1 /* 2 * UAS (USB Attached SCSI) emulation 3 * 4 * Copyright Red Hat, Inc. 2012 5 * 6 * Author: Gerd Hoffmann <kraxel@redhat.com> 7 * 8 * This work is licensed under the terms of the GNU GPL, version 2 or later. 9 * See the COPYING file in the top-level directory. 10 */ 11 12 #include "qemu-common.h" 13 #include "qemu/option.h" 14 #include "qemu/config-file.h" 15 #include "trace.h" 16 17 #include "hw/usb.h" 18 #include "hw/usb/desc.h" 19 #include "hw/scsi/scsi.h" 20 #include "block/scsi.h" 21 22 /* --------------------------------------------------------------------- */ 23 24 #define UAS_UI_COMMAND 0x01 25 #define UAS_UI_SENSE 0x03 26 #define UAS_UI_RESPONSE 0x04 27 #define UAS_UI_TASK_MGMT 0x05 28 #define UAS_UI_READ_READY 0x06 29 #define UAS_UI_WRITE_READY 0x07 30 31 #define UAS_RC_TMF_COMPLETE 0x00 32 #define UAS_RC_INVALID_INFO_UNIT 0x02 33 #define UAS_RC_TMF_NOT_SUPPORTED 0x04 34 #define UAS_RC_TMF_FAILED 0x05 35 #define UAS_RC_TMF_SUCCEEDED 0x08 36 #define UAS_RC_INCORRECT_LUN 0x09 37 #define UAS_RC_OVERLAPPED_TAG 0x0a 38 39 #define UAS_TMF_ABORT_TASK 0x01 40 #define UAS_TMF_ABORT_TASK_SET 0x02 41 #define UAS_TMF_CLEAR_TASK_SET 0x04 42 #define UAS_TMF_LOGICAL_UNIT_RESET 0x08 43 #define UAS_TMF_I_T_NEXUS_RESET 0x10 44 #define UAS_TMF_CLEAR_ACA 0x40 45 #define UAS_TMF_QUERY_TASK 0x80 46 #define UAS_TMF_QUERY_TASK_SET 0x81 47 #define UAS_TMF_QUERY_ASYNC_EVENT 0x82 48 49 #define UAS_PIPE_ID_COMMAND 0x01 50 #define UAS_PIPE_ID_STATUS 0x02 51 #define UAS_PIPE_ID_DATA_IN 0x03 52 #define UAS_PIPE_ID_DATA_OUT 0x04 53 54 typedef struct { 55 uint8_t id; 56 uint8_t reserved; 57 uint16_t tag; 58 } QEMU_PACKED uas_iu_header; 59 60 typedef struct { 61 uint8_t prio_taskattr; /* 6:3 priority, 2:0 task attribute */ 62 uint8_t reserved_1; 63 uint8_t add_cdb_length; /* 7:2 additional adb length (dwords) */ 64 uint8_t reserved_2; 65 uint64_t lun; 66 uint8_t cdb[16]; 67 uint8_t add_cdb[]; 68 } QEMU_PACKED uas_iu_command; 69 70 typedef struct { 71 uint16_t status_qualifier; 72 uint8_t status; 73 uint8_t reserved[7]; 74 uint16_t sense_length; 75 uint8_t sense_data[18]; 76 } QEMU_PACKED uas_iu_sense; 77 78 typedef struct { 79 uint8_t add_response_info[3]; 80 uint8_t response_code; 81 } QEMU_PACKED uas_iu_response; 82 83 typedef struct { 84 uint8_t function; 85 uint8_t reserved; 86 uint16_t task_tag; 87 uint64_t lun; 88 } QEMU_PACKED uas_iu_task_mgmt; 89 90 typedef struct { 91 uas_iu_header hdr; 92 union { 93 uas_iu_command command; 94 uas_iu_sense sense; 95 uas_iu_task_mgmt task; 96 uas_iu_response response; 97 }; 98 } QEMU_PACKED uas_iu; 99 100 /* --------------------------------------------------------------------- */ 101 102 #define UAS_STREAM_BM_ATTR 4 103 #define UAS_MAX_STREAMS (1 << UAS_STREAM_BM_ATTR) 104 105 typedef struct UASDevice UASDevice; 106 typedef struct UASRequest UASRequest; 107 typedef struct UASStatus UASStatus; 108 109 struct UASDevice { 110 USBDevice dev; 111 SCSIBus bus; 112 QEMUBH *status_bh; 113 QTAILQ_HEAD(, UASStatus) results; 114 QTAILQ_HEAD(, UASRequest) requests; 115 116 /* properties */ 117 uint32_t requestlog; 118 119 /* usb 2.0 only */ 120 USBPacket *status2; 121 UASRequest *datain2; 122 UASRequest *dataout2; 123 124 /* usb 3.0 only */ 125 USBPacket *data3[UAS_MAX_STREAMS + 1]; 126 USBPacket *status3[UAS_MAX_STREAMS + 1]; 127 }; 128 129 struct UASRequest { 130 uint16_t tag; 131 uint64_t lun; 132 UASDevice *uas; 133 SCSIDevice *dev; 134 SCSIRequest *req; 135 USBPacket *data; 136 bool data_async; 137 bool active; 138 bool complete; 139 uint32_t buf_off; 140 uint32_t buf_size; 141 uint32_t data_off; 142 uint32_t data_size; 143 QTAILQ_ENTRY(UASRequest) next; 144 }; 145 146 struct UASStatus { 147 uint32_t stream; 148 uas_iu status; 149 uint32_t length; 150 QTAILQ_ENTRY(UASStatus) next; 151 }; 152 153 /* --------------------------------------------------------------------- */ 154 155 enum { 156 STR_MANUFACTURER = 1, 157 STR_PRODUCT, 158 STR_SERIALNUMBER, 159 STR_CONFIG_HIGH, 160 STR_CONFIG_SUPER, 161 }; 162 163 static const USBDescStrings desc_strings = { 164 [STR_MANUFACTURER] = "QEMU", 165 [STR_PRODUCT] = "USB Attached SCSI HBA", 166 [STR_SERIALNUMBER] = "27842", 167 [STR_CONFIG_HIGH] = "High speed config (usb 2.0)", 168 [STR_CONFIG_SUPER] = "Super speed config (usb 3.0)", 169 }; 170 171 static const USBDescIface desc_iface_high = { 172 .bInterfaceNumber = 0, 173 .bNumEndpoints = 4, 174 .bInterfaceClass = USB_CLASS_MASS_STORAGE, 175 .bInterfaceSubClass = 0x06, /* SCSI */ 176 .bInterfaceProtocol = 0x62, /* UAS */ 177 .eps = (USBDescEndpoint[]) { 178 { 179 .bEndpointAddress = USB_DIR_OUT | UAS_PIPE_ID_COMMAND, 180 .bmAttributes = USB_ENDPOINT_XFER_BULK, 181 .wMaxPacketSize = 512, 182 .extra = (uint8_t[]) { 183 0x04, /* u8 bLength */ 184 0x24, /* u8 bDescriptorType */ 185 UAS_PIPE_ID_COMMAND, 186 0x00, /* u8 bReserved */ 187 }, 188 },{ 189 .bEndpointAddress = USB_DIR_IN | UAS_PIPE_ID_STATUS, 190 .bmAttributes = USB_ENDPOINT_XFER_BULK, 191 .wMaxPacketSize = 512, 192 .extra = (uint8_t[]) { 193 0x04, /* u8 bLength */ 194 0x24, /* u8 bDescriptorType */ 195 UAS_PIPE_ID_STATUS, 196 0x00, /* u8 bReserved */ 197 }, 198 },{ 199 .bEndpointAddress = USB_DIR_IN | UAS_PIPE_ID_DATA_IN, 200 .bmAttributes = USB_ENDPOINT_XFER_BULK, 201 .wMaxPacketSize = 512, 202 .extra = (uint8_t[]) { 203 0x04, /* u8 bLength */ 204 0x24, /* u8 bDescriptorType */ 205 UAS_PIPE_ID_DATA_IN, 206 0x00, /* u8 bReserved */ 207 }, 208 },{ 209 .bEndpointAddress = USB_DIR_OUT | UAS_PIPE_ID_DATA_OUT, 210 .bmAttributes = USB_ENDPOINT_XFER_BULK, 211 .wMaxPacketSize = 512, 212 .extra = (uint8_t[]) { 213 0x04, /* u8 bLength */ 214 0x24, /* u8 bDescriptorType */ 215 UAS_PIPE_ID_DATA_OUT, 216 0x00, /* u8 bReserved */ 217 }, 218 }, 219 } 220 }; 221 222 static const USBDescIface desc_iface_super = { 223 .bInterfaceNumber = 0, 224 .bNumEndpoints = 4, 225 .bInterfaceClass = USB_CLASS_MASS_STORAGE, 226 .bInterfaceSubClass = 0x06, /* SCSI */ 227 .bInterfaceProtocol = 0x62, /* UAS */ 228 .eps = (USBDescEndpoint[]) { 229 { 230 .bEndpointAddress = USB_DIR_OUT | UAS_PIPE_ID_COMMAND, 231 .bmAttributes = USB_ENDPOINT_XFER_BULK, 232 .wMaxPacketSize = 1024, 233 .bMaxBurst = 15, 234 .extra = (uint8_t[]) { 235 0x04, /* u8 bLength */ 236 0x24, /* u8 bDescriptorType */ 237 UAS_PIPE_ID_COMMAND, 238 0x00, /* u8 bReserved */ 239 }, 240 },{ 241 .bEndpointAddress = USB_DIR_IN | UAS_PIPE_ID_STATUS, 242 .bmAttributes = USB_ENDPOINT_XFER_BULK, 243 .wMaxPacketSize = 1024, 244 .bMaxBurst = 15, 245 .bmAttributes_super = UAS_STREAM_BM_ATTR, 246 .extra = (uint8_t[]) { 247 0x04, /* u8 bLength */ 248 0x24, /* u8 bDescriptorType */ 249 UAS_PIPE_ID_STATUS, 250 0x00, /* u8 bReserved */ 251 }, 252 },{ 253 .bEndpointAddress = USB_DIR_IN | UAS_PIPE_ID_DATA_IN, 254 .bmAttributes = USB_ENDPOINT_XFER_BULK, 255 .wMaxPacketSize = 1024, 256 .bMaxBurst = 15, 257 .bmAttributes_super = UAS_STREAM_BM_ATTR, 258 .extra = (uint8_t[]) { 259 0x04, /* u8 bLength */ 260 0x24, /* u8 bDescriptorType */ 261 UAS_PIPE_ID_DATA_IN, 262 0x00, /* u8 bReserved */ 263 }, 264 },{ 265 .bEndpointAddress = USB_DIR_OUT | UAS_PIPE_ID_DATA_OUT, 266 .bmAttributes = USB_ENDPOINT_XFER_BULK, 267 .wMaxPacketSize = 1024, 268 .bMaxBurst = 15, 269 .bmAttributes_super = UAS_STREAM_BM_ATTR, 270 .extra = (uint8_t[]) { 271 0x04, /* u8 bLength */ 272 0x24, /* u8 bDescriptorType */ 273 UAS_PIPE_ID_DATA_OUT, 274 0x00, /* u8 bReserved */ 275 }, 276 }, 277 } 278 }; 279 280 static const USBDescDevice desc_device_high = { 281 .bcdUSB = 0x0200, 282 .bMaxPacketSize0 = 64, 283 .bNumConfigurations = 1, 284 .confs = (USBDescConfig[]) { 285 { 286 .bNumInterfaces = 1, 287 .bConfigurationValue = 1, 288 .iConfiguration = STR_CONFIG_HIGH, 289 .bmAttributes = 0xc0, 290 .nif = 1, 291 .ifs = &desc_iface_high, 292 }, 293 }, 294 }; 295 296 static const USBDescDevice desc_device_super = { 297 .bcdUSB = 0x0300, 298 .bMaxPacketSize0 = 64, 299 .bNumConfigurations = 1, 300 .confs = (USBDescConfig[]) { 301 { 302 .bNumInterfaces = 1, 303 .bConfigurationValue = 1, 304 .iConfiguration = STR_CONFIG_SUPER, 305 .bmAttributes = 0xc0, 306 .nif = 1, 307 .ifs = &desc_iface_super, 308 }, 309 }, 310 }; 311 312 static const USBDesc desc = { 313 .id = { 314 .idVendor = 0x46f4, /* CRC16() of "QEMU" */ 315 .idProduct = 0x0003, 316 .bcdDevice = 0, 317 .iManufacturer = STR_MANUFACTURER, 318 .iProduct = STR_PRODUCT, 319 .iSerialNumber = STR_SERIALNUMBER, 320 }, 321 .high = &desc_device_high, 322 .super = &desc_device_super, 323 .str = desc_strings, 324 }; 325 326 /* --------------------------------------------------------------------- */ 327 328 static bool uas_using_streams(UASDevice *uas) 329 { 330 return uas->dev.speed == USB_SPEED_SUPER; 331 } 332 333 /* --------------------------------------------------------------------- */ 334 335 static UASStatus *usb_uas_alloc_status(UASDevice *uas, uint8_t id, uint16_t tag) 336 { 337 UASStatus *st = g_new0(UASStatus, 1); 338 339 st->status.hdr.id = id; 340 st->status.hdr.tag = cpu_to_be16(tag); 341 st->length = sizeof(uas_iu_header); 342 if (uas_using_streams(uas)) { 343 st->stream = tag; 344 } 345 return st; 346 } 347 348 static void usb_uas_send_status_bh(void *opaque) 349 { 350 UASDevice *uas = opaque; 351 UASStatus *st; 352 USBPacket *p; 353 354 while ((st = QTAILQ_FIRST(&uas->results)) != NULL) { 355 if (uas_using_streams(uas)) { 356 p = uas->status3[st->stream]; 357 uas->status3[st->stream] = NULL; 358 } else { 359 p = uas->status2; 360 uas->status2 = NULL; 361 } 362 if (p == NULL) { 363 break; 364 } 365 366 usb_packet_copy(p, &st->status, st->length); 367 QTAILQ_REMOVE(&uas->results, st, next); 368 g_free(st); 369 370 p->status = USB_RET_SUCCESS; /* Clear previous ASYNC status */ 371 usb_packet_complete(&uas->dev, p); 372 } 373 } 374 375 static void usb_uas_queue_status(UASDevice *uas, UASStatus *st, int length) 376 { 377 USBPacket *p = uas_using_streams(uas) ? 378 uas->status3[st->stream] : uas->status2; 379 380 st->length += length; 381 QTAILQ_INSERT_TAIL(&uas->results, st, next); 382 if (p) { 383 /* 384 * Just schedule bh make sure any in-flight data transaction 385 * is finished before completing (sending) the status packet. 386 */ 387 qemu_bh_schedule(uas->status_bh); 388 } else { 389 USBEndpoint *ep = usb_ep_get(&uas->dev, USB_TOKEN_IN, 390 UAS_PIPE_ID_STATUS); 391 usb_wakeup(ep, st->stream); 392 } 393 } 394 395 static void usb_uas_queue_response(UASDevice *uas, uint16_t tag, uint8_t code) 396 { 397 UASStatus *st = usb_uas_alloc_status(uas, UAS_UI_RESPONSE, tag); 398 399 trace_usb_uas_response(uas->dev.addr, tag, code); 400 st->status.response.response_code = code; 401 usb_uas_queue_status(uas, st, sizeof(uas_iu_response)); 402 } 403 404 static void usb_uas_queue_sense(UASRequest *req, uint8_t status) 405 { 406 UASStatus *st = usb_uas_alloc_status(req->uas, UAS_UI_SENSE, req->tag); 407 int len, slen = 0; 408 409 trace_usb_uas_sense(req->uas->dev.addr, req->tag, status); 410 st->status.sense.status = status; 411 st->status.sense.status_qualifier = cpu_to_be16(0); 412 if (status != GOOD) { 413 slen = scsi_req_get_sense(req->req, st->status.sense.sense_data, 414 sizeof(st->status.sense.sense_data)); 415 st->status.sense.sense_length = cpu_to_be16(slen); 416 } 417 len = sizeof(uas_iu_sense) - sizeof(st->status.sense.sense_data) + slen; 418 usb_uas_queue_status(req->uas, st, len); 419 } 420 421 static void usb_uas_queue_fake_sense(UASDevice *uas, uint16_t tag, 422 struct SCSISense sense) 423 { 424 UASStatus *st = usb_uas_alloc_status(uas, UAS_UI_SENSE, tag); 425 int len, slen = 0; 426 427 st->status.sense.status = CHECK_CONDITION; 428 st->status.sense.status_qualifier = cpu_to_be16(0); 429 st->status.sense.sense_data[0] = 0x70; 430 st->status.sense.sense_data[2] = sense.key; 431 st->status.sense.sense_data[7] = 10; 432 st->status.sense.sense_data[12] = sense.asc; 433 st->status.sense.sense_data[13] = sense.ascq; 434 slen = 18; 435 len = sizeof(uas_iu_sense) - sizeof(st->status.sense.sense_data) + slen; 436 usb_uas_queue_status(uas, st, len); 437 } 438 439 static void usb_uas_queue_read_ready(UASRequest *req) 440 { 441 UASStatus *st = usb_uas_alloc_status(req->uas, UAS_UI_READ_READY, 442 req->tag); 443 444 trace_usb_uas_read_ready(req->uas->dev.addr, req->tag); 445 usb_uas_queue_status(req->uas, st, 0); 446 } 447 448 static void usb_uas_queue_write_ready(UASRequest *req) 449 { 450 UASStatus *st = usb_uas_alloc_status(req->uas, UAS_UI_WRITE_READY, 451 req->tag); 452 453 trace_usb_uas_write_ready(req->uas->dev.addr, req->tag); 454 usb_uas_queue_status(req->uas, st, 0); 455 } 456 457 /* --------------------------------------------------------------------- */ 458 459 static int usb_uas_get_lun(uint64_t lun64) 460 { 461 return (lun64 >> 48) & 0xff; 462 } 463 464 static SCSIDevice *usb_uas_get_dev(UASDevice *uas, uint64_t lun64) 465 { 466 if ((lun64 >> 56) != 0x00) { 467 return NULL; 468 } 469 return scsi_device_find(&uas->bus, 0, 0, usb_uas_get_lun(lun64)); 470 } 471 472 static void usb_uas_complete_data_packet(UASRequest *req) 473 { 474 USBPacket *p; 475 476 if (!req->data_async) { 477 return; 478 } 479 p = req->data; 480 req->data = NULL; 481 req->data_async = false; 482 p->status = USB_RET_SUCCESS; /* Clear previous ASYNC status */ 483 usb_packet_complete(&req->uas->dev, p); 484 } 485 486 static void usb_uas_copy_data(UASRequest *req) 487 { 488 uint32_t length; 489 490 length = MIN(req->buf_size - req->buf_off, 491 req->data->iov.size - req->data->actual_length); 492 trace_usb_uas_xfer_data(req->uas->dev.addr, req->tag, length, 493 req->data->actual_length, req->data->iov.size, 494 req->buf_off, req->buf_size); 495 usb_packet_copy(req->data, scsi_req_get_buf(req->req) + req->buf_off, 496 length); 497 req->buf_off += length; 498 req->data_off += length; 499 500 if (req->data->actual_length == req->data->iov.size) { 501 usb_uas_complete_data_packet(req); 502 } 503 if (req->buf_size && req->buf_off == req->buf_size) { 504 req->buf_off = 0; 505 req->buf_size = 0; 506 scsi_req_continue(req->req); 507 } 508 } 509 510 static void usb_uas_start_next_transfer(UASDevice *uas) 511 { 512 UASRequest *req; 513 514 if (uas_using_streams(uas)) { 515 return; 516 } 517 518 QTAILQ_FOREACH(req, &uas->requests, next) { 519 if (req->active || req->complete) { 520 continue; 521 } 522 if (req->req->cmd.mode == SCSI_XFER_FROM_DEV && uas->datain2 == NULL) { 523 uas->datain2 = req; 524 usb_uas_queue_read_ready(req); 525 req->active = true; 526 return; 527 } 528 if (req->req->cmd.mode == SCSI_XFER_TO_DEV && uas->dataout2 == NULL) { 529 uas->dataout2 = req; 530 usb_uas_queue_write_ready(req); 531 req->active = true; 532 return; 533 } 534 } 535 } 536 537 static UASRequest *usb_uas_alloc_request(UASDevice *uas, uas_iu *iu) 538 { 539 UASRequest *req; 540 541 req = g_new0(UASRequest, 1); 542 req->uas = uas; 543 req->tag = be16_to_cpu(iu->hdr.tag); 544 req->lun = be64_to_cpu(iu->command.lun); 545 req->dev = usb_uas_get_dev(req->uas, req->lun); 546 return req; 547 } 548 549 static void usb_uas_scsi_free_request(SCSIBus *bus, void *priv) 550 { 551 UASRequest *req = priv; 552 UASDevice *uas = req->uas; 553 554 if (req == uas->datain2) { 555 uas->datain2 = NULL; 556 } 557 if (req == uas->dataout2) { 558 uas->dataout2 = NULL; 559 } 560 QTAILQ_REMOVE(&uas->requests, req, next); 561 g_free(req); 562 usb_uas_start_next_transfer(uas); 563 } 564 565 static UASRequest *usb_uas_find_request(UASDevice *uas, uint16_t tag) 566 { 567 UASRequest *req; 568 569 QTAILQ_FOREACH(req, &uas->requests, next) { 570 if (req->tag == tag) { 571 return req; 572 } 573 } 574 return NULL; 575 } 576 577 static void usb_uas_scsi_transfer_data(SCSIRequest *r, uint32_t len) 578 { 579 UASRequest *req = r->hba_private; 580 581 trace_usb_uas_scsi_data(req->uas->dev.addr, req->tag, len); 582 req->buf_off = 0; 583 req->buf_size = len; 584 if (req->data) { 585 usb_uas_copy_data(req); 586 } else { 587 usb_uas_start_next_transfer(req->uas); 588 } 589 } 590 591 static void usb_uas_scsi_command_complete(SCSIRequest *r, 592 uint32_t status, size_t resid) 593 { 594 UASRequest *req = r->hba_private; 595 596 trace_usb_uas_scsi_complete(req->uas->dev.addr, req->tag, status, resid); 597 req->complete = true; 598 if (req->data) { 599 usb_uas_complete_data_packet(req); 600 } 601 usb_uas_queue_sense(req, status); 602 scsi_req_unref(req->req); 603 } 604 605 static void usb_uas_scsi_request_cancelled(SCSIRequest *r) 606 { 607 UASRequest *req = r->hba_private; 608 609 /* FIXME: queue notification to status pipe? */ 610 scsi_req_unref(req->req); 611 } 612 613 static const struct SCSIBusInfo usb_uas_scsi_info = { 614 .tcq = true, 615 .max_target = 0, 616 .max_lun = 255, 617 618 .transfer_data = usb_uas_scsi_transfer_data, 619 .complete = usb_uas_scsi_command_complete, 620 .cancel = usb_uas_scsi_request_cancelled, 621 .free_request = usb_uas_scsi_free_request, 622 }; 623 624 /* --------------------------------------------------------------------- */ 625 626 static void usb_uas_handle_reset(USBDevice *dev) 627 { 628 UASDevice *uas = DO_UPCAST(UASDevice, dev, dev); 629 UASRequest *req, *nreq; 630 UASStatus *st, *nst; 631 632 trace_usb_uas_reset(dev->addr); 633 QTAILQ_FOREACH_SAFE(req, &uas->requests, next, nreq) { 634 scsi_req_cancel(req->req); 635 } 636 QTAILQ_FOREACH_SAFE(st, &uas->results, next, nst) { 637 QTAILQ_REMOVE(&uas->results, st, next); 638 g_free(st); 639 } 640 } 641 642 static void usb_uas_handle_control(USBDevice *dev, USBPacket *p, 643 int request, int value, int index, int length, uint8_t *data) 644 { 645 int ret; 646 647 ret = usb_desc_handle_control(dev, p, request, value, index, length, data); 648 if (ret >= 0) { 649 return; 650 } 651 fprintf(stderr, "%s: unhandled control request\n", __func__); 652 p->status = USB_RET_STALL; 653 } 654 655 static void usb_uas_cancel_io(USBDevice *dev, USBPacket *p) 656 { 657 UASDevice *uas = DO_UPCAST(UASDevice, dev, dev); 658 UASRequest *req, *nreq; 659 int i; 660 661 if (uas->status2 == p) { 662 uas->status2 = NULL; 663 qemu_bh_cancel(uas->status_bh); 664 return; 665 } 666 if (uas_using_streams(uas)) { 667 for (i = 0; i <= UAS_MAX_STREAMS; i++) { 668 if (uas->status3[i] == p) { 669 uas->status3[i] = NULL; 670 return; 671 } 672 if (uas->data3[i] == p) { 673 uas->data3[i] = NULL; 674 return; 675 } 676 } 677 } 678 QTAILQ_FOREACH_SAFE(req, &uas->requests, next, nreq) { 679 if (req->data == p) { 680 req->data = NULL; 681 return; 682 } 683 } 684 assert(!"canceled usb packet not found"); 685 } 686 687 static void usb_uas_command(UASDevice *uas, uas_iu *iu) 688 { 689 UASRequest *req; 690 uint32_t len; 691 uint16_t tag = be16_to_cpu(iu->hdr.tag); 692 693 if (uas_using_streams(uas) && tag > UAS_MAX_STREAMS) { 694 goto invalid_tag; 695 } 696 req = usb_uas_find_request(uas, tag); 697 if (req) { 698 goto overlapped_tag; 699 } 700 req = usb_uas_alloc_request(uas, iu); 701 if (req->dev == NULL) { 702 goto bad_target; 703 } 704 705 trace_usb_uas_command(uas->dev.addr, req->tag, 706 usb_uas_get_lun(req->lun), 707 req->lun >> 32, req->lun & 0xffffffff); 708 QTAILQ_INSERT_TAIL(&uas->requests, req, next); 709 if (uas_using_streams(uas) && uas->data3[req->tag] != NULL) { 710 req->data = uas->data3[req->tag]; 711 req->data_async = true; 712 uas->data3[req->tag] = NULL; 713 } 714 715 req->req = scsi_req_new(req->dev, req->tag, 716 usb_uas_get_lun(req->lun), 717 iu->command.cdb, req); 718 if (uas->requestlog) { 719 scsi_req_print(req->req); 720 } 721 len = scsi_req_enqueue(req->req); 722 if (len) { 723 req->data_size = len; 724 scsi_req_continue(req->req); 725 } 726 return; 727 728 invalid_tag: 729 usb_uas_queue_fake_sense(uas, tag, sense_code_INVALID_TAG); 730 return; 731 732 overlapped_tag: 733 usb_uas_queue_fake_sense(uas, tag, sense_code_OVERLAPPED_COMMANDS); 734 return; 735 736 bad_target: 737 usb_uas_queue_fake_sense(uas, tag, sense_code_LUN_NOT_SUPPORTED); 738 g_free(req); 739 } 740 741 static void usb_uas_task(UASDevice *uas, uas_iu *iu) 742 { 743 uint16_t tag = be16_to_cpu(iu->hdr.tag); 744 uint64_t lun64 = be64_to_cpu(iu->task.lun); 745 SCSIDevice *dev = usb_uas_get_dev(uas, lun64); 746 int lun = usb_uas_get_lun(lun64); 747 UASRequest *req; 748 uint16_t task_tag; 749 750 if (uas_using_streams(uas) && tag > UAS_MAX_STREAMS) { 751 goto invalid_tag; 752 } 753 req = usb_uas_find_request(uas, be16_to_cpu(iu->hdr.tag)); 754 if (req) { 755 goto overlapped_tag; 756 } 757 if (dev == NULL) { 758 goto incorrect_lun; 759 } 760 761 switch (iu->task.function) { 762 case UAS_TMF_ABORT_TASK: 763 task_tag = be16_to_cpu(iu->task.task_tag); 764 trace_usb_uas_tmf_abort_task(uas->dev.addr, tag, task_tag); 765 req = usb_uas_find_request(uas, task_tag); 766 if (req && req->dev == dev) { 767 scsi_req_cancel(req->req); 768 } 769 usb_uas_queue_response(uas, tag, UAS_RC_TMF_COMPLETE); 770 break; 771 772 case UAS_TMF_LOGICAL_UNIT_RESET: 773 trace_usb_uas_tmf_logical_unit_reset(uas->dev.addr, tag, lun); 774 qdev_reset_all(&dev->qdev); 775 usb_uas_queue_response(uas, tag, UAS_RC_TMF_COMPLETE); 776 break; 777 778 default: 779 trace_usb_uas_tmf_unsupported(uas->dev.addr, tag, iu->task.function); 780 usb_uas_queue_response(uas, tag, UAS_RC_TMF_NOT_SUPPORTED); 781 break; 782 } 783 return; 784 785 invalid_tag: 786 usb_uas_queue_response(uas, tag, UAS_RC_INVALID_INFO_UNIT); 787 return; 788 789 overlapped_tag: 790 usb_uas_queue_response(uas, req->tag, UAS_RC_OVERLAPPED_TAG); 791 return; 792 793 incorrect_lun: 794 usb_uas_queue_response(uas, tag, UAS_RC_INCORRECT_LUN); 795 } 796 797 static void usb_uas_handle_data(USBDevice *dev, USBPacket *p) 798 { 799 UASDevice *uas = DO_UPCAST(UASDevice, dev, dev); 800 uas_iu iu; 801 UASStatus *st; 802 UASRequest *req; 803 int length; 804 805 switch (p->ep->nr) { 806 case UAS_PIPE_ID_COMMAND: 807 length = MIN(sizeof(iu), p->iov.size); 808 usb_packet_copy(p, &iu, length); 809 switch (iu.hdr.id) { 810 case UAS_UI_COMMAND: 811 usb_uas_command(uas, &iu); 812 break; 813 case UAS_UI_TASK_MGMT: 814 usb_uas_task(uas, &iu); 815 break; 816 default: 817 fprintf(stderr, "%s: unknown command iu: id 0x%x\n", 818 __func__, iu.hdr.id); 819 p->status = USB_RET_STALL; 820 break; 821 } 822 break; 823 case UAS_PIPE_ID_STATUS: 824 if (p->stream) { 825 QTAILQ_FOREACH(st, &uas->results, next) { 826 if (st->stream == p->stream) { 827 break; 828 } 829 } 830 if (st == NULL) { 831 assert(uas->status3[p->stream] == NULL); 832 uas->status3[p->stream] = p; 833 p->status = USB_RET_ASYNC; 834 break; 835 } 836 } else { 837 st = QTAILQ_FIRST(&uas->results); 838 if (st == NULL) { 839 assert(uas->status2 == NULL); 840 uas->status2 = p; 841 p->status = USB_RET_ASYNC; 842 break; 843 } 844 } 845 usb_packet_copy(p, &st->status, st->length); 846 QTAILQ_REMOVE(&uas->results, st, next); 847 g_free(st); 848 break; 849 case UAS_PIPE_ID_DATA_IN: 850 case UAS_PIPE_ID_DATA_OUT: 851 if (p->stream) { 852 req = usb_uas_find_request(uas, p->stream); 853 } else { 854 req = (p->ep->nr == UAS_PIPE_ID_DATA_IN) 855 ? uas->datain2 : uas->dataout2; 856 } 857 if (req == NULL) { 858 if (p->stream) { 859 assert(uas->data3[p->stream] == NULL); 860 uas->data3[p->stream] = p; 861 p->status = USB_RET_ASYNC; 862 break; 863 } else { 864 fprintf(stderr, "%s: no inflight request\n", __func__); 865 p->status = USB_RET_STALL; 866 break; 867 } 868 } 869 scsi_req_ref(req->req); 870 req->data = p; 871 usb_uas_copy_data(req); 872 if (p->actual_length == p->iov.size || req->complete) { 873 req->data = NULL; 874 } else { 875 req->data_async = true; 876 p->status = USB_RET_ASYNC; 877 } 878 scsi_req_unref(req->req); 879 usb_uas_start_next_transfer(uas); 880 break; 881 default: 882 fprintf(stderr, "%s: invalid endpoint %d\n", __func__, p->ep->nr); 883 p->status = USB_RET_STALL; 884 break; 885 } 886 } 887 888 static void usb_uas_handle_destroy(USBDevice *dev) 889 { 890 UASDevice *uas = DO_UPCAST(UASDevice, dev, dev); 891 892 qemu_bh_delete(uas->status_bh); 893 } 894 895 static int usb_uas_init(USBDevice *dev) 896 { 897 UASDevice *uas = DO_UPCAST(UASDevice, dev, dev); 898 899 usb_desc_create_serial(dev); 900 usb_desc_init(dev); 901 902 QTAILQ_INIT(&uas->results); 903 QTAILQ_INIT(&uas->requests); 904 uas->status_bh = qemu_bh_new(usb_uas_send_status_bh, uas); 905 906 scsi_bus_new(&uas->bus, sizeof(uas->bus), DEVICE(dev), 907 &usb_uas_scsi_info, NULL); 908 909 return 0; 910 } 911 912 static const VMStateDescription vmstate_usb_uas = { 913 .name = "usb-uas", 914 .unmigratable = 1, 915 .fields = (VMStateField[]) { 916 VMSTATE_USB_DEVICE(dev, UASDevice), 917 VMSTATE_END_OF_LIST() 918 } 919 }; 920 921 static Property uas_properties[] = { 922 DEFINE_PROP_UINT32("log-scsi-req", UASDevice, requestlog, 0), 923 DEFINE_PROP_END_OF_LIST(), 924 }; 925 926 static void usb_uas_class_initfn(ObjectClass *klass, void *data) 927 { 928 DeviceClass *dc = DEVICE_CLASS(klass); 929 USBDeviceClass *uc = USB_DEVICE_CLASS(klass); 930 931 uc->init = usb_uas_init; 932 uc->product_desc = desc_strings[STR_PRODUCT]; 933 uc->usb_desc = &desc; 934 uc->cancel_packet = usb_uas_cancel_io; 935 uc->handle_attach = usb_desc_attach; 936 uc->handle_reset = usb_uas_handle_reset; 937 uc->handle_control = usb_uas_handle_control; 938 uc->handle_data = usb_uas_handle_data; 939 uc->handle_destroy = usb_uas_handle_destroy; 940 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories); 941 dc->fw_name = "storage"; 942 dc->vmsd = &vmstate_usb_uas; 943 dc->props = uas_properties; 944 } 945 946 static const TypeInfo uas_info = { 947 .name = "usb-uas", 948 .parent = TYPE_USB_DEVICE, 949 .instance_size = sizeof(UASDevice), 950 .class_init = usb_uas_class_initfn, 951 }; 952 953 static void usb_uas_register_types(void) 954 { 955 type_register_static(&uas_info); 956 } 957 958 type_init(usb_uas_register_types) 959