1 /* 2 * UAS (USB Attached SCSI) emulation 3 * 4 * Copyright Red Hat, Inc. 2012 5 * 6 * Author: Gerd Hoffmann <kraxel@redhat.com> 7 * 8 * This work is licensed under the terms of the GNU GPL, version 2 or later. 9 * See the COPYING file in the top-level directory. 10 */ 11 12 #include "qemu/osdep.h" 13 #include "qemu/option.h" 14 #include "qemu/config-file.h" 15 #include "trace.h" 16 #include "qemu/error-report.h" 17 #include "qemu/main-loop.h" 18 #include "qemu/module.h" 19 20 #include "hw/usb.h" 21 #include "migration/vmstate.h" 22 #include "desc.h" 23 #include "hw/scsi/scsi.h" 24 #include "scsi/constants.h" 25 26 /* --------------------------------------------------------------------- */ 27 28 #define UAS_UI_COMMAND 0x01 29 #define UAS_UI_SENSE 0x03 30 #define UAS_UI_RESPONSE 0x04 31 #define UAS_UI_TASK_MGMT 0x05 32 #define UAS_UI_READ_READY 0x06 33 #define UAS_UI_WRITE_READY 0x07 34 35 #define UAS_RC_TMF_COMPLETE 0x00 36 #define UAS_RC_INVALID_INFO_UNIT 0x02 37 #define UAS_RC_TMF_NOT_SUPPORTED 0x04 38 #define UAS_RC_TMF_FAILED 0x05 39 #define UAS_RC_TMF_SUCCEEDED 0x08 40 #define UAS_RC_INCORRECT_LUN 0x09 41 #define UAS_RC_OVERLAPPED_TAG 0x0a 42 43 #define UAS_TMF_ABORT_TASK 0x01 44 #define UAS_TMF_ABORT_TASK_SET 0x02 45 #define UAS_TMF_CLEAR_TASK_SET 0x04 46 #define UAS_TMF_LOGICAL_UNIT_RESET 0x08 47 #define UAS_TMF_I_T_NEXUS_RESET 0x10 48 #define UAS_TMF_CLEAR_ACA 0x40 49 #define UAS_TMF_QUERY_TASK 0x80 50 #define UAS_TMF_QUERY_TASK_SET 0x81 51 #define UAS_TMF_QUERY_ASYNC_EVENT 0x82 52 53 #define UAS_PIPE_ID_COMMAND 0x01 54 #define UAS_PIPE_ID_STATUS 0x02 55 #define UAS_PIPE_ID_DATA_IN 0x03 56 #define UAS_PIPE_ID_DATA_OUT 0x04 57 58 typedef struct { 59 uint8_t id; 60 uint8_t reserved; 61 uint16_t tag; 62 } QEMU_PACKED uas_iu_header; 63 64 typedef struct { 65 uint8_t prio_taskattr; /* 6:3 priority, 2:0 task attribute */ 66 uint8_t reserved_1; 67 uint8_t add_cdb_length; /* 7:2 additional adb length (dwords) */ 68 uint8_t reserved_2; 69 uint64_t lun; 70 uint8_t cdb[16]; 71 uint8_t add_cdb[]; 72 } QEMU_PACKED uas_iu_command; 73 74 typedef struct { 75 uint16_t status_qualifier; 76 uint8_t status; 77 uint8_t reserved[7]; 78 uint16_t sense_length; 79 uint8_t sense_data[18]; 80 } QEMU_PACKED uas_iu_sense; 81 82 typedef struct { 83 uint8_t add_response_info[3]; 84 uint8_t response_code; 85 } QEMU_PACKED uas_iu_response; 86 87 typedef struct { 88 uint8_t function; 89 uint8_t reserved; 90 uint16_t task_tag; 91 uint64_t lun; 92 } QEMU_PACKED uas_iu_task_mgmt; 93 94 typedef struct { 95 uas_iu_header hdr; 96 union { 97 uas_iu_command command; 98 uas_iu_sense sense; 99 uas_iu_task_mgmt task; 100 uas_iu_response response; 101 }; 102 } QEMU_PACKED uas_iu; 103 104 /* --------------------------------------------------------------------- */ 105 106 #define UAS_STREAM_BM_ATTR 4 107 #define UAS_MAX_STREAMS (1 << UAS_STREAM_BM_ATTR) 108 109 typedef struct UASDevice UASDevice; 110 typedef struct UASRequest UASRequest; 111 typedef struct UASStatus UASStatus; 112 113 struct UASDevice { 114 USBDevice dev; 115 SCSIBus bus; 116 QEMUBH *status_bh; 117 QTAILQ_HEAD(, UASStatus) results; 118 QTAILQ_HEAD(, UASRequest) requests; 119 120 /* properties */ 121 uint32_t requestlog; 122 123 /* usb 2.0 only */ 124 USBPacket *status2; 125 UASRequest *datain2; 126 UASRequest *dataout2; 127 128 /* usb 3.0 only */ 129 USBPacket *data3[UAS_MAX_STREAMS + 1]; 130 USBPacket *status3[UAS_MAX_STREAMS + 1]; 131 }; 132 133 #define TYPE_USB_UAS "usb-uas" 134 #define USB_UAS(obj) OBJECT_CHECK(UASDevice, (obj), TYPE_USB_UAS) 135 136 struct UASRequest { 137 uint16_t tag; 138 uint64_t lun; 139 UASDevice *uas; 140 SCSIDevice *dev; 141 SCSIRequest *req; 142 USBPacket *data; 143 bool data_async; 144 bool active; 145 bool complete; 146 uint32_t buf_off; 147 uint32_t buf_size; 148 uint32_t data_off; 149 uint32_t data_size; 150 QTAILQ_ENTRY(UASRequest) next; 151 }; 152 153 struct UASStatus { 154 uint32_t stream; 155 uas_iu status; 156 uint32_t length; 157 QTAILQ_ENTRY(UASStatus) next; 158 }; 159 160 /* --------------------------------------------------------------------- */ 161 162 enum { 163 STR_MANUFACTURER = 1, 164 STR_PRODUCT, 165 STR_SERIALNUMBER, 166 STR_CONFIG_HIGH, 167 STR_CONFIG_SUPER, 168 }; 169 170 static const USBDescStrings desc_strings = { 171 [STR_MANUFACTURER] = "QEMU", 172 [STR_PRODUCT] = "USB Attached SCSI HBA", 173 [STR_SERIALNUMBER] = "27842", 174 [STR_CONFIG_HIGH] = "High speed config (usb 2.0)", 175 [STR_CONFIG_SUPER] = "Super speed config (usb 3.0)", 176 }; 177 178 static const USBDescIface desc_iface_high = { 179 .bInterfaceNumber = 0, 180 .bNumEndpoints = 4, 181 .bInterfaceClass = USB_CLASS_MASS_STORAGE, 182 .bInterfaceSubClass = 0x06, /* SCSI */ 183 .bInterfaceProtocol = 0x62, /* UAS */ 184 .eps = (USBDescEndpoint[]) { 185 { 186 .bEndpointAddress = USB_DIR_OUT | UAS_PIPE_ID_COMMAND, 187 .bmAttributes = USB_ENDPOINT_XFER_BULK, 188 .wMaxPacketSize = 512, 189 .extra = (uint8_t[]) { 190 0x04, /* u8 bLength */ 191 0x24, /* u8 bDescriptorType */ 192 UAS_PIPE_ID_COMMAND, 193 0x00, /* u8 bReserved */ 194 }, 195 },{ 196 .bEndpointAddress = USB_DIR_IN | UAS_PIPE_ID_STATUS, 197 .bmAttributes = USB_ENDPOINT_XFER_BULK, 198 .wMaxPacketSize = 512, 199 .extra = (uint8_t[]) { 200 0x04, /* u8 bLength */ 201 0x24, /* u8 bDescriptorType */ 202 UAS_PIPE_ID_STATUS, 203 0x00, /* u8 bReserved */ 204 }, 205 },{ 206 .bEndpointAddress = USB_DIR_IN | UAS_PIPE_ID_DATA_IN, 207 .bmAttributes = USB_ENDPOINT_XFER_BULK, 208 .wMaxPacketSize = 512, 209 .extra = (uint8_t[]) { 210 0x04, /* u8 bLength */ 211 0x24, /* u8 bDescriptorType */ 212 UAS_PIPE_ID_DATA_IN, 213 0x00, /* u8 bReserved */ 214 }, 215 },{ 216 .bEndpointAddress = USB_DIR_OUT | UAS_PIPE_ID_DATA_OUT, 217 .bmAttributes = USB_ENDPOINT_XFER_BULK, 218 .wMaxPacketSize = 512, 219 .extra = (uint8_t[]) { 220 0x04, /* u8 bLength */ 221 0x24, /* u8 bDescriptorType */ 222 UAS_PIPE_ID_DATA_OUT, 223 0x00, /* u8 bReserved */ 224 }, 225 }, 226 } 227 }; 228 229 static const USBDescIface desc_iface_super = { 230 .bInterfaceNumber = 0, 231 .bNumEndpoints = 4, 232 .bInterfaceClass = USB_CLASS_MASS_STORAGE, 233 .bInterfaceSubClass = 0x06, /* SCSI */ 234 .bInterfaceProtocol = 0x62, /* UAS */ 235 .eps = (USBDescEndpoint[]) { 236 { 237 .bEndpointAddress = USB_DIR_OUT | UAS_PIPE_ID_COMMAND, 238 .bmAttributes = USB_ENDPOINT_XFER_BULK, 239 .wMaxPacketSize = 1024, 240 .bMaxBurst = 15, 241 .extra = (uint8_t[]) { 242 0x04, /* u8 bLength */ 243 0x24, /* u8 bDescriptorType */ 244 UAS_PIPE_ID_COMMAND, 245 0x00, /* u8 bReserved */ 246 }, 247 },{ 248 .bEndpointAddress = USB_DIR_IN | UAS_PIPE_ID_STATUS, 249 .bmAttributes = USB_ENDPOINT_XFER_BULK, 250 .wMaxPacketSize = 1024, 251 .bMaxBurst = 15, 252 .bmAttributes_super = UAS_STREAM_BM_ATTR, 253 .extra = (uint8_t[]) { 254 0x04, /* u8 bLength */ 255 0x24, /* u8 bDescriptorType */ 256 UAS_PIPE_ID_STATUS, 257 0x00, /* u8 bReserved */ 258 }, 259 },{ 260 .bEndpointAddress = USB_DIR_IN | UAS_PIPE_ID_DATA_IN, 261 .bmAttributes = USB_ENDPOINT_XFER_BULK, 262 .wMaxPacketSize = 1024, 263 .bMaxBurst = 15, 264 .bmAttributes_super = UAS_STREAM_BM_ATTR, 265 .extra = (uint8_t[]) { 266 0x04, /* u8 bLength */ 267 0x24, /* u8 bDescriptorType */ 268 UAS_PIPE_ID_DATA_IN, 269 0x00, /* u8 bReserved */ 270 }, 271 },{ 272 .bEndpointAddress = USB_DIR_OUT | UAS_PIPE_ID_DATA_OUT, 273 .bmAttributes = USB_ENDPOINT_XFER_BULK, 274 .wMaxPacketSize = 1024, 275 .bMaxBurst = 15, 276 .bmAttributes_super = UAS_STREAM_BM_ATTR, 277 .extra = (uint8_t[]) { 278 0x04, /* u8 bLength */ 279 0x24, /* u8 bDescriptorType */ 280 UAS_PIPE_ID_DATA_OUT, 281 0x00, /* u8 bReserved */ 282 }, 283 }, 284 } 285 }; 286 287 static const USBDescDevice desc_device_high = { 288 .bcdUSB = 0x0200, 289 .bMaxPacketSize0 = 64, 290 .bNumConfigurations = 1, 291 .confs = (USBDescConfig[]) { 292 { 293 .bNumInterfaces = 1, 294 .bConfigurationValue = 1, 295 .iConfiguration = STR_CONFIG_HIGH, 296 .bmAttributes = USB_CFG_ATT_ONE | USB_CFG_ATT_SELFPOWER, 297 .nif = 1, 298 .ifs = &desc_iface_high, 299 }, 300 }, 301 }; 302 303 static const USBDescDevice desc_device_super = { 304 .bcdUSB = 0x0300, 305 .bMaxPacketSize0 = 64, 306 .bNumConfigurations = 1, 307 .confs = (USBDescConfig[]) { 308 { 309 .bNumInterfaces = 1, 310 .bConfigurationValue = 1, 311 .iConfiguration = STR_CONFIG_SUPER, 312 .bmAttributes = USB_CFG_ATT_ONE | USB_CFG_ATT_SELFPOWER, 313 .nif = 1, 314 .ifs = &desc_iface_super, 315 }, 316 }, 317 }; 318 319 static const USBDesc desc = { 320 .id = { 321 .idVendor = 0x46f4, /* CRC16() of "QEMU" */ 322 .idProduct = 0x0003, 323 .bcdDevice = 0, 324 .iManufacturer = STR_MANUFACTURER, 325 .iProduct = STR_PRODUCT, 326 .iSerialNumber = STR_SERIALNUMBER, 327 }, 328 .high = &desc_device_high, 329 .super = &desc_device_super, 330 .str = desc_strings, 331 }; 332 333 /* --------------------------------------------------------------------- */ 334 335 static bool uas_using_streams(UASDevice *uas) 336 { 337 return uas->dev.speed == USB_SPEED_SUPER; 338 } 339 340 /* --------------------------------------------------------------------- */ 341 342 static UASStatus *usb_uas_alloc_status(UASDevice *uas, uint8_t id, uint16_t tag) 343 { 344 UASStatus *st = g_new0(UASStatus, 1); 345 346 st->status.hdr.id = id; 347 st->status.hdr.tag = cpu_to_be16(tag); 348 st->length = sizeof(uas_iu_header); 349 if (uas_using_streams(uas)) { 350 st->stream = tag; 351 } 352 return st; 353 } 354 355 static void usb_uas_send_status_bh(void *opaque) 356 { 357 UASDevice *uas = opaque; 358 UASStatus *st; 359 USBPacket *p; 360 361 while ((st = QTAILQ_FIRST(&uas->results)) != NULL) { 362 if (uas_using_streams(uas)) { 363 p = uas->status3[st->stream]; 364 uas->status3[st->stream] = NULL; 365 } else { 366 p = uas->status2; 367 uas->status2 = NULL; 368 } 369 if (p == NULL) { 370 break; 371 } 372 373 usb_packet_copy(p, &st->status, st->length); 374 QTAILQ_REMOVE(&uas->results, st, next); 375 g_free(st); 376 377 p->status = USB_RET_SUCCESS; /* Clear previous ASYNC status */ 378 usb_packet_complete(&uas->dev, p); 379 } 380 } 381 382 static void usb_uas_queue_status(UASDevice *uas, UASStatus *st, int length) 383 { 384 USBPacket *p = uas_using_streams(uas) ? 385 uas->status3[st->stream] : uas->status2; 386 387 st->length += length; 388 QTAILQ_INSERT_TAIL(&uas->results, st, next); 389 if (p) { 390 /* 391 * Just schedule bh make sure any in-flight data transaction 392 * is finished before completing (sending) the status packet. 393 */ 394 qemu_bh_schedule(uas->status_bh); 395 } else { 396 USBEndpoint *ep = usb_ep_get(&uas->dev, USB_TOKEN_IN, 397 UAS_PIPE_ID_STATUS); 398 usb_wakeup(ep, st->stream); 399 } 400 } 401 402 static void usb_uas_queue_response(UASDevice *uas, uint16_t tag, uint8_t code) 403 { 404 UASStatus *st = usb_uas_alloc_status(uas, UAS_UI_RESPONSE, tag); 405 406 trace_usb_uas_response(uas->dev.addr, tag, code); 407 st->status.response.response_code = code; 408 usb_uas_queue_status(uas, st, sizeof(uas_iu_response)); 409 } 410 411 static void usb_uas_queue_sense(UASRequest *req, uint8_t status) 412 { 413 UASStatus *st = usb_uas_alloc_status(req->uas, UAS_UI_SENSE, req->tag); 414 int len, slen = 0; 415 416 trace_usb_uas_sense(req->uas->dev.addr, req->tag, status); 417 st->status.sense.status = status; 418 st->status.sense.status_qualifier = cpu_to_be16(0); 419 if (status != GOOD) { 420 slen = scsi_req_get_sense(req->req, st->status.sense.sense_data, 421 sizeof(st->status.sense.sense_data)); 422 st->status.sense.sense_length = cpu_to_be16(slen); 423 } 424 len = sizeof(uas_iu_sense) - sizeof(st->status.sense.sense_data) + slen; 425 usb_uas_queue_status(req->uas, st, len); 426 } 427 428 static void usb_uas_queue_fake_sense(UASDevice *uas, uint16_t tag, 429 struct SCSISense sense) 430 { 431 UASStatus *st = usb_uas_alloc_status(uas, UAS_UI_SENSE, tag); 432 int len, slen = 0; 433 434 st->status.sense.status = CHECK_CONDITION; 435 st->status.sense.status_qualifier = cpu_to_be16(0); 436 st->status.sense.sense_data[0] = 0x70; 437 st->status.sense.sense_data[2] = sense.key; 438 st->status.sense.sense_data[7] = 10; 439 st->status.sense.sense_data[12] = sense.asc; 440 st->status.sense.sense_data[13] = sense.ascq; 441 slen = 18; 442 len = sizeof(uas_iu_sense) - sizeof(st->status.sense.sense_data) + slen; 443 usb_uas_queue_status(uas, st, len); 444 } 445 446 static void usb_uas_queue_read_ready(UASRequest *req) 447 { 448 UASStatus *st = usb_uas_alloc_status(req->uas, UAS_UI_READ_READY, 449 req->tag); 450 451 trace_usb_uas_read_ready(req->uas->dev.addr, req->tag); 452 usb_uas_queue_status(req->uas, st, 0); 453 } 454 455 static void usb_uas_queue_write_ready(UASRequest *req) 456 { 457 UASStatus *st = usb_uas_alloc_status(req->uas, UAS_UI_WRITE_READY, 458 req->tag); 459 460 trace_usb_uas_write_ready(req->uas->dev.addr, req->tag); 461 usb_uas_queue_status(req->uas, st, 0); 462 } 463 464 /* --------------------------------------------------------------------- */ 465 466 static int usb_uas_get_lun(uint64_t lun64) 467 { 468 return (lun64 >> 48) & 0xff; 469 } 470 471 static SCSIDevice *usb_uas_get_dev(UASDevice *uas, uint64_t lun64) 472 { 473 if ((lun64 >> 56) != 0x00) { 474 return NULL; 475 } 476 return scsi_device_find(&uas->bus, 0, 0, usb_uas_get_lun(lun64)); 477 } 478 479 static void usb_uas_complete_data_packet(UASRequest *req) 480 { 481 USBPacket *p; 482 483 if (!req->data_async) { 484 return; 485 } 486 p = req->data; 487 req->data = NULL; 488 req->data_async = false; 489 p->status = USB_RET_SUCCESS; /* Clear previous ASYNC status */ 490 usb_packet_complete(&req->uas->dev, p); 491 } 492 493 static void usb_uas_copy_data(UASRequest *req) 494 { 495 uint32_t length; 496 497 length = MIN(req->buf_size - req->buf_off, 498 req->data->iov.size - req->data->actual_length); 499 trace_usb_uas_xfer_data(req->uas->dev.addr, req->tag, length, 500 req->data->actual_length, req->data->iov.size, 501 req->buf_off, req->buf_size); 502 usb_packet_copy(req->data, scsi_req_get_buf(req->req) + req->buf_off, 503 length); 504 req->buf_off += length; 505 req->data_off += length; 506 507 if (req->data->actual_length == req->data->iov.size) { 508 usb_uas_complete_data_packet(req); 509 } 510 if (req->buf_size && req->buf_off == req->buf_size) { 511 req->buf_off = 0; 512 req->buf_size = 0; 513 scsi_req_continue(req->req); 514 } 515 } 516 517 static void usb_uas_start_next_transfer(UASDevice *uas) 518 { 519 UASRequest *req; 520 521 if (uas_using_streams(uas)) { 522 return; 523 } 524 525 QTAILQ_FOREACH(req, &uas->requests, next) { 526 if (req->active || req->complete) { 527 continue; 528 } 529 if (req->req->cmd.mode == SCSI_XFER_FROM_DEV && uas->datain2 == NULL) { 530 uas->datain2 = req; 531 usb_uas_queue_read_ready(req); 532 req->active = true; 533 return; 534 } 535 if (req->req->cmd.mode == SCSI_XFER_TO_DEV && uas->dataout2 == NULL) { 536 uas->dataout2 = req; 537 usb_uas_queue_write_ready(req); 538 req->active = true; 539 return; 540 } 541 } 542 } 543 544 static UASRequest *usb_uas_alloc_request(UASDevice *uas, uas_iu *iu) 545 { 546 UASRequest *req; 547 548 req = g_new0(UASRequest, 1); 549 req->uas = uas; 550 req->tag = be16_to_cpu(iu->hdr.tag); 551 req->lun = be64_to_cpu(iu->command.lun); 552 req->dev = usb_uas_get_dev(req->uas, req->lun); 553 return req; 554 } 555 556 static void usb_uas_scsi_free_request(SCSIBus *bus, void *priv) 557 { 558 UASRequest *req = priv; 559 UASDevice *uas = req->uas; 560 561 if (req == uas->datain2) { 562 uas->datain2 = NULL; 563 } 564 if (req == uas->dataout2) { 565 uas->dataout2 = NULL; 566 } 567 QTAILQ_REMOVE(&uas->requests, req, next); 568 g_free(req); 569 usb_uas_start_next_transfer(uas); 570 } 571 572 static UASRequest *usb_uas_find_request(UASDevice *uas, uint16_t tag) 573 { 574 UASRequest *req; 575 576 QTAILQ_FOREACH(req, &uas->requests, next) { 577 if (req->tag == tag) { 578 return req; 579 } 580 } 581 return NULL; 582 } 583 584 static void usb_uas_scsi_transfer_data(SCSIRequest *r, uint32_t len) 585 { 586 UASRequest *req = r->hba_private; 587 588 trace_usb_uas_scsi_data(req->uas->dev.addr, req->tag, len); 589 req->buf_off = 0; 590 req->buf_size = len; 591 if (req->data) { 592 usb_uas_copy_data(req); 593 } else { 594 usb_uas_start_next_transfer(req->uas); 595 } 596 } 597 598 static void usb_uas_scsi_command_complete(SCSIRequest *r, 599 uint32_t status, size_t resid) 600 { 601 UASRequest *req = r->hba_private; 602 603 trace_usb_uas_scsi_complete(req->uas->dev.addr, req->tag, status, resid); 604 req->complete = true; 605 if (req->data) { 606 usb_uas_complete_data_packet(req); 607 } 608 usb_uas_queue_sense(req, status); 609 scsi_req_unref(req->req); 610 } 611 612 static void usb_uas_scsi_request_cancelled(SCSIRequest *r) 613 { 614 UASRequest *req = r->hba_private; 615 616 /* FIXME: queue notification to status pipe? */ 617 scsi_req_unref(req->req); 618 } 619 620 static const struct SCSIBusInfo usb_uas_scsi_info = { 621 .tcq = true, 622 .max_target = 0, 623 .max_lun = 255, 624 625 .transfer_data = usb_uas_scsi_transfer_data, 626 .complete = usb_uas_scsi_command_complete, 627 .cancel = usb_uas_scsi_request_cancelled, 628 .free_request = usb_uas_scsi_free_request, 629 }; 630 631 /* --------------------------------------------------------------------- */ 632 633 static void usb_uas_handle_reset(USBDevice *dev) 634 { 635 UASDevice *uas = USB_UAS(dev); 636 UASRequest *req, *nreq; 637 UASStatus *st, *nst; 638 639 trace_usb_uas_reset(dev->addr); 640 QTAILQ_FOREACH_SAFE(req, &uas->requests, next, nreq) { 641 scsi_req_cancel(req->req); 642 } 643 QTAILQ_FOREACH_SAFE(st, &uas->results, next, nst) { 644 QTAILQ_REMOVE(&uas->results, st, next); 645 g_free(st); 646 } 647 } 648 649 static void usb_uas_handle_control(USBDevice *dev, USBPacket *p, 650 int request, int value, int index, int length, uint8_t *data) 651 { 652 int ret; 653 654 ret = usb_desc_handle_control(dev, p, request, value, index, length, data); 655 if (ret >= 0) { 656 return; 657 } 658 error_report("%s: unhandled control request (req 0x%x, val 0x%x, idx 0x%x", 659 __func__, request, value, index); 660 p->status = USB_RET_STALL; 661 } 662 663 static void usb_uas_cancel_io(USBDevice *dev, USBPacket *p) 664 { 665 UASDevice *uas = USB_UAS(dev); 666 UASRequest *req, *nreq; 667 int i; 668 669 if (uas->status2 == p) { 670 uas->status2 = NULL; 671 qemu_bh_cancel(uas->status_bh); 672 return; 673 } 674 if (uas_using_streams(uas)) { 675 for (i = 0; i <= UAS_MAX_STREAMS; i++) { 676 if (uas->status3[i] == p) { 677 uas->status3[i] = NULL; 678 return; 679 } 680 if (uas->data3[i] == p) { 681 uas->data3[i] = NULL; 682 return; 683 } 684 } 685 } 686 QTAILQ_FOREACH_SAFE(req, &uas->requests, next, nreq) { 687 if (req->data == p) { 688 req->data = NULL; 689 return; 690 } 691 } 692 assert(!"canceled usb packet not found"); 693 } 694 695 static void usb_uas_command(UASDevice *uas, uas_iu *iu) 696 { 697 UASRequest *req; 698 uint32_t len; 699 uint16_t tag = be16_to_cpu(iu->hdr.tag); 700 701 if (uas_using_streams(uas) && tag > UAS_MAX_STREAMS) { 702 goto invalid_tag; 703 } 704 req = usb_uas_find_request(uas, tag); 705 if (req) { 706 goto overlapped_tag; 707 } 708 req = usb_uas_alloc_request(uas, iu); 709 if (req->dev == NULL) { 710 goto bad_target; 711 } 712 713 trace_usb_uas_command(uas->dev.addr, req->tag, 714 usb_uas_get_lun(req->lun), 715 req->lun >> 32, req->lun & 0xffffffff); 716 QTAILQ_INSERT_TAIL(&uas->requests, req, next); 717 if (uas_using_streams(uas) && uas->data3[req->tag] != NULL) { 718 req->data = uas->data3[req->tag]; 719 req->data_async = true; 720 uas->data3[req->tag] = NULL; 721 } 722 723 req->req = scsi_req_new(req->dev, req->tag, 724 usb_uas_get_lun(req->lun), 725 iu->command.cdb, req); 726 if (uas->requestlog) { 727 scsi_req_print(req->req); 728 } 729 len = scsi_req_enqueue(req->req); 730 if (len) { 731 req->data_size = len; 732 scsi_req_continue(req->req); 733 } 734 return; 735 736 invalid_tag: 737 usb_uas_queue_fake_sense(uas, tag, sense_code_INVALID_TAG); 738 return; 739 740 overlapped_tag: 741 usb_uas_queue_fake_sense(uas, tag, sense_code_OVERLAPPED_COMMANDS); 742 return; 743 744 bad_target: 745 usb_uas_queue_fake_sense(uas, tag, sense_code_LUN_NOT_SUPPORTED); 746 g_free(req); 747 } 748 749 static void usb_uas_task(UASDevice *uas, uas_iu *iu) 750 { 751 uint16_t tag = be16_to_cpu(iu->hdr.tag); 752 uint64_t lun64 = be64_to_cpu(iu->task.lun); 753 SCSIDevice *dev = usb_uas_get_dev(uas, lun64); 754 int lun = usb_uas_get_lun(lun64); 755 UASRequest *req; 756 uint16_t task_tag; 757 758 if (uas_using_streams(uas) && tag > UAS_MAX_STREAMS) { 759 goto invalid_tag; 760 } 761 req = usb_uas_find_request(uas, be16_to_cpu(iu->hdr.tag)); 762 if (req) { 763 goto overlapped_tag; 764 } 765 if (dev == NULL) { 766 goto incorrect_lun; 767 } 768 769 switch (iu->task.function) { 770 case UAS_TMF_ABORT_TASK: 771 task_tag = be16_to_cpu(iu->task.task_tag); 772 trace_usb_uas_tmf_abort_task(uas->dev.addr, tag, task_tag); 773 req = usb_uas_find_request(uas, task_tag); 774 if (req && req->dev == dev) { 775 scsi_req_cancel(req->req); 776 } 777 usb_uas_queue_response(uas, tag, UAS_RC_TMF_COMPLETE); 778 break; 779 780 case UAS_TMF_LOGICAL_UNIT_RESET: 781 trace_usb_uas_tmf_logical_unit_reset(uas->dev.addr, tag, lun); 782 qdev_reset_all(&dev->qdev); 783 usb_uas_queue_response(uas, tag, UAS_RC_TMF_COMPLETE); 784 break; 785 786 default: 787 trace_usb_uas_tmf_unsupported(uas->dev.addr, tag, iu->task.function); 788 usb_uas_queue_response(uas, tag, UAS_RC_TMF_NOT_SUPPORTED); 789 break; 790 } 791 return; 792 793 invalid_tag: 794 usb_uas_queue_response(uas, tag, UAS_RC_INVALID_INFO_UNIT); 795 return; 796 797 overlapped_tag: 798 usb_uas_queue_response(uas, req->tag, UAS_RC_OVERLAPPED_TAG); 799 return; 800 801 incorrect_lun: 802 usb_uas_queue_response(uas, tag, UAS_RC_INCORRECT_LUN); 803 } 804 805 static void usb_uas_handle_data(USBDevice *dev, USBPacket *p) 806 { 807 UASDevice *uas = USB_UAS(dev); 808 uas_iu iu; 809 UASStatus *st; 810 UASRequest *req; 811 int length; 812 813 switch (p->ep->nr) { 814 case UAS_PIPE_ID_COMMAND: 815 length = MIN(sizeof(iu), p->iov.size); 816 usb_packet_copy(p, &iu, length); 817 switch (iu.hdr.id) { 818 case UAS_UI_COMMAND: 819 usb_uas_command(uas, &iu); 820 break; 821 case UAS_UI_TASK_MGMT: 822 usb_uas_task(uas, &iu); 823 break; 824 default: 825 error_report("%s: unknown command iu: id 0x%x", 826 __func__, iu.hdr.id); 827 p->status = USB_RET_STALL; 828 break; 829 } 830 break; 831 case UAS_PIPE_ID_STATUS: 832 if (p->stream) { 833 QTAILQ_FOREACH(st, &uas->results, next) { 834 if (st->stream == p->stream) { 835 break; 836 } 837 } 838 if (st == NULL) { 839 assert(uas->status3[p->stream] == NULL); 840 uas->status3[p->stream] = p; 841 p->status = USB_RET_ASYNC; 842 break; 843 } 844 } else { 845 st = QTAILQ_FIRST(&uas->results); 846 if (st == NULL) { 847 assert(uas->status2 == NULL); 848 uas->status2 = p; 849 p->status = USB_RET_ASYNC; 850 break; 851 } 852 } 853 usb_packet_copy(p, &st->status, st->length); 854 QTAILQ_REMOVE(&uas->results, st, next); 855 g_free(st); 856 break; 857 case UAS_PIPE_ID_DATA_IN: 858 case UAS_PIPE_ID_DATA_OUT: 859 if (p->stream) { 860 req = usb_uas_find_request(uas, p->stream); 861 } else { 862 req = (p->ep->nr == UAS_PIPE_ID_DATA_IN) 863 ? uas->datain2 : uas->dataout2; 864 } 865 if (req == NULL) { 866 if (p->stream) { 867 assert(uas->data3[p->stream] == NULL); 868 uas->data3[p->stream] = p; 869 p->status = USB_RET_ASYNC; 870 break; 871 } else { 872 error_report("%s: no inflight request", __func__); 873 p->status = USB_RET_STALL; 874 break; 875 } 876 } 877 scsi_req_ref(req->req); 878 req->data = p; 879 usb_uas_copy_data(req); 880 if (p->actual_length == p->iov.size || req->complete) { 881 req->data = NULL; 882 } else { 883 req->data_async = true; 884 p->status = USB_RET_ASYNC; 885 } 886 scsi_req_unref(req->req); 887 usb_uas_start_next_transfer(uas); 888 break; 889 default: 890 error_report("%s: invalid endpoint %d", __func__, p->ep->nr); 891 p->status = USB_RET_STALL; 892 break; 893 } 894 } 895 896 static void usb_uas_unrealize(USBDevice *dev, Error **errp) 897 { 898 UASDevice *uas = USB_UAS(dev); 899 900 qemu_bh_delete(uas->status_bh); 901 } 902 903 static void usb_uas_realize(USBDevice *dev, Error **errp) 904 { 905 UASDevice *uas = USB_UAS(dev); 906 DeviceState *d = DEVICE(dev); 907 908 usb_desc_create_serial(dev); 909 usb_desc_init(dev); 910 if (d->hotplugged) { 911 uas->dev.auto_attach = 0; 912 } 913 914 QTAILQ_INIT(&uas->results); 915 QTAILQ_INIT(&uas->requests); 916 uas->status_bh = qemu_bh_new(usb_uas_send_status_bh, uas); 917 918 scsi_bus_new(&uas->bus, sizeof(uas->bus), DEVICE(dev), 919 &usb_uas_scsi_info, NULL); 920 } 921 922 static const VMStateDescription vmstate_usb_uas = { 923 .name = "usb-uas", 924 .unmigratable = 1, 925 .fields = (VMStateField[]) { 926 VMSTATE_USB_DEVICE(dev, UASDevice), 927 VMSTATE_END_OF_LIST() 928 } 929 }; 930 931 static Property uas_properties[] = { 932 DEFINE_PROP_UINT32("log-scsi-req", UASDevice, requestlog, 0), 933 DEFINE_PROP_END_OF_LIST(), 934 }; 935 936 static void usb_uas_class_initfn(ObjectClass *klass, void *data) 937 { 938 DeviceClass *dc = DEVICE_CLASS(klass); 939 USBDeviceClass *uc = USB_DEVICE_CLASS(klass); 940 941 uc->realize = usb_uas_realize; 942 uc->product_desc = desc_strings[STR_PRODUCT]; 943 uc->usb_desc = &desc; 944 uc->cancel_packet = usb_uas_cancel_io; 945 uc->handle_attach = usb_desc_attach; 946 uc->handle_reset = usb_uas_handle_reset; 947 uc->handle_control = usb_uas_handle_control; 948 uc->handle_data = usb_uas_handle_data; 949 uc->unrealize = usb_uas_unrealize; 950 uc->attached_settable = true; 951 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories); 952 dc->fw_name = "storage"; 953 dc->vmsd = &vmstate_usb_uas; 954 dc->props = uas_properties; 955 } 956 957 static const TypeInfo uas_info = { 958 .name = TYPE_USB_UAS, 959 .parent = TYPE_USB_DEVICE, 960 .instance_size = sizeof(UASDevice), 961 .class_init = usb_uas_class_initfn, 962 }; 963 964 static void usb_uas_register_types(void) 965 { 966 type_register_static(&uas_info); 967 } 968 969 type_init(usb_uas_register_types) 970