1 /* 2 * USB Mass Storage Device emulation 3 * 4 * Copyright (c) 2006 CodeSourcery. 5 * Written by Paul Brook 6 * 7 * This code is licensed under the LGPL. 8 */ 9 10 #include "qemu/osdep.h" 11 #include "qapi/error.h" 12 #include "qemu/error-report.h" 13 #include "qemu/module.h" 14 #include "qemu/option.h" 15 #include "qemu/config-file.h" 16 #include "hw/usb.h" 17 #include "hw/usb/msd.h" 18 #include "desc.h" 19 #include "hw/qdev-properties.h" 20 #include "hw/scsi/scsi.h" 21 #include "migration/vmstate.h" 22 #include "qemu/cutils.h" 23 #include "qom/object.h" 24 #include "trace.h" 25 26 /* USB requests. */ 27 #define MassStorageReset 0xff 28 #define GetMaxLun 0xfe 29 30 struct usb_msd_cbw { 31 uint32_t sig; 32 uint32_t tag; 33 uint32_t data_len; 34 uint8_t flags; 35 uint8_t lun; 36 uint8_t cmd_len; 37 uint8_t cmd[16]; 38 }; 39 40 enum { 41 STR_MANUFACTURER = 1, 42 STR_PRODUCT, 43 STR_SERIALNUMBER, 44 STR_CONFIG_FULL, 45 STR_CONFIG_HIGH, 46 STR_CONFIG_SUPER, 47 }; 48 49 static const USBDescStrings desc_strings = { 50 [STR_MANUFACTURER] = "QEMU", 51 [STR_PRODUCT] = "QEMU USB HARDDRIVE", 52 [STR_SERIALNUMBER] = "1", 53 [STR_CONFIG_FULL] = "Full speed config (usb 1.1)", 54 [STR_CONFIG_HIGH] = "High speed config (usb 2.0)", 55 [STR_CONFIG_SUPER] = "Super speed config (usb 3.0)", 56 }; 57 58 static const USBDescIface desc_iface_full = { 59 .bInterfaceNumber = 0, 60 .bNumEndpoints = 2, 61 .bInterfaceClass = USB_CLASS_MASS_STORAGE, 62 .bInterfaceSubClass = 0x06, /* SCSI */ 63 .bInterfaceProtocol = 0x50, /* Bulk */ 64 .eps = (USBDescEndpoint[]) { 65 { 66 .bEndpointAddress = USB_DIR_IN | 0x01, 67 .bmAttributes = USB_ENDPOINT_XFER_BULK, 68 .wMaxPacketSize = 64, 69 },{ 70 .bEndpointAddress = USB_DIR_OUT | 0x02, 71 .bmAttributes = USB_ENDPOINT_XFER_BULK, 72 .wMaxPacketSize = 64, 73 }, 74 } 75 }; 76 77 static const USBDescDevice desc_device_full = { 78 .bcdUSB = 0x0200, 79 .bMaxPacketSize0 = 8, 80 .bNumConfigurations = 1, 81 .confs = (USBDescConfig[]) { 82 { 83 .bNumInterfaces = 1, 84 .bConfigurationValue = 1, 85 .iConfiguration = STR_CONFIG_FULL, 86 .bmAttributes = USB_CFG_ATT_ONE | USB_CFG_ATT_SELFPOWER, 87 .nif = 1, 88 .ifs = &desc_iface_full, 89 }, 90 }, 91 }; 92 93 static const USBDescIface desc_iface_high = { 94 .bInterfaceNumber = 0, 95 .bNumEndpoints = 2, 96 .bInterfaceClass = USB_CLASS_MASS_STORAGE, 97 .bInterfaceSubClass = 0x06, /* SCSI */ 98 .bInterfaceProtocol = 0x50, /* Bulk */ 99 .eps = (USBDescEndpoint[]) { 100 { 101 .bEndpointAddress = USB_DIR_IN | 0x01, 102 .bmAttributes = USB_ENDPOINT_XFER_BULK, 103 .wMaxPacketSize = 512, 104 },{ 105 .bEndpointAddress = USB_DIR_OUT | 0x02, 106 .bmAttributes = USB_ENDPOINT_XFER_BULK, 107 .wMaxPacketSize = 512, 108 }, 109 } 110 }; 111 112 static const USBDescDevice desc_device_high = { 113 .bcdUSB = 0x0200, 114 .bMaxPacketSize0 = 64, 115 .bNumConfigurations = 1, 116 .confs = (USBDescConfig[]) { 117 { 118 .bNumInterfaces = 1, 119 .bConfigurationValue = 1, 120 .iConfiguration = STR_CONFIG_HIGH, 121 .bmAttributes = USB_CFG_ATT_ONE | USB_CFG_ATT_SELFPOWER, 122 .nif = 1, 123 .ifs = &desc_iface_high, 124 }, 125 }, 126 }; 127 128 static const USBDescIface desc_iface_super = { 129 .bInterfaceNumber = 0, 130 .bNumEndpoints = 2, 131 .bInterfaceClass = USB_CLASS_MASS_STORAGE, 132 .bInterfaceSubClass = 0x06, /* SCSI */ 133 .bInterfaceProtocol = 0x50, /* Bulk */ 134 .eps = (USBDescEndpoint[]) { 135 { 136 .bEndpointAddress = USB_DIR_IN | 0x01, 137 .bmAttributes = USB_ENDPOINT_XFER_BULK, 138 .wMaxPacketSize = 1024, 139 .bMaxBurst = 15, 140 },{ 141 .bEndpointAddress = USB_DIR_OUT | 0x02, 142 .bmAttributes = USB_ENDPOINT_XFER_BULK, 143 .wMaxPacketSize = 1024, 144 .bMaxBurst = 15, 145 }, 146 } 147 }; 148 149 static const USBDescDevice desc_device_super = { 150 .bcdUSB = 0x0300, 151 .bMaxPacketSize0 = 9, 152 .bNumConfigurations = 1, 153 .confs = (USBDescConfig[]) { 154 { 155 .bNumInterfaces = 1, 156 .bConfigurationValue = 1, 157 .iConfiguration = STR_CONFIG_SUPER, 158 .bmAttributes = USB_CFG_ATT_ONE | USB_CFG_ATT_SELFPOWER, 159 .nif = 1, 160 .ifs = &desc_iface_super, 161 }, 162 }, 163 }; 164 165 static const USBDesc desc = { 166 .id = { 167 .idVendor = 0x46f4, /* CRC16() of "QEMU" */ 168 .idProduct = 0x0001, 169 .bcdDevice = 0, 170 .iManufacturer = STR_MANUFACTURER, 171 .iProduct = STR_PRODUCT, 172 .iSerialNumber = STR_SERIALNUMBER, 173 }, 174 .full = &desc_device_full, 175 .high = &desc_device_high, 176 .super = &desc_device_super, 177 .str = desc_strings, 178 }; 179 180 static void usb_msd_packet_complete(MSDState *s, int status) 181 { 182 USBPacket *p = s->packet; 183 184 /* 185 * Set s->packet to NULL before calling usb_packet_complete 186 * because another request may be issued before 187 * usb_packet_complete returns. 188 */ 189 trace_usb_msd_packet_complete(); 190 p->status = status; 191 s->packet = NULL; 192 usb_packet_complete(&s->dev, p); 193 } 194 195 static void usb_msd_fatal_error(MSDState *s) 196 { 197 trace_usb_msd_fatal_error(); 198 199 if (s->packet) { 200 usb_msd_packet_complete(s, USB_RET_STALL); 201 } 202 203 /* 204 * Guest messed up up device state with illegal requests. Go 205 * ignore any requests until the guests resets the device (and 206 * brings it into a known state that way). 207 */ 208 s->needs_reset = true; 209 } 210 211 static void usb_msd_copy_data(MSDState *s, USBPacket *p) 212 { 213 uint32_t len; 214 len = p->iov.size - p->actual_length; 215 if (len > s->scsi_len) 216 len = s->scsi_len; 217 usb_packet_copy(p, scsi_req_get_buf(s->req) + s->scsi_off, len); 218 s->scsi_len -= len; 219 s->scsi_off += len; 220 if (len > s->data_len) { 221 len = s->data_len; 222 } 223 s->data_len -= len; 224 if (s->scsi_len == 0 || s->data_len == 0) { 225 scsi_req_continue(s->req); 226 } 227 } 228 229 static void usb_msd_send_status(MSDState *s, USBPacket *p) 230 { 231 int len; 232 233 trace_usb_msd_send_status(s->csw.status, le32_to_cpu(s->csw.tag), 234 p->iov.size); 235 236 assert(s->csw.sig == cpu_to_le32(0x53425355)); 237 len = MIN(sizeof(s->csw), p->iov.size); 238 usb_packet_copy(p, &s->csw, len); 239 memset(&s->csw, 0, sizeof(s->csw)); 240 } 241 242 void usb_msd_transfer_data(SCSIRequest *req, uint32_t len) 243 { 244 MSDState *s = DO_UPCAST(MSDState, dev.qdev, req->bus->qbus.parent); 245 USBPacket *p = s->packet; 246 247 if ((s->mode == USB_MSDM_DATAOUT) != (req->cmd.mode == SCSI_XFER_TO_DEV)) { 248 usb_msd_fatal_error(s); 249 return; 250 } 251 252 s->scsi_len = len; 253 s->scsi_off = 0; 254 if (p) { 255 usb_msd_copy_data(s, p); 256 p = s->packet; 257 if (p && p->actual_length == p->iov.size) { 258 /* USB_RET_SUCCESS status clears previous ASYNC status */ 259 usb_msd_packet_complete(s, USB_RET_SUCCESS); 260 } 261 } 262 } 263 264 void usb_msd_command_complete(SCSIRequest *req, size_t resid) 265 { 266 MSDState *s = DO_UPCAST(MSDState, dev.qdev, req->bus->qbus.parent); 267 USBPacket *p = s->packet; 268 269 trace_usb_msd_cmd_complete(req->status, req->tag); 270 271 s->csw.sig = cpu_to_le32(0x53425355); 272 s->csw.tag = cpu_to_le32(req->tag); 273 s->csw.residue = cpu_to_le32(s->data_len); 274 s->csw.status = req->status != 0; 275 276 if (s->packet) { 277 if (s->data_len == 0 && s->mode == USB_MSDM_DATAOUT) { 278 /* A deferred packet with no write data remaining must be 279 the status read packet. */ 280 usb_msd_send_status(s, p); 281 s->mode = USB_MSDM_CBW; 282 } else if (s->mode == USB_MSDM_CSW) { 283 usb_msd_send_status(s, p); 284 s->mode = USB_MSDM_CBW; 285 } else { 286 if (s->data_len) { 287 int len = (p->iov.size - p->actual_length); 288 usb_packet_skip(p, len); 289 if (len > s->data_len) { 290 len = s->data_len; 291 } 292 s->data_len -= len; 293 } 294 if (s->data_len == 0) { 295 s->mode = USB_MSDM_CSW; 296 } 297 } 298 /* USB_RET_SUCCESS status clears previous ASYNC status */ 299 usb_msd_packet_complete(s, USB_RET_SUCCESS); 300 } else if (s->data_len == 0) { 301 s->mode = USB_MSDM_CSW; 302 } 303 scsi_req_unref(req); 304 s->req = NULL; 305 } 306 307 void usb_msd_request_cancelled(SCSIRequest *req) 308 { 309 MSDState *s = DO_UPCAST(MSDState, dev.qdev, req->bus->qbus.parent); 310 311 trace_usb_msd_cmd_cancel(req->tag); 312 313 if (req == s->req) { 314 s->csw.sig = cpu_to_le32(0x53425355); 315 s->csw.tag = cpu_to_le32(req->tag); 316 s->csw.status = 1; /* error */ 317 318 scsi_req_unref(s->req); 319 s->req = NULL; 320 s->scsi_len = 0; 321 } 322 } 323 324 void usb_msd_handle_reset(USBDevice *dev) 325 { 326 MSDState *s = (MSDState *)dev; 327 328 trace_usb_msd_reset(); 329 if (s->req) { 330 scsi_req_cancel(s->req); 331 } 332 assert(s->req == NULL); 333 334 if (s->packet) { 335 usb_msd_packet_complete(s, USB_RET_STALL); 336 } 337 338 memset(&s->csw, 0, sizeof(s->csw)); 339 s->mode = USB_MSDM_CBW; 340 341 s->needs_reset = false; 342 } 343 344 static void usb_msd_handle_control(USBDevice *dev, USBPacket *p, 345 int request, int value, int index, int length, uint8_t *data) 346 { 347 MSDState *s = (MSDState *)dev; 348 SCSIDevice *scsi_dev; 349 int ret, maxlun; 350 351 ret = usb_desc_handle_control(dev, p, request, value, index, length, data); 352 if (ret >= 0) { 353 return; 354 } 355 356 switch (request) { 357 case EndpointOutRequest | USB_REQ_CLEAR_FEATURE: 358 break; 359 /* Class specific requests. */ 360 case ClassInterfaceOutRequest | MassStorageReset: 361 /* Reset state ready for the next CBW. */ 362 s->mode = USB_MSDM_CBW; 363 break; 364 case ClassInterfaceRequest | GetMaxLun: 365 maxlun = 0; 366 for (;;) { 367 scsi_dev = scsi_device_find(&s->bus, 0, 0, maxlun+1); 368 if (scsi_dev == NULL) { 369 break; 370 } 371 if (scsi_dev->lun != maxlun+1) { 372 break; 373 } 374 maxlun++; 375 } 376 trace_usb_msd_maxlun(maxlun); 377 data[0] = maxlun; 378 p->actual_length = 1; 379 break; 380 default: 381 p->status = USB_RET_STALL; 382 break; 383 } 384 } 385 386 static void usb_msd_cancel_io(USBDevice *dev, USBPacket *p) 387 { 388 MSDState *s = USB_STORAGE_DEV(dev); 389 390 assert(s->packet == p); 391 s->packet = NULL; 392 393 if (s->req) { 394 scsi_req_cancel(s->req); 395 } 396 } 397 398 static void usb_msd_handle_data(USBDevice *dev, USBPacket *p) 399 { 400 MSDState *s = (MSDState *)dev; 401 uint32_t tag; 402 struct usb_msd_cbw cbw; 403 uint8_t devep = p->ep->nr; 404 SCSIDevice *scsi_dev; 405 int len; 406 407 if (s->needs_reset) { 408 p->status = USB_RET_STALL; 409 return; 410 } 411 412 switch (p->pid) { 413 case USB_TOKEN_OUT: 414 if (devep != 2) 415 goto fail; 416 417 switch (s->mode) { 418 case USB_MSDM_CBW: 419 if (p->iov.size != 31) { 420 error_report("usb-msd: Bad CBW size"); 421 goto fail; 422 } 423 usb_packet_copy(p, &cbw, 31); 424 if (le32_to_cpu(cbw.sig) != 0x43425355) { 425 error_report("usb-msd: Bad signature %08x", 426 le32_to_cpu(cbw.sig)); 427 goto fail; 428 } 429 scsi_dev = scsi_device_find(&s->bus, 0, 0, cbw.lun); 430 if (scsi_dev == NULL) { 431 error_report("usb-msd: Bad LUN %d", cbw.lun); 432 goto fail; 433 } 434 tag = le32_to_cpu(cbw.tag); 435 s->data_len = le32_to_cpu(cbw.data_len); 436 if (s->data_len == 0) { 437 s->mode = USB_MSDM_CSW; 438 } else if (cbw.flags & 0x80) { 439 s->mode = USB_MSDM_DATAIN; 440 } else { 441 s->mode = USB_MSDM_DATAOUT; 442 } 443 trace_usb_msd_cmd_submit(cbw.lun, tag, cbw.flags, 444 cbw.cmd_len, s->data_len); 445 assert(le32_to_cpu(s->csw.residue) == 0); 446 s->scsi_len = 0; 447 s->req = scsi_req_new(scsi_dev, tag, cbw.lun, cbw.cmd, cbw.cmd_len, NULL); 448 if (s->commandlog) { 449 scsi_req_print(s->req); 450 } 451 len = scsi_req_enqueue(s->req); 452 if (len) { 453 scsi_req_continue(s->req); 454 } 455 break; 456 457 case USB_MSDM_DATAOUT: 458 trace_usb_msd_data_out(p->iov.size, s->data_len); 459 if (p->iov.size > s->data_len) { 460 goto fail; 461 } 462 463 if (s->scsi_len) { 464 usb_msd_copy_data(s, p); 465 } 466 if (le32_to_cpu(s->csw.residue)) { 467 len = p->iov.size - p->actual_length; 468 if (len) { 469 usb_packet_skip(p, len); 470 if (len > s->data_len) { 471 len = s->data_len; 472 } 473 s->data_len -= len; 474 if (s->data_len == 0) { 475 s->mode = USB_MSDM_CSW; 476 } 477 } 478 } 479 if (p->actual_length < p->iov.size) { 480 trace_usb_msd_packet_async(); 481 s->packet = p; 482 p->status = USB_RET_ASYNC; 483 } 484 break; 485 486 default: 487 goto fail; 488 } 489 break; 490 491 case USB_TOKEN_IN: 492 if (devep != 1) 493 goto fail; 494 495 switch (s->mode) { 496 case USB_MSDM_DATAOUT: 497 if (s->data_len != 0 || p->iov.size < 13) { 498 goto fail; 499 } 500 /* Waiting for SCSI write to complete. */ 501 trace_usb_msd_packet_async(); 502 s->packet = p; 503 p->status = USB_RET_ASYNC; 504 break; 505 506 case USB_MSDM_CSW: 507 if (p->iov.size < 13) { 508 goto fail; 509 } 510 511 if (s->req) { 512 /* still in flight */ 513 trace_usb_msd_packet_async(); 514 s->packet = p; 515 p->status = USB_RET_ASYNC; 516 } else { 517 usb_msd_send_status(s, p); 518 s->mode = USB_MSDM_CBW; 519 } 520 break; 521 522 case USB_MSDM_DATAIN: 523 trace_usb_msd_data_in(p->iov.size, s->data_len, s->scsi_len); 524 if (s->scsi_len) { 525 usb_msd_copy_data(s, p); 526 } 527 if (le32_to_cpu(s->csw.residue)) { 528 len = p->iov.size - p->actual_length; 529 if (len) { 530 usb_packet_skip(p, len); 531 if (len > s->data_len) { 532 len = s->data_len; 533 } 534 s->data_len -= len; 535 if (s->data_len == 0) { 536 s->mode = USB_MSDM_CSW; 537 } 538 } 539 } 540 if (p->actual_length < p->iov.size && s->mode == USB_MSDM_DATAIN) { 541 trace_usb_msd_packet_async(); 542 s->packet = p; 543 p->status = USB_RET_ASYNC; 544 } 545 break; 546 547 default: 548 goto fail; 549 } 550 break; 551 552 default: 553 fail: 554 p->status = USB_RET_STALL; 555 break; 556 } 557 } 558 559 void *usb_msd_load_request(QEMUFile *f, SCSIRequest *req) 560 { 561 MSDState *s = DO_UPCAST(MSDState, dev.qdev, req->bus->qbus.parent); 562 563 /* nothing to load, just store req in our state struct */ 564 assert(s->req == NULL); 565 scsi_req_ref(req); 566 s->req = req; 567 return NULL; 568 } 569 570 static const VMStateDescription vmstate_usb_msd = { 571 .name = "usb-storage", 572 .version_id = 1, 573 .minimum_version_id = 1, 574 .fields = (const VMStateField[]) { 575 VMSTATE_USB_DEVICE(dev, MSDState), 576 VMSTATE_UINT32(mode, MSDState), 577 VMSTATE_UINT32(scsi_len, MSDState), 578 VMSTATE_UINT32(scsi_off, MSDState), 579 VMSTATE_UINT32(data_len, MSDState), 580 VMSTATE_UINT32(csw.sig, MSDState), 581 VMSTATE_UINT32(csw.tag, MSDState), 582 VMSTATE_UINT32(csw.residue, MSDState), 583 VMSTATE_UINT8(csw.status, MSDState), 584 VMSTATE_END_OF_LIST() 585 } 586 }; 587 588 static void usb_msd_class_initfn_common(ObjectClass *klass, void *data) 589 { 590 DeviceClass *dc = DEVICE_CLASS(klass); 591 USBDeviceClass *uc = USB_DEVICE_CLASS(klass); 592 593 uc->product_desc = "QEMU USB MSD"; 594 uc->usb_desc = &desc; 595 uc->cancel_packet = usb_msd_cancel_io; 596 uc->handle_attach = usb_desc_attach; 597 uc->handle_reset = usb_msd_handle_reset; 598 uc->handle_control = usb_msd_handle_control; 599 uc->handle_data = usb_msd_handle_data; 600 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories); 601 dc->fw_name = "storage"; 602 dc->vmsd = &vmstate_usb_msd; 603 } 604 605 static const TypeInfo usb_storage_dev_type_info = { 606 .name = TYPE_USB_STORAGE, 607 .parent = TYPE_USB_DEVICE, 608 .instance_size = sizeof(MSDState), 609 .abstract = true, 610 .class_init = usb_msd_class_initfn_common, 611 }; 612 613 static void usb_msd_register_types(void) 614 { 615 type_register_static(&usb_storage_dev_type_info); 616 } 617 618 type_init(usb_msd_register_types) 619