the
 * SCSI disk already exists, forwarded to its "bootindex" property.
 * @opaque is not used.
 */
static void usb_msd_set_bootindex(Object *obj, Visitor *v, void *opaque,
                                  const char *name, Error **errp)
{
    USBDevice *dev = USB_DEVICE(obj);
    MSDState *s = USB_STORAGE_DEV(dev);
    int32_t boot_index;
    Error *local_err = NULL;

    visit_type_int32(v, &boot_index, name, &local_err);
    if (!local_err) {
        /* check whether bootindex is present in fw_boot_order list  */
        check_boot_index(boot_index, &local_err);
    }
    if (local_err) {
        error_propagate(errp, local_err);
        return;
    }

    /* change bootindex to a new one */
    s->conf.bootindex = boot_index;

    if (s->scsi_dev) {
        object_property_set_int(OBJECT(s->scsi_dev), boot_index, "bootindex",
                                &error_abort);
    }
}
820 
/* Abstract base type that carries MSDState and the shared class setup. */
static const TypeInfo usb_storage_dev_type_info = {
    .name          = TYPE_USB_STORAGE,
    .parent        = TYPE_USB_DEVICE,
    .abstract      = true,
    .instance_size = sizeof(MSDState),
    .class_init    = usb_msd_class_initfn_common,
};
828 
/*
 * Instance initialiser of "usb-storage": registers the "bootindex"
 * property with its getter and setter and sets it to -1.
 */
static void usb_msd_instance_init(Object *obj)
{
    object_property_add(obj, "bootindex", "int32",
                        usb_msd_get_bootindex, usb_msd_set_bootindex,
                        NULL, NULL, NULL);
    object_property_set_int(obj, -1, "bootindex", NULL);
}
836 
/*
 * Class initialiser of "usb-bot": selects its realize function and marks
 * the device as not hot-pluggable.  @data is not used.
 */
static void usb_msd_class_initfn_bot(ObjectClass *klass, void *data)
{
    DeviceClass *dc = DEVICE_CLASS(klass);
    USBDeviceClass *uc = USB_DEVICE_CLASS(klass);

    dc->hotpluggable = false;
    uc->realize = usb_msd_realize_bot;
}
845 
/* "usb-storage": storage device with one automatically created disk. */
static const TypeInfo msd_info = {
    .name          = "usb-storage",
    .parent        = TYPE_USB_STORAGE,
    .instance_init = usb_msd_instance_init,
    .class_init    = usb_msd_class_initfn_storage,
};
852 
/* "usb-bot": bare transport with an initially empty SCSI bus. */
static const TypeInfo bot_info = {
    .name       = "usb-bot",
    .parent     = TYPE_USB_STORAGE,
    .class_init = usb_msd_class_initfn_bot,
};
858 
/*
 * Register the base type and the two concrete device types, and hook
 * "usb-storage" up to the legacy "-usbdevice disk:" syntax.
 */
static void usb_msd_register_types(void)
{
    /* The abstract parent is registered before the types derived from it. */
    type_register_static(&usb_storage_dev_type_info);
    type_register_static(&msd_info);
    type_register_static(&bot_info);

    usb_legacy_register("usb-storage", "disk", usb_msd_init);
}

type_init(usb_msd_register_types)
868