1 /*-
2  * SPDX-License-Identifier: BSD-3-Clause
3  *
4  * Copyright (C) 2003-2005 Alan Stern
5  * Copyright (C) 2008 Hans Petter Selasky
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions, and the following disclaimer,
13  *    without modification.
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in the
16  *    documentation and/or other materials provided with the distribution.
17  * 3. The names of the above-listed copyright holders may not be used
18  *    to endorse or promote products derived from this software without
19  *    specific prior written permission.
20  *
21  *
22  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
23  * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
24  * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
25  * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
26  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
27  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
28  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
29  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
30  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
31  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
32  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33  */
34 
35 /*
36  * NOTE: Much of the SCSI statemachine handling code derives from the
37  * Linux USB gadget stack.
38  */
39 
40 #ifdef USB_GLOBAL_INCLUDE_FILE
41 #include USB_GLOBAL_INCLUDE_FILE
42 #else
43 #include <sys/stdint.h>
44 #include <sys/stddef.h>
45 #include <sys/param.h>
46 #include <sys/queue.h>
47 #include <sys/types.h>
48 #include <sys/systm.h>
49 #include <sys/kernel.h>
50 #include <sys/bus.h>
51 #include <sys/module.h>
52 #include <sys/lock.h>
53 #include <sys/mutex.h>
54 #include <sys/condvar.h>
55 #include <sys/sysctl.h>
56 #include <sys/sx.h>
57 #include <sys/unistd.h>
58 #include <sys/callout.h>
59 #include <sys/malloc.h>
60 #include <sys/priv.h>
61 
62 #include <dev/usb/usb.h>
63 #include <dev/usb/usbdi.h>
64 #include "usbdevs.h"
65 #include "usb_if.h"
66 
67 #define	USB_DEBUG_VAR ustorage_fs_debug
68 #include <dev/usb/usb_debug.h>
69 #endif			/* USB_GLOBAL_INCLUDE_FILE */
70 
71 #ifdef USB_DEBUG
72 static int ustorage_fs_debug = 0;
73 
74 SYSCTL_NODE(_hw_usb, OID_AUTO, ustorage_fs, CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
75     "USB ustorage_fs");
76 SYSCTL_INT(_hw_usb_ustorage_fs, OID_AUTO, debug, CTLFLAG_RWTUN,
77     &ustorage_fs_debug, 0, "ustorage_fs debug level");
78 #endif
79 
80 /* Define some limits */
81 
82 #ifndef USTORAGE_FS_BULK_SIZE
83 #define	USTORAGE_FS_BULK_SIZE	(1U << 17)	/* bytes */
84 #endif
85 
86 #ifndef	USTORAGE_FS_MAX_LUN
87 #define	USTORAGE_FS_MAX_LUN	8	/* units */
88 #endif
89 
90 #ifndef USTORAGE_QDATA_MAX
91 #define	USTORAGE_QDATA_MAX	40	/* bytes */
92 #endif
93 
94 /*
95  * The SCSI ID string must be exactly 28 characters long
96  * exluding the terminating zero.
97  */
98 #ifndef USTORAGE_FS_ID_STRING
99 #define	USTORAGE_FS_ID_STRING \
100 	"FreeBSD " /* 8 */ \
101 	"File-Stor Gadget" /* 16 */ \
102 	"0101" /* 4 */
103 #endif
104 
105 /*
106  * The following macro defines the number of
107  * sectors to be allocated for the RAM disk:
108  */
109 #ifndef USTORAGE_FS_RAM_SECT
110 #define	USTORAGE_FS_RAM_SECT (1UL << 13)
111 #endif
112 
113 static uint8_t *ustorage_fs_ramdisk;
114 
115 /* USB transfer definitions */
116 
117 #define	USTORAGE_FS_T_BBB_COMMAND     0
118 #define	USTORAGE_FS_T_BBB_DATA_DUMP   1
119 #define	USTORAGE_FS_T_BBB_DATA_READ   2
120 #define	USTORAGE_FS_T_BBB_DATA_WRITE  3
121 #define	USTORAGE_FS_T_BBB_STATUS      4
122 #define	USTORAGE_FS_T_BBB_MAX         5
123 
124 /* USB data stage direction */
125 
126 #define	DIR_NONE	0
127 #define	DIR_READ	1
128 #define	DIR_WRITE	2
129 
130 /* USB interface specific control request */
131 
132 #define	UR_BBB_RESET		0xff	/* Bulk-Only reset */
133 #define	UR_BBB_GET_MAX_LUN	0xfe	/* Get maximum lun */
134 
135 /* Command Block Wrapper */
136 typedef struct {
137 	uDWord	dCBWSignature;
138 #define	CBWSIGNATURE	0x43425355
139 	uDWord	dCBWTag;
140 	uDWord	dCBWDataTransferLength;
141 	uByte	bCBWFlags;
142 #define	CBWFLAGS_OUT	0x00
143 #define	CBWFLAGS_IN	0x80
144 	uByte	bCBWLUN;
145 	uByte	bCDBLength;
146 #define	CBWCDBLENGTH	16
147 	uByte	CBWCDB[CBWCDBLENGTH];
148 } __packed ustorage_fs_bbb_cbw_t;
149 
150 #define	USTORAGE_FS_BBB_CBW_SIZE	31
151 
152 /* Command Status Wrapper */
153 typedef struct {
154 	uDWord	dCSWSignature;
155 #define	CSWSIGNATURE	0x53425355
156 	uDWord	dCSWTag;
157 	uDWord	dCSWDataResidue;
158 	uByte	bCSWStatus;
159 #define	CSWSTATUS_GOOD	0x0
160 #define	CSWSTATUS_FAILED	0x1
161 #define	CSWSTATUS_PHASE	0x2
162 } __packed ustorage_fs_bbb_csw_t;
163 
164 #define	USTORAGE_FS_BBB_CSW_SIZE	13
165 
166 struct ustorage_fs_lun {
167 	uint8_t	*memory_image;
168 
169 	uint32_t num_sectors;
170 	uint32_t sense_data;
171 	uint32_t sense_data_info;
172 	uint32_t unit_attention_data;
173 
174 	uint8_t	read_only:1;
175 	uint8_t	prevent_medium_removal:1;
176 	uint8_t	info_valid:1;
177 	uint8_t	removable:1;
178 };
179 
180 struct ustorage_fs_softc {
181 	ustorage_fs_bbb_cbw_t *sc_cbw;	/* Command Wrapper Block */
182 	ustorage_fs_bbb_csw_t *sc_csw;	/* Command Status Block */
183 	void *sc_dma_ptr;		/* Main data buffer */
184 
185 	struct mtx sc_mtx;
186 
187 	struct ustorage_fs_lun sc_lun[USTORAGE_FS_MAX_LUN];
188 
189 	struct {
190 		uint8_t *data_ptr;
191 		struct ustorage_fs_lun *currlun;
192 
193 		uint32_t data_rem;	/* bytes, as reported by the command
194 					 * block wrapper */
195 		uint32_t offset;	/* bytes */
196 
197 		uint8_t	cbw_dir;
198 		uint8_t	cmd_dir;
199 		uint8_t	lun;
200 		uint8_t	cmd_len;
201 		uint8_t	data_short:1;
202 		uint8_t	data_error:1;
203 	}	sc_transfer;
204 
205 	device_t sc_dev;
206 	struct usb_device *sc_udev;
207 	struct usb_xfer *sc_xfer[USTORAGE_FS_T_BBB_MAX];
208 
209 	uint8_t	sc_iface_no;		/* interface number */
210 	uint8_t	sc_last_lun;
211 	uint8_t	sc_last_xfer_index;
212 	uint8_t	sc_qdata[USTORAGE_QDATA_MAX];
213 };
214 
215 /* prototypes */
216 
217 static device_probe_t ustorage_fs_probe;
218 static device_attach_t ustorage_fs_attach;
219 static device_detach_t ustorage_fs_detach;
220 static device_suspend_t ustorage_fs_suspend;
221 static device_resume_t ustorage_fs_resume;
222 static usb_handle_request_t ustorage_fs_handle_request;
223 
224 static usb_callback_t ustorage_fs_t_bbb_command_callback;
225 static usb_callback_t ustorage_fs_t_bbb_data_dump_callback;
226 static usb_callback_t ustorage_fs_t_bbb_data_read_callback;
227 static usb_callback_t ustorage_fs_t_bbb_data_write_callback;
228 static usb_callback_t ustorage_fs_t_bbb_status_callback;
229 
230 static void ustorage_fs_transfer_start(struct ustorage_fs_softc *sc, uint8_t xfer_index);
231 static void ustorage_fs_transfer_stop(struct ustorage_fs_softc *sc);
232 
233 static uint8_t ustorage_fs_verify(struct ustorage_fs_softc *sc);
234 static uint8_t ustorage_fs_inquiry(struct ustorage_fs_softc *sc);
235 static uint8_t ustorage_fs_request_sense(struct ustorage_fs_softc *sc);
236 static uint8_t ustorage_fs_read_capacity(struct ustorage_fs_softc *sc);
237 static uint8_t ustorage_fs_mode_sense(struct ustorage_fs_softc *sc);
238 static uint8_t ustorage_fs_start_stop(struct ustorage_fs_softc *sc);
239 static uint8_t ustorage_fs_prevent_allow(struct ustorage_fs_softc *sc);
240 static uint8_t ustorage_fs_read_format_capacities(struct ustorage_fs_softc *sc);
241 static uint8_t ustorage_fs_mode_select(struct ustorage_fs_softc *sc);
242 static uint8_t ustorage_fs_min_len(struct ustorage_fs_softc *sc, uint32_t len, uint32_t mask);
243 static uint8_t ustorage_fs_read(struct ustorage_fs_softc *sc);
244 static uint8_t ustorage_fs_write(struct ustorage_fs_softc *sc);
245 static uint8_t ustorage_fs_check_cmd(struct ustorage_fs_softc *sc, uint8_t cmd_size, uint16_t mask, uint8_t needs_medium);
246 static uint8_t ustorage_fs_do_cmd(struct ustorage_fs_softc *sc);
247 
248 static device_method_t ustorage_fs_methods[] = {
249 	/* USB interface */
250 	DEVMETHOD(usb_handle_request, ustorage_fs_handle_request),
251 
252 	/* Device interface */
253 	DEVMETHOD(device_probe, ustorage_fs_probe),
254 	DEVMETHOD(device_attach, ustorage_fs_attach),
255 	DEVMETHOD(device_detach, ustorage_fs_detach),
256 	DEVMETHOD(device_suspend, ustorage_fs_suspend),
257 	DEVMETHOD(device_resume, ustorage_fs_resume),
258 
259 	DEVMETHOD_END
260 };
261 
262 static driver_t ustorage_fs_driver = {
263 	.name = "ustorage_fs",
264 	.methods = ustorage_fs_methods,
265 	.size = sizeof(struct ustorage_fs_softc),
266 };
267 
268 DRIVER_MODULE(ustorage_fs, uhub, ustorage_fs_driver, NULL, NULL);
269 MODULE_VERSION(ustorage_fs, 0);
270 MODULE_DEPEND(ustorage_fs, usb, 1, 1, 1);
271 
272 static struct usb_config ustorage_fs_bbb_config[USTORAGE_FS_T_BBB_MAX] = {
273 	[USTORAGE_FS_T_BBB_COMMAND] = {
274 		.type = UE_BULK,
275 		.endpoint = UE_ADDR_ANY,
276 		.direction = UE_DIR_OUT,
277 		.bufsize = sizeof(ustorage_fs_bbb_cbw_t),
278 		.callback = &ustorage_fs_t_bbb_command_callback,
279 		.usb_mode = USB_MODE_DEVICE,
280 	},
281 
282 	[USTORAGE_FS_T_BBB_DATA_DUMP] = {
283 		.type = UE_BULK,
284 		.endpoint = UE_ADDR_ANY,
285 		.direction = UE_DIR_OUT,
286 		.bufsize = 0,	/* use wMaxPacketSize */
287 		.flags = {.proxy_buffer = 1,.short_xfer_ok = 1,},
288 		.callback = &ustorage_fs_t_bbb_data_dump_callback,
289 		.usb_mode = USB_MODE_DEVICE,
290 	},
291 
292 	[USTORAGE_FS_T_BBB_DATA_READ] = {
293 		.type = UE_BULK,
294 		.endpoint = UE_ADDR_ANY,
295 		.direction = UE_DIR_OUT,
296 		.bufsize = USTORAGE_FS_BULK_SIZE,
297 		.flags = {.proxy_buffer = 1,.short_xfer_ok = 1},
298 		.callback = &ustorage_fs_t_bbb_data_read_callback,
299 		.usb_mode = USB_MODE_DEVICE,
300 	},
301 
302 	[USTORAGE_FS_T_BBB_DATA_WRITE] = {
303 		.type = UE_BULK,
304 		.endpoint = UE_ADDR_ANY,
305 		.direction = UE_DIR_IN,
306 		.bufsize = USTORAGE_FS_BULK_SIZE,
307 		.flags = {.proxy_buffer = 1,.short_xfer_ok = 1,.ext_buffer = 1},
308 		.callback = &ustorage_fs_t_bbb_data_write_callback,
309 		.usb_mode = USB_MODE_DEVICE,
310 	},
311 
312 	[USTORAGE_FS_T_BBB_STATUS] = {
313 		.type = UE_BULK,
314 		.endpoint = UE_ADDR_ANY,
315 		.direction = UE_DIR_IN,
316 		.bufsize = sizeof(ustorage_fs_bbb_csw_t),
317 		.flags = {.short_xfer_ok = 1},
318 		.callback = &ustorage_fs_t_bbb_status_callback,
319 		.usb_mode = USB_MODE_DEVICE,
320 	},
321 };
322 
323 /*
324  * USB device probe/attach/detach
325  */
326 
327 static int
ustorage_fs_probe(device_t dev)328 ustorage_fs_probe(device_t dev)
329 {
330 	struct usb_attach_arg *uaa = device_get_ivars(dev);
331 	struct usb_interface_descriptor *id;
332 
333 	if (uaa->usb_mode != USB_MODE_DEVICE) {
334 		return (ENXIO);
335 	}
336 	/* Check for a standards compliant device */
337 	id = usbd_get_interface_descriptor(uaa->iface);
338 	if ((id == NULL) ||
339 	    (id->bInterfaceClass != UICLASS_MASS) ||
340 	    (id->bInterfaceSubClass != UISUBCLASS_SCSI) ||
341 	    (id->bInterfaceProtocol != UIPROTO_MASS_BBB)) {
342 		return (ENXIO);
343 	}
344 	return (BUS_PROBE_GENERIC);
345 }
346 
347 static int
ustorage_fs_attach(device_t dev)348 ustorage_fs_attach(device_t dev)
349 {
350 	struct ustorage_fs_softc *sc = device_get_softc(dev);
351 	struct usb_attach_arg *uaa = device_get_ivars(dev);
352 	struct usb_interface_descriptor *id;
353 	int err;
354 	int unit;
355 
356 	/*
357 	 * NOTE: the softc struct is cleared in device_set_driver.
358 	 * We can safely call ustorage_fs_detach without specifically
359 	 * initializing the struct.
360 	 */
361 
362 	sc->sc_dev = dev;
363 	sc->sc_udev = uaa->device;
364 	unit = device_get_unit(dev);
365 
366 	/* enable power saving mode */
367 	usbd_set_power_mode(uaa->device, USB_POWER_MODE_SAVE);
368 
369 	if (unit == 0) {
370 		if (ustorage_fs_ramdisk == NULL) {
371 			/*
372 			 * allocate a memory image for our ramdisk until
373 			 * further
374 			 */
375 			ustorage_fs_ramdisk =
376 			    malloc(USTORAGE_FS_RAM_SECT << 9, M_USB,
377 			    M_ZERO | M_WAITOK);
378 		}
379 		sc->sc_lun[0].memory_image = ustorage_fs_ramdisk;
380 		sc->sc_lun[0].num_sectors = USTORAGE_FS_RAM_SECT;
381 		sc->sc_lun[0].removable = 1;
382 	}
383 
384 	device_set_usb_desc(dev);
385 
386 	mtx_init(&sc->sc_mtx, "USTORAGE_FS lock",
387 	    NULL, (MTX_DEF | MTX_RECURSE));
388 
389 	/* get interface index */
390 
391 	id = usbd_get_interface_descriptor(uaa->iface);
392 	if (id == NULL) {
393 		device_printf(dev, "failed to get "
394 		    "interface number\n");
395 		goto detach;
396 	}
397 	sc->sc_iface_no = id->bInterfaceNumber;
398 
399 	err = usbd_transfer_setup(uaa->device,
400 	    &uaa->info.bIfaceIndex, sc->sc_xfer, ustorage_fs_bbb_config,
401 	    USTORAGE_FS_T_BBB_MAX, sc, &sc->sc_mtx);
402 	if (err) {
403 		device_printf(dev, "could not setup required "
404 		    "transfers, %s\n", usbd_errstr(err));
405 		goto detach;
406 	}
407 
408 	sc->sc_cbw = usbd_xfer_get_frame_buffer(sc->sc_xfer[
409 	    USTORAGE_FS_T_BBB_COMMAND], 0);
410 	sc->sc_csw = usbd_xfer_get_frame_buffer(sc->sc_xfer[
411 	    USTORAGE_FS_T_BBB_STATUS], 0);
412  	sc->sc_dma_ptr = usbd_xfer_get_frame_buffer(sc->sc_xfer[
413 	    USTORAGE_FS_T_BBB_DATA_READ], 0);
414 
415 	/* start Mass Storage State Machine */
416 
417 	mtx_lock(&sc->sc_mtx);
418 	ustorage_fs_transfer_start(sc, USTORAGE_FS_T_BBB_COMMAND);
419 	mtx_unlock(&sc->sc_mtx);
420 
421 	return (0);			/* success */
422 
423 detach:
424 	ustorage_fs_detach(dev);
425 	return (ENXIO);			/* failure */
426 }
427 
428 static int
ustorage_fs_detach(device_t dev)429 ustorage_fs_detach(device_t dev)
430 {
431 	struct ustorage_fs_softc *sc = device_get_softc(dev);
432 
433 	/* teardown our statemachine */
434 
435 	usbd_transfer_unsetup(sc->sc_xfer, USTORAGE_FS_T_BBB_MAX);
436 
437 	mtx_destroy(&sc->sc_mtx);
438 
439 	return (0);			/* success */
440 }
441 
442 static int
ustorage_fs_suspend(device_t dev)443 ustorage_fs_suspend(device_t dev)
444 {
445 	device_printf(dev, "suspending\n");
446 	return (0);			/* success */
447 }
448 
449 static int
ustorage_fs_resume(device_t dev)450 ustorage_fs_resume(device_t dev)
451 {
452 	device_printf(dev, "resuming\n");
453 	return (0);			/* success */
454 }
455 
456 /*
457  * Generic functions to handle transfers
458  */
459 
460 static void
ustorage_fs_transfer_start(struct ustorage_fs_softc * sc,uint8_t xfer_index)461 ustorage_fs_transfer_start(struct ustorage_fs_softc *sc, uint8_t xfer_index)
462 {
463 	if (sc->sc_xfer[xfer_index]) {
464 		sc->sc_last_xfer_index = xfer_index;
465 		usbd_transfer_start(sc->sc_xfer[xfer_index]);
466 	}
467 }
468 
469 static void
ustorage_fs_transfer_stop(struct ustorage_fs_softc * sc)470 ustorage_fs_transfer_stop(struct ustorage_fs_softc *sc)
471 {
472 	usbd_transfer_stop(sc->sc_xfer[sc->sc_last_xfer_index]);
473 	mtx_unlock(&sc->sc_mtx);
474 	usbd_transfer_drain(sc->sc_xfer[sc->sc_last_xfer_index]);
475 	mtx_lock(&sc->sc_mtx);
476 }
477 
478 static int
ustorage_fs_handle_request(device_t dev,const void * preq,void ** pptr,uint16_t * plen,uint16_t offset,uint8_t * pstate)479 ustorage_fs_handle_request(device_t dev,
480     const void *preq, void **pptr, uint16_t *plen,
481     uint16_t offset, uint8_t *pstate)
482 {
483 	struct ustorage_fs_softc *sc = device_get_softc(dev);
484 	const struct usb_device_request *req = preq;
485 	uint8_t is_complete = *pstate;
486 
487 	if (!is_complete) {
488 		if ((req->bmRequestType == UT_WRITE_CLASS_INTERFACE) &&
489 		    (req->bRequest == UR_BBB_RESET)) {
490 			*plen = 0;
491 			mtx_lock(&sc->sc_mtx);
492 			ustorage_fs_transfer_stop(sc);
493 			sc->sc_transfer.data_error = 1;
494 			ustorage_fs_transfer_start(sc,
495 			    USTORAGE_FS_T_BBB_COMMAND);
496 			mtx_unlock(&sc->sc_mtx);
497 			return (0);
498 		} else if ((req->bmRequestType == UT_READ_CLASS_INTERFACE) &&
499 			   (req->bRequest == UR_BBB_GET_MAX_LUN)) {
500 			if (offset == 0) {
501 				*plen = 1;
502 				*pptr = &sc->sc_last_lun;
503 			} else {
504 				*plen = 0;
505 			}
506 			return (0);
507 		}
508 	}
509 	return (ENXIO);			/* use builtin handler */
510 }
511 
512 static void
ustorage_fs_t_bbb_command_callback(struct usb_xfer * xfer,usb_error_t error)513 ustorage_fs_t_bbb_command_callback(struct usb_xfer *xfer, usb_error_t error)
514 {
515 	struct ustorage_fs_softc *sc = usbd_xfer_softc(xfer);
516 	uint32_t tag;
517 	uint8_t err = 0;
518 
519 	DPRINTF("\n");
520 
521 	switch (USB_GET_STATE(xfer)) {
522 	case USB_ST_TRANSFERRED:
523 
524 		tag = UGETDW(sc->sc_cbw->dCBWSignature);
525 
526 		if (tag != CBWSIGNATURE) {
527 			/* do nothing */
528 			DPRINTF("invalid signature 0x%08x\n", tag);
529 			break;
530 		}
531 		tag = UGETDW(sc->sc_cbw->dCBWTag);
532 
533 		/* echo back tag */
534 		USETDW(sc->sc_csw->dCSWTag, tag);
535 
536 		/* reset status */
537 		sc->sc_csw->bCSWStatus = 0;
538 
539 		/* reset data offset, data length and data remainder */
540 		sc->sc_transfer.offset = 0;
541 		sc->sc_transfer.data_rem =
542 		    UGETDW(sc->sc_cbw->dCBWDataTransferLength);
543 
544 		/* reset data flags */
545 		sc->sc_transfer.data_short = 0;
546 
547 		/* extract LUN */
548 		sc->sc_transfer.lun = sc->sc_cbw->bCBWLUN;
549 
550 		if (sc->sc_transfer.data_rem == 0) {
551 			sc->sc_transfer.cbw_dir = DIR_NONE;
552 		} else {
553 			if (sc->sc_cbw->bCBWFlags & CBWFLAGS_IN) {
554 				sc->sc_transfer.cbw_dir = DIR_WRITE;
555 			} else {
556 				sc->sc_transfer.cbw_dir = DIR_READ;
557 			}
558 		}
559 
560 		sc->sc_transfer.cmd_len = sc->sc_cbw->bCDBLength;
561 		if ((sc->sc_transfer.cmd_len > sizeof(sc->sc_cbw->CBWCDB)) ||
562 		    (sc->sc_transfer.cmd_len == 0)) {
563 			/* just halt - this is invalid */
564 			DPRINTF("invalid command length %d bytes\n",
565 			    sc->sc_transfer.cmd_len);
566 			break;
567 		}
568 
569 		err = ustorage_fs_do_cmd(sc);
570 		if (err) {
571 			/* got an error */
572 			DPRINTF("command failed\n");
573 			break;
574 		}
575 		if ((sc->sc_transfer.data_rem > 0) &&
576 		    (sc->sc_transfer.cbw_dir != sc->sc_transfer.cmd_dir)) {
577 			/* contradicting data transfer direction */
578 			err = 1;
579 			DPRINTF("data direction mismatch\n");
580 			break;
581 		}
582 		switch (sc->sc_transfer.cbw_dir) {
583 		case DIR_READ:
584 			ustorage_fs_transfer_start(sc, USTORAGE_FS_T_BBB_DATA_READ);
585 			break;
586 		case DIR_WRITE:
587 			ustorage_fs_transfer_start(sc, USTORAGE_FS_T_BBB_DATA_WRITE);
588 			break;
589 		default:
590 			ustorage_fs_transfer_start(sc,
591 			    USTORAGE_FS_T_BBB_STATUS);
592 			break;
593 		}
594 		break;
595 
596 	case USB_ST_SETUP:
597 tr_setup:
598 		if (sc->sc_transfer.data_error) {
599 			sc->sc_transfer.data_error = 0;
600 			usbd_xfer_set_stall(xfer);
601 			DPRINTF("stall pipe\n");
602 		}
603 		usbd_xfer_set_frame_len(xfer, 0,
604 		    sizeof(ustorage_fs_bbb_cbw_t));
605 		usbd_transfer_submit(xfer);
606 		break;
607 
608 	default:			/* Error */
609 		DPRINTF("error\n");
610 		if (error == USB_ERR_CANCELLED) {
611 			break;
612 		}
613 		/* If the pipe is already stalled, don't do another stall */
614 		if (!usbd_xfer_is_stalled(xfer))
615 			sc->sc_transfer.data_error = 1;
616 
617 		/* try again */
618 		goto tr_setup;
619 	}
620 	if (err) {
621 		if (sc->sc_csw->bCSWStatus == 0) {
622 			/* set some default error code */
623 			sc->sc_csw->bCSWStatus = CSWSTATUS_FAILED;
624 		}
625 		if (sc->sc_transfer.cbw_dir == DIR_READ) {
626 			/* dump all data */
627 			ustorage_fs_transfer_start(sc,
628 			    USTORAGE_FS_T_BBB_DATA_DUMP);
629 			return;
630 		}
631 		if (sc->sc_transfer.cbw_dir == DIR_WRITE) {
632 			/* need to stall before status */
633 			sc->sc_transfer.data_error = 1;
634 		}
635 		ustorage_fs_transfer_start(sc, USTORAGE_FS_T_BBB_STATUS);
636 	}
637 }
638 
639 static void
ustorage_fs_t_bbb_data_dump_callback(struct usb_xfer * xfer,usb_error_t error)640 ustorage_fs_t_bbb_data_dump_callback(struct usb_xfer *xfer, usb_error_t error)
641 {
642 	struct ustorage_fs_softc *sc = usbd_xfer_softc(xfer);
643 	uint32_t max_bulk = usbd_xfer_max_len(xfer);
644 	int actlen, sumlen;
645 
646 	usbd_xfer_status(xfer, &actlen, &sumlen, NULL, NULL);
647 
648 	DPRINTF("\n");
649 
650 	switch (USB_GET_STATE(xfer)) {
651 	case USB_ST_TRANSFERRED:
652 		sc->sc_transfer.data_rem -= actlen;
653 		sc->sc_transfer.offset += actlen;
654 
655 		if (actlen != sumlen || sc->sc_transfer.data_rem == 0) {
656 			/* short transfer or end of data */
657 			ustorage_fs_transfer_start(sc,
658 			    USTORAGE_FS_T_BBB_STATUS);
659 			break;
660 		}
661 		/* Fallthrough */
662 
663 	case USB_ST_SETUP:
664 tr_setup:
665 		if (max_bulk > sc->sc_transfer.data_rem) {
666 			max_bulk = sc->sc_transfer.data_rem;
667 		}
668 		if (sc->sc_transfer.data_error) {
669 			sc->sc_transfer.data_error = 0;
670 			usbd_xfer_set_stall(xfer);
671 		}
672 		usbd_xfer_set_frame_len(xfer, 0, max_bulk);
673 		usbd_transfer_submit(xfer);
674 		break;
675 
676 	default:			/* Error */
677 		if (error == USB_ERR_CANCELLED) {
678 			break;
679 		}
680 		/*
681 		 * If the pipe is already stalled, don't do another stall:
682 		 */
683 		if (!usbd_xfer_is_stalled(xfer))
684 			sc->sc_transfer.data_error = 1;
685 
686 		/* try again */
687 		goto tr_setup;
688 	}
689 }
690 
691 static void
ustorage_fs_t_bbb_data_read_callback(struct usb_xfer * xfer,usb_error_t error)692 ustorage_fs_t_bbb_data_read_callback(struct usb_xfer *xfer, usb_error_t error)
693 {
694 	struct ustorage_fs_softc *sc = usbd_xfer_softc(xfer);
695 	uint32_t max_bulk = usbd_xfer_max_len(xfer);
696 	int actlen, sumlen;
697 
698 	usbd_xfer_status(xfer, &actlen, &sumlen, NULL, NULL);
699 
700 	DPRINTF("\n");
701 
702 	switch (USB_GET_STATE(xfer)) {
703 	case USB_ST_TRANSFERRED:
704 		/* XXX copy data from DMA buffer */
705 		memcpy(sc->sc_transfer.data_ptr, sc->sc_dma_ptr, actlen);
706 
707 		sc->sc_transfer.data_rem -= actlen;
708 		sc->sc_transfer.data_ptr += actlen;
709 		sc->sc_transfer.offset += actlen;
710 
711 		if (actlen != sumlen || sc->sc_transfer.data_rem == 0) {
712 			/* short transfer or end of data */
713 			ustorage_fs_transfer_start(sc,
714 			    USTORAGE_FS_T_BBB_STATUS);
715 			break;
716 		}
717 		/* Fallthrough */
718 
719 	case USB_ST_SETUP:
720 tr_setup:
721 		if (max_bulk > sc->sc_transfer.data_rem) {
722 			max_bulk = sc->sc_transfer.data_rem;
723 		}
724 		if (sc->sc_transfer.data_error) {
725 			sc->sc_transfer.data_error = 0;
726 			usbd_xfer_set_stall(xfer);
727 		}
728 
729 		usbd_xfer_set_frame_data(xfer, 0, sc->sc_dma_ptr, max_bulk);
730 		usbd_transfer_submit(xfer);
731 		break;
732 
733 	default:			/* Error */
734 		if (error == USB_ERR_CANCELLED) {
735 			break;
736 		}
737 		/* If the pipe is already stalled, don't do another stall */
738 		if (!usbd_xfer_is_stalled(xfer))
739 			sc->sc_transfer.data_error = 1;
740 
741 		/* try again */
742 		goto tr_setup;
743 	}
744 }
745 
746 static void
ustorage_fs_t_bbb_data_write_callback(struct usb_xfer * xfer,usb_error_t error)747 ustorage_fs_t_bbb_data_write_callback(struct usb_xfer *xfer, usb_error_t error)
748 {
749 	struct ustorage_fs_softc *sc = usbd_xfer_softc(xfer);
750 	uint32_t max_bulk = usbd_xfer_max_len(xfer);
751 	int actlen, sumlen;
752 
753 	usbd_xfer_status(xfer, &actlen, &sumlen, NULL, NULL);
754 
755 	DPRINTF("\n");
756 
757 	switch (USB_GET_STATE(xfer)) {
758 	case USB_ST_TRANSFERRED:
759 		sc->sc_transfer.data_rem -= actlen;
760 		sc->sc_transfer.data_ptr += actlen;
761 		sc->sc_transfer.offset += actlen;
762 
763 		if (actlen != sumlen || sc->sc_transfer.data_rem == 0) {
764 			/* short transfer or end of data */
765 			ustorage_fs_transfer_start(sc,
766 			    USTORAGE_FS_T_BBB_STATUS);
767 			break;
768 		}
769 	case USB_ST_SETUP:
770 tr_setup:
771 		if (max_bulk >= sc->sc_transfer.data_rem) {
772 			max_bulk = sc->sc_transfer.data_rem;
773 			if (sc->sc_transfer.data_short)
774 				usbd_xfer_set_flag(xfer, USB_FORCE_SHORT_XFER);
775 			else
776 				usbd_xfer_clr_flag(xfer, USB_FORCE_SHORT_XFER);
777 		} else
778 			usbd_xfer_clr_flag(xfer, USB_FORCE_SHORT_XFER);
779 
780 		if (sc->sc_transfer.data_error) {
781 			sc->sc_transfer.data_error = 0;
782 			usbd_xfer_set_stall(xfer);
783 		}
784 
785 		/* XXX copy data to DMA buffer */
786 		memcpy(sc->sc_dma_ptr, sc->sc_transfer.data_ptr, max_bulk);
787 
788 		usbd_xfer_set_frame_data(xfer, 0, sc->sc_dma_ptr, max_bulk);
789 		usbd_transfer_submit(xfer);
790 		break;
791 
792 	default:			/* Error */
793 		if (error == USB_ERR_CANCELLED) {
794 			break;
795 		}
796 		/*
797 		 * If the pipe is already stalled, don't do another
798 		 * stall
799 		 */
800 		if (!usbd_xfer_is_stalled(xfer))
801 			sc->sc_transfer.data_error = 1;
802 
803 		/* try again */
804 		goto tr_setup;
805 	}
806 }
807 
808 static void
ustorage_fs_t_bbb_status_callback(struct usb_xfer * xfer,usb_error_t error)809 ustorage_fs_t_bbb_status_callback(struct usb_xfer *xfer, usb_error_t error)
810 {
811 	struct ustorage_fs_softc *sc = usbd_xfer_softc(xfer);
812 
813 	DPRINTF("\n");
814 
815 	switch (USB_GET_STATE(xfer)) {
816 	case USB_ST_TRANSFERRED:
817 		ustorage_fs_transfer_start(sc, USTORAGE_FS_T_BBB_COMMAND);
818 		break;
819 
820 	case USB_ST_SETUP:
821 tr_setup:
822 		USETDW(sc->sc_csw->dCSWSignature, CSWSIGNATURE);
823 		USETDW(sc->sc_csw->dCSWDataResidue, sc->sc_transfer.data_rem);
824 
825 		if (sc->sc_transfer.data_error) {
826 			sc->sc_transfer.data_error = 0;
827 			usbd_xfer_set_stall(xfer);
828 		}
829 		usbd_xfer_set_frame_len(xfer, 0,
830 		    sizeof(ustorage_fs_bbb_csw_t));
831 		usbd_transfer_submit(xfer);
832 		break;
833 
834 	default:
835 		if (error == USB_ERR_CANCELLED) {
836 			break;
837 		}
838 		/* If the pipe is already stalled, don't do another stall */
839 		if (!usbd_xfer_is_stalled(xfer))
840 			sc->sc_transfer.data_error = 1;
841 
842 		/* try again */
843 		goto tr_setup;
844 	}
845 }
846 
847 /* SCSI commands that we recognize */
848 #define	SC_FORMAT_UNIT			0x04
849 #define	SC_INQUIRY			0x12
850 #define	SC_MODE_SELECT_6		0x15
851 #define	SC_MODE_SELECT_10		0x55
852 #define	SC_MODE_SENSE_6			0x1a
853 #define	SC_MODE_SENSE_10		0x5a
854 #define	SC_PREVENT_ALLOW_MEDIUM_REMOVAL	0x1e
855 #define	SC_READ_6			0x08
856 #define	SC_READ_10			0x28
857 #define	SC_READ_12			0xa8
858 #define	SC_READ_CAPACITY		0x25
859 #define	SC_READ_FORMAT_CAPACITIES	0x23
860 #define	SC_RELEASE			0x17
861 #define	SC_REQUEST_SENSE		0x03
862 #define	SC_RESERVE			0x16
863 #define	SC_SEND_DIAGNOSTIC		0x1d
864 #define	SC_START_STOP_UNIT		0x1b
865 #define	SC_SYNCHRONIZE_CACHE		0x35
866 #define	SC_TEST_UNIT_READY		0x00
867 #define	SC_VERIFY			0x2f
868 #define	SC_WRITE_6			0x0a
869 #define	SC_WRITE_10			0x2a
870 #define	SC_WRITE_12			0xaa
871 
872 /* SCSI Sense Key/Additional Sense Code/ASC Qualifier values */
873 #define	SS_NO_SENSE				0
874 #define	SS_COMMUNICATION_FAILURE		0x040800
875 #define	SS_INVALID_COMMAND			0x052000
876 #define	SS_INVALID_FIELD_IN_CDB			0x052400
877 #define	SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE	0x052100
878 #define	SS_LOGICAL_UNIT_NOT_SUPPORTED		0x052500
879 #define	SS_MEDIUM_NOT_PRESENT			0x023a00
880 #define	SS_MEDIUM_REMOVAL_PREVENTED		0x055302
881 #define	SS_NOT_READY_TO_READY_TRANSITION	0x062800
882 #define	SS_RESET_OCCURRED			0x062900
883 #define	SS_SAVING_PARAMETERS_NOT_SUPPORTED	0x053900
884 #define	SS_UNRECOVERED_READ_ERROR		0x031100
885 #define	SS_WRITE_ERROR				0x030c02
886 #define	SS_WRITE_PROTECTED			0x072700
887 
888 #define	SK(x)		((uint8_t) ((x) >> 16))	/* Sense Key byte, etc. */
889 #define	ASC(x)		((uint8_t) ((x) >> 8))
890 #define	ASCQ(x)		((uint8_t) (x))
891 
892 /* Routines for unaligned data access */
893 
894 static uint16_t
get_be16(uint8_t * buf)895 get_be16(uint8_t *buf)
896 {
897 	return ((uint16_t)buf[0] << 8) | ((uint16_t)buf[1]);
898 }
899 
900 static uint32_t
get_be32(uint8_t * buf)901 get_be32(uint8_t *buf)
902 {
903 	return ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
904 	((uint32_t)buf[2] << 8) | ((uint32_t)buf[3]);
905 }
906 
907 static void
put_be16(uint8_t * buf,uint16_t val)908 put_be16(uint8_t *buf, uint16_t val)
909 {
910 	buf[0] = val >> 8;
911 	buf[1] = val;
912 }
913 
914 static void
put_be32(uint8_t * buf,uint32_t val)915 put_be32(uint8_t *buf, uint32_t val)
916 {
917 	buf[0] = val >> 24;
918 	buf[1] = val >> 16;
919 	buf[2] = val >> 8;
920 	buf[3] = val & 0xff;
921 }
922 
923 /*------------------------------------------------------------------------*
924  *	ustorage_fs_verify
925  *
926  * Returns:
927  *    0: Success
928  * Else: Failure
929  *------------------------------------------------------------------------*/
930 static uint8_t
ustorage_fs_verify(struct ustorage_fs_softc * sc)931 ustorage_fs_verify(struct ustorage_fs_softc *sc)
932 {
933 	struct ustorage_fs_lun *currlun = sc->sc_transfer.currlun;
934 	uint32_t lba;
935 	uint32_t vlen;
936 
937 	/*
938 	 * Get the starting Logical Block Address
939 	 */
940 	lba = get_be32(&sc->sc_cbw->CBWCDB[2]);
941 
942 	/*
943 	 * We allow DPO (Disable Page Out = don't save data in the cache)
944 	 * but we don't implement it.
945 	 */
946 	if ((sc->sc_cbw->CBWCDB[1] & ~0x10) != 0) {
947 		currlun->sense_data = SS_INVALID_FIELD_IN_CDB;
948 		return (1);
949 	}
950 	vlen = get_be16(&sc->sc_cbw->CBWCDB[7]);
951 	if (vlen == 0) {
952 		goto done;
953 	}
954 	/* No default reply */
955 
956 	/* Range check */
957 	vlen += lba;
958 
959 	if ((vlen < lba) ||
960 	    (vlen > currlun->num_sectors) ||
961 	    (lba >= currlun->num_sectors)) {
962 		currlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
963 		return (1);
964 	}
965 	/* XXX TODO: verify that data is readable */
966 done:
967 	return (ustorage_fs_min_len(sc, 0, -1U));
968 }
969 
970 /*------------------------------------------------------------------------*
971  *	ustorage_fs_inquiry
972  *
973  * Returns:
974  *    0: Success
975  * Else: Failure
976  *------------------------------------------------------------------------*/
977 static uint8_t
ustorage_fs_inquiry(struct ustorage_fs_softc * sc)978 ustorage_fs_inquiry(struct ustorage_fs_softc *sc)
979 {
980 	uint8_t *buf = sc->sc_transfer.data_ptr;
981 
982 	struct ustorage_fs_lun *currlun = sc->sc_transfer.currlun;
983 
984 	if (!sc->sc_transfer.currlun) {
985 		/* Unsupported LUNs are okay */
986 		memset(buf, 0, 36);
987 		buf[0] = 0x7f;
988 		/* Unsupported, no device - type */
989 		return (ustorage_fs_min_len(sc, 36, -1U));
990 	}
991 	memset(buf, 0, 8);
992 	/* Non - removable, direct - access device */
993 	if (currlun->removable)
994 		buf[1] = 0x80;
995 	buf[2] = 2;
996 	/* ANSI SCSI level 2 */
997 	buf[3] = 2;
998 	/* SCSI - 2 INQUIRY data format */
999 	buf[4] = 31;
1000 	/* Additional length */
1001 	/* No special options */
1002 	/* Copy in ID string */
1003 	memcpy(buf + 8, USTORAGE_FS_ID_STRING, 28);
1004 
1005 #if (USTORAGE_QDATA_MAX < 36)
1006 #error "(USTORAGE_QDATA_MAX < 36)"
1007 #endif
1008 	return (ustorage_fs_min_len(sc, 36, -1U));
1009 }
1010 
1011 /*------------------------------------------------------------------------*
1012  *	ustorage_fs_request_sense
1013  *
1014  * Returns:
1015  *    0: Success
1016  * Else: Failure
1017  *------------------------------------------------------------------------*/
1018 static uint8_t
ustorage_fs_request_sense(struct ustorage_fs_softc * sc)1019 ustorage_fs_request_sense(struct ustorage_fs_softc *sc)
1020 {
1021 	uint8_t *buf = sc->sc_transfer.data_ptr;
1022 	struct ustorage_fs_lun *currlun = sc->sc_transfer.currlun;
1023 	uint32_t sd;
1024 	uint32_t sdinfo;
1025 	uint8_t valid;
1026 
1027 	/*
1028 	 * From the SCSI-2 spec., section 7.9 (Unit attention condition):
1029 	 *
1030 	 * If a REQUEST SENSE command is received from an initiator
1031 	 * with a pending unit attention condition (before the target
1032 	 * generates the contingent allegiance condition), then the
1033 	 * target shall either:
1034 	 *   a) report any pending sense data and preserve the unit
1035 	 *	attention condition on the logical unit, or,
1036 	 *   b) report the unit attention condition, may discard any
1037 	 *	pending sense data, and clear the unit attention
1038 	 *	condition on the logical unit for that initiator.
1039 	 *
1040 	 * FSG normally uses option a); enable this code to use option b).
1041 	 */
1042 #if 0
1043 	if (currlun && currlun->unit_attention_data != SS_NO_SENSE) {
1044 		currlun->sense_data = currlun->unit_attention_data;
1045 		currlun->unit_attention_data = SS_NO_SENSE;
1046 	}
1047 #endif
1048 
1049 	if (!currlun) {
1050 		/* Unsupported LUNs are okay */
1051 		sd = SS_LOGICAL_UNIT_NOT_SUPPORTED;
1052 		sdinfo = 0;
1053 		valid = 0;
1054 	} else {
1055 		sd = currlun->sense_data;
1056 		sdinfo = currlun->sense_data_info;
1057 		valid = currlun->info_valid << 7;
1058 		currlun->sense_data = SS_NO_SENSE;
1059 		currlun->sense_data_info = 0;
1060 		currlun->info_valid = 0;
1061 	}
1062 
1063 	memset(buf, 0, 18);
1064 	buf[0] = valid | 0x70;
1065 	/* Valid, current error */
1066 	buf[2] = SK(sd);
1067 	put_be32(&buf[3], sdinfo);
1068 	/* Sense information */
1069 	buf[7] = 18 - 8;
1070 	/* Additional sense length */
1071 	buf[12] = ASC(sd);
1072 	buf[13] = ASCQ(sd);
1073 
1074 #if (USTORAGE_QDATA_MAX < 18)
1075 #error "(USTORAGE_QDATA_MAX < 18)"
1076 #endif
1077 	return (ustorage_fs_min_len(sc, 18, -1U));
1078 }
1079 
1080 /*------------------------------------------------------------------------*
1081  *	ustorage_fs_read_capacity
1082  *
1083  * Returns:
1084  *    0: Success
1085  * Else: Failure
1086  *------------------------------------------------------------------------*/
1087 static uint8_t
ustorage_fs_read_capacity(struct ustorage_fs_softc * sc)1088 ustorage_fs_read_capacity(struct ustorage_fs_softc *sc)
1089 {
1090 	uint8_t *buf = sc->sc_transfer.data_ptr;
1091 	struct ustorage_fs_lun *currlun = sc->sc_transfer.currlun;
1092 	uint32_t lba = get_be32(&sc->sc_cbw->CBWCDB[2]);
1093 	uint8_t pmi = sc->sc_cbw->CBWCDB[8];
1094 
1095 	/* Check the PMI and LBA fields */
1096 	if ((pmi > 1) || ((pmi == 0) && (lba != 0))) {
1097 		currlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1098 		return (1);
1099 	}
1100 	/* Max logical block */
1101 	put_be32(&buf[0], currlun->num_sectors - 1);
1102 	/* Block length */
1103 	put_be32(&buf[4], 512);
1104 
1105 #if (USTORAGE_QDATA_MAX < 8)
1106 #error "(USTORAGE_QDATA_MAX < 8)"
1107 #endif
1108 	return (ustorage_fs_min_len(sc, 8, -1U));
1109 }
1110 
1111 /*------------------------------------------------------------------------*
1112  *	ustorage_fs_mode_sense
1113  *
1114  * Returns:
1115  *    0: Success
1116  * Else: Failure
1117  *------------------------------------------------------------------------*/
1118 static uint8_t
ustorage_fs_mode_sense(struct ustorage_fs_softc * sc)1119 ustorage_fs_mode_sense(struct ustorage_fs_softc *sc)
1120 {
1121 	uint8_t *buf = sc->sc_transfer.data_ptr;
1122 	struct ustorage_fs_lun *currlun = sc->sc_transfer.currlun;
1123 	uint8_t *buf0;
1124 	uint16_t len;
1125 	uint16_t limit;
1126 	uint8_t mscmnd = sc->sc_cbw->CBWCDB[0];
1127 	uint8_t pc;
1128 	uint8_t page_code;
1129 	uint8_t changeable_values;
1130 	uint8_t all_pages;
1131 
1132 	buf0 = buf;
1133 
1134 	if ((sc->sc_cbw->CBWCDB[1] & ~0x08) != 0) {
1135 		/* Mask away DBD */
1136 		currlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1137 		return (1);
1138 	}
1139 	pc = sc->sc_cbw->CBWCDB[2] >> 6;
1140 	page_code = sc->sc_cbw->CBWCDB[2] & 0x3f;
1141 	if (pc == 3) {
1142 		currlun->sense_data = SS_SAVING_PARAMETERS_NOT_SUPPORTED;
1143 		return (1);
1144 	}
1145 	changeable_values = (pc == 1);
1146 	all_pages = (page_code == 0x3f);
1147 
1148 	/*
1149 	 * Write the mode parameter header.  Fixed values are: default
1150 	 * medium type, no cache control (DPOFUA), and no block descriptors.
1151 	 * The only variable value is the WriteProtect bit.  We will fill in
1152 	 * the mode data length later.
1153 	 */
1154 	memset(buf, 0, 8);
1155 	if (mscmnd == SC_MODE_SENSE_6) {
1156 		buf[2] = (currlun->read_only ? 0x80 : 0x00);
1157 		/* WP, DPOFUA */
1158 		buf += 4;
1159 		limit = 255;
1160 	} else {
1161 		/* SC_MODE_SENSE_10 */
1162 		buf[3] = (currlun->read_only ? 0x80 : 0x00);
1163 		/* WP, DPOFUA */
1164 		buf += 8;
1165 		limit = 65535;
1166 		/* Should really be mod_data.buflen */
1167 	}
1168 
1169 	/* No block descriptors */
1170 
1171 	/*
1172 	 * The mode pages, in numerical order.
1173 	 */
1174 	if ((page_code == 0x08) || all_pages) {
1175 		buf[0] = 0x08;
1176 		/* Page code */
1177 		buf[1] = 10;
1178 		/* Page length */
1179 		memset(buf + 2, 0, 10);
1180 		/* None of the fields are changeable */
1181 
1182 		if (!changeable_values) {
1183 			buf[2] = 0x04;
1184 			/* Write cache enable, */
1185 			/* Read cache not disabled */
1186 			/* No cache retention priorities */
1187 			put_be16(&buf[4], 0xffff);
1188 			/* Don 't disable prefetch */
1189 			/* Minimum prefetch = 0 */
1190 			put_be16(&buf[8], 0xffff);
1191 			/* Maximum prefetch */
1192 			put_be16(&buf[10], 0xffff);
1193 			/* Maximum prefetch ceiling */
1194 		}
1195 		buf += 12;
1196 	}
1197 	/*
1198 	 * Check that a valid page was requested and the mode data length
1199 	 * isn't too long.
1200 	 */
1201 	len = buf - buf0;
1202 	if (len > limit) {
1203 		currlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1204 		return (1);
1205 	}
1206 	/* Store the mode data length */
1207 	if (mscmnd == SC_MODE_SENSE_6)
1208 		buf0[0] = len - 1;
1209 	else
1210 		put_be16(buf0, len - 2);
1211 
1212 #if (USTORAGE_QDATA_MAX < 24)
1213 #error "(USTORAGE_QDATA_MAX < 24)"
1214 #endif
1215 	return (ustorage_fs_min_len(sc, len, -1U));
1216 }
1217 
1218 /*------------------------------------------------------------------------*
1219  *	ustorage_fs_start_stop
1220  *
1221  * Returns:
1222  *    0: Success
1223  * Else: Failure
1224  *------------------------------------------------------------------------*/
1225 static uint8_t
ustorage_fs_start_stop(struct ustorage_fs_softc * sc)1226 ustorage_fs_start_stop(struct ustorage_fs_softc *sc)
1227 {
1228 	struct ustorage_fs_lun *currlun = sc->sc_transfer.currlun;
1229 	uint8_t loej;
1230 	uint8_t start;
1231 	uint8_t immed;
1232 
1233 	if (!currlun->removable) {
1234 		currlun->sense_data = SS_INVALID_COMMAND;
1235 		return (1);
1236 	}
1237 	immed = sc->sc_cbw->CBWCDB[1] & 0x01;
1238 	loej = sc->sc_cbw->CBWCDB[4] & 0x02;
1239 	start = sc->sc_cbw->CBWCDB[4] & 0x01;
1240 
1241 	if (immed || loej || start) {
1242 		/* compile fix */
1243 	}
1244 	return (0);
1245 }
1246 
1247 /*------------------------------------------------------------------------*
1248  *	ustorage_fs_prevent_allow
1249  *
1250  * Returns:
1251  *    0: Success
1252  * Else: Failure
1253  *------------------------------------------------------------------------*/
1254 static uint8_t
ustorage_fs_prevent_allow(struct ustorage_fs_softc * sc)1255 ustorage_fs_prevent_allow(struct ustorage_fs_softc *sc)
1256 {
1257 	struct ustorage_fs_lun *currlun = sc->sc_transfer.currlun;
1258 	uint8_t prevent;
1259 
1260 	if (!currlun->removable) {
1261 		currlun->sense_data = SS_INVALID_COMMAND;
1262 		return (1);
1263 	}
1264 	prevent = sc->sc_cbw->CBWCDB[4] & 0x01;
1265 	if ((sc->sc_cbw->CBWCDB[4] & ~0x01) != 0) {
1266 		/* Mask away Prevent */
1267 		currlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1268 		return (1);
1269 	}
1270 	if (currlun->prevent_medium_removal && !prevent) {
1271 		//fsync_sub(currlun);
1272 	}
1273 	currlun->prevent_medium_removal = prevent;
1274 	return (0);
1275 }
1276 
1277 /*------------------------------------------------------------------------*
1278  *	ustorage_fs_read_format_capacities
1279  *
1280  * Returns:
1281  *    0: Success
1282  * Else: Failure
1283  *------------------------------------------------------------------------*/
1284 static uint8_t
ustorage_fs_read_format_capacities(struct ustorage_fs_softc * sc)1285 ustorage_fs_read_format_capacities(struct ustorage_fs_softc *sc)
1286 {
1287 	uint8_t *buf = sc->sc_transfer.data_ptr;
1288 	struct ustorage_fs_lun *currlun = sc->sc_transfer.currlun;
1289 
1290 	buf[0] = buf[1] = buf[2] = 0;
1291 	buf[3] = 8;
1292 	/* Only the Current / Maximum Capacity Descriptor */
1293 	buf += 4;
1294 
1295 	/* Number of blocks */
1296 	put_be32(&buf[0], currlun->num_sectors);
1297 	/* Block length */
1298 	put_be32(&buf[4], 512);
1299 	/* Current capacity */
1300 	buf[4] = 0x02;
1301 
1302 #if (USTORAGE_QDATA_MAX < 12)
1303 #error "(USTORAGE_QDATA_MAX < 12)"
1304 #endif
1305 	return (ustorage_fs_min_len(sc, 12, -1U));
1306 }
1307 
1308 /*------------------------------------------------------------------------*
1309  *	ustorage_fs_mode_select
1310  *
1311  * Return values:
1312  *    0: Success
1313  * Else: Failure
1314  *------------------------------------------------------------------------*/
1315 static uint8_t
ustorage_fs_mode_select(struct ustorage_fs_softc * sc)1316 ustorage_fs_mode_select(struct ustorage_fs_softc *sc)
1317 {
1318 	struct ustorage_fs_lun *currlun = sc->sc_transfer.currlun;
1319 
1320 	/* We don't support MODE SELECT */
1321 	currlun->sense_data = SS_INVALID_COMMAND;
1322 	return (1);
1323 }
1324 
1325 /*------------------------------------------------------------------------*
1326  *	ustorage_fs_synchronize_cache
1327  *
1328  * Return values:
1329  *    0: Success
1330  * Else: Failure
1331  *------------------------------------------------------------------------*/
1332 static uint8_t
ustorage_fs_synchronize_cache(struct ustorage_fs_softc * sc)1333 ustorage_fs_synchronize_cache(struct ustorage_fs_softc *sc)
1334 {
1335 #if 0
1336 	struct ustorage_fs_lun *currlun = sc->sc_transfer.currlun;
1337 	uint8_t rc;
1338 
1339 	/*
1340 	 * We ignore the requested LBA and write out all dirty data buffers.
1341 	 */
1342 	rc = 0;
1343 	if (rc) {
1344 		currlun->sense_data = SS_WRITE_ERROR;
1345 	}
1346 #endif
1347 	return (0);
1348 }
1349 
1350 /*------------------------------------------------------------------------*
1351  *	ustorage_fs_read - read data from disk
1352  *
1353  * Return values:
1354  *    0: Success
1355  * Else: Failure
1356  *------------------------------------------------------------------------*/
1357 static uint8_t
ustorage_fs_read(struct ustorage_fs_softc * sc)1358 ustorage_fs_read(struct ustorage_fs_softc *sc)
1359 {
1360 	struct ustorage_fs_lun *currlun = sc->sc_transfer.currlun;
1361 	uint64_t file_offset;
1362 	uint32_t lba;
1363 	uint32_t len;
1364 
1365 	/*
1366 	 * Get the starting Logical Block Address and check that it's not
1367 	 * too big
1368 	 */
1369 	if (sc->sc_cbw->CBWCDB[0] == SC_READ_6) {
1370 		lba = (((uint32_t)sc->sc_cbw->CBWCDB[1]) << 16) |
1371 		    get_be16(&sc->sc_cbw->CBWCDB[2]);
1372 	} else {
1373 		lba = get_be32(&sc->sc_cbw->CBWCDB[2]);
1374 
1375 		/*
1376 		 * We allow DPO (Disable Page Out = don't save data in the
1377 		 * cache) and FUA (Force Unit Access = don't read from the
1378 		 * cache), but we don't implement them.
1379 		 */
1380 		if ((sc->sc_cbw->CBWCDB[1] & ~0x18) != 0) {
1381 			currlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1382 			return (1);
1383 		}
1384 	}
1385 	len = sc->sc_transfer.data_rem >> 9;
1386 	len += lba;
1387 
1388 	if ((len < lba) ||
1389 	    (len > currlun->num_sectors) ||
1390 	    (lba >= currlun->num_sectors)) {
1391 		currlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
1392 		return (1);
1393 	}
1394 	file_offset = lba;
1395 	file_offset <<= 9;
1396 
1397 	sc->sc_transfer.data_ptr = currlun->memory_image + file_offset;
1398 
1399 	return (0);
1400 }
1401 
1402 /*------------------------------------------------------------------------*
1403  *	ustorage_fs_write - write data to disk
1404  *
1405  * Return values:
1406  *    0: Success
1407  * Else: Failure
1408  *------------------------------------------------------------------------*/
1409 static uint8_t
ustorage_fs_write(struct ustorage_fs_softc * sc)1410 ustorage_fs_write(struct ustorage_fs_softc *sc)
1411 {
1412 	struct ustorage_fs_lun *currlun = sc->sc_transfer.currlun;
1413 	uint64_t file_offset;
1414 	uint32_t lba;
1415 	uint32_t len;
1416 
1417 	if (currlun->read_only) {
1418 		currlun->sense_data = SS_WRITE_PROTECTED;
1419 		return (1);
1420 	}
1421 	/* XXX clear SYNC */
1422 
1423 	/*
1424 	 * Get the starting Logical Block Address and check that it's not
1425 	 * too big.
1426 	 */
1427 	if (sc->sc_cbw->CBWCDB[0] == SC_WRITE_6)
1428 		lba = (((uint32_t)sc->sc_cbw->CBWCDB[1]) << 16) |
1429 		    get_be16(&sc->sc_cbw->CBWCDB[2]);
1430 	else {
1431 		lba = get_be32(&sc->sc_cbw->CBWCDB[2]);
1432 
1433 		/*
1434 		 * We allow DPO (Disable Page Out = don't save data in the
1435 		 * cache) and FUA (Force Unit Access = write directly to the
1436 		 * medium).  We don't implement DPO; we implement FUA by
1437 		 * performing synchronous output.
1438 		 */
1439 		if ((sc->sc_cbw->CBWCDB[1] & ~0x18) != 0) {
1440 			currlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1441 			return (1);
1442 		}
1443 		if (sc->sc_cbw->CBWCDB[1] & 0x08) {
1444 			/* FUA */
1445 			/* XXX set SYNC flag here */
1446 		}
1447 	}
1448 
1449 	len = sc->sc_transfer.data_rem >> 9;
1450 	len += lba;
1451 
1452 	if ((len < lba) ||
1453 	    (len > currlun->num_sectors) ||
1454 	    (lba >= currlun->num_sectors)) {
1455 		currlun->sense_data = SS_LOGICAL_BLOCK_ADDRESS_OUT_OF_RANGE;
1456 		return (1);
1457 	}
1458 	file_offset = lba;
1459 	file_offset <<= 9;
1460 
1461 	sc->sc_transfer.data_ptr = currlun->memory_image + file_offset;
1462 
1463 	return (0);
1464 }
1465 
1466 /*------------------------------------------------------------------------*
1467  *	ustorage_fs_min_len
1468  *
1469  * Return values:
1470  *    0: Success
1471  * Else: Failure
1472  *------------------------------------------------------------------------*/
1473 static uint8_t
ustorage_fs_min_len(struct ustorage_fs_softc * sc,uint32_t len,uint32_t mask)1474 ustorage_fs_min_len(struct ustorage_fs_softc *sc, uint32_t len, uint32_t mask)
1475 {
1476 	if (len != sc->sc_transfer.data_rem) {
1477 		if (sc->sc_transfer.cbw_dir == DIR_READ) {
1478 			/*
1479 			 * there must be something wrong about this SCSI
1480 			 * command
1481 			 */
1482 			sc->sc_csw->bCSWStatus = CSWSTATUS_PHASE;
1483 			return (1);
1484 		}
1485 		/* compute the minimum length */
1486 
1487 		if (sc->sc_transfer.data_rem > len) {
1488 			/* data ends prematurely */
1489 			sc->sc_transfer.data_rem = len;
1490 			sc->sc_transfer.data_short = 1;
1491 		}
1492 		/* check length alignment */
1493 
1494 		if (sc->sc_transfer.data_rem & ~mask) {
1495 			/* data ends prematurely */
1496 			sc->sc_transfer.data_rem &= mask;
1497 			sc->sc_transfer.data_short = 1;
1498 		}
1499 	}
1500 	return (0);
1501 }
1502 
1503 /*------------------------------------------------------------------------*
1504  *	ustorage_fs_check_cmd - check command routine
1505  *
1506  * Check whether the command is properly formed and whether its data
1507  * size and direction agree with the values we already have.
1508  *
1509  * Return values:
1510  *    0: Success
1511  * Else: Failure
1512  *------------------------------------------------------------------------*/
1513 static uint8_t
ustorage_fs_check_cmd(struct ustorage_fs_softc * sc,uint8_t min_cmd_size,uint16_t mask,uint8_t needs_medium)1514 ustorage_fs_check_cmd(struct ustorage_fs_softc *sc, uint8_t min_cmd_size,
1515     uint16_t mask, uint8_t needs_medium)
1516 {
1517 	struct ustorage_fs_lun *currlun;
1518 	uint8_t lun = (sc->sc_cbw->CBWCDB[1] >> 5);
1519 	uint8_t i;
1520 
1521 	/* Verify the length of the command itself */
1522 	if (min_cmd_size > sc->sc_transfer.cmd_len) {
1523 		DPRINTF("%u > %u\n",
1524 		    min_cmd_size, sc->sc_transfer.cmd_len);
1525 		sc->sc_csw->bCSWStatus = CSWSTATUS_PHASE;
1526 		return (1);
1527 	}
1528 	/* Mask away the LUN */
1529 	sc->sc_cbw->CBWCDB[1] &= 0x1f;
1530 
1531 	/* Check if LUN is correct */
1532 	if (lun != sc->sc_transfer.lun) {
1533 	}
1534 	/* Check the LUN */
1535 	if (sc->sc_transfer.lun <= sc->sc_last_lun) {
1536 		sc->sc_transfer.currlun = currlun =
1537 		    sc->sc_lun + sc->sc_transfer.lun;
1538 		if (sc->sc_cbw->CBWCDB[0] != SC_REQUEST_SENSE) {
1539 			currlun->sense_data = SS_NO_SENSE;
1540 			currlun->sense_data_info = 0;
1541 			currlun->info_valid = 0;
1542 		}
1543 		/*
1544 		 * If a unit attention condition exists, only INQUIRY
1545 		 * and REQUEST SENSE commands are allowed. Anything
1546 		 * else must fail!
1547 		 */
1548 		if ((currlun->unit_attention_data != SS_NO_SENSE) &&
1549 		    (sc->sc_cbw->CBWCDB[0] != SC_INQUIRY) &&
1550 		    (sc->sc_cbw->CBWCDB[0] != SC_REQUEST_SENSE)) {
1551 			currlun->sense_data = currlun->unit_attention_data;
1552 			currlun->unit_attention_data = SS_NO_SENSE;
1553 			return (1);
1554 		}
1555 	} else {
1556 		sc->sc_transfer.currlun = currlun = NULL;
1557 
1558 		/*
1559 		 * INQUIRY and REQUEST SENSE commands are explicitly allowed
1560 		 * to use unsupported LUNs; all others may not.
1561 		 */
1562 		if ((sc->sc_cbw->CBWCDB[0] != SC_INQUIRY) &&
1563 		    (sc->sc_cbw->CBWCDB[0] != SC_REQUEST_SENSE)) {
1564 			return (1);
1565 		}
1566 	}
1567 
1568 	/*
1569 	 * Check that only command bytes listed in the mask are
1570 	 * non-zero.
1571 	 */
1572 	for (i = 0; i != min_cmd_size; i++) {
1573 		if (sc->sc_cbw->CBWCDB[i] && !(mask & (1UL << i))) {
1574 			if (currlun) {
1575 				currlun->sense_data = SS_INVALID_FIELD_IN_CDB;
1576 			}
1577 			return (1);
1578 		}
1579 	}
1580 
1581 	/*
1582 	 * If the medium isn't mounted and the command needs to access
1583 	 * it, return an error.
1584 	 */
1585 	if (currlun && (!currlun->memory_image) && needs_medium) {
1586 		currlun->sense_data = SS_MEDIUM_NOT_PRESENT;
1587 		return (1);
1588 	}
1589 	return (0);
1590 }
1591 
1592 /*------------------------------------------------------------------------*
1593  *	ustorage_fs_do_cmd - do command
1594  *
1595  * Return values:
1596  *    0: Success
1597  * Else: Failure
1598  *------------------------------------------------------------------------*/
1599 static uint8_t
ustorage_fs_do_cmd(struct ustorage_fs_softc * sc)1600 ustorage_fs_do_cmd(struct ustorage_fs_softc *sc)
1601 {
1602 	uint8_t error = 1;
1603 	uint8_t i;
1604 	uint32_t temp;
1605 	const uint32_t mask9 = (0xFFFFFFFFUL >> 9) << 9;
1606 
1607 	/* set default data transfer pointer */
1608 	sc->sc_transfer.data_ptr = sc->sc_qdata;
1609 
1610 	DPRINTF("cmd_data[0]=0x%02x, data_rem=0x%08x\n",
1611 	    sc->sc_cbw->CBWCDB[0], sc->sc_transfer.data_rem);
1612 
1613 	switch (sc->sc_cbw->CBWCDB[0]) {
1614 	case SC_INQUIRY:
1615 		sc->sc_transfer.cmd_dir = DIR_WRITE;
1616 		error = ustorage_fs_min_len(sc, sc->sc_cbw->CBWCDB[4], -1U);
1617 		if (error) {
1618 			break;
1619 		}
1620 		error = ustorage_fs_check_cmd(sc, 6,
1621 		    (1UL << 4) | 1, 0);
1622 		if (error) {
1623 			break;
1624 		}
1625 		error = ustorage_fs_inquiry(sc);
1626 
1627 		break;
1628 
1629 	case SC_MODE_SELECT_6:
1630 		sc->sc_transfer.cmd_dir = DIR_READ;
1631 		error = ustorage_fs_min_len(sc, sc->sc_cbw->CBWCDB[4], -1U);
1632 		if (error) {
1633 			break;
1634 		}
1635 		error = ustorage_fs_check_cmd(sc, 6,
1636 		    (1UL << 1) | (1UL << 4) | 1, 0);
1637 		if (error) {
1638 			break;
1639 		}
1640 		error = ustorage_fs_mode_select(sc);
1641 
1642 		break;
1643 
1644 	case SC_MODE_SELECT_10:
1645 		sc->sc_transfer.cmd_dir = DIR_READ;
1646 		error = ustorage_fs_min_len(sc,
1647 		    get_be16(&sc->sc_cbw->CBWCDB[7]), -1U);
1648 		if (error) {
1649 			break;
1650 		}
1651 		error = ustorage_fs_check_cmd(sc, 10,
1652 		    (1UL << 1) | (3UL << 7) | 1, 0);
1653 		if (error) {
1654 			break;
1655 		}
1656 		error = ustorage_fs_mode_select(sc);
1657 
1658 		break;
1659 
1660 	case SC_MODE_SENSE_6:
1661 		sc->sc_transfer.cmd_dir = DIR_WRITE;
1662 		error = ustorage_fs_min_len(sc, sc->sc_cbw->CBWCDB[4], -1U);
1663 		if (error) {
1664 			break;
1665 		}
1666 		error = ustorage_fs_check_cmd(sc, 6,
1667 		    (1UL << 1) | (1UL << 2) | (1UL << 4) | 1, 0);
1668 		if (error) {
1669 			break;
1670 		}
1671 		error = ustorage_fs_mode_sense(sc);
1672 
1673 		break;
1674 
1675 	case SC_MODE_SENSE_10:
1676 		sc->sc_transfer.cmd_dir = DIR_WRITE;
1677 		error = ustorage_fs_min_len(sc,
1678 		    get_be16(&sc->sc_cbw->CBWCDB[7]), -1U);
1679 		if (error) {
1680 			break;
1681 		}
1682 		error = ustorage_fs_check_cmd(sc, 10,
1683 		    (1UL << 1) | (1UL << 2) | (3UL << 7) | 1, 0);
1684 		if (error) {
1685 			break;
1686 		}
1687 		error = ustorage_fs_mode_sense(sc);
1688 
1689 		break;
1690 
1691 	case SC_PREVENT_ALLOW_MEDIUM_REMOVAL:
1692 		error = ustorage_fs_min_len(sc, 0, -1U);
1693 		if (error) {
1694 			break;
1695 		}
1696 		error = ustorage_fs_check_cmd(sc, 6,
1697 		    (1UL << 4) | 1, 0);
1698 		if (error) {
1699 			break;
1700 		}
1701 		error = ustorage_fs_prevent_allow(sc);
1702 
1703 		break;
1704 
1705 	case SC_READ_6:
1706 		i = sc->sc_cbw->CBWCDB[4];
1707 		sc->sc_transfer.cmd_dir = DIR_WRITE;
1708 		temp = ((i == 0) ? 256UL : i);
1709 		error = ustorage_fs_min_len(sc, temp << 9, mask9);
1710 		if (error) {
1711 			break;
1712 		}
1713 		error = ustorage_fs_check_cmd(sc, 6,
1714 		    (7UL << 1) | (1UL << 4) | 1, 1);
1715 		if (error) {
1716 			break;
1717 		}
1718 		error = ustorage_fs_read(sc);
1719 
1720 		break;
1721 
1722 	case SC_READ_10:
1723 		sc->sc_transfer.cmd_dir = DIR_WRITE;
1724 		temp = get_be16(&sc->sc_cbw->CBWCDB[7]);
1725 		error = ustorage_fs_min_len(sc, temp << 9, mask9);
1726 		if (error) {
1727 			break;
1728 		}
1729 		error = ustorage_fs_check_cmd(sc, 10,
1730 		    (1UL << 1) | (0xfUL << 2) | (3UL << 7) | 1, 1);
1731 		if (error) {
1732 			break;
1733 		}
1734 		error = ustorage_fs_read(sc);
1735 
1736 		break;
1737 
1738 	case SC_READ_12:
1739 		sc->sc_transfer.cmd_dir = DIR_WRITE;
1740 		temp = get_be32(&sc->sc_cbw->CBWCDB[6]);
1741 		if (temp >= (1UL << (32 - 9))) {
1742 			/* numerical overflow */
1743 			sc->sc_csw->bCSWStatus = CSWSTATUS_FAILED;
1744 			error = 1;
1745 			break;
1746 		}
1747 		error = ustorage_fs_min_len(sc, temp << 9, mask9);
1748 		if (error) {
1749 			break;
1750 		}
1751 		error = ustorage_fs_check_cmd(sc, 12,
1752 		    (1UL << 1) | (0xfUL << 2) | (0xfUL << 6) | 1, 1);
1753 		if (error) {
1754 			break;
1755 		}
1756 		error = ustorage_fs_read(sc);
1757 
1758 		break;
1759 
1760 	case SC_READ_CAPACITY:
1761 		sc->sc_transfer.cmd_dir = DIR_WRITE;
1762 		error = ustorage_fs_check_cmd(sc, 10,
1763 		    (0xfUL << 2) | (1UL << 8) | 1, 1);
1764 		if (error) {
1765 			break;
1766 		}
1767 		error = ustorage_fs_read_capacity(sc);
1768 
1769 		break;
1770 
1771 	case SC_READ_FORMAT_CAPACITIES:
1772 		sc->sc_transfer.cmd_dir = DIR_WRITE;
1773 		error = ustorage_fs_min_len(sc,
1774 		    get_be16(&sc->sc_cbw->CBWCDB[7]), -1U);
1775 		if (error) {
1776 			break;
1777 		}
1778 		error = ustorage_fs_check_cmd(sc, 10,
1779 		    (3UL << 7) | 1, 1);
1780 		if (error) {
1781 			break;
1782 		}
1783 		error = ustorage_fs_read_format_capacities(sc);
1784 
1785 		break;
1786 
1787 	case SC_REQUEST_SENSE:
1788 		sc->sc_transfer.cmd_dir = DIR_WRITE;
1789 		error = ustorage_fs_min_len(sc, sc->sc_cbw->CBWCDB[4], -1U);
1790 		if (error) {
1791 			break;
1792 		}
1793 		error = ustorage_fs_check_cmd(sc, 6,
1794 		    (1UL << 4) | 1, 0);
1795 		if (error) {
1796 			break;
1797 		}
1798 		error = ustorage_fs_request_sense(sc);
1799 
1800 		break;
1801 
1802 	case SC_START_STOP_UNIT:
1803 		error = ustorage_fs_min_len(sc, 0, -1U);
1804 		if (error) {
1805 			break;
1806 		}
1807 		error = ustorage_fs_check_cmd(sc, 6,
1808 		    (1UL << 1) | (1UL << 4) | 1, 0);
1809 		if (error) {
1810 			break;
1811 		}
1812 		error = ustorage_fs_start_stop(sc);
1813 
1814 		break;
1815 
1816 	case SC_SYNCHRONIZE_CACHE:
1817 		error = ustorage_fs_min_len(sc, 0, -1U);
1818 		if (error) {
1819 			break;
1820 		}
1821 		error = ustorage_fs_check_cmd(sc, 10,
1822 		    (0xfUL << 2) | (3UL << 7) | 1, 1);
1823 		if (error) {
1824 			break;
1825 		}
1826 		error = ustorage_fs_synchronize_cache(sc);
1827 
1828 		break;
1829 
1830 	case SC_TEST_UNIT_READY:
1831 		error = ustorage_fs_min_len(sc, 0, -1U);
1832 		if (error) {
1833 			break;
1834 		}
1835 		error = ustorage_fs_check_cmd(sc, 6,
1836 		    0 | 1, 1);
1837 		break;
1838 
1839 		/*
1840 		 * Although optional, this command is used by MS-Windows.
1841 		 * We support a minimal version: BytChk must be 0.
1842 		 */
1843 	case SC_VERIFY:
1844 		error = ustorage_fs_min_len(sc, 0, -1U);
1845 		if (error) {
1846 			break;
1847 		}
1848 		error = ustorage_fs_check_cmd(sc, 10,
1849 		    (1UL << 1) | (0xfUL << 2) | (3UL << 7) | 1, 1);
1850 		if (error) {
1851 			break;
1852 		}
1853 		error = ustorage_fs_verify(sc);
1854 
1855 		break;
1856 
1857 	case SC_WRITE_6:
1858 		i = sc->sc_cbw->CBWCDB[4];
1859 		sc->sc_transfer.cmd_dir = DIR_READ;
1860 		temp = ((i == 0) ? 256UL : i);
1861 		error = ustorage_fs_min_len(sc, temp << 9, mask9);
1862 		if (error) {
1863 			break;
1864 		}
1865 		error = ustorage_fs_check_cmd(sc, 6,
1866 		    (7UL << 1) | (1UL << 4) | 1, 1);
1867 		if (error) {
1868 			break;
1869 		}
1870 		error = ustorage_fs_write(sc);
1871 
1872 		break;
1873 
1874 	case SC_WRITE_10:
1875 		sc->sc_transfer.cmd_dir = DIR_READ;
1876 		temp = get_be16(&sc->sc_cbw->CBWCDB[7]);
1877 		error = ustorage_fs_min_len(sc, temp << 9, mask9);
1878 		if (error) {
1879 			break;
1880 		}
1881 		error = ustorage_fs_check_cmd(sc, 10,
1882 		    (1UL << 1) | (0xfUL << 2) | (3UL << 7) | 1, 1);
1883 		if (error) {
1884 			break;
1885 		}
1886 		error = ustorage_fs_write(sc);
1887 
1888 		break;
1889 
1890 	case SC_WRITE_12:
1891 		sc->sc_transfer.cmd_dir = DIR_READ;
1892 		temp = get_be32(&sc->sc_cbw->CBWCDB[6]);
1893 		if (temp > (mask9 >> 9)) {
1894 			/* numerical overflow */
1895 			sc->sc_csw->bCSWStatus = CSWSTATUS_FAILED;
1896 			error = 1;
1897 			break;
1898 		}
1899 		error = ustorage_fs_min_len(sc, temp << 9, mask9);
1900 		if (error) {
1901 			break;
1902 		}
1903 		error = ustorage_fs_check_cmd(sc, 12,
1904 		    (1UL << 1) | (0xfUL << 2) | (0xfUL << 6) | 1, 1);
1905 		if (error) {
1906 			break;
1907 		}
1908 		error = ustorage_fs_write(sc);
1909 
1910 		break;
1911 
1912 		/*
1913 		 * Some mandatory commands that we recognize but don't
1914 		 * implement.  They don't mean much in this setting.
1915 		 * It's left as an exercise for anyone interested to
1916 		 * implement RESERVE and RELEASE in terms of Posix
1917 		 * locks.
1918 		 */
1919 	case SC_FORMAT_UNIT:
1920 	case SC_RELEASE:
1921 	case SC_RESERVE:
1922 	case SC_SEND_DIAGNOSTIC:
1923 		/* Fallthrough */
1924 
1925 	default:
1926 		error = ustorage_fs_min_len(sc, 0, -1U);
1927 		if (error) {
1928 			break;
1929 		}
1930 		error = ustorage_fs_check_cmd(sc, sc->sc_transfer.cmd_len,
1931 		    0xff, 0);
1932 		if (error) {
1933 			break;
1934 		}
1935 		sc->sc_transfer.currlun->sense_data =
1936 		    SS_INVALID_COMMAND;
1937 		error = 1;
1938 
1939 		break;
1940 	}
1941 	return (error);
1942 }
1943