@@ -37,6 +37,7 @@ struct MSDState {
/* For async completion. */
USBPacket *data_packet;
USBPacket *csw_in_packet;
+ USBPacket *unknown_in_packet;
/* usb-storage only */
BlockConf conf;
@@ -436,6 +436,8 @@ static void usb_msd_cancel_io(USBDevice *dev, USBPacket *p)
}
} else if (p == s->csw_in_packet) {
s->csw_in_packet = NULL;
+ } else if (p == s->unknown_in_packet) {
+ s->unknown_in_packet = NULL;
} else {
g_assert_not_reached();
}
@@ -499,6 +501,19 @@ static void usb_msd_handle_data_out(USBDevice *dev, USBPacket *p)
} else {
s->cbw_state = USB_MSD_CBW_DATAOUT;
}
+ if (s->unknown_in_packet) {
+ if (s->cbw_state == USB_MSD_CBW_DATAIN) {
+ /* Must be a DATAIN packet */
+ s->data_packet = s->unknown_in_packet;
+ } else {
+ /* Must be the CSW packet */
+ if (!check_valid_csw(s->unknown_in_packet)) {
+ goto fail;
+ }
+ s->csw_in_packet = s->unknown_in_packet;
+ }
+ s->unknown_in_packet = NULL;
+ }
trace_usb_msd_cmd_submit(cbw.lun, tag, cbw.flags,
cbw.cmd_len, s->data_len);
assert(le32_to_cpu(s->csw.residue) == 0);
@@ -516,6 +531,11 @@ static void usb_msd_handle_data_out(USBDevice *dev, USBPacket *p)
case USB_MSD_CBW_DATAOUT:
trace_usb_msd_data_out(p->iov.size, s->data_len);
+ if (s->unknown_in_packet) {
+ error_report("usb-msd: unknown_in_packet in DATAOUT state");
+ goto fail;
+ }
+
if (p->iov.size > s->data_len) {
goto fail;
}
@@ -558,7 +578,22 @@ static void usb_msd_handle_data_in(USBDevice *dev, USBPacket *p)
int len;
switch (s->cbw_state) {
+ case USB_MSD_CBW_NONE:
+ if (s->unknown_in_packet) {
+ qemu_log_mask(LOG_GUEST_ERROR, "usb-msd: second IN packet was"
+ "received before CBW\n");
+ goto fail;
+ }
+ trace_usb_msd_packet_async();
+ s->unknown_in_packet = p;
+ p->status = USB_RET_ASYNC;
+ break;
+
case USB_MSD_CBW_DATAOUT:
+ if (s->unknown_in_packet) {
+ error_report("usb-msd: unknown_in_packet in DATAOUT state");
+ goto fail;
+ }
if (!check_valid_csw(p)) {
goto fail;
}
@@ -575,6 +610,10 @@ static void usb_msd_handle_data_in(USBDevice *dev, USBPacket *p)
break;
case USB_MSD_CBW_CSW:
+ if (s->unknown_in_packet) {
+ error_report("usb-msd: unknown_in_packet in DATAOUT state");
+ goto fail;
+ }
if (!check_valid_csw(p)) {
goto fail;
}
@@ -592,6 +631,10 @@ static void usb_msd_handle_data_in(USBDevice *dev, USBPacket *p)
case USB_MSD_CBW_DATAIN:
trace_usb_msd_data_in(p->iov.size, s->data_len, s->scsi_len);
+ if (s->unknown_in_packet) {
+ error_report("usb-msd: unknown_in_packet in DATAIN state");
+ goto fail;
+ }
if (s->scsi_len) {
usb_msd_copy_data(s, p);
}
The USB MSD protocol has 3 packets that make up a command, and only one command may be active at any time. - CBW to start a command (that contains a SCSI request). - DATA (IN or OUT) to request data transfer between host and SCSI layer. - CSW to return status and complete the command. DATA is omitted if the request has no data. The QEMU MSD model requires these packets to arrive in this order, CBW, DATA, CSW. This is the way the state machine is generally described in the MSD spec, and this must be how most USB stacks operate. Except AIX. Universal Serial Bus Mass Storage Class Bulk-Only Transport 1.0 contains one word in one sentence that permits the relaxed ordering: 3.3 Host/Device Packet Transfer Order The host shall send the CBW before the associated Data-Out, and the device shall send Data-In after the associated CBW and before the associated CSW. The host may request Data-In or CSW before sending the associated CBW. Complicating matters, DATA-IN and CSW are both input packets that arrive in the same manner, so before a CBW it is impossible to determine if an IN packet is for data or CSW. So permit "unusually-ordered" packets by tracking them as an "unknown" packet until the CBW arrives, then they are categorized into a DATA or CSW packet. It is not clear whether the spec permits multiple such packets before the CBW. This implementation permits only one, which seems to be enough for AIX. Signed-off-by: Nicholas Piggin <npiggin@gmail.com> --- include/hw/usb/msd.h | 1 + hw/usb/dev-storage.c | 43 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+)