The async packet handling logic has places that infer whether the
async packet is data or CSW, based on context. This is not wrong,
it just makes the logic easier to follow if they are categorised
when they are accepted.

Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
---
 include/hw/usb/msd.h |   5 +-
 hw/usb/dev-storage.c | 121 +++++++++++++++++++++++++++----------------
 2 files changed, 79 insertions(+), 47 deletions(-)

diff --git a/include/hw/usb/msd.h b/include/hw/usb/msd.h
index f9fd862b529..a40d15f5def 100644
--- a/include/hw/usb/msd.h
+++ b/include/hw/usb/msd.h
@@ -33,8 +33,11 @@ struct MSDState {
     struct usb_msd_csw csw;
     SCSIRequest *req;
     SCSIBus bus;
+
     /* For async completion.  */
-    USBPacket *packet;
+    USBPacket *data_packet;
+    USBPacket *csw_in_packet;
+
     /* usb-storage only */
     BlockConf conf;
     bool removable;
diff --git a/hw/usb/dev-storage.c b/hw/usb/dev-storage.c
index fe8955bf212..66fffda3713 100644
--- a/hw/usb/dev-storage.c
+++ b/hw/usb/dev-storage.c
@@ -185,18 +185,33 @@ static const USBDesc desc = {
     .str   = desc_strings,
 };
 
-static void usb_msd_packet_complete(MSDState *s, int status)
+static void usb_msd_data_packet_complete(MSDState *s, int status)
 {
-    USBPacket *p = s->packet;
+    USBPacket *p = s->data_packet;
 
     /*
-     * Set s->packet to NULL before calling usb_packet_complete
-     * because another request may be issued before
-     * usb_packet_complete returns.
+     * Set s->data_packet to NULL before calling usb_packet_complete
+     * because another request may be issued before usb_packet_complete
+     * returns.
      */
     trace_usb_msd_packet_complete();
+    s->data_packet = NULL;
+    p->status = status;
+    usb_packet_complete(&s->dev, p);
+}
+
+static void usb_msd_csw_packet_complete(MSDState *s, int status)
+{
+    USBPacket *p = s->csw_in_packet;
+
+    /*
+     * Set s->csw_in_packet to NULL before calling usb_packet_complete
+     * because another request may be issued before usb_packet_complete
+     * returns.
+     */
+    trace_usb_msd_packet_complete();
+    s->csw_in_packet = NULL;
     p->status = status;
-    s->packet = NULL;
     usb_packet_complete(&s->dev, p);
 }
 
@@ -204,8 +219,12 @@ static void usb_msd_fatal_error(MSDState *s)
 {
     trace_usb_msd_fatal_error();
 
-    if (s->packet) {
-        usb_msd_packet_complete(s, USB_RET_STALL);
+    if (s->data_packet) {
+        usb_msd_data_packet_complete(s, USB_RET_STALL);
+    }
+
+    if (s->csw_in_packet) {
+        usb_msd_csw_packet_complete(s, USB_RET_STALL);
     }
 
     /*
@@ -250,7 +269,7 @@ static void usb_msd_send_status(MSDState *s, USBPacket *p)
 void usb_msd_transfer_data(SCSIRequest *req, uint32_t len)
 {
     MSDState *s = DO_UPCAST(MSDState, dev.qdev, req->bus->qbus.parent);
-    USBPacket *p = s->packet;
+    USBPacket *p = s->data_packet;
 
     if ((s->mode == USB_MSDM_DATAOUT) != (req->cmd.mode == SCSI_XFER_TO_DEV)) {
         usb_msd_fatal_error(s);
@@ -261,10 +280,10 @@ void usb_msd_transfer_data(SCSIRequest *req, uint32_t len)
     s->scsi_off = 0;
     if (p) {
         usb_msd_copy_data(s, p);
-        p = s->packet;
+        p = s->data_packet;
         if (p && p->actual_length == p->iov.size) {
             /* USB_RET_SUCCESS status clears previous ASYNC status */
-            usb_msd_packet_complete(s, USB_RET_SUCCESS);
+            usb_msd_data_packet_complete(s, USB_RET_SUCCESS);
         }
     }
 }
@@ -272,7 +291,7 @@ void usb_msd_transfer_data(SCSIRequest *req, uint32_t len)
 void usb_msd_command_complete(SCSIRequest *req, size_t resid)
 {
     MSDState *s = DO_UPCAST(MSDState, dev.qdev, req->bus->qbus.parent);
-    USBPacket *p = s->packet;
+    USBPacket *p = s->data_packet;
 
     trace_usb_msd_cmd_complete(req->status, req->tag);
 
@@ -281,35 +300,37 @@ void usb_msd_command_complete(SCSIRequest *req, size_t resid)
     s->csw.residue = cpu_to_le32(s->data_len);
     s->csw.status = req->status != 0;
 
-    if (s->packet) {
-        if (s->data_len == 0 && s->mode == USB_MSDM_DATAOUT) {
-            /* A deferred packet with no write data remaining must be
-               the status read packet.  */
-            usb_msd_send_status(s, p);
-            s->mode = USB_MSDM_CBW;
-        } else if (s->mode == USB_MSDM_CSW) {
-            usb_msd_send_status(s, p);
-            s->mode = USB_MSDM_CBW;
-        } else {
-            if (s->data_len) {
-                int len = (p->iov.size - p->actual_length);
-                usb_packet_skip(p, len);
-                if (len > s->data_len) {
-                    len = s->data_len;
-                }
-                s->data_len -= len;
-            }
-            if (s->data_len == 0) {
-                s->mode = USB_MSDM_CSW;
+    scsi_req_unref(req);
+    s->req = NULL;
+
+    if (p) {
+        g_assert(s->mode == USB_MSDM_DATAIN || s->mode == USB_MSDM_DATAOUT);
+        if (s->data_len) {
+            int len = (p->iov.size - p->actual_length);
+            usb_packet_skip(p, len);
+            if (len > s->data_len) {
+                len = s->data_len;
             }
+            s->data_len -= len;
+        }
+        if (s->data_len == 0) {
+            s->mode = USB_MSDM_CSW;
         }
         /* USB_RET_SUCCESS status clears previous ASYNC status */
-        usb_msd_packet_complete(s, USB_RET_SUCCESS);
+        usb_msd_data_packet_complete(s, USB_RET_SUCCESS);
     } else if (s->data_len == 0) {
         s->mode = USB_MSDM_CSW;
     }
-    scsi_req_unref(req);
-    s->req = NULL;
+
+    if (s->mode == USB_MSDM_CSW) {
+        p = s->csw_in_packet;
+        if (p) {
+            usb_msd_send_status(s, p);
+            s->mode = USB_MSDM_CBW;
+            /* USB_RET_SUCCESS status clears previous ASYNC status */
+            usb_msd_csw_packet_complete(s, USB_RET_SUCCESS);
+        }
+    }
 }
 
 void usb_msd_request_cancelled(SCSIRequest *req)
@@ -339,8 +360,12 @@ void usb_msd_handle_reset(USBDevice *dev)
     }
     assert(s->req == NULL);
 
-    if (s->packet) {
-        usb_msd_packet_complete(s, USB_RET_STALL);
+    if (s->data_packet) {
+        usb_msd_data_packet_complete(s, USB_RET_STALL);
+    }
+
+    if (s->csw_in_packet) {
+        usb_msd_csw_packet_complete(s, USB_RET_STALL);
     }
 
     memset(&s->csw, 0, sizeof(s->csw));
@@ -395,11 +420,15 @@ static void usb_msd_cancel_io(USBDevice *dev, USBPacket *p)
 {
     MSDState *s = USB_STORAGE_DEV(dev);
 
-    assert(s->packet == p);
-    s->packet = NULL;
-
-    if (s->req) {
-        scsi_req_cancel(s->req);
+    if (p == s->data_packet) {
+        s->data_packet = NULL;
+        if (s->req) {
+            scsi_req_cancel(s->req);
+        }
+    } else if (p == s->csw_in_packet) {
+        s->csw_in_packet = NULL;
+    } else {
+        g_assert_not_reached();
     }
 }
 
@@ -500,7 +529,7 @@ static void usb_msd_handle_data_out(USBDevice *dev, USBPacket *p)
         }
         if (p->actual_length < p->iov.size) {
             trace_usb_msd_packet_async();
-            s->packet = p;
+            s->data_packet = p;
             p->status = USB_RET_ASYNC;
         }
         break;
@@ -532,7 +561,7 @@ static void usb_msd_handle_data_in(USBDevice *dev, USBPacket *p)
 
         /* Waiting for SCSI write to complete.  */
         trace_usb_msd_packet_async();
-        s->packet = p;
+        s->csw_in_packet = p;
         p->status = USB_RET_ASYNC;
         break;
 
@@ -544,7 +573,7 @@ static void usb_msd_handle_data_in(USBDevice *dev, USBPacket *p)
         if (s->req) {
             /* still in flight */
             trace_usb_msd_packet_async();
-            s->packet = p;
+            s->csw_in_packet = p;
             p->status = USB_RET_ASYNC;
         } else {
             usb_msd_send_status(s, p);
@@ -572,7 +601,7 @@ static void usb_msd_handle_data_in(USBDevice *dev, USBPacket *p)
         }
         if (p->actual_length < p->iov.size && s->mode == USB_MSDM_DATAIN) {
             trace_usb_msd_packet_async();
-            s->packet = p;
+            s->data_packet = p;
             p->status = USB_RET_ASYNC;
         }
         break;
-- 
2.47.1

Am 02.05.2025 um 05:30 hat Nicholas Piggin geschrieben:
> The async packet handling logic has places that infer whether the
> async packet is data or CSW, based on context. This is not wrong,
> it just makes the logic easier to follow if they are categorised
> when they are accepted.
> 
> Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
> ---
>  include/hw/usb/msd.h |   5 +-
>  hw/usb/dev-storage.c | 121 +++++++++++++++++++++++++++----------------
>  2 files changed, 79 insertions(+), 47 deletions(-)
> 
> diff --git a/include/hw/usb/msd.h b/include/hw/usb/msd.h
> index f9fd862b529..a40d15f5def 100644
> --- a/include/hw/usb/msd.h
> +++ b/include/hw/usb/msd.h
> @@ -33,8 +33,11 @@ struct MSDState {
>      struct usb_msd_csw csw;
>      SCSIRequest *req;
>      SCSIBus bus;
> +
>      /* For async completion.  */
> -    USBPacket *packet;
> +    USBPacket *data_packet;
> +    USBPacket *csw_in_packet;

This makes the state more complex, because there is a rule here that
isn't explicit in the code: At most one of data_packet or csw_in_packet
can be set at the same time.

Both are quite similar, so most of the patch just duplicates things that
are currently done for s->packet.

Wouldn't it make more sense to have one USBPacket pointer, but some
state that explicitly tells us what we're waiting for, data or the
status? I was thinking of a new bool at first, but on second thoughts,
s->mode looks quite similar to what we need here.

What if we just introduce a new state in the s->mode state machine for
"CSW read in progress" as opposed to USB_MSDM_CSW meaning "expecting the
host to read the CSW next"? Then the cases for which you currently set
s->csw_in_packet would instead transition to this new state, and
usb_msd_command_complete() (which has the only real change in this
patch) could just directly rely on s->mode.

> @@ -395,11 +420,15 @@ static void usb_msd_cancel_io(USBDevice *dev, USBPacket *p)
>  {
>      MSDState *s = USB_STORAGE_DEV(dev);
>  
> -    assert(s->packet == p);
> -    s->packet = NULL;
> -
> -    if (s->req) {
> -        scsi_req_cancel(s->req);
> +    if (p == s->data_packet) {
> +        s->data_packet = NULL;
> +        if (s->req) {
> +            scsi_req_cancel(s->req);
> +        }
> +    } else if (p == s->csw_in_packet) {
> +        s->csw_in_packet = NULL;
> +    } else {
> +        g_assert_not_reached();
>      }
>  }

I think scsi_req_cancel() is required even in csw_in_packet case.
Whether someone already asked for the result doesn't change the state of
the in-flight SCSI request, so we shouldn't try to cancel it in one
case, but not in the other.

Kevin

Am 05.05.2025 um 15:05 hat Kevin Wolf geschrieben:
> Am 02.05.2025 um 05:30 hat Nicholas Piggin geschrieben:
> > The async packet handling logic has places that infer whether the
> > async packet is data or CSW, based on context. This is not wrong,
> > it just makes the logic easier to follow if they are categorised
> > when they are accepted.
> > 
> > Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
> > ---
> >  include/hw/usb/msd.h |   5 +-
> >  hw/usb/dev-storage.c | 121 +++++++++++++++++++++++++++----------------
> >  2 files changed, 79 insertions(+), 47 deletions(-)
> > 
> > diff --git a/include/hw/usb/msd.h b/include/hw/usb/msd.h
> > index f9fd862b529..a40d15f5def 100644
> > --- a/include/hw/usb/msd.h
> > +++ b/include/hw/usb/msd.h
> > @@ -33,8 +33,11 @@ struct MSDState {
> >      struct usb_msd_csw csw;
> >      SCSIRequest *req;
> >      SCSIBus bus;
> > +
> >      /* For async completion.  */
> > -    USBPacket *packet;
> > +    USBPacket *data_packet;
> > +    USBPacket *csw_in_packet;
> 
> This makes the state more complex, because there is a rule here that
> isn't explicit in the code: At most one of data_packet or csw_in_packet
> can be set at the same time.
> 
> Both are quite similar, so most of the patch just duplicates things that
> are currently done for s->packet.
> 
> Wouldn't it make more sense to have one USBPacket pointer, but some
> state that explicitly tells us what we're waiting for, data or the
> status? I was thinking of a new bool at first, but on second thoughts,
> s->mode looks quite similar to what we need here.
> 
> What if we just introduce a new state in the s->mode state machine for
> "CSW read in progress" as opposed to USB_MSDM_CSW meaning "expecting the
> host to read the CSW next"? Then the cases for which you currently set
> s->csw_in_packet would instead transition to this new state, and
> usb_msd_command_complete() (which has the only real change in this
> patch) could just directly rely on s->mode.

After looking at the rest of the series, this is probably not what we
want either.

I think a big part of the problem why this device is hard to understand
is that it's too much centered around what the host does rather than
what the core logic of the device is. Which is really simple:

    while (!unrealizing) {
        cbw = read_in_packet();
        req = start_scsi_req();
        ret = wait_for_scsi_req(req);
        write_out_packet(status_to_csw(ret));
    }

This flow (which is really Figure 1 in Chapter 5 in the spec) is nowhere
to be seen in the code. Can we change things to look more like this?
Could be almost literally this if we make it coroutine based, or just
the callback based equivalent of it.

And then when we receive a packet, we just queue it as the next in or
out packet, and leave it to the main state machine/coroutine to make use
of the packet or wait for one if it's missing.

Kevin