xref: /openbmc/qemu/hw/usb/dev-uas.c (revision 650d103d3ea959212f826acb9d3fe80cf30e347b)
1 /*
2  * UAS (USB Attached SCSI) emulation
3  *
4  * Copyright Red Hat, Inc. 2012
5  *
6  * Author: Gerd Hoffmann <kraxel@redhat.com>
7  *
8  * This work is licensed under the terms of the GNU GPL, version 2 or later.
9  * See the COPYING file in the top-level directory.
10  */
11 
12 #include "qemu/osdep.h"
13 #include "qemu/option.h"
14 #include "qemu/config-file.h"
15 #include "trace.h"
16 #include "qemu/error-report.h"
17 #include "qemu/module.h"
18 
19 #include "hw/usb.h"
20 #include "migration/vmstate.h"
21 #include "desc.h"
22 #include "hw/scsi/scsi.h"
23 #include "scsi/constants.h"
24 
25 /* --------------------------------------------------------------------- */
26 
27 #define UAS_UI_COMMAND              0x01
28 #define UAS_UI_SENSE                0x03
29 #define UAS_UI_RESPONSE             0x04
30 #define UAS_UI_TASK_MGMT            0x05
31 #define UAS_UI_READ_READY           0x06
32 #define UAS_UI_WRITE_READY          0x07
33 
34 #define UAS_RC_TMF_COMPLETE         0x00
35 #define UAS_RC_INVALID_INFO_UNIT    0x02
36 #define UAS_RC_TMF_NOT_SUPPORTED    0x04
37 #define UAS_RC_TMF_FAILED           0x05
38 #define UAS_RC_TMF_SUCCEEDED        0x08
39 #define UAS_RC_INCORRECT_LUN        0x09
40 #define UAS_RC_OVERLAPPED_TAG       0x0a
41 
42 #define UAS_TMF_ABORT_TASK          0x01
43 #define UAS_TMF_ABORT_TASK_SET      0x02
44 #define UAS_TMF_CLEAR_TASK_SET      0x04
45 #define UAS_TMF_LOGICAL_UNIT_RESET  0x08
46 #define UAS_TMF_I_T_NEXUS_RESET     0x10
47 #define UAS_TMF_CLEAR_ACA           0x40
48 #define UAS_TMF_QUERY_TASK          0x80
49 #define UAS_TMF_QUERY_TASK_SET      0x81
50 #define UAS_TMF_QUERY_ASYNC_EVENT   0x82
51 
52 #define UAS_PIPE_ID_COMMAND         0x01
53 #define UAS_PIPE_ID_STATUS          0x02
54 #define UAS_PIPE_ID_DATA_IN         0x03
55 #define UAS_PIPE_ID_DATA_OUT        0x04
56 
57 typedef struct {
58     uint8_t    id;
59     uint8_t    reserved;
60     uint16_t   tag;
61 } QEMU_PACKED  uas_iu_header;
62 
63 typedef struct {
64     uint8_t    prio_taskattr;   /* 6:3 priority, 2:0 task attribute   */
65     uint8_t    reserved_1;
66     uint8_t    add_cdb_length;  /* 7:2 additional adb length (dwords) */
67     uint8_t    reserved_2;
68     uint64_t   lun;
69     uint8_t    cdb[16];
70     uint8_t    add_cdb[];
71 } QEMU_PACKED  uas_iu_command;
72 
73 typedef struct {
74     uint16_t   status_qualifier;
75     uint8_t    status;
76     uint8_t    reserved[7];
77     uint16_t   sense_length;
78     uint8_t    sense_data[18];
79 } QEMU_PACKED  uas_iu_sense;
80 
81 typedef struct {
82     uint8_t    add_response_info[3];
83     uint8_t    response_code;
84 } QEMU_PACKED  uas_iu_response;
85 
86 typedef struct {
87     uint8_t    function;
88     uint8_t    reserved;
89     uint16_t   task_tag;
90     uint64_t   lun;
91 } QEMU_PACKED  uas_iu_task_mgmt;
92 
93 typedef struct {
94     uas_iu_header  hdr;
95     union {
96         uas_iu_command   command;
97         uas_iu_sense     sense;
98         uas_iu_task_mgmt task;
99         uas_iu_response  response;
100     };
101 } QEMU_PACKED  uas_iu;
102 
103 /* --------------------------------------------------------------------- */
104 
105 #define UAS_STREAM_BM_ATTR  4
106 #define UAS_MAX_STREAMS     (1 << UAS_STREAM_BM_ATTR)
107 
108 typedef struct UASDevice UASDevice;
109 typedef struct UASRequest UASRequest;
110 typedef struct UASStatus UASStatus;
111 
112 struct UASDevice {
113     USBDevice                 dev;
114     SCSIBus                   bus;
115     QEMUBH                    *status_bh;
116     QTAILQ_HEAD(, UASStatus)  results;
117     QTAILQ_HEAD(, UASRequest) requests;
118 
119     /* properties */
120     uint32_t                  requestlog;
121 
122     /* usb 2.0 only */
123     USBPacket                 *status2;
124     UASRequest                *datain2;
125     UASRequest                *dataout2;
126 
127     /* usb 3.0 only */
128     USBPacket                 *data3[UAS_MAX_STREAMS + 1];
129     USBPacket                 *status3[UAS_MAX_STREAMS + 1];
130 };
131 
132 #define TYPE_USB_UAS "usb-uas"
133 #define USB_UAS(obj) OBJECT_CHECK(UASDevice, (obj), TYPE_USB_UAS)
134 
135 struct UASRequest {
136     uint16_t     tag;
137     uint64_t     lun;
138     UASDevice    *uas;
139     SCSIDevice   *dev;
140     SCSIRequest  *req;
141     USBPacket    *data;
142     bool         data_async;
143     bool         active;
144     bool         complete;
145     uint32_t     buf_off;
146     uint32_t     buf_size;
147     uint32_t     data_off;
148     uint32_t     data_size;
149     QTAILQ_ENTRY(UASRequest)  next;
150 };
151 
152 struct UASStatus {
153     uint32_t                  stream;
154     uas_iu                    status;
155     uint32_t                  length;
156     QTAILQ_ENTRY(UASStatus)   next;
157 };
158 
159 /* --------------------------------------------------------------------- */
160 
161 enum {
162     STR_MANUFACTURER = 1,
163     STR_PRODUCT,
164     STR_SERIALNUMBER,
165     STR_CONFIG_HIGH,
166     STR_CONFIG_SUPER,
167 };
168 
169 static const USBDescStrings desc_strings = {
170     [STR_MANUFACTURER] = "QEMU",
171     [STR_PRODUCT]      = "USB Attached SCSI HBA",
172     [STR_SERIALNUMBER] = "27842",
173     [STR_CONFIG_HIGH]  = "High speed config (usb 2.0)",
174     [STR_CONFIG_SUPER] = "Super speed config (usb 3.0)",
175 };
176 
177 static const USBDescIface desc_iface_high = {
178     .bInterfaceNumber              = 0,
179     .bNumEndpoints                 = 4,
180     .bInterfaceClass               = USB_CLASS_MASS_STORAGE,
181     .bInterfaceSubClass            = 0x06, /* SCSI */
182     .bInterfaceProtocol            = 0x62, /* UAS  */
183     .eps = (USBDescEndpoint[]) {
184         {
185             .bEndpointAddress      = USB_DIR_OUT | UAS_PIPE_ID_COMMAND,
186             .bmAttributes          = USB_ENDPOINT_XFER_BULK,
187             .wMaxPacketSize        = 512,
188             .extra = (uint8_t[]) {
189                 0x04,  /*  u8  bLength */
190                 0x24,  /*  u8  bDescriptorType */
191                 UAS_PIPE_ID_COMMAND,
192                 0x00,  /*  u8  bReserved */
193             },
194         },{
195             .bEndpointAddress      = USB_DIR_IN | UAS_PIPE_ID_STATUS,
196             .bmAttributes          = USB_ENDPOINT_XFER_BULK,
197             .wMaxPacketSize        = 512,
198             .extra = (uint8_t[]) {
199                 0x04,  /*  u8  bLength */
200                 0x24,  /*  u8  bDescriptorType */
201                 UAS_PIPE_ID_STATUS,
202                 0x00,  /*  u8  bReserved */
203             },
204         },{
205             .bEndpointAddress      = USB_DIR_IN | UAS_PIPE_ID_DATA_IN,
206             .bmAttributes          = USB_ENDPOINT_XFER_BULK,
207             .wMaxPacketSize        = 512,
208             .extra = (uint8_t[]) {
209                 0x04,  /*  u8  bLength */
210                 0x24,  /*  u8  bDescriptorType */
211                 UAS_PIPE_ID_DATA_IN,
212                 0x00,  /*  u8  bReserved */
213             },
214         },{
215             .bEndpointAddress      = USB_DIR_OUT | UAS_PIPE_ID_DATA_OUT,
216             .bmAttributes          = USB_ENDPOINT_XFER_BULK,
217             .wMaxPacketSize        = 512,
218             .extra = (uint8_t[]) {
219                 0x04,  /*  u8  bLength */
220                 0x24,  /*  u8  bDescriptorType */
221                 UAS_PIPE_ID_DATA_OUT,
222                 0x00,  /*  u8  bReserved */
223             },
224         },
225     }
226 };
227 
228 static const USBDescIface desc_iface_super = {
229     .bInterfaceNumber              = 0,
230     .bNumEndpoints                 = 4,
231     .bInterfaceClass               = USB_CLASS_MASS_STORAGE,
232     .bInterfaceSubClass            = 0x06, /* SCSI */
233     .bInterfaceProtocol            = 0x62, /* UAS  */
234     .eps = (USBDescEndpoint[]) {
235         {
236             .bEndpointAddress      = USB_DIR_OUT | UAS_PIPE_ID_COMMAND,
237             .bmAttributes          = USB_ENDPOINT_XFER_BULK,
238             .wMaxPacketSize        = 1024,
239             .bMaxBurst             = 15,
240             .extra = (uint8_t[]) {
241                 0x04,  /*  u8  bLength */
242                 0x24,  /*  u8  bDescriptorType */
243                 UAS_PIPE_ID_COMMAND,
244                 0x00,  /*  u8  bReserved */
245             },
246         },{
247             .bEndpointAddress      = USB_DIR_IN | UAS_PIPE_ID_STATUS,
248             .bmAttributes          = USB_ENDPOINT_XFER_BULK,
249             .wMaxPacketSize        = 1024,
250             .bMaxBurst             = 15,
251             .bmAttributes_super    = UAS_STREAM_BM_ATTR,
252             .extra = (uint8_t[]) {
253                 0x04,  /*  u8  bLength */
254                 0x24,  /*  u8  bDescriptorType */
255                 UAS_PIPE_ID_STATUS,
256                 0x00,  /*  u8  bReserved */
257             },
258         },{
259             .bEndpointAddress      = USB_DIR_IN | UAS_PIPE_ID_DATA_IN,
260             .bmAttributes          = USB_ENDPOINT_XFER_BULK,
261             .wMaxPacketSize        = 1024,
262             .bMaxBurst             = 15,
263             .bmAttributes_super    = UAS_STREAM_BM_ATTR,
264             .extra = (uint8_t[]) {
265                 0x04,  /*  u8  bLength */
266                 0x24,  /*  u8  bDescriptorType */
267                 UAS_PIPE_ID_DATA_IN,
268                 0x00,  /*  u8  bReserved */
269             },
270         },{
271             .bEndpointAddress      = USB_DIR_OUT | UAS_PIPE_ID_DATA_OUT,
272             .bmAttributes          = USB_ENDPOINT_XFER_BULK,
273             .wMaxPacketSize        = 1024,
274             .bMaxBurst             = 15,
275             .bmAttributes_super    = UAS_STREAM_BM_ATTR,
276             .extra = (uint8_t[]) {
277                 0x04,  /*  u8  bLength */
278                 0x24,  /*  u8  bDescriptorType */
279                 UAS_PIPE_ID_DATA_OUT,
280                 0x00,  /*  u8  bReserved */
281             },
282         },
283     }
284 };
285 
286 static const USBDescDevice desc_device_high = {
287     .bcdUSB                        = 0x0200,
288     .bMaxPacketSize0               = 64,
289     .bNumConfigurations            = 1,
290     .confs = (USBDescConfig[]) {
291         {
292             .bNumInterfaces        = 1,
293             .bConfigurationValue   = 1,
294             .iConfiguration        = STR_CONFIG_HIGH,
295             .bmAttributes          = USB_CFG_ATT_ONE | USB_CFG_ATT_SELFPOWER,
296             .nif = 1,
297             .ifs = &desc_iface_high,
298         },
299     },
300 };
301 
302 static const USBDescDevice desc_device_super = {
303     .bcdUSB                        = 0x0300,
304     .bMaxPacketSize0               = 64,
305     .bNumConfigurations            = 1,
306     .confs = (USBDescConfig[]) {
307         {
308             .bNumInterfaces        = 1,
309             .bConfigurationValue   = 1,
310             .iConfiguration        = STR_CONFIG_SUPER,
311             .bmAttributes          = USB_CFG_ATT_ONE | USB_CFG_ATT_SELFPOWER,
312             .nif = 1,
313             .ifs = &desc_iface_super,
314         },
315     },
316 };
317 
318 static const USBDesc desc = {
319     .id = {
320         .idVendor          = 0x46f4, /* CRC16() of "QEMU" */
321         .idProduct         = 0x0003,
322         .bcdDevice         = 0,
323         .iManufacturer     = STR_MANUFACTURER,
324         .iProduct          = STR_PRODUCT,
325         .iSerialNumber     = STR_SERIALNUMBER,
326     },
327     .high  = &desc_device_high,
328     .super = &desc_device_super,
329     .str   = desc_strings,
330 };
331 
332 /* --------------------------------------------------------------------- */
333 
334 static bool uas_using_streams(UASDevice *uas)
335 {
336     return uas->dev.speed == USB_SPEED_SUPER;
337 }
338 
339 /* --------------------------------------------------------------------- */
340 
341 static UASStatus *usb_uas_alloc_status(UASDevice *uas, uint8_t id, uint16_t tag)
342 {
343     UASStatus *st = g_new0(UASStatus, 1);
344 
345     st->status.hdr.id = id;
346     st->status.hdr.tag = cpu_to_be16(tag);
347     st->length = sizeof(uas_iu_header);
348     if (uas_using_streams(uas)) {
349         st->stream = tag;
350     }
351     return st;
352 }
353 
354 static void usb_uas_send_status_bh(void *opaque)
355 {
356     UASDevice *uas = opaque;
357     UASStatus *st;
358     USBPacket *p;
359 
360     while ((st = QTAILQ_FIRST(&uas->results)) != NULL) {
361         if (uas_using_streams(uas)) {
362             p = uas->status3[st->stream];
363             uas->status3[st->stream] = NULL;
364         } else {
365             p = uas->status2;
366             uas->status2 = NULL;
367         }
368         if (p == NULL) {
369             break;
370         }
371 
372         usb_packet_copy(p, &st->status, st->length);
373         QTAILQ_REMOVE(&uas->results, st, next);
374         g_free(st);
375 
376         p->status = USB_RET_SUCCESS; /* Clear previous ASYNC status */
377         usb_packet_complete(&uas->dev, p);
378     }
379 }
380 
381 static void usb_uas_queue_status(UASDevice *uas, UASStatus *st, int length)
382 {
383     USBPacket *p = uas_using_streams(uas) ?
384         uas->status3[st->stream] : uas->status2;
385 
386     st->length += length;
387     QTAILQ_INSERT_TAIL(&uas->results, st, next);
388     if (p) {
389         /*
390          * Just schedule bh make sure any in-flight data transaction
391          * is finished before completing (sending) the status packet.
392          */
393         qemu_bh_schedule(uas->status_bh);
394     } else {
395         USBEndpoint *ep = usb_ep_get(&uas->dev, USB_TOKEN_IN,
396                                      UAS_PIPE_ID_STATUS);
397         usb_wakeup(ep, st->stream);
398     }
399 }
400 
401 static void usb_uas_queue_response(UASDevice *uas, uint16_t tag, uint8_t code)
402 {
403     UASStatus *st = usb_uas_alloc_status(uas, UAS_UI_RESPONSE, tag);
404 
405     trace_usb_uas_response(uas->dev.addr, tag, code);
406     st->status.response.response_code = code;
407     usb_uas_queue_status(uas, st, sizeof(uas_iu_response));
408 }
409 
410 static void usb_uas_queue_sense(UASRequest *req, uint8_t status)
411 {
412     UASStatus *st = usb_uas_alloc_status(req->uas, UAS_UI_SENSE, req->tag);
413     int len, slen = 0;
414 
415     trace_usb_uas_sense(req->uas->dev.addr, req->tag, status);
416     st->status.sense.status = status;
417     st->status.sense.status_qualifier = cpu_to_be16(0);
418     if (status != GOOD) {
419         slen = scsi_req_get_sense(req->req, st->status.sense.sense_data,
420                                   sizeof(st->status.sense.sense_data));
421         st->status.sense.sense_length = cpu_to_be16(slen);
422     }
423     len = sizeof(uas_iu_sense) - sizeof(st->status.sense.sense_data) + slen;
424     usb_uas_queue_status(req->uas, st, len);
425 }
426 
427 static void usb_uas_queue_fake_sense(UASDevice *uas, uint16_t tag,
428                                      struct SCSISense sense)
429 {
430     UASStatus *st = usb_uas_alloc_status(uas, UAS_UI_SENSE, tag);
431     int len, slen = 0;
432 
433     st->status.sense.status = CHECK_CONDITION;
434     st->status.sense.status_qualifier = cpu_to_be16(0);
435     st->status.sense.sense_data[0] = 0x70;
436     st->status.sense.sense_data[2] = sense.key;
437     st->status.sense.sense_data[7] = 10;
438     st->status.sense.sense_data[12] = sense.asc;
439     st->status.sense.sense_data[13] = sense.ascq;
440     slen = 18;
441     len = sizeof(uas_iu_sense) - sizeof(st->status.sense.sense_data) + slen;
442     usb_uas_queue_status(uas, st, len);
443 }
444 
445 static void usb_uas_queue_read_ready(UASRequest *req)
446 {
447     UASStatus *st = usb_uas_alloc_status(req->uas, UAS_UI_READ_READY,
448                                          req->tag);
449 
450     trace_usb_uas_read_ready(req->uas->dev.addr, req->tag);
451     usb_uas_queue_status(req->uas, st, 0);
452 }
453 
454 static void usb_uas_queue_write_ready(UASRequest *req)
455 {
456     UASStatus *st = usb_uas_alloc_status(req->uas, UAS_UI_WRITE_READY,
457                                          req->tag);
458 
459     trace_usb_uas_write_ready(req->uas->dev.addr, req->tag);
460     usb_uas_queue_status(req->uas, st, 0);
461 }
462 
463 /* --------------------------------------------------------------------- */
464 
465 static int usb_uas_get_lun(uint64_t lun64)
466 {
467     return (lun64 >> 48) & 0xff;
468 }
469 
470 static SCSIDevice *usb_uas_get_dev(UASDevice *uas, uint64_t lun64)
471 {
472     if ((lun64 >> 56) != 0x00) {
473         return NULL;
474     }
475     return scsi_device_find(&uas->bus, 0, 0, usb_uas_get_lun(lun64));
476 }
477 
478 static void usb_uas_complete_data_packet(UASRequest *req)
479 {
480     USBPacket *p;
481 
482     if (!req->data_async) {
483         return;
484     }
485     p = req->data;
486     req->data = NULL;
487     req->data_async = false;
488     p->status = USB_RET_SUCCESS; /* Clear previous ASYNC status */
489     usb_packet_complete(&req->uas->dev, p);
490 }
491 
492 static void usb_uas_copy_data(UASRequest *req)
493 {
494     uint32_t length;
495 
496     length = MIN(req->buf_size - req->buf_off,
497                  req->data->iov.size - req->data->actual_length);
498     trace_usb_uas_xfer_data(req->uas->dev.addr, req->tag, length,
499                             req->data->actual_length, req->data->iov.size,
500                             req->buf_off, req->buf_size);
501     usb_packet_copy(req->data, scsi_req_get_buf(req->req) + req->buf_off,
502                     length);
503     req->buf_off += length;
504     req->data_off += length;
505 
506     if (req->data->actual_length == req->data->iov.size) {
507         usb_uas_complete_data_packet(req);
508     }
509     if (req->buf_size && req->buf_off == req->buf_size) {
510         req->buf_off = 0;
511         req->buf_size = 0;
512         scsi_req_continue(req->req);
513     }
514 }
515 
516 static void usb_uas_start_next_transfer(UASDevice *uas)
517 {
518     UASRequest *req;
519 
520     if (uas_using_streams(uas)) {
521         return;
522     }
523 
524     QTAILQ_FOREACH(req, &uas->requests, next) {
525         if (req->active || req->complete) {
526             continue;
527         }
528         if (req->req->cmd.mode == SCSI_XFER_FROM_DEV && uas->datain2 == NULL) {
529             uas->datain2 = req;
530             usb_uas_queue_read_ready(req);
531             req->active = true;
532             return;
533         }
534         if (req->req->cmd.mode == SCSI_XFER_TO_DEV && uas->dataout2 == NULL) {
535             uas->dataout2 = req;
536             usb_uas_queue_write_ready(req);
537             req->active = true;
538             return;
539         }
540     }
541 }
542 
543 static UASRequest *usb_uas_alloc_request(UASDevice *uas, uas_iu *iu)
544 {
545     UASRequest *req;
546 
547     req = g_new0(UASRequest, 1);
548     req->uas = uas;
549     req->tag = be16_to_cpu(iu->hdr.tag);
550     req->lun = be64_to_cpu(iu->command.lun);
551     req->dev = usb_uas_get_dev(req->uas, req->lun);
552     return req;
553 }
554 
555 static void usb_uas_scsi_free_request(SCSIBus *bus, void *priv)
556 {
557     UASRequest *req = priv;
558     UASDevice *uas = req->uas;
559 
560     if (req == uas->datain2) {
561         uas->datain2 = NULL;
562     }
563     if (req == uas->dataout2) {
564         uas->dataout2 = NULL;
565     }
566     QTAILQ_REMOVE(&uas->requests, req, next);
567     g_free(req);
568     usb_uas_start_next_transfer(uas);
569 }
570 
571 static UASRequest *usb_uas_find_request(UASDevice *uas, uint16_t tag)
572 {
573     UASRequest *req;
574 
575     QTAILQ_FOREACH(req, &uas->requests, next) {
576         if (req->tag == tag) {
577             return req;
578         }
579     }
580     return NULL;
581 }
582 
583 static void usb_uas_scsi_transfer_data(SCSIRequest *r, uint32_t len)
584 {
585     UASRequest *req = r->hba_private;
586 
587     trace_usb_uas_scsi_data(req->uas->dev.addr, req->tag, len);
588     req->buf_off = 0;
589     req->buf_size = len;
590     if (req->data) {
591         usb_uas_copy_data(req);
592     } else {
593         usb_uas_start_next_transfer(req->uas);
594     }
595 }
596 
597 static void usb_uas_scsi_command_complete(SCSIRequest *r,
598                                           uint32_t status, size_t resid)
599 {
600     UASRequest *req = r->hba_private;
601 
602     trace_usb_uas_scsi_complete(req->uas->dev.addr, req->tag, status, resid);
603     req->complete = true;
604     if (req->data) {
605         usb_uas_complete_data_packet(req);
606     }
607     usb_uas_queue_sense(req, status);
608     scsi_req_unref(req->req);
609 }
610 
611 static void usb_uas_scsi_request_cancelled(SCSIRequest *r)
612 {
613     UASRequest *req = r->hba_private;
614 
615     /* FIXME: queue notification to status pipe? */
616     scsi_req_unref(req->req);
617 }
618 
619 static const struct SCSIBusInfo usb_uas_scsi_info = {
620     .tcq = true,
621     .max_target = 0,
622     .max_lun = 255,
623 
624     .transfer_data = usb_uas_scsi_transfer_data,
625     .complete = usb_uas_scsi_command_complete,
626     .cancel = usb_uas_scsi_request_cancelled,
627     .free_request = usb_uas_scsi_free_request,
628 };
629 
630 /* --------------------------------------------------------------------- */
631 
632 static void usb_uas_handle_reset(USBDevice *dev)
633 {
634     UASDevice *uas = USB_UAS(dev);
635     UASRequest *req, *nreq;
636     UASStatus *st, *nst;
637 
638     trace_usb_uas_reset(dev->addr);
639     QTAILQ_FOREACH_SAFE(req, &uas->requests, next, nreq) {
640         scsi_req_cancel(req->req);
641     }
642     QTAILQ_FOREACH_SAFE(st, &uas->results, next, nst) {
643         QTAILQ_REMOVE(&uas->results, st, next);
644         g_free(st);
645     }
646 }
647 
648 static void usb_uas_handle_control(USBDevice *dev, USBPacket *p,
649                int request, int value, int index, int length, uint8_t *data)
650 {
651     int ret;
652 
653     ret = usb_desc_handle_control(dev, p, request, value, index, length, data);
654     if (ret >= 0) {
655         return;
656     }
657     error_report("%s: unhandled control request (req 0x%x, val 0x%x, idx 0x%x",
658                  __func__, request, value, index);
659     p->status = USB_RET_STALL;
660 }
661 
662 static void usb_uas_cancel_io(USBDevice *dev, USBPacket *p)
663 {
664     UASDevice *uas = USB_UAS(dev);
665     UASRequest *req, *nreq;
666     int i;
667 
668     if (uas->status2 == p) {
669         uas->status2 = NULL;
670         qemu_bh_cancel(uas->status_bh);
671         return;
672     }
673     if (uas_using_streams(uas)) {
674         for (i = 0; i <= UAS_MAX_STREAMS; i++) {
675             if (uas->status3[i] == p) {
676                 uas->status3[i] = NULL;
677                 return;
678             }
679             if (uas->data3[i] == p) {
680                 uas->data3[i] = NULL;
681                 return;
682             }
683         }
684     }
685     QTAILQ_FOREACH_SAFE(req, &uas->requests, next, nreq) {
686         if (req->data == p) {
687             req->data = NULL;
688             return;
689         }
690     }
691     assert(!"canceled usb packet not found");
692 }
693 
694 static void usb_uas_command(UASDevice *uas, uas_iu *iu)
695 {
696     UASRequest *req;
697     uint32_t len;
698     uint16_t tag = be16_to_cpu(iu->hdr.tag);
699 
700     if (uas_using_streams(uas) && tag > UAS_MAX_STREAMS) {
701         goto invalid_tag;
702     }
703     req = usb_uas_find_request(uas, tag);
704     if (req) {
705         goto overlapped_tag;
706     }
707     req = usb_uas_alloc_request(uas, iu);
708     if (req->dev == NULL) {
709         goto bad_target;
710     }
711 
712     trace_usb_uas_command(uas->dev.addr, req->tag,
713                           usb_uas_get_lun(req->lun),
714                           req->lun >> 32, req->lun & 0xffffffff);
715     QTAILQ_INSERT_TAIL(&uas->requests, req, next);
716     if (uas_using_streams(uas) && uas->data3[req->tag] != NULL) {
717         req->data = uas->data3[req->tag];
718         req->data_async = true;
719         uas->data3[req->tag] = NULL;
720     }
721 
722     req->req = scsi_req_new(req->dev, req->tag,
723                             usb_uas_get_lun(req->lun),
724                             iu->command.cdb, req);
725     if (uas->requestlog) {
726         scsi_req_print(req->req);
727     }
728     len = scsi_req_enqueue(req->req);
729     if (len) {
730         req->data_size = len;
731         scsi_req_continue(req->req);
732     }
733     return;
734 
735 invalid_tag:
736     usb_uas_queue_fake_sense(uas, tag, sense_code_INVALID_TAG);
737     return;
738 
739 overlapped_tag:
740     usb_uas_queue_fake_sense(uas, tag, sense_code_OVERLAPPED_COMMANDS);
741     return;
742 
743 bad_target:
744     usb_uas_queue_fake_sense(uas, tag, sense_code_LUN_NOT_SUPPORTED);
745     g_free(req);
746 }
747 
748 static void usb_uas_task(UASDevice *uas, uas_iu *iu)
749 {
750     uint16_t tag = be16_to_cpu(iu->hdr.tag);
751     uint64_t lun64 = be64_to_cpu(iu->task.lun);
752     SCSIDevice *dev = usb_uas_get_dev(uas, lun64);
753     int lun = usb_uas_get_lun(lun64);
754     UASRequest *req;
755     uint16_t task_tag;
756 
757     if (uas_using_streams(uas) && tag > UAS_MAX_STREAMS) {
758         goto invalid_tag;
759     }
760     req = usb_uas_find_request(uas, be16_to_cpu(iu->hdr.tag));
761     if (req) {
762         goto overlapped_tag;
763     }
764     if (dev == NULL) {
765         goto incorrect_lun;
766     }
767 
768     switch (iu->task.function) {
769     case UAS_TMF_ABORT_TASK:
770         task_tag = be16_to_cpu(iu->task.task_tag);
771         trace_usb_uas_tmf_abort_task(uas->dev.addr, tag, task_tag);
772         req = usb_uas_find_request(uas, task_tag);
773         if (req && req->dev == dev) {
774             scsi_req_cancel(req->req);
775         }
776         usb_uas_queue_response(uas, tag, UAS_RC_TMF_COMPLETE);
777         break;
778 
779     case UAS_TMF_LOGICAL_UNIT_RESET:
780         trace_usb_uas_tmf_logical_unit_reset(uas->dev.addr, tag, lun);
781         qdev_reset_all(&dev->qdev);
782         usb_uas_queue_response(uas, tag, UAS_RC_TMF_COMPLETE);
783         break;
784 
785     default:
786         trace_usb_uas_tmf_unsupported(uas->dev.addr, tag, iu->task.function);
787         usb_uas_queue_response(uas, tag, UAS_RC_TMF_NOT_SUPPORTED);
788         break;
789     }
790     return;
791 
792 invalid_tag:
793     usb_uas_queue_response(uas, tag, UAS_RC_INVALID_INFO_UNIT);
794     return;
795 
796 overlapped_tag:
797     usb_uas_queue_response(uas, req->tag, UAS_RC_OVERLAPPED_TAG);
798     return;
799 
800 incorrect_lun:
801     usb_uas_queue_response(uas, tag, UAS_RC_INCORRECT_LUN);
802 }
803 
804 static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
805 {
806     UASDevice *uas = USB_UAS(dev);
807     uas_iu iu;
808     UASStatus *st;
809     UASRequest *req;
810     int length;
811 
812     switch (p->ep->nr) {
813     case UAS_PIPE_ID_COMMAND:
814         length = MIN(sizeof(iu), p->iov.size);
815         usb_packet_copy(p, &iu, length);
816         switch (iu.hdr.id) {
817         case UAS_UI_COMMAND:
818             usb_uas_command(uas, &iu);
819             break;
820         case UAS_UI_TASK_MGMT:
821             usb_uas_task(uas, &iu);
822             break;
823         default:
824             error_report("%s: unknown command iu: id 0x%x",
825                          __func__, iu.hdr.id);
826             p->status = USB_RET_STALL;
827             break;
828         }
829         break;
830     case UAS_PIPE_ID_STATUS:
831         if (p->stream) {
832             QTAILQ_FOREACH(st, &uas->results, next) {
833                 if (st->stream == p->stream) {
834                     break;
835                 }
836             }
837             if (st == NULL) {
838                 assert(uas->status3[p->stream] == NULL);
839                 uas->status3[p->stream] = p;
840                 p->status = USB_RET_ASYNC;
841                 break;
842             }
843         } else {
844             st = QTAILQ_FIRST(&uas->results);
845             if (st == NULL) {
846                 assert(uas->status2 == NULL);
847                 uas->status2 = p;
848                 p->status = USB_RET_ASYNC;
849                 break;
850             }
851         }
852         usb_packet_copy(p, &st->status, st->length);
853         QTAILQ_REMOVE(&uas->results, st, next);
854         g_free(st);
855         break;
856     case UAS_PIPE_ID_DATA_IN:
857     case UAS_PIPE_ID_DATA_OUT:
858         if (p->stream) {
859             req = usb_uas_find_request(uas, p->stream);
860         } else {
861             req = (p->ep->nr == UAS_PIPE_ID_DATA_IN)
862                 ? uas->datain2 : uas->dataout2;
863         }
864         if (req == NULL) {
865             if (p->stream) {
866                 assert(uas->data3[p->stream] == NULL);
867                 uas->data3[p->stream] = p;
868                 p->status = USB_RET_ASYNC;
869                 break;
870             } else {
871                 error_report("%s: no inflight request", __func__);
872                 p->status = USB_RET_STALL;
873                 break;
874             }
875         }
876         scsi_req_ref(req->req);
877         req->data = p;
878         usb_uas_copy_data(req);
879         if (p->actual_length == p->iov.size || req->complete) {
880             req->data = NULL;
881         } else {
882             req->data_async = true;
883             p->status = USB_RET_ASYNC;
884         }
885         scsi_req_unref(req->req);
886         usb_uas_start_next_transfer(uas);
887         break;
888     default:
889         error_report("%s: invalid endpoint %d", __func__, p->ep->nr);
890         p->status = USB_RET_STALL;
891         break;
892     }
893 }
894 
895 static void usb_uas_unrealize(USBDevice *dev, Error **errp)
896 {
897     UASDevice *uas = USB_UAS(dev);
898 
899     qemu_bh_delete(uas->status_bh);
900 }
901 
902 static void usb_uas_realize(USBDevice *dev, Error **errp)
903 {
904     UASDevice *uas = USB_UAS(dev);
905     DeviceState *d = DEVICE(dev);
906 
907     usb_desc_create_serial(dev);
908     usb_desc_init(dev);
909     if (d->hotplugged) {
910         uas->dev.auto_attach = 0;
911     }
912 
913     QTAILQ_INIT(&uas->results);
914     QTAILQ_INIT(&uas->requests);
915     uas->status_bh = qemu_bh_new(usb_uas_send_status_bh, uas);
916 
917     scsi_bus_new(&uas->bus, sizeof(uas->bus), DEVICE(dev),
918                  &usb_uas_scsi_info, NULL);
919 }
920 
921 static const VMStateDescription vmstate_usb_uas = {
922     .name = "usb-uas",
923     .unmigratable = 1,
924     .fields = (VMStateField[]) {
925         VMSTATE_USB_DEVICE(dev, UASDevice),
926         VMSTATE_END_OF_LIST()
927     }
928 };
929 
930 static Property uas_properties[] = {
931     DEFINE_PROP_UINT32("log-scsi-req", UASDevice, requestlog, 0),
932     DEFINE_PROP_END_OF_LIST(),
933 };
934 
935 static void usb_uas_class_initfn(ObjectClass *klass, void *data)
936 {
937     DeviceClass *dc = DEVICE_CLASS(klass);
938     USBDeviceClass *uc = USB_DEVICE_CLASS(klass);
939 
940     uc->realize        = usb_uas_realize;
941     uc->product_desc   = desc_strings[STR_PRODUCT];
942     uc->usb_desc       = &desc;
943     uc->cancel_packet  = usb_uas_cancel_io;
944     uc->handle_attach  = usb_desc_attach;
945     uc->handle_reset   = usb_uas_handle_reset;
946     uc->handle_control = usb_uas_handle_control;
947     uc->handle_data    = usb_uas_handle_data;
948     uc->unrealize      = usb_uas_unrealize;
949     uc->attached_settable = true;
950     set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
951     dc->fw_name = "storage";
952     dc->vmsd = &vmstate_usb_uas;
953     dc->props = uas_properties;
954 }
955 
956 static const TypeInfo uas_info = {
957     .name          = TYPE_USB_UAS,
958     .parent        = TYPE_USB_DEVICE,
959     .instance_size = sizeof(UASDevice),
960     .class_init    = usb_uas_class_initfn,
961 };
962 
963 static void usb_uas_register_types(void)
964 {
965     type_register_static(&uas_info);
966 }
967 
968 type_init(usb_uas_register_types)
969