1 /* 2 * Media Transfer Protocol implementation, backed by host filesystem. 3 * 4 * Copyright Red Hat, Inc 2014 5 * 6 * Author: 7 * Gerd Hoffmann <kraxel@redhat.com> 8 * 9 * This code is licensed under the GPL v2 or later. 10 */ 11 12 #include "qemu/osdep.h" 13 #include "qapi/error.h" 14 #include "qemu/error-report.h" 15 #include <wchar.h> 16 #include <dirent.h> 17 #include <glib/gstdio.h> 18 #include <sys/statvfs.h> 19 20 21 #include "qemu/iov.h" 22 #include "qemu/module.h" 23 #include "qemu/filemonitor.h" 24 #include "trace.h" 25 #include "hw/qdev-properties.h" 26 #include "hw/usb.h" 27 #include "migration/vmstate.h" 28 #include "desc.h" 29 #include "qemu/units.h" 30 #include "qom/object.h" 31 32 /* ----------------------------------------------------------------------- */ 33 34 enum mtp_container_type { 35 TYPE_COMMAND = 1, 36 TYPE_DATA = 2, 37 TYPE_RESPONSE = 3, 38 TYPE_EVENT = 4, 39 }; 40 41 /* MTP write stage, for internal use only */ 42 enum mtp_write_status { 43 WRITE_START = 1, 44 WRITE_CONTINUE = 2, 45 WRITE_END = 3, 46 }; 47 48 enum mtp_code { 49 /* command codes */ 50 CMD_GET_DEVICE_INFO = 0x1001, 51 CMD_OPEN_SESSION = 0x1002, 52 CMD_CLOSE_SESSION = 0x1003, 53 CMD_GET_STORAGE_IDS = 0x1004, 54 CMD_GET_STORAGE_INFO = 0x1005, 55 CMD_GET_NUM_OBJECTS = 0x1006, 56 CMD_GET_OBJECT_HANDLES = 0x1007, 57 CMD_GET_OBJECT_INFO = 0x1008, 58 CMD_GET_OBJECT = 0x1009, 59 CMD_DELETE_OBJECT = 0x100b, 60 CMD_SEND_OBJECT_INFO = 0x100c, 61 CMD_SEND_OBJECT = 0x100d, 62 CMD_GET_PARTIAL_OBJECT = 0x101b, 63 CMD_GET_OBJECT_PROPS_SUPPORTED = 0x9801, 64 CMD_GET_OBJECT_PROP_DESC = 0x9802, 65 CMD_GET_OBJECT_PROP_VALUE = 0x9803, 66 67 /* response codes */ 68 RES_OK = 0x2001, 69 RES_GENERAL_ERROR = 0x2002, 70 RES_SESSION_NOT_OPEN = 0x2003, 71 RES_INVALID_TRANSACTION_ID = 0x2004, 72 RES_OPERATION_NOT_SUPPORTED = 0x2005, 73 RES_PARAMETER_NOT_SUPPORTED = 0x2006, 74 RES_INCOMPLETE_TRANSFER = 0x2007, 75 RES_INVALID_STORAGE_ID = 0x2008, 76 RES_INVALID_OBJECT_HANDLE = 0x2009, 77 RES_INVALID_OBJECT_FORMAT_CODE = 0x200b, 78 RES_STORE_FULL = 0x200c, 79 RES_STORE_READ_ONLY = 0x200e, 80 RES_PARTIAL_DELETE = 0x2012, 81 RES_STORE_NOT_AVAILABLE = 0x2013, 82 RES_SPEC_BY_FORMAT_UNSUPPORTED = 0x2014, 83 RES_INVALID_OBJECTINFO = 0x2015, 84 RES_DESTINATION_UNSUPPORTED = 0x2020, 85 RES_INVALID_PARENT_OBJECT = 0x201a, 86 RES_INVALID_PARAMETER = 0x201d, 87 RES_SESSION_ALREADY_OPEN = 0x201e, 88 RES_INVALID_OBJECT_PROP_CODE = 0xA801, 89 90 /* format codes */ 91 FMT_UNDEFINED_OBJECT = 0x3000, 92 FMT_ASSOCIATION = 0x3001, 93 94 /* event codes */ 95 EVT_CANCEL_TRANSACTION = 0x4001, 96 EVT_OBJ_ADDED = 0x4002, 97 EVT_OBJ_REMOVED = 0x4003, 98 EVT_OBJ_INFO_CHANGED = 0x4007, 99 100 /* object properties */ 101 PROP_STORAGE_ID = 0xDC01, 102 PROP_OBJECT_FORMAT = 0xDC02, 103 PROP_OBJECT_COMPRESSED_SIZE = 0xDC04, 104 PROP_PARENT_OBJECT = 0xDC0B, 105 PROP_PERSISTENT_UNIQUE_OBJECT_IDENTIFIER = 0xDC41, 106 PROP_NAME = 0xDC44, 107 }; 108 109 enum mtp_data_type { 110 DATA_TYPE_UINT16 = 0x0004, 111 DATA_TYPE_UINT32 = 0x0006, 112 DATA_TYPE_UINT64 = 0x0008, 113 DATA_TYPE_UINT128 = 0x000a, 114 DATA_TYPE_STRING = 0xffff, 115 }; 116 117 typedef struct { 118 uint32_t length; 119 uint16_t type; 120 uint16_t code; 121 uint32_t trans; 122 } QEMU_PACKED mtp_container; 123 124 /* ----------------------------------------------------------------------- */ 125 126 typedef struct MTPState MTPState; 127 typedef struct MTPControl MTPControl; 128 typedef struct MTPData MTPData; 129 typedef struct MTPObject MTPObject; 130 131 enum { 132 EP_DATA_IN = 1, 133 EP_DATA_OUT, 134 EP_EVENT, 135 }; 136 137 typedef struct MTPMonEntry MTPMonEntry; 138 139 struct MTPMonEntry { 140 uint32_t event; 141 uint32_t handle; 142 143 QTAILQ_ENTRY(MTPMonEntry) next; 144 }; 145 146 struct MTPControl { 147 uint16_t code; 148 uint32_t trans; 149 int argc; 150 uint32_t argv[5]; 151 }; 152 153 struct MTPData { 154 uint16_t code; 155 uint32_t trans; 156 uint64_t offset; 157 uint64_t length; 158 uint64_t alloc; 159 uint8_t *data; 160 bool first; 161 /* Used for >4G file sizes */ 162 bool pending; 163 int fd; 164 uint8_t write_status; 165 /* Internal pointer per every MTP_WRITE_BUF_SZ */ 166 uint64_t data_offset; 167 }; 168 169 struct MTPObject { 170 uint32_t handle; 171 uint16_t format; 172 char *name; 173 char *path; 174 struct stat stat; 175 /* file monitor watch id */ 176 int64_t watchid; 177 MTPObject *parent; 178 uint32_t nchildren; 179 QLIST_HEAD(, MTPObject) children; 180 QLIST_ENTRY(MTPObject) list; 181 bool have_children; 182 QTAILQ_ENTRY(MTPObject) next; 183 }; 184 185 struct MTPState { 186 USBDevice dev; 187 char *root; 188 char *desc; 189 uint32_t flags; 190 191 MTPData *data_in; 192 MTPData *data_out; 193 MTPControl *result; 194 uint32_t session; 195 uint32_t next_handle; 196 bool readonly; 197 198 QTAILQ_HEAD(, MTPObject) objects; 199 QFileMonitor *file_monitor; 200 QTAILQ_HEAD(, MTPMonEntry) events; 201 /* Responder is expecting a write operation */ 202 bool write_pending; 203 struct { 204 uint32_t parent_handle; 205 uint16_t format; 206 uint32_t size; 207 char *filename; 208 } dataset; 209 }; 210 211 /* 212 * ObjectInfo dataset received from initiator 213 * Fields we don't care about are ignored 214 */ 215 typedef struct { 216 uint32_t storage_id; /*unused*/ 217 uint16_t format; 218 uint16_t protection_status; /*unused*/ 219 uint32_t size; 220 uint16_t thumb_format; /*unused*/ 221 uint32_t thumb_comp_sz; /*unused*/ 222 uint32_t thumb_pix_width; /*unused*/ 223 uint32_t thumb_pix_height; /*unused*/ 224 uint32_t image_pix_width; /*unused*/ 225 uint32_t image_pix_height; /*unused*/ 226 uint32_t image_bit_depth; /*unused*/ 227 uint32_t parent; /*unused*/ 228 uint16_t assoc_type; 229 uint32_t assoc_desc; 230 uint32_t seq_no; /*unused*/ 231 uint8_t length; /*part of filename field*/ 232 uint8_t filename[0]; /* UTF-16 encoded */ 233 char date_created[0]; /*unused*/ 234 char date_modified[0]; /*unused*/ 235 char keywords[0]; /*unused*/ 236 /* string and other data follows */ 237 } QEMU_PACKED ObjectInfo; 238 239 #define TYPE_USB_MTP "usb-mtp" 240 OBJECT_DECLARE_SIMPLE_TYPE(MTPState, USB_MTP) 241 242 #define QEMU_STORAGE_ID 0x00010001 243 244 #define MTP_FLAG_WRITABLE 0 245 246 #define FLAG_SET(_mtp, _flag) ((_mtp)->flags & (1 << (_flag))) 247 248 /* ----------------------------------------------------------------------- */ 249 250 #define MTP_MANUFACTURER "QEMU" 251 #define MTP_PRODUCT "QEMU filesharing" 252 #define MTP_WRITE_BUF_SZ (512 * KiB) 253 254 enum { 255 STR_MANUFACTURER = 1, 256 STR_PRODUCT, 257 STR_SERIALNUMBER, 258 STR_MTP, 259 STR_CONFIG_FULL, 260 STR_CONFIG_HIGH, 261 STR_CONFIG_SUPER, 262 }; 263 264 static const USBDescStrings desc_strings = { 265 [STR_MANUFACTURER] = MTP_MANUFACTURER, 266 [STR_PRODUCT] = MTP_PRODUCT, 267 [STR_SERIALNUMBER] = "34617", 268 [STR_MTP] = "MTP", 269 [STR_CONFIG_FULL] = "Full speed config (usb 1.1)", 270 [STR_CONFIG_HIGH] = "High speed config (usb 2.0)", 271 [STR_CONFIG_SUPER] = "Super speed config (usb 3.0)", 272 }; 273 274 static const USBDescIface desc_iface_full = { 275 .bInterfaceNumber = 0, 276 .bNumEndpoints = 3, 277 .bInterfaceClass = USB_CLASS_STILL_IMAGE, 278 .bInterfaceSubClass = 0x01, 279 .bInterfaceProtocol = 0x01, 280 .iInterface = STR_MTP, 281 .eps = (USBDescEndpoint[]) { 282 { 283 .bEndpointAddress = USB_DIR_IN | EP_DATA_IN, 284 .bmAttributes = USB_ENDPOINT_XFER_BULK, 285 .wMaxPacketSize = 64, 286 },{ 287 .bEndpointAddress = USB_DIR_OUT | EP_DATA_OUT, 288 .bmAttributes = USB_ENDPOINT_XFER_BULK, 289 .wMaxPacketSize = 64, 290 },{ 291 .bEndpointAddress = USB_DIR_IN | EP_EVENT, 292 .bmAttributes = USB_ENDPOINT_XFER_INT, 293 .wMaxPacketSize = 64, 294 .bInterval = 0x0a, 295 }, 296 } 297 }; 298 299 static const USBDescDevice desc_device_full = { 300 .bcdUSB = 0x0200, 301 .bMaxPacketSize0 = 8, 302 .bNumConfigurations = 1, 303 .confs = (USBDescConfig[]) { 304 { 305 .bNumInterfaces = 1, 306 .bConfigurationValue = 1, 307 .iConfiguration = STR_CONFIG_FULL, 308 .bmAttributes = USB_CFG_ATT_ONE | USB_CFG_ATT_WAKEUP, 309 .bMaxPower = 2, 310 .nif = 1, 311 .ifs = &desc_iface_full, 312 }, 313 }, 314 }; 315 316 static const USBDescIface desc_iface_high = { 317 .bInterfaceNumber = 0, 318 .bNumEndpoints = 3, 319 .bInterfaceClass = USB_CLASS_STILL_IMAGE, 320 .bInterfaceSubClass = 0x01, 321 .bInterfaceProtocol = 0x01, 322 .iInterface = STR_MTP, 323 .eps = (USBDescEndpoint[]) { 324 { 325 .bEndpointAddress = USB_DIR_IN | EP_DATA_IN, 326 .bmAttributes = USB_ENDPOINT_XFER_BULK, 327 .wMaxPacketSize = 512, 328 },{ 329 .bEndpointAddress = USB_DIR_OUT | EP_DATA_OUT, 330 .bmAttributes = USB_ENDPOINT_XFER_BULK, 331 .wMaxPacketSize = 512, 332 },{ 333 .bEndpointAddress = USB_DIR_IN | EP_EVENT, 334 .bmAttributes = USB_ENDPOINT_XFER_INT, 335 .wMaxPacketSize = 64, 336 .bInterval = 0x0a, 337 }, 338 } 339 }; 340 341 static const USBDescDevice desc_device_high = { 342 .bcdUSB = 0x0200, 343 .bMaxPacketSize0 = 64, 344 .bNumConfigurations = 1, 345 .confs = (USBDescConfig[]) { 346 { 347 .bNumInterfaces = 1, 348 .bConfigurationValue = 1, 349 .iConfiguration = STR_CONFIG_HIGH, 350 .bmAttributes = USB_CFG_ATT_ONE | USB_CFG_ATT_WAKEUP, 351 .bMaxPower = 2, 352 .nif = 1, 353 .ifs = &desc_iface_high, 354 }, 355 }, 356 }; 357 358 static const USBDescMSOS desc_msos = { 359 .CompatibleID = "MTP", 360 .SelectiveSuspendEnabled = true, 361 }; 362 363 static const USBDesc desc = { 364 .id = { 365 .idVendor = 0x46f4, /* CRC16() of "QEMU" */ 366 .idProduct = 0x0004, 367 .bcdDevice = 0, 368 .iManufacturer = STR_MANUFACTURER, 369 .iProduct = STR_PRODUCT, 370 .iSerialNumber = STR_SERIALNUMBER, 371 }, 372 .full = &desc_device_full, 373 .high = &desc_device_high, 374 .str = desc_strings, 375 .msos = &desc_msos, 376 }; 377 378 /* ----------------------------------------------------------------------- */ 379 usb_mtp_object_alloc(MTPState * s,uint32_t handle,MTPObject * parent,const char * name)380 static MTPObject *usb_mtp_object_alloc(MTPState *s, uint32_t handle, 381 MTPObject *parent, const char *name) 382 { 383 MTPObject *o = g_new0(MTPObject, 1); 384 385 if (name[0] == '.') { 386 goto ignore; 387 } 388 389 o->watchid = -1; 390 o->handle = handle; 391 o->parent = parent; 392 o->name = g_strdup(name); 393 if (parent == NULL) { 394 o->path = g_strdup(name); 395 } else { 396 o->path = g_strdup_printf("%s/%s", parent->path, name); 397 } 398 399 if (lstat(o->path, &o->stat) != 0) { 400 goto ignore; 401 } 402 if (S_ISREG(o->stat.st_mode)) { 403 o->format = FMT_UNDEFINED_OBJECT; 404 } else if (S_ISDIR(o->stat.st_mode)) { 405 o->format = FMT_ASSOCIATION; 406 } else { 407 goto ignore; 408 } 409 410 if (access(o->path, R_OK) != 0) { 411 goto ignore; 412 } 413 414 trace_usb_mtp_object_alloc(s->dev.addr, o->handle, o->path); 415 416 QTAILQ_INSERT_TAIL(&s->objects, o, next); 417 return o; 418 419 ignore: 420 g_free(o->name); 421 g_free(o->path); 422 g_free(o); 423 return NULL; 424 } 425 usb_mtp_object_free(MTPState * s,MTPObject * o)426 static void usb_mtp_object_free(MTPState *s, MTPObject *o) 427 { 428 MTPObject *iter; 429 430 if (!o) { 431 return; 432 } 433 434 trace_usb_mtp_object_free(s->dev.addr, o->handle, o->path); 435 436 if (o->watchid != -1 && s->file_monitor) { 437 qemu_file_monitor_remove_watch(s->file_monitor, o->path, o->watchid); 438 } 439 440 QTAILQ_REMOVE(&s->objects, o, next); 441 if (o->parent) { 442 QLIST_REMOVE(o, list); 443 o->parent->nchildren--; 444 } 445 446 while (!QLIST_EMPTY(&o->children)) { 447 iter = QLIST_FIRST(&o->children); 448 usb_mtp_object_free(s, iter); 449 } 450 g_free(o->name); 451 g_free(o->path); 452 g_free(o); 453 } 454 usb_mtp_object_lookup(MTPState * s,uint32_t handle)455 static MTPObject *usb_mtp_object_lookup(MTPState *s, uint32_t handle) 456 { 457 MTPObject *o; 458 459 QTAILQ_FOREACH(o, &s->objects, next) { 460 if (o->handle == handle) { 461 return o; 462 } 463 } 464 return NULL; 465 } 466 usb_mtp_add_child(MTPState * s,MTPObject * o,const char * name)467 static MTPObject *usb_mtp_add_child(MTPState *s, MTPObject *o, 468 const char *name) 469 { 470 MTPObject *child = 471 usb_mtp_object_alloc(s, s->next_handle++, o, name); 472 473 if (child) { 474 trace_usb_mtp_add_child(s->dev.addr, child->handle, child->path); 475 QLIST_INSERT_HEAD(&o->children, child, list); 476 o->nchildren++; 477 478 if (child->format == FMT_ASSOCIATION) { 479 QLIST_INIT(&child->children); 480 } 481 } 482 483 return child; 484 } 485 usb_mtp_object_lookup_name(MTPObject * parent,const char * name,int len)486 static MTPObject *usb_mtp_object_lookup_name(MTPObject *parent, 487 const char *name, int len) 488 { 489 MTPObject *iter; 490 491 if (len == -1) { 492 len = strlen(name); 493 } 494 495 QLIST_FOREACH(iter, &parent->children, list) { 496 if (strncmp(iter->name, name, len) == 0) { 497 return iter; 498 } 499 } 500 501 return NULL; 502 } 503 usb_mtp_object_lookup_id(MTPState * s,int64_t id)504 static MTPObject *usb_mtp_object_lookup_id(MTPState *s, int64_t id) 505 { 506 MTPObject *iter; 507 508 QTAILQ_FOREACH(iter, &s->objects, next) { 509 if (iter->watchid == id) { 510 return iter; 511 } 512 } 513 514 return NULL; 515 } 516 file_monitor_event(int64_t id,QFileMonitorEvent ev,const char * name,void * opaque)517 static void file_monitor_event(int64_t id, 518 QFileMonitorEvent ev, 519 const char *name, 520 void *opaque) 521 { 522 MTPState *s = opaque; 523 MTPObject *parent = usb_mtp_object_lookup_id(s, id); 524 MTPMonEntry *entry = NULL; 525 MTPObject *o; 526 527 if (!parent) { 528 return; 529 } 530 531 switch (ev) { 532 case QFILE_MONITOR_EVENT_CREATED: 533 if (usb_mtp_object_lookup_name(parent, name, -1)) { 534 /* Duplicate create event */ 535 return; 536 } 537 entry = g_new0(MTPMonEntry, 1); 538 entry->handle = s->next_handle; 539 entry->event = EVT_OBJ_ADDED; 540 o = usb_mtp_add_child(s, parent, name); 541 if (!o) { 542 g_free(entry); 543 return; 544 } 545 trace_usb_mtp_file_monitor_event(s->dev.addr, name, "Obj Added"); 546 break; 547 548 case QFILE_MONITOR_EVENT_DELETED: 549 /* 550 * The kernel issues a IN_IGNORED event 551 * when a dir containing a watchpoint is 552 * deleted, so we don't have to delete the 553 * watchpoint 554 */ 555 o = usb_mtp_object_lookup_name(parent, name, -1); 556 if (!o) { 557 return; 558 } 559 entry = g_new0(MTPMonEntry, 1); 560 entry->handle = o->handle; 561 entry->event = EVT_OBJ_REMOVED; 562 trace_usb_mtp_file_monitor_event(s->dev.addr, o->path, "Obj Deleted"); 563 usb_mtp_object_free(s, o); 564 break; 565 566 case QFILE_MONITOR_EVENT_MODIFIED: 567 o = usb_mtp_object_lookup_name(parent, name, -1); 568 if (!o) { 569 return; 570 } 571 entry = g_new0(MTPMonEntry, 1); 572 entry->handle = o->handle; 573 entry->event = EVT_OBJ_INFO_CHANGED; 574 trace_usb_mtp_file_monitor_event(s->dev.addr, o->path, "Obj Modified"); 575 break; 576 577 case QFILE_MONITOR_EVENT_IGNORED: 578 trace_usb_mtp_file_monitor_event(s->dev.addr, parent->path, 579 "Obj parent dir ignored"); 580 break; 581 582 case QFILE_MONITOR_EVENT_ATTRIBUTES: 583 break; 584 585 default: 586 g_assert_not_reached(); 587 } 588 589 if (entry) { 590 QTAILQ_INSERT_HEAD(&s->events, entry, next); 591 } 592 } 593 usb_mtp_file_monitor_cleanup(MTPState * s)594 static void usb_mtp_file_monitor_cleanup(MTPState *s) 595 { 596 MTPMonEntry *e, *p; 597 598 QTAILQ_FOREACH_SAFE(e, &s->events, next, p) { 599 QTAILQ_REMOVE(&s->events, e, next); 600 g_free(e); 601 } 602 603 qemu_file_monitor_free(s->file_monitor); 604 s->file_monitor = NULL; 605 } 606 607 usb_mtp_object_readdir(MTPState * s,MTPObject * o)608 static void usb_mtp_object_readdir(MTPState *s, MTPObject *o) 609 { 610 struct dirent *entry; 611 DIR *dir; 612 int fd; 613 Error *err = NULL; 614 615 if (o->have_children) { 616 return; 617 } 618 o->have_children = true; 619 620 fd = open(o->path, O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW); 621 if (fd < 0) { 622 return; 623 } 624 dir = fdopendir(fd); 625 if (!dir) { 626 close(fd); 627 return; 628 } 629 630 if (s->file_monitor) { 631 int64_t id = qemu_file_monitor_add_watch(s->file_monitor, o->path, NULL, 632 file_monitor_event, s, &err); 633 if (id == -1) { 634 error_reportf_err(err, 635 "usb-mtp: failed to add watch for %s: ", 636 o->path); 637 } else { 638 trace_usb_mtp_file_monitor_event(s->dev.addr, o->path, 639 "Watch Added"); 640 o->watchid = id; 641 } 642 } 643 644 while ((entry = readdir(dir)) != NULL) { 645 usb_mtp_add_child(s, o, entry->d_name); 646 } 647 closedir(dir); 648 } 649 650 /* ----------------------------------------------------------------------- */ 651 usb_mtp_data_alloc(MTPControl * c)652 static MTPData *usb_mtp_data_alloc(MTPControl *c) 653 { 654 MTPData *data = g_new0(MTPData, 1); 655 656 data->code = c->code; 657 data->trans = c->trans; 658 data->fd = -1; 659 data->first = true; 660 return data; 661 } 662 usb_mtp_data_free(MTPData * data)663 static void usb_mtp_data_free(MTPData *data) 664 { 665 if (data == NULL) { 666 return; 667 } 668 if (data->fd != -1) { 669 close(data->fd); 670 } 671 g_free(data->data); 672 g_free(data); 673 } 674 usb_mtp_realloc(MTPData * data,uint32_t bytes)675 static void usb_mtp_realloc(MTPData *data, uint32_t bytes) 676 { 677 if (data->length + bytes <= data->alloc) { 678 return; 679 } 680 data->alloc = (data->length + bytes + 0xff) & ~0xff; 681 data->data = g_realloc(data->data, data->alloc); 682 } 683 usb_mtp_add_u8(MTPData * data,uint8_t val)684 static void usb_mtp_add_u8(MTPData *data, uint8_t val) 685 { 686 usb_mtp_realloc(data, 1); 687 data->data[data->length++] = val; 688 } 689 usb_mtp_add_u16(MTPData * data,uint16_t val)690 static void usb_mtp_add_u16(MTPData *data, uint16_t val) 691 { 692 usb_mtp_realloc(data, 2); 693 data->data[data->length++] = (val >> 0) & 0xff; 694 data->data[data->length++] = (val >> 8) & 0xff; 695 } 696 usb_mtp_add_u32(MTPData * data,uint32_t val)697 static void usb_mtp_add_u32(MTPData *data, uint32_t val) 698 { 699 usb_mtp_realloc(data, 4); 700 data->data[data->length++] = (val >> 0) & 0xff; 701 data->data[data->length++] = (val >> 8) & 0xff; 702 data->data[data->length++] = (val >> 16) & 0xff; 703 data->data[data->length++] = (val >> 24) & 0xff; 704 } 705 usb_mtp_add_u64(MTPData * data,uint64_t val)706 static void usb_mtp_add_u64(MTPData *data, uint64_t val) 707 { 708 usb_mtp_realloc(data, 8); 709 data->data[data->length++] = (val >> 0) & 0xff; 710 data->data[data->length++] = (val >> 8) & 0xff; 711 data->data[data->length++] = (val >> 16) & 0xff; 712 data->data[data->length++] = (val >> 24) & 0xff; 713 data->data[data->length++] = (val >> 32) & 0xff; 714 data->data[data->length++] = (val >> 40) & 0xff; 715 data->data[data->length++] = (val >> 48) & 0xff; 716 data->data[data->length++] = (val >> 56) & 0xff; 717 } 718 usb_mtp_add_u16_array(MTPData * data,uint32_t len,const uint16_t * vals)719 static void usb_mtp_add_u16_array(MTPData *data, uint32_t len, 720 const uint16_t *vals) 721 { 722 int i; 723 724 usb_mtp_add_u32(data, len); 725 for (i = 0; i < len; i++) { 726 usb_mtp_add_u16(data, vals[i]); 727 } 728 } 729 usb_mtp_add_u32_array(MTPData * data,uint32_t len,const uint32_t * vals)730 static void usb_mtp_add_u32_array(MTPData *data, uint32_t len, 731 const uint32_t *vals) 732 { 733 int i; 734 735 usb_mtp_add_u32(data, len); 736 for (i = 0; i < len; i++) { 737 usb_mtp_add_u32(data, vals[i]); 738 } 739 } 740 usb_mtp_add_wstr(MTPData * data,const wchar_t * str)741 static void usb_mtp_add_wstr(MTPData *data, const wchar_t *str) 742 { 743 uint32_t len = wcslen(str); 744 int i; 745 746 if (len > 0) { 747 len++; /* include terminating L'\0' */ 748 } 749 750 usb_mtp_add_u8(data, len); 751 for (i = 0; i < len; i++) { 752 usb_mtp_add_u16(data, str[i]); 753 } 754 } 755 usb_mtp_add_str(MTPData * data,const char * str)756 static void usb_mtp_add_str(MTPData *data, const char *str) 757 { 758 uint32_t len = strlen(str)+1; 759 wchar_t *wstr = g_new(wchar_t, len); 760 size_t ret; 761 762 ret = mbstowcs(wstr, str, len); 763 if (ret == -1) { 764 usb_mtp_add_wstr(data, L"Oops"); 765 } else { 766 usb_mtp_add_wstr(data, wstr); 767 } 768 769 g_free(wstr); 770 } 771 usb_mtp_add_time(MTPData * data,time_t time)772 static void usb_mtp_add_time(MTPData *data, time_t time) 773 { 774 g_autoptr(GDateTime) then = g_date_time_new_from_unix_utc(time); 775 g_autofree char *thenstr = g_date_time_format(then, "%Y%m%dT%H%M%S"); 776 usb_mtp_add_str(data, thenstr); 777 } 778 779 /* ----------------------------------------------------------------------- */ 780 usb_mtp_queue_result(MTPState * s,uint16_t code,uint32_t trans,int argc,uint32_t arg0,uint32_t arg1,uint32_t arg2)781 static void usb_mtp_queue_result(MTPState *s, uint16_t code, uint32_t trans, 782 int argc, uint32_t arg0, uint32_t arg1, 783 uint32_t arg2) 784 { 785 MTPControl *c = g_new0(MTPControl, 1); 786 787 c->code = code; 788 c->trans = trans; 789 c->argc = argc; 790 if (argc > 0) { 791 c->argv[0] = arg0; 792 } 793 if (argc > 1) { 794 c->argv[1] = arg1; 795 } 796 if (argc > 2) { 797 c->argv[2] = arg2; 798 } 799 800 assert(s->result == NULL); 801 s->result = c; 802 } 803 804 /* ----------------------------------------------------------------------- */ 805 usb_mtp_get_device_info(MTPState * s,MTPControl * c)806 static MTPData *usb_mtp_get_device_info(MTPState *s, MTPControl *c) 807 { 808 static const uint16_t ops[] = { 809 CMD_GET_DEVICE_INFO, 810 CMD_OPEN_SESSION, 811 CMD_CLOSE_SESSION, 812 CMD_GET_STORAGE_IDS, 813 CMD_GET_STORAGE_INFO, 814 CMD_GET_NUM_OBJECTS, 815 CMD_GET_OBJECT_HANDLES, 816 CMD_GET_OBJECT_INFO, 817 CMD_DELETE_OBJECT, 818 CMD_SEND_OBJECT_INFO, 819 CMD_SEND_OBJECT, 820 CMD_GET_OBJECT, 821 CMD_GET_PARTIAL_OBJECT, 822 CMD_GET_OBJECT_PROPS_SUPPORTED, 823 CMD_GET_OBJECT_PROP_DESC, 824 CMD_GET_OBJECT_PROP_VALUE, 825 }; 826 static const uint16_t fmt[] = { 827 FMT_UNDEFINED_OBJECT, 828 FMT_ASSOCIATION, 829 }; 830 MTPData *d = usb_mtp_data_alloc(c); 831 832 trace_usb_mtp_op_get_device_info(s->dev.addr); 833 834 usb_mtp_add_u16(d, 100); 835 usb_mtp_add_u32(d, 0x00000006); 836 usb_mtp_add_u16(d, 0x0064); 837 usb_mtp_add_wstr(d, L""); 838 usb_mtp_add_u16(d, 0x0000); 839 840 usb_mtp_add_u16_array(d, ARRAY_SIZE(ops), ops); 841 usb_mtp_add_u16_array(d, 0, NULL); 842 usb_mtp_add_u16_array(d, 0, NULL); 843 usb_mtp_add_u16_array(d, 0, NULL); 844 usb_mtp_add_u16_array(d, ARRAY_SIZE(fmt), fmt); 845 846 usb_mtp_add_wstr(d, L"" MTP_MANUFACTURER); 847 usb_mtp_add_wstr(d, L"" MTP_PRODUCT); 848 usb_mtp_add_wstr(d, L"0.1"); 849 usb_mtp_add_wstr(d, L"0123456789abcdef0123456789abcdef"); 850 851 return d; 852 } 853 usb_mtp_get_storage_ids(MTPState * s,MTPControl * c)854 static MTPData *usb_mtp_get_storage_ids(MTPState *s, MTPControl *c) 855 { 856 static const uint32_t ids[] = { 857 QEMU_STORAGE_ID, 858 }; 859 MTPData *d = usb_mtp_data_alloc(c); 860 861 trace_usb_mtp_op_get_storage_ids(s->dev.addr); 862 863 usb_mtp_add_u32_array(d, ARRAY_SIZE(ids), ids); 864 865 return d; 866 } 867 usb_mtp_get_storage_info(MTPState * s,MTPControl * c)868 static MTPData *usb_mtp_get_storage_info(MTPState *s, MTPControl *c) 869 { 870 MTPData *d = usb_mtp_data_alloc(c); 871 struct statvfs buf; 872 int rc; 873 874 trace_usb_mtp_op_get_storage_info(s->dev.addr); 875 876 if (FLAG_SET(s, MTP_FLAG_WRITABLE)) { 877 usb_mtp_add_u16(d, 0x0003); 878 usb_mtp_add_u16(d, 0x0002); 879 usb_mtp_add_u16(d, 0x0000); 880 } else { 881 usb_mtp_add_u16(d, 0x0001); 882 usb_mtp_add_u16(d, 0x0002); 883 usb_mtp_add_u16(d, 0x0001); 884 } 885 886 rc = statvfs(s->root, &buf); 887 if (rc == 0) { 888 usb_mtp_add_u64(d, (uint64_t)buf.f_frsize * buf.f_blocks); 889 usb_mtp_add_u64(d, (uint64_t)buf.f_frsize * buf.f_bavail); 890 usb_mtp_add_u32(d, buf.f_ffree); 891 } else { 892 usb_mtp_add_u64(d, 0xffffffff); 893 usb_mtp_add_u64(d, 0xffffffff); 894 usb_mtp_add_u32(d, 0xffffffff); 895 } 896 897 usb_mtp_add_str(d, s->desc); 898 usb_mtp_add_wstr(d, L"123456789abcdef"); 899 return d; 900 } 901 usb_mtp_get_object_handles(MTPState * s,MTPControl * c,MTPObject * o)902 static MTPData *usb_mtp_get_object_handles(MTPState *s, MTPControl *c, 903 MTPObject *o) 904 { 905 MTPData *d = usb_mtp_data_alloc(c); 906 uint32_t i = 0; 907 g_autofree uint32_t *handles = g_new(uint32_t, o->nchildren); 908 MTPObject *iter; 909 910 trace_usb_mtp_op_get_object_handles(s->dev.addr, o->handle, o->path); 911 912 QLIST_FOREACH(iter, &o->children, list) { 913 handles[i++] = iter->handle; 914 } 915 assert(i == o->nchildren); 916 usb_mtp_add_u32_array(d, o->nchildren, handles); 917 918 return d; 919 } 920 usb_mtp_get_object_info(MTPState * s,MTPControl * c,MTPObject * o)921 static MTPData *usb_mtp_get_object_info(MTPState *s, MTPControl *c, 922 MTPObject *o) 923 { 924 MTPData *d = usb_mtp_data_alloc(c); 925 926 trace_usb_mtp_op_get_object_info(s->dev.addr, o->handle, o->path); 927 928 usb_mtp_add_u32(d, QEMU_STORAGE_ID); 929 usb_mtp_add_u16(d, o->format); 930 usb_mtp_add_u16(d, 0); 931 932 if (o->stat.st_size > 0xFFFFFFFF) { 933 usb_mtp_add_u32(d, 0xFFFFFFFF); 934 } else { 935 usb_mtp_add_u32(d, o->stat.st_size); 936 } 937 938 usb_mtp_add_u16(d, 0); 939 usb_mtp_add_u32(d, 0); 940 usb_mtp_add_u32(d, 0); 941 usb_mtp_add_u32(d, 0); 942 usb_mtp_add_u32(d, 0); 943 usb_mtp_add_u32(d, 0); 944 usb_mtp_add_u32(d, 0); 945 946 if (o->parent) { 947 usb_mtp_add_u32(d, o->parent->handle); 948 } else { 949 usb_mtp_add_u32(d, 0); 950 } 951 if (o->format == FMT_ASSOCIATION) { 952 usb_mtp_add_u16(d, 0x0001); 953 usb_mtp_add_u32(d, 0x00000001); 954 usb_mtp_add_u32(d, 0); 955 } else { 956 usb_mtp_add_u16(d, 0); 957 usb_mtp_add_u32(d, 0); 958 usb_mtp_add_u32(d, 0); 959 } 960 961 usb_mtp_add_str(d, o->name); 962 usb_mtp_add_time(d, o->stat.st_ctime); 963 usb_mtp_add_time(d, o->stat.st_mtime); 964 usb_mtp_add_wstr(d, L""); 965 966 return d; 967 } 968 usb_mtp_get_object(MTPState * s,MTPControl * c,MTPObject * o)969 static MTPData *usb_mtp_get_object(MTPState *s, MTPControl *c, 970 MTPObject *o) 971 { 972 MTPData *d = usb_mtp_data_alloc(c); 973 974 trace_usb_mtp_op_get_object(s->dev.addr, o->handle, o->path); 975 976 d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW); 977 if (d->fd == -1) { 978 usb_mtp_data_free(d); 979 return NULL; 980 } 981 d->length = o->stat.st_size; 982 d->alloc = 512; 983 d->data = g_malloc(d->alloc); 984 return d; 985 } 986 usb_mtp_get_partial_object(MTPState * s,MTPControl * c,MTPObject * o)987 static MTPData *usb_mtp_get_partial_object(MTPState *s, MTPControl *c, 988 MTPObject *o) 989 { 990 MTPData *d; 991 off_t offset; 992 993 if (c->argc <= 2) { 994 return NULL; 995 } 996 trace_usb_mtp_op_get_partial_object(s->dev.addr, o->handle, o->path, 997 c->argv[1], c->argv[2]); 998 999 d = usb_mtp_data_alloc(c); 1000 d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW); 1001 if (d->fd == -1) { 1002 usb_mtp_data_free(d); 1003 return NULL; 1004 } 1005 1006 offset = c->argv[1]; 1007 if (offset > o->stat.st_size) { 1008 offset = o->stat.st_size; 1009 } 1010 if (lseek(d->fd, offset, SEEK_SET) < 0) { 1011 usb_mtp_data_free(d); 1012 return NULL; 1013 } 1014 1015 d->length = c->argv[2]; 1016 if (d->length > o->stat.st_size - offset) { 1017 d->length = o->stat.st_size - offset; 1018 } 1019 1020 return d; 1021 } 1022 usb_mtp_get_object_props_supported(MTPState * s,MTPControl * c)1023 static MTPData *usb_mtp_get_object_props_supported(MTPState *s, MTPControl *c) 1024 { 1025 static const uint16_t props[] = { 1026 PROP_STORAGE_ID, 1027 PROP_OBJECT_FORMAT, 1028 PROP_OBJECT_COMPRESSED_SIZE, 1029 PROP_PARENT_OBJECT, 1030 PROP_PERSISTENT_UNIQUE_OBJECT_IDENTIFIER, 1031 PROP_NAME, 1032 }; 1033 MTPData *d = usb_mtp_data_alloc(c); 1034 usb_mtp_add_u16_array(d, ARRAY_SIZE(props), props); 1035 1036 return d; 1037 } 1038 usb_mtp_get_object_prop_desc(MTPState * s,MTPControl * c)1039 static MTPData *usb_mtp_get_object_prop_desc(MTPState *s, MTPControl *c) 1040 { 1041 MTPData *d = usb_mtp_data_alloc(c); 1042 switch (c->argv[0]) { 1043 case PROP_STORAGE_ID: 1044 usb_mtp_add_u16(d, PROP_STORAGE_ID); 1045 usb_mtp_add_u16(d, DATA_TYPE_UINT32); 1046 usb_mtp_add_u8(d, 0x00); 1047 usb_mtp_add_u32(d, 0x00000000); 1048 usb_mtp_add_u32(d, 0x00000000); 1049 usb_mtp_add_u8(d, 0x00); 1050 break; 1051 case PROP_OBJECT_FORMAT: 1052 usb_mtp_add_u16(d, PROP_OBJECT_FORMAT); 1053 usb_mtp_add_u16(d, DATA_TYPE_UINT16); 1054 usb_mtp_add_u8(d, 0x00); 1055 usb_mtp_add_u16(d, 0x0000); 1056 usb_mtp_add_u32(d, 0x00000000); 1057 usb_mtp_add_u8(d, 0x00); 1058 break; 1059 case PROP_OBJECT_COMPRESSED_SIZE: 1060 usb_mtp_add_u16(d, PROP_OBJECT_COMPRESSED_SIZE); 1061 usb_mtp_add_u16(d, DATA_TYPE_UINT64); 1062 usb_mtp_add_u8(d, 0x00); 1063 usb_mtp_add_u64(d, 0x0000000000000000); 1064 usb_mtp_add_u32(d, 0x00000000); 1065 usb_mtp_add_u8(d, 0x00); 1066 break; 1067 case PROP_PARENT_OBJECT: 1068 usb_mtp_add_u16(d, PROP_PARENT_OBJECT); 1069 usb_mtp_add_u16(d, DATA_TYPE_UINT32); 1070 usb_mtp_add_u8(d, 0x00); 1071 usb_mtp_add_u32(d, 0x00000000); 1072 usb_mtp_add_u32(d, 0x00000000); 1073 usb_mtp_add_u8(d, 0x00); 1074 break; 1075 case PROP_PERSISTENT_UNIQUE_OBJECT_IDENTIFIER: 1076 usb_mtp_add_u16(d, PROP_PERSISTENT_UNIQUE_OBJECT_IDENTIFIER); 1077 usb_mtp_add_u16(d, DATA_TYPE_UINT128); 1078 usb_mtp_add_u8(d, 0x00); 1079 usb_mtp_add_u64(d, 0x0000000000000000); 1080 usb_mtp_add_u64(d, 0x0000000000000000); 1081 usb_mtp_add_u32(d, 0x00000000); 1082 usb_mtp_add_u8(d, 0x00); 1083 break; 1084 case PROP_NAME: 1085 usb_mtp_add_u16(d, PROP_NAME); 1086 usb_mtp_add_u16(d, DATA_TYPE_STRING); 1087 usb_mtp_add_u8(d, 0x00); 1088 usb_mtp_add_u8(d, 0x00); 1089 usb_mtp_add_u32(d, 0x00000000); 1090 usb_mtp_add_u8(d, 0x00); 1091 break; 1092 default: 1093 usb_mtp_data_free(d); 1094 return NULL; 1095 } 1096 1097 return d; 1098 } 1099 usb_mtp_get_object_prop_value(MTPState * s,MTPControl * c,MTPObject * o)1100 static MTPData *usb_mtp_get_object_prop_value(MTPState *s, MTPControl *c, 1101 MTPObject *o) 1102 { 1103 MTPData *d = usb_mtp_data_alloc(c); 1104 switch (c->argv[1]) { 1105 case PROP_STORAGE_ID: 1106 usb_mtp_add_u32(d, QEMU_STORAGE_ID); 1107 break; 1108 case PROP_OBJECT_FORMAT: 1109 usb_mtp_add_u16(d, o->format); 1110 break; 1111 case PROP_OBJECT_COMPRESSED_SIZE: 1112 usb_mtp_add_u64(d, o->stat.st_size); 1113 break; 1114 case PROP_PARENT_OBJECT: 1115 if (o->parent == NULL) { 1116 usb_mtp_add_u32(d, 0x00000000); 1117 } else { 1118 usb_mtp_add_u32(d, o->parent->handle); 1119 } 1120 break; 1121 case PROP_PERSISTENT_UNIQUE_OBJECT_IDENTIFIER: 1122 /* Should be persistent between sessions, 1123 * but using our objedt ID is "good enough" 1124 * for now */ 1125 usb_mtp_add_u64(d, 0x0000000000000000); 1126 usb_mtp_add_u64(d, o->handle); 1127 break; 1128 case PROP_NAME: 1129 usb_mtp_add_str(d, o->name); 1130 break; 1131 default: 1132 usb_mtp_data_free(d); 1133 return NULL; 1134 } 1135 1136 return d; 1137 } 1138 1139 /* 1140 * Return values when object @o is deleted. 1141 * If at least one of the deletions succeeded, 1142 * DELETE_SUCCESS is set and if at least one 1143 * of the deletions failed, DELETE_FAILURE is 1144 * set. Both bits being set (DELETE_PARTIAL) 1145 * signifies a RES_PARTIAL_DELETE being sent 1146 * back to the initiator. 1147 */ 1148 enum { 1149 DELETE_SUCCESS = (1 << 0), 1150 DELETE_FAILURE = (1 << 1), 1151 DELETE_PARTIAL = (DELETE_FAILURE | DELETE_SUCCESS), 1152 }; 1153 usb_mtp_deletefn(MTPState * s,MTPObject * o,uint32_t trans)1154 static int usb_mtp_deletefn(MTPState *s, MTPObject *o, uint32_t trans) 1155 { 1156 MTPObject *iter, *iter2; 1157 int ret = 0; 1158 1159 /* 1160 * TODO: Add support for Protection Status 1161 */ 1162 1163 QLIST_FOREACH(iter, &o->children, list) { 1164 if (iter->format == FMT_ASSOCIATION) { 1165 QLIST_FOREACH(iter2, &iter->children, list) { 1166 ret |= usb_mtp_deletefn(s, iter2, trans); 1167 } 1168 } 1169 } 1170 1171 if (o->format == FMT_UNDEFINED_OBJECT) { 1172 if (remove(o->path)) { 1173 ret |= DELETE_FAILURE; 1174 } else { 1175 usb_mtp_object_free(s, o); 1176 ret |= DELETE_SUCCESS; 1177 } 1178 } else if (o->format == FMT_ASSOCIATION) { 1179 if (rmdir(o->path)) { 1180 ret |= DELETE_FAILURE; 1181 } else { 1182 usb_mtp_object_free(s, o); 1183 ret |= DELETE_SUCCESS; 1184 } 1185 } 1186 1187 return ret; 1188 } 1189 usb_mtp_object_delete(MTPState * s,uint32_t handle,uint32_t format_code,uint32_t trans)1190 static void usb_mtp_object_delete(MTPState *s, uint32_t handle, 1191 uint32_t format_code, uint32_t trans) 1192 { 1193 MTPObject *o; 1194 int ret; 1195 1196 /* Return error if store is read-only */ 1197 if (!FLAG_SET(s, MTP_FLAG_WRITABLE)) { 1198 usb_mtp_queue_result(s, RES_STORE_READ_ONLY, 1199 trans, 0, 0, 0, 0); 1200 return; 1201 } 1202 1203 if (format_code != 0) { 1204 usb_mtp_queue_result(s, RES_SPEC_BY_FORMAT_UNSUPPORTED, 1205 trans, 0, 0, 0, 0); 1206 return; 1207 } 1208 1209 if (handle == 0xFFFFFFF) { 1210 o = QTAILQ_FIRST(&s->objects); 1211 } else { 1212 o = usb_mtp_object_lookup(s, handle); 1213 } 1214 if (o == NULL) { 1215 usb_mtp_queue_result(s, RES_INVALID_OBJECT_HANDLE, 1216 trans, 0, 0, 0, 0); 1217 return; 1218 } 1219 1220 ret = usb_mtp_deletefn(s, o, trans); 1221 switch (ret) { 1222 case DELETE_SUCCESS: 1223 usb_mtp_queue_result(s, RES_OK, trans, 1224 0, 0, 0, 0); 1225 break; 1226 case DELETE_FAILURE: 1227 usb_mtp_queue_result(s, RES_PARTIAL_DELETE, 1228 trans, 0, 0, 0, 0); 1229 break; 1230 case DELETE_PARTIAL: 1231 usb_mtp_queue_result(s, RES_PARTIAL_DELETE, 1232 trans, 0, 0, 0, 0); 1233 break; 1234 default: 1235 g_assert_not_reached(); 1236 } 1237 } 1238 usb_mtp_command(MTPState * s,MTPControl * c)1239 static void usb_mtp_command(MTPState *s, MTPControl *c) 1240 { 1241 MTPData *data_in = NULL; 1242 MTPObject *o = NULL; 1243 uint32_t nres = 0, res0 = 0; 1244 Error *err = NULL; 1245 1246 /* sanity checks */ 1247 if (c->code >= CMD_CLOSE_SESSION && s->session == 0) { 1248 usb_mtp_queue_result(s, RES_SESSION_NOT_OPEN, 1249 c->trans, 0, 0, 0, 0); 1250 return; 1251 } 1252 1253 /* process commands */ 1254 switch (c->code) { 1255 case CMD_GET_DEVICE_INFO: 1256 data_in = usb_mtp_get_device_info(s, c); 1257 break; 1258 case CMD_OPEN_SESSION: 1259 if (s->session) { 1260 usb_mtp_queue_result(s, RES_SESSION_ALREADY_OPEN, 1261 c->trans, 1, s->session, 0, 0); 1262 return; 1263 } 1264 if (c->argv[0] == 0) { 1265 usb_mtp_queue_result(s, RES_INVALID_PARAMETER, 1266 c->trans, 0, 0, 0, 0); 1267 return; 1268 } 1269 trace_usb_mtp_op_open_session(s->dev.addr); 1270 s->session = c->argv[0]; 1271 usb_mtp_object_alloc(s, s->next_handle++, NULL, s->root); 1272 1273 s->file_monitor = qemu_file_monitor_new(&err); 1274 if (err) { 1275 error_reportf_err(err, 1276 "usb-mtp: file monitoring init failed: "); 1277 } else { 1278 QTAILQ_INIT(&s->events); 1279 } 1280 break; 1281 case CMD_CLOSE_SESSION: 1282 trace_usb_mtp_op_close_session(s->dev.addr); 1283 s->session = 0; 1284 s->next_handle = 0; 1285 usb_mtp_file_monitor_cleanup(s); 1286 usb_mtp_object_free(s, QTAILQ_FIRST(&s->objects)); 1287 assert(QTAILQ_EMPTY(&s->objects)); 1288 break; 1289 case CMD_GET_STORAGE_IDS: 1290 data_in = usb_mtp_get_storage_ids(s, c); 1291 break; 1292 case CMD_GET_STORAGE_INFO: 1293 if (c->argv[0] != QEMU_STORAGE_ID && 1294 c->argv[0] != 0xffffffff) { 1295 usb_mtp_queue_result(s, RES_INVALID_STORAGE_ID, 1296 c->trans, 0, 0, 0, 0); 1297 return; 1298 } 1299 data_in = usb_mtp_get_storage_info(s, c); 1300 break; 1301 case CMD_GET_NUM_OBJECTS: 1302 case CMD_GET_OBJECT_HANDLES: 1303 if (c->argv[0] != QEMU_STORAGE_ID && 1304 c->argv[0] != 0xffffffff) { 1305 usb_mtp_queue_result(s, RES_INVALID_STORAGE_ID, 1306 c->trans, 0, 0, 0, 0); 1307 return; 1308 } 1309 if (c->argv[1] != 0x00000000) { 1310 usb_mtp_queue_result(s, RES_SPEC_BY_FORMAT_UNSUPPORTED, 1311 c->trans, 0, 0, 0, 0); 1312 return; 1313 } 1314 if (c->argv[2] == 0x00000000 || 1315 c->argv[2] == 0xffffffff) { 1316 o = QTAILQ_FIRST(&s->objects); 1317 } else { 1318 o = usb_mtp_object_lookup(s, c->argv[2]); 1319 } 1320 if (o == NULL) { 1321 usb_mtp_queue_result(s, RES_INVALID_OBJECT_HANDLE, 1322 c->trans, 0, 0, 0, 0); 1323 return; 1324 } 1325 if (o->format != FMT_ASSOCIATION) { 1326 usb_mtp_queue_result(s, RES_INVALID_PARENT_OBJECT, 1327 c->trans, 0, 0, 0, 0); 1328 return; 1329 } 1330 usb_mtp_object_readdir(s, o); 1331 if (c->code == CMD_GET_NUM_OBJECTS) { 1332 trace_usb_mtp_op_get_num_objects(s->dev.addr, o->handle, o->path); 1333 nres = 1; 1334 res0 = o->nchildren; 1335 } else { 1336 data_in = usb_mtp_get_object_handles(s, c, o); 1337 } 1338 break; 1339 case CMD_GET_OBJECT_INFO: 1340 o = usb_mtp_object_lookup(s, c->argv[0]); 1341 if (o == NULL) { 1342 usb_mtp_queue_result(s, RES_INVALID_OBJECT_HANDLE, 1343 c->trans, 0, 0, 0, 0); 1344 return; 1345 } 1346 data_in = usb_mtp_get_object_info(s, c, o); 1347 break; 1348 case CMD_GET_OBJECT: 1349 o = usb_mtp_object_lookup(s, c->argv[0]); 1350 if (o == NULL) { 1351 usb_mtp_queue_result(s, RES_INVALID_OBJECT_HANDLE, 1352 c->trans, 0, 0, 0, 0); 1353 return; 1354 } 1355 if (o->format == FMT_ASSOCIATION) { 1356 usb_mtp_queue_result(s, RES_INVALID_OBJECT_HANDLE, 1357 c->trans, 0, 0, 0, 0); 1358 return; 1359 } 1360 data_in = usb_mtp_get_object(s, c, o); 1361 if (data_in == NULL) { 1362 usb_mtp_queue_result(s, RES_GENERAL_ERROR, 1363 c->trans, 0, 0, 0, 0); 1364 return; 1365 } 1366 break; 1367 case CMD_DELETE_OBJECT: 1368 usb_mtp_object_delete(s, c->argv[0], c->argv[1], c->trans); 1369 return; 1370 case CMD_GET_PARTIAL_OBJECT: 1371 o = usb_mtp_object_lookup(s, c->argv[0]); 1372 if (o == NULL) { 1373 usb_mtp_queue_result(s, RES_INVALID_OBJECT_HANDLE, 1374 c->trans, 0, 0, 0, 0); 1375 return; 1376 } 1377 if (o->format == FMT_ASSOCIATION) { 1378 usb_mtp_queue_result(s, RES_INVALID_OBJECT_HANDLE, 1379 c->trans, 0, 0, 0, 0); 1380 return; 1381 } 1382 data_in = usb_mtp_get_partial_object(s, c, o); 1383 if (data_in == NULL) { 1384 usb_mtp_queue_result(s, RES_GENERAL_ERROR, 1385 c->trans, 0, 0, 0, 0); 1386 return; 1387 } 1388 nres = 1; 1389 res0 = data_in->length; 1390 break; 1391 case CMD_SEND_OBJECT_INFO: 1392 /* Return error if store is read-only */ 1393 if (!FLAG_SET(s, MTP_FLAG_WRITABLE)) { 1394 usb_mtp_queue_result(s, RES_STORE_READ_ONLY, 1395 c->trans, 0, 0, 0, 0); 1396 } else if (c->argv[0] && (c->argv[0] != QEMU_STORAGE_ID)) { 1397 /* First parameter points to storage id or is 0 */ 1398 usb_mtp_queue_result(s, RES_STORE_NOT_AVAILABLE, c->trans, 1399 0, 0, 0, 0); 1400 } else if (c->argv[1] && !c->argv[0]) { 1401 /* If second parameter is specified, first must also be specified */ 1402 usb_mtp_queue_result(s, RES_DESTINATION_UNSUPPORTED, c->trans, 1403 0, 0, 0, 0); 1404 } else { 1405 uint32_t handle = c->argv[1]; 1406 if (handle == 0xFFFFFFFF || handle == 0) { 1407 /* root object */ 1408 o = QTAILQ_FIRST(&s->objects); 1409 } else { 1410 o = usb_mtp_object_lookup(s, handle); 1411 } 1412 if (o == NULL) { 1413 usb_mtp_queue_result(s, RES_INVALID_OBJECT_HANDLE, c->trans, 1414 0, 0, 0, 0); 1415 } else if (o->format != FMT_ASSOCIATION) { 1416 usb_mtp_queue_result(s, RES_INVALID_PARENT_OBJECT, c->trans, 1417 0, 0, 0, 0); 1418 } 1419 } 1420 if (o) { 1421 s->dataset.parent_handle = o->handle; 1422 } 1423 s->data_out = usb_mtp_data_alloc(c); 1424 return; 1425 case CMD_SEND_OBJECT: 1426 if (!FLAG_SET(s, MTP_FLAG_WRITABLE)) { 1427 usb_mtp_queue_result(s, RES_STORE_READ_ONLY, 1428 c->trans, 0, 0, 0, 0); 1429 return; 1430 } 1431 if (!s->write_pending) { 1432 usb_mtp_queue_result(s, RES_INVALID_OBJECTINFO, 1433 c->trans, 0, 0, 0, 0); 1434 return; 1435 } 1436 s->data_out = usb_mtp_data_alloc(c); 1437 return; 1438 case CMD_GET_OBJECT_PROPS_SUPPORTED: 1439 if (c->argv[0] != FMT_UNDEFINED_OBJECT && 1440 c->argv[0] != FMT_ASSOCIATION) { 1441 usb_mtp_queue_result(s, RES_INVALID_OBJECT_FORMAT_CODE, 1442 c->trans, 0, 0, 0, 0); 1443 return; 1444 } 1445 data_in = usb_mtp_get_object_props_supported(s, c); 1446 break; 1447 case CMD_GET_OBJECT_PROP_DESC: 1448 if (c->argv[1] != FMT_UNDEFINED_OBJECT && 1449 c->argv[1] != FMT_ASSOCIATION) { 1450 usb_mtp_queue_result(s, RES_INVALID_OBJECT_FORMAT_CODE, 1451 c->trans, 0, 0, 0, 0); 1452 return; 1453 } 1454 data_in = usb_mtp_get_object_prop_desc(s, c); 1455 if (data_in == NULL) { 1456 usb_mtp_queue_result(s, RES_INVALID_OBJECT_PROP_CODE, 1457 c->trans, 0, 0, 0, 0); 1458 return; 1459 } 1460 break; 1461 case CMD_GET_OBJECT_PROP_VALUE: 1462 o = usb_mtp_object_lookup(s, c->argv[0]); 1463 if (o == NULL) { 1464 usb_mtp_queue_result(s, RES_INVALID_OBJECT_HANDLE, 1465 c->trans, 0, 0, 0, 0); 1466 return; 1467 } 1468 data_in = usb_mtp_get_object_prop_value(s, c, o); 1469 if (data_in == NULL) { 1470 usb_mtp_queue_result(s, RES_INVALID_OBJECT_PROP_CODE, 1471 c->trans, 0, 0, 0, 0); 1472 return; 1473 } 1474 break; 1475 default: 1476 trace_usb_mtp_op_unknown(s->dev.addr, c->code); 1477 usb_mtp_queue_result(s, RES_OPERATION_NOT_SUPPORTED, 1478 c->trans, 0, 0, 0, 0); 1479 return; 1480 } 1481 1482 /* return results on success */ 1483 if (data_in) { 1484 assert(s->data_in == NULL); 1485 s->data_in = data_in; 1486 } 1487 usb_mtp_queue_result(s, RES_OK, c->trans, nres, res0, 0, 0); 1488 } 1489 1490 /* ----------------------------------------------------------------------- */ 1491 usb_mtp_handle_reset(USBDevice * dev)1492 static void usb_mtp_handle_reset(USBDevice *dev) 1493 { 1494 MTPState *s = USB_MTP(dev); 1495 1496 trace_usb_mtp_reset(s->dev.addr); 1497 1498 usb_mtp_file_monitor_cleanup(s); 1499 usb_mtp_object_free(s, QTAILQ_FIRST(&s->objects)); 1500 s->session = 0; 1501 usb_mtp_data_free(s->data_in); 1502 s->data_in = NULL; 1503 usb_mtp_data_free(s->data_out); 1504 s->data_out = NULL; 1505 g_free(s->result); 1506 s->result = NULL; 1507 } 1508 usb_mtp_handle_control(USBDevice * dev,USBPacket * p,int request,int value,int index,int length,uint8_t * data)1509 static void usb_mtp_handle_control(USBDevice *dev, USBPacket *p, 1510 int request, int value, int index, 1511 int length, uint8_t *data) 1512 { 1513 int ret; 1514 MTPState *s = USB_MTP(dev); 1515 uint16_t *event = (uint16_t *)data; 1516 1517 switch (request) { 1518 case ClassInterfaceOutRequest | 0x64: 1519 if (*event == EVT_CANCEL_TRANSACTION) { 1520 g_free(s->result); 1521 s->result = NULL; 1522 usb_mtp_data_free(s->data_in); 1523 s->data_in = NULL; 1524 if (s->write_pending) { 1525 g_free(s->dataset.filename); 1526 s->write_pending = false; 1527 s->dataset.size = 0; 1528 } 1529 usb_mtp_data_free(s->data_out); 1530 s->data_out = NULL; 1531 } else { 1532 p->status = USB_RET_STALL; 1533 } 1534 break; 1535 default: 1536 ret = usb_desc_handle_control(dev, p, request, 1537 value, index, length, data); 1538 if (ret >= 0) { 1539 return; 1540 } 1541 } 1542 1543 trace_usb_mtp_stall(dev->addr, "unknown control request"); 1544 } 1545 usb_mtp_cancel_packet(USBDevice * dev,USBPacket * p)1546 static void usb_mtp_cancel_packet(USBDevice *dev, USBPacket *p) 1547 { 1548 /* we don't use async packets, so this should never be called */ 1549 fprintf(stderr, "%s\n", __func__); 1550 } 1551 utf16_to_str(uint8_t len,uint8_t * str16)1552 static char *utf16_to_str(uint8_t len, uint8_t *str16) 1553 { 1554 wchar_t *wstr = g_new0(wchar_t, len + 1); 1555 int count, dlen; 1556 char *dest; 1557 1558 for (count = 0; count < len; count++) { 1559 /* FIXME: not working for surrogate pairs */ 1560 wstr[count] = lduw_le_p(str16 + (count * 2)); 1561 } 1562 wstr[count] = 0; 1563 1564 dlen = wcstombs(NULL, wstr, 0) + 1; 1565 dest = g_malloc(dlen); 1566 wcstombs(dest, wstr, dlen); 1567 g_free(wstr); 1568 return dest; 1569 } 1570 1571 /* Wrapper around write, returns 0 on failure */ write_retry(int fd,void * buf,uint64_t size,off_t offset)1572 static uint64_t write_retry(int fd, void *buf, uint64_t size, off_t offset) 1573 { 1574 uint64_t ret = 0; 1575 1576 if (lseek(fd, offset, SEEK_SET) < 0) { 1577 goto done; 1578 } 1579 1580 ret = qemu_write_full(fd, buf, size); 1581 1582 done: 1583 return ret; 1584 } 1585 usb_mtp_update_object(MTPObject * parent,char * name)1586 static int usb_mtp_update_object(MTPObject *parent, char *name) 1587 { 1588 int ret = 0; 1589 1590 MTPObject *o = 1591 usb_mtp_object_lookup_name(parent, name, strlen(name)); 1592 1593 if (o) { 1594 ret = lstat(o->path, &o->stat); 1595 } 1596 1597 return ret; 1598 } 1599 usb_mtp_write_data(MTPState * s,uint32_t handle)1600 static void usb_mtp_write_data(MTPState *s, uint32_t handle) 1601 { 1602 MTPData *d = s->data_out; 1603 MTPObject *parent = 1604 usb_mtp_object_lookup(s, s->dataset.parent_handle); 1605 char *path = NULL; 1606 uint64_t rc; 1607 mode_t mask = 0755; 1608 int ret = 0; 1609 1610 assert(d != NULL); 1611 1612 switch (d->write_status) { 1613 case WRITE_START: 1614 if (!parent || !s->write_pending) { 1615 usb_mtp_queue_result(s, RES_INVALID_OBJECTINFO, d->trans, 1616 0, 0, 0, 0); 1617 return; 1618 } 1619 1620 if (s->dataset.filename) { 1621 path = g_strdup_printf("%s/%s", parent->path, s->dataset.filename); 1622 if (s->dataset.format == FMT_ASSOCIATION) { 1623 ret = g_mkdir(path, mask); 1624 if (!ret) { 1625 usb_mtp_queue_result(s, RES_OK, d->trans, 3, 1626 QEMU_STORAGE_ID, 1627 s->dataset.parent_handle, 1628 handle); 1629 goto close; 1630 } 1631 goto done; 1632 } 1633 1634 d->fd = open(path, O_CREAT | O_WRONLY | 1635 O_CLOEXEC | O_NOFOLLOW, mask & 0666); 1636 if (d->fd == -1) { 1637 ret = 1; 1638 goto done; 1639 } 1640 1641 /* Return success if initiator sent 0 sized data */ 1642 if (!s->dataset.size) { 1643 goto done; 1644 } 1645 if (d->length != MTP_WRITE_BUF_SZ && !d->pending) { 1646 d->write_status = WRITE_END; 1647 } 1648 } 1649 /* fall through */ 1650 case WRITE_CONTINUE: 1651 case WRITE_END: 1652 rc = write_retry(d->fd, d->data, d->data_offset, 1653 d->offset - d->data_offset); 1654 if (rc != d->data_offset) { 1655 ret = 1; 1656 goto done; 1657 } 1658 if (d->write_status != WRITE_END) { 1659 g_free(path); 1660 return; 1661 } else { 1662 /* 1663 * Return an incomplete transfer if file size doesn't match 1664 * for < 4G file or if lstat fails which will result in an incorrect 1665 * file size 1666 */ 1667 if ((s->dataset.size != 0xFFFFFFFF && 1668 d->offset != s->dataset.size) || 1669 usb_mtp_update_object(parent, s->dataset.filename)) { 1670 usb_mtp_queue_result(s, RES_INCOMPLETE_TRANSFER, d->trans, 1671 0, 0, 0, 0); 1672 goto close; 1673 } 1674 } 1675 } 1676 1677 done: 1678 if (ret) { 1679 usb_mtp_queue_result(s, RES_STORE_FULL, d->trans, 1680 0, 0, 0, 0); 1681 } else { 1682 usb_mtp_queue_result(s, RES_OK, d->trans, 1683 0, 0, 0, 0); 1684 } 1685 close: 1686 /* 1687 * The write dataset is kept around and freed only 1688 * on success or if another write request comes in 1689 */ 1690 if (d->fd != -1) { 1691 close(d->fd); 1692 d->fd = -1; 1693 } 1694 g_free(s->dataset.filename); 1695 s->dataset.size = 0; 1696 g_free(path); 1697 s->write_pending = false; 1698 } 1699 usb_mtp_write_metadata(MTPState * s,uint64_t dlen)1700 static void usb_mtp_write_metadata(MTPState *s, uint64_t dlen) 1701 { 1702 MTPData *d = s->data_out; 1703 ObjectInfo *dataset = (ObjectInfo *)d->data; 1704 char *filename; 1705 MTPObject *o; 1706 MTPObject *p = usb_mtp_object_lookup(s, s->dataset.parent_handle); 1707 uint32_t next_handle = s->next_handle; 1708 size_t filename_chars = dlen - offsetof(ObjectInfo, filename); 1709 1710 /* 1711 * filename is utf-16. We're intentionally doing 1712 * integer division to truncate if malicious guest 1713 * sent an odd number of bytes. 1714 */ 1715 filename_chars /= 2; 1716 1717 assert(!s->write_pending); 1718 assert(p != NULL); 1719 1720 filename = utf16_to_str(MIN(dataset->length, filename_chars), 1721 dataset->filename); 1722 1723 if (strchr(filename, '/')) { 1724 usb_mtp_queue_result(s, RES_PARAMETER_NOT_SUPPORTED, d->trans, 1725 0, 0, 0, 0); 1726 g_free(filename); 1727 return; 1728 } 1729 1730 o = usb_mtp_object_lookup_name(p, filename, -1); 1731 if (o != NULL) { 1732 next_handle = o->handle; 1733 } 1734 1735 s->dataset.filename = filename; 1736 s->dataset.format = dataset->format; 1737 s->dataset.size = dataset->size; 1738 s->write_pending = true; 1739 1740 if (s->dataset.format == FMT_ASSOCIATION) { 1741 usb_mtp_write_data(s, next_handle); 1742 } else { 1743 usb_mtp_queue_result(s, RES_OK, d->trans, 3, QEMU_STORAGE_ID, 1744 s->dataset.parent_handle, next_handle); 1745 } 1746 } 1747 usb_mtp_get_data(MTPState * s,mtp_container * container,USBPacket * p)1748 static void usb_mtp_get_data(MTPState *s, mtp_container *container, 1749 USBPacket *p) 1750 { 1751 MTPData *d = s->data_out; 1752 uint64_t dlen; 1753 uint32_t data_len = p->iov.size; 1754 uint64_t total_len; 1755 1756 if (!d) { 1757 usb_mtp_queue_result(s, RES_INVALID_OBJECTINFO, 0, 1758 0, 0, 0, 0); 1759 return; 1760 } 1761 if (d->first) { 1762 /* Total length of incoming data */ 1763 total_len = cpu_to_le32(container->length) - sizeof(mtp_container); 1764 /* Length of data in this packet */ 1765 data_len -= sizeof(mtp_container); 1766 if (total_len < MTP_WRITE_BUF_SZ) { 1767 usb_mtp_realloc(d, total_len); 1768 d->length += total_len; 1769 } else { 1770 usb_mtp_realloc(d, MTP_WRITE_BUF_SZ - sizeof(mtp_container)); 1771 d->length += MTP_WRITE_BUF_SZ - sizeof(mtp_container); 1772 } 1773 d->offset = 0; 1774 d->first = false; 1775 d->pending = false; 1776 d->data_offset = 0; 1777 d->write_status = WRITE_START; 1778 } 1779 1780 if (d->pending) { 1781 memset(d->data, 0, d->length); 1782 if (d->length != MTP_WRITE_BUF_SZ) { 1783 usb_mtp_realloc(d, MTP_WRITE_BUF_SZ - d->length); 1784 d->length += (MTP_WRITE_BUF_SZ - d->length); 1785 } 1786 d->pending = false; 1787 d->write_status = WRITE_CONTINUE; 1788 d->data_offset = 0; 1789 } 1790 1791 if (d->length - d->data_offset > data_len) { 1792 dlen = data_len; 1793 } else { 1794 dlen = d->length - d->data_offset; 1795 } 1796 1797 switch (d->code) { 1798 case CMD_SEND_OBJECT_INFO: 1799 usb_packet_copy(p, d->data + d->data_offset, dlen); 1800 d->offset += dlen; 1801 d->data_offset += dlen; 1802 if (d->data_offset == d->length) { 1803 /* The operation might have already failed */ 1804 if (!s->result) { 1805 usb_mtp_write_metadata(s, dlen); 1806 } 1807 usb_mtp_data_free(s->data_out); 1808 s->data_out = NULL; 1809 return; 1810 } 1811 break; 1812 case CMD_SEND_OBJECT: 1813 usb_packet_copy(p, d->data + d->data_offset, dlen); 1814 d->offset += dlen; 1815 d->data_offset += dlen; 1816 if ((p->iov.size % 64) || !p->iov.size) { 1817 assert((s->dataset.size == 0xFFFFFFFF) || 1818 (s->dataset.size == d->offset)); 1819 1820 if (d->length == MTP_WRITE_BUF_SZ) { 1821 d->write_status = WRITE_END; 1822 } else { 1823 d->write_status = WRITE_START; 1824 } 1825 usb_mtp_write_data(s, 0); 1826 usb_mtp_data_free(s->data_out); 1827 s->data_out = NULL; 1828 return; 1829 } 1830 if (d->data_offset == d->length) { 1831 d->pending = true; 1832 usb_mtp_write_data(s, 0); 1833 } 1834 break; 1835 default: 1836 p->status = USB_RET_STALL; 1837 return; 1838 } 1839 } 1840 usb_mtp_handle_data(USBDevice * dev,USBPacket * p)1841 static void usb_mtp_handle_data(USBDevice *dev, USBPacket *p) 1842 { 1843 MTPState *s = USB_MTP(dev); 1844 MTPControl cmd; 1845 mtp_container container; 1846 uint32_t params[5]; 1847 uint16_t container_type; 1848 int i, rc; 1849 1850 switch (p->ep->nr) { 1851 case EP_DATA_IN: 1852 if (s->data_out != NULL) { 1853 /* guest bug */ 1854 trace_usb_mtp_stall(s->dev.addr, "awaiting data-out"); 1855 p->status = USB_RET_STALL; 1856 return; 1857 } 1858 if (p->iov.size < sizeof(container)) { 1859 trace_usb_mtp_stall(s->dev.addr, "packet too small"); 1860 p->status = USB_RET_STALL; 1861 return; 1862 } 1863 if (s->data_in != NULL) { 1864 MTPData *d = s->data_in; 1865 uint64_t dlen = d->length - d->offset; 1866 if (d->first) { 1867 trace_usb_mtp_data_in(s->dev.addr, d->trans, d->length); 1868 if (d->length + sizeof(container) > 0xFFFFFFFF) { 1869 container.length = cpu_to_le32(0xFFFFFFFF); 1870 } else { 1871 container.length = 1872 cpu_to_le32(d->length + sizeof(container)); 1873 } 1874 container.type = cpu_to_le16(TYPE_DATA); 1875 container.code = cpu_to_le16(d->code); 1876 container.trans = cpu_to_le32(d->trans); 1877 usb_packet_copy(p, &container, sizeof(container)); 1878 d->first = false; 1879 if (dlen > p->iov.size - sizeof(container)) { 1880 dlen = p->iov.size - sizeof(container); 1881 } 1882 } else { 1883 if (dlen > p->iov.size) { 1884 dlen = p->iov.size; 1885 } 1886 } 1887 if (d->fd == -1) { 1888 usb_packet_copy(p, d->data + d->offset, dlen); 1889 } else { 1890 if (d->alloc < p->iov.size) { 1891 d->alloc = p->iov.size; 1892 d->data = g_realloc(d->data, d->alloc); 1893 } 1894 rc = read(d->fd, d->data, dlen); 1895 if (rc != dlen) { 1896 memset(d->data, 0, dlen); 1897 s->result->code = RES_INCOMPLETE_TRANSFER; 1898 } 1899 usb_packet_copy(p, d->data, dlen); 1900 } 1901 d->offset += dlen; 1902 if (d->offset == d->length) { 1903 usb_mtp_data_free(s->data_in); 1904 s->data_in = NULL; 1905 } 1906 } else if (s->result != NULL) { 1907 MTPControl *r = s->result; 1908 int length = sizeof(container) + r->argc * sizeof(uint32_t); 1909 if (r->code == RES_OK) { 1910 trace_usb_mtp_success(s->dev.addr, r->trans, 1911 (r->argc > 0) ? r->argv[0] : 0, 1912 (r->argc > 1) ? r->argv[1] : 0); 1913 } else { 1914 trace_usb_mtp_error(s->dev.addr, r->code, r->trans, 1915 (r->argc > 0) ? r->argv[0] : 0, 1916 (r->argc > 1) ? r->argv[1] : 0); 1917 } 1918 container.length = cpu_to_le32(length); 1919 container.type = cpu_to_le16(TYPE_RESPONSE); 1920 container.code = cpu_to_le16(r->code); 1921 container.trans = cpu_to_le32(r->trans); 1922 for (i = 0; i < r->argc; i++) { 1923 params[i] = cpu_to_le32(r->argv[i]); 1924 } 1925 usb_packet_copy(p, &container, sizeof(container)); 1926 usb_packet_copy(p, ¶ms, length - sizeof(container)); 1927 g_free(s->result); 1928 s->result = NULL; 1929 } 1930 break; 1931 case EP_DATA_OUT: 1932 if (p->iov.size < sizeof(container)) { 1933 trace_usb_mtp_stall(s->dev.addr, "packet too small"); 1934 p->status = USB_RET_STALL; 1935 return; 1936 } 1937 if ((s->data_out != NULL) && !s->data_out->first) { 1938 container_type = TYPE_DATA; 1939 } else { 1940 usb_packet_copy(p, &container, sizeof(container)); 1941 container_type = le16_to_cpu(container.type); 1942 } 1943 switch (container_type) { 1944 case TYPE_COMMAND: 1945 if (s->data_in || s->data_out || s->result) { 1946 trace_usb_mtp_stall(s->dev.addr, "transaction inflight"); 1947 p->status = USB_RET_STALL; 1948 return; 1949 } 1950 cmd.code = le16_to_cpu(container.code); 1951 cmd.argc = (le32_to_cpu(container.length) - sizeof(container)) 1952 / sizeof(uint32_t); 1953 cmd.trans = le32_to_cpu(container.trans); 1954 if (cmd.argc > ARRAY_SIZE(cmd.argv)) { 1955 cmd.argc = ARRAY_SIZE(cmd.argv); 1956 } 1957 if (p->iov.size < sizeof(container) + cmd.argc * sizeof(uint32_t)) { 1958 trace_usb_mtp_stall(s->dev.addr, "packet too small"); 1959 p->status = USB_RET_STALL; 1960 return; 1961 } 1962 usb_packet_copy(p, ¶ms, cmd.argc * sizeof(uint32_t)); 1963 for (i = 0; i < cmd.argc; i++) { 1964 cmd.argv[i] = le32_to_cpu(params[i]); 1965 } 1966 trace_usb_mtp_command(s->dev.addr, cmd.code, cmd.trans, 1967 (cmd.argc > 0) ? cmd.argv[0] : 0, 1968 (cmd.argc > 1) ? cmd.argv[1] : 0, 1969 (cmd.argc > 2) ? cmd.argv[2] : 0, 1970 (cmd.argc > 3) ? cmd.argv[3] : 0, 1971 (cmd.argc > 4) ? cmd.argv[4] : 0); 1972 usb_mtp_command(s, &cmd); 1973 break; 1974 case TYPE_DATA: 1975 /* One of the previous transfers has already errored but the 1976 * responder is still sending data associated with it 1977 */ 1978 if (s->result != NULL) { 1979 return; 1980 } 1981 usb_mtp_get_data(s, &container, p); 1982 break; 1983 default: 1984 /* not needed as long as the mtp device is read-only */ 1985 p->status = USB_RET_STALL; 1986 return; 1987 } 1988 break; 1989 case EP_EVENT: 1990 if (!QTAILQ_EMPTY(&s->events)) { 1991 struct MTPMonEntry *e = QTAILQ_LAST(&s->events); 1992 uint32_t handle; 1993 int len = sizeof(container) + sizeof(uint32_t); 1994 1995 if (p->iov.size < len) { 1996 trace_usb_mtp_stall(s->dev.addr, 1997 "packet too small to send event"); 1998 p->status = USB_RET_STALL; 1999 return; 2000 } 2001 2002 QTAILQ_REMOVE(&s->events, e, next); 2003 container.length = cpu_to_le32(len); 2004 container.type = cpu_to_le32(TYPE_EVENT); 2005 container.code = cpu_to_le16(e->event); 2006 container.trans = 0; /* no trans specific events */ 2007 handle = cpu_to_le32(e->handle); 2008 usb_packet_copy(p, &container, sizeof(container)); 2009 usb_packet_copy(p, &handle, sizeof(uint32_t)); 2010 g_free(e); 2011 return; 2012 } 2013 p->status = USB_RET_NAK; 2014 return; 2015 default: 2016 trace_usb_mtp_stall(s->dev.addr, "invalid endpoint"); 2017 p->status = USB_RET_STALL; 2018 return; 2019 } 2020 2021 if (p->actual_length == 0) { 2022 trace_usb_mtp_nak(s->dev.addr, p->ep->nr); 2023 p->status = USB_RET_NAK; 2024 return; 2025 } else { 2026 trace_usb_mtp_xfer(s->dev.addr, p->ep->nr, p->actual_length, 2027 p->iov.size); 2028 return; 2029 } 2030 } 2031 usb_mtp_realize(USBDevice * dev,Error ** errp)2032 static void usb_mtp_realize(USBDevice *dev, Error **errp) 2033 { 2034 MTPState *s = USB_MTP(dev); 2035 2036 if ((s->root == NULL) || !g_path_is_absolute(s->root)) { 2037 error_setg(errp, "usb-mtp: rootdir must be configured and be an absolute path"); 2038 return; 2039 } 2040 2041 if (access(s->root, R_OK) != 0) { 2042 error_setg(errp, "usb-mtp: rootdir does not exist/not readable"); 2043 return; 2044 } else if (!s->readonly && access(s->root, W_OK) != 0) { 2045 error_setg(errp, "usb-mtp: rootdir does not have write permissions"); 2046 return; 2047 } 2048 2049 /* Mark store as RW */ 2050 if (!s->readonly) { 2051 s->flags |= (1 << MTP_FLAG_WRITABLE); 2052 } 2053 2054 if (s->desc == NULL) { 2055 /* 2056 * This does not check if path exists 2057 * but we have the checks above 2058 */ 2059 s->desc = g_path_get_basename(s->root); 2060 } 2061 2062 usb_desc_create_serial(dev); 2063 usb_desc_init(dev); 2064 QTAILQ_INIT(&s->objects); 2065 2066 } 2067 2068 static const VMStateDescription vmstate_usb_mtp = { 2069 .name = "usb-mtp", 2070 .unmigratable = 1, 2071 .version_id = 1, 2072 .minimum_version_id = 1, 2073 .fields = (const VMStateField[]) { 2074 VMSTATE_USB_DEVICE(dev, MTPState), 2075 VMSTATE_END_OF_LIST() 2076 } 2077 }; 2078 2079 static const Property mtp_properties[] = { 2080 DEFINE_PROP_STRING("rootdir", MTPState, root), 2081 DEFINE_PROP_STRING("desc", MTPState, desc), 2082 DEFINE_PROP_BOOL("readonly", MTPState, readonly, true), 2083 }; 2084 usb_mtp_class_initfn(ObjectClass * klass,const void * data)2085 static void usb_mtp_class_initfn(ObjectClass *klass, const void *data) 2086 { 2087 DeviceClass *dc = DEVICE_CLASS(klass); 2088 USBDeviceClass *uc = USB_DEVICE_CLASS(klass); 2089 2090 uc->realize = usb_mtp_realize; 2091 uc->product_desc = "QEMU USB MTP"; 2092 uc->usb_desc = &desc; 2093 uc->cancel_packet = usb_mtp_cancel_packet; 2094 uc->handle_attach = usb_desc_attach; 2095 uc->handle_reset = usb_mtp_handle_reset; 2096 uc->handle_control = usb_mtp_handle_control; 2097 uc->handle_data = usb_mtp_handle_data; 2098 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories); 2099 dc->desc = "USB Media Transfer Protocol device"; 2100 dc->fw_name = "mtp"; 2101 dc->vmsd = &vmstate_usb_mtp; 2102 device_class_set_props(dc, mtp_properties); 2103 } 2104 2105 static const TypeInfo mtp_info = { 2106 .name = TYPE_USB_MTP, 2107 .parent = TYPE_USB_DEVICE, 2108 .instance_size = sizeof(MTPState), 2109 .class_init = usb_mtp_class_initfn, 2110 }; 2111 usb_mtp_register_types(void)2112 static void usb_mtp_register_types(void) 2113 { 2114 type_register_static(&mtp_info); 2115 } 2116 2117 type_init(usb_mtp_register_types) 2118