xref: /openbmc/qemu/hw/scsi/scsi-disk.c (revision 0ec7b3e7)
1 /*
2  * SCSI Device emulation
3  *
4  * Copyright (c) 2006 CodeSourcery.
5  * Based on code by Fabrice Bellard
6  *
7  * Written by Paul Brook
8  * Modifications:
9  *  2009-Dec-12 Artyom Tarasenko : implemented stamdard inquiry for the case
10  *                                 when the allocation length of CDB is smaller
11  *                                 than 36.
12  *  2009-Oct-13 Artyom Tarasenko : implemented the block descriptor in the
13  *                                 MODE SENSE response.
14  *
15  * This code is licensed under the LGPL.
16  *
17  * Note that this file only handles the SCSI architecture model and device
18  * commands.  Emulation of interface/link layer protocols is handled by
19  * the host adapter emulator.
20  */
21 
22 //#define DEBUG_SCSI
23 
24 #ifdef DEBUG_SCSI
25 #define DPRINTF(fmt, ...) \
26 do { printf("scsi-disk: " fmt , ## __VA_ARGS__); } while (0)
27 #else
28 #define DPRINTF(fmt, ...) do {} while(0)
29 #endif
30 
31 #include "qemu/osdep.h"
32 #include "qapi/error.h"
33 #include "qemu/error-report.h"
34 #include "hw/scsi/scsi.h"
35 #include "block/scsi.h"
36 #include "sysemu/sysemu.h"
37 #include "sysemu/block-backend.h"
38 #include "sysemu/blockdev.h"
39 #include "hw/block/block.h"
40 #include "sysemu/dma.h"
41 #include "qemu/cutils.h"
42 
43 #ifdef __linux
44 #include <scsi/sg.h>
45 #endif
46 
47 #define SCSI_WRITE_SAME_MAX         524288
48 #define SCSI_DMA_BUF_SIZE           131072
49 #define SCSI_MAX_INQUIRY_LEN        256
50 #define SCSI_MAX_MODE_LEN           256
51 
52 #define DEFAULT_DISCARD_GRANULARITY 4096
53 #define DEFAULT_MAX_UNMAP_SIZE      (1 << 30)   /* 1 GB */
54 #define DEFAULT_MAX_IO_SIZE         INT_MAX     /* 2 GB - 1 block */
55 
56 #define TYPE_SCSI_DISK_BASE         "scsi-disk-base"
57 
58 #define SCSI_DISK_BASE(obj) \
59      OBJECT_CHECK(SCSIDiskState, (obj), TYPE_SCSI_DISK_BASE)
60 #define SCSI_DISK_BASE_CLASS(klass) \
61      OBJECT_CLASS_CHECK(SCSIDiskClass, (klass), TYPE_SCSI_DISK_BASE)
62 #define SCSI_DISK_BASE_GET_CLASS(obj) \
63      OBJECT_GET_CLASS(SCSIDiskClass, (obj), TYPE_SCSI_DISK_BASE)
64 
65 typedef struct SCSIDiskClass {
66     SCSIDeviceClass parent_class;
67     DMAIOFunc       *dma_readv;
68     DMAIOFunc       *dma_writev;
69     bool            (*need_fua_emulation)(SCSICommand *cmd);
70 } SCSIDiskClass;
71 
72 typedef struct SCSIDiskReq {
73     SCSIRequest req;
74     /* Both sector and sector_count are in terms of qemu 512 byte blocks.  */
75     uint64_t sector;
76     uint32_t sector_count;
77     uint32_t buflen;
78     bool started;
79     bool need_fua_emulation;
80     struct iovec iov;
81     QEMUIOVector qiov;
82     BlockAcctCookie acct;
83     unsigned char *status;
84 } SCSIDiskReq;
85 
86 #define SCSI_DISK_F_REMOVABLE             0
87 #define SCSI_DISK_F_DPOFUA                1
88 #define SCSI_DISK_F_NO_REMOVABLE_DEVOPS   2
89 
90 typedef struct SCSIDiskState
91 {
92     SCSIDevice qdev;
93     uint32_t features;
94     bool media_changed;
95     bool media_event;
96     bool eject_request;
97     uint16_t port_index;
98     uint64_t max_unmap_size;
99     uint64_t max_io_size;
100     QEMUBH *bh;
101     char *version;
102     char *serial;
103     char *vendor;
104     char *product;
105     bool tray_open;
106     bool tray_locked;
107 } SCSIDiskState;
108 
109 static int scsi_handle_rw_error(SCSIDiskReq *r, int error, bool acct_failed);
110 
111 static void scsi_free_request(SCSIRequest *req)
112 {
113     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
114 
115     qemu_vfree(r->iov.iov_base);
116 }
117 
118 /* Helper function for command completion with sense.  */
119 static void scsi_check_condition(SCSIDiskReq *r, SCSISense sense)
120 {
121     DPRINTF("Command complete tag=0x%x sense=%d/%d/%d\n",
122             r->req.tag, sense.key, sense.asc, sense.ascq);
123     scsi_req_build_sense(&r->req, sense);
124     scsi_req_complete(&r->req, CHECK_CONDITION);
125 }
126 
127 static void scsi_init_iovec(SCSIDiskReq *r, size_t size)
128 {
129     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
130 
131     if (!r->iov.iov_base) {
132         r->buflen = size;
133         r->iov.iov_base = blk_blockalign(s->qdev.conf.blk, r->buflen);
134     }
135     r->iov.iov_len = MIN(r->sector_count * 512, r->buflen);
136     qemu_iovec_init_external(&r->qiov, &r->iov, 1);
137 }
138 
139 static void scsi_disk_save_request(QEMUFile *f, SCSIRequest *req)
140 {
141     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
142 
143     qemu_put_be64s(f, &r->sector);
144     qemu_put_be32s(f, &r->sector_count);
145     qemu_put_be32s(f, &r->buflen);
146     if (r->buflen) {
147         if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
148             qemu_put_buffer(f, r->iov.iov_base, r->iov.iov_len);
149         } else if (!req->retry) {
150             uint32_t len = r->iov.iov_len;
151             qemu_put_be32s(f, &len);
152             qemu_put_buffer(f, r->iov.iov_base, r->iov.iov_len);
153         }
154     }
155 }
156 
157 static void scsi_disk_load_request(QEMUFile *f, SCSIRequest *req)
158 {
159     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
160 
161     qemu_get_be64s(f, &r->sector);
162     qemu_get_be32s(f, &r->sector_count);
163     qemu_get_be32s(f, &r->buflen);
164     if (r->buflen) {
165         scsi_init_iovec(r, r->buflen);
166         if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
167             qemu_get_buffer(f, r->iov.iov_base, r->iov.iov_len);
168         } else if (!r->req.retry) {
169             uint32_t len;
170             qemu_get_be32s(f, &len);
171             r->iov.iov_len = len;
172             assert(r->iov.iov_len <= r->buflen);
173             qemu_get_buffer(f, r->iov.iov_base, r->iov.iov_len);
174         }
175     }
176 
177     qemu_iovec_init_external(&r->qiov, &r->iov, 1);
178 }
179 
180 static bool scsi_disk_req_check_error(SCSIDiskReq *r, int ret, bool acct_failed)
181 {
182     if (r->req.io_canceled) {
183         scsi_req_cancel_complete(&r->req);
184         return true;
185     }
186 
187     if (ret < 0) {
188         return scsi_handle_rw_error(r, -ret, acct_failed);
189     }
190 
191     if (r->status && *r->status) {
192         if (acct_failed) {
193             SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
194             block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
195         }
196         scsi_req_complete(&r->req, *r->status);
197         return true;
198     }
199 
200     return false;
201 }
202 
203 static void scsi_aio_complete(void *opaque, int ret)
204 {
205     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
206     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
207 
208     assert(r->req.aiocb != NULL);
209     r->req.aiocb = NULL;
210     if (scsi_disk_req_check_error(r, ret, true)) {
211         goto done;
212     }
213 
214     block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
215     scsi_req_complete(&r->req, GOOD);
216 
217 done:
218     scsi_req_unref(&r->req);
219 }
220 
221 static bool scsi_is_cmd_fua(SCSICommand *cmd)
222 {
223     switch (cmd->buf[0]) {
224     case READ_10:
225     case READ_12:
226     case READ_16:
227     case WRITE_10:
228     case WRITE_12:
229     case WRITE_16:
230         return (cmd->buf[1] & 8) != 0;
231 
232     case VERIFY_10:
233     case VERIFY_12:
234     case VERIFY_16:
235     case WRITE_VERIFY_10:
236     case WRITE_VERIFY_12:
237     case WRITE_VERIFY_16:
238         return true;
239 
240     case READ_6:
241     case WRITE_6:
242     default:
243         return false;
244     }
245 }
246 
247 static void scsi_write_do_fua(SCSIDiskReq *r)
248 {
249     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
250 
251     assert(r->req.aiocb == NULL);
252     assert(!r->req.io_canceled);
253 
254     if (r->need_fua_emulation) {
255         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct, 0,
256                          BLOCK_ACCT_FLUSH);
257         r->req.aiocb = blk_aio_flush(s->qdev.conf.blk, scsi_aio_complete, r);
258         return;
259     }
260 
261     scsi_req_complete(&r->req, GOOD);
262     scsi_req_unref(&r->req);
263 }
264 
265 static void scsi_dma_complete_noio(SCSIDiskReq *r, int ret)
266 {
267     assert(r->req.aiocb == NULL);
268     if (scsi_disk_req_check_error(r, ret, false)) {
269         goto done;
270     }
271 
272     r->sector += r->sector_count;
273     r->sector_count = 0;
274     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
275         scsi_write_do_fua(r);
276         return;
277     } else {
278         scsi_req_complete(&r->req, GOOD);
279     }
280 
281 done:
282     scsi_req_unref(&r->req);
283 }
284 
285 static void scsi_dma_complete(void *opaque, int ret)
286 {
287     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
288     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
289 
290     assert(r->req.aiocb != NULL);
291     r->req.aiocb = NULL;
292 
293     if (ret < 0) {
294         block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
295     } else {
296         block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
297     }
298     scsi_dma_complete_noio(r, ret);
299 }
300 
301 static void scsi_read_complete(void * opaque, int ret)
302 {
303     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
304     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
305     int n;
306 
307     assert(r->req.aiocb != NULL);
308     r->req.aiocb = NULL;
309     if (scsi_disk_req_check_error(r, ret, true)) {
310         goto done;
311     }
312 
313     block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
314     DPRINTF("Data ready tag=0x%x len=%zd\n", r->req.tag, r->qiov.size);
315 
316     n = r->qiov.size / 512;
317     r->sector += n;
318     r->sector_count -= n;
319     scsi_req_data(&r->req, r->qiov.size);
320 
321 done:
322     scsi_req_unref(&r->req);
323 }
324 
325 /* Actually issue a read to the block device.  */
326 static void scsi_do_read(SCSIDiskReq *r, int ret)
327 {
328     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
329     SCSIDiskClass *sdc = (SCSIDiskClass *) object_get_class(OBJECT(s));
330 
331     assert (r->req.aiocb == NULL);
332     if (scsi_disk_req_check_error(r, ret, false)) {
333         goto done;
334     }
335 
336     /* The request is used as the AIO opaque value, so add a ref.  */
337     scsi_req_ref(&r->req);
338 
339     if (r->req.sg) {
340         dma_acct_start(s->qdev.conf.blk, &r->acct, r->req.sg, BLOCK_ACCT_READ);
341         r->req.resid -= r->req.sg->size;
342         r->req.aiocb = dma_blk_io(blk_get_aio_context(s->qdev.conf.blk),
343                                   r->req.sg, r->sector << BDRV_SECTOR_BITS,
344                                   BDRV_SECTOR_SIZE,
345                                   sdc->dma_readv, r, scsi_dma_complete, r,
346                                   DMA_DIRECTION_FROM_DEVICE);
347     } else {
348         scsi_init_iovec(r, SCSI_DMA_BUF_SIZE);
349         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
350                          r->qiov.size, BLOCK_ACCT_READ);
351         r->req.aiocb = sdc->dma_readv(r->sector << BDRV_SECTOR_BITS, &r->qiov,
352                                       scsi_read_complete, r, r);
353     }
354 
355 done:
356     scsi_req_unref(&r->req);
357 }
358 
359 static void scsi_do_read_cb(void *opaque, int ret)
360 {
361     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
362     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
363 
364     assert (r->req.aiocb != NULL);
365     r->req.aiocb = NULL;
366 
367     if (ret < 0) {
368         block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
369     } else {
370         block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
371     }
372     scsi_do_read(opaque, ret);
373 }
374 
375 /* Read more data from scsi device into buffer.  */
376 static void scsi_read_data(SCSIRequest *req)
377 {
378     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
379     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
380     bool first;
381 
382     DPRINTF("Read sector_count=%d\n", r->sector_count);
383     if (r->sector_count == 0) {
384         /* This also clears the sense buffer for REQUEST SENSE.  */
385         scsi_req_complete(&r->req, GOOD);
386         return;
387     }
388 
389     /* No data transfer may already be in progress */
390     assert(r->req.aiocb == NULL);
391 
392     /* The request is used as the AIO opaque value, so add a ref.  */
393     scsi_req_ref(&r->req);
394     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
395         DPRINTF("Data transfer direction invalid\n");
396         scsi_read_complete(r, -EINVAL);
397         return;
398     }
399 
400     if (!blk_is_available(req->dev->conf.blk)) {
401         scsi_read_complete(r, -ENOMEDIUM);
402         return;
403     }
404 
405     first = !r->started;
406     r->started = true;
407     if (first && r->need_fua_emulation) {
408         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct, 0,
409                          BLOCK_ACCT_FLUSH);
410         r->req.aiocb = blk_aio_flush(s->qdev.conf.blk, scsi_do_read_cb, r);
411     } else {
412         scsi_do_read(r, 0);
413     }
414 }
415 
416 /*
417  * scsi_handle_rw_error has two return values.  0 means that the error
418  * must be ignored, 1 means that the error has been processed and the
419  * caller should not do anything else for this request.  Note that
420  * scsi_handle_rw_error always manages its reference counts, independent
421  * of the return value.
422  */
423 static int scsi_handle_rw_error(SCSIDiskReq *r, int error, bool acct_failed)
424 {
425     bool is_read = (r->req.cmd.mode == SCSI_XFER_FROM_DEV);
426     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
427     BlockErrorAction action = blk_get_error_action(s->qdev.conf.blk,
428                                                    is_read, error);
429 
430     if (action == BLOCK_ERROR_ACTION_REPORT) {
431         if (acct_failed) {
432             block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
433         }
434         switch (error) {
435         case ENOMEDIUM:
436             scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
437             break;
438         case ENOMEM:
439             scsi_check_condition(r, SENSE_CODE(TARGET_FAILURE));
440             break;
441         case EINVAL:
442             scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
443             break;
444         case ENOSPC:
445             scsi_check_condition(r, SENSE_CODE(SPACE_ALLOC_FAILED));
446             break;
447         default:
448             scsi_check_condition(r, SENSE_CODE(IO_ERROR));
449             break;
450         }
451     }
452     blk_error_action(s->qdev.conf.blk, action, is_read, error);
453     if (action == BLOCK_ERROR_ACTION_STOP) {
454         scsi_req_retry(&r->req);
455     }
456     return action != BLOCK_ERROR_ACTION_IGNORE;
457 }
458 
459 static void scsi_write_complete_noio(SCSIDiskReq *r, int ret)
460 {
461     uint32_t n;
462 
463     assert (r->req.aiocb == NULL);
464     if (scsi_disk_req_check_error(r, ret, false)) {
465         goto done;
466     }
467 
468     n = r->qiov.size / 512;
469     r->sector += n;
470     r->sector_count -= n;
471     if (r->sector_count == 0) {
472         scsi_write_do_fua(r);
473         return;
474     } else {
475         scsi_init_iovec(r, SCSI_DMA_BUF_SIZE);
476         DPRINTF("Write complete tag=0x%x more=%zd\n", r->req.tag, r->qiov.size);
477         scsi_req_data(&r->req, r->qiov.size);
478     }
479 
480 done:
481     scsi_req_unref(&r->req);
482 }
483 
484 static void scsi_write_complete(void * opaque, int ret)
485 {
486     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
487     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
488 
489     assert (r->req.aiocb != NULL);
490     r->req.aiocb = NULL;
491 
492     if (ret < 0) {
493         block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
494     } else {
495         block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
496     }
497     scsi_write_complete_noio(r, ret);
498 }
499 
500 static void scsi_write_data(SCSIRequest *req)
501 {
502     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
503     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
504     SCSIDiskClass *sdc = (SCSIDiskClass *) object_get_class(OBJECT(s));
505 
506     /* No data transfer may already be in progress */
507     assert(r->req.aiocb == NULL);
508 
509     /* The request is used as the AIO opaque value, so add a ref.  */
510     scsi_req_ref(&r->req);
511     if (r->req.cmd.mode != SCSI_XFER_TO_DEV) {
512         DPRINTF("Data transfer direction invalid\n");
513         scsi_write_complete_noio(r, -EINVAL);
514         return;
515     }
516 
517     if (!r->req.sg && !r->qiov.size) {
518         /* Called for the first time.  Ask the driver to send us more data.  */
519         r->started = true;
520         scsi_write_complete_noio(r, 0);
521         return;
522     }
523     if (!blk_is_available(req->dev->conf.blk)) {
524         scsi_write_complete_noio(r, -ENOMEDIUM);
525         return;
526     }
527 
528     if (r->req.cmd.buf[0] == VERIFY_10 || r->req.cmd.buf[0] == VERIFY_12 ||
529         r->req.cmd.buf[0] == VERIFY_16) {
530         if (r->req.sg) {
531             scsi_dma_complete_noio(r, 0);
532         } else {
533             scsi_write_complete_noio(r, 0);
534         }
535         return;
536     }
537 
538     if (r->req.sg) {
539         dma_acct_start(s->qdev.conf.blk, &r->acct, r->req.sg, BLOCK_ACCT_WRITE);
540         r->req.resid -= r->req.sg->size;
541         r->req.aiocb = dma_blk_io(blk_get_aio_context(s->qdev.conf.blk),
542                                   r->req.sg, r->sector << BDRV_SECTOR_BITS,
543                                   BDRV_SECTOR_SIZE,
544                                   sdc->dma_writev, r, scsi_dma_complete, r,
545                                   DMA_DIRECTION_TO_DEVICE);
546     } else {
547         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
548                          r->qiov.size, BLOCK_ACCT_WRITE);
549         r->req.aiocb = sdc->dma_writev(r->sector << BDRV_SECTOR_BITS, &r->qiov,
550                                        scsi_write_complete, r, r);
551     }
552 }
553 
554 /* Return a pointer to the data buffer.  */
555 static uint8_t *scsi_get_buf(SCSIRequest *req)
556 {
557     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
558 
559     return (uint8_t *)r->iov.iov_base;
560 }
561 
562 static int scsi_disk_emulate_inquiry(SCSIRequest *req, uint8_t *outbuf)
563 {
564     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
565     int buflen = 0;
566     int start;
567 
568     if (req->cmd.buf[1] & 0x1) {
569         /* Vital product data */
570         uint8_t page_code = req->cmd.buf[2];
571 
572         outbuf[buflen++] = s->qdev.type & 0x1f;
573         outbuf[buflen++] = page_code ; // this page
574         outbuf[buflen++] = 0x00;
575         outbuf[buflen++] = 0x00;
576         start = buflen;
577 
578         switch (page_code) {
579         case 0x00: /* Supported page codes, mandatory */
580         {
581             DPRINTF("Inquiry EVPD[Supported pages] "
582                     "buffer size %zd\n", req->cmd.xfer);
583             outbuf[buflen++] = 0x00; // list of supported pages (this page)
584             if (s->serial) {
585                 outbuf[buflen++] = 0x80; // unit serial number
586             }
587             outbuf[buflen++] = 0x83; // device identification
588             if (s->qdev.type == TYPE_DISK) {
589                 outbuf[buflen++] = 0xb0; // block limits
590                 outbuf[buflen++] = 0xb2; // thin provisioning
591             }
592             break;
593         }
594         case 0x80: /* Device serial number, optional */
595         {
596             int l;
597 
598             if (!s->serial) {
599                 DPRINTF("Inquiry (EVPD[Serial number] not supported\n");
600                 return -1;
601             }
602 
603             l = strlen(s->serial);
604             if (l > 36) {
605                 l = 36;
606             }
607 
608             DPRINTF("Inquiry EVPD[Serial number] "
609                     "buffer size %zd\n", req->cmd.xfer);
610             memcpy(outbuf+buflen, s->serial, l);
611             buflen += l;
612             break;
613         }
614 
615         case 0x83: /* Device identification page, mandatory */
616         {
617             const char *str = s->serial ?: blk_name(s->qdev.conf.blk);
618             int max_len = s->serial ? 20 : 255 - 8;
619             int id_len = strlen(str);
620 
621             if (id_len > max_len) {
622                 id_len = max_len;
623             }
624             DPRINTF("Inquiry EVPD[Device identification] "
625                     "buffer size %zd\n", req->cmd.xfer);
626 
627             outbuf[buflen++] = 0x2; // ASCII
628             outbuf[buflen++] = 0;   // not officially assigned
629             outbuf[buflen++] = 0;   // reserved
630             outbuf[buflen++] = id_len; // length of data following
631             memcpy(outbuf+buflen, str, id_len);
632             buflen += id_len;
633 
634             if (s->qdev.wwn) {
635                 outbuf[buflen++] = 0x1; // Binary
636                 outbuf[buflen++] = 0x3; // NAA
637                 outbuf[buflen++] = 0;   // reserved
638                 outbuf[buflen++] = 8;
639                 stq_be_p(&outbuf[buflen], s->qdev.wwn);
640                 buflen += 8;
641             }
642 
643             if (s->qdev.port_wwn) {
644                 outbuf[buflen++] = 0x61; // SAS / Binary
645                 outbuf[buflen++] = 0x93; // PIV / Target port / NAA
646                 outbuf[buflen++] = 0;    // reserved
647                 outbuf[buflen++] = 8;
648                 stq_be_p(&outbuf[buflen], s->qdev.port_wwn);
649                 buflen += 8;
650             }
651 
652             if (s->port_index) {
653                 outbuf[buflen++] = 0x61; // SAS / Binary
654                 outbuf[buflen++] = 0x94; // PIV / Target port / relative target port
655                 outbuf[buflen++] = 0;    // reserved
656                 outbuf[buflen++] = 4;
657                 stw_be_p(&outbuf[buflen + 2], s->port_index);
658                 buflen += 4;
659             }
660             break;
661         }
662         case 0xb0: /* block limits */
663         {
664             unsigned int unmap_sectors =
665                     s->qdev.conf.discard_granularity / s->qdev.blocksize;
666             unsigned int min_io_size =
667                     s->qdev.conf.min_io_size / s->qdev.blocksize;
668             unsigned int opt_io_size =
669                     s->qdev.conf.opt_io_size / s->qdev.blocksize;
670             unsigned int max_unmap_sectors =
671                     s->max_unmap_size / s->qdev.blocksize;
672             unsigned int max_io_sectors =
673                     s->max_io_size / s->qdev.blocksize;
674 
675             if (s->qdev.type == TYPE_ROM) {
676                 DPRINTF("Inquiry (EVPD[%02X] not supported for CDROM\n",
677                         page_code);
678                 return -1;
679             }
680             /* required VPD size with unmap support */
681             buflen = 0x40;
682             memset(outbuf + 4, 0, buflen - 4);
683 
684             outbuf[4] = 0x1; /* wsnz */
685 
686             /* optimal transfer length granularity */
687             outbuf[6] = (min_io_size >> 8) & 0xff;
688             outbuf[7] = min_io_size & 0xff;
689 
690             /* maximum transfer length */
691             outbuf[8] = (max_io_sectors >> 24) & 0xff;
692             outbuf[9] = (max_io_sectors >> 16) & 0xff;
693             outbuf[10] = (max_io_sectors >> 8) & 0xff;
694             outbuf[11] = max_io_sectors & 0xff;
695 
696             /* optimal transfer length */
697             outbuf[12] = (opt_io_size >> 24) & 0xff;
698             outbuf[13] = (opt_io_size >> 16) & 0xff;
699             outbuf[14] = (opt_io_size >> 8) & 0xff;
700             outbuf[15] = opt_io_size & 0xff;
701 
702             /* max unmap LBA count, default is 1GB */
703             outbuf[20] = (max_unmap_sectors >> 24) & 0xff;
704             outbuf[21] = (max_unmap_sectors >> 16) & 0xff;
705             outbuf[22] = (max_unmap_sectors >> 8) & 0xff;
706             outbuf[23] = max_unmap_sectors & 0xff;
707 
708             /* max unmap descriptors, 255 fit in 4 kb with an 8-byte header.  */
709             outbuf[24] = 0;
710             outbuf[25] = 0;
711             outbuf[26] = 0;
712             outbuf[27] = 255;
713 
714             /* optimal unmap granularity */
715             outbuf[28] = (unmap_sectors >> 24) & 0xff;
716             outbuf[29] = (unmap_sectors >> 16) & 0xff;
717             outbuf[30] = (unmap_sectors >> 8) & 0xff;
718             outbuf[31] = unmap_sectors & 0xff;
719 
720             /* max write same size */
721             outbuf[36] = 0;
722             outbuf[37] = 0;
723             outbuf[38] = 0;
724             outbuf[39] = 0;
725 
726             outbuf[40] = (max_io_sectors >> 24) & 0xff;
727             outbuf[41] = (max_io_sectors >> 16) & 0xff;
728             outbuf[42] = (max_io_sectors >> 8) & 0xff;
729             outbuf[43] = max_io_sectors & 0xff;
730             break;
731         }
732         case 0xb2: /* thin provisioning */
733         {
734             buflen = 8;
735             outbuf[4] = 0;
736             outbuf[5] = 0xe0; /* unmap & write_same 10/16 all supported */
737             outbuf[6] = s->qdev.conf.discard_granularity ? 2 : 1;
738             outbuf[7] = 0;
739             break;
740         }
741         default:
742             return -1;
743         }
744         /* done with EVPD */
745         assert(buflen - start <= 255);
746         outbuf[start - 1] = buflen - start;
747         return buflen;
748     }
749 
750     /* Standard INQUIRY data */
751     if (req->cmd.buf[2] != 0) {
752         return -1;
753     }
754 
755     /* PAGE CODE == 0 */
756     buflen = req->cmd.xfer;
757     if (buflen > SCSI_MAX_INQUIRY_LEN) {
758         buflen = SCSI_MAX_INQUIRY_LEN;
759     }
760 
761     outbuf[0] = s->qdev.type & 0x1f;
762     outbuf[1] = (s->features & (1 << SCSI_DISK_F_REMOVABLE)) ? 0x80 : 0;
763 
764     strpadcpy((char *) &outbuf[16], 16, s->product, ' ');
765     strpadcpy((char *) &outbuf[8], 8, s->vendor, ' ');
766 
767     memset(&outbuf[32], 0, 4);
768     memcpy(&outbuf[32], s->version, MIN(4, strlen(s->version)));
769     /*
770      * We claim conformance to SPC-3, which is required for guests
771      * to ask for modern features like READ CAPACITY(16) or the
772      * block characteristics VPD page by default.  Not all of SPC-3
773      * is actually implemented, but we're good enough.
774      */
775     outbuf[2] = 5;
776     outbuf[3] = 2 | 0x10; /* Format 2, HiSup */
777 
778     if (buflen > 36) {
779         outbuf[4] = buflen - 5; /* Additional Length = (Len - 1) - 4 */
780     } else {
781         /* If the allocation length of CDB is too small,
782                the additional length is not adjusted */
783         outbuf[4] = 36 - 5;
784     }
785 
786     /* Sync data transfer and TCQ.  */
787     outbuf[7] = 0x10 | (req->bus->info->tcq ? 0x02 : 0);
788     return buflen;
789 }
790 
791 static inline bool media_is_dvd(SCSIDiskState *s)
792 {
793     uint64_t nb_sectors;
794     if (s->qdev.type != TYPE_ROM) {
795         return false;
796     }
797     if (!blk_is_available(s->qdev.conf.blk)) {
798         return false;
799     }
800     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
801     return nb_sectors > CD_MAX_SECTORS;
802 }
803 
804 static inline bool media_is_cd(SCSIDiskState *s)
805 {
806     uint64_t nb_sectors;
807     if (s->qdev.type != TYPE_ROM) {
808         return false;
809     }
810     if (!blk_is_available(s->qdev.conf.blk)) {
811         return false;
812     }
813     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
814     return nb_sectors <= CD_MAX_SECTORS;
815 }
816 
817 static int scsi_read_disc_information(SCSIDiskState *s, SCSIDiskReq *r,
818                                       uint8_t *outbuf)
819 {
820     uint8_t type = r->req.cmd.buf[1] & 7;
821 
822     if (s->qdev.type != TYPE_ROM) {
823         return -1;
824     }
825 
826     /* Types 1/2 are only defined for Blu-Ray.  */
827     if (type != 0) {
828         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
829         return -1;
830     }
831 
832     memset(outbuf, 0, 34);
833     outbuf[1] = 32;
834     outbuf[2] = 0xe; /* last session complete, disc finalized */
835     outbuf[3] = 1;   /* first track on disc */
836     outbuf[4] = 1;   /* # of sessions */
837     outbuf[5] = 1;   /* first track of last session */
838     outbuf[6] = 1;   /* last track of last session */
839     outbuf[7] = 0x20; /* unrestricted use */
840     outbuf[8] = 0x00; /* CD-ROM or DVD-ROM */
841     /* 9-10-11: most significant byte corresponding bytes 4-5-6 */
842     /* 12-23: not meaningful for CD-ROM or DVD-ROM */
843     /* 24-31: disc bar code */
844     /* 32: disc application code */
845     /* 33: number of OPC tables */
846 
847     return 34;
848 }
849 
850 static int scsi_read_dvd_structure(SCSIDiskState *s, SCSIDiskReq *r,
851                                    uint8_t *outbuf)
852 {
853     static const int rds_caps_size[5] = {
854         [0] = 2048 + 4,
855         [1] = 4 + 4,
856         [3] = 188 + 4,
857         [4] = 2048 + 4,
858     };
859 
860     uint8_t media = r->req.cmd.buf[1];
861     uint8_t layer = r->req.cmd.buf[6];
862     uint8_t format = r->req.cmd.buf[7];
863     int size = -1;
864 
865     if (s->qdev.type != TYPE_ROM) {
866         return -1;
867     }
868     if (media != 0) {
869         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
870         return -1;
871     }
872 
873     if (format != 0xff) {
874         if (!blk_is_available(s->qdev.conf.blk)) {
875             scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
876             return -1;
877         }
878         if (media_is_cd(s)) {
879             scsi_check_condition(r, SENSE_CODE(INCOMPATIBLE_FORMAT));
880             return -1;
881         }
882         if (format >= ARRAY_SIZE(rds_caps_size)) {
883             return -1;
884         }
885         size = rds_caps_size[format];
886         memset(outbuf, 0, size);
887     }
888 
889     switch (format) {
890     case 0x00: {
891         /* Physical format information */
892         uint64_t nb_sectors;
893         if (layer != 0) {
894             goto fail;
895         }
896         blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
897 
898         outbuf[4] = 1;   /* DVD-ROM, part version 1 */
899         outbuf[5] = 0xf; /* 120mm disc, minimum rate unspecified */
900         outbuf[6] = 1;   /* one layer, read-only (per MMC-2 spec) */
901         outbuf[7] = 0;   /* default densities */
902 
903         stl_be_p(&outbuf[12], (nb_sectors >> 2) - 1); /* end sector */
904         stl_be_p(&outbuf[16], (nb_sectors >> 2) - 1); /* l0 end sector */
905         break;
906     }
907 
908     case 0x01: /* DVD copyright information, all zeros */
909         break;
910 
911     case 0x03: /* BCA information - invalid field for no BCA info */
912         return -1;
913 
914     case 0x04: /* DVD disc manufacturing information, all zeros */
915         break;
916 
917     case 0xff: { /* List capabilities */
918         int i;
919         size = 4;
920         for (i = 0; i < ARRAY_SIZE(rds_caps_size); i++) {
921             if (!rds_caps_size[i]) {
922                 continue;
923             }
924             outbuf[size] = i;
925             outbuf[size + 1] = 0x40; /* Not writable, readable */
926             stw_be_p(&outbuf[size + 2], rds_caps_size[i]);
927             size += 4;
928         }
929         break;
930      }
931 
932     default:
933         return -1;
934     }
935 
936     /* Size of buffer, not including 2 byte size field */
937     stw_be_p(outbuf, size - 2);
938     return size;
939 
940 fail:
941     return -1;
942 }
943 
944 static int scsi_event_status_media(SCSIDiskState *s, uint8_t *outbuf)
945 {
946     uint8_t event_code, media_status;
947 
948     media_status = 0;
949     if (s->tray_open) {
950         media_status = MS_TRAY_OPEN;
951     } else if (blk_is_inserted(s->qdev.conf.blk)) {
952         media_status = MS_MEDIA_PRESENT;
953     }
954 
955     /* Event notification descriptor */
956     event_code = MEC_NO_CHANGE;
957     if (media_status != MS_TRAY_OPEN) {
958         if (s->media_event) {
959             event_code = MEC_NEW_MEDIA;
960             s->media_event = false;
961         } else if (s->eject_request) {
962             event_code = MEC_EJECT_REQUESTED;
963             s->eject_request = false;
964         }
965     }
966 
967     outbuf[0] = event_code;
968     outbuf[1] = media_status;
969 
970     /* These fields are reserved, just clear them. */
971     outbuf[2] = 0;
972     outbuf[3] = 0;
973     return 4;
974 }
975 
976 static int scsi_get_event_status_notification(SCSIDiskState *s, SCSIDiskReq *r,
977                                               uint8_t *outbuf)
978 {
979     int size;
980     uint8_t *buf = r->req.cmd.buf;
981     uint8_t notification_class_request = buf[4];
982     if (s->qdev.type != TYPE_ROM) {
983         return -1;
984     }
985     if ((buf[1] & 1) == 0) {
986         /* asynchronous */
987         return -1;
988     }
989 
990     size = 4;
991     outbuf[0] = outbuf[1] = 0;
992     outbuf[3] = 1 << GESN_MEDIA; /* supported events */
993     if (notification_class_request & (1 << GESN_MEDIA)) {
994         outbuf[2] = GESN_MEDIA;
995         size += scsi_event_status_media(s, &outbuf[size]);
996     } else {
997         outbuf[2] = 0x80;
998     }
999     stw_be_p(outbuf, size - 4);
1000     return size;
1001 }
1002 
1003 static int scsi_get_configuration(SCSIDiskState *s, uint8_t *outbuf)
1004 {
1005     int current;
1006 
1007     if (s->qdev.type != TYPE_ROM) {
1008         return -1;
1009     }
1010 
1011     if (media_is_dvd(s)) {
1012         current = MMC_PROFILE_DVD_ROM;
1013     } else if (media_is_cd(s)) {
1014         current = MMC_PROFILE_CD_ROM;
1015     } else {
1016         current = MMC_PROFILE_NONE;
1017     }
1018 
1019     memset(outbuf, 0, 40);
1020     stl_be_p(&outbuf[0], 36); /* Bytes after the data length field */
1021     stw_be_p(&outbuf[6], current);
1022     /* outbuf[8] - outbuf[19]: Feature 0 - Profile list */
1023     outbuf[10] = 0x03; /* persistent, current */
1024     outbuf[11] = 8; /* two profiles */
1025     stw_be_p(&outbuf[12], MMC_PROFILE_DVD_ROM);
1026     outbuf[14] = (current == MMC_PROFILE_DVD_ROM);
1027     stw_be_p(&outbuf[16], MMC_PROFILE_CD_ROM);
1028     outbuf[18] = (current == MMC_PROFILE_CD_ROM);
1029     /* outbuf[20] - outbuf[31]: Feature 1 - Core feature */
1030     stw_be_p(&outbuf[20], 1);
1031     outbuf[22] = 0x08 | 0x03; /* version 2, persistent, current */
1032     outbuf[23] = 8;
1033     stl_be_p(&outbuf[24], 1); /* SCSI */
1034     outbuf[28] = 1; /* DBE = 1, mandatory */
1035     /* outbuf[32] - outbuf[39]: Feature 3 - Removable media feature */
1036     stw_be_p(&outbuf[32], 3);
1037     outbuf[34] = 0x08 | 0x03; /* version 2, persistent, current */
1038     outbuf[35] = 4;
1039     outbuf[36] = 0x39; /* tray, load=1, eject=1, unlocked at powerup, lock=1 */
1040     /* TODO: Random readable, CD read, DVD read, drive serial number,
1041        power management */
1042     return 40;
1043 }
1044 
1045 static int scsi_emulate_mechanism_status(SCSIDiskState *s, uint8_t *outbuf)
1046 {
1047     if (s->qdev.type != TYPE_ROM) {
1048         return -1;
1049     }
1050     memset(outbuf, 0, 8);
1051     outbuf[5] = 1; /* CD-ROM */
1052     return 8;
1053 }
1054 
1055 static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf,
1056                            int page_control)
1057 {
1058     static const int mode_sense_valid[0x3f] = {
1059         [MODE_PAGE_HD_GEOMETRY]            = (1 << TYPE_DISK),
1060         [MODE_PAGE_FLEXIBLE_DISK_GEOMETRY] = (1 << TYPE_DISK),
1061         [MODE_PAGE_CACHING]                = (1 << TYPE_DISK) | (1 << TYPE_ROM),
1062         [MODE_PAGE_R_W_ERROR]              = (1 << TYPE_DISK) | (1 << TYPE_ROM),
1063         [MODE_PAGE_AUDIO_CTL]              = (1 << TYPE_ROM),
1064         [MODE_PAGE_CAPABILITIES]           = (1 << TYPE_ROM),
1065     };
1066 
1067     uint8_t *p = *p_outbuf + 2;
1068     int length;
1069 
1070     if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) {
1071         return -1;
1072     }
1073 
1074     /*
1075      * If Changeable Values are requested, a mask denoting those mode parameters
1076      * that are changeable shall be returned. As we currently don't support
1077      * parameter changes via MODE_SELECT all bits are returned set to zero.
1078      * The buffer was already menset to zero by the caller of this function.
1079      *
1080      * The offsets here are off by two compared to the descriptions in the
1081      * SCSI specs, because those include a 2-byte header.  This is unfortunate,
1082      * but it is done so that offsets are consistent within our implementation
1083      * of MODE SENSE and MODE SELECT.  MODE SELECT has to deal with both
1084      * 2-byte and 4-byte headers.
1085      */
1086     switch (page) {
1087     case MODE_PAGE_HD_GEOMETRY:
1088         length = 0x16;
1089         if (page_control == 1) { /* Changeable Values */
1090             break;
1091         }
1092         /* if a geometry hint is available, use it */
1093         p[0] = (s->qdev.conf.cyls >> 16) & 0xff;
1094         p[1] = (s->qdev.conf.cyls >> 8) & 0xff;
1095         p[2] = s->qdev.conf.cyls & 0xff;
1096         p[3] = s->qdev.conf.heads & 0xff;
1097         /* Write precomp start cylinder, disabled */
1098         p[4] = (s->qdev.conf.cyls >> 16) & 0xff;
1099         p[5] = (s->qdev.conf.cyls >> 8) & 0xff;
1100         p[6] = s->qdev.conf.cyls & 0xff;
1101         /* Reduced current start cylinder, disabled */
1102         p[7] = (s->qdev.conf.cyls >> 16) & 0xff;
1103         p[8] = (s->qdev.conf.cyls >> 8) & 0xff;
1104         p[9] = s->qdev.conf.cyls & 0xff;
1105         /* Device step rate [ns], 200ns */
1106         p[10] = 0;
1107         p[11] = 200;
1108         /* Landing zone cylinder */
1109         p[12] = 0xff;
1110         p[13] =  0xff;
1111         p[14] = 0xff;
1112         /* Medium rotation rate [rpm], 5400 rpm */
1113         p[18] = (5400 >> 8) & 0xff;
1114         p[19] = 5400 & 0xff;
1115         break;
1116 
1117     case MODE_PAGE_FLEXIBLE_DISK_GEOMETRY:
1118         length = 0x1e;
1119         if (page_control == 1) { /* Changeable Values */
1120             break;
1121         }
1122         /* Transfer rate [kbit/s], 5Mbit/s */
1123         p[0] = 5000 >> 8;
1124         p[1] = 5000 & 0xff;
1125         /* if a geometry hint is available, use it */
1126         p[2] = s->qdev.conf.heads & 0xff;
1127         p[3] = s->qdev.conf.secs & 0xff;
1128         p[4] = s->qdev.blocksize >> 8;
1129         p[6] = (s->qdev.conf.cyls >> 8) & 0xff;
1130         p[7] = s->qdev.conf.cyls & 0xff;
1131         /* Write precomp start cylinder, disabled */
1132         p[8] = (s->qdev.conf.cyls >> 8) & 0xff;
1133         p[9] = s->qdev.conf.cyls & 0xff;
1134         /* Reduced current start cylinder, disabled */
1135         p[10] = (s->qdev.conf.cyls >> 8) & 0xff;
1136         p[11] = s->qdev.conf.cyls & 0xff;
1137         /* Device step rate [100us], 100us */
1138         p[12] = 0;
1139         p[13] = 1;
1140         /* Device step pulse width [us], 1us */
1141         p[14] = 1;
1142         /* Device head settle delay [100us], 100us */
1143         p[15] = 0;
1144         p[16] = 1;
1145         /* Motor on delay [0.1s], 0.1s */
1146         p[17] = 1;
1147         /* Motor off delay [0.1s], 0.1s */
1148         p[18] = 1;
1149         /* Medium rotation rate [rpm], 5400 rpm */
1150         p[26] = (5400 >> 8) & 0xff;
1151         p[27] = 5400 & 0xff;
1152         break;
1153 
1154     case MODE_PAGE_CACHING:
1155         length = 0x12;
1156         if (page_control == 1 || /* Changeable Values */
1157             blk_enable_write_cache(s->qdev.conf.blk)) {
1158             p[0] = 4; /* WCE */
1159         }
1160         break;
1161 
1162     case MODE_PAGE_R_W_ERROR:
1163         length = 10;
1164         if (page_control == 1) { /* Changeable Values */
1165             break;
1166         }
1167         p[0] = 0x80; /* Automatic Write Reallocation Enabled */
1168         if (s->qdev.type == TYPE_ROM) {
1169             p[1] = 0x20; /* Read Retry Count */
1170         }
1171         break;
1172 
1173     case MODE_PAGE_AUDIO_CTL:
1174         length = 14;
1175         break;
1176 
1177     case MODE_PAGE_CAPABILITIES:
1178         length = 0x14;
1179         if (page_control == 1) { /* Changeable Values */
1180             break;
1181         }
1182 
1183         p[0] = 0x3b; /* CD-R & CD-RW read */
1184         p[1] = 0; /* Writing not supported */
1185         p[2] = 0x7f; /* Audio, composite, digital out,
1186                         mode 2 form 1&2, multi session */
1187         p[3] = 0xff; /* CD DA, DA accurate, RW supported,
1188                         RW corrected, C2 errors, ISRC,
1189                         UPC, Bar code */
1190         p[4] = 0x2d | (s->tray_locked ? 2 : 0);
1191         /* Locking supported, jumper present, eject, tray */
1192         p[5] = 0; /* no volume & mute control, no
1193                      changer */
1194         p[6] = (50 * 176) >> 8; /* 50x read speed */
1195         p[7] = (50 * 176) & 0xff;
1196         p[8] = 2 >> 8; /* Two volume levels */
1197         p[9] = 2 & 0xff;
1198         p[10] = 2048 >> 8; /* 2M buffer */
1199         p[11] = 2048 & 0xff;
1200         p[12] = (16 * 176) >> 8; /* 16x read speed current */
1201         p[13] = (16 * 176) & 0xff;
1202         p[16] = (16 * 176) >> 8; /* 16x write speed */
1203         p[17] = (16 * 176) & 0xff;
1204         p[18] = (16 * 176) >> 8; /* 16x write speed current */
1205         p[19] = (16 * 176) & 0xff;
1206         break;
1207 
1208     default:
1209         return -1;
1210     }
1211 
1212     assert(length < 256);
1213     (*p_outbuf)[0] = page;
1214     (*p_outbuf)[1] = length;
1215     *p_outbuf += length + 2;
1216     return length + 2;
1217 }
1218 
1219 static int scsi_disk_emulate_mode_sense(SCSIDiskReq *r, uint8_t *outbuf)
1220 {
1221     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1222     uint64_t nb_sectors;
1223     bool dbd;
1224     int page, buflen, ret, page_control;
1225     uint8_t *p;
1226     uint8_t dev_specific_param;
1227 
1228     dbd = (r->req.cmd.buf[1] & 0x8) != 0;
1229     page = r->req.cmd.buf[2] & 0x3f;
1230     page_control = (r->req.cmd.buf[2] & 0xc0) >> 6;
1231     DPRINTF("Mode Sense(%d) (page %d, xfer %zd, page_control %d)\n",
1232         (r->req.cmd.buf[0] == MODE_SENSE) ? 6 : 10, page, r->req.cmd.xfer, page_control);
1233     memset(outbuf, 0, r->req.cmd.xfer);
1234     p = outbuf;
1235 
1236     if (s->qdev.type == TYPE_DISK) {
1237         dev_specific_param = s->features & (1 << SCSI_DISK_F_DPOFUA) ? 0x10 : 0;
1238         if (blk_is_read_only(s->qdev.conf.blk)) {
1239             dev_specific_param |= 0x80; /* Readonly.  */
1240         }
1241     } else {
1242         /* MMC prescribes that CD/DVD drives have no block descriptors,
1243          * and defines no device-specific parameter.  */
1244         dev_specific_param = 0x00;
1245         dbd = true;
1246     }
1247 
1248     if (r->req.cmd.buf[0] == MODE_SENSE) {
1249         p[1] = 0; /* Default media type.  */
1250         p[2] = dev_specific_param;
1251         p[3] = 0; /* Block descriptor length.  */
1252         p += 4;
1253     } else { /* MODE_SENSE_10 */
1254         p[2] = 0; /* Default media type.  */
1255         p[3] = dev_specific_param;
1256         p[6] = p[7] = 0; /* Block descriptor length.  */
1257         p += 8;
1258     }
1259 
1260     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
1261     if (!dbd && nb_sectors) {
1262         if (r->req.cmd.buf[0] == MODE_SENSE) {
1263             outbuf[3] = 8; /* Block descriptor length  */
1264         } else { /* MODE_SENSE_10 */
1265             outbuf[7] = 8; /* Block descriptor length  */
1266         }
1267         nb_sectors /= (s->qdev.blocksize / 512);
1268         if (nb_sectors > 0xffffff) {
1269             nb_sectors = 0;
1270         }
1271         p[0] = 0; /* media density code */
1272         p[1] = (nb_sectors >> 16) & 0xff;
1273         p[2] = (nb_sectors >> 8) & 0xff;
1274         p[3] = nb_sectors & 0xff;
1275         p[4] = 0; /* reserved */
1276         p[5] = 0; /* bytes 5-7 are the sector size in bytes */
1277         p[6] = s->qdev.blocksize >> 8;
1278         p[7] = 0;
1279         p += 8;
1280     }
1281 
1282     if (page_control == 3) {
1283         /* Saved Values */
1284         scsi_check_condition(r, SENSE_CODE(SAVING_PARAMS_NOT_SUPPORTED));
1285         return -1;
1286     }
1287 
1288     if (page == 0x3f) {
1289         for (page = 0; page <= 0x3e; page++) {
1290             mode_sense_page(s, page, &p, page_control);
1291         }
1292     } else {
1293         ret = mode_sense_page(s, page, &p, page_control);
1294         if (ret == -1) {
1295             return -1;
1296         }
1297     }
1298 
1299     buflen = p - outbuf;
1300     /*
1301      * The mode data length field specifies the length in bytes of the
1302      * following data that is available to be transferred. The mode data
1303      * length does not include itself.
1304      */
1305     if (r->req.cmd.buf[0] == MODE_SENSE) {
1306         outbuf[0] = buflen - 1;
1307     } else { /* MODE_SENSE_10 */
1308         outbuf[0] = ((buflen - 2) >> 8) & 0xff;
1309         outbuf[1] = (buflen - 2) & 0xff;
1310     }
1311     return buflen;
1312 }
1313 
1314 static int scsi_disk_emulate_read_toc(SCSIRequest *req, uint8_t *outbuf)
1315 {
1316     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1317     int start_track, format, msf, toclen;
1318     uint64_t nb_sectors;
1319 
1320     msf = req->cmd.buf[1] & 2;
1321     format = req->cmd.buf[2] & 0xf;
1322     start_track = req->cmd.buf[6];
1323     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
1324     DPRINTF("Read TOC (track %d format %d msf %d)\n", start_track, format, msf >> 1);
1325     nb_sectors /= s->qdev.blocksize / 512;
1326     switch (format) {
1327     case 0:
1328         toclen = cdrom_read_toc(nb_sectors, outbuf, msf, start_track);
1329         break;
1330     case 1:
1331         /* multi session : only a single session defined */
1332         toclen = 12;
1333         memset(outbuf, 0, 12);
1334         outbuf[1] = 0x0a;
1335         outbuf[2] = 0x01;
1336         outbuf[3] = 0x01;
1337         break;
1338     case 2:
1339         toclen = cdrom_read_toc_raw(nb_sectors, outbuf, msf, start_track);
1340         break;
1341     default:
1342         return -1;
1343     }
1344     return toclen;
1345 }
1346 
1347 static int scsi_disk_emulate_start_stop(SCSIDiskReq *r)
1348 {
1349     SCSIRequest *req = &r->req;
1350     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1351     bool start = req->cmd.buf[4] & 1;
1352     bool loej = req->cmd.buf[4] & 2; /* load on start, eject on !start */
1353     int pwrcnd = req->cmd.buf[4] & 0xf0;
1354 
1355     if (pwrcnd) {
1356         /* eject/load only happens for power condition == 0 */
1357         return 0;
1358     }
1359 
1360     if ((s->features & (1 << SCSI_DISK_F_REMOVABLE)) && loej) {
1361         if (!start && !s->tray_open && s->tray_locked) {
1362             scsi_check_condition(r,
1363                                  blk_is_inserted(s->qdev.conf.blk)
1364                                  ? SENSE_CODE(ILLEGAL_REQ_REMOVAL_PREVENTED)
1365                                  : SENSE_CODE(NOT_READY_REMOVAL_PREVENTED));
1366             return -1;
1367         }
1368 
1369         if (s->tray_open != !start) {
1370             blk_eject(s->qdev.conf.blk, !start);
1371             s->tray_open = !start;
1372         }
1373     }
1374     return 0;
1375 }
1376 
1377 static void scsi_disk_emulate_read_data(SCSIRequest *req)
1378 {
1379     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
1380     int buflen = r->iov.iov_len;
1381 
1382     if (buflen) {
1383         DPRINTF("Read buf_len=%d\n", buflen);
1384         r->iov.iov_len = 0;
1385         r->started = true;
1386         scsi_req_data(&r->req, buflen);
1387         return;
1388     }
1389 
1390     /* This also clears the sense buffer for REQUEST SENSE.  */
1391     scsi_req_complete(&r->req, GOOD);
1392 }
1393 
1394 static int scsi_disk_check_mode_select(SCSIDiskState *s, int page,
1395                                        uint8_t *inbuf, int inlen)
1396 {
1397     uint8_t mode_current[SCSI_MAX_MODE_LEN];
1398     uint8_t mode_changeable[SCSI_MAX_MODE_LEN];
1399     uint8_t *p;
1400     int len, expected_len, changeable_len, i;
1401 
1402     /* The input buffer does not include the page header, so it is
1403      * off by 2 bytes.
1404      */
1405     expected_len = inlen + 2;
1406     if (expected_len > SCSI_MAX_MODE_LEN) {
1407         return -1;
1408     }
1409 
1410     p = mode_current;
1411     memset(mode_current, 0, inlen + 2);
1412     len = mode_sense_page(s, page, &p, 0);
1413     if (len < 0 || len != expected_len) {
1414         return -1;
1415     }
1416 
1417     p = mode_changeable;
1418     memset(mode_changeable, 0, inlen + 2);
1419     changeable_len = mode_sense_page(s, page, &p, 1);
1420     assert(changeable_len == len);
1421 
1422     /* Check that unchangeable bits are the same as what MODE SENSE
1423      * would return.
1424      */
1425     for (i = 2; i < len; i++) {
1426         if (((mode_current[i] ^ inbuf[i - 2]) & ~mode_changeable[i]) != 0) {
1427             return -1;
1428         }
1429     }
1430     return 0;
1431 }
1432 
1433 static void scsi_disk_apply_mode_select(SCSIDiskState *s, int page, uint8_t *p)
1434 {
1435     switch (page) {
1436     case MODE_PAGE_CACHING:
1437         blk_set_enable_write_cache(s->qdev.conf.blk, (p[0] & 4) != 0);
1438         break;
1439 
1440     default:
1441         break;
1442     }
1443 }
1444 
1445 static int mode_select_pages(SCSIDiskReq *r, uint8_t *p, int len, bool change)
1446 {
1447     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1448 
1449     while (len > 0) {
1450         int page, subpage, page_len;
1451 
1452         /* Parse both possible formats for the mode page headers.  */
1453         page = p[0] & 0x3f;
1454         if (p[0] & 0x40) {
1455             if (len < 4) {
1456                 goto invalid_param_len;
1457             }
1458             subpage = p[1];
1459             page_len = lduw_be_p(&p[2]);
1460             p += 4;
1461             len -= 4;
1462         } else {
1463             if (len < 2) {
1464                 goto invalid_param_len;
1465             }
1466             subpage = 0;
1467             page_len = p[1];
1468             p += 2;
1469             len -= 2;
1470         }
1471 
1472         if (subpage) {
1473             goto invalid_param;
1474         }
1475         if (page_len > len) {
1476             goto invalid_param_len;
1477         }
1478 
1479         if (!change) {
1480             if (scsi_disk_check_mode_select(s, page, p, page_len) < 0) {
1481                 goto invalid_param;
1482             }
1483         } else {
1484             scsi_disk_apply_mode_select(s, page, p);
1485         }
1486 
1487         p += page_len;
1488         len -= page_len;
1489     }
1490     return 0;
1491 
1492 invalid_param:
1493     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM));
1494     return -1;
1495 
1496 invalid_param_len:
1497     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM_LEN));
1498     return -1;
1499 }
1500 
1501 static void scsi_disk_emulate_mode_select(SCSIDiskReq *r, uint8_t *inbuf)
1502 {
1503     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1504     uint8_t *p = inbuf;
1505     int cmd = r->req.cmd.buf[0];
1506     int len = r->req.cmd.xfer;
1507     int hdr_len = (cmd == MODE_SELECT ? 4 : 8);
1508     int bd_len;
1509     int pass;
1510 
1511     /* We only support PF=1, SP=0.  */
1512     if ((r->req.cmd.buf[1] & 0x11) != 0x10) {
1513         goto invalid_field;
1514     }
1515 
1516     if (len < hdr_len) {
1517         goto invalid_param_len;
1518     }
1519 
1520     bd_len = (cmd == MODE_SELECT ? p[3] : lduw_be_p(&p[6]));
1521     len -= hdr_len;
1522     p += hdr_len;
1523     if (len < bd_len) {
1524         goto invalid_param_len;
1525     }
1526     if (bd_len != 0 && bd_len != 8) {
1527         goto invalid_param;
1528     }
1529 
1530     len -= bd_len;
1531     p += bd_len;
1532 
1533     /* Ensure no change is made if there is an error!  */
1534     for (pass = 0; pass < 2; pass++) {
1535         if (mode_select_pages(r, p, len, pass == 1) < 0) {
1536             assert(pass == 0);
1537             return;
1538         }
1539     }
1540     if (!blk_enable_write_cache(s->qdev.conf.blk)) {
1541         /* The request is used as the AIO opaque value, so add a ref.  */
1542         scsi_req_ref(&r->req);
1543         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct, 0,
1544                          BLOCK_ACCT_FLUSH);
1545         r->req.aiocb = blk_aio_flush(s->qdev.conf.blk, scsi_aio_complete, r);
1546         return;
1547     }
1548 
1549     scsi_req_complete(&r->req, GOOD);
1550     return;
1551 
1552 invalid_param:
1553     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM));
1554     return;
1555 
1556 invalid_param_len:
1557     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM_LEN));
1558     return;
1559 
1560 invalid_field:
1561     scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1562 }
1563 
1564 static inline bool check_lba_range(SCSIDiskState *s,
1565                                    uint64_t sector_num, uint32_t nb_sectors)
1566 {
1567     /*
1568      * The first line tests that no overflow happens when computing the last
1569      * sector.  The second line tests that the last accessed sector is in
1570      * range.
1571      *
1572      * Careful, the computations should not underflow for nb_sectors == 0,
1573      * and a 0-block read to the first LBA beyond the end of device is
1574      * valid.
1575      */
1576     return (sector_num <= sector_num + nb_sectors &&
1577             sector_num + nb_sectors <= s->qdev.max_lba + 1);
1578 }
1579 
1580 typedef struct UnmapCBData {
1581     SCSIDiskReq *r;
1582     uint8_t *inbuf;
1583     int count;
1584 } UnmapCBData;
1585 
1586 static void scsi_unmap_complete(void *opaque, int ret);
1587 
1588 static void scsi_unmap_complete_noio(UnmapCBData *data, int ret)
1589 {
1590     SCSIDiskReq *r = data->r;
1591     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1592     uint64_t sector_num;
1593     uint32_t nb_sectors;
1594 
1595     assert(r->req.aiocb == NULL);
1596     if (scsi_disk_req_check_error(r, ret, false)) {
1597         goto done;
1598     }
1599 
1600     if (data->count > 0) {
1601         sector_num = ldq_be_p(&data->inbuf[0]);
1602         nb_sectors = ldl_be_p(&data->inbuf[8]) & 0xffffffffULL;
1603         if (!check_lba_range(s, sector_num, nb_sectors)) {
1604             scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
1605             goto done;
1606         }
1607 
1608         r->req.aiocb = blk_aio_pdiscard(s->qdev.conf.blk,
1609                                         sector_num * s->qdev.blocksize,
1610                                         nb_sectors * s->qdev.blocksize,
1611                                         scsi_unmap_complete, data);
1612         data->count--;
1613         data->inbuf += 16;
1614         return;
1615     }
1616 
1617     scsi_req_complete(&r->req, GOOD);
1618 
1619 done:
1620     scsi_req_unref(&r->req);
1621     g_free(data);
1622 }
1623 
1624 static void scsi_unmap_complete(void *opaque, int ret)
1625 {
1626     UnmapCBData *data = opaque;
1627     SCSIDiskReq *r = data->r;
1628 
1629     assert(r->req.aiocb != NULL);
1630     r->req.aiocb = NULL;
1631 
1632     scsi_unmap_complete_noio(data, ret);
1633 }
1634 
1635 static void scsi_disk_emulate_unmap(SCSIDiskReq *r, uint8_t *inbuf)
1636 {
1637     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1638     uint8_t *p = inbuf;
1639     int len = r->req.cmd.xfer;
1640     UnmapCBData *data;
1641 
1642     /* Reject ANCHOR=1.  */
1643     if (r->req.cmd.buf[1] & 0x1) {
1644         goto invalid_field;
1645     }
1646 
1647     if (len < 8) {
1648         goto invalid_param_len;
1649     }
1650     if (len < lduw_be_p(&p[0]) + 2) {
1651         goto invalid_param_len;
1652     }
1653     if (len < lduw_be_p(&p[2]) + 8) {
1654         goto invalid_param_len;
1655     }
1656     if (lduw_be_p(&p[2]) & 15) {
1657         goto invalid_param_len;
1658     }
1659 
1660     if (blk_is_read_only(s->qdev.conf.blk)) {
1661         scsi_check_condition(r, SENSE_CODE(WRITE_PROTECTED));
1662         return;
1663     }
1664 
1665     data = g_new0(UnmapCBData, 1);
1666     data->r = r;
1667     data->inbuf = &p[8];
1668     data->count = lduw_be_p(&p[2]) >> 4;
1669 
1670     /* The matching unref is in scsi_unmap_complete, before data is freed.  */
1671     scsi_req_ref(&r->req);
1672     scsi_unmap_complete_noio(data, 0);
1673     return;
1674 
1675 invalid_param_len:
1676     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM_LEN));
1677     return;
1678 
1679 invalid_field:
1680     scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1681 }
1682 
1683 typedef struct WriteSameCBData {
1684     SCSIDiskReq *r;
1685     int64_t sector;
1686     int nb_sectors;
1687     QEMUIOVector qiov;
1688     struct iovec iov;
1689 } WriteSameCBData;
1690 
1691 static void scsi_write_same_complete(void *opaque, int ret)
1692 {
1693     WriteSameCBData *data = opaque;
1694     SCSIDiskReq *r = data->r;
1695     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1696 
1697     assert(r->req.aiocb != NULL);
1698     r->req.aiocb = NULL;
1699     if (scsi_disk_req_check_error(r, ret, true)) {
1700         goto done;
1701     }
1702 
1703     block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
1704 
1705     data->nb_sectors -= data->iov.iov_len / 512;
1706     data->sector += data->iov.iov_len / 512;
1707     data->iov.iov_len = MIN(data->nb_sectors * 512, data->iov.iov_len);
1708     if (data->iov.iov_len) {
1709         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
1710                          data->iov.iov_len, BLOCK_ACCT_WRITE);
1711         /* Reinitialize qiov, to handle unaligned WRITE SAME request
1712          * where final qiov may need smaller size */
1713         qemu_iovec_init_external(&data->qiov, &data->iov, 1);
1714         r->req.aiocb = blk_aio_pwritev(s->qdev.conf.blk,
1715                                        data->sector << BDRV_SECTOR_BITS,
1716                                        &data->qiov, 0,
1717                                        scsi_write_same_complete, data);
1718         return;
1719     }
1720 
1721     scsi_req_complete(&r->req, GOOD);
1722 
1723 done:
1724     scsi_req_unref(&r->req);
1725     qemu_vfree(data->iov.iov_base);
1726     g_free(data);
1727 }
1728 
1729 static void scsi_disk_emulate_write_same(SCSIDiskReq *r, uint8_t *inbuf)
1730 {
1731     SCSIRequest *req = &r->req;
1732     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1733     uint32_t nb_sectors = scsi_data_cdb_xfer(r->req.cmd.buf);
1734     WriteSameCBData *data;
1735     uint8_t *buf;
1736     int i;
1737 
1738     /* Fail if PBDATA=1 or LBDATA=1 or ANCHOR=1.  */
1739     if (nb_sectors == 0 || (req->cmd.buf[1] & 0x16)) {
1740         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1741         return;
1742     }
1743 
1744     if (blk_is_read_only(s->qdev.conf.blk)) {
1745         scsi_check_condition(r, SENSE_CODE(WRITE_PROTECTED));
1746         return;
1747     }
1748     if (!check_lba_range(s, r->req.cmd.lba, nb_sectors)) {
1749         scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
1750         return;
1751     }
1752 
1753     if (buffer_is_zero(inbuf, s->qdev.blocksize)) {
1754         int flags = (req->cmd.buf[1] & 0x8) ? BDRV_REQ_MAY_UNMAP : 0;
1755 
1756         /* The request is used as the AIO opaque value, so add a ref.  */
1757         scsi_req_ref(&r->req);
1758         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
1759                          nb_sectors * s->qdev.blocksize,
1760                         BLOCK_ACCT_WRITE);
1761         r->req.aiocb = blk_aio_pwrite_zeroes(s->qdev.conf.blk,
1762                                 r->req.cmd.lba * s->qdev.blocksize,
1763                                 nb_sectors * s->qdev.blocksize,
1764                                 flags, scsi_aio_complete, r);
1765         return;
1766     }
1767 
1768     data = g_new0(WriteSameCBData, 1);
1769     data->r = r;
1770     data->sector = r->req.cmd.lba * (s->qdev.blocksize / 512);
1771     data->nb_sectors = nb_sectors * (s->qdev.blocksize / 512);
1772     data->iov.iov_len = MIN(data->nb_sectors * 512, SCSI_WRITE_SAME_MAX);
1773     data->iov.iov_base = buf = blk_blockalign(s->qdev.conf.blk,
1774                                               data->iov.iov_len);
1775     qemu_iovec_init_external(&data->qiov, &data->iov, 1);
1776 
1777     for (i = 0; i < data->iov.iov_len; i += s->qdev.blocksize) {
1778         memcpy(&buf[i], inbuf, s->qdev.blocksize);
1779     }
1780 
1781     scsi_req_ref(&r->req);
1782     block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
1783                      data->iov.iov_len, BLOCK_ACCT_WRITE);
1784     r->req.aiocb = blk_aio_pwritev(s->qdev.conf.blk,
1785                                    data->sector << BDRV_SECTOR_BITS,
1786                                    &data->qiov, 0,
1787                                    scsi_write_same_complete, data);
1788 }
1789 
1790 static void scsi_disk_emulate_write_data(SCSIRequest *req)
1791 {
1792     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
1793 
1794     if (r->iov.iov_len) {
1795         int buflen = r->iov.iov_len;
1796         DPRINTF("Write buf_len=%d\n", buflen);
1797         r->iov.iov_len = 0;
1798         scsi_req_data(&r->req, buflen);
1799         return;
1800     }
1801 
1802     switch (req->cmd.buf[0]) {
1803     case MODE_SELECT:
1804     case MODE_SELECT_10:
1805         /* This also clears the sense buffer for REQUEST SENSE.  */
1806         scsi_disk_emulate_mode_select(r, r->iov.iov_base);
1807         break;
1808 
1809     case UNMAP:
1810         scsi_disk_emulate_unmap(r, r->iov.iov_base);
1811         break;
1812 
1813     case VERIFY_10:
1814     case VERIFY_12:
1815     case VERIFY_16:
1816         if (r->req.status == -1) {
1817             scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1818         }
1819         break;
1820 
1821     case WRITE_SAME_10:
1822     case WRITE_SAME_16:
1823         scsi_disk_emulate_write_same(r, r->iov.iov_base);
1824         break;
1825 
1826     default:
1827         abort();
1828     }
1829 }
1830 
1831 static int32_t scsi_disk_emulate_command(SCSIRequest *req, uint8_t *buf)
1832 {
1833     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
1834     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1835     uint64_t nb_sectors;
1836     uint8_t *outbuf;
1837     int buflen;
1838 
1839     switch (req->cmd.buf[0]) {
1840     case INQUIRY:
1841     case MODE_SENSE:
1842     case MODE_SENSE_10:
1843     case RESERVE:
1844     case RESERVE_10:
1845     case RELEASE:
1846     case RELEASE_10:
1847     case START_STOP:
1848     case ALLOW_MEDIUM_REMOVAL:
1849     case GET_CONFIGURATION:
1850     case GET_EVENT_STATUS_NOTIFICATION:
1851     case MECHANISM_STATUS:
1852     case REQUEST_SENSE:
1853         break;
1854 
1855     default:
1856         if (!blk_is_available(s->qdev.conf.blk)) {
1857             scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
1858             return 0;
1859         }
1860         break;
1861     }
1862 
1863     /*
1864      * FIXME: we shouldn't return anything bigger than 4k, but the code
1865      * requires the buffer to be as big as req->cmd.xfer in several
1866      * places.  So, do not allow CDBs with a very large ALLOCATION
1867      * LENGTH.  The real fix would be to modify scsi_read_data and
1868      * dma_buf_read, so that they return data beyond the buflen
1869      * as all zeros.
1870      */
1871     if (req->cmd.xfer > 65536) {
1872         goto illegal_request;
1873     }
1874     r->buflen = MAX(4096, req->cmd.xfer);
1875 
1876     if (!r->iov.iov_base) {
1877         r->iov.iov_base = blk_blockalign(s->qdev.conf.blk, r->buflen);
1878     }
1879 
1880     buflen = req->cmd.xfer;
1881     outbuf = r->iov.iov_base;
1882     memset(outbuf, 0, r->buflen);
1883     switch (req->cmd.buf[0]) {
1884     case TEST_UNIT_READY:
1885         assert(blk_is_available(s->qdev.conf.blk));
1886         break;
1887     case INQUIRY:
1888         buflen = scsi_disk_emulate_inquiry(req, outbuf);
1889         if (buflen < 0) {
1890             goto illegal_request;
1891         }
1892         break;
1893     case MODE_SENSE:
1894     case MODE_SENSE_10:
1895         buflen = scsi_disk_emulate_mode_sense(r, outbuf);
1896         if (buflen < 0) {
1897             goto illegal_request;
1898         }
1899         break;
1900     case READ_TOC:
1901         buflen = scsi_disk_emulate_read_toc(req, outbuf);
1902         if (buflen < 0) {
1903             goto illegal_request;
1904         }
1905         break;
1906     case RESERVE:
1907         if (req->cmd.buf[1] & 1) {
1908             goto illegal_request;
1909         }
1910         break;
1911     case RESERVE_10:
1912         if (req->cmd.buf[1] & 3) {
1913             goto illegal_request;
1914         }
1915         break;
1916     case RELEASE:
1917         if (req->cmd.buf[1] & 1) {
1918             goto illegal_request;
1919         }
1920         break;
1921     case RELEASE_10:
1922         if (req->cmd.buf[1] & 3) {
1923             goto illegal_request;
1924         }
1925         break;
1926     case START_STOP:
1927         if (scsi_disk_emulate_start_stop(r) < 0) {
1928             return 0;
1929         }
1930         break;
1931     case ALLOW_MEDIUM_REMOVAL:
1932         s->tray_locked = req->cmd.buf[4] & 1;
1933         blk_lock_medium(s->qdev.conf.blk, req->cmd.buf[4] & 1);
1934         break;
1935     case READ_CAPACITY_10:
1936         /* The normal LEN field for this command is zero.  */
1937         memset(outbuf, 0, 8);
1938         blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
1939         if (!nb_sectors) {
1940             scsi_check_condition(r, SENSE_CODE(LUN_NOT_READY));
1941             return 0;
1942         }
1943         if ((req->cmd.buf[8] & 1) == 0 && req->cmd.lba) {
1944             goto illegal_request;
1945         }
1946         nb_sectors /= s->qdev.blocksize / 512;
1947         /* Returned value is the address of the last sector.  */
1948         nb_sectors--;
1949         /* Remember the new size for read/write sanity checking. */
1950         s->qdev.max_lba = nb_sectors;
1951         /* Clip to 2TB, instead of returning capacity modulo 2TB. */
1952         if (nb_sectors > UINT32_MAX) {
1953             nb_sectors = UINT32_MAX;
1954         }
1955         outbuf[0] = (nb_sectors >> 24) & 0xff;
1956         outbuf[1] = (nb_sectors >> 16) & 0xff;
1957         outbuf[2] = (nb_sectors >> 8) & 0xff;
1958         outbuf[3] = nb_sectors & 0xff;
1959         outbuf[4] = 0;
1960         outbuf[5] = 0;
1961         outbuf[6] = s->qdev.blocksize >> 8;
1962         outbuf[7] = 0;
1963         break;
1964     case REQUEST_SENSE:
1965         /* Just return "NO SENSE".  */
1966         buflen = scsi_build_sense(NULL, 0, outbuf, r->buflen,
1967                                   (req->cmd.buf[1] & 1) == 0);
1968         if (buflen < 0) {
1969             goto illegal_request;
1970         }
1971         break;
1972     case MECHANISM_STATUS:
1973         buflen = scsi_emulate_mechanism_status(s, outbuf);
1974         if (buflen < 0) {
1975             goto illegal_request;
1976         }
1977         break;
1978     case GET_CONFIGURATION:
1979         buflen = scsi_get_configuration(s, outbuf);
1980         if (buflen < 0) {
1981             goto illegal_request;
1982         }
1983         break;
1984     case GET_EVENT_STATUS_NOTIFICATION:
1985         buflen = scsi_get_event_status_notification(s, r, outbuf);
1986         if (buflen < 0) {
1987             goto illegal_request;
1988         }
1989         break;
1990     case READ_DISC_INFORMATION:
1991         buflen = scsi_read_disc_information(s, r, outbuf);
1992         if (buflen < 0) {
1993             goto illegal_request;
1994         }
1995         break;
1996     case READ_DVD_STRUCTURE:
1997         buflen = scsi_read_dvd_structure(s, r, outbuf);
1998         if (buflen < 0) {
1999             goto illegal_request;
2000         }
2001         break;
2002     case SERVICE_ACTION_IN_16:
2003         /* Service Action In subcommands. */
2004         if ((req->cmd.buf[1] & 31) == SAI_READ_CAPACITY_16) {
2005             DPRINTF("SAI READ CAPACITY(16)\n");
2006             memset(outbuf, 0, req->cmd.xfer);
2007             blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
2008             if (!nb_sectors) {
2009                 scsi_check_condition(r, SENSE_CODE(LUN_NOT_READY));
2010                 return 0;
2011             }
2012             if ((req->cmd.buf[14] & 1) == 0 && req->cmd.lba) {
2013                 goto illegal_request;
2014             }
2015             nb_sectors /= s->qdev.blocksize / 512;
2016             /* Returned value is the address of the last sector.  */
2017             nb_sectors--;
2018             /* Remember the new size for read/write sanity checking. */
2019             s->qdev.max_lba = nb_sectors;
2020             outbuf[0] = (nb_sectors >> 56) & 0xff;
2021             outbuf[1] = (nb_sectors >> 48) & 0xff;
2022             outbuf[2] = (nb_sectors >> 40) & 0xff;
2023             outbuf[3] = (nb_sectors >> 32) & 0xff;
2024             outbuf[4] = (nb_sectors >> 24) & 0xff;
2025             outbuf[5] = (nb_sectors >> 16) & 0xff;
2026             outbuf[6] = (nb_sectors >> 8) & 0xff;
2027             outbuf[7] = nb_sectors & 0xff;
2028             outbuf[8] = 0;
2029             outbuf[9] = 0;
2030             outbuf[10] = s->qdev.blocksize >> 8;
2031             outbuf[11] = 0;
2032             outbuf[12] = 0;
2033             outbuf[13] = get_physical_block_exp(&s->qdev.conf);
2034 
2035             /* set TPE bit if the format supports discard */
2036             if (s->qdev.conf.discard_granularity) {
2037                 outbuf[14] = 0x80;
2038             }
2039 
2040             /* Protection, exponent and lowest lba field left blank. */
2041             break;
2042         }
2043         DPRINTF("Unsupported Service Action In\n");
2044         goto illegal_request;
2045     case SYNCHRONIZE_CACHE:
2046         /* The request is used as the AIO opaque value, so add a ref.  */
2047         scsi_req_ref(&r->req);
2048         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct, 0,
2049                          BLOCK_ACCT_FLUSH);
2050         r->req.aiocb = blk_aio_flush(s->qdev.conf.blk, scsi_aio_complete, r);
2051         return 0;
2052     case SEEK_10:
2053         DPRINTF("Seek(10) (sector %" PRId64 ")\n", r->req.cmd.lba);
2054         if (r->req.cmd.lba > s->qdev.max_lba) {
2055             goto illegal_lba;
2056         }
2057         break;
2058     case MODE_SELECT:
2059         DPRINTF("Mode Select(6) (len %lu)\n", (unsigned long)r->req.cmd.xfer);
2060         break;
2061     case MODE_SELECT_10:
2062         DPRINTF("Mode Select(10) (len %lu)\n", (unsigned long)r->req.cmd.xfer);
2063         break;
2064     case UNMAP:
2065         DPRINTF("Unmap (len %lu)\n", (unsigned long)r->req.cmd.xfer);
2066         break;
2067     case VERIFY_10:
2068     case VERIFY_12:
2069     case VERIFY_16:
2070         DPRINTF("Verify (bytchk %d)\n", (req->cmd.buf[1] >> 1) & 3);
2071         if (req->cmd.buf[1] & 6) {
2072             goto illegal_request;
2073         }
2074         break;
2075     case WRITE_SAME_10:
2076     case WRITE_SAME_16:
2077         DPRINTF("WRITE SAME %d (len %lu)\n",
2078                 req->cmd.buf[0] == WRITE_SAME_10 ? 10 : 16,
2079                 (unsigned long)r->req.cmd.xfer);
2080         break;
2081     default:
2082         DPRINTF("Unknown SCSI command (%2.2x=%s)\n", buf[0],
2083                 scsi_command_name(buf[0]));
2084         scsi_check_condition(r, SENSE_CODE(INVALID_OPCODE));
2085         return 0;
2086     }
2087     assert(!r->req.aiocb);
2088     r->iov.iov_len = MIN(r->buflen, req->cmd.xfer);
2089     if (r->iov.iov_len == 0) {
2090         scsi_req_complete(&r->req, GOOD);
2091     }
2092     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
2093         assert(r->iov.iov_len == req->cmd.xfer);
2094         return -r->iov.iov_len;
2095     } else {
2096         return r->iov.iov_len;
2097     }
2098 
2099 illegal_request:
2100     if (r->req.status == -1) {
2101         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
2102     }
2103     return 0;
2104 
2105 illegal_lba:
2106     scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
2107     return 0;
2108 }
2109 
2110 /* Execute a scsi command.  Returns the length of the data expected by the
2111    command.  This will be Positive for data transfers from the device
2112    (eg. disk reads), negative for transfers to the device (eg. disk writes),
2113    and zero if the command does not transfer any data.  */
2114 
2115 static int32_t scsi_disk_dma_command(SCSIRequest *req, uint8_t *buf)
2116 {
2117     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
2118     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
2119     SCSIDiskClass *sdc = (SCSIDiskClass *) object_get_class(OBJECT(s));
2120     uint32_t len;
2121     uint8_t command;
2122 
2123     command = buf[0];
2124 
2125     if (!blk_is_available(s->qdev.conf.blk)) {
2126         scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
2127         return 0;
2128     }
2129 
2130     len = scsi_data_cdb_xfer(r->req.cmd.buf);
2131     switch (command) {
2132     case READ_6:
2133     case READ_10:
2134     case READ_12:
2135     case READ_16:
2136         DPRINTF("Read (sector %" PRId64 ", count %u)\n", r->req.cmd.lba, len);
2137         if (r->req.cmd.buf[1] & 0xe0) {
2138             goto illegal_request;
2139         }
2140         if (!check_lba_range(s, r->req.cmd.lba, len)) {
2141             goto illegal_lba;
2142         }
2143         r->sector = r->req.cmd.lba * (s->qdev.blocksize / 512);
2144         r->sector_count = len * (s->qdev.blocksize / 512);
2145         break;
2146     case WRITE_6:
2147     case WRITE_10:
2148     case WRITE_12:
2149     case WRITE_16:
2150     case WRITE_VERIFY_10:
2151     case WRITE_VERIFY_12:
2152     case WRITE_VERIFY_16:
2153         if (blk_is_read_only(s->qdev.conf.blk)) {
2154             scsi_check_condition(r, SENSE_CODE(WRITE_PROTECTED));
2155             return 0;
2156         }
2157         DPRINTF("Write %s(sector %" PRId64 ", count %u)\n",
2158                 (command & 0xe) == 0xe ? "And Verify " : "",
2159                 r->req.cmd.lba, len);
2160         /* fall through */
2161     case VERIFY_10:
2162     case VERIFY_12:
2163     case VERIFY_16:
2164         /* We get here only for BYTCHK == 0x01 and only for scsi-block.
2165          * As far as DMA is concerned, we can treat it the same as a write;
2166          * scsi_block_do_sgio will send VERIFY commands.
2167          */
2168         if (r->req.cmd.buf[1] & 0xe0) {
2169             goto illegal_request;
2170         }
2171         if (!check_lba_range(s, r->req.cmd.lba, len)) {
2172             goto illegal_lba;
2173         }
2174         r->sector = r->req.cmd.lba * (s->qdev.blocksize / 512);
2175         r->sector_count = len * (s->qdev.blocksize / 512);
2176         break;
2177     default:
2178         abort();
2179     illegal_request:
2180         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
2181         return 0;
2182     illegal_lba:
2183         scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
2184         return 0;
2185     }
2186     r->need_fua_emulation = sdc->need_fua_emulation(&r->req.cmd);
2187     if (r->sector_count == 0) {
2188         scsi_req_complete(&r->req, GOOD);
2189     }
2190     assert(r->iov.iov_len == 0);
2191     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
2192         return -r->sector_count * 512;
2193     } else {
2194         return r->sector_count * 512;
2195     }
2196 }
2197 
2198 static void scsi_disk_reset(DeviceState *dev)
2199 {
2200     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev.qdev, dev);
2201     uint64_t nb_sectors;
2202 
2203     scsi_device_purge_requests(&s->qdev, SENSE_CODE(RESET));
2204 
2205     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
2206     nb_sectors /= s->qdev.blocksize / 512;
2207     if (nb_sectors) {
2208         nb_sectors--;
2209     }
2210     s->qdev.max_lba = nb_sectors;
2211     /* reset tray statuses */
2212     s->tray_locked = 0;
2213     s->tray_open = 0;
2214 }
2215 
2216 static void scsi_disk_resize_cb(void *opaque)
2217 {
2218     SCSIDiskState *s = opaque;
2219 
2220     /* SPC lists this sense code as available only for
2221      * direct-access devices.
2222      */
2223     if (s->qdev.type == TYPE_DISK) {
2224         scsi_device_report_change(&s->qdev, SENSE_CODE(CAPACITY_CHANGED));
2225     }
2226 }
2227 
2228 static void scsi_cd_change_media_cb(void *opaque, bool load)
2229 {
2230     SCSIDiskState *s = opaque;
2231 
2232     /*
2233      * When a CD gets changed, we have to report an ejected state and
2234      * then a loaded state to guests so that they detect tray
2235      * open/close and media change events.  Guests that do not use
2236      * GET_EVENT_STATUS_NOTIFICATION to detect such tray open/close
2237      * states rely on this behavior.
2238      *
2239      * media_changed governs the state machine used for unit attention
2240      * report.  media_event is used by GET EVENT STATUS NOTIFICATION.
2241      */
2242     s->media_changed = load;
2243     s->tray_open = !load;
2244     scsi_device_set_ua(&s->qdev, SENSE_CODE(UNIT_ATTENTION_NO_MEDIUM));
2245     s->media_event = true;
2246     s->eject_request = false;
2247 }
2248 
2249 static void scsi_cd_eject_request_cb(void *opaque, bool force)
2250 {
2251     SCSIDiskState *s = opaque;
2252 
2253     s->eject_request = true;
2254     if (force) {
2255         s->tray_locked = false;
2256     }
2257 }
2258 
2259 static bool scsi_cd_is_tray_open(void *opaque)
2260 {
2261     return ((SCSIDiskState *)opaque)->tray_open;
2262 }
2263 
2264 static bool scsi_cd_is_medium_locked(void *opaque)
2265 {
2266     return ((SCSIDiskState *)opaque)->tray_locked;
2267 }
2268 
2269 static const BlockDevOps scsi_disk_removable_block_ops = {
2270     .change_media_cb = scsi_cd_change_media_cb,
2271     .eject_request_cb = scsi_cd_eject_request_cb,
2272     .is_tray_open = scsi_cd_is_tray_open,
2273     .is_medium_locked = scsi_cd_is_medium_locked,
2274 
2275     .resize_cb = scsi_disk_resize_cb,
2276 };
2277 
2278 static const BlockDevOps scsi_disk_block_ops = {
2279     .resize_cb = scsi_disk_resize_cb,
2280 };
2281 
2282 static void scsi_disk_unit_attention_reported(SCSIDevice *dev)
2283 {
2284     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2285     if (s->media_changed) {
2286         s->media_changed = false;
2287         scsi_device_set_ua(&s->qdev, SENSE_CODE(MEDIUM_CHANGED));
2288     }
2289 }
2290 
2291 static void scsi_realize(SCSIDevice *dev, Error **errp)
2292 {
2293     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2294     Error *err = NULL;
2295 
2296     if (!s->qdev.conf.blk) {
2297         error_setg(errp, "drive property not set");
2298         return;
2299     }
2300 
2301     if (!(s->features & (1 << SCSI_DISK_F_REMOVABLE)) &&
2302         !blk_is_inserted(s->qdev.conf.blk)) {
2303         error_setg(errp, "Device needs media, but drive is empty");
2304         return;
2305     }
2306 
2307     blkconf_serial(&s->qdev.conf, &s->serial);
2308     blkconf_blocksizes(&s->qdev.conf);
2309     if (dev->type == TYPE_DISK) {
2310         blkconf_geometry(&dev->conf, NULL, 65535, 255, 255, &err);
2311         if (err) {
2312             error_propagate(errp, err);
2313             return;
2314         }
2315     }
2316     blkconf_apply_backend_options(&dev->conf);
2317 
2318     if (s->qdev.conf.discard_granularity == -1) {
2319         s->qdev.conf.discard_granularity =
2320             MAX(s->qdev.conf.logical_block_size, DEFAULT_DISCARD_GRANULARITY);
2321     }
2322 
2323     if (!s->version) {
2324         s->version = g_strdup(qemu_hw_version());
2325     }
2326     if (!s->vendor) {
2327         s->vendor = g_strdup("QEMU");
2328     }
2329 
2330     if (blk_is_sg(s->qdev.conf.blk)) {
2331         error_setg(errp, "unwanted /dev/sg*");
2332         return;
2333     }
2334 
2335     if ((s->features & (1 << SCSI_DISK_F_REMOVABLE)) &&
2336             !(s->features & (1 << SCSI_DISK_F_NO_REMOVABLE_DEVOPS))) {
2337         blk_set_dev_ops(s->qdev.conf.blk, &scsi_disk_removable_block_ops, s);
2338     } else {
2339         blk_set_dev_ops(s->qdev.conf.blk, &scsi_disk_block_ops, s);
2340     }
2341     blk_set_guest_block_size(s->qdev.conf.blk, s->qdev.blocksize);
2342 
2343     blk_iostatus_enable(s->qdev.conf.blk);
2344 }
2345 
2346 static void scsi_hd_realize(SCSIDevice *dev, Error **errp)
2347 {
2348     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2349     /* can happen for devices without drive. The error message for missing
2350      * backend will be issued in scsi_realize
2351      */
2352     if (s->qdev.conf.blk) {
2353         blkconf_blocksizes(&s->qdev.conf);
2354     }
2355     s->qdev.blocksize = s->qdev.conf.logical_block_size;
2356     s->qdev.type = TYPE_DISK;
2357     if (!s->product) {
2358         s->product = g_strdup("QEMU HARDDISK");
2359     }
2360     scsi_realize(&s->qdev, errp);
2361 }
2362 
2363 static void scsi_cd_realize(SCSIDevice *dev, Error **errp)
2364 {
2365     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2366 
2367     if (!dev->conf.blk) {
2368         dev->conf.blk = blk_new();
2369     }
2370 
2371     s->qdev.blocksize = 2048;
2372     s->qdev.type = TYPE_ROM;
2373     s->features |= 1 << SCSI_DISK_F_REMOVABLE;
2374     if (!s->product) {
2375         s->product = g_strdup("QEMU CD-ROM");
2376     }
2377     scsi_realize(&s->qdev, errp);
2378 }
2379 
2380 static void scsi_disk_realize(SCSIDevice *dev, Error **errp)
2381 {
2382     DriveInfo *dinfo;
2383     Error *local_err = NULL;
2384 
2385     if (!dev->conf.blk) {
2386         scsi_realize(dev, &local_err);
2387         assert(local_err);
2388         error_propagate(errp, local_err);
2389         return;
2390     }
2391 
2392     dinfo = blk_legacy_dinfo(dev->conf.blk);
2393     if (dinfo && dinfo->media_cd) {
2394         scsi_cd_realize(dev, errp);
2395     } else {
2396         scsi_hd_realize(dev, errp);
2397     }
2398 }
2399 
2400 static const SCSIReqOps scsi_disk_emulate_reqops = {
2401     .size         = sizeof(SCSIDiskReq),
2402     .free_req     = scsi_free_request,
2403     .send_command = scsi_disk_emulate_command,
2404     .read_data    = scsi_disk_emulate_read_data,
2405     .write_data   = scsi_disk_emulate_write_data,
2406     .get_buf      = scsi_get_buf,
2407 };
2408 
2409 static const SCSIReqOps scsi_disk_dma_reqops = {
2410     .size         = sizeof(SCSIDiskReq),
2411     .free_req     = scsi_free_request,
2412     .send_command = scsi_disk_dma_command,
2413     .read_data    = scsi_read_data,
2414     .write_data   = scsi_write_data,
2415     .get_buf      = scsi_get_buf,
2416     .load_request = scsi_disk_load_request,
2417     .save_request = scsi_disk_save_request,
2418 };
2419 
2420 static const SCSIReqOps *const scsi_disk_reqops_dispatch[256] = {
2421     [TEST_UNIT_READY]                 = &scsi_disk_emulate_reqops,
2422     [INQUIRY]                         = &scsi_disk_emulate_reqops,
2423     [MODE_SENSE]                      = &scsi_disk_emulate_reqops,
2424     [MODE_SENSE_10]                   = &scsi_disk_emulate_reqops,
2425     [START_STOP]                      = &scsi_disk_emulate_reqops,
2426     [ALLOW_MEDIUM_REMOVAL]            = &scsi_disk_emulate_reqops,
2427     [READ_CAPACITY_10]                = &scsi_disk_emulate_reqops,
2428     [READ_TOC]                        = &scsi_disk_emulate_reqops,
2429     [READ_DVD_STRUCTURE]              = &scsi_disk_emulate_reqops,
2430     [READ_DISC_INFORMATION]           = &scsi_disk_emulate_reqops,
2431     [GET_CONFIGURATION]               = &scsi_disk_emulate_reqops,
2432     [GET_EVENT_STATUS_NOTIFICATION]   = &scsi_disk_emulate_reqops,
2433     [MECHANISM_STATUS]                = &scsi_disk_emulate_reqops,
2434     [SERVICE_ACTION_IN_16]            = &scsi_disk_emulate_reqops,
2435     [REQUEST_SENSE]                   = &scsi_disk_emulate_reqops,
2436     [SYNCHRONIZE_CACHE]               = &scsi_disk_emulate_reqops,
2437     [SEEK_10]                         = &scsi_disk_emulate_reqops,
2438     [MODE_SELECT]                     = &scsi_disk_emulate_reqops,
2439     [MODE_SELECT_10]                  = &scsi_disk_emulate_reqops,
2440     [UNMAP]                           = &scsi_disk_emulate_reqops,
2441     [WRITE_SAME_10]                   = &scsi_disk_emulate_reqops,
2442     [WRITE_SAME_16]                   = &scsi_disk_emulate_reqops,
2443     [VERIFY_10]                       = &scsi_disk_emulate_reqops,
2444     [VERIFY_12]                       = &scsi_disk_emulate_reqops,
2445     [VERIFY_16]                       = &scsi_disk_emulate_reqops,
2446 
2447     [READ_6]                          = &scsi_disk_dma_reqops,
2448     [READ_10]                         = &scsi_disk_dma_reqops,
2449     [READ_12]                         = &scsi_disk_dma_reqops,
2450     [READ_16]                         = &scsi_disk_dma_reqops,
2451     [WRITE_6]                         = &scsi_disk_dma_reqops,
2452     [WRITE_10]                        = &scsi_disk_dma_reqops,
2453     [WRITE_12]                        = &scsi_disk_dma_reqops,
2454     [WRITE_16]                        = &scsi_disk_dma_reqops,
2455     [WRITE_VERIFY_10]                 = &scsi_disk_dma_reqops,
2456     [WRITE_VERIFY_12]                 = &scsi_disk_dma_reqops,
2457     [WRITE_VERIFY_16]                 = &scsi_disk_dma_reqops,
2458 };
2459 
2460 static SCSIRequest *scsi_new_request(SCSIDevice *d, uint32_t tag, uint32_t lun,
2461                                      uint8_t *buf, void *hba_private)
2462 {
2463     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, d);
2464     SCSIRequest *req;
2465     const SCSIReqOps *ops;
2466     uint8_t command;
2467 
2468     command = buf[0];
2469     ops = scsi_disk_reqops_dispatch[command];
2470     if (!ops) {
2471         ops = &scsi_disk_emulate_reqops;
2472     }
2473     req = scsi_req_alloc(ops, &s->qdev, tag, lun, hba_private);
2474 
2475 #ifdef DEBUG_SCSI
2476     DPRINTF("Command: lun=%d tag=0x%x data=0x%02x", lun, tag, buf[0]);
2477     {
2478         int i;
2479         for (i = 1; i < scsi_cdb_length(buf); i++) {
2480             printf(" 0x%02x", buf[i]);
2481         }
2482         printf("\n");
2483     }
2484 #endif
2485 
2486     return req;
2487 }
2488 
2489 #ifdef __linux__
2490 static int get_device_type(SCSIDiskState *s)
2491 {
2492     uint8_t cmd[16];
2493     uint8_t buf[36];
2494     uint8_t sensebuf[8];
2495     sg_io_hdr_t io_header;
2496     int ret;
2497 
2498     memset(cmd, 0, sizeof(cmd));
2499     memset(buf, 0, sizeof(buf));
2500     cmd[0] = INQUIRY;
2501     cmd[4] = sizeof(buf);
2502 
2503     memset(&io_header, 0, sizeof(io_header));
2504     io_header.interface_id = 'S';
2505     io_header.dxfer_direction = SG_DXFER_FROM_DEV;
2506     io_header.dxfer_len = sizeof(buf);
2507     io_header.dxferp = buf;
2508     io_header.cmdp = cmd;
2509     io_header.cmd_len = sizeof(cmd);
2510     io_header.mx_sb_len = sizeof(sensebuf);
2511     io_header.sbp = sensebuf;
2512     io_header.timeout = 6000; /* XXX */
2513 
2514     ret = blk_ioctl(s->qdev.conf.blk, SG_IO, &io_header);
2515     if (ret < 0 || io_header.driver_status || io_header.host_status) {
2516         return -1;
2517     }
2518     s->qdev.type = buf[0];
2519     if (buf[1] & 0x80) {
2520         s->features |= 1 << SCSI_DISK_F_REMOVABLE;
2521     }
2522     return 0;
2523 }
2524 
2525 static void scsi_block_realize(SCSIDevice *dev, Error **errp)
2526 {
2527     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2528     int sg_version;
2529     int rc;
2530 
2531     if (!s->qdev.conf.blk) {
2532         error_setg(errp, "drive property not set");
2533         return;
2534     }
2535 
2536     /* check we are using a driver managing SG_IO (version 3 and after) */
2537     rc = blk_ioctl(s->qdev.conf.blk, SG_GET_VERSION_NUM, &sg_version);
2538     if (rc < 0) {
2539         error_setg(errp, "cannot get SG_IO version number: %s.  "
2540                      "Is this a SCSI device?",
2541                      strerror(-rc));
2542         return;
2543     }
2544     if (sg_version < 30000) {
2545         error_setg(errp, "scsi generic interface too old");
2546         return;
2547     }
2548 
2549     /* get device type from INQUIRY data */
2550     rc = get_device_type(s);
2551     if (rc < 0) {
2552         error_setg(errp, "INQUIRY failed");
2553         return;
2554     }
2555 
2556     /* Make a guess for the block size, we'll fix it when the guest sends.
2557      * READ CAPACITY.  If they don't, they likely would assume these sizes
2558      * anyway. (TODO: check in /sys).
2559      */
2560     if (s->qdev.type == TYPE_ROM || s->qdev.type == TYPE_WORM) {
2561         s->qdev.blocksize = 2048;
2562     } else {
2563         s->qdev.blocksize = 512;
2564     }
2565 
2566     /* Makes the scsi-block device not removable by using HMP and QMP eject
2567      * command.
2568      */
2569     s->features |= (1 << SCSI_DISK_F_NO_REMOVABLE_DEVOPS);
2570 
2571     scsi_realize(&s->qdev, errp);
2572     scsi_generic_read_device_identification(&s->qdev);
2573 }
2574 
2575 typedef struct SCSIBlockReq {
2576     SCSIDiskReq req;
2577     sg_io_hdr_t io_header;
2578 
2579     /* Selected bytes of the original CDB, copied into our own CDB.  */
2580     uint8_t cmd, cdb1, group_number;
2581 
2582     /* CDB passed to SG_IO.  */
2583     uint8_t cdb[16];
2584 } SCSIBlockReq;
2585 
2586 static BlockAIOCB *scsi_block_do_sgio(SCSIBlockReq *req,
2587                                       int64_t offset, QEMUIOVector *iov,
2588                                       int direction,
2589                                       BlockCompletionFunc *cb, void *opaque)
2590 {
2591     sg_io_hdr_t *io_header = &req->io_header;
2592     SCSIDiskReq *r = &req->req;
2593     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
2594     int nb_logical_blocks;
2595     uint64_t lba;
2596     BlockAIOCB *aiocb;
2597 
2598     /* This is not supported yet.  It can only happen if the guest does
2599      * reads and writes that are not aligned to one logical sectors
2600      * _and_ cover multiple MemoryRegions.
2601      */
2602     assert(offset % s->qdev.blocksize == 0);
2603     assert(iov->size % s->qdev.blocksize == 0);
2604 
2605     io_header->interface_id = 'S';
2606 
2607     /* The data transfer comes from the QEMUIOVector.  */
2608     io_header->dxfer_direction = direction;
2609     io_header->dxfer_len = iov->size;
2610     io_header->dxferp = (void *)iov->iov;
2611     io_header->iovec_count = iov->niov;
2612     assert(io_header->iovec_count == iov->niov); /* no overflow! */
2613 
2614     /* Build a new CDB with the LBA and length patched in, in case
2615      * DMA helpers split the transfer in multiple segments.  Do not
2616      * build a CDB smaller than what the guest wanted, and only build
2617      * a larger one if strictly necessary.
2618      */
2619     io_header->cmdp = req->cdb;
2620     lba = offset / s->qdev.blocksize;
2621     nb_logical_blocks = io_header->dxfer_len / s->qdev.blocksize;
2622 
2623     if ((req->cmd >> 5) == 0 && lba <= 0x1ffff) {
2624         /* 6-byte CDB */
2625         stl_be_p(&req->cdb[0], lba | (req->cmd << 24));
2626         req->cdb[4] = nb_logical_blocks;
2627         req->cdb[5] = 0;
2628         io_header->cmd_len = 6;
2629     } else if ((req->cmd >> 5) <= 1 && lba <= 0xffffffffULL) {
2630         /* 10-byte CDB */
2631         req->cdb[0] = (req->cmd & 0x1f) | 0x20;
2632         req->cdb[1] = req->cdb1;
2633         stl_be_p(&req->cdb[2], lba);
2634         req->cdb[6] = req->group_number;
2635         stw_be_p(&req->cdb[7], nb_logical_blocks);
2636         req->cdb[9] = 0;
2637         io_header->cmd_len = 10;
2638     } else if ((req->cmd >> 5) != 4 && lba <= 0xffffffffULL) {
2639         /* 12-byte CDB */
2640         req->cdb[0] = (req->cmd & 0x1f) | 0xA0;
2641         req->cdb[1] = req->cdb1;
2642         stl_be_p(&req->cdb[2], lba);
2643         stl_be_p(&req->cdb[6], nb_logical_blocks);
2644         req->cdb[10] = req->group_number;
2645         req->cdb[11] = 0;
2646         io_header->cmd_len = 12;
2647     } else {
2648         /* 16-byte CDB */
2649         req->cdb[0] = (req->cmd & 0x1f) | 0x80;
2650         req->cdb[1] = req->cdb1;
2651         stq_be_p(&req->cdb[2], lba);
2652         stl_be_p(&req->cdb[10], nb_logical_blocks);
2653         req->cdb[14] = req->group_number;
2654         req->cdb[15] = 0;
2655         io_header->cmd_len = 16;
2656     }
2657 
2658     /* The rest is as in scsi-generic.c.  */
2659     io_header->mx_sb_len = sizeof(r->req.sense);
2660     io_header->sbp = r->req.sense;
2661     io_header->timeout = UINT_MAX;
2662     io_header->usr_ptr = r;
2663     io_header->flags |= SG_FLAG_DIRECT_IO;
2664 
2665     aiocb = blk_aio_ioctl(s->qdev.conf.blk, SG_IO, io_header, cb, opaque);
2666     assert(aiocb != NULL);
2667     return aiocb;
2668 }
2669 
2670 static bool scsi_block_no_fua(SCSICommand *cmd)
2671 {
2672     return false;
2673 }
2674 
2675 static BlockAIOCB *scsi_block_dma_readv(int64_t offset,
2676                                         QEMUIOVector *iov,
2677                                         BlockCompletionFunc *cb, void *cb_opaque,
2678                                         void *opaque)
2679 {
2680     SCSIBlockReq *r = opaque;
2681     return scsi_block_do_sgio(r, offset, iov,
2682                               SG_DXFER_FROM_DEV, cb, cb_opaque);
2683 }
2684 
2685 static BlockAIOCB *scsi_block_dma_writev(int64_t offset,
2686                                          QEMUIOVector *iov,
2687                                          BlockCompletionFunc *cb, void *cb_opaque,
2688                                          void *opaque)
2689 {
2690     SCSIBlockReq *r = opaque;
2691     return scsi_block_do_sgio(r, offset, iov,
2692                               SG_DXFER_TO_DEV, cb, cb_opaque);
2693 }
2694 
2695 static bool scsi_block_is_passthrough(SCSIDiskState *s, uint8_t *buf)
2696 {
2697     switch (buf[0]) {
2698     case VERIFY_10:
2699     case VERIFY_12:
2700     case VERIFY_16:
2701         /* Check if BYTCHK == 0x01 (data-out buffer contains data
2702          * for the number of logical blocks specified in the length
2703          * field).  For other modes, do not use scatter/gather operation.
2704          */
2705         if ((buf[1] & 6) == 2) {
2706             return false;
2707         }
2708         break;
2709 
2710     case READ_6:
2711     case READ_10:
2712     case READ_12:
2713     case READ_16:
2714     case WRITE_6:
2715     case WRITE_10:
2716     case WRITE_12:
2717     case WRITE_16:
2718     case WRITE_VERIFY_10:
2719     case WRITE_VERIFY_12:
2720     case WRITE_VERIFY_16:
2721         /* MMC writing cannot be done via DMA helpers, because it sometimes
2722          * involves writing beyond the maximum LBA or to negative LBA (lead-in).
2723          * We might use scsi_block_dma_reqops as long as no writing commands are
2724          * seen, but performance usually isn't paramount on optical media.  So,
2725          * just make scsi-block operate the same as scsi-generic for them.
2726          */
2727         if (s->qdev.type != TYPE_ROM) {
2728             return false;
2729         }
2730         break;
2731 
2732     default:
2733         break;
2734     }
2735 
2736     return true;
2737 }
2738 
2739 
2740 static int32_t scsi_block_dma_command(SCSIRequest *req, uint8_t *buf)
2741 {
2742     SCSIBlockReq *r = (SCSIBlockReq *)req;
2743     r->cmd = req->cmd.buf[0];
2744     switch (r->cmd >> 5) {
2745     case 0:
2746         /* 6-byte CDB.  */
2747         r->cdb1 = r->group_number = 0;
2748         break;
2749     case 1:
2750         /* 10-byte CDB.  */
2751         r->cdb1 = req->cmd.buf[1];
2752         r->group_number = req->cmd.buf[6];
2753         break;
2754     case 4:
2755         /* 12-byte CDB.  */
2756         r->cdb1 = req->cmd.buf[1];
2757         r->group_number = req->cmd.buf[10];
2758         break;
2759     case 5:
2760         /* 16-byte CDB.  */
2761         r->cdb1 = req->cmd.buf[1];
2762         r->group_number = req->cmd.buf[14];
2763         break;
2764     default:
2765         abort();
2766     }
2767 
2768     if (r->cdb1 & 0xe0) {
2769         /* Protection information is not supported.  */
2770         scsi_check_condition(&r->req, SENSE_CODE(INVALID_FIELD));
2771         return 0;
2772     }
2773 
2774     r->req.status = &r->io_header.status;
2775     return scsi_disk_dma_command(req, buf);
2776 }
2777 
2778 static const SCSIReqOps scsi_block_dma_reqops = {
2779     .size         = sizeof(SCSIBlockReq),
2780     .free_req     = scsi_free_request,
2781     .send_command = scsi_block_dma_command,
2782     .read_data    = scsi_read_data,
2783     .write_data   = scsi_write_data,
2784     .get_buf      = scsi_get_buf,
2785     .load_request = scsi_disk_load_request,
2786     .save_request = scsi_disk_save_request,
2787 };
2788 
2789 static SCSIRequest *scsi_block_new_request(SCSIDevice *d, uint32_t tag,
2790                                            uint32_t lun, uint8_t *buf,
2791                                            void *hba_private)
2792 {
2793     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, d);
2794 
2795     if (scsi_block_is_passthrough(s, buf)) {
2796         return scsi_req_alloc(&scsi_generic_req_ops, &s->qdev, tag, lun,
2797                               hba_private);
2798     } else {
2799         return scsi_req_alloc(&scsi_block_dma_reqops, &s->qdev, tag, lun,
2800                               hba_private);
2801     }
2802 }
2803 
2804 static int scsi_block_parse_cdb(SCSIDevice *d, SCSICommand *cmd,
2805                                   uint8_t *buf, void *hba_private)
2806 {
2807     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, d);
2808 
2809     if (scsi_block_is_passthrough(s, buf)) {
2810         return scsi_bus_parse_cdb(&s->qdev, cmd, buf, hba_private);
2811     } else {
2812         return scsi_req_parse_cdb(&s->qdev, cmd, buf);
2813     }
2814 }
2815 
2816 #endif
2817 
2818 static
2819 BlockAIOCB *scsi_dma_readv(int64_t offset, QEMUIOVector *iov,
2820                            BlockCompletionFunc *cb, void *cb_opaque,
2821                            void *opaque)
2822 {
2823     SCSIDiskReq *r = opaque;
2824     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
2825     return blk_aio_preadv(s->qdev.conf.blk, offset, iov, 0, cb, cb_opaque);
2826 }
2827 
2828 static
2829 BlockAIOCB *scsi_dma_writev(int64_t offset, QEMUIOVector *iov,
2830                             BlockCompletionFunc *cb, void *cb_opaque,
2831                             void *opaque)
2832 {
2833     SCSIDiskReq *r = opaque;
2834     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
2835     return blk_aio_pwritev(s->qdev.conf.blk, offset, iov, 0, cb, cb_opaque);
2836 }
2837 
2838 static void scsi_disk_base_class_initfn(ObjectClass *klass, void *data)
2839 {
2840     DeviceClass *dc = DEVICE_CLASS(klass);
2841     SCSIDiskClass *sdc = SCSI_DISK_BASE_CLASS(klass);
2842 
2843     dc->fw_name = "disk";
2844     dc->reset = scsi_disk_reset;
2845     sdc->dma_readv = scsi_dma_readv;
2846     sdc->dma_writev = scsi_dma_writev;
2847     sdc->need_fua_emulation = scsi_is_cmd_fua;
2848 }
2849 
2850 static const TypeInfo scsi_disk_base_info = {
2851     .name          = TYPE_SCSI_DISK_BASE,
2852     .parent        = TYPE_SCSI_DEVICE,
2853     .class_init    = scsi_disk_base_class_initfn,
2854     .instance_size = sizeof(SCSIDiskState),
2855     .class_size    = sizeof(SCSIDiskClass),
2856     .abstract      = true,
2857 };
2858 
2859 #define DEFINE_SCSI_DISK_PROPERTIES()                                \
2860     DEFINE_BLOCK_PROPERTIES(SCSIDiskState, qdev.conf),               \
2861     DEFINE_BLOCK_ERROR_PROPERTIES(SCSIDiskState, qdev.conf),         \
2862     DEFINE_PROP_STRING("ver", SCSIDiskState, version),               \
2863     DEFINE_PROP_STRING("serial", SCSIDiskState, serial),             \
2864     DEFINE_PROP_STRING("vendor", SCSIDiskState, vendor),             \
2865     DEFINE_PROP_STRING("product", SCSIDiskState, product)
2866 
2867 static Property scsi_hd_properties[] = {
2868     DEFINE_SCSI_DISK_PROPERTIES(),
2869     DEFINE_PROP_BIT("removable", SCSIDiskState, features,
2870                     SCSI_DISK_F_REMOVABLE, false),
2871     DEFINE_PROP_BIT("dpofua", SCSIDiskState, features,
2872                     SCSI_DISK_F_DPOFUA, false),
2873     DEFINE_PROP_UINT64("wwn", SCSIDiskState, qdev.wwn, 0),
2874     DEFINE_PROP_UINT64("port_wwn", SCSIDiskState, qdev.port_wwn, 0),
2875     DEFINE_PROP_UINT16("port_index", SCSIDiskState, port_index, 0),
2876     DEFINE_PROP_UINT64("max_unmap_size", SCSIDiskState, max_unmap_size,
2877                        DEFAULT_MAX_UNMAP_SIZE),
2878     DEFINE_PROP_UINT64("max_io_size", SCSIDiskState, max_io_size,
2879                        DEFAULT_MAX_IO_SIZE),
2880     DEFINE_BLOCK_CHS_PROPERTIES(SCSIDiskState, qdev.conf),
2881     DEFINE_PROP_END_OF_LIST(),
2882 };
2883 
2884 static const VMStateDescription vmstate_scsi_disk_state = {
2885     .name = "scsi-disk",
2886     .version_id = 1,
2887     .minimum_version_id = 1,
2888     .fields = (VMStateField[]) {
2889         VMSTATE_SCSI_DEVICE(qdev, SCSIDiskState),
2890         VMSTATE_BOOL(media_changed, SCSIDiskState),
2891         VMSTATE_BOOL(media_event, SCSIDiskState),
2892         VMSTATE_BOOL(eject_request, SCSIDiskState),
2893         VMSTATE_BOOL(tray_open, SCSIDiskState),
2894         VMSTATE_BOOL(tray_locked, SCSIDiskState),
2895         VMSTATE_END_OF_LIST()
2896     }
2897 };
2898 
2899 static void scsi_hd_class_initfn(ObjectClass *klass, void *data)
2900 {
2901     DeviceClass *dc = DEVICE_CLASS(klass);
2902     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
2903 
2904     sc->realize      = scsi_hd_realize;
2905     sc->alloc_req    = scsi_new_request;
2906     sc->unit_attention_reported = scsi_disk_unit_attention_reported;
2907     dc->desc = "virtual SCSI disk";
2908     dc->props = scsi_hd_properties;
2909     dc->vmsd  = &vmstate_scsi_disk_state;
2910 }
2911 
2912 static const TypeInfo scsi_hd_info = {
2913     .name          = "scsi-hd",
2914     .parent        = TYPE_SCSI_DISK_BASE,
2915     .class_init    = scsi_hd_class_initfn,
2916 };
2917 
2918 static Property scsi_cd_properties[] = {
2919     DEFINE_SCSI_DISK_PROPERTIES(),
2920     DEFINE_PROP_UINT64("wwn", SCSIDiskState, qdev.wwn, 0),
2921     DEFINE_PROP_UINT64("port_wwn", SCSIDiskState, qdev.port_wwn, 0),
2922     DEFINE_PROP_UINT16("port_index", SCSIDiskState, port_index, 0),
2923     DEFINE_PROP_UINT64("max_io_size", SCSIDiskState, max_io_size,
2924                        DEFAULT_MAX_IO_SIZE),
2925     DEFINE_PROP_END_OF_LIST(),
2926 };
2927 
2928 static void scsi_cd_class_initfn(ObjectClass *klass, void *data)
2929 {
2930     DeviceClass *dc = DEVICE_CLASS(klass);
2931     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
2932 
2933     sc->realize      = scsi_cd_realize;
2934     sc->alloc_req    = scsi_new_request;
2935     sc->unit_attention_reported = scsi_disk_unit_attention_reported;
2936     dc->desc = "virtual SCSI CD-ROM";
2937     dc->props = scsi_cd_properties;
2938     dc->vmsd  = &vmstate_scsi_disk_state;
2939 }
2940 
2941 static const TypeInfo scsi_cd_info = {
2942     .name          = "scsi-cd",
2943     .parent        = TYPE_SCSI_DISK_BASE,
2944     .class_init    = scsi_cd_class_initfn,
2945 };
2946 
2947 #ifdef __linux__
2948 static Property scsi_block_properties[] = {
2949     DEFINE_PROP_DRIVE("drive", SCSIDiskState, qdev.conf.blk),
2950     DEFINE_PROP_END_OF_LIST(),
2951 };
2952 
2953 static void scsi_block_class_initfn(ObjectClass *klass, void *data)
2954 {
2955     DeviceClass *dc = DEVICE_CLASS(klass);
2956     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
2957     SCSIDiskClass *sdc = SCSI_DISK_BASE_CLASS(klass);
2958 
2959     sc->realize      = scsi_block_realize;
2960     sc->alloc_req    = scsi_block_new_request;
2961     sc->parse_cdb    = scsi_block_parse_cdb;
2962     sdc->dma_readv   = scsi_block_dma_readv;
2963     sdc->dma_writev  = scsi_block_dma_writev;
2964     sdc->need_fua_emulation = scsi_block_no_fua;
2965     dc->desc = "SCSI block device passthrough";
2966     dc->props = scsi_block_properties;
2967     dc->vmsd  = &vmstate_scsi_disk_state;
2968 }
2969 
2970 static const TypeInfo scsi_block_info = {
2971     .name          = "scsi-block",
2972     .parent        = TYPE_SCSI_DISK_BASE,
2973     .class_init    = scsi_block_class_initfn,
2974 };
2975 #endif
2976 
2977 static Property scsi_disk_properties[] = {
2978     DEFINE_SCSI_DISK_PROPERTIES(),
2979     DEFINE_PROP_BIT("removable", SCSIDiskState, features,
2980                     SCSI_DISK_F_REMOVABLE, false),
2981     DEFINE_PROP_BIT("dpofua", SCSIDiskState, features,
2982                     SCSI_DISK_F_DPOFUA, false),
2983     DEFINE_PROP_UINT64("wwn", SCSIDiskState, qdev.wwn, 0),
2984     DEFINE_PROP_UINT64("port_wwn", SCSIDiskState, qdev.port_wwn, 0),
2985     DEFINE_PROP_UINT16("port_index", SCSIDiskState, port_index, 0),
2986     DEFINE_PROP_UINT64("max_unmap_size", SCSIDiskState, max_unmap_size,
2987                        DEFAULT_MAX_UNMAP_SIZE),
2988     DEFINE_PROP_UINT64("max_io_size", SCSIDiskState, max_io_size,
2989                        DEFAULT_MAX_IO_SIZE),
2990     DEFINE_PROP_END_OF_LIST(),
2991 };
2992 
2993 static void scsi_disk_class_initfn(ObjectClass *klass, void *data)
2994 {
2995     DeviceClass *dc = DEVICE_CLASS(klass);
2996     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
2997 
2998     sc->realize      = scsi_disk_realize;
2999     sc->alloc_req    = scsi_new_request;
3000     sc->unit_attention_reported = scsi_disk_unit_attention_reported;
3001     dc->fw_name = "disk";
3002     dc->desc = "virtual SCSI disk or CD-ROM (legacy)";
3003     dc->reset = scsi_disk_reset;
3004     dc->props = scsi_disk_properties;
3005     dc->vmsd  = &vmstate_scsi_disk_state;
3006 }
3007 
3008 static const TypeInfo scsi_disk_info = {
3009     .name          = "scsi-disk",
3010     .parent        = TYPE_SCSI_DISK_BASE,
3011     .class_init    = scsi_disk_class_initfn,
3012 };
3013 
3014 static void scsi_disk_register_types(void)
3015 {
3016     type_register_static(&scsi_disk_base_info);
3017     type_register_static(&scsi_hd_info);
3018     type_register_static(&scsi_cd_info);
3019 #ifdef __linux__
3020     type_register_static(&scsi_block_info);
3021 #endif
3022     type_register_static(&scsi_disk_info);
3023 }
3024 
3025 type_init(scsi_disk_register_types)
3026