xref: /openbmc/qemu/hw/ide/core.c (revision ad66b5cb)
1 /*
2  * QEMU IDE disk and CD/DVD-ROM Emulator
3  *
4  * Copyright (c) 2003 Fabrice Bellard
5  * Copyright (c) 2006 Openedhand Ltd.
6  *
7  * Permission is hereby granted, free of charge, to any person obtaining a copy
8  * of this software and associated documentation files (the "Software"), to deal
9  * in the Software without restriction, including without limitation the rights
10  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11  * copies of the Software, and to permit persons to whom the Software is
12  * furnished to do so, subject to the following conditions:
13  *
14  * The above copyright notice and this permission notice shall be included in
15  * all copies or substantial portions of the Software.
16  *
17  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
20  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
23  * THE SOFTWARE.
24  */
25 
26 #include "qemu/osdep.h"
27 #include "hw/irq.h"
28 #include "hw/isa/isa.h"
29 #include "migration/vmstate.h"
30 #include "qemu/error-report.h"
31 #include "qemu/main-loop.h"
32 #include "qemu/timer.h"
33 #include "qemu/hw-version.h"
34 #include "qemu/memalign.h"
35 #include "sysemu/sysemu.h"
36 #include "sysemu/blockdev.h"
37 #include "sysemu/dma.h"
38 #include "hw/block/block.h"
39 #include "sysemu/block-backend.h"
40 #include "qapi/error.h"
41 #include "qemu/cutils.h"
42 #include "sysemu/replay.h"
43 #include "sysemu/runstate.h"
44 #include "hw/ide/internal.h"
45 #include "trace.h"
46 
47 /* These values were based on a Seagate ST3500418AS but have been modified
48    to make more sense in QEMU */
49 static const int smart_attributes[][12] = {
50     /* id,  flags, hflags, val, wrst, raw (6 bytes), threshold */
51     /* raw read error rate*/
52     { 0x01, 0x03, 0x00, 0x64, 0x64, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06},
53     /* spin up */
54     { 0x03, 0x03, 0x00, 0x64, 0x64, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
55     /* start stop count */
56     { 0x04, 0x02, 0x00, 0x64, 0x64, 0x64, 0x00, 0x00, 0x00, 0x00, 0x00, 0x14},
57     /* remapped sectors */
58     { 0x05, 0x03, 0x00, 0x64, 0x64, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x24},
59     /* power on hours */
60     { 0x09, 0x03, 0x00, 0x64, 0x64, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
61     /* power cycle count */
62     { 0x0c, 0x03, 0x00, 0x64, 0x64, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
63     /* airflow-temperature-celsius */
64     { 190,  0x03, 0x00, 0x45, 0x45, 0x1f, 0x00, 0x1f, 0x1f, 0x00, 0x00, 0x32},
65 };
66 
67 const char *IDE_DMA_CMD_lookup[IDE_DMA__COUNT] = {
68     [IDE_DMA_READ] = "DMA READ",
69     [IDE_DMA_WRITE] = "DMA WRITE",
70     [IDE_DMA_TRIM] = "DMA TRIM",
71     [IDE_DMA_ATAPI] = "DMA ATAPI"
72 };
73 
74 static const char *IDE_DMA_CMD_str(enum ide_dma_cmd enval)
75 {
76     if ((unsigned)enval < IDE_DMA__COUNT) {
77         return IDE_DMA_CMD_lookup[enval];
78     }
79     return "DMA UNKNOWN CMD";
80 }
81 
82 static void ide_dummy_transfer_stop(IDEState *s);
83 
84 static void padstr(char *str, const char *src, int len)
85 {
86     int i, v;
87     for(i = 0; i < len; i++) {
88         if (*src)
89             v = *src++;
90         else
91             v = ' ';
92         str[i^1] = v;
93     }
94 }
95 
96 static void put_le16(uint16_t *p, unsigned int v)
97 {
98     *p = cpu_to_le16(v);
99 }
100 
101 static void ide_identify_size(IDEState *s)
102 {
103     uint16_t *p = (uint16_t *)s->identify_data;
104     int64_t nb_sectors_lba28 = s->nb_sectors;
105     if (nb_sectors_lba28 >= 1 << 28) {
106         nb_sectors_lba28 = (1 << 28) - 1;
107     }
108     put_le16(p + 60, nb_sectors_lba28);
109     put_le16(p + 61, nb_sectors_lba28 >> 16);
110     put_le16(p + 100, s->nb_sectors);
111     put_le16(p + 101, s->nb_sectors >> 16);
112     put_le16(p + 102, s->nb_sectors >> 32);
113     put_le16(p + 103, s->nb_sectors >> 48);
114 }
115 
116 static void ide_identify(IDEState *s)
117 {
118     uint16_t *p;
119     unsigned int oldsize;
120     IDEDevice *dev = s->unit ? s->bus->slave : s->bus->master;
121 
122     p = (uint16_t *)s->identify_data;
123     if (s->identify_set) {
124         goto fill_buffer;
125     }
126     memset(p, 0, sizeof(s->identify_data));
127 
128     put_le16(p + 0, 0x0040);
129     put_le16(p + 1, s->cylinders);
130     put_le16(p + 3, s->heads);
131     put_le16(p + 4, 512 * s->sectors); /* XXX: retired, remove ? */
132     put_le16(p + 5, 512); /* XXX: retired, remove ? */
133     put_le16(p + 6, s->sectors);
134     padstr((char *)(p + 10), s->drive_serial_str, 20); /* serial number */
135     put_le16(p + 20, 3); /* XXX: retired, remove ? */
136     put_le16(p + 21, 512); /* cache size in sectors */
137     put_le16(p + 22, 4); /* ecc bytes */
138     padstr((char *)(p + 23), s->version, 8); /* firmware version */
139     padstr((char *)(p + 27), s->drive_model_str, 40); /* model */
140 #if MAX_MULT_SECTORS > 1
141     put_le16(p + 47, 0x8000 | MAX_MULT_SECTORS);
142 #endif
143     put_le16(p + 48, 1); /* dword I/O */
144     put_le16(p + 49, (1 << 11) | (1 << 9) | (1 << 8)); /* DMA and LBA supported */
145     put_le16(p + 51, 0x200); /* PIO transfer cycle */
146     put_le16(p + 52, 0x200); /* DMA transfer cycle */
147     put_le16(p + 53, 1 | (1 << 1) | (1 << 2)); /* words 54-58,64-70,88 are valid */
148     put_le16(p + 54, s->cylinders);
149     put_le16(p + 55, s->heads);
150     put_le16(p + 56, s->sectors);
151     oldsize = s->cylinders * s->heads * s->sectors;
152     put_le16(p + 57, oldsize);
153     put_le16(p + 58, oldsize >> 16);
154     if (s->mult_sectors)
155         put_le16(p + 59, 0x100 | s->mult_sectors);
156     /* *(p + 60) := nb_sectors       -- see ide_identify_size */
157     /* *(p + 61) := nb_sectors >> 16 -- see ide_identify_size */
158     put_le16(p + 62, 0x07); /* single word dma0-2 supported */
159     put_le16(p + 63, 0x07); /* mdma0-2 supported */
160     put_le16(p + 64, 0x03); /* pio3-4 supported */
161     put_le16(p + 65, 120);
162     put_le16(p + 66, 120);
163     put_le16(p + 67, 120);
164     put_le16(p + 68, 120);
165     if (dev && dev->conf.discard_granularity) {
166         put_le16(p + 69, (1 << 14)); /* determinate TRIM behavior */
167     }
168 
169     if (s->ncq_queues) {
170         put_le16(p + 75, s->ncq_queues - 1);
171         /* NCQ supported */
172         put_le16(p + 76, (1 << 8));
173     }
174 
175     put_le16(p + 80, 0xf0); /* ata3 -> ata6 supported */
176     put_le16(p + 81, 0x16); /* conforms to ata5 */
177     /* 14=NOP supported, 5=WCACHE supported, 0=SMART supported */
178     put_le16(p + 82, (1 << 14) | (1 << 5) | 1);
179     /* 13=flush_cache_ext,12=flush_cache,10=lba48 */
180     put_le16(p + 83, (1 << 14) | (1 << 13) | (1 <<12) | (1 << 10));
181     /* 14=set to 1, 8=has WWN, 1=SMART self test, 0=SMART error logging */
182     if (s->wwn) {
183         put_le16(p + 84, (1 << 14) | (1 << 8) | 0);
184     } else {
185         put_le16(p + 84, (1 << 14) | 0);
186     }
187     /* 14 = NOP supported, 5=WCACHE enabled, 0=SMART feature set enabled */
188     if (blk_enable_write_cache(s->blk)) {
189         put_le16(p + 85, (1 << 14) | (1 << 5) | 1);
190     } else {
191         put_le16(p + 85, (1 << 14) | 1);
192     }
193     /* 13=flush_cache_ext,12=flush_cache,10=lba48 */
194     put_le16(p + 86, (1 << 13) | (1 <<12) | (1 << 10));
195     /* 14=set to 1, 8=has WWN, 1=SMART self test, 0=SMART error logging */
196     if (s->wwn) {
197         put_le16(p + 87, (1 << 14) | (1 << 8) | 0);
198     } else {
199         put_le16(p + 87, (1 << 14) | 0);
200     }
201     put_le16(p + 88, 0x3f | (1 << 13)); /* udma5 set and supported */
202     put_le16(p + 93, 1 | (1 << 14) | 0x2000);
203     /* *(p + 100) := nb_sectors       -- see ide_identify_size */
204     /* *(p + 101) := nb_sectors >> 16 -- see ide_identify_size */
205     /* *(p + 102) := nb_sectors >> 32 -- see ide_identify_size */
206     /* *(p + 103) := nb_sectors >> 48 -- see ide_identify_size */
207 
208     if (dev && dev->conf.physical_block_size)
209         put_le16(p + 106, 0x6000 | get_physical_block_exp(&dev->conf));
210     if (s->wwn) {
211         /* LE 16-bit words 111-108 contain 64-bit World Wide Name */
212         put_le16(p + 108, s->wwn >> 48);
213         put_le16(p + 109, s->wwn >> 32);
214         put_le16(p + 110, s->wwn >> 16);
215         put_le16(p + 111, s->wwn);
216     }
217     if (dev && dev->conf.discard_granularity) {
218         put_le16(p + 169, 1); /* TRIM support */
219     }
220     if (dev) {
221         put_le16(p + 217, dev->rotation_rate); /* Nominal media rotation rate */
222     }
223 
224     ide_identify_size(s);
225     s->identify_set = 1;
226 
227 fill_buffer:
228     memcpy(s->io_buffer, p, sizeof(s->identify_data));
229 }
230 
231 static void ide_atapi_identify(IDEState *s)
232 {
233     uint16_t *p;
234 
235     p = (uint16_t *)s->identify_data;
236     if (s->identify_set) {
237         goto fill_buffer;
238     }
239     memset(p, 0, sizeof(s->identify_data));
240 
241     /* Removable CDROM, 50us response, 12 byte packets */
242     put_le16(p + 0, (2 << 14) | (5 << 8) | (1 << 7) | (2 << 5) | (0 << 0));
243     padstr((char *)(p + 10), s->drive_serial_str, 20); /* serial number */
244     put_le16(p + 20, 3); /* buffer type */
245     put_le16(p + 21, 512); /* cache size in sectors */
246     put_le16(p + 22, 4); /* ecc bytes */
247     padstr((char *)(p + 23), s->version, 8); /* firmware version */
248     padstr((char *)(p + 27), s->drive_model_str, 40); /* model */
249     put_le16(p + 48, 1); /* dword I/O (XXX: should not be set on CDROM) */
250 #ifdef USE_DMA_CDROM
251     put_le16(p + 49, 1 << 9 | 1 << 8); /* DMA and LBA supported */
252     put_le16(p + 53, 7); /* words 64-70, 54-58, 88 valid */
253     put_le16(p + 62, 7);  /* single word dma0-2 supported */
254     put_le16(p + 63, 7);  /* mdma0-2 supported */
255 #else
256     put_le16(p + 49, 1 << 9); /* LBA supported, no DMA */
257     put_le16(p + 53, 3); /* words 64-70, 54-58 valid */
258     put_le16(p + 63, 0x103); /* DMA modes XXX: may be incorrect */
259 #endif
260     put_le16(p + 64, 3); /* pio3-4 supported */
261     put_le16(p + 65, 0xb4); /* minimum DMA multiword tx cycle time */
262     put_le16(p + 66, 0xb4); /* recommended DMA multiword tx cycle time */
263     put_le16(p + 67, 0x12c); /* minimum PIO cycle time without flow control */
264     put_le16(p + 68, 0xb4); /* minimum PIO cycle time with IORDY flow control */
265 
266     put_le16(p + 71, 30); /* in ns */
267     put_le16(p + 72, 30); /* in ns */
268 
269     if (s->ncq_queues) {
270         put_le16(p + 75, s->ncq_queues - 1);
271         /* NCQ supported */
272         put_le16(p + 76, (1 << 8));
273     }
274 
275     put_le16(p + 80, 0x1e); /* support up to ATA/ATAPI-4 */
276     if (s->wwn) {
277         put_le16(p + 84, (1 << 8)); /* supports WWN for words 108-111 */
278         put_le16(p + 87, (1 << 8)); /* WWN enabled */
279     }
280 
281 #ifdef USE_DMA_CDROM
282     put_le16(p + 88, 0x3f | (1 << 13)); /* udma5 set and supported */
283 #endif
284 
285     if (s->wwn) {
286         /* LE 16-bit words 111-108 contain 64-bit World Wide Name */
287         put_le16(p + 108, s->wwn >> 48);
288         put_le16(p + 109, s->wwn >> 32);
289         put_le16(p + 110, s->wwn >> 16);
290         put_le16(p + 111, s->wwn);
291     }
292 
293     s->identify_set = 1;
294 
295 fill_buffer:
296     memcpy(s->io_buffer, p, sizeof(s->identify_data));
297 }
298 
299 static void ide_cfata_identify_size(IDEState *s)
300 {
301     uint16_t *p = (uint16_t *)s->identify_data;
302     put_le16(p + 7, s->nb_sectors >> 16);  /* Sectors per card */
303     put_le16(p + 8, s->nb_sectors);        /* Sectors per card */
304     put_le16(p + 60, s->nb_sectors);       /* Total LBA sectors */
305     put_le16(p + 61, s->nb_sectors >> 16); /* Total LBA sectors */
306 }
307 
308 static void ide_cfata_identify(IDEState *s)
309 {
310     uint16_t *p;
311     uint32_t cur_sec;
312 
313     p = (uint16_t *)s->identify_data;
314     if (s->identify_set) {
315         goto fill_buffer;
316     }
317     memset(p, 0, sizeof(s->identify_data));
318 
319     cur_sec = s->cylinders * s->heads * s->sectors;
320 
321     put_le16(p + 0, 0x848a);			/* CF Storage Card signature */
322     put_le16(p + 1, s->cylinders);		/* Default cylinders */
323     put_le16(p + 3, s->heads);			/* Default heads */
324     put_le16(p + 6, s->sectors);		/* Default sectors per track */
325     /* *(p + 7) := nb_sectors >> 16 -- see ide_cfata_identify_size */
326     /* *(p + 8) := nb_sectors       -- see ide_cfata_identify_size */
327     padstr((char *)(p + 10), s->drive_serial_str, 20); /* serial number */
328     put_le16(p + 22, 0x0004);			/* ECC bytes */
329     padstr((char *) (p + 23), s->version, 8);	/* Firmware Revision */
330     padstr((char *) (p + 27), s->drive_model_str, 40);/* Model number */
331 #if MAX_MULT_SECTORS > 1
332     put_le16(p + 47, 0x8000 | MAX_MULT_SECTORS);
333 #else
334     put_le16(p + 47, 0x0000);
335 #endif
336     put_le16(p + 49, 0x0f00);			/* Capabilities */
337     put_le16(p + 51, 0x0002);			/* PIO cycle timing mode */
338     put_le16(p + 52, 0x0001);			/* DMA cycle timing mode */
339     put_le16(p + 53, 0x0003);			/* Translation params valid */
340     put_le16(p + 54, s->cylinders);		/* Current cylinders */
341     put_le16(p + 55, s->heads);			/* Current heads */
342     put_le16(p + 56, s->sectors);		/* Current sectors */
343     put_le16(p + 57, cur_sec);			/* Current capacity */
344     put_le16(p + 58, cur_sec >> 16);		/* Current capacity */
345     if (s->mult_sectors)			/* Multiple sector setting */
346         put_le16(p + 59, 0x100 | s->mult_sectors);
347     /* *(p + 60) := nb_sectors       -- see ide_cfata_identify_size */
348     /* *(p + 61) := nb_sectors >> 16 -- see ide_cfata_identify_size */
349     put_le16(p + 63, 0x0203);			/* Multiword DMA capability */
350     put_le16(p + 64, 0x0001);			/* Flow Control PIO support */
351     put_le16(p + 65, 0x0096);			/* Min. Multiword DMA cycle */
352     put_le16(p + 66, 0x0096);			/* Rec. Multiword DMA cycle */
353     put_le16(p + 68, 0x00b4);			/* Min. PIO cycle time */
354     put_le16(p + 82, 0x400c);			/* Command Set supported */
355     put_le16(p + 83, 0x7068);			/* Command Set supported */
356     put_le16(p + 84, 0x4000);			/* Features supported */
357     put_le16(p + 85, 0x000c);			/* Command Set enabled */
358     put_le16(p + 86, 0x7044);			/* Command Set enabled */
359     put_le16(p + 87, 0x4000);			/* Features enabled */
360     put_le16(p + 91, 0x4060);			/* Current APM level */
361     put_le16(p + 129, 0x0002);			/* Current features option */
362     put_le16(p + 130, 0x0005);			/* Reassigned sectors */
363     put_le16(p + 131, 0x0001);			/* Initial power mode */
364     put_le16(p + 132, 0x0000);			/* User signature */
365     put_le16(p + 160, 0x8100);			/* Power requirement */
366     put_le16(p + 161, 0x8001);			/* CF command set */
367 
368     ide_cfata_identify_size(s);
369     s->identify_set = 1;
370 
371 fill_buffer:
372     memcpy(s->io_buffer, p, sizeof(s->identify_data));
373 }
374 
375 static void ide_set_signature(IDEState *s)
376 {
377     s->select &= ~(ATA_DEV_HS); /* clear head */
378     /* put signature */
379     s->nsector = 1;
380     s->sector = 1;
381     if (s->drive_kind == IDE_CD) {
382         s->lcyl = 0x14;
383         s->hcyl = 0xeb;
384     } else if (s->blk) {
385         s->lcyl = 0;
386         s->hcyl = 0;
387     } else {
388         s->lcyl = 0xff;
389         s->hcyl = 0xff;
390     }
391 }
392 
393 static bool ide_sect_range_ok(IDEState *s,
394                               uint64_t sector, uint64_t nb_sectors)
395 {
396     uint64_t total_sectors;
397 
398     blk_get_geometry(s->blk, &total_sectors);
399     if (sector > total_sectors || nb_sectors > total_sectors - sector) {
400         return false;
401     }
402     return true;
403 }
404 
405 typedef struct TrimAIOCB {
406     BlockAIOCB common;
407     IDEState *s;
408     QEMUBH *bh;
409     int ret;
410     QEMUIOVector *qiov;
411     BlockAIOCB *aiocb;
412     int i, j;
413 } TrimAIOCB;
414 
415 static void trim_aio_cancel(BlockAIOCB *acb)
416 {
417     TrimAIOCB *iocb = container_of(acb, TrimAIOCB, common);
418 
419     /* Exit the loop so ide_issue_trim_cb will not continue  */
420     iocb->j = iocb->qiov->niov - 1;
421     iocb->i = (iocb->qiov->iov[iocb->j].iov_len / 8) - 1;
422 
423     iocb->ret = -ECANCELED;
424 
425     if (iocb->aiocb) {
426         blk_aio_cancel_async(iocb->aiocb);
427         iocb->aiocb = NULL;
428     }
429 }
430 
431 static const AIOCBInfo trim_aiocb_info = {
432     .aiocb_size         = sizeof(TrimAIOCB),
433     .cancel_async       = trim_aio_cancel,
434 };
435 
436 static void ide_trim_bh_cb(void *opaque)
437 {
438     TrimAIOCB *iocb = opaque;
439     BlockBackend *blk = iocb->s->blk;
440 
441     iocb->common.cb(iocb->common.opaque, iocb->ret);
442 
443     qemu_bh_delete(iocb->bh);
444     iocb->bh = NULL;
445     qemu_aio_unref(iocb);
446 
447     /* Paired with an increment in ide_issue_trim() */
448     blk_dec_in_flight(blk);
449 }
450 
451 static void ide_issue_trim_cb(void *opaque, int ret)
452 {
453     TrimAIOCB *iocb = opaque;
454     IDEState *s = iocb->s;
455 
456     if (iocb->i >= 0) {
457         if (ret >= 0) {
458             block_acct_done(blk_get_stats(s->blk), &s->acct);
459         } else {
460             block_acct_failed(blk_get_stats(s->blk), &s->acct);
461         }
462     }
463 
464     if (ret >= 0) {
465         while (iocb->j < iocb->qiov->niov) {
466             int j = iocb->j;
467             while (++iocb->i < iocb->qiov->iov[j].iov_len / 8) {
468                 int i = iocb->i;
469                 uint64_t *buffer = iocb->qiov->iov[j].iov_base;
470 
471                 /* 6-byte LBA + 2-byte range per entry */
472                 uint64_t entry = le64_to_cpu(buffer[i]);
473                 uint64_t sector = entry & 0x0000ffffffffffffULL;
474                 uint16_t count = entry >> 48;
475 
476                 if (count == 0) {
477                     continue;
478                 }
479 
480                 if (!ide_sect_range_ok(s, sector, count)) {
481                     block_acct_invalid(blk_get_stats(s->blk), BLOCK_ACCT_UNMAP);
482                     iocb->ret = -EINVAL;
483                     goto done;
484                 }
485 
486                 block_acct_start(blk_get_stats(s->blk), &s->acct,
487                                  count << BDRV_SECTOR_BITS, BLOCK_ACCT_UNMAP);
488 
489                 /* Got an entry! Submit and exit.  */
490                 iocb->aiocb = blk_aio_pdiscard(s->blk,
491                                                sector << BDRV_SECTOR_BITS,
492                                                count << BDRV_SECTOR_BITS,
493                                                ide_issue_trim_cb, opaque);
494                 return;
495             }
496 
497             iocb->j++;
498             iocb->i = -1;
499         }
500     } else {
501         iocb->ret = ret;
502     }
503 
504 done:
505     iocb->aiocb = NULL;
506     if (iocb->bh) {
507         replay_bh_schedule_event(iocb->bh);
508     }
509 }
510 
511 BlockAIOCB *ide_issue_trim(
512         int64_t offset, QEMUIOVector *qiov,
513         BlockCompletionFunc *cb, void *cb_opaque, void *opaque)
514 {
515     IDEState *s = opaque;
516     TrimAIOCB *iocb;
517 
518     /* Paired with a decrement in ide_trim_bh_cb() */
519     blk_inc_in_flight(s->blk);
520 
521     iocb = blk_aio_get(&trim_aiocb_info, s->blk, cb, cb_opaque);
522     iocb->s = s;
523     iocb->bh = qemu_bh_new(ide_trim_bh_cb, iocb);
524     iocb->ret = 0;
525     iocb->qiov = qiov;
526     iocb->i = -1;
527     iocb->j = 0;
528     ide_issue_trim_cb(iocb, 0);
529     return &iocb->common;
530 }
531 
532 void ide_abort_command(IDEState *s)
533 {
534     ide_transfer_stop(s);
535     s->status = READY_STAT | ERR_STAT;
536     s->error = ABRT_ERR;
537 }
538 
539 static void ide_set_retry(IDEState *s)
540 {
541     s->bus->retry_unit = s->unit;
542     s->bus->retry_sector_num = ide_get_sector(s);
543     s->bus->retry_nsector = s->nsector;
544 }
545 
546 static void ide_clear_retry(IDEState *s)
547 {
548     s->bus->retry_unit = -1;
549     s->bus->retry_sector_num = 0;
550     s->bus->retry_nsector = 0;
551 }
552 
553 /* prepare data transfer and tell what to do after */
554 bool ide_transfer_start_norecurse(IDEState *s, uint8_t *buf, int size,
555                                   EndTransferFunc *end_transfer_func)
556 {
557     s->data_ptr = buf;
558     s->data_end = buf + size;
559     ide_set_retry(s);
560     if (!(s->status & ERR_STAT)) {
561         s->status |= DRQ_STAT;
562     }
563     if (!s->bus->dma->ops->pio_transfer) {
564         s->end_transfer_func = end_transfer_func;
565         return false;
566     }
567     s->bus->dma->ops->pio_transfer(s->bus->dma);
568     return true;
569 }
570 
571 void ide_transfer_start(IDEState *s, uint8_t *buf, int size,
572                         EndTransferFunc *end_transfer_func)
573 {
574     if (ide_transfer_start_norecurse(s, buf, size, end_transfer_func)) {
575         end_transfer_func(s);
576     }
577 }
578 
579 static void ide_cmd_done(IDEState *s)
580 {
581     if (s->bus->dma->ops->cmd_done) {
582         s->bus->dma->ops->cmd_done(s->bus->dma);
583     }
584 }
585 
586 static void ide_transfer_halt(IDEState *s)
587 {
588     s->end_transfer_func = ide_transfer_stop;
589     s->data_ptr = s->io_buffer;
590     s->data_end = s->io_buffer;
591     s->status &= ~DRQ_STAT;
592 }
593 
594 void ide_transfer_stop(IDEState *s)
595 {
596     ide_transfer_halt(s);
597     ide_cmd_done(s);
598 }
599 
600 int64_t ide_get_sector(IDEState *s)
601 {
602     int64_t sector_num;
603     if (s->select & (ATA_DEV_LBA)) {
604         if (s->lba48) {
605             sector_num = ((int64_t)s->hob_hcyl << 40) |
606                 ((int64_t) s->hob_lcyl << 32) |
607                 ((int64_t) s->hob_sector << 24) |
608                 ((int64_t) s->hcyl << 16) |
609                 ((int64_t) s->lcyl << 8) | s->sector;
610         } else {
611             /* LBA28 */
612             sector_num = ((s->select & (ATA_DEV_LBA_MSB)) << 24) |
613                 (s->hcyl << 16) | (s->lcyl << 8) | s->sector;
614         }
615     } else {
616         /* CHS */
617         sector_num = ((s->hcyl << 8) | s->lcyl) * s->heads * s->sectors +
618             (s->select & (ATA_DEV_HS)) * s->sectors + (s->sector - 1);
619     }
620 
621     return sector_num;
622 }
623 
624 void ide_set_sector(IDEState *s, int64_t sector_num)
625 {
626     unsigned int cyl, r;
627     if (s->select & (ATA_DEV_LBA)) {
628         if (s->lba48) {
629             s->sector = sector_num;
630             s->lcyl = sector_num >> 8;
631             s->hcyl = sector_num >> 16;
632             s->hob_sector = sector_num >> 24;
633             s->hob_lcyl = sector_num >> 32;
634             s->hob_hcyl = sector_num >> 40;
635         } else {
636             /* LBA28 */
637             s->select = (s->select & ~(ATA_DEV_LBA_MSB)) |
638                 ((sector_num >> 24) & (ATA_DEV_LBA_MSB));
639             s->hcyl = (sector_num >> 16);
640             s->lcyl = (sector_num >> 8);
641             s->sector = (sector_num);
642         }
643     } else {
644         /* CHS */
645         cyl = sector_num / (s->heads * s->sectors);
646         r = sector_num % (s->heads * s->sectors);
647         s->hcyl = cyl >> 8;
648         s->lcyl = cyl;
649         s->select = (s->select & ~(ATA_DEV_HS)) |
650             ((r / s->sectors) & (ATA_DEV_HS));
651         s->sector = (r % s->sectors) + 1;
652     }
653 }
654 
655 static void ide_rw_error(IDEState *s) {
656     ide_abort_command(s);
657     ide_bus_set_irq(s->bus);
658 }
659 
660 static void ide_buffered_readv_cb(void *opaque, int ret)
661 {
662     IDEBufferedRequest *req = opaque;
663     if (!req->orphaned) {
664         if (!ret) {
665             assert(req->qiov.size == req->original_qiov->size);
666             qemu_iovec_from_buf(req->original_qiov, 0,
667                                 req->qiov.local_iov.iov_base,
668                                 req->original_qiov->size);
669         }
670         req->original_cb(req->original_opaque, ret);
671     }
672     QLIST_REMOVE(req, list);
673     qemu_vfree(qemu_iovec_buf(&req->qiov));
674     g_free(req);
675 }
676 
677 #define MAX_BUFFERED_REQS 16
678 
679 BlockAIOCB *ide_buffered_readv(IDEState *s, int64_t sector_num,
680                                QEMUIOVector *iov, int nb_sectors,
681                                BlockCompletionFunc *cb, void *opaque)
682 {
683     BlockAIOCB *aioreq;
684     IDEBufferedRequest *req;
685     int c = 0;
686 
687     QLIST_FOREACH(req, &s->buffered_requests, list) {
688         c++;
689     }
690     if (c > MAX_BUFFERED_REQS) {
691         return blk_abort_aio_request(s->blk, cb, opaque, -EIO);
692     }
693 
694     req = g_new0(IDEBufferedRequest, 1);
695     req->original_qiov = iov;
696     req->original_cb = cb;
697     req->original_opaque = opaque;
698     qemu_iovec_init_buf(&req->qiov, blk_blockalign(s->blk, iov->size),
699                         iov->size);
700 
701     aioreq = blk_aio_preadv(s->blk, sector_num << BDRV_SECTOR_BITS,
702                             &req->qiov, 0, ide_buffered_readv_cb, req);
703 
704     QLIST_INSERT_HEAD(&s->buffered_requests, req, list);
705     return aioreq;
706 }
707 
708 /**
709  * Cancel all pending DMA requests.
710  * Any buffered DMA requests are instantly canceled,
711  * but any pending unbuffered DMA requests must be waited on.
712  */
713 void ide_cancel_dma_sync(IDEState *s)
714 {
715     IDEBufferedRequest *req;
716 
717     /* First invoke the callbacks of all buffered requests
718      * and flag those requests as orphaned. Ideally there
719      * are no unbuffered (Scatter Gather DMA Requests or
720      * write requests) pending and we can avoid to drain. */
721     QLIST_FOREACH(req, &s->buffered_requests, list) {
722         if (!req->orphaned) {
723             trace_ide_cancel_dma_sync_buffered(req->original_cb, req);
724             req->original_cb(req->original_opaque, -ECANCELED);
725         }
726         req->orphaned = true;
727     }
728 
729     /*
730      * We can't cancel Scatter Gather DMA in the middle of the
731      * operation or a partial (not full) DMA transfer would reach
732      * the storage so we wait for completion instead (we behave
733      * like if the DMA was completed by the time the guest trying
734      * to cancel dma with bmdma_cmd_writeb with BM_CMD_START not
735      * set).
736      *
737      * In the future we'll be able to safely cancel the I/O if the
738      * whole DMA operation will be submitted to disk with a single
739      * aio operation with preadv/pwritev.
740      */
741     if (s->bus->dma->aiocb) {
742         trace_ide_cancel_dma_sync_remaining();
743         blk_drain(s->blk);
744         assert(s->bus->dma->aiocb == NULL);
745     }
746 }
747 
748 static void ide_sector_read(IDEState *s);
749 
750 static void ide_sector_read_cb(void *opaque, int ret)
751 {
752     IDEState *s = opaque;
753     int n;
754 
755     s->pio_aiocb = NULL;
756     s->status &= ~BUSY_STAT;
757 
758     if (ret != 0) {
759         if (ide_handle_rw_error(s, -ret, IDE_RETRY_PIO |
760                                 IDE_RETRY_READ)) {
761             return;
762         }
763     }
764 
765     block_acct_done(blk_get_stats(s->blk), &s->acct);
766 
767     n = s->nsector;
768     if (n > s->req_nb_sectors) {
769         n = s->req_nb_sectors;
770     }
771 
772     ide_set_sector(s, ide_get_sector(s) + n);
773     s->nsector -= n;
774     /* Allow the guest to read the io_buffer */
775     ide_transfer_start(s, s->io_buffer, n * BDRV_SECTOR_SIZE, ide_sector_read);
776     ide_bus_set_irq(s->bus);
777 }
778 
779 static void ide_sector_read(IDEState *s)
780 {
781     int64_t sector_num;
782     int n;
783 
784     s->status = READY_STAT | SEEK_STAT;
785     s->error = 0; /* not needed by IDE spec, but needed by Windows */
786     sector_num = ide_get_sector(s);
787     n = s->nsector;
788 
789     if (n == 0) {
790         ide_transfer_stop(s);
791         return;
792     }
793 
794     s->status |= BUSY_STAT;
795 
796     if (n > s->req_nb_sectors) {
797         n = s->req_nb_sectors;
798     }
799 
800     trace_ide_sector_read(sector_num, n);
801 
802     if (!ide_sect_range_ok(s, sector_num, n)) {
803         ide_rw_error(s);
804         block_acct_invalid(blk_get_stats(s->blk), BLOCK_ACCT_READ);
805         return;
806     }
807 
808     qemu_iovec_init_buf(&s->qiov, s->io_buffer, n * BDRV_SECTOR_SIZE);
809 
810     block_acct_start(blk_get_stats(s->blk), &s->acct,
811                      n * BDRV_SECTOR_SIZE, BLOCK_ACCT_READ);
812     s->pio_aiocb = ide_buffered_readv(s, sector_num, &s->qiov, n,
813                                       ide_sector_read_cb, s);
814 }
815 
816 void dma_buf_commit(IDEState *s, uint32_t tx_bytes)
817 {
818     if (s->bus->dma->ops->commit_buf) {
819         s->bus->dma->ops->commit_buf(s->bus->dma, tx_bytes);
820     }
821     s->io_buffer_offset += tx_bytes;
822     qemu_sglist_destroy(&s->sg);
823 }
824 
825 void ide_set_inactive(IDEState *s, bool more)
826 {
827     s->bus->dma->aiocb = NULL;
828     ide_clear_retry(s);
829     if (s->bus->dma->ops->set_inactive) {
830         s->bus->dma->ops->set_inactive(s->bus->dma, more);
831     }
832     ide_cmd_done(s);
833 }
834 
835 void ide_dma_error(IDEState *s)
836 {
837     dma_buf_commit(s, 0);
838     ide_abort_command(s);
839     ide_set_inactive(s, false);
840     ide_bus_set_irq(s->bus);
841 }
842 
843 int ide_handle_rw_error(IDEState *s, int error, int op)
844 {
845     bool is_read = (op & IDE_RETRY_READ) != 0;
846     BlockErrorAction action = blk_get_error_action(s->blk, is_read, error);
847 
848     if (action == BLOCK_ERROR_ACTION_STOP) {
849         assert(s->bus->retry_unit == s->unit);
850         s->bus->error_status = op;
851     } else if (action == BLOCK_ERROR_ACTION_REPORT) {
852         block_acct_failed(blk_get_stats(s->blk), &s->acct);
853         if (IS_IDE_RETRY_DMA(op)) {
854             ide_dma_error(s);
855         } else if (IS_IDE_RETRY_ATAPI(op)) {
856             ide_atapi_io_error(s, -error);
857         } else {
858             ide_rw_error(s);
859         }
860     }
861     blk_error_action(s->blk, action, is_read, error);
862     return action != BLOCK_ERROR_ACTION_IGNORE;
863 }
864 
865 static void ide_dma_cb(void *opaque, int ret)
866 {
867     IDEState *s = opaque;
868     int n;
869     int64_t sector_num;
870     uint64_t offset;
871     bool stay_active = false;
872     int32_t prep_size = 0;
873 
874     if (ret == -EINVAL) {
875         ide_dma_error(s);
876         return;
877     }
878 
879     if (ret < 0) {
880         if (ide_handle_rw_error(s, -ret, ide_dma_cmd_to_retry(s->dma_cmd))) {
881             s->bus->dma->aiocb = NULL;
882             dma_buf_commit(s, 0);
883             return;
884         }
885     }
886 
887     if (s->io_buffer_size > s->nsector * 512) {
888         /*
889          * The PRDs were longer than needed for this request.
890          * The Active bit must remain set after the request completes.
891          */
892         n = s->nsector;
893         stay_active = true;
894     } else {
895         n = s->io_buffer_size >> 9;
896     }
897 
898     sector_num = ide_get_sector(s);
899     if (n > 0) {
900         assert(n * 512 == s->sg.size);
901         dma_buf_commit(s, s->sg.size);
902         sector_num += n;
903         ide_set_sector(s, sector_num);
904         s->nsector -= n;
905     }
906 
907     /* end of transfer ? */
908     if (s->nsector == 0) {
909         s->status = READY_STAT | SEEK_STAT;
910         ide_bus_set_irq(s->bus);
911         goto eot;
912     }
913 
914     /* launch next transfer */
915     n = s->nsector;
916     s->io_buffer_index = 0;
917     s->io_buffer_size = n * 512;
918     prep_size = s->bus->dma->ops->prepare_buf(s->bus->dma, s->io_buffer_size);
919     /* prepare_buf() must succeed and respect the limit */
920     assert(prep_size >= 0 && prep_size <= n * 512);
921 
922     /*
923      * Now prep_size stores the number of bytes in the sglist, and
924      * s->io_buffer_size stores the number of bytes described by the PRDs.
925      */
926 
927     if (prep_size < n * 512) {
928         /*
929          * The PRDs are too short for this request. Error condition!
930          * Reset the Active bit and don't raise the interrupt.
931          */
932         s->status = READY_STAT | SEEK_STAT;
933         dma_buf_commit(s, 0);
934         goto eot;
935     }
936 
937     trace_ide_dma_cb(s, sector_num, n, IDE_DMA_CMD_str(s->dma_cmd));
938 
939     if ((s->dma_cmd == IDE_DMA_READ || s->dma_cmd == IDE_DMA_WRITE) &&
940         !ide_sect_range_ok(s, sector_num, n)) {
941         ide_dma_error(s);
942         block_acct_invalid(blk_get_stats(s->blk), s->acct.type);
943         return;
944     }
945 
946     offset = sector_num << BDRV_SECTOR_BITS;
947     switch (s->dma_cmd) {
948     case IDE_DMA_READ:
949         s->bus->dma->aiocb = dma_blk_read(s->blk, &s->sg, offset,
950                                           BDRV_SECTOR_SIZE, ide_dma_cb, s);
951         break;
952     case IDE_DMA_WRITE:
953         s->bus->dma->aiocb = dma_blk_write(s->blk, &s->sg, offset,
954                                            BDRV_SECTOR_SIZE, ide_dma_cb, s);
955         break;
956     case IDE_DMA_TRIM:
957         s->bus->dma->aiocb = dma_blk_io(blk_get_aio_context(s->blk),
958                                         &s->sg, offset, BDRV_SECTOR_SIZE,
959                                         ide_issue_trim, s, ide_dma_cb, s,
960                                         DMA_DIRECTION_TO_DEVICE);
961         break;
962     default:
963         abort();
964     }
965     return;
966 
967 eot:
968     if (s->dma_cmd == IDE_DMA_READ || s->dma_cmd == IDE_DMA_WRITE) {
969         block_acct_done(blk_get_stats(s->blk), &s->acct);
970     }
971     ide_set_inactive(s, stay_active);
972 }
973 
974 static void ide_sector_start_dma(IDEState *s, enum ide_dma_cmd dma_cmd)
975 {
976     s->status = READY_STAT | SEEK_STAT | DRQ_STAT;
977     s->io_buffer_size = 0;
978     s->dma_cmd = dma_cmd;
979 
980     switch (dma_cmd) {
981     case IDE_DMA_READ:
982         block_acct_start(blk_get_stats(s->blk), &s->acct,
983                          s->nsector * BDRV_SECTOR_SIZE, BLOCK_ACCT_READ);
984         break;
985     case IDE_DMA_WRITE:
986         block_acct_start(blk_get_stats(s->blk), &s->acct,
987                          s->nsector * BDRV_SECTOR_SIZE, BLOCK_ACCT_WRITE);
988         break;
989     default:
990         break;
991     }
992 
993     ide_start_dma(s, ide_dma_cb);
994 }
995 
996 void ide_start_dma(IDEState *s, BlockCompletionFunc *cb)
997 {
998     s->io_buffer_index = 0;
999     ide_set_retry(s);
1000     if (s->bus->dma->ops->start_dma) {
1001         s->bus->dma->ops->start_dma(s->bus->dma, s, cb);
1002     }
1003 }
1004 
1005 static void ide_sector_write(IDEState *s);
1006 
1007 static void ide_sector_write_timer_cb(void *opaque)
1008 {
1009     IDEState *s = opaque;
1010     ide_bus_set_irq(s->bus);
1011 }
1012 
1013 static void ide_sector_write_cb(void *opaque, int ret)
1014 {
1015     IDEState *s = opaque;
1016     int n;
1017 
1018     s->pio_aiocb = NULL;
1019     s->status &= ~BUSY_STAT;
1020 
1021     if (ret != 0) {
1022         if (ide_handle_rw_error(s, -ret, IDE_RETRY_PIO)) {
1023             return;
1024         }
1025     }
1026 
1027     block_acct_done(blk_get_stats(s->blk), &s->acct);
1028 
1029     n = s->nsector;
1030     if (n > s->req_nb_sectors) {
1031         n = s->req_nb_sectors;
1032     }
1033     s->nsector -= n;
1034 
1035     ide_set_sector(s, ide_get_sector(s) + n);
1036     if (s->nsector == 0) {
1037         /* no more sectors to write */
1038         ide_transfer_stop(s);
1039     } else {
1040         int n1 = s->nsector;
1041         if (n1 > s->req_nb_sectors) {
1042             n1 = s->req_nb_sectors;
1043         }
1044         ide_transfer_start(s, s->io_buffer, n1 * BDRV_SECTOR_SIZE,
1045                            ide_sector_write);
1046     }
1047 
1048     if (win2k_install_hack && ((++s->irq_count % 16) == 0)) {
1049         /* It seems there is a bug in the Windows 2000 installer HDD
1050            IDE driver which fills the disk with empty logs when the
1051            IDE write IRQ comes too early. This hack tries to correct
1052            that at the expense of slower write performances. Use this
1053            option _only_ to install Windows 2000. You must disable it
1054            for normal use. */
1055         timer_mod(s->sector_write_timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) +
1056                   (NANOSECONDS_PER_SECOND / 1000));
1057     } else {
1058         ide_bus_set_irq(s->bus);
1059     }
1060 }
1061 
1062 static void ide_sector_write(IDEState *s)
1063 {
1064     int64_t sector_num;
1065     int n;
1066 
1067     s->status = READY_STAT | SEEK_STAT | BUSY_STAT;
1068     sector_num = ide_get_sector(s);
1069 
1070     n = s->nsector;
1071     if (n > s->req_nb_sectors) {
1072         n = s->req_nb_sectors;
1073     }
1074 
1075     trace_ide_sector_write(sector_num, n);
1076 
1077     if (!ide_sect_range_ok(s, sector_num, n)) {
1078         ide_rw_error(s);
1079         block_acct_invalid(blk_get_stats(s->blk), BLOCK_ACCT_WRITE);
1080         return;
1081     }
1082 
1083     qemu_iovec_init_buf(&s->qiov, s->io_buffer, n * BDRV_SECTOR_SIZE);
1084 
1085     block_acct_start(blk_get_stats(s->blk), &s->acct,
1086                      n * BDRV_SECTOR_SIZE, BLOCK_ACCT_WRITE);
1087     s->pio_aiocb = blk_aio_pwritev(s->blk, sector_num << BDRV_SECTOR_BITS,
1088                                    &s->qiov, 0, ide_sector_write_cb, s);
1089 }
1090 
1091 static void ide_flush_cb(void *opaque, int ret)
1092 {
1093     IDEState *s = opaque;
1094 
1095     s->pio_aiocb = NULL;
1096 
1097     if (ret < 0) {
1098         /* XXX: What sector number to set here? */
1099         if (ide_handle_rw_error(s, -ret, IDE_RETRY_FLUSH)) {
1100             return;
1101         }
1102     }
1103 
1104     if (s->blk) {
1105         block_acct_done(blk_get_stats(s->blk), &s->acct);
1106     }
1107     s->status = READY_STAT | SEEK_STAT;
1108     ide_cmd_done(s);
1109     ide_bus_set_irq(s->bus);
1110 }
1111 
1112 static void ide_flush_cache(IDEState *s)
1113 {
1114     if (s->blk == NULL) {
1115         ide_flush_cb(s, 0);
1116         return;
1117     }
1118 
1119     s->status |= BUSY_STAT;
1120     ide_set_retry(s);
1121     block_acct_start(blk_get_stats(s->blk), &s->acct, 0, BLOCK_ACCT_FLUSH);
1122     s->pio_aiocb = blk_aio_flush(s->blk, ide_flush_cb, s);
1123 }
1124 
1125 static void ide_cfata_metadata_inquiry(IDEState *s)
1126 {
1127     uint16_t *p;
1128     uint32_t spd;
1129 
1130     p = (uint16_t *) s->io_buffer;
1131     memset(p, 0, 0x200);
1132     spd = ((s->mdata_size - 1) >> 9) + 1;
1133 
1134     put_le16(p + 0, 0x0001);			/* Data format revision */
1135     put_le16(p + 1, 0x0000);			/* Media property: silicon */
1136     put_le16(p + 2, s->media_changed);		/* Media status */
1137     put_le16(p + 3, s->mdata_size & 0xffff);	/* Capacity in bytes (low) */
1138     put_le16(p + 4, s->mdata_size >> 16);	/* Capacity in bytes (high) */
1139     put_le16(p + 5, spd & 0xffff);		/* Sectors per device (low) */
1140     put_le16(p + 6, spd >> 16);			/* Sectors per device (high) */
1141 }
1142 
1143 static void ide_cfata_metadata_read(IDEState *s)
1144 {
1145     uint16_t *p;
1146 
1147     if (((s->hcyl << 16) | s->lcyl) << 9 > s->mdata_size + 2) {
1148         s->status = ERR_STAT;
1149         s->error = ABRT_ERR;
1150         return;
1151     }
1152 
1153     p = (uint16_t *) s->io_buffer;
1154     memset(p, 0, 0x200);
1155 
1156     put_le16(p + 0, s->media_changed);		/* Media status */
1157     memcpy(p + 1, s->mdata_storage + (((s->hcyl << 16) | s->lcyl) << 9),
1158                     MIN(MIN(s->mdata_size - (((s->hcyl << 16) | s->lcyl) << 9),
1159                                     s->nsector << 9), 0x200 - 2));
1160 }
1161 
1162 static void ide_cfata_metadata_write(IDEState *s)
1163 {
1164     if (((s->hcyl << 16) | s->lcyl) << 9 > s->mdata_size + 2) {
1165         s->status = ERR_STAT;
1166         s->error = ABRT_ERR;
1167         return;
1168     }
1169 
1170     s->media_changed = 0;
1171 
1172     memcpy(s->mdata_storage + (((s->hcyl << 16) | s->lcyl) << 9),
1173                     s->io_buffer + 2,
1174                     MIN(MIN(s->mdata_size - (((s->hcyl << 16) | s->lcyl) << 9),
1175                                     s->nsector << 9), 0x200 - 2));
1176 }
1177 
1178 /* called when the inserted state of the media has changed */
1179 static void ide_cd_change_cb(void *opaque, bool load, Error **errp)
1180 {
1181     IDEState *s = opaque;
1182     uint64_t nb_sectors;
1183 
1184     s->tray_open = !load;
1185     blk_get_geometry(s->blk, &nb_sectors);
1186     s->nb_sectors = nb_sectors;
1187 
1188     /*
1189      * First indicate to the guest that a CD has been removed.  That's
1190      * done on the next command the guest sends us.
1191      *
1192      * Then we set UNIT_ATTENTION, by which the guest will
1193      * detect a new CD in the drive.  See ide_atapi_cmd() for details.
1194      */
1195     s->cdrom_changed = 1;
1196     s->events.new_media = true;
1197     s->events.eject_request = false;
1198     ide_bus_set_irq(s->bus);
1199 }
1200 
1201 static void ide_cd_eject_request_cb(void *opaque, bool force)
1202 {
1203     IDEState *s = opaque;
1204 
1205     s->events.eject_request = true;
1206     if (force) {
1207         s->tray_locked = false;
1208     }
1209     ide_bus_set_irq(s->bus);
1210 }
1211 
1212 static void ide_cmd_lba48_transform(IDEState *s, int lba48)
1213 {
1214     s->lba48 = lba48;
1215 
1216     /* handle the 'magic' 0 nsector count conversion here. to avoid
1217      * fiddling with the rest of the read logic, we just store the
1218      * full sector count in ->nsector and ignore ->hob_nsector from now
1219      */
1220     if (!s->lba48) {
1221         if (!s->nsector)
1222             s->nsector = 256;
1223     } else {
1224         if (!s->nsector && !s->hob_nsector)
1225             s->nsector = 65536;
1226         else {
1227             int lo = s->nsector;
1228             int hi = s->hob_nsector;
1229 
1230             s->nsector = (hi << 8) | lo;
1231         }
1232     }
1233 }
1234 
1235 static void ide_clear_hob(IDEBus *bus)
1236 {
1237     /* any write clears HOB high bit of device control register */
1238     bus->cmd &= ~(IDE_CTRL_HOB);
1239 }
1240 
1241 /* IOport [W]rite [R]egisters */
1242 enum ATA_IOPORT_WR {
1243     ATA_IOPORT_WR_DATA = 0,
1244     ATA_IOPORT_WR_FEATURES = 1,
1245     ATA_IOPORT_WR_SECTOR_COUNT = 2,
1246     ATA_IOPORT_WR_SECTOR_NUMBER = 3,
1247     ATA_IOPORT_WR_CYLINDER_LOW = 4,
1248     ATA_IOPORT_WR_CYLINDER_HIGH = 5,
1249     ATA_IOPORT_WR_DEVICE_HEAD = 6,
1250     ATA_IOPORT_WR_COMMAND = 7,
1251     ATA_IOPORT_WR_NUM_REGISTERS,
1252 };
1253 
1254 const char *ATA_IOPORT_WR_lookup[ATA_IOPORT_WR_NUM_REGISTERS] = {
1255     [ATA_IOPORT_WR_DATA] = "Data",
1256     [ATA_IOPORT_WR_FEATURES] = "Features",
1257     [ATA_IOPORT_WR_SECTOR_COUNT] = "Sector Count",
1258     [ATA_IOPORT_WR_SECTOR_NUMBER] = "Sector Number",
1259     [ATA_IOPORT_WR_CYLINDER_LOW] = "Cylinder Low",
1260     [ATA_IOPORT_WR_CYLINDER_HIGH] = "Cylinder High",
1261     [ATA_IOPORT_WR_DEVICE_HEAD] = "Device/Head",
1262     [ATA_IOPORT_WR_COMMAND] = "Command"
1263 };
1264 
1265 void ide_ioport_write(void *opaque, uint32_t addr, uint32_t val)
1266 {
1267     IDEBus *bus = opaque;
1268     IDEState *s = ide_bus_active_if(bus);
1269     int reg_num = addr & 7;
1270 
1271     trace_ide_ioport_write(addr, ATA_IOPORT_WR_lookup[reg_num], val, bus, s);
1272 
1273     /* ignore writes to command block while busy with previous command */
1274     if (reg_num != 7 && (s->status & (BUSY_STAT|DRQ_STAT))) {
1275         return;
1276     }
1277 
1278     /* NOTE: Device0 and Device1 both receive incoming register writes.
1279      * (They're on the same bus! They have to!) */
1280 
1281     switch (reg_num) {
1282     case 0:
1283         break;
1284     case ATA_IOPORT_WR_FEATURES:
1285         ide_clear_hob(bus);
1286         bus->ifs[0].hob_feature = bus->ifs[0].feature;
1287         bus->ifs[1].hob_feature = bus->ifs[1].feature;
1288         bus->ifs[0].feature = val;
1289         bus->ifs[1].feature = val;
1290         break;
1291     case ATA_IOPORT_WR_SECTOR_COUNT:
1292         ide_clear_hob(bus);
1293         bus->ifs[0].hob_nsector = bus->ifs[0].nsector;
1294         bus->ifs[1].hob_nsector = bus->ifs[1].nsector;
1295         bus->ifs[0].nsector = val;
1296         bus->ifs[1].nsector = val;
1297         break;
1298     case ATA_IOPORT_WR_SECTOR_NUMBER:
1299         ide_clear_hob(bus);
1300         bus->ifs[0].hob_sector = bus->ifs[0].sector;
1301         bus->ifs[1].hob_sector = bus->ifs[1].sector;
1302         bus->ifs[0].sector = val;
1303         bus->ifs[1].sector = val;
1304         break;
1305     case ATA_IOPORT_WR_CYLINDER_LOW:
1306         ide_clear_hob(bus);
1307         bus->ifs[0].hob_lcyl = bus->ifs[0].lcyl;
1308         bus->ifs[1].hob_lcyl = bus->ifs[1].lcyl;
1309         bus->ifs[0].lcyl = val;
1310         bus->ifs[1].lcyl = val;
1311         break;
1312     case ATA_IOPORT_WR_CYLINDER_HIGH:
1313         ide_clear_hob(bus);
1314         bus->ifs[0].hob_hcyl = bus->ifs[0].hcyl;
1315         bus->ifs[1].hob_hcyl = bus->ifs[1].hcyl;
1316         bus->ifs[0].hcyl = val;
1317         bus->ifs[1].hcyl = val;
1318         break;
1319     case ATA_IOPORT_WR_DEVICE_HEAD:
1320         ide_clear_hob(bus);
1321         bus->ifs[0].select = val | (ATA_DEV_ALWAYS_ON);
1322         bus->ifs[1].select = val | (ATA_DEV_ALWAYS_ON);
1323         /* select drive */
1324         bus->unit = (val & (ATA_DEV_SELECT)) ? 1 : 0;
1325         break;
1326     default:
1327     case ATA_IOPORT_WR_COMMAND:
1328         ide_clear_hob(bus);
1329         qemu_irq_lower(bus->irq);
1330         ide_bus_exec_cmd(bus, val);
1331         break;
1332     }
1333 }
1334 
1335 static void ide_reset(IDEState *s)
1336 {
1337     trace_ide_reset(s);
1338 
1339     if (s->pio_aiocb) {
1340         blk_aio_cancel(s->pio_aiocb);
1341         s->pio_aiocb = NULL;
1342     }
1343 
1344     if (s->reset_reverts) {
1345         s->reset_reverts = false;
1346         s->heads         = s->drive_heads;
1347         s->sectors       = s->drive_sectors;
1348     }
1349     if (s->drive_kind == IDE_CFATA)
1350         s->mult_sectors = 0;
1351     else
1352         s->mult_sectors = MAX_MULT_SECTORS;
1353     /* ide regs */
1354     s->feature = 0;
1355     s->error = 0;
1356     s->nsector = 0;
1357     s->sector = 0;
1358     s->lcyl = 0;
1359     s->hcyl = 0;
1360 
1361     /* lba48 */
1362     s->hob_feature = 0;
1363     s->hob_sector = 0;
1364     s->hob_nsector = 0;
1365     s->hob_lcyl = 0;
1366     s->hob_hcyl = 0;
1367 
1368     s->select = (ATA_DEV_ALWAYS_ON);
1369     s->status = READY_STAT | SEEK_STAT;
1370 
1371     s->lba48 = 0;
1372 
1373     /* ATAPI specific */
1374     s->sense_key = 0;
1375     s->asc = 0;
1376     s->cdrom_changed = 0;
1377     s->packet_transfer_size = 0;
1378     s->elementary_transfer_size = 0;
1379     s->io_buffer_index = 0;
1380     s->cd_sector_size = 0;
1381     s->atapi_dma = 0;
1382     s->tray_locked = 0;
1383     s->tray_open = 0;
1384     /* ATA DMA state */
1385     s->io_buffer_size = 0;
1386     s->req_nb_sectors = 0;
1387 
1388     ide_set_signature(s);
1389     /* init the transfer handler so that 0xffff is returned on data
1390        accesses */
1391     s->end_transfer_func = ide_dummy_transfer_stop;
1392     ide_dummy_transfer_stop(s);
1393     s->media_changed = 0;
1394 }
1395 
1396 static bool cmd_nop(IDEState *s, uint8_t cmd)
1397 {
1398     return true;
1399 }
1400 
1401 static bool cmd_device_reset(IDEState *s, uint8_t cmd)
1402 {
1403     /* Halt PIO (in the DRQ phase), then DMA */
1404     ide_transfer_halt(s);
1405     ide_cancel_dma_sync(s);
1406 
1407     /* Reset any PIO commands, reset signature, etc */
1408     ide_reset(s);
1409 
1410     /* RESET: ATA8-ACS3 7.10.4 "Normal Outputs";
1411      * ATA8-ACS3 Table 184 "Device Signatures for Normal Output" */
1412     s->status = 0x00;
1413 
1414     /* Do not overwrite status register */
1415     return false;
1416 }
1417 
1418 static bool cmd_data_set_management(IDEState *s, uint8_t cmd)
1419 {
1420     switch (s->feature) {
1421     case DSM_TRIM:
1422         if (s->blk) {
1423             ide_sector_start_dma(s, IDE_DMA_TRIM);
1424             return false;
1425         }
1426         break;
1427     }
1428 
1429     ide_abort_command(s);
1430     return true;
1431 }
1432 
1433 static bool cmd_identify(IDEState *s, uint8_t cmd)
1434 {
1435     if (s->blk && s->drive_kind != IDE_CD) {
1436         if (s->drive_kind != IDE_CFATA) {
1437             ide_identify(s);
1438         } else {
1439             ide_cfata_identify(s);
1440         }
1441         s->status = READY_STAT | SEEK_STAT;
1442         ide_transfer_start(s, s->io_buffer, 512, ide_transfer_stop);
1443         ide_bus_set_irq(s->bus);
1444         return false;
1445     } else {
1446         if (s->drive_kind == IDE_CD) {
1447             ide_set_signature(s);
1448         }
1449         ide_abort_command(s);
1450     }
1451 
1452     return true;
1453 }
1454 
1455 static bool cmd_verify(IDEState *s, uint8_t cmd)
1456 {
1457     bool lba48 = (cmd == WIN_VERIFY_EXT);
1458 
1459     /* do sector number check ? */
1460     ide_cmd_lba48_transform(s, lba48);
1461 
1462     return true;
1463 }
1464 
1465 static bool cmd_set_multiple_mode(IDEState *s, uint8_t cmd)
1466 {
1467     if (s->drive_kind == IDE_CFATA && s->nsector == 0) {
1468         /* Disable Read and Write Multiple */
1469         s->mult_sectors = 0;
1470     } else if ((s->nsector & 0xff) != 0 &&
1471         ((s->nsector & 0xff) > MAX_MULT_SECTORS ||
1472          (s->nsector & (s->nsector - 1)) != 0)) {
1473         ide_abort_command(s);
1474     } else {
1475         s->mult_sectors = s->nsector & 0xff;
1476     }
1477 
1478     return true;
1479 }
1480 
1481 static bool cmd_read_multiple(IDEState *s, uint8_t cmd)
1482 {
1483     bool lba48 = (cmd == WIN_MULTREAD_EXT);
1484 
1485     if (!s->blk || !s->mult_sectors) {
1486         ide_abort_command(s);
1487         return true;
1488     }
1489 
1490     ide_cmd_lba48_transform(s, lba48);
1491     s->req_nb_sectors = s->mult_sectors;
1492     ide_sector_read(s);
1493     return false;
1494 }
1495 
1496 static bool cmd_write_multiple(IDEState *s, uint8_t cmd)
1497 {
1498     bool lba48 = (cmd == WIN_MULTWRITE_EXT);
1499     int n;
1500 
1501     if (!s->blk || !s->mult_sectors) {
1502         ide_abort_command(s);
1503         return true;
1504     }
1505 
1506     ide_cmd_lba48_transform(s, lba48);
1507 
1508     s->req_nb_sectors = s->mult_sectors;
1509     n = MIN(s->nsector, s->req_nb_sectors);
1510 
1511     s->status = SEEK_STAT | READY_STAT;
1512     ide_transfer_start(s, s->io_buffer, 512 * n, ide_sector_write);
1513 
1514     s->media_changed = 1;
1515 
1516     return false;
1517 }
1518 
1519 static bool cmd_read_pio(IDEState *s, uint8_t cmd)
1520 {
1521     bool lba48 = (cmd == WIN_READ_EXT);
1522 
1523     if (s->drive_kind == IDE_CD) {
1524         ide_set_signature(s); /* odd, but ATA4 8.27.5.2 requires it */
1525         ide_abort_command(s);
1526         return true;
1527     }
1528 
1529     if (!s->blk) {
1530         ide_abort_command(s);
1531         return true;
1532     }
1533 
1534     ide_cmd_lba48_transform(s, lba48);
1535     s->req_nb_sectors = 1;
1536     ide_sector_read(s);
1537 
1538     return false;
1539 }
1540 
1541 static bool cmd_write_pio(IDEState *s, uint8_t cmd)
1542 {
1543     bool lba48 = (cmd == WIN_WRITE_EXT);
1544 
1545     if (!s->blk) {
1546         ide_abort_command(s);
1547         return true;
1548     }
1549 
1550     ide_cmd_lba48_transform(s, lba48);
1551 
1552     s->req_nb_sectors = 1;
1553     s->status = SEEK_STAT | READY_STAT;
1554     ide_transfer_start(s, s->io_buffer, 512, ide_sector_write);
1555 
1556     s->media_changed = 1;
1557 
1558     return false;
1559 }
1560 
1561 static bool cmd_read_dma(IDEState *s, uint8_t cmd)
1562 {
1563     bool lba48 = (cmd == WIN_READDMA_EXT);
1564 
1565     if (!s->blk) {
1566         ide_abort_command(s);
1567         return true;
1568     }
1569 
1570     ide_cmd_lba48_transform(s, lba48);
1571     ide_sector_start_dma(s, IDE_DMA_READ);
1572 
1573     return false;
1574 }
1575 
1576 static bool cmd_write_dma(IDEState *s, uint8_t cmd)
1577 {
1578     bool lba48 = (cmd == WIN_WRITEDMA_EXT);
1579 
1580     if (!s->blk) {
1581         ide_abort_command(s);
1582         return true;
1583     }
1584 
1585     ide_cmd_lba48_transform(s, lba48);
1586     ide_sector_start_dma(s, IDE_DMA_WRITE);
1587 
1588     s->media_changed = 1;
1589 
1590     return false;
1591 }
1592 
1593 static bool cmd_flush_cache(IDEState *s, uint8_t cmd)
1594 {
1595     ide_flush_cache(s);
1596     return false;
1597 }
1598 
1599 static bool cmd_seek(IDEState *s, uint8_t cmd)
1600 {
1601     /* XXX: Check that seek is within bounds */
1602     return true;
1603 }
1604 
1605 static bool cmd_read_native_max(IDEState *s, uint8_t cmd)
1606 {
1607     bool lba48 = (cmd == WIN_READ_NATIVE_MAX_EXT);
1608 
1609     /* Refuse if no sectors are addressable (e.g. medium not inserted) */
1610     if (s->nb_sectors == 0) {
1611         ide_abort_command(s);
1612         return true;
1613     }
1614 
1615     ide_cmd_lba48_transform(s, lba48);
1616     ide_set_sector(s, s->nb_sectors - 1);
1617 
1618     return true;
1619 }
1620 
1621 static bool cmd_check_power_mode(IDEState *s, uint8_t cmd)
1622 {
1623     s->nsector = 0xff; /* device active or idle */
1624     return true;
1625 }
1626 
1627 /* INITIALIZE DEVICE PARAMETERS */
1628 static bool cmd_specify(IDEState *s, uint8_t cmd)
1629 {
1630     if (s->blk && s->drive_kind != IDE_CD) {
1631         s->heads = (s->select & (ATA_DEV_HS)) + 1;
1632         s->sectors = s->nsector;
1633         ide_bus_set_irq(s->bus);
1634     } else {
1635         ide_abort_command(s);
1636     }
1637 
1638     return true;
1639 }
1640 
1641 static bool cmd_set_features(IDEState *s, uint8_t cmd)
1642 {
1643     uint16_t *identify_data;
1644 
1645     if (!s->blk) {
1646         ide_abort_command(s);
1647         return true;
1648     }
1649 
1650     /* XXX: valid for CDROM ? */
1651     switch (s->feature) {
1652     case 0x01: /* 8-bit I/O enable (CompactFlash) */
1653     case 0x81: /* 8-bit I/O disable (CompactFlash) */
1654         if (s->drive_kind != IDE_CFATA) {
1655             goto abort_cmd;
1656         }
1657         s->io8 = !(s->feature & 0x80);
1658         return true;
1659     case 0x02: /* write cache enable */
1660         blk_set_enable_write_cache(s->blk, true);
1661         identify_data = (uint16_t *)s->identify_data;
1662         put_le16(identify_data + 85, (1 << 14) | (1 << 5) | 1);
1663         return true;
1664     case 0x82: /* write cache disable */
1665         blk_set_enable_write_cache(s->blk, false);
1666         identify_data = (uint16_t *)s->identify_data;
1667         put_le16(identify_data + 85, (1 << 14) | 1);
1668         ide_flush_cache(s);
1669         return false;
1670     case 0xcc: /* reverting to power-on defaults enable */
1671         s->reset_reverts = true;
1672         return true;
1673     case 0x66: /* reverting to power-on defaults disable */
1674         s->reset_reverts = false;
1675         return true;
1676     case 0xaa: /* read look-ahead enable */
1677     case 0x55: /* read look-ahead disable */
1678     case 0x05: /* set advanced power management mode */
1679     case 0x85: /* disable advanced power management mode */
1680     case 0x69: /* NOP */
1681     case 0x67: /* NOP */
1682     case 0x96: /* NOP */
1683     case 0x9a: /* NOP */
1684     case 0x42: /* enable Automatic Acoustic Mode */
1685     case 0xc2: /* disable Automatic Acoustic Mode */
1686         return true;
1687     case 0x03: /* set transfer mode */
1688         {
1689             uint8_t val = s->nsector & 0x07;
1690             identify_data = (uint16_t *)s->identify_data;
1691 
1692             switch (s->nsector >> 3) {
1693             case 0x00: /* pio default */
1694             case 0x01: /* pio mode */
1695                 put_le16(identify_data + 62, 0x07);
1696                 put_le16(identify_data + 63, 0x07);
1697                 put_le16(identify_data + 88, 0x3f);
1698                 break;
1699             case 0x02: /* sigle word dma mode*/
1700                 put_le16(identify_data + 62, 0x07 | (1 << (val + 8)));
1701                 put_le16(identify_data + 63, 0x07);
1702                 put_le16(identify_data + 88, 0x3f);
1703                 break;
1704             case 0x04: /* mdma mode */
1705                 put_le16(identify_data + 62, 0x07);
1706                 put_le16(identify_data + 63, 0x07 | (1 << (val + 8)));
1707                 put_le16(identify_data + 88, 0x3f);
1708                 break;
1709             case 0x08: /* udma mode */
1710                 put_le16(identify_data + 62, 0x07);
1711                 put_le16(identify_data + 63, 0x07);
1712                 put_le16(identify_data + 88, 0x3f | (1 << (val + 8)));
1713                 break;
1714             default:
1715                 goto abort_cmd;
1716             }
1717             return true;
1718         }
1719     }
1720 
1721 abort_cmd:
1722     ide_abort_command(s);
1723     return true;
1724 }
1725 
1726 
1727 /*** ATAPI commands ***/
1728 
1729 static bool cmd_identify_packet(IDEState *s, uint8_t cmd)
1730 {
1731     ide_atapi_identify(s);
1732     s->status = READY_STAT | SEEK_STAT;
1733     ide_transfer_start(s, s->io_buffer, 512, ide_transfer_stop);
1734     ide_bus_set_irq(s->bus);
1735     return false;
1736 }
1737 
1738 /* EXECUTE DEVICE DIAGNOSTIC */
1739 static bool cmd_exec_dev_diagnostic(IDEState *s, uint8_t cmd)
1740 {
1741     /*
1742      * Clear the device register per the ATA (v6) specification,
1743      * because ide_set_signature does not clear LBA or drive bits.
1744      */
1745     s->select = (ATA_DEV_ALWAYS_ON);
1746     ide_set_signature(s);
1747 
1748     if (s->drive_kind == IDE_CD) {
1749         s->status = 0; /* ATAPI spec (v6) section 9.10 defines packet
1750                         * devices to return a clear status register
1751                         * with READY_STAT *not* set. */
1752         s->error = 0x01;
1753     } else {
1754         s->status = READY_STAT | SEEK_STAT;
1755         /* The bits of the error register are not as usual for this command!
1756          * They are part of the regular output (this is why ERR_STAT isn't set)
1757          * Device 0 passed, Device 1 passed or not present. */
1758         s->error = 0x01;
1759         ide_bus_set_irq(s->bus);
1760     }
1761 
1762     return false;
1763 }
1764 
1765 static bool cmd_packet(IDEState *s, uint8_t cmd)
1766 {
1767     /* overlapping commands not supported */
1768     if (s->feature & 0x02) {
1769         ide_abort_command(s);
1770         return true;
1771     }
1772 
1773     s->status = READY_STAT | SEEK_STAT;
1774     s->atapi_dma = s->feature & 1;
1775     if (s->atapi_dma) {
1776         s->dma_cmd = IDE_DMA_ATAPI;
1777     }
1778     s->nsector = 1;
1779     ide_transfer_start(s, s->io_buffer, ATAPI_PACKET_SIZE,
1780                        ide_atapi_cmd);
1781     return false;
1782 }
1783 
1784 
1785 /*** CF-ATA commands ***/
1786 
1787 static bool cmd_cfa_req_ext_error_code(IDEState *s, uint8_t cmd)
1788 {
1789     s->error = 0x09;    /* miscellaneous error */
1790     s->status = READY_STAT | SEEK_STAT;
1791     ide_bus_set_irq(s->bus);
1792 
1793     return false;
1794 }
1795 
1796 static bool cmd_cfa_erase_sectors(IDEState *s, uint8_t cmd)
1797 {
1798     /* WIN_SECURITY_FREEZE_LOCK has the same ID as CFA_WEAR_LEVEL and is
1799      * required for Windows 8 to work with AHCI */
1800 
1801     if (cmd == CFA_WEAR_LEVEL) {
1802         s->nsector = 0;
1803     }
1804 
1805     if (cmd == CFA_ERASE_SECTORS) {
1806         s->media_changed = 1;
1807     }
1808 
1809     return true;
1810 }
1811 
1812 static bool cmd_cfa_translate_sector(IDEState *s, uint8_t cmd)
1813 {
1814     s->status = READY_STAT | SEEK_STAT;
1815 
1816     memset(s->io_buffer, 0, 0x200);
1817     s->io_buffer[0x00] = s->hcyl;                   /* Cyl MSB */
1818     s->io_buffer[0x01] = s->lcyl;                   /* Cyl LSB */
1819     s->io_buffer[0x02] = s->select;                 /* Head */
1820     s->io_buffer[0x03] = s->sector;                 /* Sector */
1821     s->io_buffer[0x04] = ide_get_sector(s) >> 16;   /* LBA MSB */
1822     s->io_buffer[0x05] = ide_get_sector(s) >> 8;    /* LBA */
1823     s->io_buffer[0x06] = ide_get_sector(s) >> 0;    /* LBA LSB */
1824     s->io_buffer[0x13] = 0x00;                      /* Erase flag */
1825     s->io_buffer[0x18] = 0x00;                      /* Hot count */
1826     s->io_buffer[0x19] = 0x00;                      /* Hot count */
1827     s->io_buffer[0x1a] = 0x01;                      /* Hot count */
1828 
1829     ide_transfer_start(s, s->io_buffer, 0x200, ide_transfer_stop);
1830     ide_bus_set_irq(s->bus);
1831 
1832     return false;
1833 }
1834 
1835 static bool cmd_cfa_access_metadata_storage(IDEState *s, uint8_t cmd)
1836 {
1837     switch (s->feature) {
1838     case 0x02:  /* Inquiry Metadata Storage */
1839         ide_cfata_metadata_inquiry(s);
1840         break;
1841     case 0x03:  /* Read Metadata Storage */
1842         ide_cfata_metadata_read(s);
1843         break;
1844     case 0x04:  /* Write Metadata Storage */
1845         ide_cfata_metadata_write(s);
1846         break;
1847     default:
1848         ide_abort_command(s);
1849         return true;
1850     }
1851 
1852     ide_transfer_start(s, s->io_buffer, 0x200, ide_transfer_stop);
1853     s->status = 0x00; /* NOTE: READY is _not_ set */
1854     ide_bus_set_irq(s->bus);
1855 
1856     return false;
1857 }
1858 
1859 static bool cmd_ibm_sense_condition(IDEState *s, uint8_t cmd)
1860 {
1861     switch (s->feature) {
1862     case 0x01:  /* sense temperature in device */
1863         s->nsector = 0x50;      /* +20 C */
1864         break;
1865     default:
1866         ide_abort_command(s);
1867         return true;
1868     }
1869 
1870     return true;
1871 }
1872 
1873 
1874 /*** SMART commands ***/
1875 
1876 static bool cmd_smart(IDEState *s, uint8_t cmd)
1877 {
1878     int n;
1879 
1880     if (s->hcyl != 0xc2 || s->lcyl != 0x4f) {
1881         goto abort_cmd;
1882     }
1883 
1884     if (!s->smart_enabled && s->feature != SMART_ENABLE) {
1885         goto abort_cmd;
1886     }
1887 
1888     switch (s->feature) {
1889     case SMART_DISABLE:
1890         s->smart_enabled = 0;
1891         return true;
1892 
1893     case SMART_ENABLE:
1894         s->smart_enabled = 1;
1895         return true;
1896 
1897     case SMART_ATTR_AUTOSAVE:
1898         switch (s->sector) {
1899         case 0x00:
1900             s->smart_autosave = 0;
1901             break;
1902         case 0xf1:
1903             s->smart_autosave = 1;
1904             break;
1905         default:
1906             goto abort_cmd;
1907         }
1908         return true;
1909 
1910     case SMART_STATUS:
1911         if (!s->smart_errors) {
1912             s->hcyl = 0xc2;
1913             s->lcyl = 0x4f;
1914         } else {
1915             s->hcyl = 0x2c;
1916             s->lcyl = 0xf4;
1917         }
1918         return true;
1919 
1920     case SMART_READ_THRESH:
1921         memset(s->io_buffer, 0, 0x200);
1922         s->io_buffer[0] = 0x01; /* smart struct version */
1923 
1924         for (n = 0; n < ARRAY_SIZE(smart_attributes); n++) {
1925             s->io_buffer[2 + 0 + (n * 12)] = smart_attributes[n][0];
1926             s->io_buffer[2 + 1 + (n * 12)] = smart_attributes[n][11];
1927         }
1928 
1929         /* checksum */
1930         for (n = 0; n < 511; n++) {
1931             s->io_buffer[511] += s->io_buffer[n];
1932         }
1933         s->io_buffer[511] = 0x100 - s->io_buffer[511];
1934 
1935         s->status = READY_STAT | SEEK_STAT;
1936         ide_transfer_start(s, s->io_buffer, 0x200, ide_transfer_stop);
1937         ide_bus_set_irq(s->bus);
1938         return false;
1939 
1940     case SMART_READ_DATA:
1941         memset(s->io_buffer, 0, 0x200);
1942         s->io_buffer[0] = 0x01; /* smart struct version */
1943 
1944         for (n = 0; n < ARRAY_SIZE(smart_attributes); n++) {
1945             int i;
1946             for (i = 0; i < 11; i++) {
1947                 s->io_buffer[2 + i + (n * 12)] = smart_attributes[n][i];
1948             }
1949         }
1950 
1951         s->io_buffer[362] = 0x02 | (s->smart_autosave ? 0x80 : 0x00);
1952         if (s->smart_selftest_count == 0) {
1953             s->io_buffer[363] = 0;
1954         } else {
1955             s->io_buffer[363] =
1956                 s->smart_selftest_data[3 +
1957                            (s->smart_selftest_count - 1) *
1958                            24];
1959         }
1960         s->io_buffer[364] = 0x20;
1961         s->io_buffer[365] = 0x01;
1962         /* offline data collection capacity: execute + self-test*/
1963         s->io_buffer[367] = (1 << 4 | 1 << 3 | 1);
1964         s->io_buffer[368] = 0x03; /* smart capability (1) */
1965         s->io_buffer[369] = 0x00; /* smart capability (2) */
1966         s->io_buffer[370] = 0x01; /* error logging supported */
1967         s->io_buffer[372] = 0x02; /* minutes for poll short test */
1968         s->io_buffer[373] = 0x36; /* minutes for poll ext test */
1969         s->io_buffer[374] = 0x01; /* minutes for poll conveyance */
1970 
1971         for (n = 0; n < 511; n++) {
1972             s->io_buffer[511] += s->io_buffer[n];
1973         }
1974         s->io_buffer[511] = 0x100 - s->io_buffer[511];
1975 
1976         s->status = READY_STAT | SEEK_STAT;
1977         ide_transfer_start(s, s->io_buffer, 0x200, ide_transfer_stop);
1978         ide_bus_set_irq(s->bus);
1979         return false;
1980 
1981     case SMART_READ_LOG:
1982         switch (s->sector) {
1983         case 0x01: /* summary smart error log */
1984             memset(s->io_buffer, 0, 0x200);
1985             s->io_buffer[0] = 0x01;
1986             s->io_buffer[1] = 0x00; /* no error entries */
1987             s->io_buffer[452] = s->smart_errors & 0xff;
1988             s->io_buffer[453] = (s->smart_errors & 0xff00) >> 8;
1989 
1990             for (n = 0; n < 511; n++) {
1991                 s->io_buffer[511] += s->io_buffer[n];
1992             }
1993             s->io_buffer[511] = 0x100 - s->io_buffer[511];
1994             break;
1995         case 0x06: /* smart self test log */
1996             memset(s->io_buffer, 0, 0x200);
1997             s->io_buffer[0] = 0x01;
1998             if (s->smart_selftest_count == 0) {
1999                 s->io_buffer[508] = 0;
2000             } else {
2001                 s->io_buffer[508] = s->smart_selftest_count;
2002                 for (n = 2; n < 506; n++)  {
2003                     s->io_buffer[n] = s->smart_selftest_data[n];
2004                 }
2005             }
2006 
2007             for (n = 0; n < 511; n++) {
2008                 s->io_buffer[511] += s->io_buffer[n];
2009             }
2010             s->io_buffer[511] = 0x100 - s->io_buffer[511];
2011             break;
2012         default:
2013             goto abort_cmd;
2014         }
2015         s->status = READY_STAT | SEEK_STAT;
2016         ide_transfer_start(s, s->io_buffer, 0x200, ide_transfer_stop);
2017         ide_bus_set_irq(s->bus);
2018         return false;
2019 
2020     case SMART_EXECUTE_OFFLINE:
2021         switch (s->sector) {
2022         case 0: /* off-line routine */
2023         case 1: /* short self test */
2024         case 2: /* extended self test */
2025             s->smart_selftest_count++;
2026             if (s->smart_selftest_count > 21) {
2027                 s->smart_selftest_count = 1;
2028             }
2029             n = 2 + (s->smart_selftest_count - 1) * 24;
2030             s->smart_selftest_data[n] = s->sector;
2031             s->smart_selftest_data[n + 1] = 0x00; /* OK and finished */
2032             s->smart_selftest_data[n + 2] = 0x34; /* hour count lsb */
2033             s->smart_selftest_data[n + 3] = 0x12; /* hour count msb */
2034             break;
2035         default:
2036             goto abort_cmd;
2037         }
2038         return true;
2039     }
2040 
2041 abort_cmd:
2042     ide_abort_command(s);
2043     return true;
2044 }
2045 
2046 #define HD_OK (1u << IDE_HD)
2047 #define CD_OK (1u << IDE_CD)
2048 #define CFA_OK (1u << IDE_CFATA)
2049 #define HD_CFA_OK (HD_OK | CFA_OK)
2050 #define ALL_OK (HD_OK | CD_OK | CFA_OK)
2051 
2052 /* Set the Disk Seek Completed status bit during completion */
2053 #define SET_DSC (1u << 8)
2054 
2055 /* See ACS-2 T13/2015-D Table B.2 Command codes */
2056 static const struct {
2057     /* Returns true if the completion code should be run */
2058     bool (*handler)(IDEState *s, uint8_t cmd);
2059     int flags;
2060 } ide_cmd_table[0x100] = {
2061     /* NOP not implemented, mandatory for CD */
2062     [CFA_REQ_EXT_ERROR_CODE]      = { cmd_cfa_req_ext_error_code, CFA_OK },
2063     [WIN_DSM]                     = { cmd_data_set_management, HD_CFA_OK },
2064     [WIN_DEVICE_RESET]            = { cmd_device_reset, CD_OK },
2065     [WIN_RECAL]                   = { cmd_nop, HD_CFA_OK | SET_DSC},
2066     [WIN_READ]                    = { cmd_read_pio, ALL_OK },
2067     [WIN_READ_ONCE]               = { cmd_read_pio, HD_CFA_OK },
2068     [WIN_READ_EXT]                = { cmd_read_pio, HD_CFA_OK },
2069     [WIN_READDMA_EXT]             = { cmd_read_dma, HD_CFA_OK },
2070     [WIN_READ_NATIVE_MAX_EXT]     = { cmd_read_native_max, HD_CFA_OK | SET_DSC },
2071     [WIN_MULTREAD_EXT]            = { cmd_read_multiple, HD_CFA_OK },
2072     [WIN_WRITE]                   = { cmd_write_pio, HD_CFA_OK },
2073     [WIN_WRITE_ONCE]              = { cmd_write_pio, HD_CFA_OK },
2074     [WIN_WRITE_EXT]               = { cmd_write_pio, HD_CFA_OK },
2075     [WIN_WRITEDMA_EXT]            = { cmd_write_dma, HD_CFA_OK },
2076     [CFA_WRITE_SECT_WO_ERASE]     = { cmd_write_pio, CFA_OK },
2077     [WIN_MULTWRITE_EXT]           = { cmd_write_multiple, HD_CFA_OK },
2078     [WIN_WRITE_VERIFY]            = { cmd_write_pio, HD_CFA_OK },
2079     [WIN_VERIFY]                  = { cmd_verify, HD_CFA_OK | SET_DSC },
2080     [WIN_VERIFY_ONCE]             = { cmd_verify, HD_CFA_OK | SET_DSC },
2081     [WIN_VERIFY_EXT]              = { cmd_verify, HD_CFA_OK | SET_DSC },
2082     [WIN_SEEK]                    = { cmd_seek, HD_CFA_OK | SET_DSC },
2083     [CFA_TRANSLATE_SECTOR]        = { cmd_cfa_translate_sector, CFA_OK },
2084     [WIN_DIAGNOSE]                = { cmd_exec_dev_diagnostic, ALL_OK },
2085     [WIN_SPECIFY]                 = { cmd_specify, HD_CFA_OK | SET_DSC },
2086     [WIN_STANDBYNOW2]             = { cmd_nop, HD_CFA_OK },
2087     [WIN_IDLEIMMEDIATE2]          = { cmd_nop, HD_CFA_OK },
2088     [WIN_STANDBY2]                = { cmd_nop, HD_CFA_OK },
2089     [WIN_SETIDLE2]                = { cmd_nop, HD_CFA_OK },
2090     [WIN_CHECKPOWERMODE2]         = { cmd_check_power_mode, HD_CFA_OK | SET_DSC },
2091     [WIN_SLEEPNOW2]               = { cmd_nop, HD_CFA_OK },
2092     [WIN_PACKETCMD]               = { cmd_packet, CD_OK },
2093     [WIN_PIDENTIFY]               = { cmd_identify_packet, CD_OK },
2094     [WIN_SMART]                   = { cmd_smart, HD_CFA_OK | SET_DSC },
2095     [CFA_ACCESS_METADATA_STORAGE] = { cmd_cfa_access_metadata_storage, CFA_OK },
2096     [CFA_ERASE_SECTORS]           = { cmd_cfa_erase_sectors, CFA_OK | SET_DSC },
2097     [WIN_MULTREAD]                = { cmd_read_multiple, HD_CFA_OK },
2098     [WIN_MULTWRITE]               = { cmd_write_multiple, HD_CFA_OK },
2099     [WIN_SETMULT]                 = { cmd_set_multiple_mode, HD_CFA_OK | SET_DSC },
2100     [WIN_READDMA]                 = { cmd_read_dma, HD_CFA_OK },
2101     [WIN_READDMA_ONCE]            = { cmd_read_dma, HD_CFA_OK },
2102     [WIN_WRITEDMA]                = { cmd_write_dma, HD_CFA_OK },
2103     [WIN_WRITEDMA_ONCE]           = { cmd_write_dma, HD_CFA_OK },
2104     [CFA_WRITE_MULTI_WO_ERASE]    = { cmd_write_multiple, CFA_OK },
2105     [WIN_STANDBYNOW1]             = { cmd_nop, HD_CFA_OK },
2106     [WIN_IDLEIMMEDIATE]           = { cmd_nop, HD_CFA_OK },
2107     [WIN_STANDBY]                 = { cmd_nop, HD_CFA_OK },
2108     [WIN_SETIDLE1]                = { cmd_nop, HD_CFA_OK },
2109     [WIN_CHECKPOWERMODE1]         = { cmd_check_power_mode, HD_CFA_OK | SET_DSC },
2110     [WIN_SLEEPNOW1]               = { cmd_nop, HD_CFA_OK },
2111     [WIN_FLUSH_CACHE]             = { cmd_flush_cache, ALL_OK },
2112     [WIN_FLUSH_CACHE_EXT]         = { cmd_flush_cache, HD_CFA_OK },
2113     [WIN_IDENTIFY]                = { cmd_identify, ALL_OK },
2114     [WIN_SETFEATURES]             = { cmd_set_features, ALL_OK | SET_DSC },
2115     [IBM_SENSE_CONDITION]         = { cmd_ibm_sense_condition, CFA_OK | SET_DSC },
2116     [CFA_WEAR_LEVEL]              = { cmd_cfa_erase_sectors, HD_CFA_OK | SET_DSC },
2117     [WIN_READ_NATIVE_MAX]         = { cmd_read_native_max, HD_CFA_OK | SET_DSC },
2118 };
2119 
2120 static bool ide_cmd_permitted(IDEState *s, uint32_t cmd)
2121 {
2122     return cmd < ARRAY_SIZE(ide_cmd_table)
2123         && (ide_cmd_table[cmd].flags & (1u << s->drive_kind));
2124 }
2125 
2126 void ide_bus_exec_cmd(IDEBus *bus, uint32_t val)
2127 {
2128     IDEState *s;
2129     bool complete;
2130 
2131     s = ide_bus_active_if(bus);
2132     trace_ide_bus_exec_cmd(bus, s, val);
2133 
2134     /* ignore commands to non existent slave */
2135     if (s != bus->ifs && !s->blk) {
2136         return;
2137     }
2138 
2139     /* Only RESET is allowed while BSY and/or DRQ are set,
2140      * and only to ATAPI devices. */
2141     if (s->status & (BUSY_STAT|DRQ_STAT)) {
2142         if (val != WIN_DEVICE_RESET || s->drive_kind != IDE_CD) {
2143             return;
2144         }
2145     }
2146 
2147     if (!ide_cmd_permitted(s, val)) {
2148         ide_abort_command(s);
2149         ide_bus_set_irq(s->bus);
2150         return;
2151     }
2152 
2153     s->status = READY_STAT | BUSY_STAT;
2154     s->error = 0;
2155     s->io_buffer_offset = 0;
2156 
2157     complete = ide_cmd_table[val].handler(s, val);
2158     if (complete) {
2159         s->status &= ~BUSY_STAT;
2160         assert(!!s->error == !!(s->status & ERR_STAT));
2161 
2162         if ((ide_cmd_table[val].flags & SET_DSC) && !s->error) {
2163             s->status |= SEEK_STAT;
2164         }
2165 
2166         ide_cmd_done(s);
2167         ide_bus_set_irq(s->bus);
2168     }
2169 }
2170 
2171 /* IOport [R]ead [R]egisters */
2172 enum ATA_IOPORT_RR {
2173     ATA_IOPORT_RR_DATA = 0,
2174     ATA_IOPORT_RR_ERROR = 1,
2175     ATA_IOPORT_RR_SECTOR_COUNT = 2,
2176     ATA_IOPORT_RR_SECTOR_NUMBER = 3,
2177     ATA_IOPORT_RR_CYLINDER_LOW = 4,
2178     ATA_IOPORT_RR_CYLINDER_HIGH = 5,
2179     ATA_IOPORT_RR_DEVICE_HEAD = 6,
2180     ATA_IOPORT_RR_STATUS = 7,
2181     ATA_IOPORT_RR_NUM_REGISTERS,
2182 };
2183 
2184 const char *ATA_IOPORT_RR_lookup[ATA_IOPORT_RR_NUM_REGISTERS] = {
2185     [ATA_IOPORT_RR_DATA] = "Data",
2186     [ATA_IOPORT_RR_ERROR] = "Error",
2187     [ATA_IOPORT_RR_SECTOR_COUNT] = "Sector Count",
2188     [ATA_IOPORT_RR_SECTOR_NUMBER] = "Sector Number",
2189     [ATA_IOPORT_RR_CYLINDER_LOW] = "Cylinder Low",
2190     [ATA_IOPORT_RR_CYLINDER_HIGH] = "Cylinder High",
2191     [ATA_IOPORT_RR_DEVICE_HEAD] = "Device/Head",
2192     [ATA_IOPORT_RR_STATUS] = "Status"
2193 };
2194 
2195 uint32_t ide_ioport_read(void *opaque, uint32_t addr)
2196 {
2197     IDEBus *bus = opaque;
2198     IDEState *s = ide_bus_active_if(bus);
2199     uint32_t reg_num;
2200     int ret, hob;
2201 
2202     reg_num = addr & 7;
2203     hob = bus->cmd & (IDE_CTRL_HOB);
2204     switch (reg_num) {
2205     case ATA_IOPORT_RR_DATA:
2206         /*
2207          * The pre-GRUB Solaris x86 bootloader relies upon inb
2208          * consuming a word from the drive's sector buffer.
2209          */
2210         ret = ide_data_readw(bus, addr) & 0xff;
2211         break;
2212     case ATA_IOPORT_RR_ERROR:
2213         if ((!bus->ifs[0].blk && !bus->ifs[1].blk) ||
2214             (s != bus->ifs && !s->blk)) {
2215             ret = 0;
2216         } else if (!hob) {
2217             ret = s->error;
2218         } else {
2219             ret = s->hob_feature;
2220         }
2221         break;
2222     case ATA_IOPORT_RR_SECTOR_COUNT:
2223         if (!bus->ifs[0].blk && !bus->ifs[1].blk) {
2224             ret = 0;
2225         } else if (!hob) {
2226             ret = s->nsector & 0xff;
2227         } else {
2228             ret = s->hob_nsector;
2229         }
2230         break;
2231     case ATA_IOPORT_RR_SECTOR_NUMBER:
2232         if (!bus->ifs[0].blk && !bus->ifs[1].blk) {
2233             ret = 0;
2234         } else if (!hob) {
2235             ret = s->sector;
2236         } else {
2237             ret = s->hob_sector;
2238         }
2239         break;
2240     case ATA_IOPORT_RR_CYLINDER_LOW:
2241         if (!bus->ifs[0].blk && !bus->ifs[1].blk) {
2242             ret = 0;
2243         } else if (!hob) {
2244             ret = s->lcyl;
2245         } else {
2246             ret = s->hob_lcyl;
2247         }
2248         break;
2249     case ATA_IOPORT_RR_CYLINDER_HIGH:
2250         if (!bus->ifs[0].blk && !bus->ifs[1].blk) {
2251             ret = 0;
2252         } else if (!hob) {
2253             ret = s->hcyl;
2254         } else {
2255             ret = s->hob_hcyl;
2256         }
2257         break;
2258     case ATA_IOPORT_RR_DEVICE_HEAD:
2259         if (!bus->ifs[0].blk && !bus->ifs[1].blk) {
2260             ret = 0;
2261         } else {
2262             ret = s->select;
2263         }
2264         break;
2265     default:
2266     case ATA_IOPORT_RR_STATUS:
2267         if ((!bus->ifs[0].blk && !bus->ifs[1].blk) ||
2268             (s != bus->ifs && !s->blk)) {
2269             ret = 0;
2270         } else {
2271             ret = s->status;
2272         }
2273         qemu_irq_lower(bus->irq);
2274         break;
2275     }
2276 
2277     trace_ide_ioport_read(addr, ATA_IOPORT_RR_lookup[reg_num], ret, bus, s);
2278     return ret;
2279 }
2280 
2281 uint32_t ide_status_read(void *opaque, uint32_t addr)
2282 {
2283     IDEBus *bus = opaque;
2284     IDEState *s = ide_bus_active_if(bus);
2285     int ret;
2286 
2287     if ((!bus->ifs[0].blk && !bus->ifs[1].blk) ||
2288         (s != bus->ifs && !s->blk)) {
2289         ret = 0;
2290     } else {
2291         ret = s->status;
2292     }
2293 
2294     trace_ide_status_read(addr, ret, bus, s);
2295     return ret;
2296 }
2297 
2298 static void ide_perform_srst(IDEState *s)
2299 {
2300     s->status |= BUSY_STAT;
2301 
2302     /* Halt PIO (Via register state); PIO BH remains scheduled. */
2303     ide_transfer_halt(s);
2304 
2305     /* Cancel DMA -- may drain block device and invoke callbacks */
2306     ide_cancel_dma_sync(s);
2307 
2308     /* Cancel PIO callback, reset registers/signature, etc */
2309     ide_reset(s);
2310 
2311     /* perform diagnostic */
2312     cmd_exec_dev_diagnostic(s, WIN_DIAGNOSE);
2313 }
2314 
2315 static void ide_bus_perform_srst(void *opaque)
2316 {
2317     IDEBus *bus = opaque;
2318     IDEState *s;
2319     int i;
2320 
2321     for (i = 0; i < 2; i++) {
2322         s = &bus->ifs[i];
2323         ide_perform_srst(s);
2324     }
2325 
2326     bus->cmd &= ~IDE_CTRL_RESET;
2327 }
2328 
2329 void ide_ctrl_write(void *opaque, uint32_t addr, uint32_t val)
2330 {
2331     IDEBus *bus = opaque;
2332     IDEState *s;
2333     int i;
2334 
2335     trace_ide_ctrl_write(addr, val, bus);
2336 
2337     /* Device0 and Device1 each have their own control register,
2338      * but QEMU models it as just one register in the controller. */
2339     if (!(bus->cmd & IDE_CTRL_RESET) && (val & IDE_CTRL_RESET)) {
2340         for (i = 0; i < 2; i++) {
2341             s = &bus->ifs[i];
2342             s->status |= BUSY_STAT;
2343         }
2344         replay_bh_schedule_oneshot_event(qemu_get_aio_context(),
2345                                          ide_bus_perform_srst, bus);
2346     }
2347 
2348     bus->cmd = val;
2349 }
2350 
2351 /*
2352  * Returns true if the running PIO transfer is a PIO out (i.e. data is
2353  * transferred from the device to the guest), false if it's a PIO in
2354  */
2355 static bool ide_is_pio_out(IDEState *s)
2356 {
2357     if (s->end_transfer_func == ide_sector_write ||
2358         s->end_transfer_func == ide_atapi_cmd) {
2359         return false;
2360     } else if (s->end_transfer_func == ide_sector_read ||
2361                s->end_transfer_func == ide_transfer_stop ||
2362                s->end_transfer_func == ide_atapi_cmd_reply_end ||
2363                s->end_transfer_func == ide_dummy_transfer_stop) {
2364         return true;
2365     }
2366 
2367     abort();
2368 }
2369 
2370 void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
2371 {
2372     IDEBus *bus = opaque;
2373     IDEState *s = ide_bus_active_if(bus);
2374     uint8_t *p;
2375 
2376     trace_ide_data_writew(addr, val, bus, s);
2377 
2378     /* PIO data access allowed only when DRQ bit is set. The result of a write
2379      * during PIO out is indeterminate, just ignore it. */
2380     if (!(s->status & DRQ_STAT) || ide_is_pio_out(s)) {
2381         return;
2382     }
2383 
2384     p = s->data_ptr;
2385     if (s->io8) {
2386         if (p + 1 > s->data_end) {
2387             return;
2388         }
2389 
2390         *p++ = val;
2391     } else {
2392         if (p + 2 > s->data_end) {
2393             return;
2394         }
2395 
2396         *(uint16_t *)p = le16_to_cpu(val);
2397         p += 2;
2398     }
2399     s->data_ptr = p;
2400     if (p >= s->data_end) {
2401         s->status &= ~DRQ_STAT;
2402         s->end_transfer_func(s);
2403     }
2404 }
2405 
2406 uint32_t ide_data_readw(void *opaque, uint32_t addr)
2407 {
2408     IDEBus *bus = opaque;
2409     IDEState *s = ide_bus_active_if(bus);
2410     uint8_t *p;
2411     int ret;
2412 
2413     /* PIO data access allowed only when DRQ bit is set. The result of a read
2414      * during PIO in is indeterminate, return 0 and don't move forward. */
2415     if (!(s->status & DRQ_STAT) || !ide_is_pio_out(s)) {
2416         return 0;
2417     }
2418 
2419     p = s->data_ptr;
2420     if (s->io8) {
2421         if (p + 1 > s->data_end) {
2422             return 0;
2423         }
2424 
2425         ret = *p++;
2426     } else {
2427         if (p + 2 > s->data_end) {
2428             return 0;
2429         }
2430 
2431         ret = cpu_to_le16(*(uint16_t *)p);
2432         p += 2;
2433     }
2434     s->data_ptr = p;
2435     if (p >= s->data_end) {
2436         s->status &= ~DRQ_STAT;
2437         s->end_transfer_func(s);
2438     }
2439 
2440     trace_ide_data_readw(addr, ret, bus, s);
2441     return ret;
2442 }
2443 
2444 void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
2445 {
2446     IDEBus *bus = opaque;
2447     IDEState *s = ide_bus_active_if(bus);
2448     uint8_t *p;
2449 
2450     trace_ide_data_writel(addr, val, bus, s);
2451 
2452     /* PIO data access allowed only when DRQ bit is set. The result of a write
2453      * during PIO out is indeterminate, just ignore it. */
2454     if (!(s->status & DRQ_STAT) || ide_is_pio_out(s)) {
2455         return;
2456     }
2457 
2458     p = s->data_ptr;
2459     if (p + 4 > s->data_end) {
2460         return;
2461     }
2462 
2463     *(uint32_t *)p = le32_to_cpu(val);
2464     p += 4;
2465     s->data_ptr = p;
2466     if (p >= s->data_end) {
2467         s->status &= ~DRQ_STAT;
2468         s->end_transfer_func(s);
2469     }
2470 }
2471 
2472 uint32_t ide_data_readl(void *opaque, uint32_t addr)
2473 {
2474     IDEBus *bus = opaque;
2475     IDEState *s = ide_bus_active_if(bus);
2476     uint8_t *p;
2477     int ret;
2478 
2479     /* PIO data access allowed only when DRQ bit is set. The result of a read
2480      * during PIO in is indeterminate, return 0 and don't move forward. */
2481     if (!(s->status & DRQ_STAT) || !ide_is_pio_out(s)) {
2482         ret = 0;
2483         goto out;
2484     }
2485 
2486     p = s->data_ptr;
2487     if (p + 4 > s->data_end) {
2488         return 0;
2489     }
2490 
2491     ret = cpu_to_le32(*(uint32_t *)p);
2492     p += 4;
2493     s->data_ptr = p;
2494     if (p >= s->data_end) {
2495         s->status &= ~DRQ_STAT;
2496         s->end_transfer_func(s);
2497     }
2498 
2499 out:
2500     trace_ide_data_readl(addr, ret, bus, s);
2501     return ret;
2502 }
2503 
2504 static void ide_dummy_transfer_stop(IDEState *s)
2505 {
2506     s->data_ptr = s->io_buffer;
2507     s->data_end = s->io_buffer;
2508     s->io_buffer[0] = 0xff;
2509     s->io_buffer[1] = 0xff;
2510     s->io_buffer[2] = 0xff;
2511     s->io_buffer[3] = 0xff;
2512 }
2513 
2514 void ide_bus_reset(IDEBus *bus)
2515 {
2516     bus->unit = 0;
2517     bus->cmd = 0;
2518     ide_reset(&bus->ifs[0]);
2519     ide_reset(&bus->ifs[1]);
2520     ide_clear_hob(bus);
2521 
2522     /* pending async DMA */
2523     if (bus->dma->aiocb) {
2524         trace_ide_bus_reset_aio();
2525         blk_aio_cancel(bus->dma->aiocb);
2526         bus->dma->aiocb = NULL;
2527     }
2528 
2529     /* reset dma provider too */
2530     if (bus->dma->ops->reset) {
2531         bus->dma->ops->reset(bus->dma);
2532     }
2533 }
2534 
2535 static bool ide_cd_is_tray_open(void *opaque)
2536 {
2537     return ((IDEState *)opaque)->tray_open;
2538 }
2539 
2540 static bool ide_cd_is_medium_locked(void *opaque)
2541 {
2542     return ((IDEState *)opaque)->tray_locked;
2543 }
2544 
2545 static void ide_resize_cb(void *opaque)
2546 {
2547     IDEState *s = opaque;
2548     uint64_t nb_sectors;
2549 
2550     if (!s->identify_set) {
2551         return;
2552     }
2553 
2554     blk_get_geometry(s->blk, &nb_sectors);
2555     s->nb_sectors = nb_sectors;
2556 
2557     /* Update the identify data buffer. */
2558     if (s->drive_kind == IDE_CFATA) {
2559         ide_cfata_identify_size(s);
2560     } else {
2561         /* IDE_CD uses a different set of callbacks entirely. */
2562         assert(s->drive_kind != IDE_CD);
2563         ide_identify_size(s);
2564     }
2565 }
2566 
2567 static const BlockDevOps ide_cd_block_ops = {
2568     .change_media_cb = ide_cd_change_cb,
2569     .eject_request_cb = ide_cd_eject_request_cb,
2570     .is_tray_open = ide_cd_is_tray_open,
2571     .is_medium_locked = ide_cd_is_medium_locked,
2572 };
2573 
2574 static const BlockDevOps ide_hd_block_ops = {
2575     .resize_cb = ide_resize_cb,
2576 };
2577 
2578 int ide_init_drive(IDEState *s, BlockBackend *blk, IDEDriveKind kind,
2579                    const char *version, const char *serial, const char *model,
2580                    uint64_t wwn,
2581                    uint32_t cylinders, uint32_t heads, uint32_t secs,
2582                    int chs_trans, Error **errp)
2583 {
2584     uint64_t nb_sectors;
2585 
2586     s->blk = blk;
2587     s->drive_kind = kind;
2588 
2589     blk_get_geometry(blk, &nb_sectors);
2590     s->cylinders = cylinders;
2591     s->heads = s->drive_heads = heads;
2592     s->sectors = s->drive_sectors = secs;
2593     s->chs_trans = chs_trans;
2594     s->nb_sectors = nb_sectors;
2595     s->wwn = wwn;
2596     /* The SMART values should be preserved across power cycles
2597        but they aren't.  */
2598     s->smart_enabled = 1;
2599     s->smart_autosave = 1;
2600     s->smart_errors = 0;
2601     s->smart_selftest_count = 0;
2602     if (kind == IDE_CD) {
2603         blk_set_dev_ops(blk, &ide_cd_block_ops, s);
2604     } else {
2605         if (!blk_is_inserted(s->blk)) {
2606             error_setg(errp, "Device needs media, but drive is empty");
2607             return -1;
2608         }
2609         if (!blk_is_writable(blk)) {
2610             error_setg(errp, "Can't use a read-only drive");
2611             return -1;
2612         }
2613         blk_set_dev_ops(blk, &ide_hd_block_ops, s);
2614     }
2615     if (serial) {
2616         pstrcpy(s->drive_serial_str, sizeof(s->drive_serial_str), serial);
2617     } else {
2618         snprintf(s->drive_serial_str, sizeof(s->drive_serial_str),
2619                  "QM%05d", s->drive_serial);
2620     }
2621     if (model) {
2622         pstrcpy(s->drive_model_str, sizeof(s->drive_model_str), model);
2623     } else {
2624         switch (kind) {
2625         case IDE_CD:
2626             strcpy(s->drive_model_str, "QEMU DVD-ROM");
2627             break;
2628         case IDE_CFATA:
2629             strcpy(s->drive_model_str, "QEMU MICRODRIVE");
2630             break;
2631         default:
2632             strcpy(s->drive_model_str, "QEMU HARDDISK");
2633             break;
2634         }
2635     }
2636 
2637     if (version) {
2638         pstrcpy(s->version, sizeof(s->version), version);
2639     } else {
2640         pstrcpy(s->version, sizeof(s->version), qemu_hw_version());
2641     }
2642 
2643     ide_reset(s);
2644     blk_iostatus_enable(blk);
2645     return 0;
2646 }
2647 
2648 static void ide_init1(IDEBus *bus, int unit)
2649 {
2650     static int drive_serial = 1;
2651     IDEState *s = &bus->ifs[unit];
2652 
2653     s->bus = bus;
2654     s->unit = unit;
2655     s->drive_serial = drive_serial++;
2656     /* we need at least 2k alignment for accessing CDROMs using O_DIRECT */
2657     s->io_buffer_total_len = IDE_DMA_BUF_SECTORS*512 + 4;
2658     s->io_buffer = qemu_memalign(2048, s->io_buffer_total_len);
2659     memset(s->io_buffer, 0, s->io_buffer_total_len);
2660 
2661     s->smart_selftest_data = blk_blockalign(s->blk, 512);
2662     memset(s->smart_selftest_data, 0, 512);
2663 
2664     s->sector_write_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL,
2665                                            ide_sector_write_timer_cb, s);
2666 }
2667 
2668 static int ide_nop_int(const IDEDMA *dma, bool is_write)
2669 {
2670     return 0;
2671 }
2672 
2673 static void ide_nop(const IDEDMA *dma)
2674 {
2675 }
2676 
2677 static int32_t ide_nop_int32(const IDEDMA *dma, int32_t l)
2678 {
2679     return 0;
2680 }
2681 
2682 static const IDEDMAOps ide_dma_nop_ops = {
2683     .prepare_buf    = ide_nop_int32,
2684     .restart_dma    = ide_nop,
2685     .rw_buf         = ide_nop_int,
2686 };
2687 
2688 static void ide_restart_dma(IDEState *s, enum ide_dma_cmd dma_cmd)
2689 {
2690     s->unit = s->bus->retry_unit;
2691     ide_set_sector(s, s->bus->retry_sector_num);
2692     s->nsector = s->bus->retry_nsector;
2693     s->bus->dma->ops->restart_dma(s->bus->dma);
2694     s->io_buffer_size = 0;
2695     s->dma_cmd = dma_cmd;
2696     ide_start_dma(s, ide_dma_cb);
2697 }
2698 
2699 static void ide_restart_bh(void *opaque)
2700 {
2701     IDEBus *bus = opaque;
2702     IDEState *s;
2703     bool is_read;
2704     int error_status;
2705 
2706     qemu_bh_delete(bus->bh);
2707     bus->bh = NULL;
2708 
2709     error_status = bus->error_status;
2710     if (bus->error_status == 0) {
2711         return;
2712     }
2713 
2714     s = ide_bus_active_if(bus);
2715     is_read = (bus->error_status & IDE_RETRY_READ) != 0;
2716 
2717     /* The error status must be cleared before resubmitting the request: The
2718      * request may fail again, and this case can only be distinguished if the
2719      * called function can set a new error status. */
2720     bus->error_status = 0;
2721 
2722     /* The HBA has generically asked to be kicked on retry */
2723     if (error_status & IDE_RETRY_HBA) {
2724         if (s->bus->dma->ops->restart) {
2725             s->bus->dma->ops->restart(s->bus->dma);
2726         }
2727     } else if (IS_IDE_RETRY_DMA(error_status)) {
2728         if (error_status & IDE_RETRY_TRIM) {
2729             ide_restart_dma(s, IDE_DMA_TRIM);
2730         } else {
2731             ide_restart_dma(s, is_read ? IDE_DMA_READ : IDE_DMA_WRITE);
2732         }
2733     } else if (IS_IDE_RETRY_PIO(error_status)) {
2734         if (is_read) {
2735             ide_sector_read(s);
2736         } else {
2737             ide_sector_write(s);
2738         }
2739     } else if (error_status & IDE_RETRY_FLUSH) {
2740         ide_flush_cache(s);
2741     } else if (IS_IDE_RETRY_ATAPI(error_status)) {
2742         assert(s->end_transfer_func == ide_atapi_cmd);
2743         ide_atapi_dma_restart(s);
2744     } else {
2745         abort();
2746     }
2747 }
2748 
2749 static void ide_restart_cb(void *opaque, bool running, RunState state)
2750 {
2751     IDEBus *bus = opaque;
2752 
2753     if (!running)
2754         return;
2755 
2756     if (!bus->bh) {
2757         bus->bh = qemu_bh_new(ide_restart_bh, bus);
2758         qemu_bh_schedule(bus->bh);
2759     }
2760 }
2761 
2762 void ide_bus_register_restart_cb(IDEBus *bus)
2763 {
2764     if (bus->dma->ops->restart_dma) {
2765         bus->vmstate = qemu_add_vm_change_state_handler(ide_restart_cb, bus);
2766     }
2767 }
2768 
2769 static IDEDMA ide_dma_nop = {
2770     .ops = &ide_dma_nop_ops,
2771     .aiocb = NULL,
2772 };
2773 
2774 void ide_bus_init_output_irq(IDEBus *bus, qemu_irq irq_out)
2775 {
2776     int i;
2777 
2778     for(i = 0; i < 2; i++) {
2779         ide_init1(bus, i);
2780         ide_reset(&bus->ifs[i]);
2781     }
2782     bus->irq = irq_out;
2783     bus->dma = &ide_dma_nop;
2784 }
2785 
2786 void ide_bus_set_irq(IDEBus *bus)
2787 {
2788     if (!(bus->cmd & IDE_CTRL_DISABLE_IRQ)) {
2789         qemu_irq_raise(bus->irq);
2790     }
2791 }
2792 
2793 void ide_exit(IDEState *s)
2794 {
2795     timer_free(s->sector_write_timer);
2796     qemu_vfree(s->smart_selftest_data);
2797     qemu_vfree(s->io_buffer);
2798 }
2799 
2800 static bool is_identify_set(void *opaque, int version_id)
2801 {
2802     IDEState *s = opaque;
2803 
2804     return s->identify_set != 0;
2805 }
2806 
2807 static EndTransferFunc* transfer_end_table[] = {
2808         ide_sector_read,
2809         ide_sector_write,
2810         ide_transfer_stop,
2811         ide_atapi_cmd_reply_end,
2812         ide_atapi_cmd,
2813         ide_dummy_transfer_stop,
2814 };
2815 
2816 static int transfer_end_table_idx(EndTransferFunc *fn)
2817 {
2818     int i;
2819 
2820     for (i = 0; i < ARRAY_SIZE(transfer_end_table); i++)
2821         if (transfer_end_table[i] == fn)
2822             return i;
2823 
2824     return -1;
2825 }
2826 
2827 static int ide_drive_post_load(void *opaque, int version_id)
2828 {
2829     IDEState *s = opaque;
2830 
2831     if (s->blk && s->identify_set) {
2832         blk_set_enable_write_cache(s->blk, !!(s->identify_data[85] & (1 << 5)));
2833     }
2834     return 0;
2835 }
2836 
2837 static int ide_drive_pio_post_load(void *opaque, int version_id)
2838 {
2839     IDEState *s = opaque;
2840 
2841     if (s->end_transfer_fn_idx >= ARRAY_SIZE(transfer_end_table)) {
2842         return -EINVAL;
2843     }
2844     s->end_transfer_func = transfer_end_table[s->end_transfer_fn_idx];
2845     s->data_ptr = s->io_buffer + s->cur_io_buffer_offset;
2846     s->data_end = s->data_ptr + s->cur_io_buffer_len;
2847     s->atapi_dma = s->feature & 1; /* as per cmd_packet */
2848 
2849     return 0;
2850 }
2851 
2852 static int ide_drive_pio_pre_save(void *opaque)
2853 {
2854     IDEState *s = opaque;
2855     int idx;
2856 
2857     s->cur_io_buffer_offset = s->data_ptr - s->io_buffer;
2858     s->cur_io_buffer_len = s->data_end - s->data_ptr;
2859 
2860     idx = transfer_end_table_idx(s->end_transfer_func);
2861     if (idx == -1) {
2862         fprintf(stderr, "%s: invalid end_transfer_func for DRQ_STAT\n",
2863                         __func__);
2864         s->end_transfer_fn_idx = 2;
2865     } else {
2866         s->end_transfer_fn_idx = idx;
2867     }
2868 
2869     return 0;
2870 }
2871 
2872 static bool ide_drive_pio_state_needed(void *opaque)
2873 {
2874     IDEState *s = opaque;
2875 
2876     return ((s->status & DRQ_STAT) != 0)
2877         || (s->bus->error_status & IDE_RETRY_PIO);
2878 }
2879 
2880 static bool ide_tray_state_needed(void *opaque)
2881 {
2882     IDEState *s = opaque;
2883 
2884     return s->tray_open || s->tray_locked;
2885 }
2886 
2887 static bool ide_atapi_gesn_needed(void *opaque)
2888 {
2889     IDEState *s = opaque;
2890 
2891     return s->events.new_media || s->events.eject_request;
2892 }
2893 
2894 static bool ide_error_needed(void *opaque)
2895 {
2896     IDEBus *bus = opaque;
2897 
2898     return (bus->error_status != 0);
2899 }
2900 
2901 /* Fields for GET_EVENT_STATUS_NOTIFICATION ATAPI command */
2902 static const VMStateDescription vmstate_ide_atapi_gesn_state = {
2903     .name ="ide_drive/atapi/gesn_state",
2904     .version_id = 1,
2905     .minimum_version_id = 1,
2906     .needed = ide_atapi_gesn_needed,
2907     .fields = (VMStateField[]) {
2908         VMSTATE_BOOL(events.new_media, IDEState),
2909         VMSTATE_BOOL(events.eject_request, IDEState),
2910         VMSTATE_END_OF_LIST()
2911     }
2912 };
2913 
2914 static const VMStateDescription vmstate_ide_tray_state = {
2915     .name = "ide_drive/tray_state",
2916     .version_id = 1,
2917     .minimum_version_id = 1,
2918     .needed = ide_tray_state_needed,
2919     .fields = (VMStateField[]) {
2920         VMSTATE_BOOL(tray_open, IDEState),
2921         VMSTATE_BOOL(tray_locked, IDEState),
2922         VMSTATE_END_OF_LIST()
2923     }
2924 };
2925 
2926 static const VMStateDescription vmstate_ide_drive_pio_state = {
2927     .name = "ide_drive/pio_state",
2928     .version_id = 1,
2929     .minimum_version_id = 1,
2930     .pre_save = ide_drive_pio_pre_save,
2931     .post_load = ide_drive_pio_post_load,
2932     .needed = ide_drive_pio_state_needed,
2933     .fields = (VMStateField[]) {
2934         VMSTATE_INT32(req_nb_sectors, IDEState),
2935         VMSTATE_VARRAY_INT32(io_buffer, IDEState, io_buffer_total_len, 1,
2936                              vmstate_info_uint8, uint8_t),
2937         VMSTATE_INT32(cur_io_buffer_offset, IDEState),
2938         VMSTATE_INT32(cur_io_buffer_len, IDEState),
2939         VMSTATE_UINT8(end_transfer_fn_idx, IDEState),
2940         VMSTATE_INT32(elementary_transfer_size, IDEState),
2941         VMSTATE_INT32(packet_transfer_size, IDEState),
2942         VMSTATE_END_OF_LIST()
2943     }
2944 };
2945 
2946 const VMStateDescription vmstate_ide_drive = {
2947     .name = "ide_drive",
2948     .version_id = 3,
2949     .minimum_version_id = 0,
2950     .post_load = ide_drive_post_load,
2951     .fields = (VMStateField[]) {
2952         VMSTATE_INT32(mult_sectors, IDEState),
2953         VMSTATE_INT32(identify_set, IDEState),
2954         VMSTATE_BUFFER_TEST(identify_data, IDEState, is_identify_set),
2955         VMSTATE_UINT8(feature, IDEState),
2956         VMSTATE_UINT8(error, IDEState),
2957         VMSTATE_UINT32(nsector, IDEState),
2958         VMSTATE_UINT8(sector, IDEState),
2959         VMSTATE_UINT8(lcyl, IDEState),
2960         VMSTATE_UINT8(hcyl, IDEState),
2961         VMSTATE_UINT8(hob_feature, IDEState),
2962         VMSTATE_UINT8(hob_sector, IDEState),
2963         VMSTATE_UINT8(hob_nsector, IDEState),
2964         VMSTATE_UINT8(hob_lcyl, IDEState),
2965         VMSTATE_UINT8(hob_hcyl, IDEState),
2966         VMSTATE_UINT8(select, IDEState),
2967         VMSTATE_UINT8(status, IDEState),
2968         VMSTATE_UINT8(lba48, IDEState),
2969         VMSTATE_UINT8(sense_key, IDEState),
2970         VMSTATE_UINT8(asc, IDEState),
2971         VMSTATE_UINT8_V(cdrom_changed, IDEState, 3),
2972         VMSTATE_END_OF_LIST()
2973     },
2974     .subsections = (const VMStateDescription*[]) {
2975         &vmstate_ide_drive_pio_state,
2976         &vmstate_ide_tray_state,
2977         &vmstate_ide_atapi_gesn_state,
2978         NULL
2979     }
2980 };
2981 
2982 static const VMStateDescription vmstate_ide_error_status = {
2983     .name ="ide_bus/error",
2984     .version_id = 2,
2985     .minimum_version_id = 1,
2986     .needed = ide_error_needed,
2987     .fields = (VMStateField[]) {
2988         VMSTATE_INT32(error_status, IDEBus),
2989         VMSTATE_INT64_V(retry_sector_num, IDEBus, 2),
2990         VMSTATE_UINT32_V(retry_nsector, IDEBus, 2),
2991         VMSTATE_UINT8_V(retry_unit, IDEBus, 2),
2992         VMSTATE_END_OF_LIST()
2993     }
2994 };
2995 
2996 const VMStateDescription vmstate_ide_bus = {
2997     .name = "ide_bus",
2998     .version_id = 1,
2999     .minimum_version_id = 1,
3000     .fields = (VMStateField[]) {
3001         VMSTATE_UINT8(cmd, IDEBus),
3002         VMSTATE_UINT8(unit, IDEBus),
3003         VMSTATE_END_OF_LIST()
3004     },
3005     .subsections = (const VMStateDescription*[]) {
3006         &vmstate_ide_error_status,
3007         NULL
3008     }
3009 };
3010 
3011 void ide_drive_get(DriveInfo **hd, int n)
3012 {
3013     int i;
3014 
3015     for (i = 0; i < n; i++) {
3016         hd[i] = drive_get_by_index(IF_IDE, i);
3017     }
3018 }
3019