xref: /openbmc/qemu/hw/ide/core.c (revision 5e6aceb2)
1 /*
2  * QEMU IDE disk and CD/DVD-ROM Emulator
3  *
4  * Copyright (c) 2003 Fabrice Bellard
5  * Copyright (c) 2006 Openedhand Ltd.
6  *
7  * Permission is hereby granted, free of charge, to any person obtaining a copy
8  * of this software and associated documentation files (the "Software"), to deal
9  * in the Software without restriction, including without limitation the rights
10  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11  * copies of the Software, and to permit persons to whom the Software is
12  * furnished to do so, subject to the following conditions:
13  *
14  * The above copyright notice and this permission notice shall be included in
15  * all copies or substantial portions of the Software.
16  *
17  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
20  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
23  * THE SOFTWARE.
24  */
25 
26 #include "qemu/osdep.h"
27 #include "hw/irq.h"
28 #include "hw/isa/isa.h"
29 #include "migration/vmstate.h"
30 #include "qemu/error-report.h"
31 #include "qemu/main-loop.h"
32 #include "qemu/timer.h"
33 #include "qemu/hw-version.h"
34 #include "qemu/memalign.h"
35 #include "sysemu/sysemu.h"
36 #include "sysemu/blockdev.h"
37 #include "sysemu/dma.h"
38 #include "hw/block/block.h"
39 #include "sysemu/block-backend.h"
40 #include "qapi/error.h"
41 #include "qemu/cutils.h"
42 #include "sysemu/replay.h"
43 #include "sysemu/runstate.h"
44 #include "hw/ide/internal.h"
45 #include "trace.h"
46 
47 /* These values were based on a Seagate ST3500418AS but have been modified
48    to make more sense in QEMU */
49 static const int smart_attributes[][12] = {
50     /* id,  flags, hflags, val, wrst, raw (6 bytes), threshold */
51     /* raw read error rate*/
52     { 0x01, 0x03, 0x00, 0x64, 0x64, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06},
53     /* spin up */
54     { 0x03, 0x03, 0x00, 0x64, 0x64, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
55     /* start stop count */
56     { 0x04, 0x02, 0x00, 0x64, 0x64, 0x64, 0x00, 0x00, 0x00, 0x00, 0x00, 0x14},
57     /* remapped sectors */
58     { 0x05, 0x03, 0x00, 0x64, 0x64, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x24},
59     /* power on hours */
60     { 0x09, 0x03, 0x00, 0x64, 0x64, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
61     /* power cycle count */
62     { 0x0c, 0x03, 0x00, 0x64, 0x64, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
63     /* airflow-temperature-celsius */
64     { 190,  0x03, 0x00, 0x45, 0x45, 0x1f, 0x00, 0x1f, 0x1f, 0x00, 0x00, 0x32},
65 };
66 
67 const char *IDE_DMA_CMD_lookup[IDE_DMA__COUNT] = {
68     [IDE_DMA_READ] = "DMA READ",
69     [IDE_DMA_WRITE] = "DMA WRITE",
70     [IDE_DMA_TRIM] = "DMA TRIM",
71     [IDE_DMA_ATAPI] = "DMA ATAPI"
72 };
73 
74 static const char *IDE_DMA_CMD_str(enum ide_dma_cmd enval)
75 {
76     if ((unsigned)enval < IDE_DMA__COUNT) {
77         return IDE_DMA_CMD_lookup[enval];
78     }
79     return "DMA UNKNOWN CMD";
80 }
81 
82 static void ide_dummy_transfer_stop(IDEState *s);
83 
84 const MemoryRegionPortio ide_portio_list[] = {
85     { 0, 8, 1, .read = ide_ioport_read, .write = ide_ioport_write },
86     { 0, 1, 2, .read = ide_data_readw, .write = ide_data_writew },
87     { 0, 1, 4, .read = ide_data_readl, .write = ide_data_writel },
88     PORTIO_END_OF_LIST(),
89 };
90 
91 const MemoryRegionPortio ide_portio2_list[] = {
92     { 0, 1, 1, .read = ide_status_read, .write = ide_ctrl_write },
93     PORTIO_END_OF_LIST(),
94 };
95 
96 static void padstr(char *str, const char *src, int len)
97 {
98     int i, v;
99     for(i = 0; i < len; i++) {
100         if (*src)
101             v = *src++;
102         else
103             v = ' ';
104         str[i^1] = v;
105     }
106 }
107 
108 static void put_le16(uint16_t *p, unsigned int v)
109 {
110     *p = cpu_to_le16(v);
111 }
112 
113 static void ide_identify_size(IDEState *s)
114 {
115     uint16_t *p = (uint16_t *)s->identify_data;
116     int64_t nb_sectors_lba28 = s->nb_sectors;
117     if (nb_sectors_lba28 >= 1 << 28) {
118         nb_sectors_lba28 = (1 << 28) - 1;
119     }
120     put_le16(p + 60, nb_sectors_lba28);
121     put_le16(p + 61, nb_sectors_lba28 >> 16);
122     put_le16(p + 100, s->nb_sectors);
123     put_le16(p + 101, s->nb_sectors >> 16);
124     put_le16(p + 102, s->nb_sectors >> 32);
125     put_le16(p + 103, s->nb_sectors >> 48);
126 }
127 
128 static void ide_identify(IDEState *s)
129 {
130     uint16_t *p;
131     unsigned int oldsize;
132     IDEDevice *dev = s->unit ? s->bus->slave : s->bus->master;
133 
134     p = (uint16_t *)s->identify_data;
135     if (s->identify_set) {
136         goto fill_buffer;
137     }
138     memset(p, 0, sizeof(s->identify_data));
139 
140     put_le16(p + 0, 0x0040);
141     put_le16(p + 1, s->cylinders);
142     put_le16(p + 3, s->heads);
143     put_le16(p + 4, 512 * s->sectors); /* XXX: retired, remove ? */
144     put_le16(p + 5, 512); /* XXX: retired, remove ? */
145     put_le16(p + 6, s->sectors);
146     padstr((char *)(p + 10), s->drive_serial_str, 20); /* serial number */
147     put_le16(p + 20, 3); /* XXX: retired, remove ? */
148     put_le16(p + 21, 512); /* cache size in sectors */
149     put_le16(p + 22, 4); /* ecc bytes */
150     padstr((char *)(p + 23), s->version, 8); /* firmware version */
151     padstr((char *)(p + 27), s->drive_model_str, 40); /* model */
152 #if MAX_MULT_SECTORS > 1
153     put_le16(p + 47, 0x8000 | MAX_MULT_SECTORS);
154 #endif
155     put_le16(p + 48, 1); /* dword I/O */
156     put_le16(p + 49, (1 << 11) | (1 << 9) | (1 << 8)); /* DMA and LBA supported */
157     put_le16(p + 51, 0x200); /* PIO transfer cycle */
158     put_le16(p + 52, 0x200); /* DMA transfer cycle */
159     put_le16(p + 53, 1 | (1 << 1) | (1 << 2)); /* words 54-58,64-70,88 are valid */
160     put_le16(p + 54, s->cylinders);
161     put_le16(p + 55, s->heads);
162     put_le16(p + 56, s->sectors);
163     oldsize = s->cylinders * s->heads * s->sectors;
164     put_le16(p + 57, oldsize);
165     put_le16(p + 58, oldsize >> 16);
166     if (s->mult_sectors)
167         put_le16(p + 59, 0x100 | s->mult_sectors);
168     /* *(p + 60) := nb_sectors       -- see ide_identify_size */
169     /* *(p + 61) := nb_sectors >> 16 -- see ide_identify_size */
170     put_le16(p + 62, 0x07); /* single word dma0-2 supported */
171     put_le16(p + 63, 0x07); /* mdma0-2 supported */
172     put_le16(p + 64, 0x03); /* pio3-4 supported */
173     put_le16(p + 65, 120);
174     put_le16(p + 66, 120);
175     put_le16(p + 67, 120);
176     put_le16(p + 68, 120);
177     if (dev && dev->conf.discard_granularity) {
178         put_le16(p + 69, (1 << 14)); /* determinate TRIM behavior */
179     }
180 
181     if (s->ncq_queues) {
182         put_le16(p + 75, s->ncq_queues - 1);
183         /* NCQ supported */
184         put_le16(p + 76, (1 << 8));
185     }
186 
187     put_le16(p + 80, 0xf0); /* ata3 -> ata6 supported */
188     put_le16(p + 81, 0x16); /* conforms to ata5 */
189     /* 14=NOP supported, 5=WCACHE supported, 0=SMART supported */
190     put_le16(p + 82, (1 << 14) | (1 << 5) | 1);
191     /* 13=flush_cache_ext,12=flush_cache,10=lba48 */
192     put_le16(p + 83, (1 << 14) | (1 << 13) | (1 <<12) | (1 << 10));
193     /* 14=set to 1, 8=has WWN, 1=SMART self test, 0=SMART error logging */
194     if (s->wwn) {
195         put_le16(p + 84, (1 << 14) | (1 << 8) | 0);
196     } else {
197         put_le16(p + 84, (1 << 14) | 0);
198     }
199     /* 14 = NOP supported, 5=WCACHE enabled, 0=SMART feature set enabled */
200     if (blk_enable_write_cache(s->blk)) {
201         put_le16(p + 85, (1 << 14) | (1 << 5) | 1);
202     } else {
203         put_le16(p + 85, (1 << 14) | 1);
204     }
205     /* 13=flush_cache_ext,12=flush_cache,10=lba48 */
206     put_le16(p + 86, (1 << 13) | (1 <<12) | (1 << 10));
207     /* 14=set to 1, 8=has WWN, 1=SMART self test, 0=SMART error logging */
208     if (s->wwn) {
209         put_le16(p + 87, (1 << 14) | (1 << 8) | 0);
210     } else {
211         put_le16(p + 87, (1 << 14) | 0);
212     }
213     put_le16(p + 88, 0x3f | (1 << 13)); /* udma5 set and supported */
214     put_le16(p + 93, 1 | (1 << 14) | 0x2000);
215     /* *(p + 100) := nb_sectors       -- see ide_identify_size */
216     /* *(p + 101) := nb_sectors >> 16 -- see ide_identify_size */
217     /* *(p + 102) := nb_sectors >> 32 -- see ide_identify_size */
218     /* *(p + 103) := nb_sectors >> 48 -- see ide_identify_size */
219 
220     if (dev && dev->conf.physical_block_size)
221         put_le16(p + 106, 0x6000 | get_physical_block_exp(&dev->conf));
222     if (s->wwn) {
223         /* LE 16-bit words 111-108 contain 64-bit World Wide Name */
224         put_le16(p + 108, s->wwn >> 48);
225         put_le16(p + 109, s->wwn >> 32);
226         put_le16(p + 110, s->wwn >> 16);
227         put_le16(p + 111, s->wwn);
228     }
229     if (dev && dev->conf.discard_granularity) {
230         put_le16(p + 169, 1); /* TRIM support */
231     }
232     if (dev) {
233         put_le16(p + 217, dev->rotation_rate); /* Nominal media rotation rate */
234     }
235 
236     ide_identify_size(s);
237     s->identify_set = 1;
238 
239 fill_buffer:
240     memcpy(s->io_buffer, p, sizeof(s->identify_data));
241 }
242 
243 static void ide_atapi_identify(IDEState *s)
244 {
245     uint16_t *p;
246 
247     p = (uint16_t *)s->identify_data;
248     if (s->identify_set) {
249         goto fill_buffer;
250     }
251     memset(p, 0, sizeof(s->identify_data));
252 
253     /* Removable CDROM, 50us response, 12 byte packets */
254     put_le16(p + 0, (2 << 14) | (5 << 8) | (1 << 7) | (2 << 5) | (0 << 0));
255     padstr((char *)(p + 10), s->drive_serial_str, 20); /* serial number */
256     put_le16(p + 20, 3); /* buffer type */
257     put_le16(p + 21, 512); /* cache size in sectors */
258     put_le16(p + 22, 4); /* ecc bytes */
259     padstr((char *)(p + 23), s->version, 8); /* firmware version */
260     padstr((char *)(p + 27), s->drive_model_str, 40); /* model */
261     put_le16(p + 48, 1); /* dword I/O (XXX: should not be set on CDROM) */
262 #ifdef USE_DMA_CDROM
263     put_le16(p + 49, 1 << 9 | 1 << 8); /* DMA and LBA supported */
264     put_le16(p + 53, 7); /* words 64-70, 54-58, 88 valid */
265     put_le16(p + 62, 7);  /* single word dma0-2 supported */
266     put_le16(p + 63, 7);  /* mdma0-2 supported */
267 #else
268     put_le16(p + 49, 1 << 9); /* LBA supported, no DMA */
269     put_le16(p + 53, 3); /* words 64-70, 54-58 valid */
270     put_le16(p + 63, 0x103); /* DMA modes XXX: may be incorrect */
271 #endif
272     put_le16(p + 64, 3); /* pio3-4 supported */
273     put_le16(p + 65, 0xb4); /* minimum DMA multiword tx cycle time */
274     put_le16(p + 66, 0xb4); /* recommended DMA multiword tx cycle time */
275     put_le16(p + 67, 0x12c); /* minimum PIO cycle time without flow control */
276     put_le16(p + 68, 0xb4); /* minimum PIO cycle time with IORDY flow control */
277 
278     put_le16(p + 71, 30); /* in ns */
279     put_le16(p + 72, 30); /* in ns */
280 
281     if (s->ncq_queues) {
282         put_le16(p + 75, s->ncq_queues - 1);
283         /* NCQ supported */
284         put_le16(p + 76, (1 << 8));
285     }
286 
287     put_le16(p + 80, 0x1e); /* support up to ATA/ATAPI-4 */
288     if (s->wwn) {
289         put_le16(p + 84, (1 << 8)); /* supports WWN for words 108-111 */
290         put_le16(p + 87, (1 << 8)); /* WWN enabled */
291     }
292 
293 #ifdef USE_DMA_CDROM
294     put_le16(p + 88, 0x3f | (1 << 13)); /* udma5 set and supported */
295 #endif
296 
297     if (s->wwn) {
298         /* LE 16-bit words 111-108 contain 64-bit World Wide Name */
299         put_le16(p + 108, s->wwn >> 48);
300         put_le16(p + 109, s->wwn >> 32);
301         put_le16(p + 110, s->wwn >> 16);
302         put_le16(p + 111, s->wwn);
303     }
304 
305     s->identify_set = 1;
306 
307 fill_buffer:
308     memcpy(s->io_buffer, p, sizeof(s->identify_data));
309 }
310 
311 static void ide_cfata_identify_size(IDEState *s)
312 {
313     uint16_t *p = (uint16_t *)s->identify_data;
314     put_le16(p + 7, s->nb_sectors >> 16);  /* Sectors per card */
315     put_le16(p + 8, s->nb_sectors);        /* Sectors per card */
316     put_le16(p + 60, s->nb_sectors);       /* Total LBA sectors */
317     put_le16(p + 61, s->nb_sectors >> 16); /* Total LBA sectors */
318 }
319 
320 static void ide_cfata_identify(IDEState *s)
321 {
322     uint16_t *p;
323     uint32_t cur_sec;
324 
325     p = (uint16_t *)s->identify_data;
326     if (s->identify_set) {
327         goto fill_buffer;
328     }
329     memset(p, 0, sizeof(s->identify_data));
330 
331     cur_sec = s->cylinders * s->heads * s->sectors;
332 
333     put_le16(p + 0, 0x848a);                    /* CF Storage Card signature */
334     put_le16(p + 1, s->cylinders);              /* Default cylinders */
335     put_le16(p + 3, s->heads);                  /* Default heads */
336     put_le16(p + 6, s->sectors);                /* Default sectors per track */
337     /* *(p + 7) := nb_sectors >> 16 -- see ide_cfata_identify_size */
338     /* *(p + 8) := nb_sectors       -- see ide_cfata_identify_size */
339     padstr((char *)(p + 10), s->drive_serial_str, 20); /* serial number */
340     put_le16(p + 22, 0x0004);                   /* ECC bytes */
341     padstr((char *) (p + 23), s->version, 8);   /* Firmware Revision */
342     padstr((char *) (p + 27), s->drive_model_str, 40);/* Model number */
343 #if MAX_MULT_SECTORS > 1
344     put_le16(p + 47, 0x8000 | MAX_MULT_SECTORS);
345 #else
346     put_le16(p + 47, 0x0000);
347 #endif
348     put_le16(p + 49, 0x0f00);                   /* Capabilities */
349     put_le16(p + 51, 0x0002);                   /* PIO cycle timing mode */
350     put_le16(p + 52, 0x0001);                   /* DMA cycle timing mode */
351     put_le16(p + 53, 0x0003);                   /* Translation params valid */
352     put_le16(p + 54, s->cylinders);             /* Current cylinders */
353     put_le16(p + 55, s->heads);                 /* Current heads */
354     put_le16(p + 56, s->sectors);               /* Current sectors */
355     put_le16(p + 57, cur_sec);                  /* Current capacity */
356     put_le16(p + 58, cur_sec >> 16);            /* Current capacity */
357     if (s->mult_sectors)                        /* Multiple sector setting */
358         put_le16(p + 59, 0x100 | s->mult_sectors);
359     /* *(p + 60) := nb_sectors       -- see ide_cfata_identify_size */
360     /* *(p + 61) := nb_sectors >> 16 -- see ide_cfata_identify_size */
361     put_le16(p + 63, 0x0203);                   /* Multiword DMA capability */
362     put_le16(p + 64, 0x0001);                   /* Flow Control PIO support */
363     put_le16(p + 65, 0x0096);                   /* Min. Multiword DMA cycle */
364     put_le16(p + 66, 0x0096);                   /* Rec. Multiword DMA cycle */
365     put_le16(p + 68, 0x00b4);                   /* Min. PIO cycle time */
366     put_le16(p + 82, 0x400c);                   /* Command Set supported */
367     put_le16(p + 83, 0x7068);                   /* Command Set supported */
368     put_le16(p + 84, 0x4000);                   /* Features supported */
369     put_le16(p + 85, 0x000c);                   /* Command Set enabled */
370     put_le16(p + 86, 0x7044);                   /* Command Set enabled */
371     put_le16(p + 87, 0x4000);                   /* Features enabled */
372     put_le16(p + 91, 0x4060);                   /* Current APM level */
373     put_le16(p + 129, 0x0002);                  /* Current features option */
374     put_le16(p + 130, 0x0005);                  /* Reassigned sectors */
375     put_le16(p + 131, 0x0001);                  /* Initial power mode */
376     put_le16(p + 132, 0x0000);                  /* User signature */
377     put_le16(p + 160, 0x8100);                  /* Power requirement */
378     put_le16(p + 161, 0x8001);                  /* CF command set */
379 
380     ide_cfata_identify_size(s);
381     s->identify_set = 1;
382 
383 fill_buffer:
384     memcpy(s->io_buffer, p, sizeof(s->identify_data));
385 }
386 
387 static void ide_set_signature(IDEState *s)
388 {
389     s->select &= ~(ATA_DEV_HS); /* clear head */
390     /* put signature */
391     s->nsector = 1;
392     s->sector = 1;
393     if (s->drive_kind == IDE_CD) {
394         s->lcyl = 0x14;
395         s->hcyl = 0xeb;
396     } else if (s->blk) {
397         s->lcyl = 0;
398         s->hcyl = 0;
399     } else {
400         s->lcyl = 0xff;
401         s->hcyl = 0xff;
402     }
403 }
404 
405 static bool ide_sect_range_ok(IDEState *s,
406                               uint64_t sector, uint64_t nb_sectors)
407 {
408     uint64_t total_sectors;
409 
410     blk_get_geometry(s->blk, &total_sectors);
411     if (sector > total_sectors || nb_sectors > total_sectors - sector) {
412         return false;
413     }
414     return true;
415 }
416 
417 typedef struct TrimAIOCB {
418     BlockAIOCB common;
419     IDEState *s;
420     QEMUBH *bh;
421     int ret;
422     QEMUIOVector *qiov;
423     BlockAIOCB *aiocb;
424     int i, j;
425 } TrimAIOCB;
426 
427 static void trim_aio_cancel(BlockAIOCB *acb)
428 {
429     TrimAIOCB *iocb = container_of(acb, TrimAIOCB, common);
430 
431     /* Exit the loop so ide_issue_trim_cb will not continue  */
432     iocb->j = iocb->qiov->niov - 1;
433     iocb->i = (iocb->qiov->iov[iocb->j].iov_len / 8) - 1;
434 
435     iocb->ret = -ECANCELED;
436 
437     if (iocb->aiocb) {
438         blk_aio_cancel_async(iocb->aiocb);
439         iocb->aiocb = NULL;
440     }
441 }
442 
443 static const AIOCBInfo trim_aiocb_info = {
444     .aiocb_size         = sizeof(TrimAIOCB),
445     .cancel_async       = trim_aio_cancel,
446 };
447 
448 static void ide_trim_bh_cb(void *opaque)
449 {
450     TrimAIOCB *iocb = opaque;
451     BlockBackend *blk = iocb->s->blk;
452 
453     iocb->common.cb(iocb->common.opaque, iocb->ret);
454 
455     qemu_bh_delete(iocb->bh);
456     iocb->bh = NULL;
457     qemu_aio_unref(iocb);
458 
459     /* Paired with an increment in ide_issue_trim() */
460     blk_dec_in_flight(blk);
461 }
462 
463 static void ide_issue_trim_cb(void *opaque, int ret)
464 {
465     TrimAIOCB *iocb = opaque;
466     IDEState *s = iocb->s;
467 
468     if (iocb->i >= 0) {
469         if (ret >= 0) {
470             block_acct_done(blk_get_stats(s->blk), &s->acct);
471         } else {
472             block_acct_failed(blk_get_stats(s->blk), &s->acct);
473         }
474     }
475 
476     if (ret >= 0) {
477         while (iocb->j < iocb->qiov->niov) {
478             int j = iocb->j;
479             while (++iocb->i < iocb->qiov->iov[j].iov_len / 8) {
480                 int i = iocb->i;
481                 uint64_t *buffer = iocb->qiov->iov[j].iov_base;
482 
483                 /* 6-byte LBA + 2-byte range per entry */
484                 uint64_t entry = le64_to_cpu(buffer[i]);
485                 uint64_t sector = entry & 0x0000ffffffffffffULL;
486                 uint16_t count = entry >> 48;
487 
488                 if (count == 0) {
489                     continue;
490                 }
491 
492                 if (!ide_sect_range_ok(s, sector, count)) {
493                     block_acct_invalid(blk_get_stats(s->blk), BLOCK_ACCT_UNMAP);
494                     iocb->ret = -EINVAL;
495                     goto done;
496                 }
497 
498                 block_acct_start(blk_get_stats(s->blk), &s->acct,
499                                  count << BDRV_SECTOR_BITS, BLOCK_ACCT_UNMAP);
500 
501                 /* Got an entry! Submit and exit.  */
502                 iocb->aiocb = blk_aio_pdiscard(s->blk,
503                                                sector << BDRV_SECTOR_BITS,
504                                                count << BDRV_SECTOR_BITS,
505                                                ide_issue_trim_cb, opaque);
506                 return;
507             }
508 
509             iocb->j++;
510             iocb->i = -1;
511         }
512     } else {
513         iocb->ret = ret;
514     }
515 
516 done:
517     iocb->aiocb = NULL;
518     if (iocb->bh) {
519         replay_bh_schedule_event(iocb->bh);
520     }
521 }
522 
523 BlockAIOCB *ide_issue_trim(
524         int64_t offset, QEMUIOVector *qiov,
525         BlockCompletionFunc *cb, void *cb_opaque, void *opaque)
526 {
527     IDEState *s = opaque;
528     IDEDevice *dev = s->unit ? s->bus->slave : s->bus->master;
529     TrimAIOCB *iocb;
530 
531     /* Paired with a decrement in ide_trim_bh_cb() */
532     blk_inc_in_flight(s->blk);
533 
534     iocb = blk_aio_get(&trim_aiocb_info, s->blk, cb, cb_opaque);
535     iocb->s = s;
536     iocb->bh = qemu_bh_new_guarded(ide_trim_bh_cb, iocb,
537                                    &DEVICE(dev)->mem_reentrancy_guard);
538     iocb->ret = 0;
539     iocb->qiov = qiov;
540     iocb->i = -1;
541     iocb->j = 0;
542     ide_issue_trim_cb(iocb, 0);
543     return &iocb->common;
544 }
545 
546 void ide_abort_command(IDEState *s)
547 {
548     s->status = READY_STAT | ERR_STAT;
549     s->error = ABRT_ERR;
550     ide_transfer_stop(s);
551 }
552 
553 static void ide_set_retry(IDEState *s)
554 {
555     s->bus->retry_unit = s->unit;
556     s->bus->retry_sector_num = ide_get_sector(s);
557     s->bus->retry_nsector = s->nsector;
558 }
559 
560 static void ide_clear_retry(IDEState *s)
561 {
562     s->bus->retry_unit = -1;
563     s->bus->retry_sector_num = 0;
564     s->bus->retry_nsector = 0;
565 }
566 
567 /* prepare data transfer and tell what to do after */
568 bool ide_transfer_start_norecurse(IDEState *s, uint8_t *buf, int size,
569                                   EndTransferFunc *end_transfer_func)
570 {
571     s->data_ptr = buf;
572     s->data_end = buf + size;
573     ide_set_retry(s);
574     if (!(s->status & ERR_STAT)) {
575         s->status |= DRQ_STAT;
576     }
577     if (!s->bus->dma->ops->pio_transfer) {
578         s->end_transfer_func = end_transfer_func;
579         return false;
580     }
581     s->bus->dma->ops->pio_transfer(s->bus->dma);
582     return true;
583 }
584 
585 void ide_transfer_start(IDEState *s, uint8_t *buf, int size,
586                         EndTransferFunc *end_transfer_func)
587 {
588     if (ide_transfer_start_norecurse(s, buf, size, end_transfer_func)) {
589         end_transfer_func(s);
590     }
591 }
592 
593 static void ide_cmd_done(IDEState *s)
594 {
595     if (s->bus->dma->ops->cmd_done) {
596         s->bus->dma->ops->cmd_done(s->bus->dma);
597     }
598 }
599 
600 static void ide_transfer_halt(IDEState *s)
601 {
602     s->end_transfer_func = ide_transfer_stop;
603     s->data_ptr = s->io_buffer;
604     s->data_end = s->io_buffer;
605     s->status &= ~DRQ_STAT;
606 }
607 
608 void ide_transfer_stop(IDEState *s)
609 {
610     ide_transfer_halt(s);
611     ide_cmd_done(s);
612 }
613 
614 int64_t ide_get_sector(IDEState *s)
615 {
616     int64_t sector_num;
617     if (s->select & (ATA_DEV_LBA)) {
618         if (s->lba48) {
619             sector_num = ((int64_t)s->hob_hcyl << 40) |
620                 ((int64_t) s->hob_lcyl << 32) |
621                 ((int64_t) s->hob_sector << 24) |
622                 ((int64_t) s->hcyl << 16) |
623                 ((int64_t) s->lcyl << 8) | s->sector;
624         } else {
625             /* LBA28 */
626             sector_num = ((s->select & (ATA_DEV_LBA_MSB)) << 24) |
627                 (s->hcyl << 16) | (s->lcyl << 8) | s->sector;
628         }
629     } else {
630         /* CHS */
631         sector_num = ((s->hcyl << 8) | s->lcyl) * s->heads * s->sectors +
632             (s->select & (ATA_DEV_HS)) * s->sectors + (s->sector - 1);
633     }
634 
635     return sector_num;
636 }
637 
638 void ide_set_sector(IDEState *s, int64_t sector_num)
639 {
640     unsigned int cyl, r;
641     if (s->select & (ATA_DEV_LBA)) {
642         if (s->lba48) {
643             s->sector = sector_num;
644             s->lcyl = sector_num >> 8;
645             s->hcyl = sector_num >> 16;
646             s->hob_sector = sector_num >> 24;
647             s->hob_lcyl = sector_num >> 32;
648             s->hob_hcyl = sector_num >> 40;
649         } else {
650             /* LBA28 */
651             s->select = (s->select & ~(ATA_DEV_LBA_MSB)) |
652                 ((sector_num >> 24) & (ATA_DEV_LBA_MSB));
653             s->hcyl = (sector_num >> 16);
654             s->lcyl = (sector_num >> 8);
655             s->sector = (sector_num);
656         }
657     } else {
658         /* CHS */
659         cyl = sector_num / (s->heads * s->sectors);
660         r = sector_num % (s->heads * s->sectors);
661         s->hcyl = cyl >> 8;
662         s->lcyl = cyl;
663         s->select = (s->select & ~(ATA_DEV_HS)) |
664             ((r / s->sectors) & (ATA_DEV_HS));
665         s->sector = (r % s->sectors) + 1;
666     }
667 }
668 
669 static void ide_rw_error(IDEState *s) {
670     ide_abort_command(s);
671     ide_bus_set_irq(s->bus);
672 }
673 
674 static void ide_buffered_readv_cb(void *opaque, int ret)
675 {
676     IDEBufferedRequest *req = opaque;
677     if (!req->orphaned) {
678         if (!ret) {
679             assert(req->qiov.size == req->original_qiov->size);
680             qemu_iovec_from_buf(req->original_qiov, 0,
681                                 req->qiov.local_iov.iov_base,
682                                 req->original_qiov->size);
683         }
684         req->original_cb(req->original_opaque, ret);
685     }
686     QLIST_REMOVE(req, list);
687     qemu_vfree(qemu_iovec_buf(&req->qiov));
688     g_free(req);
689 }
690 
691 #define MAX_BUFFERED_REQS 16
692 
693 BlockAIOCB *ide_buffered_readv(IDEState *s, int64_t sector_num,
694                                QEMUIOVector *iov, int nb_sectors,
695                                BlockCompletionFunc *cb, void *opaque)
696 {
697     BlockAIOCB *aioreq;
698     IDEBufferedRequest *req;
699     int c = 0;
700 
701     QLIST_FOREACH(req, &s->buffered_requests, list) {
702         c++;
703     }
704     if (c > MAX_BUFFERED_REQS) {
705         return blk_abort_aio_request(s->blk, cb, opaque, -EIO);
706     }
707 
708     req = g_new0(IDEBufferedRequest, 1);
709     req->original_qiov = iov;
710     req->original_cb = cb;
711     req->original_opaque = opaque;
712     qemu_iovec_init_buf(&req->qiov, blk_blockalign(s->blk, iov->size),
713                         iov->size);
714 
715     aioreq = blk_aio_preadv(s->blk, sector_num << BDRV_SECTOR_BITS,
716                             &req->qiov, 0, ide_buffered_readv_cb, req);
717 
718     QLIST_INSERT_HEAD(&s->buffered_requests, req, list);
719     return aioreq;
720 }
721 
722 /**
723  * Cancel all pending DMA requests.
724  * Any buffered DMA requests are instantly canceled,
725  * but any pending unbuffered DMA requests must be waited on.
726  */
727 void ide_cancel_dma_sync(IDEState *s)
728 {
729     IDEBufferedRequest *req;
730 
731     /* First invoke the callbacks of all buffered requests
732      * and flag those requests as orphaned. Ideally there
733      * are no unbuffered (Scatter Gather DMA Requests or
734      * write requests) pending and we can avoid to drain. */
735     QLIST_FOREACH(req, &s->buffered_requests, list) {
736         if (!req->orphaned) {
737             trace_ide_cancel_dma_sync_buffered(req->original_cb, req);
738             req->original_cb(req->original_opaque, -ECANCELED);
739         }
740         req->orphaned = true;
741     }
742 
743     /*
744      * We can't cancel Scatter Gather DMA in the middle of the
745      * operation or a partial (not full) DMA transfer would reach
746      * the storage so we wait for completion instead (we behave
747      * like if the DMA was completed by the time the guest trying
748      * to cancel dma with bmdma_cmd_writeb with BM_CMD_START not
749      * set).
750      *
751      * In the future we'll be able to safely cancel the I/O if the
752      * whole DMA operation will be submitted to disk with a single
753      * aio operation with preadv/pwritev.
754      */
755     if (s->bus->dma->aiocb) {
756         trace_ide_cancel_dma_sync_remaining();
757         blk_drain(s->blk);
758         assert(s->bus->dma->aiocb == NULL);
759     }
760 }
761 
762 static void ide_sector_read(IDEState *s);
763 
764 static void ide_sector_read_cb(void *opaque, int ret)
765 {
766     IDEState *s = opaque;
767     int n;
768 
769     s->pio_aiocb = NULL;
770     s->status &= ~BUSY_STAT;
771 
772     if (ret != 0) {
773         if (ide_handle_rw_error(s, -ret, IDE_RETRY_PIO |
774                                 IDE_RETRY_READ)) {
775             return;
776         }
777     }
778 
779     block_acct_done(blk_get_stats(s->blk), &s->acct);
780 
781     n = s->nsector;
782     if (n > s->req_nb_sectors) {
783         n = s->req_nb_sectors;
784     }
785 
786     ide_set_sector(s, ide_get_sector(s) + n);
787     s->nsector -= n;
788     /* Allow the guest to read the io_buffer */
789     ide_transfer_start(s, s->io_buffer, n * BDRV_SECTOR_SIZE, ide_sector_read);
790     ide_bus_set_irq(s->bus);
791 }
792 
793 static void ide_sector_read(IDEState *s)
794 {
795     int64_t sector_num;
796     int n;
797 
798     s->status = READY_STAT | SEEK_STAT;
799     s->error = 0; /* not needed by IDE spec, but needed by Windows */
800     sector_num = ide_get_sector(s);
801     n = s->nsector;
802 
803     if (n == 0) {
804         ide_transfer_stop(s);
805         return;
806     }
807 
808     s->status |= BUSY_STAT;
809 
810     if (n > s->req_nb_sectors) {
811         n = s->req_nb_sectors;
812     }
813 
814     trace_ide_sector_read(sector_num, n);
815 
816     if (!ide_sect_range_ok(s, sector_num, n)) {
817         ide_rw_error(s);
818         block_acct_invalid(blk_get_stats(s->blk), BLOCK_ACCT_READ);
819         return;
820     }
821 
822     qemu_iovec_init_buf(&s->qiov, s->io_buffer, n * BDRV_SECTOR_SIZE);
823 
824     block_acct_start(blk_get_stats(s->blk), &s->acct,
825                      n * BDRV_SECTOR_SIZE, BLOCK_ACCT_READ);
826     s->pio_aiocb = ide_buffered_readv(s, sector_num, &s->qiov, n,
827                                       ide_sector_read_cb, s);
828 }
829 
830 void dma_buf_commit(IDEState *s, uint32_t tx_bytes)
831 {
832     if (s->bus->dma->ops->commit_buf) {
833         s->bus->dma->ops->commit_buf(s->bus->dma, tx_bytes);
834     }
835     s->io_buffer_offset += tx_bytes;
836     qemu_sglist_destroy(&s->sg);
837 }
838 
839 void ide_set_inactive(IDEState *s, bool more)
840 {
841     s->bus->dma->aiocb = NULL;
842     ide_clear_retry(s);
843     if (s->bus->dma->ops->set_inactive) {
844         s->bus->dma->ops->set_inactive(s->bus->dma, more);
845     }
846     ide_cmd_done(s);
847 }
848 
849 void ide_dma_error(IDEState *s)
850 {
851     dma_buf_commit(s, 0);
852     ide_abort_command(s);
853     ide_set_inactive(s, false);
854     ide_bus_set_irq(s->bus);
855 }
856 
857 int ide_handle_rw_error(IDEState *s, int error, int op)
858 {
859     bool is_read = (op & IDE_RETRY_READ) != 0;
860     BlockErrorAction action = blk_get_error_action(s->blk, is_read, error);
861 
862     if (action == BLOCK_ERROR_ACTION_STOP) {
863         assert(s->bus->retry_unit == s->unit);
864         s->bus->error_status = op;
865     } else if (action == BLOCK_ERROR_ACTION_REPORT) {
866         block_acct_failed(blk_get_stats(s->blk), &s->acct);
867         if (IS_IDE_RETRY_DMA(op)) {
868             ide_dma_error(s);
869         } else if (IS_IDE_RETRY_ATAPI(op)) {
870             ide_atapi_io_error(s, -error);
871         } else {
872             ide_rw_error(s);
873         }
874     }
875     blk_error_action(s->blk, action, is_read, error);
876     return action != BLOCK_ERROR_ACTION_IGNORE;
877 }
878 
879 static void ide_dma_cb(void *opaque, int ret)
880 {
881     IDEState *s = opaque;
882     int n;
883     int64_t sector_num;
884     uint64_t offset;
885     bool stay_active = false;
886     int32_t prep_size = 0;
887 
888     if (ret == -EINVAL) {
889         ide_dma_error(s);
890         return;
891     }
892 
893     if (ret < 0) {
894         if (ide_handle_rw_error(s, -ret, ide_dma_cmd_to_retry(s->dma_cmd))) {
895             s->bus->dma->aiocb = NULL;
896             dma_buf_commit(s, 0);
897             return;
898         }
899     }
900 
901     if (s->io_buffer_size > s->nsector * 512) {
902         /*
903          * The PRDs were longer than needed for this request.
904          * The Active bit must remain set after the request completes.
905          */
906         n = s->nsector;
907         stay_active = true;
908     } else {
909         n = s->io_buffer_size >> 9;
910     }
911 
912     sector_num = ide_get_sector(s);
913     if (n > 0) {
914         assert(n * 512 == s->sg.size);
915         dma_buf_commit(s, s->sg.size);
916         sector_num += n;
917         ide_set_sector(s, sector_num);
918         s->nsector -= n;
919     }
920 
921     /* end of transfer ? */
922     if (s->nsector == 0) {
923         s->status = READY_STAT | SEEK_STAT;
924         ide_bus_set_irq(s->bus);
925         goto eot;
926     }
927 
928     /* launch next transfer */
929     n = s->nsector;
930     s->io_buffer_index = 0;
931     s->io_buffer_size = n * 512;
932     prep_size = s->bus->dma->ops->prepare_buf(s->bus->dma, s->io_buffer_size);
933     /* prepare_buf() must succeed and respect the limit */
934     assert(prep_size >= 0 && prep_size <= n * 512);
935 
936     /*
937      * Now prep_size stores the number of bytes in the sglist, and
938      * s->io_buffer_size stores the number of bytes described by the PRDs.
939      */
940 
941     if (prep_size < n * 512) {
942         /*
943          * The PRDs are too short for this request. Error condition!
944          * Reset the Active bit and don't raise the interrupt.
945          */
946         s->status = READY_STAT | SEEK_STAT;
947         dma_buf_commit(s, 0);
948         goto eot;
949     }
950 
951     trace_ide_dma_cb(s, sector_num, n, IDE_DMA_CMD_str(s->dma_cmd));
952 
953     if ((s->dma_cmd == IDE_DMA_READ || s->dma_cmd == IDE_DMA_WRITE) &&
954         !ide_sect_range_ok(s, sector_num, n)) {
955         ide_dma_error(s);
956         block_acct_invalid(blk_get_stats(s->blk), s->acct.type);
957         return;
958     }
959 
960     offset = sector_num << BDRV_SECTOR_BITS;
961     switch (s->dma_cmd) {
962     case IDE_DMA_READ:
963         s->bus->dma->aiocb = dma_blk_read(s->blk, &s->sg, offset,
964                                           BDRV_SECTOR_SIZE, ide_dma_cb, s);
965         break;
966     case IDE_DMA_WRITE:
967         s->bus->dma->aiocb = dma_blk_write(s->blk, &s->sg, offset,
968                                            BDRV_SECTOR_SIZE, ide_dma_cb, s);
969         break;
970     case IDE_DMA_TRIM:
971         s->bus->dma->aiocb = dma_blk_io(blk_get_aio_context(s->blk),
972                                         &s->sg, offset, BDRV_SECTOR_SIZE,
973                                         ide_issue_trim, s, ide_dma_cb, s,
974                                         DMA_DIRECTION_TO_DEVICE);
975         break;
976     default:
977         abort();
978     }
979     return;
980 
981 eot:
982     if (s->dma_cmd == IDE_DMA_READ || s->dma_cmd == IDE_DMA_WRITE) {
983         block_acct_done(blk_get_stats(s->blk), &s->acct);
984     }
985     ide_set_inactive(s, stay_active);
986 }
987 
988 static void ide_sector_start_dma(IDEState *s, enum ide_dma_cmd dma_cmd)
989 {
990     s->status = READY_STAT | SEEK_STAT | DRQ_STAT;
991     s->io_buffer_size = 0;
992     s->dma_cmd = dma_cmd;
993 
994     switch (dma_cmd) {
995     case IDE_DMA_READ:
996         block_acct_start(blk_get_stats(s->blk), &s->acct,
997                          s->nsector * BDRV_SECTOR_SIZE, BLOCK_ACCT_READ);
998         break;
999     case IDE_DMA_WRITE:
1000         block_acct_start(blk_get_stats(s->blk), &s->acct,
1001                          s->nsector * BDRV_SECTOR_SIZE, BLOCK_ACCT_WRITE);
1002         break;
1003     default:
1004         break;
1005     }
1006 
1007     ide_start_dma(s, ide_dma_cb);
1008 }
1009 
1010 void ide_start_dma(IDEState *s, BlockCompletionFunc *cb)
1011 {
1012     s->io_buffer_index = 0;
1013     ide_set_retry(s);
1014     if (s->bus->dma->ops->start_dma) {
1015         s->bus->dma->ops->start_dma(s->bus->dma, s, cb);
1016     }
1017 }
1018 
1019 static void ide_sector_write(IDEState *s);
1020 
1021 static void ide_sector_write_timer_cb(void *opaque)
1022 {
1023     IDEState *s = opaque;
1024     ide_bus_set_irq(s->bus);
1025 }
1026 
1027 static void ide_sector_write_cb(void *opaque, int ret)
1028 {
1029     IDEState *s = opaque;
1030     int n;
1031 
1032     s->pio_aiocb = NULL;
1033     s->status &= ~BUSY_STAT;
1034 
1035     if (ret != 0) {
1036         if (ide_handle_rw_error(s, -ret, IDE_RETRY_PIO)) {
1037             return;
1038         }
1039     }
1040 
1041     block_acct_done(blk_get_stats(s->blk), &s->acct);
1042 
1043     n = s->nsector;
1044     if (n > s->req_nb_sectors) {
1045         n = s->req_nb_sectors;
1046     }
1047     s->nsector -= n;
1048 
1049     ide_set_sector(s, ide_get_sector(s) + n);
1050     if (s->nsector == 0) {
1051         /* no more sectors to write */
1052         ide_transfer_stop(s);
1053     } else {
1054         int n1 = s->nsector;
1055         if (n1 > s->req_nb_sectors) {
1056             n1 = s->req_nb_sectors;
1057         }
1058         ide_transfer_start(s, s->io_buffer, n1 * BDRV_SECTOR_SIZE,
1059                            ide_sector_write);
1060     }
1061 
1062     if (win2k_install_hack && ((++s->irq_count % 16) == 0)) {
1063         /* It seems there is a bug in the Windows 2000 installer HDD
1064            IDE driver which fills the disk with empty logs when the
1065            IDE write IRQ comes too early. This hack tries to correct
1066            that at the expense of slower write performances. Use this
1067            option _only_ to install Windows 2000. You must disable it
1068            for normal use. */
1069         timer_mod(s->sector_write_timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) +
1070                   (NANOSECONDS_PER_SECOND / 1000));
1071     } else {
1072         ide_bus_set_irq(s->bus);
1073     }
1074 }
1075 
1076 static void ide_sector_write(IDEState *s)
1077 {
1078     int64_t sector_num;
1079     int n;
1080 
1081     s->status = READY_STAT | SEEK_STAT | BUSY_STAT;
1082     sector_num = ide_get_sector(s);
1083 
1084     n = s->nsector;
1085     if (n > s->req_nb_sectors) {
1086         n = s->req_nb_sectors;
1087     }
1088 
1089     trace_ide_sector_write(sector_num, n);
1090 
1091     if (!ide_sect_range_ok(s, sector_num, n)) {
1092         ide_rw_error(s);
1093         block_acct_invalid(blk_get_stats(s->blk), BLOCK_ACCT_WRITE);
1094         return;
1095     }
1096 
1097     qemu_iovec_init_buf(&s->qiov, s->io_buffer, n * BDRV_SECTOR_SIZE);
1098 
1099     block_acct_start(blk_get_stats(s->blk), &s->acct,
1100                      n * BDRV_SECTOR_SIZE, BLOCK_ACCT_WRITE);
1101     s->pio_aiocb = blk_aio_pwritev(s->blk, sector_num << BDRV_SECTOR_BITS,
1102                                    &s->qiov, 0, ide_sector_write_cb, s);
1103 }
1104 
1105 static void ide_flush_cb(void *opaque, int ret)
1106 {
1107     IDEState *s = opaque;
1108 
1109     s->pio_aiocb = NULL;
1110 
1111     if (ret < 0) {
1112         /* XXX: What sector number to set here? */
1113         if (ide_handle_rw_error(s, -ret, IDE_RETRY_FLUSH)) {
1114             return;
1115         }
1116     }
1117 
1118     if (s->blk) {
1119         block_acct_done(blk_get_stats(s->blk), &s->acct);
1120     }
1121     s->status = READY_STAT | SEEK_STAT;
1122     ide_cmd_done(s);
1123     ide_bus_set_irq(s->bus);
1124 }
1125 
1126 static void ide_flush_cache(IDEState *s)
1127 {
1128     if (s->blk == NULL) {
1129         ide_flush_cb(s, 0);
1130         return;
1131     }
1132 
1133     s->status |= BUSY_STAT;
1134     ide_set_retry(s);
1135     block_acct_start(blk_get_stats(s->blk), &s->acct, 0, BLOCK_ACCT_FLUSH);
1136     s->pio_aiocb = blk_aio_flush(s->blk, ide_flush_cb, s);
1137 }
1138 
1139 static void ide_cfata_metadata_inquiry(IDEState *s)
1140 {
1141     uint16_t *p;
1142     uint32_t spd;
1143 
1144     p = (uint16_t *) s->io_buffer;
1145     memset(p, 0, 0x200);
1146     spd = ((s->mdata_size - 1) >> 9) + 1;
1147 
1148     put_le16(p + 0, 0x0001);                    /* Data format revision */
1149     put_le16(p + 1, 0x0000);                    /* Media property: silicon */
1150     put_le16(p + 2, s->media_changed);          /* Media status */
1151     put_le16(p + 3, s->mdata_size & 0xffff);    /* Capacity in bytes (low) */
1152     put_le16(p + 4, s->mdata_size >> 16);       /* Capacity in bytes (high) */
1153     put_le16(p + 5, spd & 0xffff);              /* Sectors per device (low) */
1154     put_le16(p + 6, spd >> 16);                 /* Sectors per device (high) */
1155 }
1156 
1157 static void ide_cfata_metadata_read(IDEState *s)
1158 {
1159     uint16_t *p;
1160 
1161     if (((s->hcyl << 16) | s->lcyl) << 9 > s->mdata_size + 2) {
1162         s->status = ERR_STAT;
1163         s->error = ABRT_ERR;
1164         return;
1165     }
1166 
1167     p = (uint16_t *) s->io_buffer;
1168     memset(p, 0, 0x200);
1169 
1170     put_le16(p + 0, s->media_changed);          /* Media status */
1171     memcpy(p + 1, s->mdata_storage + (((s->hcyl << 16) | s->lcyl) << 9),
1172                     MIN(MIN(s->mdata_size - (((s->hcyl << 16) | s->lcyl) << 9),
1173                                     s->nsector << 9), 0x200 - 2));
1174 }
1175 
1176 static void ide_cfata_metadata_write(IDEState *s)
1177 {
1178     if (((s->hcyl << 16) | s->lcyl) << 9 > s->mdata_size + 2) {
1179         s->status = ERR_STAT;
1180         s->error = ABRT_ERR;
1181         return;
1182     }
1183 
1184     s->media_changed = 0;
1185 
1186     memcpy(s->mdata_storage + (((s->hcyl << 16) | s->lcyl) << 9),
1187                     s->io_buffer + 2,
1188                     MIN(MIN(s->mdata_size - (((s->hcyl << 16) | s->lcyl) << 9),
1189                                     s->nsector << 9), 0x200 - 2));
1190 }
1191 
1192 /* called when the inserted state of the media has changed */
1193 static void ide_cd_change_cb(void *opaque, bool load, Error **errp)
1194 {
1195     IDEState *s = opaque;
1196     uint64_t nb_sectors;
1197 
1198     s->tray_open = !load;
1199     blk_get_geometry(s->blk, &nb_sectors);
1200     s->nb_sectors = nb_sectors;
1201 
1202     /*
1203      * First indicate to the guest that a CD has been removed.  That's
1204      * done on the next command the guest sends us.
1205      *
1206      * Then we set UNIT_ATTENTION, by which the guest will
1207      * detect a new CD in the drive.  See ide_atapi_cmd() for details.
1208      */
1209     s->cdrom_changed = 1;
1210     s->events.new_media = true;
1211     s->events.eject_request = false;
1212     ide_bus_set_irq(s->bus);
1213 }
1214 
1215 static void ide_cd_eject_request_cb(void *opaque, bool force)
1216 {
1217     IDEState *s = opaque;
1218 
1219     s->events.eject_request = true;
1220     if (force) {
1221         s->tray_locked = false;
1222     }
1223     ide_bus_set_irq(s->bus);
1224 }
1225 
1226 static void ide_cmd_lba48_transform(IDEState *s, int lba48)
1227 {
1228     s->lba48 = lba48;
1229 
1230     /* handle the 'magic' 0 nsector count conversion here. to avoid
1231      * fiddling with the rest of the read logic, we just store the
1232      * full sector count in ->nsector and ignore ->hob_nsector from now
1233      */
1234     if (!s->lba48) {
1235         if (!s->nsector)
1236             s->nsector = 256;
1237     } else {
1238         if (!s->nsector && !s->hob_nsector)
1239             s->nsector = 65536;
1240         else {
1241             int lo = s->nsector;
1242             int hi = s->hob_nsector;
1243 
1244             s->nsector = (hi << 8) | lo;
1245         }
1246     }
1247 }
1248 
1249 static void ide_clear_hob(IDEBus *bus)
1250 {
1251     /* any write clears HOB high bit of device control register */
1252     bus->cmd &= ~(IDE_CTRL_HOB);
1253 }
1254 
1255 /* IOport [W]rite [R]egisters */
1256 enum ATA_IOPORT_WR {
1257     ATA_IOPORT_WR_DATA = 0,
1258     ATA_IOPORT_WR_FEATURES = 1,
1259     ATA_IOPORT_WR_SECTOR_COUNT = 2,
1260     ATA_IOPORT_WR_SECTOR_NUMBER = 3,
1261     ATA_IOPORT_WR_CYLINDER_LOW = 4,
1262     ATA_IOPORT_WR_CYLINDER_HIGH = 5,
1263     ATA_IOPORT_WR_DEVICE_HEAD = 6,
1264     ATA_IOPORT_WR_COMMAND = 7,
1265     ATA_IOPORT_WR_NUM_REGISTERS,
1266 };
1267 
1268 const char *ATA_IOPORT_WR_lookup[ATA_IOPORT_WR_NUM_REGISTERS] = {
1269     [ATA_IOPORT_WR_DATA] = "Data",
1270     [ATA_IOPORT_WR_FEATURES] = "Features",
1271     [ATA_IOPORT_WR_SECTOR_COUNT] = "Sector Count",
1272     [ATA_IOPORT_WR_SECTOR_NUMBER] = "Sector Number",
1273     [ATA_IOPORT_WR_CYLINDER_LOW] = "Cylinder Low",
1274     [ATA_IOPORT_WR_CYLINDER_HIGH] = "Cylinder High",
1275     [ATA_IOPORT_WR_DEVICE_HEAD] = "Device/Head",
1276     [ATA_IOPORT_WR_COMMAND] = "Command"
1277 };
1278 
1279 void ide_ioport_write(void *opaque, uint32_t addr, uint32_t val)
1280 {
1281     IDEBus *bus = opaque;
1282     IDEState *s = ide_bus_active_if(bus);
1283     int reg_num = addr & 7;
1284 
1285     trace_ide_ioport_write(addr, ATA_IOPORT_WR_lookup[reg_num], val, bus, s);
1286 
1287     /* ignore writes to command block while busy with previous command */
1288     if (reg_num != 7 && (s->status & (BUSY_STAT|DRQ_STAT))) {
1289         return;
1290     }
1291 
1292     /* NOTE: Device0 and Device1 both receive incoming register writes.
1293      * (They're on the same bus! They have to!) */
1294 
1295     switch (reg_num) {
1296     case 0:
1297         break;
1298     case ATA_IOPORT_WR_FEATURES:
1299         ide_clear_hob(bus);
1300         bus->ifs[0].hob_feature = bus->ifs[0].feature;
1301         bus->ifs[1].hob_feature = bus->ifs[1].feature;
1302         bus->ifs[0].feature = val;
1303         bus->ifs[1].feature = val;
1304         break;
1305     case ATA_IOPORT_WR_SECTOR_COUNT:
1306         ide_clear_hob(bus);
1307         bus->ifs[0].hob_nsector = bus->ifs[0].nsector;
1308         bus->ifs[1].hob_nsector = bus->ifs[1].nsector;
1309         bus->ifs[0].nsector = val;
1310         bus->ifs[1].nsector = val;
1311         break;
1312     case ATA_IOPORT_WR_SECTOR_NUMBER:
1313         ide_clear_hob(bus);
1314         bus->ifs[0].hob_sector = bus->ifs[0].sector;
1315         bus->ifs[1].hob_sector = bus->ifs[1].sector;
1316         bus->ifs[0].sector = val;
1317         bus->ifs[1].sector = val;
1318         break;
1319     case ATA_IOPORT_WR_CYLINDER_LOW:
1320         ide_clear_hob(bus);
1321         bus->ifs[0].hob_lcyl = bus->ifs[0].lcyl;
1322         bus->ifs[1].hob_lcyl = bus->ifs[1].lcyl;
1323         bus->ifs[0].lcyl = val;
1324         bus->ifs[1].lcyl = val;
1325         break;
1326     case ATA_IOPORT_WR_CYLINDER_HIGH:
1327         ide_clear_hob(bus);
1328         bus->ifs[0].hob_hcyl = bus->ifs[0].hcyl;
1329         bus->ifs[1].hob_hcyl = bus->ifs[1].hcyl;
1330         bus->ifs[0].hcyl = val;
1331         bus->ifs[1].hcyl = val;
1332         break;
1333     case ATA_IOPORT_WR_DEVICE_HEAD:
1334         ide_clear_hob(bus);
1335         bus->ifs[0].select = val | (ATA_DEV_ALWAYS_ON);
1336         bus->ifs[1].select = val | (ATA_DEV_ALWAYS_ON);
1337         /* select drive */
1338         bus->unit = (val & (ATA_DEV_SELECT)) ? 1 : 0;
1339         break;
1340     default:
1341     case ATA_IOPORT_WR_COMMAND:
1342         ide_clear_hob(bus);
1343         qemu_irq_lower(bus->irq);
1344         ide_bus_exec_cmd(bus, val);
1345         break;
1346     }
1347 }
1348 
1349 static void ide_reset(IDEState *s)
1350 {
1351     trace_ide_reset(s);
1352 
1353     if (s->pio_aiocb) {
1354         blk_aio_cancel(s->pio_aiocb);
1355         s->pio_aiocb = NULL;
1356     }
1357 
1358     if (s->reset_reverts) {
1359         s->reset_reverts = false;
1360         s->heads         = s->drive_heads;
1361         s->sectors       = s->drive_sectors;
1362     }
1363     if (s->drive_kind == IDE_CFATA)
1364         s->mult_sectors = 0;
1365     else
1366         s->mult_sectors = MAX_MULT_SECTORS;
1367     /* ide regs */
1368     s->feature = 0;
1369     s->error = 0;
1370     s->nsector = 0;
1371     s->sector = 0;
1372     s->lcyl = 0;
1373     s->hcyl = 0;
1374 
1375     /* lba48 */
1376     s->hob_feature = 0;
1377     s->hob_sector = 0;
1378     s->hob_nsector = 0;
1379     s->hob_lcyl = 0;
1380     s->hob_hcyl = 0;
1381 
1382     s->select = (ATA_DEV_ALWAYS_ON);
1383     s->status = READY_STAT | SEEK_STAT;
1384 
1385     s->lba48 = 0;
1386 
1387     /* ATAPI specific */
1388     s->sense_key = 0;
1389     s->asc = 0;
1390     s->cdrom_changed = 0;
1391     s->packet_transfer_size = 0;
1392     s->elementary_transfer_size = 0;
1393     s->io_buffer_index = 0;
1394     s->cd_sector_size = 0;
1395     s->atapi_dma = 0;
1396     s->tray_locked = 0;
1397     s->tray_open = 0;
1398     /* ATA DMA state */
1399     s->io_buffer_size = 0;
1400     s->req_nb_sectors = 0;
1401 
1402     ide_set_signature(s);
1403     /* init the transfer handler so that 0xffff is returned on data
1404        accesses */
1405     s->end_transfer_func = ide_dummy_transfer_stop;
1406     ide_dummy_transfer_stop(s);
1407     s->media_changed = 0;
1408 }
1409 
1410 static bool cmd_nop(IDEState *s, uint8_t cmd)
1411 {
1412     return true;
1413 }
1414 
1415 static bool cmd_device_reset(IDEState *s, uint8_t cmd)
1416 {
1417     /* Halt PIO (in the DRQ phase), then DMA */
1418     ide_transfer_halt(s);
1419     ide_cancel_dma_sync(s);
1420 
1421     /* Reset any PIO commands, reset signature, etc */
1422     ide_reset(s);
1423 
1424     /* RESET: ATA8-ACS3 7.10.4 "Normal Outputs";
1425      * ATA8-ACS3 Table 184 "Device Signatures for Normal Output" */
1426     s->status = 0x00;
1427 
1428     /* Do not overwrite status register */
1429     return false;
1430 }
1431 
1432 static bool cmd_data_set_management(IDEState *s, uint8_t cmd)
1433 {
1434     switch (s->feature) {
1435     case DSM_TRIM:
1436         if (s->blk) {
1437             ide_sector_start_dma(s, IDE_DMA_TRIM);
1438             return false;
1439         }
1440         break;
1441     }
1442 
1443     ide_abort_command(s);
1444     return true;
1445 }
1446 
1447 static bool cmd_identify(IDEState *s, uint8_t cmd)
1448 {
1449     if (s->blk && s->drive_kind != IDE_CD) {
1450         if (s->drive_kind != IDE_CFATA) {
1451             ide_identify(s);
1452         } else {
1453             ide_cfata_identify(s);
1454         }
1455         s->status = READY_STAT | SEEK_STAT;
1456         ide_transfer_start(s, s->io_buffer, 512, ide_transfer_stop);
1457         ide_bus_set_irq(s->bus);
1458         return false;
1459     } else {
1460         if (s->drive_kind == IDE_CD) {
1461             ide_set_signature(s);
1462         }
1463         ide_abort_command(s);
1464     }
1465 
1466     return true;
1467 }
1468 
1469 static bool cmd_verify(IDEState *s, uint8_t cmd)
1470 {
1471     bool lba48 = (cmd == WIN_VERIFY_EXT);
1472 
1473     /* do sector number check ? */
1474     ide_cmd_lba48_transform(s, lba48);
1475 
1476     return true;
1477 }
1478 
1479 static bool cmd_set_multiple_mode(IDEState *s, uint8_t cmd)
1480 {
1481     if (s->drive_kind == IDE_CFATA && s->nsector == 0) {
1482         /* Disable Read and Write Multiple */
1483         s->mult_sectors = 0;
1484     } else if ((s->nsector & 0xff) != 0 &&
1485         ((s->nsector & 0xff) > MAX_MULT_SECTORS ||
1486          (s->nsector & (s->nsector - 1)) != 0)) {
1487         ide_abort_command(s);
1488     } else {
1489         s->mult_sectors = s->nsector & 0xff;
1490     }
1491 
1492     return true;
1493 }
1494 
1495 static bool cmd_read_multiple(IDEState *s, uint8_t cmd)
1496 {
1497     bool lba48 = (cmd == WIN_MULTREAD_EXT);
1498 
1499     if (!s->blk || !s->mult_sectors) {
1500         ide_abort_command(s);
1501         return true;
1502     }
1503 
1504     ide_cmd_lba48_transform(s, lba48);
1505     s->req_nb_sectors = s->mult_sectors;
1506     ide_sector_read(s);
1507     return false;
1508 }
1509 
1510 static bool cmd_write_multiple(IDEState *s, uint8_t cmd)
1511 {
1512     bool lba48 = (cmd == WIN_MULTWRITE_EXT);
1513     int n;
1514 
1515     if (!s->blk || !s->mult_sectors) {
1516         ide_abort_command(s);
1517         return true;
1518     }
1519 
1520     ide_cmd_lba48_transform(s, lba48);
1521 
1522     s->req_nb_sectors = s->mult_sectors;
1523     n = MIN(s->nsector, s->req_nb_sectors);
1524 
1525     s->status = SEEK_STAT | READY_STAT;
1526     ide_transfer_start(s, s->io_buffer, 512 * n, ide_sector_write);
1527 
1528     s->media_changed = 1;
1529 
1530     return false;
1531 }
1532 
1533 static bool cmd_read_pio(IDEState *s, uint8_t cmd)
1534 {
1535     bool lba48 = (cmd == WIN_READ_EXT);
1536 
1537     if (s->drive_kind == IDE_CD) {
1538         ide_set_signature(s); /* odd, but ATA4 8.27.5.2 requires it */
1539         ide_abort_command(s);
1540         return true;
1541     }
1542 
1543     if (!s->blk) {
1544         ide_abort_command(s);
1545         return true;
1546     }
1547 
1548     ide_cmd_lba48_transform(s, lba48);
1549     s->req_nb_sectors = 1;
1550     ide_sector_read(s);
1551 
1552     return false;
1553 }
1554 
1555 static bool cmd_write_pio(IDEState *s, uint8_t cmd)
1556 {
1557     bool lba48 = (cmd == WIN_WRITE_EXT);
1558 
1559     if (!s->blk) {
1560         ide_abort_command(s);
1561         return true;
1562     }
1563 
1564     ide_cmd_lba48_transform(s, lba48);
1565 
1566     s->req_nb_sectors = 1;
1567     s->status = SEEK_STAT | READY_STAT;
1568     ide_transfer_start(s, s->io_buffer, 512, ide_sector_write);
1569 
1570     s->media_changed = 1;
1571 
1572     return false;
1573 }
1574 
1575 static bool cmd_read_dma(IDEState *s, uint8_t cmd)
1576 {
1577     bool lba48 = (cmd == WIN_READDMA_EXT);
1578 
1579     if (!s->blk) {
1580         ide_abort_command(s);
1581         return true;
1582     }
1583 
1584     ide_cmd_lba48_transform(s, lba48);
1585     ide_sector_start_dma(s, IDE_DMA_READ);
1586 
1587     return false;
1588 }
1589 
1590 static bool cmd_write_dma(IDEState *s, uint8_t cmd)
1591 {
1592     bool lba48 = (cmd == WIN_WRITEDMA_EXT);
1593 
1594     if (!s->blk) {
1595         ide_abort_command(s);
1596         return true;
1597     }
1598 
1599     ide_cmd_lba48_transform(s, lba48);
1600     ide_sector_start_dma(s, IDE_DMA_WRITE);
1601 
1602     s->media_changed = 1;
1603 
1604     return false;
1605 }
1606 
1607 static bool cmd_flush_cache(IDEState *s, uint8_t cmd)
1608 {
1609     ide_flush_cache(s);
1610     return false;
1611 }
1612 
1613 static bool cmd_seek(IDEState *s, uint8_t cmd)
1614 {
1615     /* XXX: Check that seek is within bounds */
1616     return true;
1617 }
1618 
1619 static bool cmd_read_native_max(IDEState *s, uint8_t cmd)
1620 {
1621     bool lba48 = (cmd == WIN_READ_NATIVE_MAX_EXT);
1622 
1623     /* Refuse if no sectors are addressable (e.g. medium not inserted) */
1624     if (s->nb_sectors == 0) {
1625         ide_abort_command(s);
1626         return true;
1627     }
1628 
1629     ide_cmd_lba48_transform(s, lba48);
1630     ide_set_sector(s, s->nb_sectors - 1);
1631 
1632     return true;
1633 }
1634 
1635 static bool cmd_check_power_mode(IDEState *s, uint8_t cmd)
1636 {
1637     s->nsector = 0xff; /* device active or idle */
1638     return true;
1639 }
1640 
1641 /* INITIALIZE DEVICE PARAMETERS */
1642 static bool cmd_specify(IDEState *s, uint8_t cmd)
1643 {
1644     if (s->blk && s->drive_kind != IDE_CD) {
1645         s->heads = (s->select & (ATA_DEV_HS)) + 1;
1646         s->sectors = s->nsector;
1647         ide_bus_set_irq(s->bus);
1648     } else {
1649         ide_abort_command(s);
1650     }
1651 
1652     return true;
1653 }
1654 
1655 static bool cmd_set_features(IDEState *s, uint8_t cmd)
1656 {
1657     uint16_t *identify_data;
1658 
1659     if (!s->blk) {
1660         ide_abort_command(s);
1661         return true;
1662     }
1663 
1664     /* XXX: valid for CDROM ? */
1665     switch (s->feature) {
1666     case 0x01: /* 8-bit I/O enable (CompactFlash) */
1667     case 0x81: /* 8-bit I/O disable (CompactFlash) */
1668         if (s->drive_kind != IDE_CFATA) {
1669             goto abort_cmd;
1670         }
1671         s->io8 = !(s->feature & 0x80);
1672         return true;
1673     case 0x02: /* write cache enable */
1674         blk_set_enable_write_cache(s->blk, true);
1675         identify_data = (uint16_t *)s->identify_data;
1676         put_le16(identify_data + 85, (1 << 14) | (1 << 5) | 1);
1677         return true;
1678     case 0x82: /* write cache disable */
1679         blk_set_enable_write_cache(s->blk, false);
1680         identify_data = (uint16_t *)s->identify_data;
1681         put_le16(identify_data + 85, (1 << 14) | 1);
1682         ide_flush_cache(s);
1683         return false;
1684     case 0xcc: /* reverting to power-on defaults enable */
1685         s->reset_reverts = true;
1686         return true;
1687     case 0x66: /* reverting to power-on defaults disable */
1688         s->reset_reverts = false;
1689         return true;
1690     case 0xaa: /* read look-ahead enable */
1691     case 0x55: /* read look-ahead disable */
1692     case 0x05: /* set advanced power management mode */
1693     case 0x85: /* disable advanced power management mode */
1694     case 0x69: /* NOP */
1695     case 0x67: /* NOP */
1696     case 0x96: /* NOP */
1697     case 0x9a: /* NOP */
1698     case 0x42: /* enable Automatic Acoustic Mode */
1699     case 0xc2: /* disable Automatic Acoustic Mode */
1700         return true;
1701     case 0x03: /* set transfer mode */
1702         {
1703             uint8_t val = s->nsector & 0x07;
1704             identify_data = (uint16_t *)s->identify_data;
1705 
1706             switch (s->nsector >> 3) {
1707             case 0x00: /* pio default */
1708             case 0x01: /* pio mode */
1709                 put_le16(identify_data + 62, 0x07);
1710                 put_le16(identify_data + 63, 0x07);
1711                 put_le16(identify_data + 88, 0x3f);
1712                 break;
1713             case 0x02: /* single word dma mode */
1714                 put_le16(identify_data + 62, 0x07 | (1 << (val + 8)));
1715                 put_le16(identify_data + 63, 0x07);
1716                 put_le16(identify_data + 88, 0x3f);
1717                 break;
1718             case 0x04: /* mdma mode */
1719                 put_le16(identify_data + 62, 0x07);
1720                 put_le16(identify_data + 63, 0x07 | (1 << (val + 8)));
1721                 put_le16(identify_data + 88, 0x3f);
1722                 break;
1723             case 0x08: /* udma mode */
1724                 put_le16(identify_data + 62, 0x07);
1725                 put_le16(identify_data + 63, 0x07);
1726                 put_le16(identify_data + 88, 0x3f | (1 << (val + 8)));
1727                 break;
1728             default:
1729                 goto abort_cmd;
1730             }
1731             return true;
1732         }
1733     }
1734 
1735 abort_cmd:
1736     ide_abort_command(s);
1737     return true;
1738 }
1739 
1740 
1741 /*** ATAPI commands ***/
1742 
1743 static bool cmd_identify_packet(IDEState *s, uint8_t cmd)
1744 {
1745     ide_atapi_identify(s);
1746     s->status = READY_STAT | SEEK_STAT;
1747     ide_transfer_start(s, s->io_buffer, 512, ide_transfer_stop);
1748     ide_bus_set_irq(s->bus);
1749     return false;
1750 }
1751 
1752 /* EXECUTE DEVICE DIAGNOSTIC */
1753 static bool cmd_exec_dev_diagnostic(IDEState *s, uint8_t cmd)
1754 {
1755     /*
1756      * Clear the device register per the ATA (v6) specification,
1757      * because ide_set_signature does not clear LBA or drive bits.
1758      */
1759     s->select = (ATA_DEV_ALWAYS_ON);
1760     ide_set_signature(s);
1761 
1762     if (s->drive_kind == IDE_CD) {
1763         s->status = 0; /* ATAPI spec (v6) section 9.10 defines packet
1764                         * devices to return a clear status register
1765                         * with READY_STAT *not* set. */
1766         s->error = 0x01;
1767     } else {
1768         s->status = READY_STAT | SEEK_STAT;
1769         /* The bits of the error register are not as usual for this command!
1770          * They are part of the regular output (this is why ERR_STAT isn't set)
1771          * Device 0 passed, Device 1 passed or not present. */
1772         s->error = 0x01;
1773         ide_bus_set_irq(s->bus);
1774     }
1775 
1776     return false;
1777 }
1778 
1779 static bool cmd_packet(IDEState *s, uint8_t cmd)
1780 {
1781     /* overlapping commands not supported */
1782     if (s->feature & 0x02) {
1783         ide_abort_command(s);
1784         return true;
1785     }
1786 
1787     s->status = READY_STAT | SEEK_STAT;
1788     s->atapi_dma = s->feature & 1;
1789     if (s->atapi_dma) {
1790         s->dma_cmd = IDE_DMA_ATAPI;
1791     }
1792     s->nsector = 1;
1793     ide_transfer_start(s, s->io_buffer, ATAPI_PACKET_SIZE,
1794                        ide_atapi_cmd);
1795     return false;
1796 }
1797 
1798 
1799 /*** CF-ATA commands ***/
1800 
1801 static bool cmd_cfa_req_ext_error_code(IDEState *s, uint8_t cmd)
1802 {
1803     s->error = 0x09;    /* miscellaneous error */
1804     s->status = READY_STAT | SEEK_STAT;
1805     ide_bus_set_irq(s->bus);
1806 
1807     return false;
1808 }
1809 
1810 static bool cmd_cfa_erase_sectors(IDEState *s, uint8_t cmd)
1811 {
1812     /* WIN_SECURITY_FREEZE_LOCK has the same ID as CFA_WEAR_LEVEL and is
1813      * required for Windows 8 to work with AHCI */
1814 
1815     if (cmd == CFA_WEAR_LEVEL) {
1816         s->nsector = 0;
1817     }
1818 
1819     if (cmd == CFA_ERASE_SECTORS) {
1820         s->media_changed = 1;
1821     }
1822 
1823     return true;
1824 }
1825 
1826 static bool cmd_cfa_translate_sector(IDEState *s, uint8_t cmd)
1827 {
1828     s->status = READY_STAT | SEEK_STAT;
1829 
1830     memset(s->io_buffer, 0, 0x200);
1831     s->io_buffer[0x00] = s->hcyl;                   /* Cyl MSB */
1832     s->io_buffer[0x01] = s->lcyl;                   /* Cyl LSB */
1833     s->io_buffer[0x02] = s->select;                 /* Head */
1834     s->io_buffer[0x03] = s->sector;                 /* Sector */
1835     s->io_buffer[0x04] = ide_get_sector(s) >> 16;   /* LBA MSB */
1836     s->io_buffer[0x05] = ide_get_sector(s) >> 8;    /* LBA */
1837     s->io_buffer[0x06] = ide_get_sector(s) >> 0;    /* LBA LSB */
1838     s->io_buffer[0x13] = 0x00;                      /* Erase flag */
1839     s->io_buffer[0x18] = 0x00;                      /* Hot count */
1840     s->io_buffer[0x19] = 0x00;                      /* Hot count */
1841     s->io_buffer[0x1a] = 0x01;                      /* Hot count */
1842 
1843     ide_transfer_start(s, s->io_buffer, 0x200, ide_transfer_stop);
1844     ide_bus_set_irq(s->bus);
1845 
1846     return false;
1847 }
1848 
1849 static bool cmd_cfa_access_metadata_storage(IDEState *s, uint8_t cmd)
1850 {
1851     switch (s->feature) {
1852     case 0x02:  /* Inquiry Metadata Storage */
1853         ide_cfata_metadata_inquiry(s);
1854         break;
1855     case 0x03:  /* Read Metadata Storage */
1856         ide_cfata_metadata_read(s);
1857         break;
1858     case 0x04:  /* Write Metadata Storage */
1859         ide_cfata_metadata_write(s);
1860         break;
1861     default:
1862         ide_abort_command(s);
1863         return true;
1864     }
1865 
1866     ide_transfer_start(s, s->io_buffer, 0x200, ide_transfer_stop);
1867     s->status = 0x00; /* NOTE: READY is _not_ set */
1868     ide_bus_set_irq(s->bus);
1869 
1870     return false;
1871 }
1872 
1873 static bool cmd_ibm_sense_condition(IDEState *s, uint8_t cmd)
1874 {
1875     switch (s->feature) {
1876     case 0x01:  /* sense temperature in device */
1877         s->nsector = 0x50;      /* +20 C */
1878         break;
1879     default:
1880         ide_abort_command(s);
1881         return true;
1882     }
1883 
1884     return true;
1885 }
1886 
1887 
1888 /*** SMART commands ***/
1889 
1890 static bool cmd_smart(IDEState *s, uint8_t cmd)
1891 {
1892     int n;
1893 
1894     if (s->hcyl != 0xc2 || s->lcyl != 0x4f) {
1895         goto abort_cmd;
1896     }
1897 
1898     if (!s->smart_enabled && s->feature != SMART_ENABLE) {
1899         goto abort_cmd;
1900     }
1901 
1902     switch (s->feature) {
1903     case SMART_DISABLE:
1904         s->smart_enabled = 0;
1905         return true;
1906 
1907     case SMART_ENABLE:
1908         s->smart_enabled = 1;
1909         return true;
1910 
1911     case SMART_ATTR_AUTOSAVE:
1912         switch (s->sector) {
1913         case 0x00:
1914             s->smart_autosave = 0;
1915             break;
1916         case 0xf1:
1917             s->smart_autosave = 1;
1918             break;
1919         default:
1920             goto abort_cmd;
1921         }
1922         return true;
1923 
1924     case SMART_STATUS:
1925         if (!s->smart_errors) {
1926             s->hcyl = 0xc2;
1927             s->lcyl = 0x4f;
1928         } else {
1929             s->hcyl = 0x2c;
1930             s->lcyl = 0xf4;
1931         }
1932         return true;
1933 
1934     case SMART_READ_THRESH:
1935         memset(s->io_buffer, 0, 0x200);
1936         s->io_buffer[0] = 0x01; /* smart struct version */
1937 
1938         for (n = 0; n < ARRAY_SIZE(smart_attributes); n++) {
1939             s->io_buffer[2 + 0 + (n * 12)] = smart_attributes[n][0];
1940             s->io_buffer[2 + 1 + (n * 12)] = smart_attributes[n][11];
1941         }
1942 
1943         /* checksum */
1944         for (n = 0; n < 511; n++) {
1945             s->io_buffer[511] += s->io_buffer[n];
1946         }
1947         s->io_buffer[511] = 0x100 - s->io_buffer[511];
1948 
1949         s->status = READY_STAT | SEEK_STAT;
1950         ide_transfer_start(s, s->io_buffer, 0x200, ide_transfer_stop);
1951         ide_bus_set_irq(s->bus);
1952         return false;
1953 
1954     case SMART_READ_DATA:
1955         memset(s->io_buffer, 0, 0x200);
1956         s->io_buffer[0] = 0x01; /* smart struct version */
1957 
1958         for (n = 0; n < ARRAY_SIZE(smart_attributes); n++) {
1959             int i;
1960             for (i = 0; i < 11; i++) {
1961                 s->io_buffer[2 + i + (n * 12)] = smart_attributes[n][i];
1962             }
1963         }
1964 
1965         s->io_buffer[362] = 0x02 | (s->smart_autosave ? 0x80 : 0x00);
1966         if (s->smart_selftest_count == 0) {
1967             s->io_buffer[363] = 0;
1968         } else {
1969             s->io_buffer[363] =
1970                 s->smart_selftest_data[3 +
1971                            (s->smart_selftest_count - 1) *
1972                            24];
1973         }
1974         s->io_buffer[364] = 0x20;
1975         s->io_buffer[365] = 0x01;
1976         /* offline data collection capacity: execute + self-test*/
1977         s->io_buffer[367] = (1 << 4 | 1 << 3 | 1);
1978         s->io_buffer[368] = 0x03; /* smart capability (1) */
1979         s->io_buffer[369] = 0x00; /* smart capability (2) */
1980         s->io_buffer[370] = 0x01; /* error logging supported */
1981         s->io_buffer[372] = 0x02; /* minutes for poll short test */
1982         s->io_buffer[373] = 0x36; /* minutes for poll ext test */
1983         s->io_buffer[374] = 0x01; /* minutes for poll conveyance */
1984 
1985         for (n = 0; n < 511; n++) {
1986             s->io_buffer[511] += s->io_buffer[n];
1987         }
1988         s->io_buffer[511] = 0x100 - s->io_buffer[511];
1989 
1990         s->status = READY_STAT | SEEK_STAT;
1991         ide_transfer_start(s, s->io_buffer, 0x200, ide_transfer_stop);
1992         ide_bus_set_irq(s->bus);
1993         return false;
1994 
1995     case SMART_READ_LOG:
1996         switch (s->sector) {
1997         case 0x01: /* summary smart error log */
1998             memset(s->io_buffer, 0, 0x200);
1999             s->io_buffer[0] = 0x01;
2000             s->io_buffer[1] = 0x00; /* no error entries */
2001             s->io_buffer[452] = s->smart_errors & 0xff;
2002             s->io_buffer[453] = (s->smart_errors & 0xff00) >> 8;
2003 
2004             for (n = 0; n < 511; n++) {
2005                 s->io_buffer[511] += s->io_buffer[n];
2006             }
2007             s->io_buffer[511] = 0x100 - s->io_buffer[511];
2008             break;
2009         case 0x06: /* smart self test log */
2010             memset(s->io_buffer, 0, 0x200);
2011             s->io_buffer[0] = 0x01;
2012             if (s->smart_selftest_count == 0) {
2013                 s->io_buffer[508] = 0;
2014             } else {
2015                 s->io_buffer[508] = s->smart_selftest_count;
2016                 for (n = 2; n < 506; n++)  {
2017                     s->io_buffer[n] = s->smart_selftest_data[n];
2018                 }
2019             }
2020 
2021             for (n = 0; n < 511; n++) {
2022                 s->io_buffer[511] += s->io_buffer[n];
2023             }
2024             s->io_buffer[511] = 0x100 - s->io_buffer[511];
2025             break;
2026         default:
2027             goto abort_cmd;
2028         }
2029         s->status = READY_STAT | SEEK_STAT;
2030         ide_transfer_start(s, s->io_buffer, 0x200, ide_transfer_stop);
2031         ide_bus_set_irq(s->bus);
2032         return false;
2033 
2034     case SMART_EXECUTE_OFFLINE:
2035         switch (s->sector) {
2036         case 0: /* off-line routine */
2037         case 1: /* short self test */
2038         case 2: /* extended self test */
2039             s->smart_selftest_count++;
2040             if (s->smart_selftest_count > 21) {
2041                 s->smart_selftest_count = 1;
2042             }
2043             n = 2 + (s->smart_selftest_count - 1) * 24;
2044             s->smart_selftest_data[n] = s->sector;
2045             s->smart_selftest_data[n + 1] = 0x00; /* OK and finished */
2046             s->smart_selftest_data[n + 2] = 0x34; /* hour count lsb */
2047             s->smart_selftest_data[n + 3] = 0x12; /* hour count msb */
2048             break;
2049         default:
2050             goto abort_cmd;
2051         }
2052         return true;
2053     }
2054 
2055 abort_cmd:
2056     ide_abort_command(s);
2057     return true;
2058 }
2059 
2060 #define HD_OK (1u << IDE_HD)
2061 #define CD_OK (1u << IDE_CD)
2062 #define CFA_OK (1u << IDE_CFATA)
2063 #define HD_CFA_OK (HD_OK | CFA_OK)
2064 #define ALL_OK (HD_OK | CD_OK | CFA_OK)
2065 
2066 /* Set the Disk Seek Completed status bit during completion */
2067 #define SET_DSC (1u << 8)
2068 
2069 /* See ACS-2 T13/2015-D Table B.2 Command codes */
2070 static const struct {
2071     /* Returns true if the completion code should be run */
2072     bool (*handler)(IDEState *s, uint8_t cmd);
2073     int flags;
2074 } ide_cmd_table[0x100] = {
2075     /* NOP not implemented, mandatory for CD */
2076     [CFA_REQ_EXT_ERROR_CODE]      = { cmd_cfa_req_ext_error_code, CFA_OK },
2077     [WIN_DSM]                     = { cmd_data_set_management, HD_CFA_OK },
2078     [WIN_DEVICE_RESET]            = { cmd_device_reset, CD_OK },
2079     [WIN_RECAL]                   = { cmd_nop, HD_CFA_OK | SET_DSC},
2080     [WIN_READ]                    = { cmd_read_pio, ALL_OK },
2081     [WIN_READ_ONCE]               = { cmd_read_pio, HD_CFA_OK },
2082     [WIN_READ_EXT]                = { cmd_read_pio, HD_CFA_OK },
2083     [WIN_READDMA_EXT]             = { cmd_read_dma, HD_CFA_OK },
2084     [WIN_READ_NATIVE_MAX_EXT]     = { cmd_read_native_max, HD_CFA_OK | SET_DSC },
2085     [WIN_MULTREAD_EXT]            = { cmd_read_multiple, HD_CFA_OK },
2086     [WIN_WRITE]                   = { cmd_write_pio, HD_CFA_OK },
2087     [WIN_WRITE_ONCE]              = { cmd_write_pio, HD_CFA_OK },
2088     [WIN_WRITE_EXT]               = { cmd_write_pio, HD_CFA_OK },
2089     [WIN_WRITEDMA_EXT]            = { cmd_write_dma, HD_CFA_OK },
2090     [CFA_WRITE_SECT_WO_ERASE]     = { cmd_write_pio, CFA_OK },
2091     [WIN_MULTWRITE_EXT]           = { cmd_write_multiple, HD_CFA_OK },
2092     [WIN_WRITE_VERIFY]            = { cmd_write_pio, HD_CFA_OK },
2093     [WIN_VERIFY]                  = { cmd_verify, HD_CFA_OK | SET_DSC },
2094     [WIN_VERIFY_ONCE]             = { cmd_verify, HD_CFA_OK | SET_DSC },
2095     [WIN_VERIFY_EXT]              = { cmd_verify, HD_CFA_OK | SET_DSC },
2096     [WIN_SEEK]                    = { cmd_seek, HD_CFA_OK | SET_DSC },
2097     [CFA_TRANSLATE_SECTOR]        = { cmd_cfa_translate_sector, CFA_OK },
2098     [WIN_DIAGNOSE]                = { cmd_exec_dev_diagnostic, ALL_OK },
2099     [WIN_SPECIFY]                 = { cmd_specify, HD_CFA_OK | SET_DSC },
2100     [WIN_STANDBYNOW2]             = { cmd_nop, HD_CFA_OK },
2101     [WIN_IDLEIMMEDIATE2]          = { cmd_nop, HD_CFA_OK },
2102     [WIN_STANDBY2]                = { cmd_nop, HD_CFA_OK },
2103     [WIN_SETIDLE2]                = { cmd_nop, HD_CFA_OK },
2104     [WIN_CHECKPOWERMODE2]         = { cmd_check_power_mode, HD_CFA_OK | SET_DSC },
2105     [WIN_SLEEPNOW2]               = { cmd_nop, HD_CFA_OK },
2106     [WIN_PACKETCMD]               = { cmd_packet, CD_OK },
2107     [WIN_PIDENTIFY]               = { cmd_identify_packet, CD_OK },
2108     [WIN_SMART]                   = { cmd_smart, HD_CFA_OK | SET_DSC },
2109     [CFA_ACCESS_METADATA_STORAGE] = { cmd_cfa_access_metadata_storage, CFA_OK },
2110     [CFA_ERASE_SECTORS]           = { cmd_cfa_erase_sectors, CFA_OK | SET_DSC },
2111     [WIN_MULTREAD]                = { cmd_read_multiple, HD_CFA_OK },
2112     [WIN_MULTWRITE]               = { cmd_write_multiple, HD_CFA_OK },
2113     [WIN_SETMULT]                 = { cmd_set_multiple_mode, HD_CFA_OK | SET_DSC },
2114     [WIN_READDMA]                 = { cmd_read_dma, HD_CFA_OK },
2115     [WIN_READDMA_ONCE]            = { cmd_read_dma, HD_CFA_OK },
2116     [WIN_WRITEDMA]                = { cmd_write_dma, HD_CFA_OK },
2117     [WIN_WRITEDMA_ONCE]           = { cmd_write_dma, HD_CFA_OK },
2118     [CFA_WRITE_MULTI_WO_ERASE]    = { cmd_write_multiple, CFA_OK },
2119     [WIN_STANDBYNOW1]             = { cmd_nop, HD_CFA_OK },
2120     [WIN_IDLEIMMEDIATE]           = { cmd_nop, HD_CFA_OK },
2121     [WIN_STANDBY]                 = { cmd_nop, HD_CFA_OK },
2122     [WIN_SETIDLE1]                = { cmd_nop, HD_CFA_OK },
2123     [WIN_CHECKPOWERMODE1]         = { cmd_check_power_mode, HD_CFA_OK | SET_DSC },
2124     [WIN_SLEEPNOW1]               = { cmd_nop, HD_CFA_OK },
2125     [WIN_FLUSH_CACHE]             = { cmd_flush_cache, ALL_OK },
2126     [WIN_FLUSH_CACHE_EXT]         = { cmd_flush_cache, HD_CFA_OK },
2127     [WIN_IDENTIFY]                = { cmd_identify, ALL_OK },
2128     [WIN_SETFEATURES]             = { cmd_set_features, ALL_OK | SET_DSC },
2129     [IBM_SENSE_CONDITION]         = { cmd_ibm_sense_condition, CFA_OK | SET_DSC },
2130     [CFA_WEAR_LEVEL]              = { cmd_cfa_erase_sectors, HD_CFA_OK | SET_DSC },
2131     [WIN_READ_NATIVE_MAX]         = { cmd_read_native_max, HD_CFA_OK | SET_DSC },
2132 };
2133 
2134 static bool ide_cmd_permitted(IDEState *s, uint32_t cmd)
2135 {
2136     return cmd < ARRAY_SIZE(ide_cmd_table)
2137         && (ide_cmd_table[cmd].flags & (1u << s->drive_kind));
2138 }
2139 
2140 void ide_bus_exec_cmd(IDEBus *bus, uint32_t val)
2141 {
2142     IDEState *s;
2143     bool complete;
2144 
2145     s = ide_bus_active_if(bus);
2146     trace_ide_bus_exec_cmd(bus, s, val);
2147 
2148     /* ignore commands to non existent slave */
2149     if (s != bus->ifs && !s->blk) {
2150         return;
2151     }
2152 
2153     /* Only RESET is allowed while BSY and/or DRQ are set,
2154      * and only to ATAPI devices. */
2155     if (s->status & (BUSY_STAT|DRQ_STAT)) {
2156         if (val != WIN_DEVICE_RESET || s->drive_kind != IDE_CD) {
2157             return;
2158         }
2159     }
2160 
2161     if (!ide_cmd_permitted(s, val)) {
2162         ide_abort_command(s);
2163         ide_bus_set_irq(s->bus);
2164         return;
2165     }
2166 
2167     s->status = READY_STAT | BUSY_STAT;
2168     s->error = 0;
2169     s->io_buffer_offset = 0;
2170 
2171     complete = ide_cmd_table[val].handler(s, val);
2172     if (complete) {
2173         s->status &= ~BUSY_STAT;
2174         assert(!!s->error == !!(s->status & ERR_STAT));
2175 
2176         if ((ide_cmd_table[val].flags & SET_DSC) && !s->error) {
2177             s->status |= SEEK_STAT;
2178         }
2179 
2180         ide_cmd_done(s);
2181         ide_bus_set_irq(s->bus);
2182     }
2183 }
2184 
2185 /* IOport [R]ead [R]egisters */
2186 enum ATA_IOPORT_RR {
2187     ATA_IOPORT_RR_DATA = 0,
2188     ATA_IOPORT_RR_ERROR = 1,
2189     ATA_IOPORT_RR_SECTOR_COUNT = 2,
2190     ATA_IOPORT_RR_SECTOR_NUMBER = 3,
2191     ATA_IOPORT_RR_CYLINDER_LOW = 4,
2192     ATA_IOPORT_RR_CYLINDER_HIGH = 5,
2193     ATA_IOPORT_RR_DEVICE_HEAD = 6,
2194     ATA_IOPORT_RR_STATUS = 7,
2195     ATA_IOPORT_RR_NUM_REGISTERS,
2196 };
2197 
2198 const char *ATA_IOPORT_RR_lookup[ATA_IOPORT_RR_NUM_REGISTERS] = {
2199     [ATA_IOPORT_RR_DATA] = "Data",
2200     [ATA_IOPORT_RR_ERROR] = "Error",
2201     [ATA_IOPORT_RR_SECTOR_COUNT] = "Sector Count",
2202     [ATA_IOPORT_RR_SECTOR_NUMBER] = "Sector Number",
2203     [ATA_IOPORT_RR_CYLINDER_LOW] = "Cylinder Low",
2204     [ATA_IOPORT_RR_CYLINDER_HIGH] = "Cylinder High",
2205     [ATA_IOPORT_RR_DEVICE_HEAD] = "Device/Head",
2206     [ATA_IOPORT_RR_STATUS] = "Status"
2207 };
2208 
2209 uint32_t ide_ioport_read(void *opaque, uint32_t addr)
2210 {
2211     IDEBus *bus = opaque;
2212     IDEState *s = ide_bus_active_if(bus);
2213     uint32_t reg_num;
2214     int ret, hob;
2215 
2216     reg_num = addr & 7;
2217     hob = bus->cmd & (IDE_CTRL_HOB);
2218     switch (reg_num) {
2219     case ATA_IOPORT_RR_DATA:
2220         /*
2221          * The pre-GRUB Solaris x86 bootloader relies upon inb
2222          * consuming a word from the drive's sector buffer.
2223          */
2224         ret = ide_data_readw(bus, addr) & 0xff;
2225         break;
2226     case ATA_IOPORT_RR_ERROR:
2227         if ((!bus->ifs[0].blk && !bus->ifs[1].blk) ||
2228             (s != bus->ifs && !s->blk)) {
2229             ret = 0;
2230         } else if (!hob) {
2231             ret = s->error;
2232         } else {
2233             ret = s->hob_feature;
2234         }
2235         break;
2236     case ATA_IOPORT_RR_SECTOR_COUNT:
2237         if (!bus->ifs[0].blk && !bus->ifs[1].blk) {
2238             ret = 0;
2239         } else if (!hob) {
2240             ret = s->nsector & 0xff;
2241         } else {
2242             ret = s->hob_nsector;
2243         }
2244         break;
2245     case ATA_IOPORT_RR_SECTOR_NUMBER:
2246         if (!bus->ifs[0].blk && !bus->ifs[1].blk) {
2247             ret = 0;
2248         } else if (!hob) {
2249             ret = s->sector;
2250         } else {
2251             ret = s->hob_sector;
2252         }
2253         break;
2254     case ATA_IOPORT_RR_CYLINDER_LOW:
2255         if (!bus->ifs[0].blk && !bus->ifs[1].blk) {
2256             ret = 0;
2257         } else if (!hob) {
2258             ret = s->lcyl;
2259         } else {
2260             ret = s->hob_lcyl;
2261         }
2262         break;
2263     case ATA_IOPORT_RR_CYLINDER_HIGH:
2264         if (!bus->ifs[0].blk && !bus->ifs[1].blk) {
2265             ret = 0;
2266         } else if (!hob) {
2267             ret = s->hcyl;
2268         } else {
2269             ret = s->hob_hcyl;
2270         }
2271         break;
2272     case ATA_IOPORT_RR_DEVICE_HEAD:
2273         if (!bus->ifs[0].blk && !bus->ifs[1].blk) {
2274             ret = 0;
2275         } else {
2276             ret = s->select;
2277         }
2278         break;
2279     default:
2280     case ATA_IOPORT_RR_STATUS:
2281         if ((!bus->ifs[0].blk && !bus->ifs[1].blk) ||
2282             (s != bus->ifs && !s->blk)) {
2283             ret = 0;
2284         } else {
2285             ret = s->status;
2286         }
2287         qemu_irq_lower(bus->irq);
2288         break;
2289     }
2290 
2291     trace_ide_ioport_read(addr, ATA_IOPORT_RR_lookup[reg_num], ret, bus, s);
2292     return ret;
2293 }
2294 
2295 uint32_t ide_status_read(void *opaque, uint32_t addr)
2296 {
2297     IDEBus *bus = opaque;
2298     IDEState *s = ide_bus_active_if(bus);
2299     int ret;
2300 
2301     if ((!bus->ifs[0].blk && !bus->ifs[1].blk) ||
2302         (s != bus->ifs && !s->blk)) {
2303         ret = 0;
2304     } else {
2305         ret = s->status;
2306     }
2307 
2308     trace_ide_status_read(addr, ret, bus, s);
2309     return ret;
2310 }
2311 
2312 static void ide_perform_srst(IDEState *s)
2313 {
2314     s->status |= BUSY_STAT;
2315 
2316     /* Halt PIO (Via register state); PIO BH remains scheduled. */
2317     ide_transfer_halt(s);
2318 
2319     /* Cancel DMA -- may drain block device and invoke callbacks */
2320     ide_cancel_dma_sync(s);
2321 
2322     /* Cancel PIO callback, reset registers/signature, etc */
2323     ide_reset(s);
2324 
2325     /* perform diagnostic */
2326     cmd_exec_dev_diagnostic(s, WIN_DIAGNOSE);
2327 }
2328 
2329 static void ide_bus_perform_srst(void *opaque)
2330 {
2331     IDEBus *bus = opaque;
2332     IDEState *s;
2333     int i;
2334 
2335     for (i = 0; i < 2; i++) {
2336         s = &bus->ifs[i];
2337         ide_perform_srst(s);
2338     }
2339 
2340     bus->cmd &= ~IDE_CTRL_RESET;
2341 }
2342 
2343 void ide_ctrl_write(void *opaque, uint32_t addr, uint32_t val)
2344 {
2345     IDEBus *bus = opaque;
2346     IDEState *s;
2347     int i;
2348 
2349     trace_ide_ctrl_write(addr, val, bus);
2350 
2351     /* Device0 and Device1 each have their own control register,
2352      * but QEMU models it as just one register in the controller. */
2353     if (!(bus->cmd & IDE_CTRL_RESET) && (val & IDE_CTRL_RESET)) {
2354         for (i = 0; i < 2; i++) {
2355             s = &bus->ifs[i];
2356             s->status |= BUSY_STAT;
2357         }
2358         replay_bh_schedule_oneshot_event(qemu_get_aio_context(),
2359                                          ide_bus_perform_srst, bus);
2360     }
2361 
2362     bus->cmd = val;
2363 }
2364 
2365 /*
2366  * Returns true if the running PIO transfer is a PIO out (i.e. data is
2367  * transferred from the device to the guest), false if it's a PIO in
2368  */
2369 static bool ide_is_pio_out(IDEState *s)
2370 {
2371     if (s->end_transfer_func == ide_sector_write ||
2372         s->end_transfer_func == ide_atapi_cmd) {
2373         return false;
2374     } else if (s->end_transfer_func == ide_sector_read ||
2375                s->end_transfer_func == ide_transfer_stop ||
2376                s->end_transfer_func == ide_atapi_cmd_reply_end ||
2377                s->end_transfer_func == ide_dummy_transfer_stop) {
2378         return true;
2379     }
2380 
2381     abort();
2382 }
2383 
2384 void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
2385 {
2386     IDEBus *bus = opaque;
2387     IDEState *s = ide_bus_active_if(bus);
2388     uint8_t *p;
2389 
2390     trace_ide_data_writew(addr, val, bus, s);
2391 
2392     /* PIO data access allowed only when DRQ bit is set. The result of a write
2393      * during PIO out is indeterminate, just ignore it. */
2394     if (!(s->status & DRQ_STAT) || ide_is_pio_out(s)) {
2395         return;
2396     }
2397 
2398     p = s->data_ptr;
2399     if (s->io8) {
2400         if (p + 1 > s->data_end) {
2401             return;
2402         }
2403 
2404         *p++ = val;
2405     } else {
2406         if (p + 2 > s->data_end) {
2407             return;
2408         }
2409 
2410         *(uint16_t *)p = le16_to_cpu(val);
2411         p += 2;
2412     }
2413     s->data_ptr = p;
2414     if (p >= s->data_end) {
2415         s->status &= ~DRQ_STAT;
2416         s->end_transfer_func(s);
2417     }
2418 }
2419 
2420 uint32_t ide_data_readw(void *opaque, uint32_t addr)
2421 {
2422     IDEBus *bus = opaque;
2423     IDEState *s = ide_bus_active_if(bus);
2424     uint8_t *p;
2425     int ret;
2426 
2427     /* PIO data access allowed only when DRQ bit is set. The result of a read
2428      * during PIO in is indeterminate, return 0 and don't move forward. */
2429     if (!(s->status & DRQ_STAT) || !ide_is_pio_out(s)) {
2430         return 0;
2431     }
2432 
2433     p = s->data_ptr;
2434     if (s->io8) {
2435         if (p + 1 > s->data_end) {
2436             return 0;
2437         }
2438 
2439         ret = *p++;
2440     } else {
2441         if (p + 2 > s->data_end) {
2442             return 0;
2443         }
2444 
2445         ret = cpu_to_le16(*(uint16_t *)p);
2446         p += 2;
2447     }
2448     s->data_ptr = p;
2449     if (p >= s->data_end) {
2450         s->status &= ~DRQ_STAT;
2451         s->end_transfer_func(s);
2452     }
2453 
2454     trace_ide_data_readw(addr, ret, bus, s);
2455     return ret;
2456 }
2457 
2458 void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
2459 {
2460     IDEBus *bus = opaque;
2461     IDEState *s = ide_bus_active_if(bus);
2462     uint8_t *p;
2463 
2464     trace_ide_data_writel(addr, val, bus, s);
2465 
2466     /* PIO data access allowed only when DRQ bit is set. The result of a write
2467      * during PIO out is indeterminate, just ignore it. */
2468     if (!(s->status & DRQ_STAT) || ide_is_pio_out(s)) {
2469         return;
2470     }
2471 
2472     p = s->data_ptr;
2473     if (p + 4 > s->data_end) {
2474         return;
2475     }
2476 
2477     *(uint32_t *)p = le32_to_cpu(val);
2478     p += 4;
2479     s->data_ptr = p;
2480     if (p >= s->data_end) {
2481         s->status &= ~DRQ_STAT;
2482         s->end_transfer_func(s);
2483     }
2484 }
2485 
2486 uint32_t ide_data_readl(void *opaque, uint32_t addr)
2487 {
2488     IDEBus *bus = opaque;
2489     IDEState *s = ide_bus_active_if(bus);
2490     uint8_t *p;
2491     int ret;
2492 
2493     /* PIO data access allowed only when DRQ bit is set. The result of a read
2494      * during PIO in is indeterminate, return 0 and don't move forward. */
2495     if (!(s->status & DRQ_STAT) || !ide_is_pio_out(s)) {
2496         ret = 0;
2497         goto out;
2498     }
2499 
2500     p = s->data_ptr;
2501     if (p + 4 > s->data_end) {
2502         return 0;
2503     }
2504 
2505     ret = cpu_to_le32(*(uint32_t *)p);
2506     p += 4;
2507     s->data_ptr = p;
2508     if (p >= s->data_end) {
2509         s->status &= ~DRQ_STAT;
2510         s->end_transfer_func(s);
2511     }
2512 
2513 out:
2514     trace_ide_data_readl(addr, ret, bus, s);
2515     return ret;
2516 }
2517 
2518 static void ide_dummy_transfer_stop(IDEState *s)
2519 {
2520     s->data_ptr = s->io_buffer;
2521     s->data_end = s->io_buffer;
2522     s->io_buffer[0] = 0xff;
2523     s->io_buffer[1] = 0xff;
2524     s->io_buffer[2] = 0xff;
2525     s->io_buffer[3] = 0xff;
2526 }
2527 
2528 void ide_bus_reset(IDEBus *bus)
2529 {
2530     /* pending async DMA - needs the IDEState before it is reset */
2531     if (bus->dma->aiocb) {
2532         trace_ide_bus_reset_aio();
2533         blk_aio_cancel(bus->dma->aiocb);
2534         bus->dma->aiocb = NULL;
2535     }
2536 
2537     bus->unit = 0;
2538     bus->cmd = 0;
2539     ide_reset(&bus->ifs[0]);
2540     ide_reset(&bus->ifs[1]);
2541     ide_clear_hob(bus);
2542 
2543     /* reset dma provider too */
2544     if (bus->dma->ops->reset) {
2545         bus->dma->ops->reset(bus->dma);
2546     }
2547 }
2548 
2549 static bool ide_cd_is_tray_open(void *opaque)
2550 {
2551     return ((IDEState *)opaque)->tray_open;
2552 }
2553 
2554 static bool ide_cd_is_medium_locked(void *opaque)
2555 {
2556     return ((IDEState *)opaque)->tray_locked;
2557 }
2558 
2559 static void ide_resize_cb(void *opaque)
2560 {
2561     IDEState *s = opaque;
2562     uint64_t nb_sectors;
2563 
2564     if (!s->identify_set) {
2565         return;
2566     }
2567 
2568     blk_get_geometry(s->blk, &nb_sectors);
2569     s->nb_sectors = nb_sectors;
2570 
2571     /* Update the identify data buffer. */
2572     if (s->drive_kind == IDE_CFATA) {
2573         ide_cfata_identify_size(s);
2574     } else {
2575         /* IDE_CD uses a different set of callbacks entirely. */
2576         assert(s->drive_kind != IDE_CD);
2577         ide_identify_size(s);
2578     }
2579 }
2580 
2581 static const BlockDevOps ide_cd_block_ops = {
2582     .change_media_cb = ide_cd_change_cb,
2583     .eject_request_cb = ide_cd_eject_request_cb,
2584     .is_tray_open = ide_cd_is_tray_open,
2585     .is_medium_locked = ide_cd_is_medium_locked,
2586 };
2587 
2588 static const BlockDevOps ide_hd_block_ops = {
2589     .resize_cb = ide_resize_cb,
2590 };
2591 
2592 int ide_init_drive(IDEState *s, BlockBackend *blk, IDEDriveKind kind,
2593                    const char *version, const char *serial, const char *model,
2594                    uint64_t wwn,
2595                    uint32_t cylinders, uint32_t heads, uint32_t secs,
2596                    int chs_trans, Error **errp)
2597 {
2598     uint64_t nb_sectors;
2599 
2600     s->blk = blk;
2601     s->drive_kind = kind;
2602 
2603     blk_get_geometry(blk, &nb_sectors);
2604     s->cylinders = cylinders;
2605     s->heads = s->drive_heads = heads;
2606     s->sectors = s->drive_sectors = secs;
2607     s->chs_trans = chs_trans;
2608     s->nb_sectors = nb_sectors;
2609     s->wwn = wwn;
2610     /* The SMART values should be preserved across power cycles
2611        but they aren't.  */
2612     s->smart_enabled = 1;
2613     s->smart_autosave = 1;
2614     s->smart_errors = 0;
2615     s->smart_selftest_count = 0;
2616     if (kind == IDE_CD) {
2617         blk_set_dev_ops(blk, &ide_cd_block_ops, s);
2618     } else {
2619         if (!blk_is_inserted(s->blk)) {
2620             error_setg(errp, "Device needs media, but drive is empty");
2621             return -1;
2622         }
2623         if (!blk_is_writable(blk)) {
2624             error_setg(errp, "Can't use a read-only drive");
2625             return -1;
2626         }
2627         blk_set_dev_ops(blk, &ide_hd_block_ops, s);
2628     }
2629     if (serial) {
2630         pstrcpy(s->drive_serial_str, sizeof(s->drive_serial_str), serial);
2631     } else {
2632         snprintf(s->drive_serial_str, sizeof(s->drive_serial_str),
2633                  "QM%05d", s->drive_serial);
2634     }
2635     if (model) {
2636         pstrcpy(s->drive_model_str, sizeof(s->drive_model_str), model);
2637     } else {
2638         switch (kind) {
2639         case IDE_CD:
2640             strcpy(s->drive_model_str, "QEMU DVD-ROM");
2641             break;
2642         case IDE_CFATA:
2643             strcpy(s->drive_model_str, "QEMU MICRODRIVE");
2644             break;
2645         default:
2646             strcpy(s->drive_model_str, "QEMU HARDDISK");
2647             break;
2648         }
2649     }
2650 
2651     if (version) {
2652         pstrcpy(s->version, sizeof(s->version), version);
2653     } else {
2654         pstrcpy(s->version, sizeof(s->version), qemu_hw_version());
2655     }
2656 
2657     ide_reset(s);
2658     blk_iostatus_enable(blk);
2659     return 0;
2660 }
2661 
2662 static void ide_init1(IDEBus *bus, int unit)
2663 {
2664     static int drive_serial = 1;
2665     IDEState *s = &bus->ifs[unit];
2666 
2667     s->bus = bus;
2668     s->unit = unit;
2669     s->drive_serial = drive_serial++;
2670     /* we need at least 2k alignment for accessing CDROMs using O_DIRECT */
2671     s->io_buffer_total_len = IDE_DMA_BUF_SECTORS*512 + 4;
2672     s->io_buffer = qemu_memalign(2048, s->io_buffer_total_len);
2673     memset(s->io_buffer, 0, s->io_buffer_total_len);
2674 
2675     s->smart_selftest_data = blk_blockalign(s->blk, 512);
2676     memset(s->smart_selftest_data, 0, 512);
2677 
2678     s->sector_write_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL,
2679                                            ide_sector_write_timer_cb, s);
2680 }
2681 
2682 static int ide_nop_int(const IDEDMA *dma, bool is_write)
2683 {
2684     return 0;
2685 }
2686 
2687 static void ide_nop(const IDEDMA *dma)
2688 {
2689 }
2690 
2691 static int32_t ide_nop_int32(const IDEDMA *dma, int32_t l)
2692 {
2693     return 0;
2694 }
2695 
2696 static const IDEDMAOps ide_dma_nop_ops = {
2697     .prepare_buf    = ide_nop_int32,
2698     .restart_dma    = ide_nop,
2699     .rw_buf         = ide_nop_int,
2700 };
2701 
2702 static void ide_restart_dma(IDEState *s, enum ide_dma_cmd dma_cmd)
2703 {
2704     s->unit = s->bus->retry_unit;
2705     ide_set_sector(s, s->bus->retry_sector_num);
2706     s->nsector = s->bus->retry_nsector;
2707     s->bus->dma->ops->restart_dma(s->bus->dma);
2708     s->io_buffer_size = 0;
2709     s->dma_cmd = dma_cmd;
2710     ide_start_dma(s, ide_dma_cb);
2711 }
2712 
2713 static void ide_restart_bh(void *opaque)
2714 {
2715     IDEBus *bus = opaque;
2716     IDEState *s;
2717     bool is_read;
2718     int error_status;
2719 
2720     qemu_bh_delete(bus->bh);
2721     bus->bh = NULL;
2722 
2723     error_status = bus->error_status;
2724     if (bus->error_status == 0) {
2725         return;
2726     }
2727 
2728     s = ide_bus_active_if(bus);
2729     is_read = (bus->error_status & IDE_RETRY_READ) != 0;
2730 
2731     /* The error status must be cleared before resubmitting the request: The
2732      * request may fail again, and this case can only be distinguished if the
2733      * called function can set a new error status. */
2734     bus->error_status = 0;
2735 
2736     /* The HBA has generically asked to be kicked on retry */
2737     if (error_status & IDE_RETRY_HBA) {
2738         if (s->bus->dma->ops->restart) {
2739             s->bus->dma->ops->restart(s->bus->dma);
2740         }
2741     } else if (IS_IDE_RETRY_DMA(error_status)) {
2742         if (error_status & IDE_RETRY_TRIM) {
2743             ide_restart_dma(s, IDE_DMA_TRIM);
2744         } else {
2745             ide_restart_dma(s, is_read ? IDE_DMA_READ : IDE_DMA_WRITE);
2746         }
2747     } else if (IS_IDE_RETRY_PIO(error_status)) {
2748         if (is_read) {
2749             ide_sector_read(s);
2750         } else {
2751             ide_sector_write(s);
2752         }
2753     } else if (error_status & IDE_RETRY_FLUSH) {
2754         ide_flush_cache(s);
2755     } else if (IS_IDE_RETRY_ATAPI(error_status)) {
2756         assert(s->end_transfer_func == ide_atapi_cmd);
2757         ide_atapi_dma_restart(s);
2758     } else {
2759         abort();
2760     }
2761 }
2762 
2763 static void ide_restart_cb(void *opaque, bool running, RunState state)
2764 {
2765     IDEBus *bus = opaque;
2766 
2767     if (!running)
2768         return;
2769 
2770     if (!bus->bh) {
2771         bus->bh = qemu_bh_new(ide_restart_bh, bus);
2772         qemu_bh_schedule(bus->bh);
2773     }
2774 }
2775 
2776 void ide_bus_register_restart_cb(IDEBus *bus)
2777 {
2778     if (bus->dma->ops->restart_dma) {
2779         bus->vmstate = qemu_add_vm_change_state_handler(ide_restart_cb, bus);
2780     }
2781 }
2782 
2783 static IDEDMA ide_dma_nop = {
2784     .ops = &ide_dma_nop_ops,
2785     .aiocb = NULL,
2786 };
2787 
2788 void ide_bus_init_output_irq(IDEBus *bus, qemu_irq irq_out)
2789 {
2790     int i;
2791 
2792     for(i = 0; i < 2; i++) {
2793         ide_init1(bus, i);
2794         ide_reset(&bus->ifs[i]);
2795     }
2796     bus->irq = irq_out;
2797     bus->dma = &ide_dma_nop;
2798 }
2799 
2800 void ide_bus_set_irq(IDEBus *bus)
2801 {
2802     if (!(bus->cmd & IDE_CTRL_DISABLE_IRQ)) {
2803         qemu_irq_raise(bus->irq);
2804     }
2805 }
2806 
2807 void ide_exit(IDEState *s)
2808 {
2809     timer_free(s->sector_write_timer);
2810     qemu_vfree(s->smart_selftest_data);
2811     qemu_vfree(s->io_buffer);
2812 }
2813 
2814 static bool is_identify_set(void *opaque, int version_id)
2815 {
2816     IDEState *s = opaque;
2817 
2818     return s->identify_set != 0;
2819 }
2820 
2821 static EndTransferFunc* transfer_end_table[] = {
2822         ide_sector_read,
2823         ide_sector_write,
2824         ide_transfer_stop,
2825         ide_atapi_cmd_reply_end,
2826         ide_atapi_cmd,
2827         ide_dummy_transfer_stop,
2828 };
2829 
2830 static int transfer_end_table_idx(EndTransferFunc *fn)
2831 {
2832     int i;
2833 
2834     for (i = 0; i < ARRAY_SIZE(transfer_end_table); i++)
2835         if (transfer_end_table[i] == fn)
2836             return i;
2837 
2838     return -1;
2839 }
2840 
2841 static int ide_drive_post_load(void *opaque, int version_id)
2842 {
2843     IDEState *s = opaque;
2844 
2845     if (s->blk && s->identify_set) {
2846         blk_set_enable_write_cache(s->blk, !!(s->identify_data[85] & (1 << 5)));
2847     }
2848     return 0;
2849 }
2850 
2851 static int ide_drive_pio_post_load(void *opaque, int version_id)
2852 {
2853     IDEState *s = opaque;
2854 
2855     if (s->end_transfer_fn_idx >= ARRAY_SIZE(transfer_end_table)) {
2856         return -EINVAL;
2857     }
2858     s->end_transfer_func = transfer_end_table[s->end_transfer_fn_idx];
2859     s->data_ptr = s->io_buffer + s->cur_io_buffer_offset;
2860     s->data_end = s->data_ptr + s->cur_io_buffer_len;
2861     s->atapi_dma = s->feature & 1; /* as per cmd_packet */
2862 
2863     return 0;
2864 }
2865 
2866 static int ide_drive_pio_pre_save(void *opaque)
2867 {
2868     IDEState *s = opaque;
2869     int idx;
2870 
2871     s->cur_io_buffer_offset = s->data_ptr - s->io_buffer;
2872     s->cur_io_buffer_len = s->data_end - s->data_ptr;
2873 
2874     idx = transfer_end_table_idx(s->end_transfer_func);
2875     if (idx == -1) {
2876         fprintf(stderr, "%s: invalid end_transfer_func for DRQ_STAT\n",
2877                         __func__);
2878         s->end_transfer_fn_idx = 2;
2879     } else {
2880         s->end_transfer_fn_idx = idx;
2881     }
2882 
2883     return 0;
2884 }
2885 
2886 static bool ide_drive_pio_state_needed(void *opaque)
2887 {
2888     IDEState *s = opaque;
2889 
2890     return ((s->status & DRQ_STAT) != 0)
2891         || (s->bus->error_status & IDE_RETRY_PIO);
2892 }
2893 
2894 static bool ide_tray_state_needed(void *opaque)
2895 {
2896     IDEState *s = opaque;
2897 
2898     return s->tray_open || s->tray_locked;
2899 }
2900 
2901 static bool ide_atapi_gesn_needed(void *opaque)
2902 {
2903     IDEState *s = opaque;
2904 
2905     return s->events.new_media || s->events.eject_request;
2906 }
2907 
2908 static bool ide_error_needed(void *opaque)
2909 {
2910     IDEBus *bus = opaque;
2911 
2912     return (bus->error_status != 0);
2913 }
2914 
2915 /* Fields for GET_EVENT_STATUS_NOTIFICATION ATAPI command */
2916 static const VMStateDescription vmstate_ide_atapi_gesn_state = {
2917     .name ="ide_drive/atapi/gesn_state",
2918     .version_id = 1,
2919     .minimum_version_id = 1,
2920     .needed = ide_atapi_gesn_needed,
2921     .fields = (const VMStateField[]) {
2922         VMSTATE_BOOL(events.new_media, IDEState),
2923         VMSTATE_BOOL(events.eject_request, IDEState),
2924         VMSTATE_END_OF_LIST()
2925     }
2926 };
2927 
2928 static const VMStateDescription vmstate_ide_tray_state = {
2929     .name = "ide_drive/tray_state",
2930     .version_id = 1,
2931     .minimum_version_id = 1,
2932     .needed = ide_tray_state_needed,
2933     .fields = (const VMStateField[]) {
2934         VMSTATE_BOOL(tray_open, IDEState),
2935         VMSTATE_BOOL(tray_locked, IDEState),
2936         VMSTATE_END_OF_LIST()
2937     }
2938 };
2939 
2940 static const VMStateDescription vmstate_ide_drive_pio_state = {
2941     .name = "ide_drive/pio_state",
2942     .version_id = 1,
2943     .minimum_version_id = 1,
2944     .pre_save = ide_drive_pio_pre_save,
2945     .post_load = ide_drive_pio_post_load,
2946     .needed = ide_drive_pio_state_needed,
2947     .fields = (const VMStateField[]) {
2948         VMSTATE_INT32(req_nb_sectors, IDEState),
2949         VMSTATE_VARRAY_INT32(io_buffer, IDEState, io_buffer_total_len, 1,
2950                              vmstate_info_uint8, uint8_t),
2951         VMSTATE_INT32(cur_io_buffer_offset, IDEState),
2952         VMSTATE_INT32(cur_io_buffer_len, IDEState),
2953         VMSTATE_UINT8(end_transfer_fn_idx, IDEState),
2954         VMSTATE_INT32(elementary_transfer_size, IDEState),
2955         VMSTATE_INT32(packet_transfer_size, IDEState),
2956         VMSTATE_END_OF_LIST()
2957     }
2958 };
2959 
2960 const VMStateDescription vmstate_ide_drive = {
2961     .name = "ide_drive",
2962     .version_id = 3,
2963     .minimum_version_id = 0,
2964     .post_load = ide_drive_post_load,
2965     .fields = (const VMStateField[]) {
2966         VMSTATE_INT32(mult_sectors, IDEState),
2967         VMSTATE_INT32(identify_set, IDEState),
2968         VMSTATE_BUFFER_TEST(identify_data, IDEState, is_identify_set),
2969         VMSTATE_UINT8(feature, IDEState),
2970         VMSTATE_UINT8(error, IDEState),
2971         VMSTATE_UINT32(nsector, IDEState),
2972         VMSTATE_UINT8(sector, IDEState),
2973         VMSTATE_UINT8(lcyl, IDEState),
2974         VMSTATE_UINT8(hcyl, IDEState),
2975         VMSTATE_UINT8(hob_feature, IDEState),
2976         VMSTATE_UINT8(hob_sector, IDEState),
2977         VMSTATE_UINT8(hob_nsector, IDEState),
2978         VMSTATE_UINT8(hob_lcyl, IDEState),
2979         VMSTATE_UINT8(hob_hcyl, IDEState),
2980         VMSTATE_UINT8(select, IDEState),
2981         VMSTATE_UINT8(status, IDEState),
2982         VMSTATE_UINT8(lba48, IDEState),
2983         VMSTATE_UINT8(sense_key, IDEState),
2984         VMSTATE_UINT8(asc, IDEState),
2985         VMSTATE_UINT8_V(cdrom_changed, IDEState, 3),
2986         VMSTATE_END_OF_LIST()
2987     },
2988     .subsections = (const VMStateDescription * const []) {
2989         &vmstate_ide_drive_pio_state,
2990         &vmstate_ide_tray_state,
2991         &vmstate_ide_atapi_gesn_state,
2992         NULL
2993     }
2994 };
2995 
2996 static const VMStateDescription vmstate_ide_error_status = {
2997     .name ="ide_bus/error",
2998     .version_id = 2,
2999     .minimum_version_id = 1,
3000     .needed = ide_error_needed,
3001     .fields = (const VMStateField[]) {
3002         VMSTATE_INT32(error_status, IDEBus),
3003         VMSTATE_INT64_V(retry_sector_num, IDEBus, 2),
3004         VMSTATE_UINT32_V(retry_nsector, IDEBus, 2),
3005         VMSTATE_UINT8_V(retry_unit, IDEBus, 2),
3006         VMSTATE_END_OF_LIST()
3007     }
3008 };
3009 
3010 const VMStateDescription vmstate_ide_bus = {
3011     .name = "ide_bus",
3012     .version_id = 1,
3013     .minimum_version_id = 1,
3014     .fields = (const VMStateField[]) {
3015         VMSTATE_UINT8(cmd, IDEBus),
3016         VMSTATE_UINT8(unit, IDEBus),
3017         VMSTATE_END_OF_LIST()
3018     },
3019     .subsections = (const VMStateDescription * const []) {
3020         &vmstate_ide_error_status,
3021         NULL
3022     }
3023 };
3024 
3025 void ide_drive_get(DriveInfo **hd, int n)
3026 {
3027     int i;
3028 
3029     for (i = 0; i < n; i++) {
3030         hd[i] = drive_get_by_index(IF_IDE, i);
3031     }
3032 }
3033