xref: /openbmc/qemu/hw/scsi/scsi-disk.c (revision 0694dabe)
1 /*
2  * SCSI Device emulation
3  *
4  * Copyright (c) 2006 CodeSourcery.
5  * Based on code by Fabrice Bellard
6  *
7  * Written by Paul Brook
8  * Modifications:
9  *  2009-Dec-12 Artyom Tarasenko : implemented stamdard inquiry for the case
10  *                                 when the allocation length of CDB is smaller
11  *                                 than 36.
12  *  2009-Oct-13 Artyom Tarasenko : implemented the block descriptor in the
13  *                                 MODE SENSE response.
14  *
15  * This code is licensed under the LGPL.
16  *
17  * Note that this file only handles the SCSI architecture model and device
18  * commands.  Emulation of interface/link layer protocols is handled by
19  * the host adapter emulator.
20  */
21 
22 #include "qemu/osdep.h"
23 #include "qemu/units.h"
24 #include "qapi/error.h"
25 #include "qemu/error-report.h"
26 #include "qemu/main-loop.h"
27 #include "qemu/module.h"
28 #include "hw/scsi/scsi.h"
29 #include "migration/qemu-file-types.h"
30 #include "migration/vmstate.h"
31 #include "hw/scsi/emulation.h"
32 #include "scsi/constants.h"
33 #include "sysemu/block-backend.h"
34 #include "sysemu/blockdev.h"
35 #include "hw/block/block.h"
36 #include "hw/qdev-properties.h"
37 #include "hw/qdev-properties-system.h"
38 #include "sysemu/dma.h"
39 #include "sysemu/sysemu.h"
40 #include "qemu/cutils.h"
41 #include "trace.h"
42 #include "qom/object.h"
43 
44 #ifdef __linux
45 #include <scsi/sg.h>
46 #endif
47 
48 #define SCSI_WRITE_SAME_MAX         (512 * KiB)
49 #define SCSI_DMA_BUF_SIZE           (128 * KiB)
50 #define SCSI_MAX_INQUIRY_LEN        256
51 #define SCSI_MAX_MODE_LEN           256
52 
53 #define DEFAULT_DISCARD_GRANULARITY (4 * KiB)
54 #define DEFAULT_MAX_UNMAP_SIZE      (1 * GiB)
55 #define DEFAULT_MAX_IO_SIZE         INT_MAX     /* 2 GB - 1 block */
56 
57 #define TYPE_SCSI_DISK_BASE         "scsi-disk-base"
58 
59 OBJECT_DECLARE_TYPE(SCSIDiskState, SCSIDiskClass, SCSI_DISK_BASE)
60 
61 struct SCSIDiskClass {
62     SCSIDeviceClass parent_class;
63     DMAIOFunc       *dma_readv;
64     DMAIOFunc       *dma_writev;
65     bool            (*need_fua_emulation)(SCSICommand *cmd);
66     void            (*update_sense)(SCSIRequest *r);
67 };
68 
69 typedef struct SCSIDiskReq {
70     SCSIRequest req;
71     /* Both sector and sector_count are in terms of BDRV_SECTOR_SIZE bytes.  */
72     uint64_t sector;
73     uint32_t sector_count;
74     uint32_t buflen;
75     bool started;
76     bool need_fua_emulation;
77     struct iovec iov;
78     QEMUIOVector qiov;
79     BlockAcctCookie acct;
80     unsigned char *status;
81 } SCSIDiskReq;
82 
83 #define SCSI_DISK_F_REMOVABLE             0
84 #define SCSI_DISK_F_DPOFUA                1
85 #define SCSI_DISK_F_NO_REMOVABLE_DEVOPS   2
86 
87 struct SCSIDiskState {
88     SCSIDevice qdev;
89     uint32_t features;
90     bool media_changed;
91     bool media_event;
92     bool eject_request;
93     uint16_t port_index;
94     uint64_t max_unmap_size;
95     uint64_t max_io_size;
96     QEMUBH *bh;
97     char *version;
98     char *serial;
99     char *vendor;
100     char *product;
101     char *device_id;
102     bool tray_open;
103     bool tray_locked;
104     /*
105      * 0x0000        - rotation rate not reported
106      * 0x0001        - non-rotating medium (SSD)
107      * 0x0002-0x0400 - reserved
108      * 0x0401-0xffe  - rotations per minute
109      * 0xffff        - reserved
110      */
111     uint16_t rotation_rate;
112 };
113 
114 static void scsi_free_request(SCSIRequest *req)
115 {
116     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
117 
118     qemu_vfree(r->iov.iov_base);
119 }
120 
121 /* Helper function for command completion with sense.  */
122 static void scsi_check_condition(SCSIDiskReq *r, SCSISense sense)
123 {
124     trace_scsi_disk_check_condition(r->req.tag, sense.key, sense.asc,
125                                     sense.ascq);
126     scsi_req_build_sense(&r->req, sense);
127     scsi_req_complete(&r->req, CHECK_CONDITION);
128 }
129 
130 static void scsi_init_iovec(SCSIDiskReq *r, size_t size)
131 {
132     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
133 
134     if (!r->iov.iov_base) {
135         r->buflen = size;
136         r->iov.iov_base = blk_blockalign(s->qdev.conf.blk, r->buflen);
137     }
138     r->iov.iov_len = MIN(r->sector_count * BDRV_SECTOR_SIZE, r->buflen);
139     qemu_iovec_init_external(&r->qiov, &r->iov, 1);
140 }
141 
142 static void scsi_disk_save_request(QEMUFile *f, SCSIRequest *req)
143 {
144     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
145 
146     qemu_put_be64s(f, &r->sector);
147     qemu_put_be32s(f, &r->sector_count);
148     qemu_put_be32s(f, &r->buflen);
149     if (r->buflen) {
150         if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
151             qemu_put_buffer(f, r->iov.iov_base, r->iov.iov_len);
152         } else if (!req->retry) {
153             uint32_t len = r->iov.iov_len;
154             qemu_put_be32s(f, &len);
155             qemu_put_buffer(f, r->iov.iov_base, r->iov.iov_len);
156         }
157     }
158 }
159 
160 static void scsi_disk_load_request(QEMUFile *f, SCSIRequest *req)
161 {
162     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
163 
164     qemu_get_be64s(f, &r->sector);
165     qemu_get_be32s(f, &r->sector_count);
166     qemu_get_be32s(f, &r->buflen);
167     if (r->buflen) {
168         scsi_init_iovec(r, r->buflen);
169         if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
170             qemu_get_buffer(f, r->iov.iov_base, r->iov.iov_len);
171         } else if (!r->req.retry) {
172             uint32_t len;
173             qemu_get_be32s(f, &len);
174             r->iov.iov_len = len;
175             assert(r->iov.iov_len <= r->buflen);
176             qemu_get_buffer(f, r->iov.iov_base, r->iov.iov_len);
177         }
178     }
179 
180     qemu_iovec_init_external(&r->qiov, &r->iov, 1);
181 }
182 
183 /*
184  * scsi_handle_rw_error has two return values.  False means that the error
185  * must be ignored, true means that the error has been processed and the
186  * caller should not do anything else for this request.  Note that
187  * scsi_handle_rw_error always manages its reference counts, independent
188  * of the return value.
189  */
190 static bool scsi_handle_rw_error(SCSIDiskReq *r, int ret, bool acct_failed)
191 {
192     bool is_read = (r->req.cmd.mode == SCSI_XFER_FROM_DEV);
193     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
194     SCSIDiskClass *sdc = (SCSIDiskClass *) object_get_class(OBJECT(s));
195     SCSISense sense = SENSE_CODE(NO_SENSE);
196     int error = 0;
197     bool req_has_sense = false;
198     BlockErrorAction action;
199     int status;
200 
201     if (ret < 0) {
202         status = scsi_sense_from_errno(-ret, &sense);
203         error = -ret;
204     } else {
205         /* A passthrough command has completed with nonzero status.  */
206         status = ret;
207         if (status == CHECK_CONDITION) {
208             req_has_sense = true;
209             error = scsi_sense_buf_to_errno(r->req.sense, sizeof(r->req.sense));
210         } else {
211             error = EINVAL;
212         }
213     }
214 
215     /*
216      * Check whether the error has to be handled by the guest or should
217      * rather follow the rerror=/werror= settings.  Guest-handled errors
218      * are usually retried immediately, so do not post them to QMP and
219      * do not account them as failed I/O.
220      */
221     if (req_has_sense &&
222         scsi_sense_buf_is_guest_recoverable(r->req.sense, sizeof(r->req.sense))) {
223         action = BLOCK_ERROR_ACTION_REPORT;
224         acct_failed = false;
225     } else {
226         action = blk_get_error_action(s->qdev.conf.blk, is_read, error);
227         blk_error_action(s->qdev.conf.blk, action, is_read, error);
228     }
229 
230     switch (action) {
231     case BLOCK_ERROR_ACTION_REPORT:
232         if (acct_failed) {
233             block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
234         }
235         if (req_has_sense) {
236             sdc->update_sense(&r->req);
237         } else if (status == CHECK_CONDITION) {
238             scsi_req_build_sense(&r->req, sense);
239         }
240         scsi_req_complete(&r->req, status);
241         return true;
242 
243     case BLOCK_ERROR_ACTION_IGNORE:
244         return false;
245 
246     case BLOCK_ERROR_ACTION_STOP:
247         scsi_req_retry(&r->req);
248         return true;
249 
250     default:
251         g_assert_not_reached();
252     }
253 }
254 
255 static bool scsi_disk_req_check_error(SCSIDiskReq *r, int ret, bool acct_failed)
256 {
257     if (r->req.io_canceled) {
258         scsi_req_cancel_complete(&r->req);
259         return true;
260     }
261 
262     if (ret < 0) {
263         return scsi_handle_rw_error(r, ret, acct_failed);
264     } else if (r->status && *r->status) {
265         return scsi_handle_rw_error(r, *r->status, acct_failed);
266     }
267 
268     return false;
269 }
270 
271 static void scsi_aio_complete(void *opaque, int ret)
272 {
273     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
274     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
275 
276     assert(r->req.aiocb != NULL);
277     r->req.aiocb = NULL;
278     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
279     if (scsi_disk_req_check_error(r, ret, true)) {
280         goto done;
281     }
282 
283     block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
284     scsi_req_complete(&r->req, GOOD);
285 
286 done:
287     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
288     scsi_req_unref(&r->req);
289 }
290 
291 static bool scsi_is_cmd_fua(SCSICommand *cmd)
292 {
293     switch (cmd->buf[0]) {
294     case READ_10:
295     case READ_12:
296     case READ_16:
297     case WRITE_10:
298     case WRITE_12:
299     case WRITE_16:
300         return (cmd->buf[1] & 8) != 0;
301 
302     case VERIFY_10:
303     case VERIFY_12:
304     case VERIFY_16:
305     case WRITE_VERIFY_10:
306     case WRITE_VERIFY_12:
307     case WRITE_VERIFY_16:
308         return true;
309 
310     case READ_6:
311     case WRITE_6:
312     default:
313         return false;
314     }
315 }
316 
317 static void scsi_write_do_fua(SCSIDiskReq *r)
318 {
319     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
320 
321     assert(r->req.aiocb == NULL);
322     assert(!r->req.io_canceled);
323 
324     if (r->need_fua_emulation) {
325         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct, 0,
326                          BLOCK_ACCT_FLUSH);
327         r->req.aiocb = blk_aio_flush(s->qdev.conf.blk, scsi_aio_complete, r);
328         return;
329     }
330 
331     scsi_req_complete(&r->req, GOOD);
332     scsi_req_unref(&r->req);
333 }
334 
335 static void scsi_dma_complete_noio(SCSIDiskReq *r, int ret)
336 {
337     assert(r->req.aiocb == NULL);
338     if (scsi_disk_req_check_error(r, ret, false)) {
339         goto done;
340     }
341 
342     r->sector += r->sector_count;
343     r->sector_count = 0;
344     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
345         scsi_write_do_fua(r);
346         return;
347     } else {
348         scsi_req_complete(&r->req, GOOD);
349     }
350 
351 done:
352     scsi_req_unref(&r->req);
353 }
354 
355 static void scsi_dma_complete(void *opaque, int ret)
356 {
357     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
358     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
359 
360     assert(r->req.aiocb != NULL);
361     r->req.aiocb = NULL;
362 
363     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
364     if (ret < 0) {
365         block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
366     } else {
367         block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
368     }
369     scsi_dma_complete_noio(r, ret);
370     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
371 }
372 
373 static void scsi_read_complete_noio(SCSIDiskReq *r, int ret)
374 {
375     uint32_t n;
376 
377     assert(r->req.aiocb == NULL);
378     if (scsi_disk_req_check_error(r, ret, false)) {
379         goto done;
380     }
381 
382     n = r->qiov.size / BDRV_SECTOR_SIZE;
383     r->sector += n;
384     r->sector_count -= n;
385     scsi_req_data(&r->req, r->qiov.size);
386 
387 done:
388     scsi_req_unref(&r->req);
389 }
390 
391 static void scsi_read_complete(void *opaque, int ret)
392 {
393     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
394     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
395 
396     assert(r->req.aiocb != NULL);
397     r->req.aiocb = NULL;
398 
399     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
400     if (ret < 0) {
401         block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
402     } else {
403         block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
404         trace_scsi_disk_read_complete(r->req.tag, r->qiov.size);
405     }
406     scsi_read_complete_noio(r, ret);
407     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
408 }
409 
410 /* Actually issue a read to the block device.  */
411 static void scsi_do_read(SCSIDiskReq *r, int ret)
412 {
413     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
414     SCSIDiskClass *sdc = (SCSIDiskClass *) object_get_class(OBJECT(s));
415 
416     assert (r->req.aiocb == NULL);
417     if (scsi_disk_req_check_error(r, ret, false)) {
418         goto done;
419     }
420 
421     /* The request is used as the AIO opaque value, so add a ref.  */
422     scsi_req_ref(&r->req);
423 
424     if (r->req.sg) {
425         dma_acct_start(s->qdev.conf.blk, &r->acct, r->req.sg, BLOCK_ACCT_READ);
426         r->req.resid -= r->req.sg->size;
427         r->req.aiocb = dma_blk_io(blk_get_aio_context(s->qdev.conf.blk),
428                                   r->req.sg, r->sector << BDRV_SECTOR_BITS,
429                                   BDRV_SECTOR_SIZE,
430                                   sdc->dma_readv, r, scsi_dma_complete, r,
431                                   DMA_DIRECTION_FROM_DEVICE);
432     } else {
433         scsi_init_iovec(r, SCSI_DMA_BUF_SIZE);
434         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
435                          r->qiov.size, BLOCK_ACCT_READ);
436         r->req.aiocb = sdc->dma_readv(r->sector << BDRV_SECTOR_BITS, &r->qiov,
437                                       scsi_read_complete, r, r);
438     }
439 
440 done:
441     scsi_req_unref(&r->req);
442 }
443 
444 static void scsi_do_read_cb(void *opaque, int ret)
445 {
446     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
447     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
448 
449     assert (r->req.aiocb != NULL);
450     r->req.aiocb = NULL;
451 
452     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
453     if (ret < 0) {
454         block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
455     } else {
456         block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
457     }
458     scsi_do_read(opaque, ret);
459     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
460 }
461 
462 /* Read more data from scsi device into buffer.  */
463 static void scsi_read_data(SCSIRequest *req)
464 {
465     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
466     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
467     bool first;
468 
469     trace_scsi_disk_read_data_count(r->sector_count);
470     if (r->sector_count == 0) {
471         /* This also clears the sense buffer for REQUEST SENSE.  */
472         scsi_req_complete(&r->req, GOOD);
473         return;
474     }
475 
476     /* No data transfer may already be in progress */
477     assert(r->req.aiocb == NULL);
478 
479     /* The request is used as the AIO opaque value, so add a ref.  */
480     scsi_req_ref(&r->req);
481     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
482         trace_scsi_disk_read_data_invalid();
483         scsi_read_complete_noio(r, -EINVAL);
484         return;
485     }
486 
487     if (!blk_is_available(req->dev->conf.blk)) {
488         scsi_read_complete_noio(r, -ENOMEDIUM);
489         return;
490     }
491 
492     first = !r->started;
493     r->started = true;
494     if (first && r->need_fua_emulation) {
495         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct, 0,
496                          BLOCK_ACCT_FLUSH);
497         r->req.aiocb = blk_aio_flush(s->qdev.conf.blk, scsi_do_read_cb, r);
498     } else {
499         scsi_do_read(r, 0);
500     }
501 }
502 
503 static void scsi_write_complete_noio(SCSIDiskReq *r, int ret)
504 {
505     uint32_t n;
506 
507     assert (r->req.aiocb == NULL);
508     if (scsi_disk_req_check_error(r, ret, false)) {
509         goto done;
510     }
511 
512     n = r->qiov.size / BDRV_SECTOR_SIZE;
513     r->sector += n;
514     r->sector_count -= n;
515     if (r->sector_count == 0) {
516         scsi_write_do_fua(r);
517         return;
518     } else {
519         scsi_init_iovec(r, SCSI_DMA_BUF_SIZE);
520         trace_scsi_disk_write_complete_noio(r->req.tag, r->qiov.size);
521         scsi_req_data(&r->req, r->qiov.size);
522     }
523 
524 done:
525     scsi_req_unref(&r->req);
526 }
527 
528 static void scsi_write_complete(void * opaque, int ret)
529 {
530     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
531     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
532 
533     assert (r->req.aiocb != NULL);
534     r->req.aiocb = NULL;
535 
536     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
537     if (ret < 0) {
538         block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
539     } else {
540         block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
541     }
542     scsi_write_complete_noio(r, ret);
543     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
544 }
545 
546 static void scsi_write_data(SCSIRequest *req)
547 {
548     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
549     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
550     SCSIDiskClass *sdc = (SCSIDiskClass *) object_get_class(OBJECT(s));
551 
552     /* No data transfer may already be in progress */
553     assert(r->req.aiocb == NULL);
554 
555     /* The request is used as the AIO opaque value, so add a ref.  */
556     scsi_req_ref(&r->req);
557     if (r->req.cmd.mode != SCSI_XFER_TO_DEV) {
558         trace_scsi_disk_write_data_invalid();
559         scsi_write_complete_noio(r, -EINVAL);
560         return;
561     }
562 
563     if (!r->req.sg && !r->qiov.size) {
564         /* Called for the first time.  Ask the driver to send us more data.  */
565         r->started = true;
566         scsi_write_complete_noio(r, 0);
567         return;
568     }
569     if (!blk_is_available(req->dev->conf.blk)) {
570         scsi_write_complete_noio(r, -ENOMEDIUM);
571         return;
572     }
573 
574     if (r->req.cmd.buf[0] == VERIFY_10 || r->req.cmd.buf[0] == VERIFY_12 ||
575         r->req.cmd.buf[0] == VERIFY_16) {
576         if (r->req.sg) {
577             scsi_dma_complete_noio(r, 0);
578         } else {
579             scsi_write_complete_noio(r, 0);
580         }
581         return;
582     }
583 
584     if (r->req.sg) {
585         dma_acct_start(s->qdev.conf.blk, &r->acct, r->req.sg, BLOCK_ACCT_WRITE);
586         r->req.resid -= r->req.sg->size;
587         r->req.aiocb = dma_blk_io(blk_get_aio_context(s->qdev.conf.blk),
588                                   r->req.sg, r->sector << BDRV_SECTOR_BITS,
589                                   BDRV_SECTOR_SIZE,
590                                   sdc->dma_writev, r, scsi_dma_complete, r,
591                                   DMA_DIRECTION_TO_DEVICE);
592     } else {
593         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
594                          r->qiov.size, BLOCK_ACCT_WRITE);
595         r->req.aiocb = sdc->dma_writev(r->sector << BDRV_SECTOR_BITS, &r->qiov,
596                                        scsi_write_complete, r, r);
597     }
598 }
599 
600 /* Return a pointer to the data buffer.  */
601 static uint8_t *scsi_get_buf(SCSIRequest *req)
602 {
603     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
604 
605     return (uint8_t *)r->iov.iov_base;
606 }
607 
608 static int scsi_disk_emulate_vpd_page(SCSIRequest *req, uint8_t *outbuf)
609 {
610     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
611     uint8_t page_code = req->cmd.buf[2];
612     int start, buflen = 0;
613 
614     outbuf[buflen++] = s->qdev.type & 0x1f;
615     outbuf[buflen++] = page_code;
616     outbuf[buflen++] = 0x00;
617     outbuf[buflen++] = 0x00;
618     start = buflen;
619 
620     switch (page_code) {
621     case 0x00: /* Supported page codes, mandatory */
622     {
623         trace_scsi_disk_emulate_vpd_page_00(req->cmd.xfer);
624         outbuf[buflen++] = 0x00; /* list of supported pages (this page) */
625         if (s->serial) {
626             outbuf[buflen++] = 0x80; /* unit serial number */
627         }
628         outbuf[buflen++] = 0x83; /* device identification */
629         if (s->qdev.type == TYPE_DISK) {
630             outbuf[buflen++] = 0xb0; /* block limits */
631             outbuf[buflen++] = 0xb1; /* block device characteristics */
632             outbuf[buflen++] = 0xb2; /* thin provisioning */
633         }
634         break;
635     }
636     case 0x80: /* Device serial number, optional */
637     {
638         int l;
639 
640         if (!s->serial) {
641             trace_scsi_disk_emulate_vpd_page_80_not_supported();
642             return -1;
643         }
644 
645         l = strlen(s->serial);
646         if (l > 36) {
647             l = 36;
648         }
649 
650         trace_scsi_disk_emulate_vpd_page_80(req->cmd.xfer);
651         memcpy(outbuf + buflen, s->serial, l);
652         buflen += l;
653         break;
654     }
655 
656     case 0x83: /* Device identification page, mandatory */
657     {
658         int id_len = s->device_id ? MIN(strlen(s->device_id), 255 - 8) : 0;
659 
660         trace_scsi_disk_emulate_vpd_page_83(req->cmd.xfer);
661 
662         if (id_len) {
663             outbuf[buflen++] = 0x2; /* ASCII */
664             outbuf[buflen++] = 0;   /* not officially assigned */
665             outbuf[buflen++] = 0;   /* reserved */
666             outbuf[buflen++] = id_len; /* length of data following */
667             memcpy(outbuf + buflen, s->device_id, id_len);
668             buflen += id_len;
669         }
670 
671         if (s->qdev.wwn) {
672             outbuf[buflen++] = 0x1; /* Binary */
673             outbuf[buflen++] = 0x3; /* NAA */
674             outbuf[buflen++] = 0;   /* reserved */
675             outbuf[buflen++] = 8;
676             stq_be_p(&outbuf[buflen], s->qdev.wwn);
677             buflen += 8;
678         }
679 
680         if (s->qdev.port_wwn) {
681             outbuf[buflen++] = 0x61; /* SAS / Binary */
682             outbuf[buflen++] = 0x93; /* PIV / Target port / NAA */
683             outbuf[buflen++] = 0;    /* reserved */
684             outbuf[buflen++] = 8;
685             stq_be_p(&outbuf[buflen], s->qdev.port_wwn);
686             buflen += 8;
687         }
688 
689         if (s->port_index) {
690             outbuf[buflen++] = 0x61; /* SAS / Binary */
691 
692             /* PIV/Target port/relative target port */
693             outbuf[buflen++] = 0x94;
694 
695             outbuf[buflen++] = 0;    /* reserved */
696             outbuf[buflen++] = 4;
697             stw_be_p(&outbuf[buflen + 2], s->port_index);
698             buflen += 4;
699         }
700         break;
701     }
702     case 0xb0: /* block limits */
703     {
704         SCSIBlockLimits bl = {};
705 
706         if (s->qdev.type == TYPE_ROM) {
707             trace_scsi_disk_emulate_vpd_page_b0_not_supported();
708             return -1;
709         }
710         bl.wsnz = 1;
711         bl.unmap_sectors =
712             s->qdev.conf.discard_granularity / s->qdev.blocksize;
713         bl.min_io_size =
714             s->qdev.conf.min_io_size / s->qdev.blocksize;
715         bl.opt_io_size =
716             s->qdev.conf.opt_io_size / s->qdev.blocksize;
717         bl.max_unmap_sectors =
718             s->max_unmap_size / s->qdev.blocksize;
719         bl.max_io_sectors =
720             s->max_io_size / s->qdev.blocksize;
721         /* 255 descriptors fit in 4 KiB with an 8-byte header */
722         bl.max_unmap_descr = 255;
723 
724         if (s->qdev.type == TYPE_DISK) {
725             int max_transfer_blk = blk_get_max_transfer(s->qdev.conf.blk);
726             int max_io_sectors_blk =
727                 max_transfer_blk / s->qdev.blocksize;
728 
729             bl.max_io_sectors =
730                 MIN_NON_ZERO(max_io_sectors_blk, bl.max_io_sectors);
731         }
732         buflen += scsi_emulate_block_limits(outbuf + buflen, &bl);
733         break;
734     }
735     case 0xb1: /* block device characteristics */
736     {
737         buflen = 0x40;
738         outbuf[4] = (s->rotation_rate >> 8) & 0xff;
739         outbuf[5] = s->rotation_rate & 0xff;
740         outbuf[6] = 0; /* PRODUCT TYPE */
741         outbuf[7] = 0; /* WABEREQ | WACEREQ | NOMINAL FORM FACTOR */
742         outbuf[8] = 0; /* VBULS */
743         break;
744     }
745     case 0xb2: /* thin provisioning */
746     {
747         buflen = 8;
748         outbuf[4] = 0;
749         outbuf[5] = 0xe0; /* unmap & write_same 10/16 all supported */
750         outbuf[6] = s->qdev.conf.discard_granularity ? 2 : 1;
751         outbuf[7] = 0;
752         break;
753     }
754     default:
755         return -1;
756     }
757     /* done with EVPD */
758     assert(buflen - start <= 255);
759     outbuf[start - 1] = buflen - start;
760     return buflen;
761 }
762 
763 static int scsi_disk_emulate_inquiry(SCSIRequest *req, uint8_t *outbuf)
764 {
765     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
766     int buflen = 0;
767 
768     if (req->cmd.buf[1] & 0x1) {
769         /* Vital product data */
770         return scsi_disk_emulate_vpd_page(req, outbuf);
771     }
772 
773     /* Standard INQUIRY data */
774     if (req->cmd.buf[2] != 0) {
775         return -1;
776     }
777 
778     /* PAGE CODE == 0 */
779     buflen = req->cmd.xfer;
780     if (buflen > SCSI_MAX_INQUIRY_LEN) {
781         buflen = SCSI_MAX_INQUIRY_LEN;
782     }
783 
784     outbuf[0] = s->qdev.type & 0x1f;
785     outbuf[1] = (s->features & (1 << SCSI_DISK_F_REMOVABLE)) ? 0x80 : 0;
786 
787     strpadcpy((char *) &outbuf[16], 16, s->product, ' ');
788     strpadcpy((char *) &outbuf[8], 8, s->vendor, ' ');
789 
790     memset(&outbuf[32], 0, 4);
791     memcpy(&outbuf[32], s->version, MIN(4, strlen(s->version)));
792     /*
793      * We claim conformance to SPC-3, which is required for guests
794      * to ask for modern features like READ CAPACITY(16) or the
795      * block characteristics VPD page by default.  Not all of SPC-3
796      * is actually implemented, but we're good enough.
797      */
798     outbuf[2] = s->qdev.default_scsi_version;
799     outbuf[3] = 2 | 0x10; /* Format 2, HiSup */
800 
801     if (buflen > 36) {
802         outbuf[4] = buflen - 5; /* Additional Length = (Len - 1) - 4 */
803     } else {
804         /* If the allocation length of CDB is too small,
805                the additional length is not adjusted */
806         outbuf[4] = 36 - 5;
807     }
808 
809     /* Sync data transfer and TCQ.  */
810     outbuf[7] = 0x10 | (req->bus->info->tcq ? 0x02 : 0);
811     return buflen;
812 }
813 
814 static inline bool media_is_dvd(SCSIDiskState *s)
815 {
816     uint64_t nb_sectors;
817     if (s->qdev.type != TYPE_ROM) {
818         return false;
819     }
820     if (!blk_is_available(s->qdev.conf.blk)) {
821         return false;
822     }
823     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
824     return nb_sectors > CD_MAX_SECTORS;
825 }
826 
827 static inline bool media_is_cd(SCSIDiskState *s)
828 {
829     uint64_t nb_sectors;
830     if (s->qdev.type != TYPE_ROM) {
831         return false;
832     }
833     if (!blk_is_available(s->qdev.conf.blk)) {
834         return false;
835     }
836     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
837     return nb_sectors <= CD_MAX_SECTORS;
838 }
839 
840 static int scsi_read_disc_information(SCSIDiskState *s, SCSIDiskReq *r,
841                                       uint8_t *outbuf)
842 {
843     uint8_t type = r->req.cmd.buf[1] & 7;
844 
845     if (s->qdev.type != TYPE_ROM) {
846         return -1;
847     }
848 
849     /* Types 1/2 are only defined for Blu-Ray.  */
850     if (type != 0) {
851         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
852         return -1;
853     }
854 
855     memset(outbuf, 0, 34);
856     outbuf[1] = 32;
857     outbuf[2] = 0xe; /* last session complete, disc finalized */
858     outbuf[3] = 1;   /* first track on disc */
859     outbuf[4] = 1;   /* # of sessions */
860     outbuf[5] = 1;   /* first track of last session */
861     outbuf[6] = 1;   /* last track of last session */
862     outbuf[7] = 0x20; /* unrestricted use */
863     outbuf[8] = 0x00; /* CD-ROM or DVD-ROM */
864     /* 9-10-11: most significant byte corresponding bytes 4-5-6 */
865     /* 12-23: not meaningful for CD-ROM or DVD-ROM */
866     /* 24-31: disc bar code */
867     /* 32: disc application code */
868     /* 33: number of OPC tables */
869 
870     return 34;
871 }
872 
873 static int scsi_read_dvd_structure(SCSIDiskState *s, SCSIDiskReq *r,
874                                    uint8_t *outbuf)
875 {
876     static const int rds_caps_size[5] = {
877         [0] = 2048 + 4,
878         [1] = 4 + 4,
879         [3] = 188 + 4,
880         [4] = 2048 + 4,
881     };
882 
883     uint8_t media = r->req.cmd.buf[1];
884     uint8_t layer = r->req.cmd.buf[6];
885     uint8_t format = r->req.cmd.buf[7];
886     int size = -1;
887 
888     if (s->qdev.type != TYPE_ROM) {
889         return -1;
890     }
891     if (media != 0) {
892         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
893         return -1;
894     }
895 
896     if (format != 0xff) {
897         if (!blk_is_available(s->qdev.conf.blk)) {
898             scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
899             return -1;
900         }
901         if (media_is_cd(s)) {
902             scsi_check_condition(r, SENSE_CODE(INCOMPATIBLE_FORMAT));
903             return -1;
904         }
905         if (format >= ARRAY_SIZE(rds_caps_size)) {
906             return -1;
907         }
908         size = rds_caps_size[format];
909         memset(outbuf, 0, size);
910     }
911 
912     switch (format) {
913     case 0x00: {
914         /* Physical format information */
915         uint64_t nb_sectors;
916         if (layer != 0) {
917             goto fail;
918         }
919         blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
920 
921         outbuf[4] = 1;   /* DVD-ROM, part version 1 */
922         outbuf[5] = 0xf; /* 120mm disc, minimum rate unspecified */
923         outbuf[6] = 1;   /* one layer, read-only (per MMC-2 spec) */
924         outbuf[7] = 0;   /* default densities */
925 
926         stl_be_p(&outbuf[12], (nb_sectors >> 2) - 1); /* end sector */
927         stl_be_p(&outbuf[16], (nb_sectors >> 2) - 1); /* l0 end sector */
928         break;
929     }
930 
931     case 0x01: /* DVD copyright information, all zeros */
932         break;
933 
934     case 0x03: /* BCA information - invalid field for no BCA info */
935         return -1;
936 
937     case 0x04: /* DVD disc manufacturing information, all zeros */
938         break;
939 
940     case 0xff: { /* List capabilities */
941         int i;
942         size = 4;
943         for (i = 0; i < ARRAY_SIZE(rds_caps_size); i++) {
944             if (!rds_caps_size[i]) {
945                 continue;
946             }
947             outbuf[size] = i;
948             outbuf[size + 1] = 0x40; /* Not writable, readable */
949             stw_be_p(&outbuf[size + 2], rds_caps_size[i]);
950             size += 4;
951         }
952         break;
953      }
954 
955     default:
956         return -1;
957     }
958 
959     /* Size of buffer, not including 2 byte size field */
960     stw_be_p(outbuf, size - 2);
961     return size;
962 
963 fail:
964     return -1;
965 }
966 
967 static int scsi_event_status_media(SCSIDiskState *s, uint8_t *outbuf)
968 {
969     uint8_t event_code, media_status;
970 
971     media_status = 0;
972     if (s->tray_open) {
973         media_status = MS_TRAY_OPEN;
974     } else if (blk_is_inserted(s->qdev.conf.blk)) {
975         media_status = MS_MEDIA_PRESENT;
976     }
977 
978     /* Event notification descriptor */
979     event_code = MEC_NO_CHANGE;
980     if (media_status != MS_TRAY_OPEN) {
981         if (s->media_event) {
982             event_code = MEC_NEW_MEDIA;
983             s->media_event = false;
984         } else if (s->eject_request) {
985             event_code = MEC_EJECT_REQUESTED;
986             s->eject_request = false;
987         }
988     }
989 
990     outbuf[0] = event_code;
991     outbuf[1] = media_status;
992 
993     /* These fields are reserved, just clear them. */
994     outbuf[2] = 0;
995     outbuf[3] = 0;
996     return 4;
997 }
998 
999 static int scsi_get_event_status_notification(SCSIDiskState *s, SCSIDiskReq *r,
1000                                               uint8_t *outbuf)
1001 {
1002     int size;
1003     uint8_t *buf = r->req.cmd.buf;
1004     uint8_t notification_class_request = buf[4];
1005     if (s->qdev.type != TYPE_ROM) {
1006         return -1;
1007     }
1008     if ((buf[1] & 1) == 0) {
1009         /* asynchronous */
1010         return -1;
1011     }
1012 
1013     size = 4;
1014     outbuf[0] = outbuf[1] = 0;
1015     outbuf[3] = 1 << GESN_MEDIA; /* supported events */
1016     if (notification_class_request & (1 << GESN_MEDIA)) {
1017         outbuf[2] = GESN_MEDIA;
1018         size += scsi_event_status_media(s, &outbuf[size]);
1019     } else {
1020         outbuf[2] = 0x80;
1021     }
1022     stw_be_p(outbuf, size - 4);
1023     return size;
1024 }
1025 
1026 static int scsi_get_configuration(SCSIDiskState *s, uint8_t *outbuf)
1027 {
1028     int current;
1029 
1030     if (s->qdev.type != TYPE_ROM) {
1031         return -1;
1032     }
1033 
1034     if (media_is_dvd(s)) {
1035         current = MMC_PROFILE_DVD_ROM;
1036     } else if (media_is_cd(s)) {
1037         current = MMC_PROFILE_CD_ROM;
1038     } else {
1039         current = MMC_PROFILE_NONE;
1040     }
1041 
1042     memset(outbuf, 0, 40);
1043     stl_be_p(&outbuf[0], 36); /* Bytes after the data length field */
1044     stw_be_p(&outbuf[6], current);
1045     /* outbuf[8] - outbuf[19]: Feature 0 - Profile list */
1046     outbuf[10] = 0x03; /* persistent, current */
1047     outbuf[11] = 8; /* two profiles */
1048     stw_be_p(&outbuf[12], MMC_PROFILE_DVD_ROM);
1049     outbuf[14] = (current == MMC_PROFILE_DVD_ROM);
1050     stw_be_p(&outbuf[16], MMC_PROFILE_CD_ROM);
1051     outbuf[18] = (current == MMC_PROFILE_CD_ROM);
1052     /* outbuf[20] - outbuf[31]: Feature 1 - Core feature */
1053     stw_be_p(&outbuf[20], 1);
1054     outbuf[22] = 0x08 | 0x03; /* version 2, persistent, current */
1055     outbuf[23] = 8;
1056     stl_be_p(&outbuf[24], 1); /* SCSI */
1057     outbuf[28] = 1; /* DBE = 1, mandatory */
1058     /* outbuf[32] - outbuf[39]: Feature 3 - Removable media feature */
1059     stw_be_p(&outbuf[32], 3);
1060     outbuf[34] = 0x08 | 0x03; /* version 2, persistent, current */
1061     outbuf[35] = 4;
1062     outbuf[36] = 0x39; /* tray, load=1, eject=1, unlocked at powerup, lock=1 */
1063     /* TODO: Random readable, CD read, DVD read, drive serial number,
1064        power management */
1065     return 40;
1066 }
1067 
1068 static int scsi_emulate_mechanism_status(SCSIDiskState *s, uint8_t *outbuf)
1069 {
1070     if (s->qdev.type != TYPE_ROM) {
1071         return -1;
1072     }
1073     memset(outbuf, 0, 8);
1074     outbuf[5] = 1; /* CD-ROM */
1075     return 8;
1076 }
1077 
1078 static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf,
1079                            int page_control)
1080 {
1081     static const int mode_sense_valid[0x3f] = {
1082         [MODE_PAGE_HD_GEOMETRY]            = (1 << TYPE_DISK),
1083         [MODE_PAGE_FLEXIBLE_DISK_GEOMETRY] = (1 << TYPE_DISK),
1084         [MODE_PAGE_CACHING]                = (1 << TYPE_DISK) | (1 << TYPE_ROM),
1085         [MODE_PAGE_R_W_ERROR]              = (1 << TYPE_DISK) | (1 << TYPE_ROM),
1086         [MODE_PAGE_AUDIO_CTL]              = (1 << TYPE_ROM),
1087         [MODE_PAGE_CAPABILITIES]           = (1 << TYPE_ROM),
1088     };
1089 
1090     uint8_t *p = *p_outbuf + 2;
1091     int length;
1092 
1093     if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) {
1094         return -1;
1095     }
1096 
1097     /*
1098      * If Changeable Values are requested, a mask denoting those mode parameters
1099      * that are changeable shall be returned. As we currently don't support
1100      * parameter changes via MODE_SELECT all bits are returned set to zero.
1101      * The buffer was already menset to zero by the caller of this function.
1102      *
1103      * The offsets here are off by two compared to the descriptions in the
1104      * SCSI specs, because those include a 2-byte header.  This is unfortunate,
1105      * but it is done so that offsets are consistent within our implementation
1106      * of MODE SENSE and MODE SELECT.  MODE SELECT has to deal with both
1107      * 2-byte and 4-byte headers.
1108      */
1109     switch (page) {
1110     case MODE_PAGE_HD_GEOMETRY:
1111         length = 0x16;
1112         if (page_control == 1) { /* Changeable Values */
1113             break;
1114         }
1115         /* if a geometry hint is available, use it */
1116         p[0] = (s->qdev.conf.cyls >> 16) & 0xff;
1117         p[1] = (s->qdev.conf.cyls >> 8) & 0xff;
1118         p[2] = s->qdev.conf.cyls & 0xff;
1119         p[3] = s->qdev.conf.heads & 0xff;
1120         /* Write precomp start cylinder, disabled */
1121         p[4] = (s->qdev.conf.cyls >> 16) & 0xff;
1122         p[5] = (s->qdev.conf.cyls >> 8) & 0xff;
1123         p[6] = s->qdev.conf.cyls & 0xff;
1124         /* Reduced current start cylinder, disabled */
1125         p[7] = (s->qdev.conf.cyls >> 16) & 0xff;
1126         p[8] = (s->qdev.conf.cyls >> 8) & 0xff;
1127         p[9] = s->qdev.conf.cyls & 0xff;
1128         /* Device step rate [ns], 200ns */
1129         p[10] = 0;
1130         p[11] = 200;
1131         /* Landing zone cylinder */
1132         p[12] = 0xff;
1133         p[13] =  0xff;
1134         p[14] = 0xff;
1135         /* Medium rotation rate [rpm], 5400 rpm */
1136         p[18] = (5400 >> 8) & 0xff;
1137         p[19] = 5400 & 0xff;
1138         break;
1139 
1140     case MODE_PAGE_FLEXIBLE_DISK_GEOMETRY:
1141         length = 0x1e;
1142         if (page_control == 1) { /* Changeable Values */
1143             break;
1144         }
1145         /* Transfer rate [kbit/s], 5Mbit/s */
1146         p[0] = 5000 >> 8;
1147         p[1] = 5000 & 0xff;
1148         /* if a geometry hint is available, use it */
1149         p[2] = s->qdev.conf.heads & 0xff;
1150         p[3] = s->qdev.conf.secs & 0xff;
1151         p[4] = s->qdev.blocksize >> 8;
1152         p[6] = (s->qdev.conf.cyls >> 8) & 0xff;
1153         p[7] = s->qdev.conf.cyls & 0xff;
1154         /* Write precomp start cylinder, disabled */
1155         p[8] = (s->qdev.conf.cyls >> 8) & 0xff;
1156         p[9] = s->qdev.conf.cyls & 0xff;
1157         /* Reduced current start cylinder, disabled */
1158         p[10] = (s->qdev.conf.cyls >> 8) & 0xff;
1159         p[11] = s->qdev.conf.cyls & 0xff;
1160         /* Device step rate [100us], 100us */
1161         p[12] = 0;
1162         p[13] = 1;
1163         /* Device step pulse width [us], 1us */
1164         p[14] = 1;
1165         /* Device head settle delay [100us], 100us */
1166         p[15] = 0;
1167         p[16] = 1;
1168         /* Motor on delay [0.1s], 0.1s */
1169         p[17] = 1;
1170         /* Motor off delay [0.1s], 0.1s */
1171         p[18] = 1;
1172         /* Medium rotation rate [rpm], 5400 rpm */
1173         p[26] = (5400 >> 8) & 0xff;
1174         p[27] = 5400 & 0xff;
1175         break;
1176 
1177     case MODE_PAGE_CACHING:
1178         length = 0x12;
1179         if (page_control == 1 || /* Changeable Values */
1180             blk_enable_write_cache(s->qdev.conf.blk)) {
1181             p[0] = 4; /* WCE */
1182         }
1183         break;
1184 
1185     case MODE_PAGE_R_W_ERROR:
1186         length = 10;
1187         if (page_control == 1) { /* Changeable Values */
1188             break;
1189         }
1190         p[0] = 0x80; /* Automatic Write Reallocation Enabled */
1191         if (s->qdev.type == TYPE_ROM) {
1192             p[1] = 0x20; /* Read Retry Count */
1193         }
1194         break;
1195 
1196     case MODE_PAGE_AUDIO_CTL:
1197         length = 14;
1198         break;
1199 
1200     case MODE_PAGE_CAPABILITIES:
1201         length = 0x14;
1202         if (page_control == 1) { /* Changeable Values */
1203             break;
1204         }
1205 
1206         p[0] = 0x3b; /* CD-R & CD-RW read */
1207         p[1] = 0; /* Writing not supported */
1208         p[2] = 0x7f; /* Audio, composite, digital out,
1209                         mode 2 form 1&2, multi session */
1210         p[3] = 0xff; /* CD DA, DA accurate, RW supported,
1211                         RW corrected, C2 errors, ISRC,
1212                         UPC, Bar code */
1213         p[4] = 0x2d | (s->tray_locked ? 2 : 0);
1214         /* Locking supported, jumper present, eject, tray */
1215         p[5] = 0; /* no volume & mute control, no
1216                      changer */
1217         p[6] = (50 * 176) >> 8; /* 50x read speed */
1218         p[7] = (50 * 176) & 0xff;
1219         p[8] = 2 >> 8; /* Two volume levels */
1220         p[9] = 2 & 0xff;
1221         p[10] = 2048 >> 8; /* 2M buffer */
1222         p[11] = 2048 & 0xff;
1223         p[12] = (16 * 176) >> 8; /* 16x read speed current */
1224         p[13] = (16 * 176) & 0xff;
1225         p[16] = (16 * 176) >> 8; /* 16x write speed */
1226         p[17] = (16 * 176) & 0xff;
1227         p[18] = (16 * 176) >> 8; /* 16x write speed current */
1228         p[19] = (16 * 176) & 0xff;
1229         break;
1230 
1231     default:
1232         return -1;
1233     }
1234 
1235     assert(length < 256);
1236     (*p_outbuf)[0] = page;
1237     (*p_outbuf)[1] = length;
1238     *p_outbuf += length + 2;
1239     return length + 2;
1240 }
1241 
1242 static int scsi_disk_emulate_mode_sense(SCSIDiskReq *r, uint8_t *outbuf)
1243 {
1244     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1245     uint64_t nb_sectors;
1246     bool dbd;
1247     int page, buflen, ret, page_control;
1248     uint8_t *p;
1249     uint8_t dev_specific_param;
1250 
1251     dbd = (r->req.cmd.buf[1] & 0x8) != 0;
1252     page = r->req.cmd.buf[2] & 0x3f;
1253     page_control = (r->req.cmd.buf[2] & 0xc0) >> 6;
1254 
1255     trace_scsi_disk_emulate_mode_sense((r->req.cmd.buf[0] == MODE_SENSE) ? 6 :
1256                                        10, page, r->req.cmd.xfer, page_control);
1257     memset(outbuf, 0, r->req.cmd.xfer);
1258     p = outbuf;
1259 
1260     if (s->qdev.type == TYPE_DISK) {
1261         dev_specific_param = s->features & (1 << SCSI_DISK_F_DPOFUA) ? 0x10 : 0;
1262         if (!blk_is_writable(s->qdev.conf.blk)) {
1263             dev_specific_param |= 0x80; /* Readonly.  */
1264         }
1265     } else {
1266         /* MMC prescribes that CD/DVD drives have no block descriptors,
1267          * and defines no device-specific parameter.  */
1268         dev_specific_param = 0x00;
1269         dbd = true;
1270     }
1271 
1272     if (r->req.cmd.buf[0] == MODE_SENSE) {
1273         p[1] = 0; /* Default media type.  */
1274         p[2] = dev_specific_param;
1275         p[3] = 0; /* Block descriptor length.  */
1276         p += 4;
1277     } else { /* MODE_SENSE_10 */
1278         p[2] = 0; /* Default media type.  */
1279         p[3] = dev_specific_param;
1280         p[6] = p[7] = 0; /* Block descriptor length.  */
1281         p += 8;
1282     }
1283 
1284     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
1285     if (!dbd && nb_sectors) {
1286         if (r->req.cmd.buf[0] == MODE_SENSE) {
1287             outbuf[3] = 8; /* Block descriptor length  */
1288         } else { /* MODE_SENSE_10 */
1289             outbuf[7] = 8; /* Block descriptor length  */
1290         }
1291         nb_sectors /= (s->qdev.blocksize / BDRV_SECTOR_SIZE);
1292         if (nb_sectors > 0xffffff) {
1293             nb_sectors = 0;
1294         }
1295         p[0] = 0; /* media density code */
1296         p[1] = (nb_sectors >> 16) & 0xff;
1297         p[2] = (nb_sectors >> 8) & 0xff;
1298         p[3] = nb_sectors & 0xff;
1299         p[4] = 0; /* reserved */
1300         p[5] = 0; /* bytes 5-7 are the sector size in bytes */
1301         p[6] = s->qdev.blocksize >> 8;
1302         p[7] = 0;
1303         p += 8;
1304     }
1305 
1306     if (page_control == 3) {
1307         /* Saved Values */
1308         scsi_check_condition(r, SENSE_CODE(SAVING_PARAMS_NOT_SUPPORTED));
1309         return -1;
1310     }
1311 
1312     if (page == 0x3f) {
1313         for (page = 0; page <= 0x3e; page++) {
1314             mode_sense_page(s, page, &p, page_control);
1315         }
1316     } else {
1317         ret = mode_sense_page(s, page, &p, page_control);
1318         if (ret == -1) {
1319             return -1;
1320         }
1321     }
1322 
1323     buflen = p - outbuf;
1324     /*
1325      * The mode data length field specifies the length in bytes of the
1326      * following data that is available to be transferred. The mode data
1327      * length does not include itself.
1328      */
1329     if (r->req.cmd.buf[0] == MODE_SENSE) {
1330         outbuf[0] = buflen - 1;
1331     } else { /* MODE_SENSE_10 */
1332         outbuf[0] = ((buflen - 2) >> 8) & 0xff;
1333         outbuf[1] = (buflen - 2) & 0xff;
1334     }
1335     return buflen;
1336 }
1337 
1338 static int scsi_disk_emulate_read_toc(SCSIRequest *req, uint8_t *outbuf)
1339 {
1340     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1341     int start_track, format, msf, toclen;
1342     uint64_t nb_sectors;
1343 
1344     msf = req->cmd.buf[1] & 2;
1345     format = req->cmd.buf[2] & 0xf;
1346     start_track = req->cmd.buf[6];
1347     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
1348     trace_scsi_disk_emulate_read_toc(start_track, format, msf >> 1);
1349     nb_sectors /= s->qdev.blocksize / BDRV_SECTOR_SIZE;
1350     switch (format) {
1351     case 0:
1352         toclen = cdrom_read_toc(nb_sectors, outbuf, msf, start_track);
1353         break;
1354     case 1:
1355         /* multi session : only a single session defined */
1356         toclen = 12;
1357         memset(outbuf, 0, 12);
1358         outbuf[1] = 0x0a;
1359         outbuf[2] = 0x01;
1360         outbuf[3] = 0x01;
1361         break;
1362     case 2:
1363         toclen = cdrom_read_toc_raw(nb_sectors, outbuf, msf, start_track);
1364         break;
1365     default:
1366         return -1;
1367     }
1368     return toclen;
1369 }
1370 
1371 static int scsi_disk_emulate_start_stop(SCSIDiskReq *r)
1372 {
1373     SCSIRequest *req = &r->req;
1374     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1375     bool start = req->cmd.buf[4] & 1;
1376     bool loej = req->cmd.buf[4] & 2; /* load on start, eject on !start */
1377     int pwrcnd = req->cmd.buf[4] & 0xf0;
1378 
1379     if (pwrcnd) {
1380         /* eject/load only happens for power condition == 0 */
1381         return 0;
1382     }
1383 
1384     if ((s->features & (1 << SCSI_DISK_F_REMOVABLE)) && loej) {
1385         if (!start && !s->tray_open && s->tray_locked) {
1386             scsi_check_condition(r,
1387                                  blk_is_inserted(s->qdev.conf.blk)
1388                                  ? SENSE_CODE(ILLEGAL_REQ_REMOVAL_PREVENTED)
1389                                  : SENSE_CODE(NOT_READY_REMOVAL_PREVENTED));
1390             return -1;
1391         }
1392 
1393         if (s->tray_open != !start) {
1394             blk_eject(s->qdev.conf.blk, !start);
1395             s->tray_open = !start;
1396         }
1397     }
1398     return 0;
1399 }
1400 
1401 static void scsi_disk_emulate_read_data(SCSIRequest *req)
1402 {
1403     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
1404     int buflen = r->iov.iov_len;
1405 
1406     if (buflen) {
1407         trace_scsi_disk_emulate_read_data(buflen);
1408         r->iov.iov_len = 0;
1409         r->started = true;
1410         scsi_req_data(&r->req, buflen);
1411         return;
1412     }
1413 
1414     /* This also clears the sense buffer for REQUEST SENSE.  */
1415     scsi_req_complete(&r->req, GOOD);
1416 }
1417 
1418 static int scsi_disk_check_mode_select(SCSIDiskState *s, int page,
1419                                        uint8_t *inbuf, int inlen)
1420 {
1421     uint8_t mode_current[SCSI_MAX_MODE_LEN];
1422     uint8_t mode_changeable[SCSI_MAX_MODE_LEN];
1423     uint8_t *p;
1424     int len, expected_len, changeable_len, i;
1425 
1426     /* The input buffer does not include the page header, so it is
1427      * off by 2 bytes.
1428      */
1429     expected_len = inlen + 2;
1430     if (expected_len > SCSI_MAX_MODE_LEN) {
1431         return -1;
1432     }
1433 
1434     p = mode_current;
1435     memset(mode_current, 0, inlen + 2);
1436     len = mode_sense_page(s, page, &p, 0);
1437     if (len < 0 || len != expected_len) {
1438         return -1;
1439     }
1440 
1441     p = mode_changeable;
1442     memset(mode_changeable, 0, inlen + 2);
1443     changeable_len = mode_sense_page(s, page, &p, 1);
1444     assert(changeable_len == len);
1445 
1446     /* Check that unchangeable bits are the same as what MODE SENSE
1447      * would return.
1448      */
1449     for (i = 2; i < len; i++) {
1450         if (((mode_current[i] ^ inbuf[i - 2]) & ~mode_changeable[i]) != 0) {
1451             return -1;
1452         }
1453     }
1454     return 0;
1455 }
1456 
1457 static void scsi_disk_apply_mode_select(SCSIDiskState *s, int page, uint8_t *p)
1458 {
1459     switch (page) {
1460     case MODE_PAGE_CACHING:
1461         blk_set_enable_write_cache(s->qdev.conf.blk, (p[0] & 4) != 0);
1462         break;
1463 
1464     default:
1465         break;
1466     }
1467 }
1468 
1469 static int mode_select_pages(SCSIDiskReq *r, uint8_t *p, int len, bool change)
1470 {
1471     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1472 
1473     while (len > 0) {
1474         int page, subpage, page_len;
1475 
1476         /* Parse both possible formats for the mode page headers.  */
1477         page = p[0] & 0x3f;
1478         if (p[0] & 0x40) {
1479             if (len < 4) {
1480                 goto invalid_param_len;
1481             }
1482             subpage = p[1];
1483             page_len = lduw_be_p(&p[2]);
1484             p += 4;
1485             len -= 4;
1486         } else {
1487             if (len < 2) {
1488                 goto invalid_param_len;
1489             }
1490             subpage = 0;
1491             page_len = p[1];
1492             p += 2;
1493             len -= 2;
1494         }
1495 
1496         if (subpage) {
1497             goto invalid_param;
1498         }
1499         if (page_len > len) {
1500             goto invalid_param_len;
1501         }
1502 
1503         if (!change) {
1504             if (scsi_disk_check_mode_select(s, page, p, page_len) < 0) {
1505                 goto invalid_param;
1506             }
1507         } else {
1508             scsi_disk_apply_mode_select(s, page, p);
1509         }
1510 
1511         p += page_len;
1512         len -= page_len;
1513     }
1514     return 0;
1515 
1516 invalid_param:
1517     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM));
1518     return -1;
1519 
1520 invalid_param_len:
1521     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM_LEN));
1522     return -1;
1523 }
1524 
1525 static void scsi_disk_emulate_mode_select(SCSIDiskReq *r, uint8_t *inbuf)
1526 {
1527     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1528     uint8_t *p = inbuf;
1529     int cmd = r->req.cmd.buf[0];
1530     int len = r->req.cmd.xfer;
1531     int hdr_len = (cmd == MODE_SELECT ? 4 : 8);
1532     int bd_len;
1533     int pass;
1534 
1535     /* We only support PF=1, SP=0.  */
1536     if ((r->req.cmd.buf[1] & 0x11) != 0x10) {
1537         goto invalid_field;
1538     }
1539 
1540     if (len < hdr_len) {
1541         goto invalid_param_len;
1542     }
1543 
1544     bd_len = (cmd == MODE_SELECT ? p[3] : lduw_be_p(&p[6]));
1545     len -= hdr_len;
1546     p += hdr_len;
1547     if (len < bd_len) {
1548         goto invalid_param_len;
1549     }
1550     if (bd_len != 0 && bd_len != 8) {
1551         goto invalid_param;
1552     }
1553 
1554     len -= bd_len;
1555     p += bd_len;
1556 
1557     /* Ensure no change is made if there is an error!  */
1558     for (pass = 0; pass < 2; pass++) {
1559         if (mode_select_pages(r, p, len, pass == 1) < 0) {
1560             assert(pass == 0);
1561             return;
1562         }
1563     }
1564     if (!blk_enable_write_cache(s->qdev.conf.blk)) {
1565         /* The request is used as the AIO opaque value, so add a ref.  */
1566         scsi_req_ref(&r->req);
1567         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct, 0,
1568                          BLOCK_ACCT_FLUSH);
1569         r->req.aiocb = blk_aio_flush(s->qdev.conf.blk, scsi_aio_complete, r);
1570         return;
1571     }
1572 
1573     scsi_req_complete(&r->req, GOOD);
1574     return;
1575 
1576 invalid_param:
1577     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM));
1578     return;
1579 
1580 invalid_param_len:
1581     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM_LEN));
1582     return;
1583 
1584 invalid_field:
1585     scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1586 }
1587 
1588 static inline bool check_lba_range(SCSIDiskState *s,
1589                                    uint64_t sector_num, uint32_t nb_sectors)
1590 {
1591     /*
1592      * The first line tests that no overflow happens when computing the last
1593      * sector.  The second line tests that the last accessed sector is in
1594      * range.
1595      *
1596      * Careful, the computations should not underflow for nb_sectors == 0,
1597      * and a 0-block read to the first LBA beyond the end of device is
1598      * valid.
1599      */
1600     return (sector_num <= sector_num + nb_sectors &&
1601             sector_num + nb_sectors <= s->qdev.max_lba + 1);
1602 }
1603 
1604 typedef struct UnmapCBData {
1605     SCSIDiskReq *r;
1606     uint8_t *inbuf;
1607     int count;
1608 } UnmapCBData;
1609 
1610 static void scsi_unmap_complete(void *opaque, int ret);
1611 
1612 static void scsi_unmap_complete_noio(UnmapCBData *data, int ret)
1613 {
1614     SCSIDiskReq *r = data->r;
1615     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1616 
1617     assert(r->req.aiocb == NULL);
1618 
1619     if (data->count > 0) {
1620         r->sector = ldq_be_p(&data->inbuf[0])
1621             * (s->qdev.blocksize / BDRV_SECTOR_SIZE);
1622         r->sector_count = (ldl_be_p(&data->inbuf[8]) & 0xffffffffULL)
1623             * (s->qdev.blocksize / BDRV_SECTOR_SIZE);
1624         if (!check_lba_range(s, r->sector, r->sector_count)) {
1625             block_acct_invalid(blk_get_stats(s->qdev.conf.blk),
1626                                BLOCK_ACCT_UNMAP);
1627             scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
1628             goto done;
1629         }
1630 
1631         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
1632                          r->sector_count * BDRV_SECTOR_SIZE,
1633                          BLOCK_ACCT_UNMAP);
1634 
1635         r->req.aiocb = blk_aio_pdiscard(s->qdev.conf.blk,
1636                                         r->sector * BDRV_SECTOR_SIZE,
1637                                         r->sector_count * BDRV_SECTOR_SIZE,
1638                                         scsi_unmap_complete, data);
1639         data->count--;
1640         data->inbuf += 16;
1641         return;
1642     }
1643 
1644     scsi_req_complete(&r->req, GOOD);
1645 
1646 done:
1647     scsi_req_unref(&r->req);
1648     g_free(data);
1649 }
1650 
1651 static void scsi_unmap_complete(void *opaque, int ret)
1652 {
1653     UnmapCBData *data = opaque;
1654     SCSIDiskReq *r = data->r;
1655     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1656 
1657     assert(r->req.aiocb != NULL);
1658     r->req.aiocb = NULL;
1659 
1660     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
1661     if (scsi_disk_req_check_error(r, ret, true)) {
1662         scsi_req_unref(&r->req);
1663         g_free(data);
1664     } else {
1665         block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
1666         scsi_unmap_complete_noio(data, ret);
1667     }
1668     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
1669 }
1670 
1671 static void scsi_disk_emulate_unmap(SCSIDiskReq *r, uint8_t *inbuf)
1672 {
1673     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1674     uint8_t *p = inbuf;
1675     int len = r->req.cmd.xfer;
1676     UnmapCBData *data;
1677 
1678     /* Reject ANCHOR=1.  */
1679     if (r->req.cmd.buf[1] & 0x1) {
1680         goto invalid_field;
1681     }
1682 
1683     if (len < 8) {
1684         goto invalid_param_len;
1685     }
1686     if (len < lduw_be_p(&p[0]) + 2) {
1687         goto invalid_param_len;
1688     }
1689     if (len < lduw_be_p(&p[2]) + 8) {
1690         goto invalid_param_len;
1691     }
1692     if (lduw_be_p(&p[2]) & 15) {
1693         goto invalid_param_len;
1694     }
1695 
1696     if (!blk_is_writable(s->qdev.conf.blk)) {
1697         block_acct_invalid(blk_get_stats(s->qdev.conf.blk), BLOCK_ACCT_UNMAP);
1698         scsi_check_condition(r, SENSE_CODE(WRITE_PROTECTED));
1699         return;
1700     }
1701 
1702     data = g_new0(UnmapCBData, 1);
1703     data->r = r;
1704     data->inbuf = &p[8];
1705     data->count = lduw_be_p(&p[2]) >> 4;
1706 
1707     /* The matching unref is in scsi_unmap_complete, before data is freed.  */
1708     scsi_req_ref(&r->req);
1709     scsi_unmap_complete_noio(data, 0);
1710     return;
1711 
1712 invalid_param_len:
1713     block_acct_invalid(blk_get_stats(s->qdev.conf.blk), BLOCK_ACCT_UNMAP);
1714     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM_LEN));
1715     return;
1716 
1717 invalid_field:
1718     block_acct_invalid(blk_get_stats(s->qdev.conf.blk), BLOCK_ACCT_UNMAP);
1719     scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1720 }
1721 
1722 typedef struct WriteSameCBData {
1723     SCSIDiskReq *r;
1724     int64_t sector;
1725     int nb_sectors;
1726     QEMUIOVector qiov;
1727     struct iovec iov;
1728 } WriteSameCBData;
1729 
1730 static void scsi_write_same_complete(void *opaque, int ret)
1731 {
1732     WriteSameCBData *data = opaque;
1733     SCSIDiskReq *r = data->r;
1734     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1735 
1736     assert(r->req.aiocb != NULL);
1737     r->req.aiocb = NULL;
1738     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
1739     if (scsi_disk_req_check_error(r, ret, true)) {
1740         goto done;
1741     }
1742 
1743     block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
1744 
1745     data->nb_sectors -= data->iov.iov_len / BDRV_SECTOR_SIZE;
1746     data->sector += data->iov.iov_len / BDRV_SECTOR_SIZE;
1747     data->iov.iov_len = MIN(data->nb_sectors * BDRV_SECTOR_SIZE,
1748                             data->iov.iov_len);
1749     if (data->iov.iov_len) {
1750         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
1751                          data->iov.iov_len, BLOCK_ACCT_WRITE);
1752         /* Reinitialize qiov, to handle unaligned WRITE SAME request
1753          * where final qiov may need smaller size */
1754         qemu_iovec_init_external(&data->qiov, &data->iov, 1);
1755         r->req.aiocb = blk_aio_pwritev(s->qdev.conf.blk,
1756                                        data->sector << BDRV_SECTOR_BITS,
1757                                        &data->qiov, 0,
1758                                        scsi_write_same_complete, data);
1759         aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
1760         return;
1761     }
1762 
1763     scsi_req_complete(&r->req, GOOD);
1764 
1765 done:
1766     scsi_req_unref(&r->req);
1767     qemu_vfree(data->iov.iov_base);
1768     g_free(data);
1769     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
1770 }
1771 
1772 static void scsi_disk_emulate_write_same(SCSIDiskReq *r, uint8_t *inbuf)
1773 {
1774     SCSIRequest *req = &r->req;
1775     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1776     uint32_t nb_sectors = scsi_data_cdb_xfer(r->req.cmd.buf);
1777     WriteSameCBData *data;
1778     uint8_t *buf;
1779     int i;
1780 
1781     /* Fail if PBDATA=1 or LBDATA=1 or ANCHOR=1.  */
1782     if (nb_sectors == 0 || (req->cmd.buf[1] & 0x16)) {
1783         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1784         return;
1785     }
1786 
1787     if (!blk_is_writable(s->qdev.conf.blk)) {
1788         scsi_check_condition(r, SENSE_CODE(WRITE_PROTECTED));
1789         return;
1790     }
1791     if (!check_lba_range(s, r->req.cmd.lba, nb_sectors)) {
1792         scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
1793         return;
1794     }
1795 
1796     if ((req->cmd.buf[1] & 0x1) || buffer_is_zero(inbuf, s->qdev.blocksize)) {
1797         int flags = (req->cmd.buf[1] & 0x8) ? BDRV_REQ_MAY_UNMAP : 0;
1798 
1799         /* The request is used as the AIO opaque value, so add a ref.  */
1800         scsi_req_ref(&r->req);
1801         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
1802                          nb_sectors * s->qdev.blocksize,
1803                         BLOCK_ACCT_WRITE);
1804         r->req.aiocb = blk_aio_pwrite_zeroes(s->qdev.conf.blk,
1805                                 r->req.cmd.lba * s->qdev.blocksize,
1806                                 nb_sectors * s->qdev.blocksize,
1807                                 flags, scsi_aio_complete, r);
1808         return;
1809     }
1810 
1811     data = g_new0(WriteSameCBData, 1);
1812     data->r = r;
1813     data->sector = r->req.cmd.lba * (s->qdev.blocksize / BDRV_SECTOR_SIZE);
1814     data->nb_sectors = nb_sectors * (s->qdev.blocksize / BDRV_SECTOR_SIZE);
1815     data->iov.iov_len = MIN(data->nb_sectors * BDRV_SECTOR_SIZE,
1816                             SCSI_WRITE_SAME_MAX);
1817     data->iov.iov_base = buf = blk_blockalign(s->qdev.conf.blk,
1818                                               data->iov.iov_len);
1819     qemu_iovec_init_external(&data->qiov, &data->iov, 1);
1820 
1821     for (i = 0; i < data->iov.iov_len; i += s->qdev.blocksize) {
1822         memcpy(&buf[i], inbuf, s->qdev.blocksize);
1823     }
1824 
1825     scsi_req_ref(&r->req);
1826     block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
1827                      data->iov.iov_len, BLOCK_ACCT_WRITE);
1828     r->req.aiocb = blk_aio_pwritev(s->qdev.conf.blk,
1829                                    data->sector << BDRV_SECTOR_BITS,
1830                                    &data->qiov, 0,
1831                                    scsi_write_same_complete, data);
1832 }
1833 
1834 static void scsi_disk_emulate_write_data(SCSIRequest *req)
1835 {
1836     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
1837 
1838     if (r->iov.iov_len) {
1839         int buflen = r->iov.iov_len;
1840         trace_scsi_disk_emulate_write_data(buflen);
1841         r->iov.iov_len = 0;
1842         scsi_req_data(&r->req, buflen);
1843         return;
1844     }
1845 
1846     switch (req->cmd.buf[0]) {
1847     case MODE_SELECT:
1848     case MODE_SELECT_10:
1849         /* This also clears the sense buffer for REQUEST SENSE.  */
1850         scsi_disk_emulate_mode_select(r, r->iov.iov_base);
1851         break;
1852 
1853     case UNMAP:
1854         scsi_disk_emulate_unmap(r, r->iov.iov_base);
1855         break;
1856 
1857     case VERIFY_10:
1858     case VERIFY_12:
1859     case VERIFY_16:
1860         if (r->req.status == -1) {
1861             scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1862         }
1863         break;
1864 
1865     case WRITE_SAME_10:
1866     case WRITE_SAME_16:
1867         scsi_disk_emulate_write_same(r, r->iov.iov_base);
1868         break;
1869 
1870     default:
1871         abort();
1872     }
1873 }
1874 
1875 static int32_t scsi_disk_emulate_command(SCSIRequest *req, uint8_t *buf)
1876 {
1877     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
1878     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1879     uint64_t nb_sectors;
1880     uint8_t *outbuf;
1881     int buflen;
1882 
1883     switch (req->cmd.buf[0]) {
1884     case INQUIRY:
1885     case MODE_SENSE:
1886     case MODE_SENSE_10:
1887     case RESERVE:
1888     case RESERVE_10:
1889     case RELEASE:
1890     case RELEASE_10:
1891     case START_STOP:
1892     case ALLOW_MEDIUM_REMOVAL:
1893     case GET_CONFIGURATION:
1894     case GET_EVENT_STATUS_NOTIFICATION:
1895     case MECHANISM_STATUS:
1896     case REQUEST_SENSE:
1897         break;
1898 
1899     default:
1900         if (!blk_is_available(s->qdev.conf.blk)) {
1901             scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
1902             return 0;
1903         }
1904         break;
1905     }
1906 
1907     /*
1908      * FIXME: we shouldn't return anything bigger than 4k, but the code
1909      * requires the buffer to be as big as req->cmd.xfer in several
1910      * places.  So, do not allow CDBs with a very large ALLOCATION
1911      * LENGTH.  The real fix would be to modify scsi_read_data and
1912      * dma_buf_read, so that they return data beyond the buflen
1913      * as all zeros.
1914      */
1915     if (req->cmd.xfer > 65536) {
1916         goto illegal_request;
1917     }
1918     r->buflen = MAX(4096, req->cmd.xfer);
1919 
1920     if (!r->iov.iov_base) {
1921         r->iov.iov_base = blk_blockalign(s->qdev.conf.blk, r->buflen);
1922     }
1923 
1924     outbuf = r->iov.iov_base;
1925     memset(outbuf, 0, r->buflen);
1926     switch (req->cmd.buf[0]) {
1927     case TEST_UNIT_READY:
1928         assert(blk_is_available(s->qdev.conf.blk));
1929         break;
1930     case INQUIRY:
1931         buflen = scsi_disk_emulate_inquiry(req, outbuf);
1932         if (buflen < 0) {
1933             goto illegal_request;
1934         }
1935         break;
1936     case MODE_SENSE:
1937     case MODE_SENSE_10:
1938         buflen = scsi_disk_emulate_mode_sense(r, outbuf);
1939         if (buflen < 0) {
1940             goto illegal_request;
1941         }
1942         break;
1943     case READ_TOC:
1944         buflen = scsi_disk_emulate_read_toc(req, outbuf);
1945         if (buflen < 0) {
1946             goto illegal_request;
1947         }
1948         break;
1949     case RESERVE:
1950         if (req->cmd.buf[1] & 1) {
1951             goto illegal_request;
1952         }
1953         break;
1954     case RESERVE_10:
1955         if (req->cmd.buf[1] & 3) {
1956             goto illegal_request;
1957         }
1958         break;
1959     case RELEASE:
1960         if (req->cmd.buf[1] & 1) {
1961             goto illegal_request;
1962         }
1963         break;
1964     case RELEASE_10:
1965         if (req->cmd.buf[1] & 3) {
1966             goto illegal_request;
1967         }
1968         break;
1969     case START_STOP:
1970         if (scsi_disk_emulate_start_stop(r) < 0) {
1971             return 0;
1972         }
1973         break;
1974     case ALLOW_MEDIUM_REMOVAL:
1975         s->tray_locked = req->cmd.buf[4] & 1;
1976         blk_lock_medium(s->qdev.conf.blk, req->cmd.buf[4] & 1);
1977         break;
1978     case READ_CAPACITY_10:
1979         /* The normal LEN field for this command is zero.  */
1980         memset(outbuf, 0, 8);
1981         blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
1982         if (!nb_sectors) {
1983             scsi_check_condition(r, SENSE_CODE(LUN_NOT_READY));
1984             return 0;
1985         }
1986         if ((req->cmd.buf[8] & 1) == 0 && req->cmd.lba) {
1987             goto illegal_request;
1988         }
1989         nb_sectors /= s->qdev.blocksize / BDRV_SECTOR_SIZE;
1990         /* Returned value is the address of the last sector.  */
1991         nb_sectors--;
1992         /* Remember the new size for read/write sanity checking. */
1993         s->qdev.max_lba = nb_sectors;
1994         /* Clip to 2TB, instead of returning capacity modulo 2TB. */
1995         if (nb_sectors > UINT32_MAX) {
1996             nb_sectors = UINT32_MAX;
1997         }
1998         outbuf[0] = (nb_sectors >> 24) & 0xff;
1999         outbuf[1] = (nb_sectors >> 16) & 0xff;
2000         outbuf[2] = (nb_sectors >> 8) & 0xff;
2001         outbuf[3] = nb_sectors & 0xff;
2002         outbuf[4] = 0;
2003         outbuf[5] = 0;
2004         outbuf[6] = s->qdev.blocksize >> 8;
2005         outbuf[7] = 0;
2006         break;
2007     case REQUEST_SENSE:
2008         /* Just return "NO SENSE".  */
2009         buflen = scsi_convert_sense(NULL, 0, outbuf, r->buflen,
2010                                     (req->cmd.buf[1] & 1) == 0);
2011         if (buflen < 0) {
2012             goto illegal_request;
2013         }
2014         break;
2015     case MECHANISM_STATUS:
2016         buflen = scsi_emulate_mechanism_status(s, outbuf);
2017         if (buflen < 0) {
2018             goto illegal_request;
2019         }
2020         break;
2021     case GET_CONFIGURATION:
2022         buflen = scsi_get_configuration(s, outbuf);
2023         if (buflen < 0) {
2024             goto illegal_request;
2025         }
2026         break;
2027     case GET_EVENT_STATUS_NOTIFICATION:
2028         buflen = scsi_get_event_status_notification(s, r, outbuf);
2029         if (buflen < 0) {
2030             goto illegal_request;
2031         }
2032         break;
2033     case READ_DISC_INFORMATION:
2034         buflen = scsi_read_disc_information(s, r, outbuf);
2035         if (buflen < 0) {
2036             goto illegal_request;
2037         }
2038         break;
2039     case READ_DVD_STRUCTURE:
2040         buflen = scsi_read_dvd_structure(s, r, outbuf);
2041         if (buflen < 0) {
2042             goto illegal_request;
2043         }
2044         break;
2045     case SERVICE_ACTION_IN_16:
2046         /* Service Action In subcommands. */
2047         if ((req->cmd.buf[1] & 31) == SAI_READ_CAPACITY_16) {
2048             trace_scsi_disk_emulate_command_SAI_16();
2049             memset(outbuf, 0, req->cmd.xfer);
2050             blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
2051             if (!nb_sectors) {
2052                 scsi_check_condition(r, SENSE_CODE(LUN_NOT_READY));
2053                 return 0;
2054             }
2055             if ((req->cmd.buf[14] & 1) == 0 && req->cmd.lba) {
2056                 goto illegal_request;
2057             }
2058             nb_sectors /= s->qdev.blocksize / BDRV_SECTOR_SIZE;
2059             /* Returned value is the address of the last sector.  */
2060             nb_sectors--;
2061             /* Remember the new size for read/write sanity checking. */
2062             s->qdev.max_lba = nb_sectors;
2063             outbuf[0] = (nb_sectors >> 56) & 0xff;
2064             outbuf[1] = (nb_sectors >> 48) & 0xff;
2065             outbuf[2] = (nb_sectors >> 40) & 0xff;
2066             outbuf[3] = (nb_sectors >> 32) & 0xff;
2067             outbuf[4] = (nb_sectors >> 24) & 0xff;
2068             outbuf[5] = (nb_sectors >> 16) & 0xff;
2069             outbuf[6] = (nb_sectors >> 8) & 0xff;
2070             outbuf[7] = nb_sectors & 0xff;
2071             outbuf[8] = 0;
2072             outbuf[9] = 0;
2073             outbuf[10] = s->qdev.blocksize >> 8;
2074             outbuf[11] = 0;
2075             outbuf[12] = 0;
2076             outbuf[13] = get_physical_block_exp(&s->qdev.conf);
2077 
2078             /* set TPE bit if the format supports discard */
2079             if (s->qdev.conf.discard_granularity) {
2080                 outbuf[14] = 0x80;
2081             }
2082 
2083             /* Protection, exponent and lowest lba field left blank. */
2084             break;
2085         }
2086         trace_scsi_disk_emulate_command_SAI_unsupported();
2087         goto illegal_request;
2088     case SYNCHRONIZE_CACHE:
2089         /* The request is used as the AIO opaque value, so add a ref.  */
2090         scsi_req_ref(&r->req);
2091         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct, 0,
2092                          BLOCK_ACCT_FLUSH);
2093         r->req.aiocb = blk_aio_flush(s->qdev.conf.blk, scsi_aio_complete, r);
2094         return 0;
2095     case SEEK_10:
2096         trace_scsi_disk_emulate_command_SEEK_10(r->req.cmd.lba);
2097         if (r->req.cmd.lba > s->qdev.max_lba) {
2098             goto illegal_lba;
2099         }
2100         break;
2101     case MODE_SELECT:
2102         trace_scsi_disk_emulate_command_MODE_SELECT(r->req.cmd.xfer);
2103         break;
2104     case MODE_SELECT_10:
2105         trace_scsi_disk_emulate_command_MODE_SELECT_10(r->req.cmd.xfer);
2106         break;
2107     case UNMAP:
2108         trace_scsi_disk_emulate_command_UNMAP(r->req.cmd.xfer);
2109         break;
2110     case VERIFY_10:
2111     case VERIFY_12:
2112     case VERIFY_16:
2113         trace_scsi_disk_emulate_command_VERIFY((req->cmd.buf[1] >> 1) & 3);
2114         if (req->cmd.buf[1] & 6) {
2115             goto illegal_request;
2116         }
2117         break;
2118     case WRITE_SAME_10:
2119     case WRITE_SAME_16:
2120         trace_scsi_disk_emulate_command_WRITE_SAME(
2121                 req->cmd.buf[0] == WRITE_SAME_10 ? 10 : 16, r->req.cmd.xfer);
2122         break;
2123     default:
2124         trace_scsi_disk_emulate_command_UNKNOWN(buf[0],
2125                                                 scsi_command_name(buf[0]));
2126         scsi_check_condition(r, SENSE_CODE(INVALID_OPCODE));
2127         return 0;
2128     }
2129     assert(!r->req.aiocb);
2130     r->iov.iov_len = MIN(r->buflen, req->cmd.xfer);
2131     if (r->iov.iov_len == 0) {
2132         scsi_req_complete(&r->req, GOOD);
2133     }
2134     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
2135         assert(r->iov.iov_len == req->cmd.xfer);
2136         return -r->iov.iov_len;
2137     } else {
2138         return r->iov.iov_len;
2139     }
2140 
2141 illegal_request:
2142     if (r->req.status == -1) {
2143         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
2144     }
2145     return 0;
2146 
2147 illegal_lba:
2148     scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
2149     return 0;
2150 }
2151 
2152 /* Execute a scsi command.  Returns the length of the data expected by the
2153    command.  This will be Positive for data transfers from the device
2154    (eg. disk reads), negative for transfers to the device (eg. disk writes),
2155    and zero if the command does not transfer any data.  */
2156 
2157 static int32_t scsi_disk_dma_command(SCSIRequest *req, uint8_t *buf)
2158 {
2159     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
2160     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
2161     SCSIDiskClass *sdc = (SCSIDiskClass *) object_get_class(OBJECT(s));
2162     uint32_t len;
2163     uint8_t command;
2164 
2165     command = buf[0];
2166 
2167     if (!blk_is_available(s->qdev.conf.blk)) {
2168         scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
2169         return 0;
2170     }
2171 
2172     len = scsi_data_cdb_xfer(r->req.cmd.buf);
2173     switch (command) {
2174     case READ_6:
2175     case READ_10:
2176     case READ_12:
2177     case READ_16:
2178         trace_scsi_disk_dma_command_READ(r->req.cmd.lba, len);
2179         /* Protection information is not supported.  For SCSI versions 2 and
2180          * older (as determined by snooping the guest's INQUIRY commands),
2181          * there is no RD/WR/VRPROTECT, so skip this check in these versions.
2182          */
2183         if (s->qdev.scsi_version > 2 && (r->req.cmd.buf[1] & 0xe0)) {
2184             goto illegal_request;
2185         }
2186         if (!check_lba_range(s, r->req.cmd.lba, len)) {
2187             goto illegal_lba;
2188         }
2189         r->sector = r->req.cmd.lba * (s->qdev.blocksize / BDRV_SECTOR_SIZE);
2190         r->sector_count = len * (s->qdev.blocksize / BDRV_SECTOR_SIZE);
2191         break;
2192     case WRITE_6:
2193     case WRITE_10:
2194     case WRITE_12:
2195     case WRITE_16:
2196     case WRITE_VERIFY_10:
2197     case WRITE_VERIFY_12:
2198     case WRITE_VERIFY_16:
2199         if (!blk_is_writable(s->qdev.conf.blk)) {
2200             scsi_check_condition(r, SENSE_CODE(WRITE_PROTECTED));
2201             return 0;
2202         }
2203         trace_scsi_disk_dma_command_WRITE(
2204                 (command & 0xe) == 0xe ? "And Verify " : "",
2205                 r->req.cmd.lba, len);
2206         /* fall through */
2207     case VERIFY_10:
2208     case VERIFY_12:
2209     case VERIFY_16:
2210         /* We get here only for BYTCHK == 0x01 and only for scsi-block.
2211          * As far as DMA is concerned, we can treat it the same as a write;
2212          * scsi_block_do_sgio will send VERIFY commands.
2213          */
2214         if (s->qdev.scsi_version > 2 && (r->req.cmd.buf[1] & 0xe0)) {
2215             goto illegal_request;
2216         }
2217         if (!check_lba_range(s, r->req.cmd.lba, len)) {
2218             goto illegal_lba;
2219         }
2220         r->sector = r->req.cmd.lba * (s->qdev.blocksize / BDRV_SECTOR_SIZE);
2221         r->sector_count = len * (s->qdev.blocksize / BDRV_SECTOR_SIZE);
2222         break;
2223     default:
2224         abort();
2225     illegal_request:
2226         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
2227         return 0;
2228     illegal_lba:
2229         scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
2230         return 0;
2231     }
2232     r->need_fua_emulation = sdc->need_fua_emulation(&r->req.cmd);
2233     if (r->sector_count == 0) {
2234         scsi_req_complete(&r->req, GOOD);
2235     }
2236     assert(r->iov.iov_len == 0);
2237     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
2238         return -r->sector_count * BDRV_SECTOR_SIZE;
2239     } else {
2240         return r->sector_count * BDRV_SECTOR_SIZE;
2241     }
2242 }
2243 
2244 static void scsi_disk_reset(DeviceState *dev)
2245 {
2246     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev.qdev, dev);
2247     uint64_t nb_sectors;
2248 
2249     scsi_device_purge_requests(&s->qdev, SENSE_CODE(RESET));
2250 
2251     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
2252     nb_sectors /= s->qdev.blocksize / BDRV_SECTOR_SIZE;
2253     if (nb_sectors) {
2254         nb_sectors--;
2255     }
2256     s->qdev.max_lba = nb_sectors;
2257     /* reset tray statuses */
2258     s->tray_locked = 0;
2259     s->tray_open = 0;
2260 
2261     s->qdev.scsi_version = s->qdev.default_scsi_version;
2262 }
2263 
2264 static void scsi_disk_resize_cb(void *opaque)
2265 {
2266     SCSIDiskState *s = opaque;
2267 
2268     /* SPC lists this sense code as available only for
2269      * direct-access devices.
2270      */
2271     if (s->qdev.type == TYPE_DISK) {
2272         scsi_device_report_change(&s->qdev, SENSE_CODE(CAPACITY_CHANGED));
2273     }
2274 }
2275 
2276 static void scsi_cd_change_media_cb(void *opaque, bool load, Error **errp)
2277 {
2278     SCSIDiskState *s = opaque;
2279 
2280     /*
2281      * When a CD gets changed, we have to report an ejected state and
2282      * then a loaded state to guests so that they detect tray
2283      * open/close and media change events.  Guests that do not use
2284      * GET_EVENT_STATUS_NOTIFICATION to detect such tray open/close
2285      * states rely on this behavior.
2286      *
2287      * media_changed governs the state machine used for unit attention
2288      * report.  media_event is used by GET EVENT STATUS NOTIFICATION.
2289      */
2290     s->media_changed = load;
2291     s->tray_open = !load;
2292     scsi_device_set_ua(&s->qdev, SENSE_CODE(UNIT_ATTENTION_NO_MEDIUM));
2293     s->media_event = true;
2294     s->eject_request = false;
2295 }
2296 
2297 static void scsi_cd_eject_request_cb(void *opaque, bool force)
2298 {
2299     SCSIDiskState *s = opaque;
2300 
2301     s->eject_request = true;
2302     if (force) {
2303         s->tray_locked = false;
2304     }
2305 }
2306 
2307 static bool scsi_cd_is_tray_open(void *opaque)
2308 {
2309     return ((SCSIDiskState *)opaque)->tray_open;
2310 }
2311 
2312 static bool scsi_cd_is_medium_locked(void *opaque)
2313 {
2314     return ((SCSIDiskState *)opaque)->tray_locked;
2315 }
2316 
2317 static const BlockDevOps scsi_disk_removable_block_ops = {
2318     .change_media_cb = scsi_cd_change_media_cb,
2319     .eject_request_cb = scsi_cd_eject_request_cb,
2320     .is_tray_open = scsi_cd_is_tray_open,
2321     .is_medium_locked = scsi_cd_is_medium_locked,
2322 
2323     .resize_cb = scsi_disk_resize_cb,
2324 };
2325 
2326 static const BlockDevOps scsi_disk_block_ops = {
2327     .resize_cb = scsi_disk_resize_cb,
2328 };
2329 
2330 static void scsi_disk_unit_attention_reported(SCSIDevice *dev)
2331 {
2332     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2333     if (s->media_changed) {
2334         s->media_changed = false;
2335         scsi_device_set_ua(&s->qdev, SENSE_CODE(MEDIUM_CHANGED));
2336     }
2337 }
2338 
2339 static void scsi_realize(SCSIDevice *dev, Error **errp)
2340 {
2341     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2342     bool read_only;
2343 
2344     if (!s->qdev.conf.blk) {
2345         error_setg(errp, "drive property not set");
2346         return;
2347     }
2348 
2349     if (!(s->features & (1 << SCSI_DISK_F_REMOVABLE)) &&
2350         !blk_is_inserted(s->qdev.conf.blk)) {
2351         error_setg(errp, "Device needs media, but drive is empty");
2352         return;
2353     }
2354 
2355     if (!blkconf_blocksizes(&s->qdev.conf, errp)) {
2356         return;
2357     }
2358 
2359     if (blk_get_aio_context(s->qdev.conf.blk) != qemu_get_aio_context() &&
2360         !s->qdev.hba_supports_iothread)
2361     {
2362         error_setg(errp, "HBA does not support iothreads");
2363         return;
2364     }
2365 
2366     if (dev->type == TYPE_DISK) {
2367         if (!blkconf_geometry(&dev->conf, NULL, 65535, 255, 255, errp)) {
2368             return;
2369         }
2370     }
2371 
2372     read_only = !blk_supports_write_perm(s->qdev.conf.blk);
2373     if (dev->type == TYPE_ROM) {
2374         read_only = true;
2375     }
2376 
2377     if (!blkconf_apply_backend_options(&dev->conf, read_only,
2378                                        dev->type == TYPE_DISK, errp)) {
2379         return;
2380     }
2381 
2382     if (s->qdev.conf.discard_granularity == -1) {
2383         s->qdev.conf.discard_granularity =
2384             MAX(s->qdev.conf.logical_block_size, DEFAULT_DISCARD_GRANULARITY);
2385     }
2386 
2387     if (!s->version) {
2388         s->version = g_strdup(qemu_hw_version());
2389     }
2390     if (!s->vendor) {
2391         s->vendor = g_strdup("QEMU");
2392     }
2393     if (!s->device_id) {
2394         if (s->serial) {
2395             s->device_id = g_strdup_printf("%.20s", s->serial);
2396         } else {
2397             const char *str = blk_name(s->qdev.conf.blk);
2398             if (str && *str) {
2399                 s->device_id = g_strdup(str);
2400             }
2401         }
2402     }
2403 
2404     if (blk_is_sg(s->qdev.conf.blk)) {
2405         error_setg(errp, "unwanted /dev/sg*");
2406         return;
2407     }
2408 
2409     if ((s->features & (1 << SCSI_DISK_F_REMOVABLE)) &&
2410             !(s->features & (1 << SCSI_DISK_F_NO_REMOVABLE_DEVOPS))) {
2411         blk_set_dev_ops(s->qdev.conf.blk, &scsi_disk_removable_block_ops, s);
2412     } else {
2413         blk_set_dev_ops(s->qdev.conf.blk, &scsi_disk_block_ops, s);
2414     }
2415     blk_set_guest_block_size(s->qdev.conf.blk, s->qdev.blocksize);
2416 
2417     blk_iostatus_enable(s->qdev.conf.blk);
2418 
2419     add_boot_device_lchs(&dev->qdev, NULL,
2420                          dev->conf.lcyls,
2421                          dev->conf.lheads,
2422                          dev->conf.lsecs);
2423 }
2424 
2425 static void scsi_unrealize(SCSIDevice *dev)
2426 {
2427     del_boot_device_lchs(&dev->qdev, NULL);
2428 }
2429 
2430 static void scsi_hd_realize(SCSIDevice *dev, Error **errp)
2431 {
2432     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2433     AioContext *ctx = NULL;
2434     /* can happen for devices without drive. The error message for missing
2435      * backend will be issued in scsi_realize
2436      */
2437     if (s->qdev.conf.blk) {
2438         ctx = blk_get_aio_context(s->qdev.conf.blk);
2439         aio_context_acquire(ctx);
2440         if (!blkconf_blocksizes(&s->qdev.conf, errp)) {
2441             goto out;
2442         }
2443     }
2444     s->qdev.blocksize = s->qdev.conf.logical_block_size;
2445     s->qdev.type = TYPE_DISK;
2446     if (!s->product) {
2447         s->product = g_strdup("QEMU HARDDISK");
2448     }
2449     scsi_realize(&s->qdev, errp);
2450 out:
2451     if (ctx) {
2452         aio_context_release(ctx);
2453     }
2454 }
2455 
2456 static void scsi_cd_realize(SCSIDevice *dev, Error **errp)
2457 {
2458     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2459     AioContext *ctx;
2460     int ret;
2461 
2462     if (!dev->conf.blk) {
2463         /* Anonymous BlockBackend for an empty drive. As we put it into
2464          * dev->conf, qdev takes care of detaching on unplug. */
2465         dev->conf.blk = blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL);
2466         ret = blk_attach_dev(dev->conf.blk, &dev->qdev);
2467         assert(ret == 0);
2468     }
2469 
2470     ctx = blk_get_aio_context(dev->conf.blk);
2471     aio_context_acquire(ctx);
2472     s->qdev.blocksize = 2048;
2473     s->qdev.type = TYPE_ROM;
2474     s->features |= 1 << SCSI_DISK_F_REMOVABLE;
2475     if (!s->product) {
2476         s->product = g_strdup("QEMU CD-ROM");
2477     }
2478     scsi_realize(&s->qdev, errp);
2479     aio_context_release(ctx);
2480 }
2481 
2482 static void scsi_disk_realize(SCSIDevice *dev, Error **errp)
2483 {
2484     DriveInfo *dinfo;
2485     Error *local_err = NULL;
2486 
2487     warn_report("'scsi-disk' is deprecated, "
2488                 "please use 'scsi-hd' or 'scsi-cd' instead");
2489 
2490     if (!dev->conf.blk) {
2491         scsi_realize(dev, &local_err);
2492         assert(local_err);
2493         error_propagate(errp, local_err);
2494         return;
2495     }
2496 
2497     dinfo = blk_legacy_dinfo(dev->conf.blk);
2498     if (dinfo && dinfo->media_cd) {
2499         scsi_cd_realize(dev, errp);
2500     } else {
2501         scsi_hd_realize(dev, errp);
2502     }
2503 }
2504 
2505 static const SCSIReqOps scsi_disk_emulate_reqops = {
2506     .size         = sizeof(SCSIDiskReq),
2507     .free_req     = scsi_free_request,
2508     .send_command = scsi_disk_emulate_command,
2509     .read_data    = scsi_disk_emulate_read_data,
2510     .write_data   = scsi_disk_emulate_write_data,
2511     .get_buf      = scsi_get_buf,
2512 };
2513 
2514 static const SCSIReqOps scsi_disk_dma_reqops = {
2515     .size         = sizeof(SCSIDiskReq),
2516     .free_req     = scsi_free_request,
2517     .send_command = scsi_disk_dma_command,
2518     .read_data    = scsi_read_data,
2519     .write_data   = scsi_write_data,
2520     .get_buf      = scsi_get_buf,
2521     .load_request = scsi_disk_load_request,
2522     .save_request = scsi_disk_save_request,
2523 };
2524 
2525 static const SCSIReqOps *const scsi_disk_reqops_dispatch[256] = {
2526     [TEST_UNIT_READY]                 = &scsi_disk_emulate_reqops,
2527     [INQUIRY]                         = &scsi_disk_emulate_reqops,
2528     [MODE_SENSE]                      = &scsi_disk_emulate_reqops,
2529     [MODE_SENSE_10]                   = &scsi_disk_emulate_reqops,
2530     [START_STOP]                      = &scsi_disk_emulate_reqops,
2531     [ALLOW_MEDIUM_REMOVAL]            = &scsi_disk_emulate_reqops,
2532     [READ_CAPACITY_10]                = &scsi_disk_emulate_reqops,
2533     [READ_TOC]                        = &scsi_disk_emulate_reqops,
2534     [READ_DVD_STRUCTURE]              = &scsi_disk_emulate_reqops,
2535     [READ_DISC_INFORMATION]           = &scsi_disk_emulate_reqops,
2536     [GET_CONFIGURATION]               = &scsi_disk_emulate_reqops,
2537     [GET_EVENT_STATUS_NOTIFICATION]   = &scsi_disk_emulate_reqops,
2538     [MECHANISM_STATUS]                = &scsi_disk_emulate_reqops,
2539     [SERVICE_ACTION_IN_16]            = &scsi_disk_emulate_reqops,
2540     [REQUEST_SENSE]                   = &scsi_disk_emulate_reqops,
2541     [SYNCHRONIZE_CACHE]               = &scsi_disk_emulate_reqops,
2542     [SEEK_10]                         = &scsi_disk_emulate_reqops,
2543     [MODE_SELECT]                     = &scsi_disk_emulate_reqops,
2544     [MODE_SELECT_10]                  = &scsi_disk_emulate_reqops,
2545     [UNMAP]                           = &scsi_disk_emulate_reqops,
2546     [WRITE_SAME_10]                   = &scsi_disk_emulate_reqops,
2547     [WRITE_SAME_16]                   = &scsi_disk_emulate_reqops,
2548     [VERIFY_10]                       = &scsi_disk_emulate_reqops,
2549     [VERIFY_12]                       = &scsi_disk_emulate_reqops,
2550     [VERIFY_16]                       = &scsi_disk_emulate_reqops,
2551 
2552     [READ_6]                          = &scsi_disk_dma_reqops,
2553     [READ_10]                         = &scsi_disk_dma_reqops,
2554     [READ_12]                         = &scsi_disk_dma_reqops,
2555     [READ_16]                         = &scsi_disk_dma_reqops,
2556     [WRITE_6]                         = &scsi_disk_dma_reqops,
2557     [WRITE_10]                        = &scsi_disk_dma_reqops,
2558     [WRITE_12]                        = &scsi_disk_dma_reqops,
2559     [WRITE_16]                        = &scsi_disk_dma_reqops,
2560     [WRITE_VERIFY_10]                 = &scsi_disk_dma_reqops,
2561     [WRITE_VERIFY_12]                 = &scsi_disk_dma_reqops,
2562     [WRITE_VERIFY_16]                 = &scsi_disk_dma_reqops,
2563 };
2564 
2565 static void scsi_disk_new_request_dump(uint32_t lun, uint32_t tag, uint8_t *buf)
2566 {
2567     int i;
2568     int len = scsi_cdb_length(buf);
2569     char *line_buffer, *p;
2570 
2571     line_buffer = g_malloc(len * 5 + 1);
2572 
2573     for (i = 0, p = line_buffer; i < len; i++) {
2574         p += sprintf(p, " 0x%02x", buf[i]);
2575     }
2576     trace_scsi_disk_new_request(lun, tag, line_buffer);
2577 
2578     g_free(line_buffer);
2579 }
2580 
2581 static SCSIRequest *scsi_new_request(SCSIDevice *d, uint32_t tag, uint32_t lun,
2582                                      uint8_t *buf, void *hba_private)
2583 {
2584     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, d);
2585     SCSIRequest *req;
2586     const SCSIReqOps *ops;
2587     uint8_t command;
2588 
2589     command = buf[0];
2590     ops = scsi_disk_reqops_dispatch[command];
2591     if (!ops) {
2592         ops = &scsi_disk_emulate_reqops;
2593     }
2594     req = scsi_req_alloc(ops, &s->qdev, tag, lun, hba_private);
2595 
2596     if (trace_event_get_state_backends(TRACE_SCSI_DISK_NEW_REQUEST)) {
2597         scsi_disk_new_request_dump(lun, tag, buf);
2598     }
2599 
2600     return req;
2601 }
2602 
2603 #ifdef __linux__
2604 static int get_device_type(SCSIDiskState *s)
2605 {
2606     uint8_t cmd[16];
2607     uint8_t buf[36];
2608     int ret;
2609 
2610     memset(cmd, 0, sizeof(cmd));
2611     memset(buf, 0, sizeof(buf));
2612     cmd[0] = INQUIRY;
2613     cmd[4] = sizeof(buf);
2614 
2615     ret = scsi_SG_IO_FROM_DEV(s->qdev.conf.blk, cmd, sizeof(cmd),
2616                               buf, sizeof(buf), s->qdev.io_timeout);
2617     if (ret < 0) {
2618         return -1;
2619     }
2620     s->qdev.type = buf[0];
2621     if (buf[1] & 0x80) {
2622         s->features |= 1 << SCSI_DISK_F_REMOVABLE;
2623     }
2624     return 0;
2625 }
2626 
2627 static void scsi_block_realize(SCSIDevice *dev, Error **errp)
2628 {
2629     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2630     AioContext *ctx;
2631     int sg_version;
2632     int rc;
2633 
2634     if (!s->qdev.conf.blk) {
2635         error_setg(errp, "drive property not set");
2636         return;
2637     }
2638 
2639     if (s->rotation_rate) {
2640         error_report_once("rotation_rate is specified for scsi-block but is "
2641                           "not implemented. This option is deprecated and will "
2642                           "be removed in a future version");
2643     }
2644 
2645     ctx = blk_get_aio_context(s->qdev.conf.blk);
2646     aio_context_acquire(ctx);
2647 
2648     /* check we are using a driver managing SG_IO (version 3 and after) */
2649     rc = blk_ioctl(s->qdev.conf.blk, SG_GET_VERSION_NUM, &sg_version);
2650     if (rc < 0) {
2651         error_setg_errno(errp, -rc, "cannot get SG_IO version number");
2652         if (rc != -EPERM) {
2653             error_append_hint(errp, "Is this a SCSI device?\n");
2654         }
2655         goto out;
2656     }
2657     if (sg_version < 30000) {
2658         error_setg(errp, "scsi generic interface too old");
2659         goto out;
2660     }
2661 
2662     /* get device type from INQUIRY data */
2663     rc = get_device_type(s);
2664     if (rc < 0) {
2665         error_setg(errp, "INQUIRY failed");
2666         goto out;
2667     }
2668 
2669     /* Make a guess for the block size, we'll fix it when the guest sends.
2670      * READ CAPACITY.  If they don't, they likely would assume these sizes
2671      * anyway. (TODO: check in /sys).
2672      */
2673     if (s->qdev.type == TYPE_ROM || s->qdev.type == TYPE_WORM) {
2674         s->qdev.blocksize = 2048;
2675     } else {
2676         s->qdev.blocksize = 512;
2677     }
2678 
2679     /* Makes the scsi-block device not removable by using HMP and QMP eject
2680      * command.
2681      */
2682     s->features |= (1 << SCSI_DISK_F_NO_REMOVABLE_DEVOPS);
2683 
2684     scsi_realize(&s->qdev, errp);
2685     scsi_generic_read_device_inquiry(&s->qdev);
2686 
2687 out:
2688     aio_context_release(ctx);
2689 }
2690 
2691 typedef struct SCSIBlockReq {
2692     SCSIDiskReq req;
2693     sg_io_hdr_t io_header;
2694 
2695     /* Selected bytes of the original CDB, copied into our own CDB.  */
2696     uint8_t cmd, cdb1, group_number;
2697 
2698     /* CDB passed to SG_IO.  */
2699     uint8_t cdb[16];
2700 } SCSIBlockReq;
2701 
2702 static BlockAIOCB *scsi_block_do_sgio(SCSIBlockReq *req,
2703                                       int64_t offset, QEMUIOVector *iov,
2704                                       int direction,
2705                                       BlockCompletionFunc *cb, void *opaque)
2706 {
2707     sg_io_hdr_t *io_header = &req->io_header;
2708     SCSIDiskReq *r = &req->req;
2709     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
2710     int nb_logical_blocks;
2711     uint64_t lba;
2712     BlockAIOCB *aiocb;
2713 
2714     /* This is not supported yet.  It can only happen if the guest does
2715      * reads and writes that are not aligned to one logical sectors
2716      * _and_ cover multiple MemoryRegions.
2717      */
2718     assert(offset % s->qdev.blocksize == 0);
2719     assert(iov->size % s->qdev.blocksize == 0);
2720 
2721     io_header->interface_id = 'S';
2722 
2723     /* The data transfer comes from the QEMUIOVector.  */
2724     io_header->dxfer_direction = direction;
2725     io_header->dxfer_len = iov->size;
2726     io_header->dxferp = (void *)iov->iov;
2727     io_header->iovec_count = iov->niov;
2728     assert(io_header->iovec_count == iov->niov); /* no overflow! */
2729 
2730     /* Build a new CDB with the LBA and length patched in, in case
2731      * DMA helpers split the transfer in multiple segments.  Do not
2732      * build a CDB smaller than what the guest wanted, and only build
2733      * a larger one if strictly necessary.
2734      */
2735     io_header->cmdp = req->cdb;
2736     lba = offset / s->qdev.blocksize;
2737     nb_logical_blocks = io_header->dxfer_len / s->qdev.blocksize;
2738 
2739     if ((req->cmd >> 5) == 0 && lba <= 0x1ffff) {
2740         /* 6-byte CDB */
2741         stl_be_p(&req->cdb[0], lba | (req->cmd << 24));
2742         req->cdb[4] = nb_logical_blocks;
2743         req->cdb[5] = 0;
2744         io_header->cmd_len = 6;
2745     } else if ((req->cmd >> 5) <= 1 && lba <= 0xffffffffULL) {
2746         /* 10-byte CDB */
2747         req->cdb[0] = (req->cmd & 0x1f) | 0x20;
2748         req->cdb[1] = req->cdb1;
2749         stl_be_p(&req->cdb[2], lba);
2750         req->cdb[6] = req->group_number;
2751         stw_be_p(&req->cdb[7], nb_logical_blocks);
2752         req->cdb[9] = 0;
2753         io_header->cmd_len = 10;
2754     } else if ((req->cmd >> 5) != 4 && lba <= 0xffffffffULL) {
2755         /* 12-byte CDB */
2756         req->cdb[0] = (req->cmd & 0x1f) | 0xA0;
2757         req->cdb[1] = req->cdb1;
2758         stl_be_p(&req->cdb[2], lba);
2759         stl_be_p(&req->cdb[6], nb_logical_blocks);
2760         req->cdb[10] = req->group_number;
2761         req->cdb[11] = 0;
2762         io_header->cmd_len = 12;
2763     } else {
2764         /* 16-byte CDB */
2765         req->cdb[0] = (req->cmd & 0x1f) | 0x80;
2766         req->cdb[1] = req->cdb1;
2767         stq_be_p(&req->cdb[2], lba);
2768         stl_be_p(&req->cdb[10], nb_logical_blocks);
2769         req->cdb[14] = req->group_number;
2770         req->cdb[15] = 0;
2771         io_header->cmd_len = 16;
2772     }
2773 
2774     /* The rest is as in scsi-generic.c.  */
2775     io_header->mx_sb_len = sizeof(r->req.sense);
2776     io_header->sbp = r->req.sense;
2777     io_header->timeout = s->qdev.io_timeout * 1000;
2778     io_header->usr_ptr = r;
2779     io_header->flags |= SG_FLAG_DIRECT_IO;
2780     trace_scsi_disk_aio_sgio_command(r->req.tag, req->cdb[0], lba,
2781                                      nb_logical_blocks, io_header->timeout);
2782     aiocb = blk_aio_ioctl(s->qdev.conf.blk, SG_IO, io_header, cb, opaque);
2783     assert(aiocb != NULL);
2784     return aiocb;
2785 }
2786 
2787 static bool scsi_block_no_fua(SCSICommand *cmd)
2788 {
2789     return false;
2790 }
2791 
2792 static BlockAIOCB *scsi_block_dma_readv(int64_t offset,
2793                                         QEMUIOVector *iov,
2794                                         BlockCompletionFunc *cb, void *cb_opaque,
2795                                         void *opaque)
2796 {
2797     SCSIBlockReq *r = opaque;
2798     return scsi_block_do_sgio(r, offset, iov,
2799                               SG_DXFER_FROM_DEV, cb, cb_opaque);
2800 }
2801 
2802 static BlockAIOCB *scsi_block_dma_writev(int64_t offset,
2803                                          QEMUIOVector *iov,
2804                                          BlockCompletionFunc *cb, void *cb_opaque,
2805                                          void *opaque)
2806 {
2807     SCSIBlockReq *r = opaque;
2808     return scsi_block_do_sgio(r, offset, iov,
2809                               SG_DXFER_TO_DEV, cb, cb_opaque);
2810 }
2811 
2812 static bool scsi_block_is_passthrough(SCSIDiskState *s, uint8_t *buf)
2813 {
2814     switch (buf[0]) {
2815     case VERIFY_10:
2816     case VERIFY_12:
2817     case VERIFY_16:
2818         /* Check if BYTCHK == 0x01 (data-out buffer contains data
2819          * for the number of logical blocks specified in the length
2820          * field).  For other modes, do not use scatter/gather operation.
2821          */
2822         if ((buf[1] & 6) == 2) {
2823             return false;
2824         }
2825         break;
2826 
2827     case READ_6:
2828     case READ_10:
2829     case READ_12:
2830     case READ_16:
2831     case WRITE_6:
2832     case WRITE_10:
2833     case WRITE_12:
2834     case WRITE_16:
2835     case WRITE_VERIFY_10:
2836     case WRITE_VERIFY_12:
2837     case WRITE_VERIFY_16:
2838         /* MMC writing cannot be done via DMA helpers, because it sometimes
2839          * involves writing beyond the maximum LBA or to negative LBA (lead-in).
2840          * We might use scsi_block_dma_reqops as long as no writing commands are
2841          * seen, but performance usually isn't paramount on optical media.  So,
2842          * just make scsi-block operate the same as scsi-generic for them.
2843          */
2844         if (s->qdev.type != TYPE_ROM) {
2845             return false;
2846         }
2847         break;
2848 
2849     default:
2850         break;
2851     }
2852 
2853     return true;
2854 }
2855 
2856 
2857 static int32_t scsi_block_dma_command(SCSIRequest *req, uint8_t *buf)
2858 {
2859     SCSIBlockReq *r = (SCSIBlockReq *)req;
2860     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
2861 
2862     r->cmd = req->cmd.buf[0];
2863     switch (r->cmd >> 5) {
2864     case 0:
2865         /* 6-byte CDB.  */
2866         r->cdb1 = r->group_number = 0;
2867         break;
2868     case 1:
2869         /* 10-byte CDB.  */
2870         r->cdb1 = req->cmd.buf[1];
2871         r->group_number = req->cmd.buf[6];
2872         break;
2873     case 4:
2874         /* 12-byte CDB.  */
2875         r->cdb1 = req->cmd.buf[1];
2876         r->group_number = req->cmd.buf[10];
2877         break;
2878     case 5:
2879         /* 16-byte CDB.  */
2880         r->cdb1 = req->cmd.buf[1];
2881         r->group_number = req->cmd.buf[14];
2882         break;
2883     default:
2884         abort();
2885     }
2886 
2887     /* Protection information is not supported.  For SCSI versions 2 and
2888      * older (as determined by snooping the guest's INQUIRY commands),
2889      * there is no RD/WR/VRPROTECT, so skip this check in these versions.
2890      */
2891     if (s->qdev.scsi_version > 2 && (req->cmd.buf[1] & 0xe0)) {
2892         scsi_check_condition(&r->req, SENSE_CODE(INVALID_FIELD));
2893         return 0;
2894     }
2895 
2896     r->req.status = &r->io_header.status;
2897     return scsi_disk_dma_command(req, buf);
2898 }
2899 
2900 static const SCSIReqOps scsi_block_dma_reqops = {
2901     .size         = sizeof(SCSIBlockReq),
2902     .free_req     = scsi_free_request,
2903     .send_command = scsi_block_dma_command,
2904     .read_data    = scsi_read_data,
2905     .write_data   = scsi_write_data,
2906     .get_buf      = scsi_get_buf,
2907     .load_request = scsi_disk_load_request,
2908     .save_request = scsi_disk_save_request,
2909 };
2910 
2911 static SCSIRequest *scsi_block_new_request(SCSIDevice *d, uint32_t tag,
2912                                            uint32_t lun, uint8_t *buf,
2913                                            void *hba_private)
2914 {
2915     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, d);
2916 
2917     if (scsi_block_is_passthrough(s, buf)) {
2918         return scsi_req_alloc(&scsi_generic_req_ops, &s->qdev, tag, lun,
2919                               hba_private);
2920     } else {
2921         return scsi_req_alloc(&scsi_block_dma_reqops, &s->qdev, tag, lun,
2922                               hba_private);
2923     }
2924 }
2925 
2926 static int scsi_block_parse_cdb(SCSIDevice *d, SCSICommand *cmd,
2927                                   uint8_t *buf, void *hba_private)
2928 {
2929     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, d);
2930 
2931     if (scsi_block_is_passthrough(s, buf)) {
2932         return scsi_bus_parse_cdb(&s->qdev, cmd, buf, hba_private);
2933     } else {
2934         return scsi_req_parse_cdb(&s->qdev, cmd, buf);
2935     }
2936 }
2937 
2938 static void scsi_block_update_sense(SCSIRequest *req)
2939 {
2940     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
2941     SCSIBlockReq *br = DO_UPCAST(SCSIBlockReq, req, r);
2942     r->req.sense_len = MIN(br->io_header.sb_len_wr, sizeof(r->req.sense));
2943 }
2944 #endif
2945 
2946 static
2947 BlockAIOCB *scsi_dma_readv(int64_t offset, QEMUIOVector *iov,
2948                            BlockCompletionFunc *cb, void *cb_opaque,
2949                            void *opaque)
2950 {
2951     SCSIDiskReq *r = opaque;
2952     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
2953     return blk_aio_preadv(s->qdev.conf.blk, offset, iov, 0, cb, cb_opaque);
2954 }
2955 
2956 static
2957 BlockAIOCB *scsi_dma_writev(int64_t offset, QEMUIOVector *iov,
2958                             BlockCompletionFunc *cb, void *cb_opaque,
2959                             void *opaque)
2960 {
2961     SCSIDiskReq *r = opaque;
2962     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
2963     return blk_aio_pwritev(s->qdev.conf.blk, offset, iov, 0, cb, cb_opaque);
2964 }
2965 
2966 static void scsi_disk_base_class_initfn(ObjectClass *klass, void *data)
2967 {
2968     DeviceClass *dc = DEVICE_CLASS(klass);
2969     SCSIDiskClass *sdc = SCSI_DISK_BASE_CLASS(klass);
2970 
2971     dc->fw_name = "disk";
2972     dc->reset = scsi_disk_reset;
2973     sdc->dma_readv = scsi_dma_readv;
2974     sdc->dma_writev = scsi_dma_writev;
2975     sdc->need_fua_emulation = scsi_is_cmd_fua;
2976 }
2977 
2978 static const TypeInfo scsi_disk_base_info = {
2979     .name          = TYPE_SCSI_DISK_BASE,
2980     .parent        = TYPE_SCSI_DEVICE,
2981     .class_init    = scsi_disk_base_class_initfn,
2982     .instance_size = sizeof(SCSIDiskState),
2983     .class_size    = sizeof(SCSIDiskClass),
2984     .abstract      = true,
2985 };
2986 
2987 #define DEFINE_SCSI_DISK_PROPERTIES()                                   \
2988     DEFINE_PROP_DRIVE_IOTHREAD("drive", SCSIDiskState, qdev.conf.blk),  \
2989     DEFINE_BLOCK_PROPERTIES_BASE(SCSIDiskState, qdev.conf),             \
2990     DEFINE_BLOCK_ERROR_PROPERTIES(SCSIDiskState, qdev.conf),            \
2991     DEFINE_PROP_STRING("ver", SCSIDiskState, version),                  \
2992     DEFINE_PROP_STRING("serial", SCSIDiskState, serial),                \
2993     DEFINE_PROP_STRING("vendor", SCSIDiskState, vendor),                \
2994     DEFINE_PROP_STRING("product", SCSIDiskState, product),              \
2995     DEFINE_PROP_STRING("device_id", SCSIDiskState, device_id)
2996 
2997 
2998 static Property scsi_hd_properties[] = {
2999     DEFINE_SCSI_DISK_PROPERTIES(),
3000     DEFINE_PROP_BIT("removable", SCSIDiskState, features,
3001                     SCSI_DISK_F_REMOVABLE, false),
3002     DEFINE_PROP_BIT("dpofua", SCSIDiskState, features,
3003                     SCSI_DISK_F_DPOFUA, false),
3004     DEFINE_PROP_UINT64("wwn", SCSIDiskState, qdev.wwn, 0),
3005     DEFINE_PROP_UINT64("port_wwn", SCSIDiskState, qdev.port_wwn, 0),
3006     DEFINE_PROP_UINT16("port_index", SCSIDiskState, port_index, 0),
3007     DEFINE_PROP_UINT64("max_unmap_size", SCSIDiskState, max_unmap_size,
3008                        DEFAULT_MAX_UNMAP_SIZE),
3009     DEFINE_PROP_UINT64("max_io_size", SCSIDiskState, max_io_size,
3010                        DEFAULT_MAX_IO_SIZE),
3011     DEFINE_PROP_UINT16("rotation_rate", SCSIDiskState, rotation_rate, 0),
3012     DEFINE_PROP_INT32("scsi_version", SCSIDiskState, qdev.default_scsi_version,
3013                       5),
3014     DEFINE_BLOCK_CHS_PROPERTIES(SCSIDiskState, qdev.conf),
3015     DEFINE_PROP_END_OF_LIST(),
3016 };
3017 
3018 static const VMStateDescription vmstate_scsi_disk_state = {
3019     .name = "scsi-disk",
3020     .version_id = 1,
3021     .minimum_version_id = 1,
3022     .fields = (VMStateField[]) {
3023         VMSTATE_SCSI_DEVICE(qdev, SCSIDiskState),
3024         VMSTATE_BOOL(media_changed, SCSIDiskState),
3025         VMSTATE_BOOL(media_event, SCSIDiskState),
3026         VMSTATE_BOOL(eject_request, SCSIDiskState),
3027         VMSTATE_BOOL(tray_open, SCSIDiskState),
3028         VMSTATE_BOOL(tray_locked, SCSIDiskState),
3029         VMSTATE_END_OF_LIST()
3030     }
3031 };
3032 
3033 static void scsi_hd_class_initfn(ObjectClass *klass, void *data)
3034 {
3035     DeviceClass *dc = DEVICE_CLASS(klass);
3036     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
3037 
3038     sc->realize      = scsi_hd_realize;
3039     sc->unrealize    = scsi_unrealize;
3040     sc->alloc_req    = scsi_new_request;
3041     sc->unit_attention_reported = scsi_disk_unit_attention_reported;
3042     dc->desc = "virtual SCSI disk";
3043     device_class_set_props(dc, scsi_hd_properties);
3044     dc->vmsd  = &vmstate_scsi_disk_state;
3045 }
3046 
3047 static const TypeInfo scsi_hd_info = {
3048     .name          = "scsi-hd",
3049     .parent        = TYPE_SCSI_DISK_BASE,
3050     .class_init    = scsi_hd_class_initfn,
3051 };
3052 
3053 static Property scsi_cd_properties[] = {
3054     DEFINE_SCSI_DISK_PROPERTIES(),
3055     DEFINE_PROP_UINT64("wwn", SCSIDiskState, qdev.wwn, 0),
3056     DEFINE_PROP_UINT64("port_wwn", SCSIDiskState, qdev.port_wwn, 0),
3057     DEFINE_PROP_UINT16("port_index", SCSIDiskState, port_index, 0),
3058     DEFINE_PROP_UINT64("max_io_size", SCSIDiskState, max_io_size,
3059                        DEFAULT_MAX_IO_SIZE),
3060     DEFINE_PROP_INT32("scsi_version", SCSIDiskState, qdev.default_scsi_version,
3061                       5),
3062     DEFINE_PROP_END_OF_LIST(),
3063 };
3064 
3065 static void scsi_cd_class_initfn(ObjectClass *klass, void *data)
3066 {
3067     DeviceClass *dc = DEVICE_CLASS(klass);
3068     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
3069 
3070     sc->realize      = scsi_cd_realize;
3071     sc->alloc_req    = scsi_new_request;
3072     sc->unit_attention_reported = scsi_disk_unit_attention_reported;
3073     dc->desc = "virtual SCSI CD-ROM";
3074     device_class_set_props(dc, scsi_cd_properties);
3075     dc->vmsd  = &vmstate_scsi_disk_state;
3076 }
3077 
3078 static const TypeInfo scsi_cd_info = {
3079     .name          = "scsi-cd",
3080     .parent        = TYPE_SCSI_DISK_BASE,
3081     .class_init    = scsi_cd_class_initfn,
3082 };
3083 
3084 #ifdef __linux__
3085 static Property scsi_block_properties[] = {
3086     DEFINE_BLOCK_ERROR_PROPERTIES(SCSIDiskState, qdev.conf),
3087     DEFINE_PROP_DRIVE("drive", SCSIDiskState, qdev.conf.blk),
3088     DEFINE_PROP_BOOL("share-rw", SCSIDiskState, qdev.conf.share_rw, false),
3089     DEFINE_PROP_UINT16("rotation_rate", SCSIDiskState, rotation_rate, 0),
3090     DEFINE_PROP_UINT64("max_unmap_size", SCSIDiskState, max_unmap_size,
3091                        DEFAULT_MAX_UNMAP_SIZE),
3092     DEFINE_PROP_UINT64("max_io_size", SCSIDiskState, max_io_size,
3093                        DEFAULT_MAX_IO_SIZE),
3094     DEFINE_PROP_INT32("scsi_version", SCSIDiskState, qdev.default_scsi_version,
3095                       -1),
3096     DEFINE_PROP_UINT32("io_timeout", SCSIDiskState, qdev.io_timeout,
3097                        DEFAULT_IO_TIMEOUT),
3098     DEFINE_PROP_END_OF_LIST(),
3099 };
3100 
3101 static void scsi_block_class_initfn(ObjectClass *klass, void *data)
3102 {
3103     DeviceClass *dc = DEVICE_CLASS(klass);
3104     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
3105     SCSIDiskClass *sdc = SCSI_DISK_BASE_CLASS(klass);
3106 
3107     sc->realize      = scsi_block_realize;
3108     sc->alloc_req    = scsi_block_new_request;
3109     sc->parse_cdb    = scsi_block_parse_cdb;
3110     sdc->dma_readv   = scsi_block_dma_readv;
3111     sdc->dma_writev  = scsi_block_dma_writev;
3112     sdc->update_sense = scsi_block_update_sense;
3113     sdc->need_fua_emulation = scsi_block_no_fua;
3114     dc->desc = "SCSI block device passthrough";
3115     device_class_set_props(dc, scsi_block_properties);
3116     dc->vmsd  = &vmstate_scsi_disk_state;
3117 }
3118 
3119 static const TypeInfo scsi_block_info = {
3120     .name          = "scsi-block",
3121     .parent        = TYPE_SCSI_DISK_BASE,
3122     .class_init    = scsi_block_class_initfn,
3123 };
3124 #endif
3125 
3126 static Property scsi_disk_properties[] = {
3127     DEFINE_SCSI_DISK_PROPERTIES(),
3128     DEFINE_PROP_BIT("removable", SCSIDiskState, features,
3129                     SCSI_DISK_F_REMOVABLE, false),
3130     DEFINE_PROP_BIT("dpofua", SCSIDiskState, features,
3131                     SCSI_DISK_F_DPOFUA, false),
3132     DEFINE_PROP_UINT64("wwn", SCSIDiskState, qdev.wwn, 0),
3133     DEFINE_PROP_UINT64("port_wwn", SCSIDiskState, qdev.port_wwn, 0),
3134     DEFINE_PROP_UINT16("port_index", SCSIDiskState, port_index, 0),
3135     DEFINE_PROP_UINT64("max_unmap_size", SCSIDiskState, max_unmap_size,
3136                        DEFAULT_MAX_UNMAP_SIZE),
3137     DEFINE_PROP_UINT64("max_io_size", SCSIDiskState, max_io_size,
3138                        DEFAULT_MAX_IO_SIZE),
3139     DEFINE_PROP_INT32("scsi_version", SCSIDiskState, qdev.default_scsi_version,
3140                       5),
3141     DEFINE_PROP_END_OF_LIST(),
3142 };
3143 
3144 static void scsi_disk_class_initfn(ObjectClass *klass, void *data)
3145 {
3146     DeviceClass *dc = DEVICE_CLASS(klass);
3147     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
3148 
3149     sc->realize      = scsi_disk_realize;
3150     sc->alloc_req    = scsi_new_request;
3151     sc->unit_attention_reported = scsi_disk_unit_attention_reported;
3152     dc->fw_name = "disk";
3153     dc->desc = "virtual SCSI disk or CD-ROM (legacy)";
3154     dc->reset = scsi_disk_reset;
3155     device_class_set_props(dc, scsi_disk_properties);
3156     dc->vmsd  = &vmstate_scsi_disk_state;
3157 }
3158 
3159 static const TypeInfo scsi_disk_info = {
3160     .name          = "scsi-disk",
3161     .parent        = TYPE_SCSI_DISK_BASE,
3162     .class_init    = scsi_disk_class_initfn,
3163 };
3164 
3165 static void scsi_disk_register_types(void)
3166 {
3167     type_register_static(&scsi_disk_base_info);
3168     type_register_static(&scsi_hd_info);
3169     type_register_static(&scsi_cd_info);
3170 #ifdef __linux__
3171     type_register_static(&scsi_block_info);
3172 #endif
3173     type_register_static(&scsi_disk_info);
3174 }
3175 
3176 type_init(scsi_disk_register_types)
3177