xref: /openbmc/qemu/hw/ide/core.c (revision e7bbc9b1)
1 /*
2  * QEMU IDE disk and CD/DVD-ROM Emulator
3  *
4  * Copyright (c) 2003 Fabrice Bellard
5  * Copyright (c) 2006 Openedhand Ltd.
6  *
7  * Permission is hereby granted, free of charge, to any person obtaining a copy
8  * of this software and associated documentation files (the "Software"), to deal
9  * in the Software without restriction, including without limitation the rights
10  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11  * copies of the Software, and to permit persons to whom the Software is
12  * furnished to do so, subject to the following conditions:
13  *
14  * The above copyright notice and this permission notice shall be included in
15  * all copies or substantial portions of the Software.
16  *
17  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
20  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
23  * THE SOFTWARE.
24  */
25 
26 #include "qemu/osdep.h"
27 #include "hw/hw.h"
28 #include "hw/isa/isa.h"
29 #include "qemu/error-report.h"
30 #include "qemu/timer.h"
31 #include "sysemu/sysemu.h"
32 #include "sysemu/blockdev.h"
33 #include "sysemu/dma.h"
34 #include "hw/block/block.h"
35 #include "sysemu/block-backend.h"
36 #include "qapi/error.h"
37 #include "qemu/cutils.h"
38 #include "sysemu/replay.h"
39 
40 #include "hw/ide/internal.h"
41 #include "trace.h"
42 
43 /* These values were based on a Seagate ST3500418AS but have been modified
44    to make more sense in QEMU */
45 static const int smart_attributes[][12] = {
46     /* id,  flags, hflags, val, wrst, raw (6 bytes), threshold */
47     /* raw read error rate*/
48     { 0x01, 0x03, 0x00, 0x64, 0x64, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06},
49     /* spin up */
50     { 0x03, 0x03, 0x00, 0x64, 0x64, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
51     /* start stop count */
52     { 0x04, 0x02, 0x00, 0x64, 0x64, 0x64, 0x00, 0x00, 0x00, 0x00, 0x00, 0x14},
53     /* remapped sectors */
54     { 0x05, 0x03, 0x00, 0x64, 0x64, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x24},
55     /* power on hours */
56     { 0x09, 0x03, 0x00, 0x64, 0x64, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
57     /* power cycle count */
58     { 0x0c, 0x03, 0x00, 0x64, 0x64, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
59     /* airflow-temperature-celsius */
60     { 190,  0x03, 0x00, 0x45, 0x45, 0x1f, 0x00, 0x1f, 0x1f, 0x00, 0x00, 0x32},
61 };
62 
63 const char *IDE_DMA_CMD_lookup[IDE_DMA__COUNT] = {
64     [IDE_DMA_READ] = "DMA READ",
65     [IDE_DMA_WRITE] = "DMA WRITE",
66     [IDE_DMA_TRIM] = "DMA TRIM",
67     [IDE_DMA_ATAPI] = "DMA ATAPI"
68 };
69 
70 static const char *IDE_DMA_CMD_str(enum ide_dma_cmd enval)
71 {
72     if ((unsigned)enval < IDE_DMA__COUNT) {
73         return IDE_DMA_CMD_lookup[enval];
74     }
75     return "DMA UNKNOWN CMD";
76 }
77 
78 static void ide_dummy_transfer_stop(IDEState *s);
79 
80 static void padstr(char *str, const char *src, int len)
81 {
82     int i, v;
83     for(i = 0; i < len; i++) {
84         if (*src)
85             v = *src++;
86         else
87             v = ' ';
88         str[i^1] = v;
89     }
90 }
91 
92 static void put_le16(uint16_t *p, unsigned int v)
93 {
94     *p = cpu_to_le16(v);
95 }
96 
97 static void ide_identify_size(IDEState *s)
98 {
99     uint16_t *p = (uint16_t *)s->identify_data;
100     put_le16(p + 60, s->nb_sectors);
101     put_le16(p + 61, s->nb_sectors >> 16);
102     put_le16(p + 100, s->nb_sectors);
103     put_le16(p + 101, s->nb_sectors >> 16);
104     put_le16(p + 102, s->nb_sectors >> 32);
105     put_le16(p + 103, s->nb_sectors >> 48);
106 }
107 
108 static void ide_identify(IDEState *s)
109 {
110     uint16_t *p;
111     unsigned int oldsize;
112     IDEDevice *dev = s->unit ? s->bus->slave : s->bus->master;
113 
114     p = (uint16_t *)s->identify_data;
115     if (s->identify_set) {
116         goto fill_buffer;
117     }
118     memset(p, 0, sizeof(s->identify_data));
119 
120     put_le16(p + 0, 0x0040);
121     put_le16(p + 1, s->cylinders);
122     put_le16(p + 3, s->heads);
123     put_le16(p + 4, 512 * s->sectors); /* XXX: retired, remove ? */
124     put_le16(p + 5, 512); /* XXX: retired, remove ? */
125     put_le16(p + 6, s->sectors);
126     padstr((char *)(p + 10), s->drive_serial_str, 20); /* serial number */
127     put_le16(p + 20, 3); /* XXX: retired, remove ? */
128     put_le16(p + 21, 512); /* cache size in sectors */
129     put_le16(p + 22, 4); /* ecc bytes */
130     padstr((char *)(p + 23), s->version, 8); /* firmware version */
131     padstr((char *)(p + 27), s->drive_model_str, 40); /* model */
132 #if MAX_MULT_SECTORS > 1
133     put_le16(p + 47, 0x8000 | MAX_MULT_SECTORS);
134 #endif
135     put_le16(p + 48, 1); /* dword I/O */
136     put_le16(p + 49, (1 << 11) | (1 << 9) | (1 << 8)); /* DMA and LBA supported */
137     put_le16(p + 51, 0x200); /* PIO transfer cycle */
138     put_le16(p + 52, 0x200); /* DMA transfer cycle */
139     put_le16(p + 53, 1 | (1 << 1) | (1 << 2)); /* words 54-58,64-70,88 are valid */
140     put_le16(p + 54, s->cylinders);
141     put_le16(p + 55, s->heads);
142     put_le16(p + 56, s->sectors);
143     oldsize = s->cylinders * s->heads * s->sectors;
144     put_le16(p + 57, oldsize);
145     put_le16(p + 58, oldsize >> 16);
146     if (s->mult_sectors)
147         put_le16(p + 59, 0x100 | s->mult_sectors);
148     /* *(p + 60) := nb_sectors       -- see ide_identify_size */
149     /* *(p + 61) := nb_sectors >> 16 -- see ide_identify_size */
150     put_le16(p + 62, 0x07); /* single word dma0-2 supported */
151     put_le16(p + 63, 0x07); /* mdma0-2 supported */
152     put_le16(p + 64, 0x03); /* pio3-4 supported */
153     put_le16(p + 65, 120);
154     put_le16(p + 66, 120);
155     put_le16(p + 67, 120);
156     put_le16(p + 68, 120);
157     if (dev && dev->conf.discard_granularity) {
158         put_le16(p + 69, (1 << 14)); /* determinate TRIM behavior */
159     }
160 
161     if (s->ncq_queues) {
162         put_le16(p + 75, s->ncq_queues - 1);
163         /* NCQ supported */
164         put_le16(p + 76, (1 << 8));
165     }
166 
167     put_le16(p + 80, 0xf0); /* ata3 -> ata6 supported */
168     put_le16(p + 81, 0x16); /* conforms to ata5 */
169     /* 14=NOP supported, 5=WCACHE supported, 0=SMART supported */
170     put_le16(p + 82, (1 << 14) | (1 << 5) | 1);
171     /* 13=flush_cache_ext,12=flush_cache,10=lba48 */
172     put_le16(p + 83, (1 << 14) | (1 << 13) | (1 <<12) | (1 << 10));
173     /* 14=set to 1, 8=has WWN, 1=SMART self test, 0=SMART error logging */
174     if (s->wwn) {
175         put_le16(p + 84, (1 << 14) | (1 << 8) | 0);
176     } else {
177         put_le16(p + 84, (1 << 14) | 0);
178     }
179     /* 14 = NOP supported, 5=WCACHE enabled, 0=SMART feature set enabled */
180     if (blk_enable_write_cache(s->blk)) {
181         put_le16(p + 85, (1 << 14) | (1 << 5) | 1);
182     } else {
183         put_le16(p + 85, (1 << 14) | 1);
184     }
185     /* 13=flush_cache_ext,12=flush_cache,10=lba48 */
186     put_le16(p + 86, (1 << 13) | (1 <<12) | (1 << 10));
187     /* 14=set to 1, 8=has WWN, 1=SMART self test, 0=SMART error logging */
188     if (s->wwn) {
189         put_le16(p + 87, (1 << 14) | (1 << 8) | 0);
190     } else {
191         put_le16(p + 87, (1 << 14) | 0);
192     }
193     put_le16(p + 88, 0x3f | (1 << 13)); /* udma5 set and supported */
194     put_le16(p + 93, 1 | (1 << 14) | 0x2000);
195     /* *(p + 100) := nb_sectors       -- see ide_identify_size */
196     /* *(p + 101) := nb_sectors >> 16 -- see ide_identify_size */
197     /* *(p + 102) := nb_sectors >> 32 -- see ide_identify_size */
198     /* *(p + 103) := nb_sectors >> 48 -- see ide_identify_size */
199 
200     if (dev && dev->conf.physical_block_size)
201         put_le16(p + 106, 0x6000 | get_physical_block_exp(&dev->conf));
202     if (s->wwn) {
203         /* LE 16-bit words 111-108 contain 64-bit World Wide Name */
204         put_le16(p + 108, s->wwn >> 48);
205         put_le16(p + 109, s->wwn >> 32);
206         put_le16(p + 110, s->wwn >> 16);
207         put_le16(p + 111, s->wwn);
208     }
209     if (dev && dev->conf.discard_granularity) {
210         put_le16(p + 169, 1); /* TRIM support */
211     }
212     if (dev) {
213         put_le16(p + 217, dev->rotation_rate); /* Nominal media rotation rate */
214     }
215 
216     ide_identify_size(s);
217     s->identify_set = 1;
218 
219 fill_buffer:
220     memcpy(s->io_buffer, p, sizeof(s->identify_data));
221 }
222 
223 static void ide_atapi_identify(IDEState *s)
224 {
225     uint16_t *p;
226 
227     p = (uint16_t *)s->identify_data;
228     if (s->identify_set) {
229         goto fill_buffer;
230     }
231     memset(p, 0, sizeof(s->identify_data));
232 
233     /* Removable CDROM, 50us response, 12 byte packets */
234     put_le16(p + 0, (2 << 14) | (5 << 8) | (1 << 7) | (2 << 5) | (0 << 0));
235     padstr((char *)(p + 10), s->drive_serial_str, 20); /* serial number */
236     put_le16(p + 20, 3); /* buffer type */
237     put_le16(p + 21, 512); /* cache size in sectors */
238     put_le16(p + 22, 4); /* ecc bytes */
239     padstr((char *)(p + 23), s->version, 8); /* firmware version */
240     padstr((char *)(p + 27), s->drive_model_str, 40); /* model */
241     put_le16(p + 48, 1); /* dword I/O (XXX: should not be set on CDROM) */
242 #ifdef USE_DMA_CDROM
243     put_le16(p + 49, 1 << 9 | 1 << 8); /* DMA and LBA supported */
244     put_le16(p + 53, 7); /* words 64-70, 54-58, 88 valid */
245     put_le16(p + 62, 7);  /* single word dma0-2 supported */
246     put_le16(p + 63, 7);  /* mdma0-2 supported */
247 #else
248     put_le16(p + 49, 1 << 9); /* LBA supported, no DMA */
249     put_le16(p + 53, 3); /* words 64-70, 54-58 valid */
250     put_le16(p + 63, 0x103); /* DMA modes XXX: may be incorrect */
251 #endif
252     put_le16(p + 64, 3); /* pio3-4 supported */
253     put_le16(p + 65, 0xb4); /* minimum DMA multiword tx cycle time */
254     put_le16(p + 66, 0xb4); /* recommended DMA multiword tx cycle time */
255     put_le16(p + 67, 0x12c); /* minimum PIO cycle time without flow control */
256     put_le16(p + 68, 0xb4); /* minimum PIO cycle time with IORDY flow control */
257 
258     put_le16(p + 71, 30); /* in ns */
259     put_le16(p + 72, 30); /* in ns */
260 
261     if (s->ncq_queues) {
262         put_le16(p + 75, s->ncq_queues - 1);
263         /* NCQ supported */
264         put_le16(p + 76, (1 << 8));
265     }
266 
267     put_le16(p + 80, 0x1e); /* support up to ATA/ATAPI-4 */
268     if (s->wwn) {
269         put_le16(p + 84, (1 << 8)); /* supports WWN for words 108-111 */
270         put_le16(p + 87, (1 << 8)); /* WWN enabled */
271     }
272 
273 #ifdef USE_DMA_CDROM
274     put_le16(p + 88, 0x3f | (1 << 13)); /* udma5 set and supported */
275 #endif
276 
277     if (s->wwn) {
278         /* LE 16-bit words 111-108 contain 64-bit World Wide Name */
279         put_le16(p + 108, s->wwn >> 48);
280         put_le16(p + 109, s->wwn >> 32);
281         put_le16(p + 110, s->wwn >> 16);
282         put_le16(p + 111, s->wwn);
283     }
284 
285     s->identify_set = 1;
286 
287 fill_buffer:
288     memcpy(s->io_buffer, p, sizeof(s->identify_data));
289 }
290 
291 static void ide_cfata_identify_size(IDEState *s)
292 {
293     uint16_t *p = (uint16_t *)s->identify_data;
294     put_le16(p + 7, s->nb_sectors >> 16);  /* Sectors per card */
295     put_le16(p + 8, s->nb_sectors);        /* Sectors per card */
296     put_le16(p + 60, s->nb_sectors);       /* Total LBA sectors */
297     put_le16(p + 61, s->nb_sectors >> 16); /* Total LBA sectors */
298 }
299 
300 static void ide_cfata_identify(IDEState *s)
301 {
302     uint16_t *p;
303     uint32_t cur_sec;
304 
305     p = (uint16_t *)s->identify_data;
306     if (s->identify_set) {
307         goto fill_buffer;
308     }
309     memset(p, 0, sizeof(s->identify_data));
310 
311     cur_sec = s->cylinders * s->heads * s->sectors;
312 
313     put_le16(p + 0, 0x848a);			/* CF Storage Card signature */
314     put_le16(p + 1, s->cylinders);		/* Default cylinders */
315     put_le16(p + 3, s->heads);			/* Default heads */
316     put_le16(p + 6, s->sectors);		/* Default sectors per track */
317     /* *(p + 7) := nb_sectors >> 16 -- see ide_cfata_identify_size */
318     /* *(p + 8) := nb_sectors       -- see ide_cfata_identify_size */
319     padstr((char *)(p + 10), s->drive_serial_str, 20); /* serial number */
320     put_le16(p + 22, 0x0004);			/* ECC bytes */
321     padstr((char *) (p + 23), s->version, 8);	/* Firmware Revision */
322     padstr((char *) (p + 27), s->drive_model_str, 40);/* Model number */
323 #if MAX_MULT_SECTORS > 1
324     put_le16(p + 47, 0x8000 | MAX_MULT_SECTORS);
325 #else
326     put_le16(p + 47, 0x0000);
327 #endif
328     put_le16(p + 49, 0x0f00);			/* Capabilities */
329     put_le16(p + 51, 0x0002);			/* PIO cycle timing mode */
330     put_le16(p + 52, 0x0001);			/* DMA cycle timing mode */
331     put_le16(p + 53, 0x0003);			/* Translation params valid */
332     put_le16(p + 54, s->cylinders);		/* Current cylinders */
333     put_le16(p + 55, s->heads);			/* Current heads */
334     put_le16(p + 56, s->sectors);		/* Current sectors */
335     put_le16(p + 57, cur_sec);			/* Current capacity */
336     put_le16(p + 58, cur_sec >> 16);		/* Current capacity */
337     if (s->mult_sectors)			/* Multiple sector setting */
338         put_le16(p + 59, 0x100 | s->mult_sectors);
339     /* *(p + 60) := nb_sectors       -- see ide_cfata_identify_size */
340     /* *(p + 61) := nb_sectors >> 16 -- see ide_cfata_identify_size */
341     put_le16(p + 63, 0x0203);			/* Multiword DMA capability */
342     put_le16(p + 64, 0x0001);			/* Flow Control PIO support */
343     put_le16(p + 65, 0x0096);			/* Min. Multiword DMA cycle */
344     put_le16(p + 66, 0x0096);			/* Rec. Multiword DMA cycle */
345     put_le16(p + 68, 0x00b4);			/* Min. PIO cycle time */
346     put_le16(p + 82, 0x400c);			/* Command Set supported */
347     put_le16(p + 83, 0x7068);			/* Command Set supported */
348     put_le16(p + 84, 0x4000);			/* Features supported */
349     put_le16(p + 85, 0x000c);			/* Command Set enabled */
350     put_le16(p + 86, 0x7044);			/* Command Set enabled */
351     put_le16(p + 87, 0x4000);			/* Features enabled */
352     put_le16(p + 91, 0x4060);			/* Current APM level */
353     put_le16(p + 129, 0x0002);			/* Current features option */
354     put_le16(p + 130, 0x0005);			/* Reassigned sectors */
355     put_le16(p + 131, 0x0001);			/* Initial power mode */
356     put_le16(p + 132, 0x0000);			/* User signature */
357     put_le16(p + 160, 0x8100);			/* Power requirement */
358     put_le16(p + 161, 0x8001);			/* CF command set */
359 
360     ide_cfata_identify_size(s);
361     s->identify_set = 1;
362 
363 fill_buffer:
364     memcpy(s->io_buffer, p, sizeof(s->identify_data));
365 }
366 
367 static void ide_set_signature(IDEState *s)
368 {
369     s->select &= 0xf0; /* clear head */
370     /* put signature */
371     s->nsector = 1;
372     s->sector = 1;
373     if (s->drive_kind == IDE_CD) {
374         s->lcyl = 0x14;
375         s->hcyl = 0xeb;
376     } else if (s->blk) {
377         s->lcyl = 0;
378         s->hcyl = 0;
379     } else {
380         s->lcyl = 0xff;
381         s->hcyl = 0xff;
382     }
383 }
384 
385 static bool ide_sect_range_ok(IDEState *s,
386                               uint64_t sector, uint64_t nb_sectors)
387 {
388     uint64_t total_sectors;
389 
390     blk_get_geometry(s->blk, &total_sectors);
391     if (sector > total_sectors || nb_sectors > total_sectors - sector) {
392         return false;
393     }
394     return true;
395 }
396 
397 typedef struct TrimAIOCB {
398     BlockAIOCB common;
399     IDEState *s;
400     QEMUBH *bh;
401     int ret;
402     QEMUIOVector *qiov;
403     BlockAIOCB *aiocb;
404     int i, j;
405 } TrimAIOCB;
406 
407 static void trim_aio_cancel(BlockAIOCB *acb)
408 {
409     TrimAIOCB *iocb = container_of(acb, TrimAIOCB, common);
410 
411     /* Exit the loop so ide_issue_trim_cb will not continue  */
412     iocb->j = iocb->qiov->niov - 1;
413     iocb->i = (iocb->qiov->iov[iocb->j].iov_len / 8) - 1;
414 
415     iocb->ret = -ECANCELED;
416 
417     if (iocb->aiocb) {
418         blk_aio_cancel_async(iocb->aiocb);
419         iocb->aiocb = NULL;
420     }
421 }
422 
423 static const AIOCBInfo trim_aiocb_info = {
424     .aiocb_size         = sizeof(TrimAIOCB),
425     .cancel_async       = trim_aio_cancel,
426 };
427 
428 static void ide_trim_bh_cb(void *opaque)
429 {
430     TrimAIOCB *iocb = opaque;
431 
432     iocb->common.cb(iocb->common.opaque, iocb->ret);
433 
434     qemu_bh_delete(iocb->bh);
435     iocb->bh = NULL;
436     qemu_aio_unref(iocb);
437 }
438 
439 static void ide_issue_trim_cb(void *opaque, int ret)
440 {
441     TrimAIOCB *iocb = opaque;
442     IDEState *s = iocb->s;
443 
444     if (ret >= 0) {
445         while (iocb->j < iocb->qiov->niov) {
446             int j = iocb->j;
447             while (++iocb->i < iocb->qiov->iov[j].iov_len / 8) {
448                 int i = iocb->i;
449                 uint64_t *buffer = iocb->qiov->iov[j].iov_base;
450 
451                 /* 6-byte LBA + 2-byte range per entry */
452                 uint64_t entry = le64_to_cpu(buffer[i]);
453                 uint64_t sector = entry & 0x0000ffffffffffffULL;
454                 uint16_t count = entry >> 48;
455 
456                 if (count == 0) {
457                     continue;
458                 }
459 
460                 if (!ide_sect_range_ok(s, sector, count)) {
461                     iocb->ret = -EINVAL;
462                     goto done;
463                 }
464 
465                 /* Got an entry! Submit and exit.  */
466                 iocb->aiocb = blk_aio_pdiscard(s->blk,
467                                                sector << BDRV_SECTOR_BITS,
468                                                count << BDRV_SECTOR_BITS,
469                                                ide_issue_trim_cb, opaque);
470                 return;
471             }
472 
473             iocb->j++;
474             iocb->i = -1;
475         }
476     } else {
477         iocb->ret = ret;
478     }
479 
480 done:
481     iocb->aiocb = NULL;
482     if (iocb->bh) {
483         replay_bh_schedule_event(iocb->bh);
484     }
485 }
486 
487 BlockAIOCB *ide_issue_trim(
488         int64_t offset, QEMUIOVector *qiov,
489         BlockCompletionFunc *cb, void *cb_opaque, void *opaque)
490 {
491     IDEState *s = opaque;
492     TrimAIOCB *iocb;
493 
494     iocb = blk_aio_get(&trim_aiocb_info, s->blk, cb, cb_opaque);
495     iocb->s = s;
496     iocb->bh = qemu_bh_new(ide_trim_bh_cb, iocb);
497     iocb->ret = 0;
498     iocb->qiov = qiov;
499     iocb->i = -1;
500     iocb->j = 0;
501     ide_issue_trim_cb(iocb, 0);
502     return &iocb->common;
503 }
504 
505 void ide_abort_command(IDEState *s)
506 {
507     ide_transfer_stop(s);
508     s->status = READY_STAT | ERR_STAT;
509     s->error = ABRT_ERR;
510 }
511 
512 static void ide_set_retry(IDEState *s)
513 {
514     s->bus->retry_unit = s->unit;
515     s->bus->retry_sector_num = ide_get_sector(s);
516     s->bus->retry_nsector = s->nsector;
517 }
518 
519 static void ide_clear_retry(IDEState *s)
520 {
521     s->bus->retry_unit = -1;
522     s->bus->retry_sector_num = 0;
523     s->bus->retry_nsector = 0;
524 }
525 
526 /* prepare data transfer and tell what to do after */
527 bool ide_transfer_start_norecurse(IDEState *s, uint8_t *buf, int size,
528                                   EndTransferFunc *end_transfer_func)
529 {
530     s->data_ptr = buf;
531     s->data_end = buf + size;
532     ide_set_retry(s);
533     if (!(s->status & ERR_STAT)) {
534         s->status |= DRQ_STAT;
535     }
536     if (!s->bus->dma->ops->pio_transfer) {
537         s->end_transfer_func = end_transfer_func;
538         return false;
539     }
540     s->bus->dma->ops->pio_transfer(s->bus->dma);
541     return true;
542 }
543 
544 void ide_transfer_start(IDEState *s, uint8_t *buf, int size,
545                         EndTransferFunc *end_transfer_func)
546 {
547     if (ide_transfer_start_norecurse(s, buf, size, end_transfer_func)) {
548         end_transfer_func(s);
549     }
550 }
551 
552 static void ide_cmd_done(IDEState *s)
553 {
554     if (s->bus->dma->ops->cmd_done) {
555         s->bus->dma->ops->cmd_done(s->bus->dma);
556     }
557 }
558 
559 static void ide_transfer_halt(IDEState *s)
560 {
561     s->end_transfer_func = ide_transfer_stop;
562     s->data_ptr = s->io_buffer;
563     s->data_end = s->io_buffer;
564     s->status &= ~DRQ_STAT;
565 }
566 
567 void ide_transfer_stop(IDEState *s)
568 {
569     ide_transfer_halt(s);
570     ide_cmd_done(s);
571 }
572 
573 int64_t ide_get_sector(IDEState *s)
574 {
575     int64_t sector_num;
576     if (s->select & 0x40) {
577         /* lba */
578         if (!s->lba48) {
579             sector_num = ((s->select & 0x0f) << 24) | (s->hcyl << 16) |
580                 (s->lcyl << 8) | s->sector;
581         } else {
582             sector_num = ((int64_t)s->hob_hcyl << 40) |
583                 ((int64_t) s->hob_lcyl << 32) |
584                 ((int64_t) s->hob_sector << 24) |
585                 ((int64_t) s->hcyl << 16) |
586                 ((int64_t) s->lcyl << 8) | s->sector;
587         }
588     } else {
589         sector_num = ((s->hcyl << 8) | s->lcyl) * s->heads * s->sectors +
590             (s->select & 0x0f) * s->sectors + (s->sector - 1);
591     }
592     return sector_num;
593 }
594 
595 void ide_set_sector(IDEState *s, int64_t sector_num)
596 {
597     unsigned int cyl, r;
598     if (s->select & 0x40) {
599         if (!s->lba48) {
600             s->select = (s->select & 0xf0) | (sector_num >> 24);
601             s->hcyl = (sector_num >> 16);
602             s->lcyl = (sector_num >> 8);
603             s->sector = (sector_num);
604         } else {
605             s->sector = sector_num;
606             s->lcyl = sector_num >> 8;
607             s->hcyl = sector_num >> 16;
608             s->hob_sector = sector_num >> 24;
609             s->hob_lcyl = sector_num >> 32;
610             s->hob_hcyl = sector_num >> 40;
611         }
612     } else {
613         cyl = sector_num / (s->heads * s->sectors);
614         r = sector_num % (s->heads * s->sectors);
615         s->hcyl = cyl >> 8;
616         s->lcyl = cyl;
617         s->select = (s->select & 0xf0) | ((r / s->sectors) & 0x0f);
618         s->sector = (r % s->sectors) + 1;
619     }
620 }
621 
622 static void ide_rw_error(IDEState *s) {
623     ide_abort_command(s);
624     ide_set_irq(s->bus);
625 }
626 
627 static void ide_buffered_readv_cb(void *opaque, int ret)
628 {
629     IDEBufferedRequest *req = opaque;
630     if (!req->orphaned) {
631         if (!ret) {
632             qemu_iovec_from_buf(req->original_qiov, 0, req->iov.iov_base,
633                                 req->original_qiov->size);
634         }
635         req->original_cb(req->original_opaque, ret);
636     }
637     QLIST_REMOVE(req, list);
638     qemu_vfree(req->iov.iov_base);
639     g_free(req);
640 }
641 
642 #define MAX_BUFFERED_REQS 16
643 
644 BlockAIOCB *ide_buffered_readv(IDEState *s, int64_t sector_num,
645                                QEMUIOVector *iov, int nb_sectors,
646                                BlockCompletionFunc *cb, void *opaque)
647 {
648     BlockAIOCB *aioreq;
649     IDEBufferedRequest *req;
650     int c = 0;
651 
652     QLIST_FOREACH(req, &s->buffered_requests, list) {
653         c++;
654     }
655     if (c > MAX_BUFFERED_REQS) {
656         return blk_abort_aio_request(s->blk, cb, opaque, -EIO);
657     }
658 
659     req = g_new0(IDEBufferedRequest, 1);
660     req->original_qiov = iov;
661     req->original_cb = cb;
662     req->original_opaque = opaque;
663     req->iov.iov_base = qemu_blockalign(blk_bs(s->blk), iov->size);
664     req->iov.iov_len = iov->size;
665     qemu_iovec_init_external(&req->qiov, &req->iov, 1);
666 
667     aioreq = blk_aio_preadv(s->blk, sector_num << BDRV_SECTOR_BITS,
668                             &req->qiov, 0, ide_buffered_readv_cb, req);
669 
670     QLIST_INSERT_HEAD(&s->buffered_requests, req, list);
671     return aioreq;
672 }
673 
674 /**
675  * Cancel all pending DMA requests.
676  * Any buffered DMA requests are instantly canceled,
677  * but any pending unbuffered DMA requests must be waited on.
678  */
679 void ide_cancel_dma_sync(IDEState *s)
680 {
681     IDEBufferedRequest *req;
682 
683     /* First invoke the callbacks of all buffered requests
684      * and flag those requests as orphaned. Ideally there
685      * are no unbuffered (Scatter Gather DMA Requests or
686      * write requests) pending and we can avoid to drain. */
687     QLIST_FOREACH(req, &s->buffered_requests, list) {
688         if (!req->orphaned) {
689             trace_ide_cancel_dma_sync_buffered(req->original_cb, req);
690             req->original_cb(req->original_opaque, -ECANCELED);
691         }
692         req->orphaned = true;
693     }
694 
695     /*
696      * We can't cancel Scatter Gather DMA in the middle of the
697      * operation or a partial (not full) DMA transfer would reach
698      * the storage so we wait for completion instead (we beahve
699      * like if the DMA was completed by the time the guest trying
700      * to cancel dma with bmdma_cmd_writeb with BM_CMD_START not
701      * set).
702      *
703      * In the future we'll be able to safely cancel the I/O if the
704      * whole DMA operation will be submitted to disk with a single
705      * aio operation with preadv/pwritev.
706      */
707     if (s->bus->dma->aiocb) {
708         trace_ide_cancel_dma_sync_remaining();
709         blk_drain(s->blk);
710         assert(s->bus->dma->aiocb == NULL);
711     }
712 }
713 
714 static void ide_sector_read(IDEState *s);
715 
716 static void ide_sector_read_cb(void *opaque, int ret)
717 {
718     IDEState *s = opaque;
719     int n;
720 
721     s->pio_aiocb = NULL;
722     s->status &= ~BUSY_STAT;
723 
724     if (ret == -ECANCELED) {
725         return;
726     }
727     if (ret != 0) {
728         if (ide_handle_rw_error(s, -ret, IDE_RETRY_PIO |
729                                 IDE_RETRY_READ)) {
730             return;
731         }
732     }
733 
734     block_acct_done(blk_get_stats(s->blk), &s->acct);
735 
736     n = s->nsector;
737     if (n > s->req_nb_sectors) {
738         n = s->req_nb_sectors;
739     }
740 
741     ide_set_sector(s, ide_get_sector(s) + n);
742     s->nsector -= n;
743     /* Allow the guest to read the io_buffer */
744     ide_transfer_start(s, s->io_buffer, n * BDRV_SECTOR_SIZE, ide_sector_read);
745     ide_set_irq(s->bus);
746 }
747 
748 static void ide_sector_read(IDEState *s)
749 {
750     int64_t sector_num;
751     int n;
752 
753     s->status = READY_STAT | SEEK_STAT;
754     s->error = 0; /* not needed by IDE spec, but needed by Windows */
755     sector_num = ide_get_sector(s);
756     n = s->nsector;
757 
758     if (n == 0) {
759         ide_transfer_stop(s);
760         return;
761     }
762 
763     s->status |= BUSY_STAT;
764 
765     if (n > s->req_nb_sectors) {
766         n = s->req_nb_sectors;
767     }
768 
769     trace_ide_sector_read(sector_num, n);
770 
771     if (!ide_sect_range_ok(s, sector_num, n)) {
772         ide_rw_error(s);
773         block_acct_invalid(blk_get_stats(s->blk), BLOCK_ACCT_READ);
774         return;
775     }
776 
777     s->iov.iov_base = s->io_buffer;
778     s->iov.iov_len  = n * BDRV_SECTOR_SIZE;
779     qemu_iovec_init_external(&s->qiov, &s->iov, 1);
780 
781     block_acct_start(blk_get_stats(s->blk), &s->acct,
782                      n * BDRV_SECTOR_SIZE, BLOCK_ACCT_READ);
783     s->pio_aiocb = ide_buffered_readv(s, sector_num, &s->qiov, n,
784                                       ide_sector_read_cb, s);
785 }
786 
787 void dma_buf_commit(IDEState *s, uint32_t tx_bytes)
788 {
789     if (s->bus->dma->ops->commit_buf) {
790         s->bus->dma->ops->commit_buf(s->bus->dma, tx_bytes);
791     }
792     s->io_buffer_offset += tx_bytes;
793     qemu_sglist_destroy(&s->sg);
794 }
795 
796 void ide_set_inactive(IDEState *s, bool more)
797 {
798     s->bus->dma->aiocb = NULL;
799     ide_clear_retry(s);
800     if (s->bus->dma->ops->set_inactive) {
801         s->bus->dma->ops->set_inactive(s->bus->dma, more);
802     }
803     ide_cmd_done(s);
804 }
805 
806 void ide_dma_error(IDEState *s)
807 {
808     dma_buf_commit(s, 0);
809     ide_abort_command(s);
810     ide_set_inactive(s, false);
811     ide_set_irq(s->bus);
812 }
813 
814 int ide_handle_rw_error(IDEState *s, int error, int op)
815 {
816     bool is_read = (op & IDE_RETRY_READ) != 0;
817     BlockErrorAction action = blk_get_error_action(s->blk, is_read, error);
818 
819     if (action == BLOCK_ERROR_ACTION_STOP) {
820         assert(s->bus->retry_unit == s->unit);
821         s->bus->error_status = op;
822     } else if (action == BLOCK_ERROR_ACTION_REPORT) {
823         block_acct_failed(blk_get_stats(s->blk), &s->acct);
824         if (IS_IDE_RETRY_DMA(op)) {
825             ide_dma_error(s);
826         } else if (IS_IDE_RETRY_ATAPI(op)) {
827             ide_atapi_io_error(s, -error);
828         } else {
829             ide_rw_error(s);
830         }
831     }
832     blk_error_action(s->blk, action, is_read, error);
833     return action != BLOCK_ERROR_ACTION_IGNORE;
834 }
835 
836 static void ide_dma_cb(void *opaque, int ret)
837 {
838     IDEState *s = opaque;
839     int n;
840     int64_t sector_num;
841     uint64_t offset;
842     bool stay_active = false;
843 
844     if (ret == -ECANCELED) {
845         return;
846     }
847 
848     if (ret == -EINVAL) {
849         ide_dma_error(s);
850         return;
851     }
852 
853     if (ret < 0) {
854         if (ide_handle_rw_error(s, -ret, ide_dma_cmd_to_retry(s->dma_cmd))) {
855             s->bus->dma->aiocb = NULL;
856             dma_buf_commit(s, 0);
857             return;
858         }
859     }
860 
861     n = s->io_buffer_size >> 9;
862     if (n > s->nsector) {
863         /* The PRDs were longer than needed for this request. Shorten them so
864          * we don't get a negative remainder. The Active bit must remain set
865          * after the request completes. */
866         n = s->nsector;
867         stay_active = true;
868     }
869 
870     sector_num = ide_get_sector(s);
871     if (n > 0) {
872         assert(n * 512 == s->sg.size);
873         dma_buf_commit(s, s->sg.size);
874         sector_num += n;
875         ide_set_sector(s, sector_num);
876         s->nsector -= n;
877     }
878 
879     /* end of transfer ? */
880     if (s->nsector == 0) {
881         s->status = READY_STAT | SEEK_STAT;
882         ide_set_irq(s->bus);
883         goto eot;
884     }
885 
886     /* launch next transfer */
887     n = s->nsector;
888     s->io_buffer_index = 0;
889     s->io_buffer_size = n * 512;
890     if (s->bus->dma->ops->prepare_buf(s->bus->dma, s->io_buffer_size) < 512) {
891         /* The PRDs were too short. Reset the Active bit, but don't raise an
892          * interrupt. */
893         s->status = READY_STAT | SEEK_STAT;
894         dma_buf_commit(s, 0);
895         goto eot;
896     }
897 
898     trace_ide_dma_cb(s, sector_num, n, IDE_DMA_CMD_str(s->dma_cmd));
899 
900     if ((s->dma_cmd == IDE_DMA_READ || s->dma_cmd == IDE_DMA_WRITE) &&
901         !ide_sect_range_ok(s, sector_num, n)) {
902         ide_dma_error(s);
903         block_acct_invalid(blk_get_stats(s->blk), s->acct.type);
904         return;
905     }
906 
907     offset = sector_num << BDRV_SECTOR_BITS;
908     switch (s->dma_cmd) {
909     case IDE_DMA_READ:
910         s->bus->dma->aiocb = dma_blk_read(s->blk, &s->sg, offset,
911                                           BDRV_SECTOR_SIZE, ide_dma_cb, s);
912         break;
913     case IDE_DMA_WRITE:
914         s->bus->dma->aiocb = dma_blk_write(s->blk, &s->sg, offset,
915                                            BDRV_SECTOR_SIZE, ide_dma_cb, s);
916         break;
917     case IDE_DMA_TRIM:
918         s->bus->dma->aiocb = dma_blk_io(blk_get_aio_context(s->blk),
919                                         &s->sg, offset, BDRV_SECTOR_SIZE,
920                                         ide_issue_trim, s, ide_dma_cb, s,
921                                         DMA_DIRECTION_TO_DEVICE);
922         break;
923     default:
924         abort();
925     }
926     return;
927 
928 eot:
929     if (s->dma_cmd == IDE_DMA_READ || s->dma_cmd == IDE_DMA_WRITE) {
930         block_acct_done(blk_get_stats(s->blk), &s->acct);
931     }
932     ide_set_inactive(s, stay_active);
933 }
934 
935 static void ide_sector_start_dma(IDEState *s, enum ide_dma_cmd dma_cmd)
936 {
937     s->status = READY_STAT | SEEK_STAT | DRQ_STAT;
938     s->io_buffer_size = 0;
939     s->dma_cmd = dma_cmd;
940 
941     switch (dma_cmd) {
942     case IDE_DMA_READ:
943         block_acct_start(blk_get_stats(s->blk), &s->acct,
944                          s->nsector * BDRV_SECTOR_SIZE, BLOCK_ACCT_READ);
945         break;
946     case IDE_DMA_WRITE:
947         block_acct_start(blk_get_stats(s->blk), &s->acct,
948                          s->nsector * BDRV_SECTOR_SIZE, BLOCK_ACCT_WRITE);
949         break;
950     default:
951         break;
952     }
953 
954     ide_start_dma(s, ide_dma_cb);
955 }
956 
957 void ide_start_dma(IDEState *s, BlockCompletionFunc *cb)
958 {
959     s->io_buffer_index = 0;
960     ide_set_retry(s);
961     if (s->bus->dma->ops->start_dma) {
962         s->bus->dma->ops->start_dma(s->bus->dma, s, cb);
963     }
964 }
965 
966 static void ide_sector_write(IDEState *s);
967 
968 static void ide_sector_write_timer_cb(void *opaque)
969 {
970     IDEState *s = opaque;
971     ide_set_irq(s->bus);
972 }
973 
974 static void ide_sector_write_cb(void *opaque, int ret)
975 {
976     IDEState *s = opaque;
977     int n;
978 
979     if (ret == -ECANCELED) {
980         return;
981     }
982 
983     s->pio_aiocb = NULL;
984     s->status &= ~BUSY_STAT;
985 
986     if (ret != 0) {
987         if (ide_handle_rw_error(s, -ret, IDE_RETRY_PIO)) {
988             return;
989         }
990     }
991 
992     block_acct_done(blk_get_stats(s->blk), &s->acct);
993 
994     n = s->nsector;
995     if (n > s->req_nb_sectors) {
996         n = s->req_nb_sectors;
997     }
998     s->nsector -= n;
999 
1000     ide_set_sector(s, ide_get_sector(s) + n);
1001     if (s->nsector == 0) {
1002         /* no more sectors to write */
1003         ide_transfer_stop(s);
1004     } else {
1005         int n1 = s->nsector;
1006         if (n1 > s->req_nb_sectors) {
1007             n1 = s->req_nb_sectors;
1008         }
1009         ide_transfer_start(s, s->io_buffer, n1 * BDRV_SECTOR_SIZE,
1010                            ide_sector_write);
1011     }
1012 
1013     if (win2k_install_hack && ((++s->irq_count % 16) == 0)) {
1014         /* It seems there is a bug in the Windows 2000 installer HDD
1015            IDE driver which fills the disk with empty logs when the
1016            IDE write IRQ comes too early. This hack tries to correct
1017            that at the expense of slower write performances. Use this
1018            option _only_ to install Windows 2000. You must disable it
1019            for normal use. */
1020         timer_mod(s->sector_write_timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) +
1021                   (NANOSECONDS_PER_SECOND / 1000));
1022     } else {
1023         ide_set_irq(s->bus);
1024     }
1025 }
1026 
1027 static void ide_sector_write(IDEState *s)
1028 {
1029     int64_t sector_num;
1030     int n;
1031 
1032     s->status = READY_STAT | SEEK_STAT | BUSY_STAT;
1033     sector_num = ide_get_sector(s);
1034 
1035     n = s->nsector;
1036     if (n > s->req_nb_sectors) {
1037         n = s->req_nb_sectors;
1038     }
1039 
1040     trace_ide_sector_write(sector_num, n);
1041 
1042     if (!ide_sect_range_ok(s, sector_num, n)) {
1043         ide_rw_error(s);
1044         block_acct_invalid(blk_get_stats(s->blk), BLOCK_ACCT_WRITE);
1045         return;
1046     }
1047 
1048     s->iov.iov_base = s->io_buffer;
1049     s->iov.iov_len  = n * BDRV_SECTOR_SIZE;
1050     qemu_iovec_init_external(&s->qiov, &s->iov, 1);
1051 
1052     block_acct_start(blk_get_stats(s->blk), &s->acct,
1053                      n * BDRV_SECTOR_SIZE, BLOCK_ACCT_WRITE);
1054     s->pio_aiocb = blk_aio_pwritev(s->blk, sector_num << BDRV_SECTOR_BITS,
1055                                    &s->qiov, 0, ide_sector_write_cb, s);
1056 }
1057 
1058 static void ide_flush_cb(void *opaque, int ret)
1059 {
1060     IDEState *s = opaque;
1061 
1062     s->pio_aiocb = NULL;
1063 
1064     if (ret == -ECANCELED) {
1065         return;
1066     }
1067     if (ret < 0) {
1068         /* XXX: What sector number to set here? */
1069         if (ide_handle_rw_error(s, -ret, IDE_RETRY_FLUSH)) {
1070             return;
1071         }
1072     }
1073 
1074     if (s->blk) {
1075         block_acct_done(blk_get_stats(s->blk), &s->acct);
1076     }
1077     s->status = READY_STAT | SEEK_STAT;
1078     ide_cmd_done(s);
1079     ide_set_irq(s->bus);
1080 }
1081 
1082 static void ide_flush_cache(IDEState *s)
1083 {
1084     if (s->blk == NULL) {
1085         ide_flush_cb(s, 0);
1086         return;
1087     }
1088 
1089     s->status |= BUSY_STAT;
1090     ide_set_retry(s);
1091     block_acct_start(blk_get_stats(s->blk), &s->acct, 0, BLOCK_ACCT_FLUSH);
1092     s->pio_aiocb = blk_aio_flush(s->blk, ide_flush_cb, s);
1093 }
1094 
1095 static void ide_cfata_metadata_inquiry(IDEState *s)
1096 {
1097     uint16_t *p;
1098     uint32_t spd;
1099 
1100     p = (uint16_t *) s->io_buffer;
1101     memset(p, 0, 0x200);
1102     spd = ((s->mdata_size - 1) >> 9) + 1;
1103 
1104     put_le16(p + 0, 0x0001);			/* Data format revision */
1105     put_le16(p + 1, 0x0000);			/* Media property: silicon */
1106     put_le16(p + 2, s->media_changed);		/* Media status */
1107     put_le16(p + 3, s->mdata_size & 0xffff);	/* Capacity in bytes (low) */
1108     put_le16(p + 4, s->mdata_size >> 16);	/* Capacity in bytes (high) */
1109     put_le16(p + 5, spd & 0xffff);		/* Sectors per device (low) */
1110     put_le16(p + 6, spd >> 16);			/* Sectors per device (high) */
1111 }
1112 
1113 static void ide_cfata_metadata_read(IDEState *s)
1114 {
1115     uint16_t *p;
1116 
1117     if (((s->hcyl << 16) | s->lcyl) << 9 > s->mdata_size + 2) {
1118         s->status = ERR_STAT;
1119         s->error = ABRT_ERR;
1120         return;
1121     }
1122 
1123     p = (uint16_t *) s->io_buffer;
1124     memset(p, 0, 0x200);
1125 
1126     put_le16(p + 0, s->media_changed);		/* Media status */
1127     memcpy(p + 1, s->mdata_storage + (((s->hcyl << 16) | s->lcyl) << 9),
1128                     MIN(MIN(s->mdata_size - (((s->hcyl << 16) | s->lcyl) << 9),
1129                                     s->nsector << 9), 0x200 - 2));
1130 }
1131 
1132 static void ide_cfata_metadata_write(IDEState *s)
1133 {
1134     if (((s->hcyl << 16) | s->lcyl) << 9 > s->mdata_size + 2) {
1135         s->status = ERR_STAT;
1136         s->error = ABRT_ERR;
1137         return;
1138     }
1139 
1140     s->media_changed = 0;
1141 
1142     memcpy(s->mdata_storage + (((s->hcyl << 16) | s->lcyl) << 9),
1143                     s->io_buffer + 2,
1144                     MIN(MIN(s->mdata_size - (((s->hcyl << 16) | s->lcyl) << 9),
1145                                     s->nsector << 9), 0x200 - 2));
1146 }
1147 
1148 /* called when the inserted state of the media has changed */
1149 static void ide_cd_change_cb(void *opaque, bool load, Error **errp)
1150 {
1151     IDEState *s = opaque;
1152     uint64_t nb_sectors;
1153 
1154     s->tray_open = !load;
1155     blk_get_geometry(s->blk, &nb_sectors);
1156     s->nb_sectors = nb_sectors;
1157 
1158     /*
1159      * First indicate to the guest that a CD has been removed.  That's
1160      * done on the next command the guest sends us.
1161      *
1162      * Then we set UNIT_ATTENTION, by which the guest will
1163      * detect a new CD in the drive.  See ide_atapi_cmd() for details.
1164      */
1165     s->cdrom_changed = 1;
1166     s->events.new_media = true;
1167     s->events.eject_request = false;
1168     ide_set_irq(s->bus);
1169 }
1170 
1171 static void ide_cd_eject_request_cb(void *opaque, bool force)
1172 {
1173     IDEState *s = opaque;
1174 
1175     s->events.eject_request = true;
1176     if (force) {
1177         s->tray_locked = false;
1178     }
1179     ide_set_irq(s->bus);
1180 }
1181 
1182 static void ide_cmd_lba48_transform(IDEState *s, int lba48)
1183 {
1184     s->lba48 = lba48;
1185 
1186     /* handle the 'magic' 0 nsector count conversion here. to avoid
1187      * fiddling with the rest of the read logic, we just store the
1188      * full sector count in ->nsector and ignore ->hob_nsector from now
1189      */
1190     if (!s->lba48) {
1191         if (!s->nsector)
1192             s->nsector = 256;
1193     } else {
1194         if (!s->nsector && !s->hob_nsector)
1195             s->nsector = 65536;
1196         else {
1197             int lo = s->nsector;
1198             int hi = s->hob_nsector;
1199 
1200             s->nsector = (hi << 8) | lo;
1201         }
1202     }
1203 }
1204 
1205 static void ide_clear_hob(IDEBus *bus)
1206 {
1207     /* any write clears HOB high bit of device control register */
1208     bus->ifs[0].select &= ~(1 << 7);
1209     bus->ifs[1].select &= ~(1 << 7);
1210 }
1211 
1212 /* IOport [W]rite [R]egisters */
1213 enum ATA_IOPORT_WR {
1214     ATA_IOPORT_WR_DATA = 0,
1215     ATA_IOPORT_WR_FEATURES = 1,
1216     ATA_IOPORT_WR_SECTOR_COUNT = 2,
1217     ATA_IOPORT_WR_SECTOR_NUMBER = 3,
1218     ATA_IOPORT_WR_CYLINDER_LOW = 4,
1219     ATA_IOPORT_WR_CYLINDER_HIGH = 5,
1220     ATA_IOPORT_WR_DEVICE_HEAD = 6,
1221     ATA_IOPORT_WR_COMMAND = 7,
1222     ATA_IOPORT_WR_NUM_REGISTERS,
1223 };
1224 
1225 const char *ATA_IOPORT_WR_lookup[ATA_IOPORT_WR_NUM_REGISTERS] = {
1226     [ATA_IOPORT_WR_DATA] = "Data",
1227     [ATA_IOPORT_WR_FEATURES] = "Features",
1228     [ATA_IOPORT_WR_SECTOR_COUNT] = "Sector Count",
1229     [ATA_IOPORT_WR_SECTOR_NUMBER] = "Sector Number",
1230     [ATA_IOPORT_WR_CYLINDER_LOW] = "Cylinder Low",
1231     [ATA_IOPORT_WR_CYLINDER_HIGH] = "Cylinder High",
1232     [ATA_IOPORT_WR_DEVICE_HEAD] = "Device/Head",
1233     [ATA_IOPORT_WR_COMMAND] = "Command"
1234 };
1235 
1236 void ide_ioport_write(void *opaque, uint32_t addr, uint32_t val)
1237 {
1238     IDEBus *bus = opaque;
1239     IDEState *s = idebus_active_if(bus);
1240     int reg_num = addr & 7;
1241 
1242     trace_ide_ioport_write(addr, ATA_IOPORT_WR_lookup[reg_num], val, bus, s);
1243 
1244     /* ignore writes to command block while busy with previous command */
1245     if (reg_num != 7 && (s->status & (BUSY_STAT|DRQ_STAT))) {
1246         return;
1247     }
1248 
1249     switch (reg_num) {
1250     case 0:
1251         break;
1252     case ATA_IOPORT_WR_FEATURES:
1253         ide_clear_hob(bus);
1254         /* NOTE: data is written to the two drives */
1255         bus->ifs[0].hob_feature = bus->ifs[0].feature;
1256         bus->ifs[1].hob_feature = bus->ifs[1].feature;
1257         bus->ifs[0].feature = val;
1258         bus->ifs[1].feature = val;
1259         break;
1260     case ATA_IOPORT_WR_SECTOR_COUNT:
1261         ide_clear_hob(bus);
1262         bus->ifs[0].hob_nsector = bus->ifs[0].nsector;
1263         bus->ifs[1].hob_nsector = bus->ifs[1].nsector;
1264         bus->ifs[0].nsector = val;
1265         bus->ifs[1].nsector = val;
1266         break;
1267     case ATA_IOPORT_WR_SECTOR_NUMBER:
1268         ide_clear_hob(bus);
1269         bus->ifs[0].hob_sector = bus->ifs[0].sector;
1270         bus->ifs[1].hob_sector = bus->ifs[1].sector;
1271         bus->ifs[0].sector = val;
1272         bus->ifs[1].sector = val;
1273         break;
1274     case ATA_IOPORT_WR_CYLINDER_LOW:
1275         ide_clear_hob(bus);
1276         bus->ifs[0].hob_lcyl = bus->ifs[0].lcyl;
1277         bus->ifs[1].hob_lcyl = bus->ifs[1].lcyl;
1278         bus->ifs[0].lcyl = val;
1279         bus->ifs[1].lcyl = val;
1280         break;
1281     case ATA_IOPORT_WR_CYLINDER_HIGH:
1282         ide_clear_hob(bus);
1283         bus->ifs[0].hob_hcyl = bus->ifs[0].hcyl;
1284         bus->ifs[1].hob_hcyl = bus->ifs[1].hcyl;
1285         bus->ifs[0].hcyl = val;
1286         bus->ifs[1].hcyl = val;
1287         break;
1288     case ATA_IOPORT_WR_DEVICE_HEAD:
1289         /* FIXME: HOB readback uses bit 7 */
1290         bus->ifs[0].select = (val & ~0x10) | 0xa0;
1291         bus->ifs[1].select = (val | 0x10) | 0xa0;
1292         /* select drive */
1293         bus->unit = (val >> 4) & 1;
1294         break;
1295     default:
1296     case ATA_IOPORT_WR_COMMAND:
1297         /* command */
1298         ide_exec_cmd(bus, val);
1299         break;
1300     }
1301 }
1302 
1303 static void ide_reset(IDEState *s)
1304 {
1305     trace_ide_reset(s);
1306 
1307     if (s->pio_aiocb) {
1308         blk_aio_cancel(s->pio_aiocb);
1309         s->pio_aiocb = NULL;
1310     }
1311 
1312     if (s->drive_kind == IDE_CFATA)
1313         s->mult_sectors = 0;
1314     else
1315         s->mult_sectors = MAX_MULT_SECTORS;
1316     /* ide regs */
1317     s->feature = 0;
1318     s->error = 0;
1319     s->nsector = 0;
1320     s->sector = 0;
1321     s->lcyl = 0;
1322     s->hcyl = 0;
1323 
1324     /* lba48 */
1325     s->hob_feature = 0;
1326     s->hob_sector = 0;
1327     s->hob_nsector = 0;
1328     s->hob_lcyl = 0;
1329     s->hob_hcyl = 0;
1330 
1331     s->select = 0xa0;
1332     s->status = READY_STAT | SEEK_STAT;
1333 
1334     s->lba48 = 0;
1335 
1336     /* ATAPI specific */
1337     s->sense_key = 0;
1338     s->asc = 0;
1339     s->cdrom_changed = 0;
1340     s->packet_transfer_size = 0;
1341     s->elementary_transfer_size = 0;
1342     s->io_buffer_index = 0;
1343     s->cd_sector_size = 0;
1344     s->atapi_dma = 0;
1345     s->tray_locked = 0;
1346     s->tray_open = 0;
1347     /* ATA DMA state */
1348     s->io_buffer_size = 0;
1349     s->req_nb_sectors = 0;
1350 
1351     ide_set_signature(s);
1352     /* init the transfer handler so that 0xffff is returned on data
1353        accesses */
1354     s->end_transfer_func = ide_dummy_transfer_stop;
1355     ide_dummy_transfer_stop(s);
1356     s->media_changed = 0;
1357 }
1358 
1359 static bool cmd_nop(IDEState *s, uint8_t cmd)
1360 {
1361     return true;
1362 }
1363 
1364 static bool cmd_device_reset(IDEState *s, uint8_t cmd)
1365 {
1366     /* Halt PIO (in the DRQ phase), then DMA */
1367     ide_transfer_halt(s);
1368     ide_cancel_dma_sync(s);
1369 
1370     /* Reset any PIO commands, reset signature, etc */
1371     ide_reset(s);
1372 
1373     /* RESET: ATA8-ACS3 7.10.4 "Normal Outputs";
1374      * ATA8-ACS3 Table 184 "Device Signatures for Normal Output" */
1375     s->status = 0x00;
1376 
1377     /* Do not overwrite status register */
1378     return false;
1379 }
1380 
1381 static bool cmd_data_set_management(IDEState *s, uint8_t cmd)
1382 {
1383     switch (s->feature) {
1384     case DSM_TRIM:
1385         if (s->blk) {
1386             ide_sector_start_dma(s, IDE_DMA_TRIM);
1387             return false;
1388         }
1389         break;
1390     }
1391 
1392     ide_abort_command(s);
1393     return true;
1394 }
1395 
1396 static bool cmd_identify(IDEState *s, uint8_t cmd)
1397 {
1398     if (s->blk && s->drive_kind != IDE_CD) {
1399         if (s->drive_kind != IDE_CFATA) {
1400             ide_identify(s);
1401         } else {
1402             ide_cfata_identify(s);
1403         }
1404         s->status = READY_STAT | SEEK_STAT;
1405         ide_transfer_start(s, s->io_buffer, 512, ide_transfer_stop);
1406         ide_set_irq(s->bus);
1407         return false;
1408     } else {
1409         if (s->drive_kind == IDE_CD) {
1410             ide_set_signature(s);
1411         }
1412         ide_abort_command(s);
1413     }
1414 
1415     return true;
1416 }
1417 
1418 static bool cmd_verify(IDEState *s, uint8_t cmd)
1419 {
1420     bool lba48 = (cmd == WIN_VERIFY_EXT);
1421 
1422     /* do sector number check ? */
1423     ide_cmd_lba48_transform(s, lba48);
1424 
1425     return true;
1426 }
1427 
1428 static bool cmd_set_multiple_mode(IDEState *s, uint8_t cmd)
1429 {
1430     if (s->drive_kind == IDE_CFATA && s->nsector == 0) {
1431         /* Disable Read and Write Multiple */
1432         s->mult_sectors = 0;
1433     } else if ((s->nsector & 0xff) != 0 &&
1434         ((s->nsector & 0xff) > MAX_MULT_SECTORS ||
1435          (s->nsector & (s->nsector - 1)) != 0)) {
1436         ide_abort_command(s);
1437     } else {
1438         s->mult_sectors = s->nsector & 0xff;
1439     }
1440 
1441     return true;
1442 }
1443 
1444 static bool cmd_read_multiple(IDEState *s, uint8_t cmd)
1445 {
1446     bool lba48 = (cmd == WIN_MULTREAD_EXT);
1447 
1448     if (!s->blk || !s->mult_sectors) {
1449         ide_abort_command(s);
1450         return true;
1451     }
1452 
1453     ide_cmd_lba48_transform(s, lba48);
1454     s->req_nb_sectors = s->mult_sectors;
1455     ide_sector_read(s);
1456     return false;
1457 }
1458 
1459 static bool cmd_write_multiple(IDEState *s, uint8_t cmd)
1460 {
1461     bool lba48 = (cmd == WIN_MULTWRITE_EXT);
1462     int n;
1463 
1464     if (!s->blk || !s->mult_sectors) {
1465         ide_abort_command(s);
1466         return true;
1467     }
1468 
1469     ide_cmd_lba48_transform(s, lba48);
1470 
1471     s->req_nb_sectors = s->mult_sectors;
1472     n = MIN(s->nsector, s->req_nb_sectors);
1473 
1474     s->status = SEEK_STAT | READY_STAT;
1475     ide_transfer_start(s, s->io_buffer, 512 * n, ide_sector_write);
1476 
1477     s->media_changed = 1;
1478 
1479     return false;
1480 }
1481 
1482 static bool cmd_read_pio(IDEState *s, uint8_t cmd)
1483 {
1484     bool lba48 = (cmd == WIN_READ_EXT);
1485 
1486     if (s->drive_kind == IDE_CD) {
1487         ide_set_signature(s); /* odd, but ATA4 8.27.5.2 requires it */
1488         ide_abort_command(s);
1489         return true;
1490     }
1491 
1492     if (!s->blk) {
1493         ide_abort_command(s);
1494         return true;
1495     }
1496 
1497     ide_cmd_lba48_transform(s, lba48);
1498     s->req_nb_sectors = 1;
1499     ide_sector_read(s);
1500 
1501     return false;
1502 }
1503 
1504 static bool cmd_write_pio(IDEState *s, uint8_t cmd)
1505 {
1506     bool lba48 = (cmd == WIN_WRITE_EXT);
1507 
1508     if (!s->blk) {
1509         ide_abort_command(s);
1510         return true;
1511     }
1512 
1513     ide_cmd_lba48_transform(s, lba48);
1514 
1515     s->req_nb_sectors = 1;
1516     s->status = SEEK_STAT | READY_STAT;
1517     ide_transfer_start(s, s->io_buffer, 512, ide_sector_write);
1518 
1519     s->media_changed = 1;
1520 
1521     return false;
1522 }
1523 
1524 static bool cmd_read_dma(IDEState *s, uint8_t cmd)
1525 {
1526     bool lba48 = (cmd == WIN_READDMA_EXT);
1527 
1528     if (!s->blk) {
1529         ide_abort_command(s);
1530         return true;
1531     }
1532 
1533     ide_cmd_lba48_transform(s, lba48);
1534     ide_sector_start_dma(s, IDE_DMA_READ);
1535 
1536     return false;
1537 }
1538 
1539 static bool cmd_write_dma(IDEState *s, uint8_t cmd)
1540 {
1541     bool lba48 = (cmd == WIN_WRITEDMA_EXT);
1542 
1543     if (!s->blk) {
1544         ide_abort_command(s);
1545         return true;
1546     }
1547 
1548     ide_cmd_lba48_transform(s, lba48);
1549     ide_sector_start_dma(s, IDE_DMA_WRITE);
1550 
1551     s->media_changed = 1;
1552 
1553     return false;
1554 }
1555 
1556 static bool cmd_flush_cache(IDEState *s, uint8_t cmd)
1557 {
1558     ide_flush_cache(s);
1559     return false;
1560 }
1561 
1562 static bool cmd_seek(IDEState *s, uint8_t cmd)
1563 {
1564     /* XXX: Check that seek is within bounds */
1565     return true;
1566 }
1567 
1568 static bool cmd_read_native_max(IDEState *s, uint8_t cmd)
1569 {
1570     bool lba48 = (cmd == WIN_READ_NATIVE_MAX_EXT);
1571 
1572     /* Refuse if no sectors are addressable (e.g. medium not inserted) */
1573     if (s->nb_sectors == 0) {
1574         ide_abort_command(s);
1575         return true;
1576     }
1577 
1578     ide_cmd_lba48_transform(s, lba48);
1579     ide_set_sector(s, s->nb_sectors - 1);
1580 
1581     return true;
1582 }
1583 
1584 static bool cmd_check_power_mode(IDEState *s, uint8_t cmd)
1585 {
1586     s->nsector = 0xff; /* device active or idle */
1587     return true;
1588 }
1589 
1590 static bool cmd_set_features(IDEState *s, uint8_t cmd)
1591 {
1592     uint16_t *identify_data;
1593 
1594     if (!s->blk) {
1595         ide_abort_command(s);
1596         return true;
1597     }
1598 
1599     /* XXX: valid for CDROM ? */
1600     switch (s->feature) {
1601     case 0x02: /* write cache enable */
1602         blk_set_enable_write_cache(s->blk, true);
1603         identify_data = (uint16_t *)s->identify_data;
1604         put_le16(identify_data + 85, (1 << 14) | (1 << 5) | 1);
1605         return true;
1606     case 0x82: /* write cache disable */
1607         blk_set_enable_write_cache(s->blk, false);
1608         identify_data = (uint16_t *)s->identify_data;
1609         put_le16(identify_data + 85, (1 << 14) | 1);
1610         ide_flush_cache(s);
1611         return false;
1612     case 0xcc: /* reverting to power-on defaults enable */
1613     case 0x66: /* reverting to power-on defaults disable */
1614     case 0xaa: /* read look-ahead enable */
1615     case 0x55: /* read look-ahead disable */
1616     case 0x05: /* set advanced power management mode */
1617     case 0x85: /* disable advanced power management mode */
1618     case 0x69: /* NOP */
1619     case 0x67: /* NOP */
1620     case 0x96: /* NOP */
1621     case 0x9a: /* NOP */
1622     case 0x42: /* enable Automatic Acoustic Mode */
1623     case 0xc2: /* disable Automatic Acoustic Mode */
1624         return true;
1625     case 0x03: /* set transfer mode */
1626         {
1627             uint8_t val = s->nsector & 0x07;
1628             identify_data = (uint16_t *)s->identify_data;
1629 
1630             switch (s->nsector >> 3) {
1631             case 0x00: /* pio default */
1632             case 0x01: /* pio mode */
1633                 put_le16(identify_data + 62, 0x07);
1634                 put_le16(identify_data + 63, 0x07);
1635                 put_le16(identify_data + 88, 0x3f);
1636                 break;
1637             case 0x02: /* sigle word dma mode*/
1638                 put_le16(identify_data + 62, 0x07 | (1 << (val + 8)));
1639                 put_le16(identify_data + 63, 0x07);
1640                 put_le16(identify_data + 88, 0x3f);
1641                 break;
1642             case 0x04: /* mdma mode */
1643                 put_le16(identify_data + 62, 0x07);
1644                 put_le16(identify_data + 63, 0x07 | (1 << (val + 8)));
1645                 put_le16(identify_data + 88, 0x3f);
1646                 break;
1647             case 0x08: /* udma mode */
1648                 put_le16(identify_data + 62, 0x07);
1649                 put_le16(identify_data + 63, 0x07);
1650                 put_le16(identify_data + 88, 0x3f | (1 << (val + 8)));
1651                 break;
1652             default:
1653                 goto abort_cmd;
1654             }
1655             return true;
1656         }
1657     }
1658 
1659 abort_cmd:
1660     ide_abort_command(s);
1661     return true;
1662 }
1663 
1664 
1665 /*** ATAPI commands ***/
1666 
1667 static bool cmd_identify_packet(IDEState *s, uint8_t cmd)
1668 {
1669     ide_atapi_identify(s);
1670     s->status = READY_STAT | SEEK_STAT;
1671     ide_transfer_start(s, s->io_buffer, 512, ide_transfer_stop);
1672     ide_set_irq(s->bus);
1673     return false;
1674 }
1675 
1676 static bool cmd_exec_dev_diagnostic(IDEState *s, uint8_t cmd)
1677 {
1678     ide_set_signature(s);
1679 
1680     if (s->drive_kind == IDE_CD) {
1681         s->status = 0; /* ATAPI spec (v6) section 9.10 defines packet
1682                         * devices to return a clear status register
1683                         * with READY_STAT *not* set. */
1684         s->error = 0x01;
1685     } else {
1686         s->status = READY_STAT | SEEK_STAT;
1687         /* The bits of the error register are not as usual for this command!
1688          * They are part of the regular output (this is why ERR_STAT isn't set)
1689          * Device 0 passed, Device 1 passed or not present. */
1690         s->error = 0x01;
1691         ide_set_irq(s->bus);
1692     }
1693 
1694     return false;
1695 }
1696 
1697 static bool cmd_packet(IDEState *s, uint8_t cmd)
1698 {
1699     /* overlapping commands not supported */
1700     if (s->feature & 0x02) {
1701         ide_abort_command(s);
1702         return true;
1703     }
1704 
1705     s->status = READY_STAT | SEEK_STAT;
1706     s->atapi_dma = s->feature & 1;
1707     if (s->atapi_dma) {
1708         s->dma_cmd = IDE_DMA_ATAPI;
1709     }
1710     s->nsector = 1;
1711     ide_transfer_start(s, s->io_buffer, ATAPI_PACKET_SIZE,
1712                        ide_atapi_cmd);
1713     return false;
1714 }
1715 
1716 
1717 /*** CF-ATA commands ***/
1718 
1719 static bool cmd_cfa_req_ext_error_code(IDEState *s, uint8_t cmd)
1720 {
1721     s->error = 0x09;    /* miscellaneous error */
1722     s->status = READY_STAT | SEEK_STAT;
1723     ide_set_irq(s->bus);
1724 
1725     return false;
1726 }
1727 
1728 static bool cmd_cfa_erase_sectors(IDEState *s, uint8_t cmd)
1729 {
1730     /* WIN_SECURITY_FREEZE_LOCK has the same ID as CFA_WEAR_LEVEL and is
1731      * required for Windows 8 to work with AHCI */
1732 
1733     if (cmd == CFA_WEAR_LEVEL) {
1734         s->nsector = 0;
1735     }
1736 
1737     if (cmd == CFA_ERASE_SECTORS) {
1738         s->media_changed = 1;
1739     }
1740 
1741     return true;
1742 }
1743 
1744 static bool cmd_cfa_translate_sector(IDEState *s, uint8_t cmd)
1745 {
1746     s->status = READY_STAT | SEEK_STAT;
1747 
1748     memset(s->io_buffer, 0, 0x200);
1749     s->io_buffer[0x00] = s->hcyl;                   /* Cyl MSB */
1750     s->io_buffer[0x01] = s->lcyl;                   /* Cyl LSB */
1751     s->io_buffer[0x02] = s->select;                 /* Head */
1752     s->io_buffer[0x03] = s->sector;                 /* Sector */
1753     s->io_buffer[0x04] = ide_get_sector(s) >> 16;   /* LBA MSB */
1754     s->io_buffer[0x05] = ide_get_sector(s) >> 8;    /* LBA */
1755     s->io_buffer[0x06] = ide_get_sector(s) >> 0;    /* LBA LSB */
1756     s->io_buffer[0x13] = 0x00;                      /* Erase flag */
1757     s->io_buffer[0x18] = 0x00;                      /* Hot count */
1758     s->io_buffer[0x19] = 0x00;                      /* Hot count */
1759     s->io_buffer[0x1a] = 0x01;                      /* Hot count */
1760 
1761     ide_transfer_start(s, s->io_buffer, 0x200, ide_transfer_stop);
1762     ide_set_irq(s->bus);
1763 
1764     return false;
1765 }
1766 
1767 static bool cmd_cfa_access_metadata_storage(IDEState *s, uint8_t cmd)
1768 {
1769     switch (s->feature) {
1770     case 0x02:  /* Inquiry Metadata Storage */
1771         ide_cfata_metadata_inquiry(s);
1772         break;
1773     case 0x03:  /* Read Metadata Storage */
1774         ide_cfata_metadata_read(s);
1775         break;
1776     case 0x04:  /* Write Metadata Storage */
1777         ide_cfata_metadata_write(s);
1778         break;
1779     default:
1780         ide_abort_command(s);
1781         return true;
1782     }
1783 
1784     ide_transfer_start(s, s->io_buffer, 0x200, ide_transfer_stop);
1785     s->status = 0x00; /* NOTE: READY is _not_ set */
1786     ide_set_irq(s->bus);
1787 
1788     return false;
1789 }
1790 
1791 static bool cmd_ibm_sense_condition(IDEState *s, uint8_t cmd)
1792 {
1793     switch (s->feature) {
1794     case 0x01:  /* sense temperature in device */
1795         s->nsector = 0x50;      /* +20 C */
1796         break;
1797     default:
1798         ide_abort_command(s);
1799         return true;
1800     }
1801 
1802     return true;
1803 }
1804 
1805 
1806 /*** SMART commands ***/
1807 
1808 static bool cmd_smart(IDEState *s, uint8_t cmd)
1809 {
1810     int n;
1811 
1812     if (s->hcyl != 0xc2 || s->lcyl != 0x4f) {
1813         goto abort_cmd;
1814     }
1815 
1816     if (!s->smart_enabled && s->feature != SMART_ENABLE) {
1817         goto abort_cmd;
1818     }
1819 
1820     switch (s->feature) {
1821     case SMART_DISABLE:
1822         s->smart_enabled = 0;
1823         return true;
1824 
1825     case SMART_ENABLE:
1826         s->smart_enabled = 1;
1827         return true;
1828 
1829     case SMART_ATTR_AUTOSAVE:
1830         switch (s->sector) {
1831         case 0x00:
1832             s->smart_autosave = 0;
1833             break;
1834         case 0xf1:
1835             s->smart_autosave = 1;
1836             break;
1837         default:
1838             goto abort_cmd;
1839         }
1840         return true;
1841 
1842     case SMART_STATUS:
1843         if (!s->smart_errors) {
1844             s->hcyl = 0xc2;
1845             s->lcyl = 0x4f;
1846         } else {
1847             s->hcyl = 0x2c;
1848             s->lcyl = 0xf4;
1849         }
1850         return true;
1851 
1852     case SMART_READ_THRESH:
1853         memset(s->io_buffer, 0, 0x200);
1854         s->io_buffer[0] = 0x01; /* smart struct version */
1855 
1856         for (n = 0; n < ARRAY_SIZE(smart_attributes); n++) {
1857             s->io_buffer[2 + 0 + (n * 12)] = smart_attributes[n][0];
1858             s->io_buffer[2 + 1 + (n * 12)] = smart_attributes[n][11];
1859         }
1860 
1861         /* checksum */
1862         for (n = 0; n < 511; n++) {
1863             s->io_buffer[511] += s->io_buffer[n];
1864         }
1865         s->io_buffer[511] = 0x100 - s->io_buffer[511];
1866 
1867         s->status = READY_STAT | SEEK_STAT;
1868         ide_transfer_start(s, s->io_buffer, 0x200, ide_transfer_stop);
1869         ide_set_irq(s->bus);
1870         return false;
1871 
1872     case SMART_READ_DATA:
1873         memset(s->io_buffer, 0, 0x200);
1874         s->io_buffer[0] = 0x01; /* smart struct version */
1875 
1876         for (n = 0; n < ARRAY_SIZE(smart_attributes); n++) {
1877             int i;
1878             for (i = 0; i < 11; i++) {
1879                 s->io_buffer[2 + i + (n * 12)] = smart_attributes[n][i];
1880             }
1881         }
1882 
1883         s->io_buffer[362] = 0x02 | (s->smart_autosave ? 0x80 : 0x00);
1884         if (s->smart_selftest_count == 0) {
1885             s->io_buffer[363] = 0;
1886         } else {
1887             s->io_buffer[363] =
1888                 s->smart_selftest_data[3 +
1889                            (s->smart_selftest_count - 1) *
1890                            24];
1891         }
1892         s->io_buffer[364] = 0x20;
1893         s->io_buffer[365] = 0x01;
1894         /* offline data collection capacity: execute + self-test*/
1895         s->io_buffer[367] = (1 << 4 | 1 << 3 | 1);
1896         s->io_buffer[368] = 0x03; /* smart capability (1) */
1897         s->io_buffer[369] = 0x00; /* smart capability (2) */
1898         s->io_buffer[370] = 0x01; /* error logging supported */
1899         s->io_buffer[372] = 0x02; /* minutes for poll short test */
1900         s->io_buffer[373] = 0x36; /* minutes for poll ext test */
1901         s->io_buffer[374] = 0x01; /* minutes for poll conveyance */
1902 
1903         for (n = 0; n < 511; n++) {
1904             s->io_buffer[511] += s->io_buffer[n];
1905         }
1906         s->io_buffer[511] = 0x100 - s->io_buffer[511];
1907 
1908         s->status = READY_STAT | SEEK_STAT;
1909         ide_transfer_start(s, s->io_buffer, 0x200, ide_transfer_stop);
1910         ide_set_irq(s->bus);
1911         return false;
1912 
1913     case SMART_READ_LOG:
1914         switch (s->sector) {
1915         case 0x01: /* summary smart error log */
1916             memset(s->io_buffer, 0, 0x200);
1917             s->io_buffer[0] = 0x01;
1918             s->io_buffer[1] = 0x00; /* no error entries */
1919             s->io_buffer[452] = s->smart_errors & 0xff;
1920             s->io_buffer[453] = (s->smart_errors & 0xff00) >> 8;
1921 
1922             for (n = 0; n < 511; n++) {
1923                 s->io_buffer[511] += s->io_buffer[n];
1924             }
1925             s->io_buffer[511] = 0x100 - s->io_buffer[511];
1926             break;
1927         case 0x06: /* smart self test log */
1928             memset(s->io_buffer, 0, 0x200);
1929             s->io_buffer[0] = 0x01;
1930             if (s->smart_selftest_count == 0) {
1931                 s->io_buffer[508] = 0;
1932             } else {
1933                 s->io_buffer[508] = s->smart_selftest_count;
1934                 for (n = 2; n < 506; n++)  {
1935                     s->io_buffer[n] = s->smart_selftest_data[n];
1936                 }
1937             }
1938 
1939             for (n = 0; n < 511; n++) {
1940                 s->io_buffer[511] += s->io_buffer[n];
1941             }
1942             s->io_buffer[511] = 0x100 - s->io_buffer[511];
1943             break;
1944         default:
1945             goto abort_cmd;
1946         }
1947         s->status = READY_STAT | SEEK_STAT;
1948         ide_transfer_start(s, s->io_buffer, 0x200, ide_transfer_stop);
1949         ide_set_irq(s->bus);
1950         return false;
1951 
1952     case SMART_EXECUTE_OFFLINE:
1953         switch (s->sector) {
1954         case 0: /* off-line routine */
1955         case 1: /* short self test */
1956         case 2: /* extended self test */
1957             s->smart_selftest_count++;
1958             if (s->smart_selftest_count > 21) {
1959                 s->smart_selftest_count = 1;
1960             }
1961             n = 2 + (s->smart_selftest_count - 1) * 24;
1962             s->smart_selftest_data[n] = s->sector;
1963             s->smart_selftest_data[n + 1] = 0x00; /* OK and finished */
1964             s->smart_selftest_data[n + 2] = 0x34; /* hour count lsb */
1965             s->smart_selftest_data[n + 3] = 0x12; /* hour count msb */
1966             break;
1967         default:
1968             goto abort_cmd;
1969         }
1970         return true;
1971     }
1972 
1973 abort_cmd:
1974     ide_abort_command(s);
1975     return true;
1976 }
1977 
1978 #define HD_OK (1u << IDE_HD)
1979 #define CD_OK (1u << IDE_CD)
1980 #define CFA_OK (1u << IDE_CFATA)
1981 #define HD_CFA_OK (HD_OK | CFA_OK)
1982 #define ALL_OK (HD_OK | CD_OK | CFA_OK)
1983 
1984 /* Set the Disk Seek Completed status bit during completion */
1985 #define SET_DSC (1u << 8)
1986 
1987 /* See ACS-2 T13/2015-D Table B.2 Command codes */
1988 static const struct {
1989     /* Returns true if the completion code should be run */
1990     bool (*handler)(IDEState *s, uint8_t cmd);
1991     int flags;
1992 } ide_cmd_table[0x100] = {
1993     /* NOP not implemented, mandatory for CD */
1994     [CFA_REQ_EXT_ERROR_CODE]      = { cmd_cfa_req_ext_error_code, CFA_OK },
1995     [WIN_DSM]                     = { cmd_data_set_management, HD_CFA_OK },
1996     [WIN_DEVICE_RESET]            = { cmd_device_reset, CD_OK },
1997     [WIN_RECAL]                   = { cmd_nop, HD_CFA_OK | SET_DSC},
1998     [WIN_READ]                    = { cmd_read_pio, ALL_OK },
1999     [WIN_READ_ONCE]               = { cmd_read_pio, HD_CFA_OK },
2000     [WIN_READ_EXT]                = { cmd_read_pio, HD_CFA_OK },
2001     [WIN_READDMA_EXT]             = { cmd_read_dma, HD_CFA_OK },
2002     [WIN_READ_NATIVE_MAX_EXT]     = { cmd_read_native_max, HD_CFA_OK | SET_DSC },
2003     [WIN_MULTREAD_EXT]            = { cmd_read_multiple, HD_CFA_OK },
2004     [WIN_WRITE]                   = { cmd_write_pio, HD_CFA_OK },
2005     [WIN_WRITE_ONCE]              = { cmd_write_pio, HD_CFA_OK },
2006     [WIN_WRITE_EXT]               = { cmd_write_pio, HD_CFA_OK },
2007     [WIN_WRITEDMA_EXT]            = { cmd_write_dma, HD_CFA_OK },
2008     [CFA_WRITE_SECT_WO_ERASE]     = { cmd_write_pio, CFA_OK },
2009     [WIN_MULTWRITE_EXT]           = { cmd_write_multiple, HD_CFA_OK },
2010     [WIN_WRITE_VERIFY]            = { cmd_write_pio, HD_CFA_OK },
2011     [WIN_VERIFY]                  = { cmd_verify, HD_CFA_OK | SET_DSC },
2012     [WIN_VERIFY_ONCE]             = { cmd_verify, HD_CFA_OK | SET_DSC },
2013     [WIN_VERIFY_EXT]              = { cmd_verify, HD_CFA_OK | SET_DSC },
2014     [WIN_SEEK]                    = { cmd_seek, HD_CFA_OK | SET_DSC },
2015     [CFA_TRANSLATE_SECTOR]        = { cmd_cfa_translate_sector, CFA_OK },
2016     [WIN_DIAGNOSE]                = { cmd_exec_dev_diagnostic, ALL_OK },
2017     [WIN_SPECIFY]                 = { cmd_nop, HD_CFA_OK | SET_DSC },
2018     [WIN_STANDBYNOW2]             = { cmd_nop, HD_CFA_OK },
2019     [WIN_IDLEIMMEDIATE2]          = { cmd_nop, HD_CFA_OK },
2020     [WIN_STANDBY2]                = { cmd_nop, HD_CFA_OK },
2021     [WIN_SETIDLE2]                = { cmd_nop, HD_CFA_OK },
2022     [WIN_CHECKPOWERMODE2]         = { cmd_check_power_mode, HD_CFA_OK | SET_DSC },
2023     [WIN_SLEEPNOW2]               = { cmd_nop, HD_CFA_OK },
2024     [WIN_PACKETCMD]               = { cmd_packet, CD_OK },
2025     [WIN_PIDENTIFY]               = { cmd_identify_packet, CD_OK },
2026     [WIN_SMART]                   = { cmd_smart, HD_CFA_OK | SET_DSC },
2027     [CFA_ACCESS_METADATA_STORAGE] = { cmd_cfa_access_metadata_storage, CFA_OK },
2028     [CFA_ERASE_SECTORS]           = { cmd_cfa_erase_sectors, CFA_OK | SET_DSC },
2029     [WIN_MULTREAD]                = { cmd_read_multiple, HD_CFA_OK },
2030     [WIN_MULTWRITE]               = { cmd_write_multiple, HD_CFA_OK },
2031     [WIN_SETMULT]                 = { cmd_set_multiple_mode, HD_CFA_OK | SET_DSC },
2032     [WIN_READDMA]                 = { cmd_read_dma, HD_CFA_OK },
2033     [WIN_READDMA_ONCE]            = { cmd_read_dma, HD_CFA_OK },
2034     [WIN_WRITEDMA]                = { cmd_write_dma, HD_CFA_OK },
2035     [WIN_WRITEDMA_ONCE]           = { cmd_write_dma, HD_CFA_OK },
2036     [CFA_WRITE_MULTI_WO_ERASE]    = { cmd_write_multiple, CFA_OK },
2037     [WIN_STANDBYNOW1]             = { cmd_nop, HD_CFA_OK },
2038     [WIN_IDLEIMMEDIATE]           = { cmd_nop, HD_CFA_OK },
2039     [WIN_STANDBY]                 = { cmd_nop, HD_CFA_OK },
2040     [WIN_SETIDLE1]                = { cmd_nop, HD_CFA_OK },
2041     [WIN_CHECKPOWERMODE1]         = { cmd_check_power_mode, HD_CFA_OK | SET_DSC },
2042     [WIN_SLEEPNOW1]               = { cmd_nop, HD_CFA_OK },
2043     [WIN_FLUSH_CACHE]             = { cmd_flush_cache, ALL_OK },
2044     [WIN_FLUSH_CACHE_EXT]         = { cmd_flush_cache, HD_CFA_OK },
2045     [WIN_IDENTIFY]                = { cmd_identify, ALL_OK },
2046     [WIN_SETFEATURES]             = { cmd_set_features, ALL_OK | SET_DSC },
2047     [IBM_SENSE_CONDITION]         = { cmd_ibm_sense_condition, CFA_OK | SET_DSC },
2048     [CFA_WEAR_LEVEL]              = { cmd_cfa_erase_sectors, HD_CFA_OK | SET_DSC },
2049     [WIN_READ_NATIVE_MAX]         = { cmd_read_native_max, HD_CFA_OK | SET_DSC },
2050 };
2051 
2052 static bool ide_cmd_permitted(IDEState *s, uint32_t cmd)
2053 {
2054     return cmd < ARRAY_SIZE(ide_cmd_table)
2055         && (ide_cmd_table[cmd].flags & (1u << s->drive_kind));
2056 }
2057 
2058 void ide_exec_cmd(IDEBus *bus, uint32_t val)
2059 {
2060     IDEState *s;
2061     bool complete;
2062 
2063     s = idebus_active_if(bus);
2064     trace_ide_exec_cmd(bus, s, val);
2065 
2066     /* ignore commands to non existent slave */
2067     if (s != bus->ifs && !s->blk) {
2068         return;
2069     }
2070 
2071     /* Only RESET is allowed while BSY and/or DRQ are set,
2072      * and only to ATAPI devices. */
2073     if (s->status & (BUSY_STAT|DRQ_STAT)) {
2074         if (val != WIN_DEVICE_RESET || s->drive_kind != IDE_CD) {
2075             return;
2076         }
2077     }
2078 
2079     if (!ide_cmd_permitted(s, val)) {
2080         ide_abort_command(s);
2081         ide_set_irq(s->bus);
2082         return;
2083     }
2084 
2085     s->status = READY_STAT | BUSY_STAT;
2086     s->error = 0;
2087     s->io_buffer_offset = 0;
2088 
2089     complete = ide_cmd_table[val].handler(s, val);
2090     if (complete) {
2091         s->status &= ~BUSY_STAT;
2092         assert(!!s->error == !!(s->status & ERR_STAT));
2093 
2094         if ((ide_cmd_table[val].flags & SET_DSC) && !s->error) {
2095             s->status |= SEEK_STAT;
2096         }
2097 
2098         ide_cmd_done(s);
2099         ide_set_irq(s->bus);
2100     }
2101 }
2102 
2103 /* IOport [R]ead [R]egisters */
2104 enum ATA_IOPORT_RR {
2105     ATA_IOPORT_RR_DATA = 0,
2106     ATA_IOPORT_RR_ERROR = 1,
2107     ATA_IOPORT_RR_SECTOR_COUNT = 2,
2108     ATA_IOPORT_RR_SECTOR_NUMBER = 3,
2109     ATA_IOPORT_RR_CYLINDER_LOW = 4,
2110     ATA_IOPORT_RR_CYLINDER_HIGH = 5,
2111     ATA_IOPORT_RR_DEVICE_HEAD = 6,
2112     ATA_IOPORT_RR_STATUS = 7,
2113     ATA_IOPORT_RR_NUM_REGISTERS,
2114 };
2115 
2116 const char *ATA_IOPORT_RR_lookup[ATA_IOPORT_RR_NUM_REGISTERS] = {
2117     [ATA_IOPORT_RR_DATA] = "Data",
2118     [ATA_IOPORT_RR_ERROR] = "Error",
2119     [ATA_IOPORT_RR_SECTOR_COUNT] = "Sector Count",
2120     [ATA_IOPORT_RR_SECTOR_NUMBER] = "Sector Number",
2121     [ATA_IOPORT_RR_CYLINDER_LOW] = "Cylinder Low",
2122     [ATA_IOPORT_RR_CYLINDER_HIGH] = "Cylinder High",
2123     [ATA_IOPORT_RR_DEVICE_HEAD] = "Device/Head",
2124     [ATA_IOPORT_RR_STATUS] = "Status"
2125 };
2126 
2127 uint32_t ide_ioport_read(void *opaque, uint32_t addr)
2128 {
2129     IDEBus *bus = opaque;
2130     IDEState *s = idebus_active_if(bus);
2131     uint32_t reg_num;
2132     int ret, hob;
2133 
2134     reg_num = addr & 7;
2135     /* FIXME: HOB readback uses bit 7, but it's always set right now */
2136     //hob = s->select & (1 << 7);
2137     hob = 0;
2138     switch (reg_num) {
2139     case ATA_IOPORT_RR_DATA:
2140         ret = 0xff;
2141         break;
2142     case ATA_IOPORT_RR_ERROR:
2143         if ((!bus->ifs[0].blk && !bus->ifs[1].blk) ||
2144             (s != bus->ifs && !s->blk)) {
2145             ret = 0;
2146         } else if (!hob) {
2147             ret = s->error;
2148         } else {
2149             ret = s->hob_feature;
2150         }
2151         break;
2152     case ATA_IOPORT_RR_SECTOR_COUNT:
2153         if (!bus->ifs[0].blk && !bus->ifs[1].blk) {
2154             ret = 0;
2155         } else if (!hob) {
2156             ret = s->nsector & 0xff;
2157         } else {
2158             ret = s->hob_nsector;
2159         }
2160         break;
2161     case ATA_IOPORT_RR_SECTOR_NUMBER:
2162         if (!bus->ifs[0].blk && !bus->ifs[1].blk) {
2163             ret = 0;
2164         } else if (!hob) {
2165             ret = s->sector;
2166         } else {
2167             ret = s->hob_sector;
2168         }
2169         break;
2170     case ATA_IOPORT_RR_CYLINDER_LOW:
2171         if (!bus->ifs[0].blk && !bus->ifs[1].blk) {
2172             ret = 0;
2173         } else if (!hob) {
2174             ret = s->lcyl;
2175         } else {
2176             ret = s->hob_lcyl;
2177         }
2178         break;
2179     case ATA_IOPORT_RR_CYLINDER_HIGH:
2180         if (!bus->ifs[0].blk && !bus->ifs[1].blk) {
2181             ret = 0;
2182         } else if (!hob) {
2183             ret = s->hcyl;
2184         } else {
2185             ret = s->hob_hcyl;
2186         }
2187         break;
2188     case ATA_IOPORT_RR_DEVICE_HEAD:
2189         if (!bus->ifs[0].blk && !bus->ifs[1].blk) {
2190             ret = 0;
2191         } else {
2192             ret = s->select;
2193         }
2194         break;
2195     default:
2196     case ATA_IOPORT_RR_STATUS:
2197         if ((!bus->ifs[0].blk && !bus->ifs[1].blk) ||
2198             (s != bus->ifs && !s->blk)) {
2199             ret = 0;
2200         } else {
2201             ret = s->status;
2202         }
2203         qemu_irq_lower(bus->irq);
2204         break;
2205     }
2206 
2207     trace_ide_ioport_read(addr, ATA_IOPORT_RR_lookup[reg_num], ret, bus, s);
2208     return ret;
2209 }
2210 
2211 uint32_t ide_status_read(void *opaque, uint32_t addr)
2212 {
2213     IDEBus *bus = opaque;
2214     IDEState *s = idebus_active_if(bus);
2215     int ret;
2216 
2217     if ((!bus->ifs[0].blk && !bus->ifs[1].blk) ||
2218         (s != bus->ifs && !s->blk)) {
2219         ret = 0;
2220     } else {
2221         ret = s->status;
2222     }
2223 
2224     trace_ide_status_read(addr, ret, bus, s);
2225     return ret;
2226 }
2227 
2228 void ide_cmd_write(void *opaque, uint32_t addr, uint32_t val)
2229 {
2230     IDEBus *bus = opaque;
2231     IDEState *s;
2232     int i;
2233 
2234     trace_ide_cmd_write(addr, val, bus);
2235 
2236     /* common for both drives */
2237     if (!(bus->cmd & IDE_CMD_RESET) &&
2238         (val & IDE_CMD_RESET)) {
2239         /* reset low to high */
2240         for(i = 0;i < 2; i++) {
2241             s = &bus->ifs[i];
2242             s->status = BUSY_STAT | SEEK_STAT;
2243             s->error = 0x01;
2244         }
2245     } else if ((bus->cmd & IDE_CMD_RESET) &&
2246                !(val & IDE_CMD_RESET)) {
2247         /* high to low */
2248         for(i = 0;i < 2; i++) {
2249             s = &bus->ifs[i];
2250             if (s->drive_kind == IDE_CD)
2251                 s->status = 0x00; /* NOTE: READY is _not_ set */
2252             else
2253                 s->status = READY_STAT | SEEK_STAT;
2254             ide_set_signature(s);
2255         }
2256     }
2257 
2258     bus->cmd = val;
2259 }
2260 
2261 /*
2262  * Returns true if the running PIO transfer is a PIO out (i.e. data is
2263  * transferred from the device to the guest), false if it's a PIO in
2264  */
2265 static bool ide_is_pio_out(IDEState *s)
2266 {
2267     if (s->end_transfer_func == ide_sector_write ||
2268         s->end_transfer_func == ide_atapi_cmd) {
2269         return false;
2270     } else if (s->end_transfer_func == ide_sector_read ||
2271                s->end_transfer_func == ide_transfer_stop ||
2272                s->end_transfer_func == ide_atapi_cmd_reply_end ||
2273                s->end_transfer_func == ide_dummy_transfer_stop) {
2274         return true;
2275     }
2276 
2277     abort();
2278 }
2279 
2280 void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
2281 {
2282     IDEBus *bus = opaque;
2283     IDEState *s = idebus_active_if(bus);
2284     uint8_t *p;
2285 
2286     trace_ide_data_writew(addr, val, bus, s);
2287 
2288     /* PIO data access allowed only when DRQ bit is set. The result of a write
2289      * during PIO out is indeterminate, just ignore it. */
2290     if (!(s->status & DRQ_STAT) || ide_is_pio_out(s)) {
2291         return;
2292     }
2293 
2294     p = s->data_ptr;
2295     if (p + 2 > s->data_end) {
2296         return;
2297     }
2298 
2299     *(uint16_t *)p = le16_to_cpu(val);
2300     p += 2;
2301     s->data_ptr = p;
2302     if (p >= s->data_end) {
2303         s->status &= ~DRQ_STAT;
2304         s->end_transfer_func(s);
2305     }
2306 }
2307 
2308 uint32_t ide_data_readw(void *opaque, uint32_t addr)
2309 {
2310     IDEBus *bus = opaque;
2311     IDEState *s = idebus_active_if(bus);
2312     uint8_t *p;
2313     int ret;
2314 
2315     /* PIO data access allowed only when DRQ bit is set. The result of a read
2316      * during PIO in is indeterminate, return 0 and don't move forward. */
2317     if (!(s->status & DRQ_STAT) || !ide_is_pio_out(s)) {
2318         return 0;
2319     }
2320 
2321     p = s->data_ptr;
2322     if (p + 2 > s->data_end) {
2323         return 0;
2324     }
2325 
2326     ret = cpu_to_le16(*(uint16_t *)p);
2327     p += 2;
2328     s->data_ptr = p;
2329     if (p >= s->data_end) {
2330         s->status &= ~DRQ_STAT;
2331         s->end_transfer_func(s);
2332     }
2333 
2334     trace_ide_data_readw(addr, ret, bus, s);
2335     return ret;
2336 }
2337 
2338 void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
2339 {
2340     IDEBus *bus = opaque;
2341     IDEState *s = idebus_active_if(bus);
2342     uint8_t *p;
2343 
2344     trace_ide_data_writel(addr, val, bus, s);
2345 
2346     /* PIO data access allowed only when DRQ bit is set. The result of a write
2347      * during PIO out is indeterminate, just ignore it. */
2348     if (!(s->status & DRQ_STAT) || ide_is_pio_out(s)) {
2349         return;
2350     }
2351 
2352     p = s->data_ptr;
2353     if (p + 4 > s->data_end) {
2354         return;
2355     }
2356 
2357     *(uint32_t *)p = le32_to_cpu(val);
2358     p += 4;
2359     s->data_ptr = p;
2360     if (p >= s->data_end) {
2361         s->status &= ~DRQ_STAT;
2362         s->end_transfer_func(s);
2363     }
2364 }
2365 
2366 uint32_t ide_data_readl(void *opaque, uint32_t addr)
2367 {
2368     IDEBus *bus = opaque;
2369     IDEState *s = idebus_active_if(bus);
2370     uint8_t *p;
2371     int ret;
2372 
2373     /* PIO data access allowed only when DRQ bit is set. The result of a read
2374      * during PIO in is indeterminate, return 0 and don't move forward. */
2375     if (!(s->status & DRQ_STAT) || !ide_is_pio_out(s)) {
2376         ret = 0;
2377         goto out;
2378     }
2379 
2380     p = s->data_ptr;
2381     if (p + 4 > s->data_end) {
2382         return 0;
2383     }
2384 
2385     ret = cpu_to_le32(*(uint32_t *)p);
2386     p += 4;
2387     s->data_ptr = p;
2388     if (p >= s->data_end) {
2389         s->status &= ~DRQ_STAT;
2390         s->end_transfer_func(s);
2391     }
2392 
2393 out:
2394     trace_ide_data_readl(addr, ret, bus, s);
2395     return ret;
2396 }
2397 
2398 static void ide_dummy_transfer_stop(IDEState *s)
2399 {
2400     s->data_ptr = s->io_buffer;
2401     s->data_end = s->io_buffer;
2402     s->io_buffer[0] = 0xff;
2403     s->io_buffer[1] = 0xff;
2404     s->io_buffer[2] = 0xff;
2405     s->io_buffer[3] = 0xff;
2406 }
2407 
2408 void ide_bus_reset(IDEBus *bus)
2409 {
2410     bus->unit = 0;
2411     bus->cmd = 0;
2412     ide_reset(&bus->ifs[0]);
2413     ide_reset(&bus->ifs[1]);
2414     ide_clear_hob(bus);
2415 
2416     /* pending async DMA */
2417     if (bus->dma->aiocb) {
2418         trace_ide_bus_reset_aio();
2419         blk_aio_cancel(bus->dma->aiocb);
2420         bus->dma->aiocb = NULL;
2421     }
2422 
2423     /* reset dma provider too */
2424     if (bus->dma->ops->reset) {
2425         bus->dma->ops->reset(bus->dma);
2426     }
2427 }
2428 
2429 static bool ide_cd_is_tray_open(void *opaque)
2430 {
2431     return ((IDEState *)opaque)->tray_open;
2432 }
2433 
2434 static bool ide_cd_is_medium_locked(void *opaque)
2435 {
2436     return ((IDEState *)opaque)->tray_locked;
2437 }
2438 
2439 static void ide_resize_cb(void *opaque)
2440 {
2441     IDEState *s = opaque;
2442     uint64_t nb_sectors;
2443 
2444     if (!s->identify_set) {
2445         return;
2446     }
2447 
2448     blk_get_geometry(s->blk, &nb_sectors);
2449     s->nb_sectors = nb_sectors;
2450 
2451     /* Update the identify data buffer. */
2452     if (s->drive_kind == IDE_CFATA) {
2453         ide_cfata_identify_size(s);
2454     } else {
2455         /* IDE_CD uses a different set of callbacks entirely. */
2456         assert(s->drive_kind != IDE_CD);
2457         ide_identify_size(s);
2458     }
2459 }
2460 
2461 static const BlockDevOps ide_cd_block_ops = {
2462     .change_media_cb = ide_cd_change_cb,
2463     .eject_request_cb = ide_cd_eject_request_cb,
2464     .is_tray_open = ide_cd_is_tray_open,
2465     .is_medium_locked = ide_cd_is_medium_locked,
2466 };
2467 
2468 static const BlockDevOps ide_hd_block_ops = {
2469     .resize_cb = ide_resize_cb,
2470 };
2471 
2472 int ide_init_drive(IDEState *s, BlockBackend *blk, IDEDriveKind kind,
2473                    const char *version, const char *serial, const char *model,
2474                    uint64_t wwn,
2475                    uint32_t cylinders, uint32_t heads, uint32_t secs,
2476                    int chs_trans, Error **errp)
2477 {
2478     uint64_t nb_sectors;
2479 
2480     s->blk = blk;
2481     s->drive_kind = kind;
2482 
2483     blk_get_geometry(blk, &nb_sectors);
2484     s->cylinders = cylinders;
2485     s->heads = heads;
2486     s->sectors = secs;
2487     s->chs_trans = chs_trans;
2488     s->nb_sectors = nb_sectors;
2489     s->wwn = wwn;
2490     /* The SMART values should be preserved across power cycles
2491        but they aren't.  */
2492     s->smart_enabled = 1;
2493     s->smart_autosave = 1;
2494     s->smart_errors = 0;
2495     s->smart_selftest_count = 0;
2496     if (kind == IDE_CD) {
2497         blk_set_dev_ops(blk, &ide_cd_block_ops, s);
2498         blk_set_guest_block_size(blk, 2048);
2499     } else {
2500         if (!blk_is_inserted(s->blk)) {
2501             error_setg(errp, "Device needs media, but drive is empty");
2502             return -1;
2503         }
2504         if (blk_is_read_only(blk)) {
2505             error_setg(errp, "Can't use a read-only drive");
2506             return -1;
2507         }
2508         blk_set_dev_ops(blk, &ide_hd_block_ops, s);
2509     }
2510     if (serial) {
2511         pstrcpy(s->drive_serial_str, sizeof(s->drive_serial_str), serial);
2512     } else {
2513         snprintf(s->drive_serial_str, sizeof(s->drive_serial_str),
2514                  "QM%05d", s->drive_serial);
2515     }
2516     if (model) {
2517         pstrcpy(s->drive_model_str, sizeof(s->drive_model_str), model);
2518     } else {
2519         switch (kind) {
2520         case IDE_CD:
2521             strcpy(s->drive_model_str, "QEMU DVD-ROM");
2522             break;
2523         case IDE_CFATA:
2524             strcpy(s->drive_model_str, "QEMU MICRODRIVE");
2525             break;
2526         default:
2527             strcpy(s->drive_model_str, "QEMU HARDDISK");
2528             break;
2529         }
2530     }
2531 
2532     if (version) {
2533         pstrcpy(s->version, sizeof(s->version), version);
2534     } else {
2535         pstrcpy(s->version, sizeof(s->version), qemu_hw_version());
2536     }
2537 
2538     ide_reset(s);
2539     blk_iostatus_enable(blk);
2540     return 0;
2541 }
2542 
2543 static void ide_init1(IDEBus *bus, int unit)
2544 {
2545     static int drive_serial = 1;
2546     IDEState *s = &bus->ifs[unit];
2547 
2548     s->bus = bus;
2549     s->unit = unit;
2550     s->drive_serial = drive_serial++;
2551     /* we need at least 2k alignment for accessing CDROMs using O_DIRECT */
2552     s->io_buffer_total_len = IDE_DMA_BUF_SECTORS*512 + 4;
2553     s->io_buffer = qemu_memalign(2048, s->io_buffer_total_len);
2554     memset(s->io_buffer, 0, s->io_buffer_total_len);
2555 
2556     s->smart_selftest_data = blk_blockalign(s->blk, 512);
2557     memset(s->smart_selftest_data, 0, 512);
2558 
2559     s->sector_write_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL,
2560                                            ide_sector_write_timer_cb, s);
2561 }
2562 
2563 static int ide_nop_int(IDEDMA *dma, int x)
2564 {
2565     return 0;
2566 }
2567 
2568 static void ide_nop(IDEDMA *dma)
2569 {
2570 }
2571 
2572 static int32_t ide_nop_int32(IDEDMA *dma, int32_t l)
2573 {
2574     return 0;
2575 }
2576 
2577 static const IDEDMAOps ide_dma_nop_ops = {
2578     .prepare_buf    = ide_nop_int32,
2579     .restart_dma    = ide_nop,
2580     .rw_buf         = ide_nop_int,
2581 };
2582 
2583 static void ide_restart_dma(IDEState *s, enum ide_dma_cmd dma_cmd)
2584 {
2585     s->unit = s->bus->retry_unit;
2586     ide_set_sector(s, s->bus->retry_sector_num);
2587     s->nsector = s->bus->retry_nsector;
2588     s->bus->dma->ops->restart_dma(s->bus->dma);
2589     s->io_buffer_size = 0;
2590     s->dma_cmd = dma_cmd;
2591     ide_start_dma(s, ide_dma_cb);
2592 }
2593 
2594 static void ide_restart_bh(void *opaque)
2595 {
2596     IDEBus *bus = opaque;
2597     IDEState *s;
2598     bool is_read;
2599     int error_status;
2600 
2601     qemu_bh_delete(bus->bh);
2602     bus->bh = NULL;
2603 
2604     error_status = bus->error_status;
2605     if (bus->error_status == 0) {
2606         return;
2607     }
2608 
2609     s = idebus_active_if(bus);
2610     is_read = (bus->error_status & IDE_RETRY_READ) != 0;
2611 
2612     /* The error status must be cleared before resubmitting the request: The
2613      * request may fail again, and this case can only be distinguished if the
2614      * called function can set a new error status. */
2615     bus->error_status = 0;
2616 
2617     /* The HBA has generically asked to be kicked on retry */
2618     if (error_status & IDE_RETRY_HBA) {
2619         if (s->bus->dma->ops->restart) {
2620             s->bus->dma->ops->restart(s->bus->dma);
2621         }
2622     } else if (IS_IDE_RETRY_DMA(error_status)) {
2623         if (error_status & IDE_RETRY_TRIM) {
2624             ide_restart_dma(s, IDE_DMA_TRIM);
2625         } else {
2626             ide_restart_dma(s, is_read ? IDE_DMA_READ : IDE_DMA_WRITE);
2627         }
2628     } else if (IS_IDE_RETRY_PIO(error_status)) {
2629         if (is_read) {
2630             ide_sector_read(s);
2631         } else {
2632             ide_sector_write(s);
2633         }
2634     } else if (error_status & IDE_RETRY_FLUSH) {
2635         ide_flush_cache(s);
2636     } else if (IS_IDE_RETRY_ATAPI(error_status)) {
2637         assert(s->end_transfer_func == ide_atapi_cmd);
2638         ide_atapi_dma_restart(s);
2639     } else {
2640         abort();
2641     }
2642 }
2643 
2644 static void ide_restart_cb(void *opaque, int running, RunState state)
2645 {
2646     IDEBus *bus = opaque;
2647 
2648     if (!running)
2649         return;
2650 
2651     if (!bus->bh) {
2652         bus->bh = qemu_bh_new(ide_restart_bh, bus);
2653         qemu_bh_schedule(bus->bh);
2654     }
2655 }
2656 
2657 void ide_register_restart_cb(IDEBus *bus)
2658 {
2659     if (bus->dma->ops->restart_dma) {
2660         bus->vmstate = qemu_add_vm_change_state_handler(ide_restart_cb, bus);
2661     }
2662 }
2663 
2664 static IDEDMA ide_dma_nop = {
2665     .ops = &ide_dma_nop_ops,
2666     .aiocb = NULL,
2667 };
2668 
2669 void ide_init2(IDEBus *bus, qemu_irq irq)
2670 {
2671     int i;
2672 
2673     for(i = 0; i < 2; i++) {
2674         ide_init1(bus, i);
2675         ide_reset(&bus->ifs[i]);
2676     }
2677     bus->irq = irq;
2678     bus->dma = &ide_dma_nop;
2679 }
2680 
2681 void ide_exit(IDEState *s)
2682 {
2683     timer_del(s->sector_write_timer);
2684     timer_free(s->sector_write_timer);
2685     qemu_vfree(s->smart_selftest_data);
2686     qemu_vfree(s->io_buffer);
2687 }
2688 
2689 static bool is_identify_set(void *opaque, int version_id)
2690 {
2691     IDEState *s = opaque;
2692 
2693     return s->identify_set != 0;
2694 }
2695 
2696 static EndTransferFunc* transfer_end_table[] = {
2697         ide_sector_read,
2698         ide_sector_write,
2699         ide_transfer_stop,
2700         ide_atapi_cmd_reply_end,
2701         ide_atapi_cmd,
2702         ide_dummy_transfer_stop,
2703 };
2704 
2705 static int transfer_end_table_idx(EndTransferFunc *fn)
2706 {
2707     int i;
2708 
2709     for (i = 0; i < ARRAY_SIZE(transfer_end_table); i++)
2710         if (transfer_end_table[i] == fn)
2711             return i;
2712 
2713     return -1;
2714 }
2715 
2716 static int ide_drive_post_load(void *opaque, int version_id)
2717 {
2718     IDEState *s = opaque;
2719 
2720     if (s->blk && s->identify_set) {
2721         blk_set_enable_write_cache(s->blk, !!(s->identify_data[85] & (1 << 5)));
2722     }
2723     return 0;
2724 }
2725 
2726 static int ide_drive_pio_post_load(void *opaque, int version_id)
2727 {
2728     IDEState *s = opaque;
2729 
2730     if (s->end_transfer_fn_idx >= ARRAY_SIZE(transfer_end_table)) {
2731         return -EINVAL;
2732     }
2733     s->end_transfer_func = transfer_end_table[s->end_transfer_fn_idx];
2734     s->data_ptr = s->io_buffer + s->cur_io_buffer_offset;
2735     s->data_end = s->data_ptr + s->cur_io_buffer_len;
2736     s->atapi_dma = s->feature & 1; /* as per cmd_packet */
2737 
2738     return 0;
2739 }
2740 
2741 static int ide_drive_pio_pre_save(void *opaque)
2742 {
2743     IDEState *s = opaque;
2744     int idx;
2745 
2746     s->cur_io_buffer_offset = s->data_ptr - s->io_buffer;
2747     s->cur_io_buffer_len = s->data_end - s->data_ptr;
2748 
2749     idx = transfer_end_table_idx(s->end_transfer_func);
2750     if (idx == -1) {
2751         fprintf(stderr, "%s: invalid end_transfer_func for DRQ_STAT\n",
2752                         __func__);
2753         s->end_transfer_fn_idx = 2;
2754     } else {
2755         s->end_transfer_fn_idx = idx;
2756     }
2757 
2758     return 0;
2759 }
2760 
2761 static bool ide_drive_pio_state_needed(void *opaque)
2762 {
2763     IDEState *s = opaque;
2764 
2765     return ((s->status & DRQ_STAT) != 0)
2766         || (s->bus->error_status & IDE_RETRY_PIO);
2767 }
2768 
2769 static bool ide_tray_state_needed(void *opaque)
2770 {
2771     IDEState *s = opaque;
2772 
2773     return s->tray_open || s->tray_locked;
2774 }
2775 
2776 static bool ide_atapi_gesn_needed(void *opaque)
2777 {
2778     IDEState *s = opaque;
2779 
2780     return s->events.new_media || s->events.eject_request;
2781 }
2782 
2783 static bool ide_error_needed(void *opaque)
2784 {
2785     IDEBus *bus = opaque;
2786 
2787     return (bus->error_status != 0);
2788 }
2789 
2790 /* Fields for GET_EVENT_STATUS_NOTIFICATION ATAPI command */
2791 static const VMStateDescription vmstate_ide_atapi_gesn_state = {
2792     .name ="ide_drive/atapi/gesn_state",
2793     .version_id = 1,
2794     .minimum_version_id = 1,
2795     .needed = ide_atapi_gesn_needed,
2796     .fields = (VMStateField[]) {
2797         VMSTATE_BOOL(events.new_media, IDEState),
2798         VMSTATE_BOOL(events.eject_request, IDEState),
2799         VMSTATE_END_OF_LIST()
2800     }
2801 };
2802 
2803 static const VMStateDescription vmstate_ide_tray_state = {
2804     .name = "ide_drive/tray_state",
2805     .version_id = 1,
2806     .minimum_version_id = 1,
2807     .needed = ide_tray_state_needed,
2808     .fields = (VMStateField[]) {
2809         VMSTATE_BOOL(tray_open, IDEState),
2810         VMSTATE_BOOL(tray_locked, IDEState),
2811         VMSTATE_END_OF_LIST()
2812     }
2813 };
2814 
2815 static const VMStateDescription vmstate_ide_drive_pio_state = {
2816     .name = "ide_drive/pio_state",
2817     .version_id = 1,
2818     .minimum_version_id = 1,
2819     .pre_save = ide_drive_pio_pre_save,
2820     .post_load = ide_drive_pio_post_load,
2821     .needed = ide_drive_pio_state_needed,
2822     .fields = (VMStateField[]) {
2823         VMSTATE_INT32(req_nb_sectors, IDEState),
2824         VMSTATE_VARRAY_INT32(io_buffer, IDEState, io_buffer_total_len, 1,
2825                              vmstate_info_uint8, uint8_t),
2826         VMSTATE_INT32(cur_io_buffer_offset, IDEState),
2827         VMSTATE_INT32(cur_io_buffer_len, IDEState),
2828         VMSTATE_UINT8(end_transfer_fn_idx, IDEState),
2829         VMSTATE_INT32(elementary_transfer_size, IDEState),
2830         VMSTATE_INT32(packet_transfer_size, IDEState),
2831         VMSTATE_END_OF_LIST()
2832     }
2833 };
2834 
2835 const VMStateDescription vmstate_ide_drive = {
2836     .name = "ide_drive",
2837     .version_id = 3,
2838     .minimum_version_id = 0,
2839     .post_load = ide_drive_post_load,
2840     .fields = (VMStateField[]) {
2841         VMSTATE_INT32(mult_sectors, IDEState),
2842         VMSTATE_INT32(identify_set, IDEState),
2843         VMSTATE_BUFFER_TEST(identify_data, IDEState, is_identify_set),
2844         VMSTATE_UINT8(feature, IDEState),
2845         VMSTATE_UINT8(error, IDEState),
2846         VMSTATE_UINT32(nsector, IDEState),
2847         VMSTATE_UINT8(sector, IDEState),
2848         VMSTATE_UINT8(lcyl, IDEState),
2849         VMSTATE_UINT8(hcyl, IDEState),
2850         VMSTATE_UINT8(hob_feature, IDEState),
2851         VMSTATE_UINT8(hob_sector, IDEState),
2852         VMSTATE_UINT8(hob_nsector, IDEState),
2853         VMSTATE_UINT8(hob_lcyl, IDEState),
2854         VMSTATE_UINT8(hob_hcyl, IDEState),
2855         VMSTATE_UINT8(select, IDEState),
2856         VMSTATE_UINT8(status, IDEState),
2857         VMSTATE_UINT8(lba48, IDEState),
2858         VMSTATE_UINT8(sense_key, IDEState),
2859         VMSTATE_UINT8(asc, IDEState),
2860         VMSTATE_UINT8_V(cdrom_changed, IDEState, 3),
2861         VMSTATE_END_OF_LIST()
2862     },
2863     .subsections = (const VMStateDescription*[]) {
2864         &vmstate_ide_drive_pio_state,
2865         &vmstate_ide_tray_state,
2866         &vmstate_ide_atapi_gesn_state,
2867         NULL
2868     }
2869 };
2870 
2871 static const VMStateDescription vmstate_ide_error_status = {
2872     .name ="ide_bus/error",
2873     .version_id = 2,
2874     .minimum_version_id = 1,
2875     .needed = ide_error_needed,
2876     .fields = (VMStateField[]) {
2877         VMSTATE_INT32(error_status, IDEBus),
2878         VMSTATE_INT64_V(retry_sector_num, IDEBus, 2),
2879         VMSTATE_UINT32_V(retry_nsector, IDEBus, 2),
2880         VMSTATE_UINT8_V(retry_unit, IDEBus, 2),
2881         VMSTATE_END_OF_LIST()
2882     }
2883 };
2884 
2885 const VMStateDescription vmstate_ide_bus = {
2886     .name = "ide_bus",
2887     .version_id = 1,
2888     .minimum_version_id = 1,
2889     .fields = (VMStateField[]) {
2890         VMSTATE_UINT8(cmd, IDEBus),
2891         VMSTATE_UINT8(unit, IDEBus),
2892         VMSTATE_END_OF_LIST()
2893     },
2894     .subsections = (const VMStateDescription*[]) {
2895         &vmstate_ide_error_status,
2896         NULL
2897     }
2898 };
2899 
2900 void ide_drive_get(DriveInfo **hd, int n)
2901 {
2902     int i;
2903 
2904     for (i = 0; i < n; i++) {
2905         hd[i] = drive_get_by_index(IF_IDE, i);
2906     }
2907 }
2908