1 /* 2 * UAS (USB Attached SCSI) emulation 3 * 4 * Copyright Red Hat, Inc. 2012 5 * 6 * Author: Gerd Hoffmann <kraxel@redhat.com> 7 * 8 * This work is licensed under the terms of the GNU GPL, version 2 or later. 9 * See the COPYING file in the top-level directory. 10 */ 11 12 #include "qemu/osdep.h" 13 #include "qemu-common.h" 14 #include "qemu/option.h" 15 #include "qemu/config-file.h" 16 #include "trace.h" 17 #include "qemu/error-report.h" 18 19 #include "hw/usb.h" 20 #include "hw/usb/desc.h" 21 #include "hw/scsi/scsi.h" 22 #include "block/scsi.h" 23 24 /* --------------------------------------------------------------------- */ 25 26 #define UAS_UI_COMMAND 0x01 27 #define UAS_UI_SENSE 0x03 28 #define UAS_UI_RESPONSE 0x04 29 #define UAS_UI_TASK_MGMT 0x05 30 #define UAS_UI_READ_READY 0x06 31 #define UAS_UI_WRITE_READY 0x07 32 33 #define UAS_RC_TMF_COMPLETE 0x00 34 #define UAS_RC_INVALID_INFO_UNIT 0x02 35 #define UAS_RC_TMF_NOT_SUPPORTED 0x04 36 #define UAS_RC_TMF_FAILED 0x05 37 #define UAS_RC_TMF_SUCCEEDED 0x08 38 #define UAS_RC_INCORRECT_LUN 0x09 39 #define UAS_RC_OVERLAPPED_TAG 0x0a 40 41 #define UAS_TMF_ABORT_TASK 0x01 42 #define UAS_TMF_ABORT_TASK_SET 0x02 43 #define UAS_TMF_CLEAR_TASK_SET 0x04 44 #define UAS_TMF_LOGICAL_UNIT_RESET 0x08 45 #define UAS_TMF_I_T_NEXUS_RESET 0x10 46 #define UAS_TMF_CLEAR_ACA 0x40 47 #define UAS_TMF_QUERY_TASK 0x80 48 #define UAS_TMF_QUERY_TASK_SET 0x81 49 #define UAS_TMF_QUERY_ASYNC_EVENT 0x82 50 51 #define UAS_PIPE_ID_COMMAND 0x01 52 #define UAS_PIPE_ID_STATUS 0x02 53 #define UAS_PIPE_ID_DATA_IN 0x03 54 #define UAS_PIPE_ID_DATA_OUT 0x04 55 56 typedef struct { 57 uint8_t id; 58 uint8_t reserved; 59 uint16_t tag; 60 } QEMU_PACKED uas_iu_header; 61 62 typedef struct { 63 uint8_t prio_taskattr; /* 6:3 priority, 2:0 task attribute */ 64 uint8_t reserved_1; 65 uint8_t add_cdb_length; /* 7:2 additional adb length (dwords) */ 66 uint8_t reserved_2; 67 uint64_t lun; 68 uint8_t cdb[16]; 69 uint8_t add_cdb[]; 70 } QEMU_PACKED uas_iu_command; 71 72 typedef struct { 73 uint16_t status_qualifier; 74 uint8_t status; 75 uint8_t reserved[7]; 76 uint16_t sense_length; 77 uint8_t sense_data[18]; 78 } QEMU_PACKED uas_iu_sense; 79 80 typedef struct { 81 uint8_t add_response_info[3]; 82 uint8_t response_code; 83 } QEMU_PACKED uas_iu_response; 84 85 typedef struct { 86 uint8_t function; 87 uint8_t reserved; 88 uint16_t task_tag; 89 uint64_t lun; 90 } QEMU_PACKED uas_iu_task_mgmt; 91 92 typedef struct { 93 uas_iu_header hdr; 94 union { 95 uas_iu_command command; 96 uas_iu_sense sense; 97 uas_iu_task_mgmt task; 98 uas_iu_response response; 99 }; 100 } QEMU_PACKED uas_iu; 101 102 /* --------------------------------------------------------------------- */ 103 104 #define UAS_STREAM_BM_ATTR 4 105 #define UAS_MAX_STREAMS (1 << UAS_STREAM_BM_ATTR) 106 107 typedef struct UASDevice UASDevice; 108 typedef struct UASRequest UASRequest; 109 typedef struct UASStatus UASStatus; 110 111 struct UASDevice { 112 USBDevice dev; 113 SCSIBus bus; 114 QEMUBH *status_bh; 115 QTAILQ_HEAD(, UASStatus) results; 116 QTAILQ_HEAD(, UASRequest) requests; 117 118 /* properties */ 119 uint32_t requestlog; 120 121 /* usb 2.0 only */ 122 USBPacket *status2; 123 UASRequest *datain2; 124 UASRequest *dataout2; 125 126 /* usb 3.0 only */ 127 USBPacket *data3[UAS_MAX_STREAMS + 1]; 128 USBPacket *status3[UAS_MAX_STREAMS + 1]; 129 }; 130 131 #define TYPE_USB_UAS "usb-uas" 132 #define USB_UAS(obj) OBJECT_CHECK(UASDevice, (obj), TYPE_USB_UAS) 133 134 struct UASRequest { 135 uint16_t tag; 136 uint64_t lun; 137 UASDevice *uas; 138 SCSIDevice *dev; 139 SCSIRequest *req; 140 USBPacket *data; 141 bool data_async; 142 bool active; 143 bool complete; 144 uint32_t buf_off; 145 uint32_t buf_size; 146 uint32_t data_off; 147 uint32_t data_size; 148 QTAILQ_ENTRY(UASRequest) next; 149 }; 150 151 struct UASStatus { 152 uint32_t stream; 153 uas_iu status; 154 uint32_t length; 155 QTAILQ_ENTRY(UASStatus) next; 156 }; 157 158 /* --------------------------------------------------------------------- */ 159 160 enum { 161 STR_MANUFACTURER = 1, 162 STR_PRODUCT, 163 STR_SERIALNUMBER, 164 STR_CONFIG_HIGH, 165 STR_CONFIG_SUPER, 166 }; 167 168 static const USBDescStrings desc_strings = { 169 [STR_MANUFACTURER] = "QEMU", 170 [STR_PRODUCT] = "USB Attached SCSI HBA", 171 [STR_SERIALNUMBER] = "27842", 172 [STR_CONFIG_HIGH] = "High speed config (usb 2.0)", 173 [STR_CONFIG_SUPER] = "Super speed config (usb 3.0)", 174 }; 175 176 static const USBDescIface desc_iface_high = { 177 .bInterfaceNumber = 0, 178 .bNumEndpoints = 4, 179 .bInterfaceClass = USB_CLASS_MASS_STORAGE, 180 .bInterfaceSubClass = 0x06, /* SCSI */ 181 .bInterfaceProtocol = 0x62, /* UAS */ 182 .eps = (USBDescEndpoint[]) { 183 { 184 .bEndpointAddress = USB_DIR_OUT | UAS_PIPE_ID_COMMAND, 185 .bmAttributes = USB_ENDPOINT_XFER_BULK, 186 .wMaxPacketSize = 512, 187 .extra = (uint8_t[]) { 188 0x04, /* u8 bLength */ 189 0x24, /* u8 bDescriptorType */ 190 UAS_PIPE_ID_COMMAND, 191 0x00, /* u8 bReserved */ 192 }, 193 },{ 194 .bEndpointAddress = USB_DIR_IN | UAS_PIPE_ID_STATUS, 195 .bmAttributes = USB_ENDPOINT_XFER_BULK, 196 .wMaxPacketSize = 512, 197 .extra = (uint8_t[]) { 198 0x04, /* u8 bLength */ 199 0x24, /* u8 bDescriptorType */ 200 UAS_PIPE_ID_STATUS, 201 0x00, /* u8 bReserved */ 202 }, 203 },{ 204 .bEndpointAddress = USB_DIR_IN | UAS_PIPE_ID_DATA_IN, 205 .bmAttributes = USB_ENDPOINT_XFER_BULK, 206 .wMaxPacketSize = 512, 207 .extra = (uint8_t[]) { 208 0x04, /* u8 bLength */ 209 0x24, /* u8 bDescriptorType */ 210 UAS_PIPE_ID_DATA_IN, 211 0x00, /* u8 bReserved */ 212 }, 213 },{ 214 .bEndpointAddress = USB_DIR_OUT | UAS_PIPE_ID_DATA_OUT, 215 .bmAttributes = USB_ENDPOINT_XFER_BULK, 216 .wMaxPacketSize = 512, 217 .extra = (uint8_t[]) { 218 0x04, /* u8 bLength */ 219 0x24, /* u8 bDescriptorType */ 220 UAS_PIPE_ID_DATA_OUT, 221 0x00, /* u8 bReserved */ 222 }, 223 }, 224 } 225 }; 226 227 static const USBDescIface desc_iface_super = { 228 .bInterfaceNumber = 0, 229 .bNumEndpoints = 4, 230 .bInterfaceClass = USB_CLASS_MASS_STORAGE, 231 .bInterfaceSubClass = 0x06, /* SCSI */ 232 .bInterfaceProtocol = 0x62, /* UAS */ 233 .eps = (USBDescEndpoint[]) { 234 { 235 .bEndpointAddress = USB_DIR_OUT | UAS_PIPE_ID_COMMAND, 236 .bmAttributes = USB_ENDPOINT_XFER_BULK, 237 .wMaxPacketSize = 1024, 238 .bMaxBurst = 15, 239 .extra = (uint8_t[]) { 240 0x04, /* u8 bLength */ 241 0x24, /* u8 bDescriptorType */ 242 UAS_PIPE_ID_COMMAND, 243 0x00, /* u8 bReserved */ 244 }, 245 },{ 246 .bEndpointAddress = USB_DIR_IN | UAS_PIPE_ID_STATUS, 247 .bmAttributes = USB_ENDPOINT_XFER_BULK, 248 .wMaxPacketSize = 1024, 249 .bMaxBurst = 15, 250 .bmAttributes_super = UAS_STREAM_BM_ATTR, 251 .extra = (uint8_t[]) { 252 0x04, /* u8 bLength */ 253 0x24, /* u8 bDescriptorType */ 254 UAS_PIPE_ID_STATUS, 255 0x00, /* u8 bReserved */ 256 }, 257 },{ 258 .bEndpointAddress = USB_DIR_IN | UAS_PIPE_ID_DATA_IN, 259 .bmAttributes = USB_ENDPOINT_XFER_BULK, 260 .wMaxPacketSize = 1024, 261 .bMaxBurst = 15, 262 .bmAttributes_super = UAS_STREAM_BM_ATTR, 263 .extra = (uint8_t[]) { 264 0x04, /* u8 bLength */ 265 0x24, /* u8 bDescriptorType */ 266 UAS_PIPE_ID_DATA_IN, 267 0x00, /* u8 bReserved */ 268 }, 269 },{ 270 .bEndpointAddress = USB_DIR_OUT | UAS_PIPE_ID_DATA_OUT, 271 .bmAttributes = USB_ENDPOINT_XFER_BULK, 272 .wMaxPacketSize = 1024, 273 .bMaxBurst = 15, 274 .bmAttributes_super = UAS_STREAM_BM_ATTR, 275 .extra = (uint8_t[]) { 276 0x04, /* u8 bLength */ 277 0x24, /* u8 bDescriptorType */ 278 UAS_PIPE_ID_DATA_OUT, 279 0x00, /* u8 bReserved */ 280 }, 281 }, 282 } 283 }; 284 285 static const USBDescDevice desc_device_high = { 286 .bcdUSB = 0x0200, 287 .bMaxPacketSize0 = 64, 288 .bNumConfigurations = 1, 289 .confs = (USBDescConfig[]) { 290 { 291 .bNumInterfaces = 1, 292 .bConfigurationValue = 1, 293 .iConfiguration = STR_CONFIG_HIGH, 294 .bmAttributes = USB_CFG_ATT_ONE | USB_CFG_ATT_SELFPOWER, 295 .nif = 1, 296 .ifs = &desc_iface_high, 297 }, 298 }, 299 }; 300 301 static const USBDescDevice desc_device_super = { 302 .bcdUSB = 0x0300, 303 .bMaxPacketSize0 = 64, 304 .bNumConfigurations = 1, 305 .confs = (USBDescConfig[]) { 306 { 307 .bNumInterfaces = 1, 308 .bConfigurationValue = 1, 309 .iConfiguration = STR_CONFIG_SUPER, 310 .bmAttributes = USB_CFG_ATT_ONE | USB_CFG_ATT_SELFPOWER, 311 .nif = 1, 312 .ifs = &desc_iface_super, 313 }, 314 }, 315 }; 316 317 static const USBDesc desc = { 318 .id = { 319 .idVendor = 0x46f4, /* CRC16() of "QEMU" */ 320 .idProduct = 0x0003, 321 .bcdDevice = 0, 322 .iManufacturer = STR_MANUFACTURER, 323 .iProduct = STR_PRODUCT, 324 .iSerialNumber = STR_SERIALNUMBER, 325 }, 326 .high = &desc_device_high, 327 .super = &desc_device_super, 328 .str = desc_strings, 329 }; 330 331 /* --------------------------------------------------------------------- */ 332 333 static bool uas_using_streams(UASDevice *uas) 334 { 335 return uas->dev.speed == USB_SPEED_SUPER; 336 } 337 338 /* --------------------------------------------------------------------- */ 339 340 static UASStatus *usb_uas_alloc_status(UASDevice *uas, uint8_t id, uint16_t tag) 341 { 342 UASStatus *st = g_new0(UASStatus, 1); 343 344 st->status.hdr.id = id; 345 st->status.hdr.tag = cpu_to_be16(tag); 346 st->length = sizeof(uas_iu_header); 347 if (uas_using_streams(uas)) { 348 st->stream = tag; 349 } 350 return st; 351 } 352 353 static void usb_uas_send_status_bh(void *opaque) 354 { 355 UASDevice *uas = opaque; 356 UASStatus *st; 357 USBPacket *p; 358 359 while ((st = QTAILQ_FIRST(&uas->results)) != NULL) { 360 if (uas_using_streams(uas)) { 361 p = uas->status3[st->stream]; 362 uas->status3[st->stream] = NULL; 363 } else { 364 p = uas->status2; 365 uas->status2 = NULL; 366 } 367 if (p == NULL) { 368 break; 369 } 370 371 usb_packet_copy(p, &st->status, st->length); 372 QTAILQ_REMOVE(&uas->results, st, next); 373 g_free(st); 374 375 p->status = USB_RET_SUCCESS; /* Clear previous ASYNC status */ 376 usb_packet_complete(&uas->dev, p); 377 } 378 } 379 380 static void usb_uas_queue_status(UASDevice *uas, UASStatus *st, int length) 381 { 382 USBPacket *p = uas_using_streams(uas) ? 383 uas->status3[st->stream] : uas->status2; 384 385 st->length += length; 386 QTAILQ_INSERT_TAIL(&uas->results, st, next); 387 if (p) { 388 /* 389 * Just schedule bh make sure any in-flight data transaction 390 * is finished before completing (sending) the status packet. 391 */ 392 qemu_bh_schedule(uas->status_bh); 393 } else { 394 USBEndpoint *ep = usb_ep_get(&uas->dev, USB_TOKEN_IN, 395 UAS_PIPE_ID_STATUS); 396 usb_wakeup(ep, st->stream); 397 } 398 } 399 400 static void usb_uas_queue_response(UASDevice *uas, uint16_t tag, uint8_t code) 401 { 402 UASStatus *st = usb_uas_alloc_status(uas, UAS_UI_RESPONSE, tag); 403 404 trace_usb_uas_response(uas->dev.addr, tag, code); 405 st->status.response.response_code = code; 406 usb_uas_queue_status(uas, st, sizeof(uas_iu_response)); 407 } 408 409 static void usb_uas_queue_sense(UASRequest *req, uint8_t status) 410 { 411 UASStatus *st = usb_uas_alloc_status(req->uas, UAS_UI_SENSE, req->tag); 412 int len, slen = 0; 413 414 trace_usb_uas_sense(req->uas->dev.addr, req->tag, status); 415 st->status.sense.status = status; 416 st->status.sense.status_qualifier = cpu_to_be16(0); 417 if (status != GOOD) { 418 slen = scsi_req_get_sense(req->req, st->status.sense.sense_data, 419 sizeof(st->status.sense.sense_data)); 420 st->status.sense.sense_length = cpu_to_be16(slen); 421 } 422 len = sizeof(uas_iu_sense) - sizeof(st->status.sense.sense_data) + slen; 423 usb_uas_queue_status(req->uas, st, len); 424 } 425 426 static void usb_uas_queue_fake_sense(UASDevice *uas, uint16_t tag, 427 struct SCSISense sense) 428 { 429 UASStatus *st = usb_uas_alloc_status(uas, UAS_UI_SENSE, tag); 430 int len, slen = 0; 431 432 st->status.sense.status = CHECK_CONDITION; 433 st->status.sense.status_qualifier = cpu_to_be16(0); 434 st->status.sense.sense_data[0] = 0x70; 435 st->status.sense.sense_data[2] = sense.key; 436 st->status.sense.sense_data[7] = 10; 437 st->status.sense.sense_data[12] = sense.asc; 438 st->status.sense.sense_data[13] = sense.ascq; 439 slen = 18; 440 len = sizeof(uas_iu_sense) - sizeof(st->status.sense.sense_data) + slen; 441 usb_uas_queue_status(uas, st, len); 442 } 443 444 static void usb_uas_queue_read_ready(UASRequest *req) 445 { 446 UASStatus *st = usb_uas_alloc_status(req->uas, UAS_UI_READ_READY, 447 req->tag); 448 449 trace_usb_uas_read_ready(req->uas->dev.addr, req->tag); 450 usb_uas_queue_status(req->uas, st, 0); 451 } 452 453 static void usb_uas_queue_write_ready(UASRequest *req) 454 { 455 UASStatus *st = usb_uas_alloc_status(req->uas, UAS_UI_WRITE_READY, 456 req->tag); 457 458 trace_usb_uas_write_ready(req->uas->dev.addr, req->tag); 459 usb_uas_queue_status(req->uas, st, 0); 460 } 461 462 /* --------------------------------------------------------------------- */ 463 464 static int usb_uas_get_lun(uint64_t lun64) 465 { 466 return (lun64 >> 48) & 0xff; 467 } 468 469 static SCSIDevice *usb_uas_get_dev(UASDevice *uas, uint64_t lun64) 470 { 471 if ((lun64 >> 56) != 0x00) { 472 return NULL; 473 } 474 return scsi_device_find(&uas->bus, 0, 0, usb_uas_get_lun(lun64)); 475 } 476 477 static void usb_uas_complete_data_packet(UASRequest *req) 478 { 479 USBPacket *p; 480 481 if (!req->data_async) { 482 return; 483 } 484 p = req->data; 485 req->data = NULL; 486 req->data_async = false; 487 p->status = USB_RET_SUCCESS; /* Clear previous ASYNC status */ 488 usb_packet_complete(&req->uas->dev, p); 489 } 490 491 static void usb_uas_copy_data(UASRequest *req) 492 { 493 uint32_t length; 494 495 length = MIN(req->buf_size - req->buf_off, 496 req->data->iov.size - req->data->actual_length); 497 trace_usb_uas_xfer_data(req->uas->dev.addr, req->tag, length, 498 req->data->actual_length, req->data->iov.size, 499 req->buf_off, req->buf_size); 500 usb_packet_copy(req->data, scsi_req_get_buf(req->req) + req->buf_off, 501 length); 502 req->buf_off += length; 503 req->data_off += length; 504 505 if (req->data->actual_length == req->data->iov.size) { 506 usb_uas_complete_data_packet(req); 507 } 508 if (req->buf_size && req->buf_off == req->buf_size) { 509 req->buf_off = 0; 510 req->buf_size = 0; 511 scsi_req_continue(req->req); 512 } 513 } 514 515 static void usb_uas_start_next_transfer(UASDevice *uas) 516 { 517 UASRequest *req; 518 519 if (uas_using_streams(uas)) { 520 return; 521 } 522 523 QTAILQ_FOREACH(req, &uas->requests, next) { 524 if (req->active || req->complete) { 525 continue; 526 } 527 if (req->req->cmd.mode == SCSI_XFER_FROM_DEV && uas->datain2 == NULL) { 528 uas->datain2 = req; 529 usb_uas_queue_read_ready(req); 530 req->active = true; 531 return; 532 } 533 if (req->req->cmd.mode == SCSI_XFER_TO_DEV && uas->dataout2 == NULL) { 534 uas->dataout2 = req; 535 usb_uas_queue_write_ready(req); 536 req->active = true; 537 return; 538 } 539 } 540 } 541 542 static UASRequest *usb_uas_alloc_request(UASDevice *uas, uas_iu *iu) 543 { 544 UASRequest *req; 545 546 req = g_new0(UASRequest, 1); 547 req->uas = uas; 548 req->tag = be16_to_cpu(iu->hdr.tag); 549 req->lun = be64_to_cpu(iu->command.lun); 550 req->dev = usb_uas_get_dev(req->uas, req->lun); 551 return req; 552 } 553 554 static void usb_uas_scsi_free_request(SCSIBus *bus, void *priv) 555 { 556 UASRequest *req = priv; 557 UASDevice *uas = req->uas; 558 559 if (req == uas->datain2) { 560 uas->datain2 = NULL; 561 } 562 if (req == uas->dataout2) { 563 uas->dataout2 = NULL; 564 } 565 QTAILQ_REMOVE(&uas->requests, req, next); 566 g_free(req); 567 usb_uas_start_next_transfer(uas); 568 } 569 570 static UASRequest *usb_uas_find_request(UASDevice *uas, uint16_t tag) 571 { 572 UASRequest *req; 573 574 QTAILQ_FOREACH(req, &uas->requests, next) { 575 if (req->tag == tag) { 576 return req; 577 } 578 } 579 return NULL; 580 } 581 582 static void usb_uas_scsi_transfer_data(SCSIRequest *r, uint32_t len) 583 { 584 UASRequest *req = r->hba_private; 585 586 trace_usb_uas_scsi_data(req->uas->dev.addr, req->tag, len); 587 req->buf_off = 0; 588 req->buf_size = len; 589 if (req->data) { 590 usb_uas_copy_data(req); 591 } else { 592 usb_uas_start_next_transfer(req->uas); 593 } 594 } 595 596 static void usb_uas_scsi_command_complete(SCSIRequest *r, 597 uint32_t status, size_t resid) 598 { 599 UASRequest *req = r->hba_private; 600 601 trace_usb_uas_scsi_complete(req->uas->dev.addr, req->tag, status, resid); 602 req->complete = true; 603 if (req->data) { 604 usb_uas_complete_data_packet(req); 605 } 606 usb_uas_queue_sense(req, status); 607 scsi_req_unref(req->req); 608 } 609 610 static void usb_uas_scsi_request_cancelled(SCSIRequest *r) 611 { 612 UASRequest *req = r->hba_private; 613 614 /* FIXME: queue notification to status pipe? */ 615 scsi_req_unref(req->req); 616 } 617 618 static const struct SCSIBusInfo usb_uas_scsi_info = { 619 .tcq = true, 620 .max_target = 0, 621 .max_lun = 255, 622 623 .transfer_data = usb_uas_scsi_transfer_data, 624 .complete = usb_uas_scsi_command_complete, 625 .cancel = usb_uas_scsi_request_cancelled, 626 .free_request = usb_uas_scsi_free_request, 627 }; 628 629 /* --------------------------------------------------------------------- */ 630 631 static void usb_uas_handle_reset(USBDevice *dev) 632 { 633 UASDevice *uas = USB_UAS(dev); 634 UASRequest *req, *nreq; 635 UASStatus *st, *nst; 636 637 trace_usb_uas_reset(dev->addr); 638 QTAILQ_FOREACH_SAFE(req, &uas->requests, next, nreq) { 639 scsi_req_cancel(req->req); 640 } 641 QTAILQ_FOREACH_SAFE(st, &uas->results, next, nst) { 642 QTAILQ_REMOVE(&uas->results, st, next); 643 g_free(st); 644 } 645 } 646 647 static void usb_uas_handle_control(USBDevice *dev, USBPacket *p, 648 int request, int value, int index, int length, uint8_t *data) 649 { 650 int ret; 651 652 ret = usb_desc_handle_control(dev, p, request, value, index, length, data); 653 if (ret >= 0) { 654 return; 655 } 656 error_report("%s: unhandled control request", __func__); 657 p->status = USB_RET_STALL; 658 } 659 660 static void usb_uas_cancel_io(USBDevice *dev, USBPacket *p) 661 { 662 UASDevice *uas = USB_UAS(dev); 663 UASRequest *req, *nreq; 664 int i; 665 666 if (uas->status2 == p) { 667 uas->status2 = NULL; 668 qemu_bh_cancel(uas->status_bh); 669 return; 670 } 671 if (uas_using_streams(uas)) { 672 for (i = 0; i <= UAS_MAX_STREAMS; i++) { 673 if (uas->status3[i] == p) { 674 uas->status3[i] = NULL; 675 return; 676 } 677 if (uas->data3[i] == p) { 678 uas->data3[i] = NULL; 679 return; 680 } 681 } 682 } 683 QTAILQ_FOREACH_SAFE(req, &uas->requests, next, nreq) { 684 if (req->data == p) { 685 req->data = NULL; 686 return; 687 } 688 } 689 assert(!"canceled usb packet not found"); 690 } 691 692 static void usb_uas_command(UASDevice *uas, uas_iu *iu) 693 { 694 UASRequest *req; 695 uint32_t len; 696 uint16_t tag = be16_to_cpu(iu->hdr.tag); 697 698 if (uas_using_streams(uas) && tag > UAS_MAX_STREAMS) { 699 goto invalid_tag; 700 } 701 req = usb_uas_find_request(uas, tag); 702 if (req) { 703 goto overlapped_tag; 704 } 705 req = usb_uas_alloc_request(uas, iu); 706 if (req->dev == NULL) { 707 goto bad_target; 708 } 709 710 trace_usb_uas_command(uas->dev.addr, req->tag, 711 usb_uas_get_lun(req->lun), 712 req->lun >> 32, req->lun & 0xffffffff); 713 QTAILQ_INSERT_TAIL(&uas->requests, req, next); 714 if (uas_using_streams(uas) && uas->data3[req->tag] != NULL) { 715 req->data = uas->data3[req->tag]; 716 req->data_async = true; 717 uas->data3[req->tag] = NULL; 718 } 719 720 req->req = scsi_req_new(req->dev, req->tag, 721 usb_uas_get_lun(req->lun), 722 iu->command.cdb, req); 723 if (uas->requestlog) { 724 scsi_req_print(req->req); 725 } 726 len = scsi_req_enqueue(req->req); 727 if (len) { 728 req->data_size = len; 729 scsi_req_continue(req->req); 730 } 731 return; 732 733 invalid_tag: 734 usb_uas_queue_fake_sense(uas, tag, sense_code_INVALID_TAG); 735 return; 736 737 overlapped_tag: 738 usb_uas_queue_fake_sense(uas, tag, sense_code_OVERLAPPED_COMMANDS); 739 return; 740 741 bad_target: 742 usb_uas_queue_fake_sense(uas, tag, sense_code_LUN_NOT_SUPPORTED); 743 g_free(req); 744 } 745 746 static void usb_uas_task(UASDevice *uas, uas_iu *iu) 747 { 748 uint16_t tag = be16_to_cpu(iu->hdr.tag); 749 uint64_t lun64 = be64_to_cpu(iu->task.lun); 750 SCSIDevice *dev = usb_uas_get_dev(uas, lun64); 751 int lun = usb_uas_get_lun(lun64); 752 UASRequest *req; 753 uint16_t task_tag; 754 755 if (uas_using_streams(uas) && tag > UAS_MAX_STREAMS) { 756 goto invalid_tag; 757 } 758 req = usb_uas_find_request(uas, be16_to_cpu(iu->hdr.tag)); 759 if (req) { 760 goto overlapped_tag; 761 } 762 if (dev == NULL) { 763 goto incorrect_lun; 764 } 765 766 switch (iu->task.function) { 767 case UAS_TMF_ABORT_TASK: 768 task_tag = be16_to_cpu(iu->task.task_tag); 769 trace_usb_uas_tmf_abort_task(uas->dev.addr, tag, task_tag); 770 req = usb_uas_find_request(uas, task_tag); 771 if (req && req->dev == dev) { 772 scsi_req_cancel(req->req); 773 } 774 usb_uas_queue_response(uas, tag, UAS_RC_TMF_COMPLETE); 775 break; 776 777 case UAS_TMF_LOGICAL_UNIT_RESET: 778 trace_usb_uas_tmf_logical_unit_reset(uas->dev.addr, tag, lun); 779 qdev_reset_all(&dev->qdev); 780 usb_uas_queue_response(uas, tag, UAS_RC_TMF_COMPLETE); 781 break; 782 783 default: 784 trace_usb_uas_tmf_unsupported(uas->dev.addr, tag, iu->task.function); 785 usb_uas_queue_response(uas, tag, UAS_RC_TMF_NOT_SUPPORTED); 786 break; 787 } 788 return; 789 790 invalid_tag: 791 usb_uas_queue_response(uas, tag, UAS_RC_INVALID_INFO_UNIT); 792 return; 793 794 overlapped_tag: 795 usb_uas_queue_response(uas, req->tag, UAS_RC_OVERLAPPED_TAG); 796 return; 797 798 incorrect_lun: 799 usb_uas_queue_response(uas, tag, UAS_RC_INCORRECT_LUN); 800 } 801 802 static void usb_uas_handle_data(USBDevice *dev, USBPacket *p) 803 { 804 UASDevice *uas = USB_UAS(dev); 805 uas_iu iu; 806 UASStatus *st; 807 UASRequest *req; 808 int length; 809 810 switch (p->ep->nr) { 811 case UAS_PIPE_ID_COMMAND: 812 length = MIN(sizeof(iu), p->iov.size); 813 usb_packet_copy(p, &iu, length); 814 switch (iu.hdr.id) { 815 case UAS_UI_COMMAND: 816 usb_uas_command(uas, &iu); 817 break; 818 case UAS_UI_TASK_MGMT: 819 usb_uas_task(uas, &iu); 820 break; 821 default: 822 error_report("%s: unknown command iu: id 0x%x", 823 __func__, iu.hdr.id); 824 p->status = USB_RET_STALL; 825 break; 826 } 827 break; 828 case UAS_PIPE_ID_STATUS: 829 if (p->stream) { 830 QTAILQ_FOREACH(st, &uas->results, next) { 831 if (st->stream == p->stream) { 832 break; 833 } 834 } 835 if (st == NULL) { 836 assert(uas->status3[p->stream] == NULL); 837 uas->status3[p->stream] = p; 838 p->status = USB_RET_ASYNC; 839 break; 840 } 841 } else { 842 st = QTAILQ_FIRST(&uas->results); 843 if (st == NULL) { 844 assert(uas->status2 == NULL); 845 uas->status2 = p; 846 p->status = USB_RET_ASYNC; 847 break; 848 } 849 } 850 usb_packet_copy(p, &st->status, st->length); 851 QTAILQ_REMOVE(&uas->results, st, next); 852 g_free(st); 853 break; 854 case UAS_PIPE_ID_DATA_IN: 855 case UAS_PIPE_ID_DATA_OUT: 856 if (p->stream) { 857 req = usb_uas_find_request(uas, p->stream); 858 } else { 859 req = (p->ep->nr == UAS_PIPE_ID_DATA_IN) 860 ? uas->datain2 : uas->dataout2; 861 } 862 if (req == NULL) { 863 if (p->stream) { 864 assert(uas->data3[p->stream] == NULL); 865 uas->data3[p->stream] = p; 866 p->status = USB_RET_ASYNC; 867 break; 868 } else { 869 error_report("%s: no inflight request", __func__); 870 p->status = USB_RET_STALL; 871 break; 872 } 873 } 874 scsi_req_ref(req->req); 875 req->data = p; 876 usb_uas_copy_data(req); 877 if (p->actual_length == p->iov.size || req->complete) { 878 req->data = NULL; 879 } else { 880 req->data_async = true; 881 p->status = USB_RET_ASYNC; 882 } 883 scsi_req_unref(req->req); 884 usb_uas_start_next_transfer(uas); 885 break; 886 default: 887 error_report("%s: invalid endpoint %d", __func__, p->ep->nr); 888 p->status = USB_RET_STALL; 889 break; 890 } 891 } 892 893 static void usb_uas_handle_destroy(USBDevice *dev) 894 { 895 UASDevice *uas = USB_UAS(dev); 896 897 qemu_bh_delete(uas->status_bh); 898 } 899 900 static void usb_uas_realize(USBDevice *dev, Error **errp) 901 { 902 UASDevice *uas = USB_UAS(dev); 903 904 usb_desc_create_serial(dev); 905 usb_desc_init(dev); 906 907 QTAILQ_INIT(&uas->results); 908 QTAILQ_INIT(&uas->requests); 909 uas->status_bh = qemu_bh_new(usb_uas_send_status_bh, uas); 910 911 scsi_bus_new(&uas->bus, sizeof(uas->bus), DEVICE(dev), 912 &usb_uas_scsi_info, NULL); 913 } 914 915 static const VMStateDescription vmstate_usb_uas = { 916 .name = "usb-uas", 917 .unmigratable = 1, 918 .fields = (VMStateField[]) { 919 VMSTATE_USB_DEVICE(dev, UASDevice), 920 VMSTATE_END_OF_LIST() 921 } 922 }; 923 924 static Property uas_properties[] = { 925 DEFINE_PROP_UINT32("log-scsi-req", UASDevice, requestlog, 0), 926 DEFINE_PROP_END_OF_LIST(), 927 }; 928 929 static void usb_uas_class_initfn(ObjectClass *klass, void *data) 930 { 931 DeviceClass *dc = DEVICE_CLASS(klass); 932 USBDeviceClass *uc = USB_DEVICE_CLASS(klass); 933 934 uc->realize = usb_uas_realize; 935 uc->product_desc = desc_strings[STR_PRODUCT]; 936 uc->usb_desc = &desc; 937 uc->cancel_packet = usb_uas_cancel_io; 938 uc->handle_attach = usb_desc_attach; 939 uc->handle_reset = usb_uas_handle_reset; 940 uc->handle_control = usb_uas_handle_control; 941 uc->handle_data = usb_uas_handle_data; 942 uc->handle_destroy = usb_uas_handle_destroy; 943 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories); 944 dc->fw_name = "storage"; 945 dc->vmsd = &vmstate_usb_uas; 946 dc->props = uas_properties; 947 } 948 949 static const TypeInfo uas_info = { 950 .name = TYPE_USB_UAS, 951 .parent = TYPE_USB_DEVICE, 952 .instance_size = sizeof(UASDevice), 953 .class_init = usb_uas_class_initfn, 954 }; 955 956 static void usb_uas_register_types(void) 957 { 958 type_register_static(&uas_info); 959 } 960 961 type_init(usb_uas_register_types) 962