xref: /openbmc/qemu/hw/scsi/scsi-disk.c (revision 77a8257e)
1 /*
2  * SCSI Device emulation
3  *
4  * Copyright (c) 2006 CodeSourcery.
5  * Based on code by Fabrice Bellard
6  *
7  * Written by Paul Brook
8  * Modifications:
9  *  2009-Dec-12 Artyom Tarasenko : implemented stamdard inquiry for the case
10  *                                 when the allocation length of CDB is smaller
11  *                                 than 36.
12  *  2009-Oct-13 Artyom Tarasenko : implemented the block descriptor in the
13  *                                 MODE SENSE response.
14  *
15  * This code is licensed under the LGPL.
16  *
17  * Note that this file only handles the SCSI architecture model and device
18  * commands.  Emulation of interface/link layer protocols is handled by
19  * the host adapter emulator.
20  */
21 
22 //#define DEBUG_SCSI
23 
24 #ifdef DEBUG_SCSI
25 #define DPRINTF(fmt, ...) \
26 do { printf("scsi-disk: " fmt , ## __VA_ARGS__); } while (0)
27 #else
28 #define DPRINTF(fmt, ...) do {} while(0)
29 #endif
30 
31 #include "qemu-common.h"
32 #include "qemu/error-report.h"
33 #include "hw/scsi/scsi.h"
34 #include "block/scsi.h"
35 #include "sysemu/sysemu.h"
36 #include "sysemu/block-backend.h"
37 #include "sysemu/blockdev.h"
38 #include "hw/block/block.h"
39 #include "sysemu/dma.h"
40 
41 #ifdef __linux
42 #include <scsi/sg.h>
43 #endif
44 
45 #define SCSI_WRITE_SAME_MAX         524288
46 #define SCSI_DMA_BUF_SIZE           131072
47 #define SCSI_MAX_INQUIRY_LEN        256
48 #define SCSI_MAX_MODE_LEN           256
49 
50 #define DEFAULT_DISCARD_GRANULARITY 4096
51 #define DEFAULT_MAX_UNMAP_SIZE      (1 << 30)   /* 1 GB */
52 #define DEFAULT_MAX_IO_SIZE         INT_MAX     /* 2 GB - 1 block */
53 
54 typedef struct SCSIDiskState SCSIDiskState;
55 
56 typedef struct SCSIDiskReq {
57     SCSIRequest req;
58     /* Both sector and sector_count are in terms of qemu 512 byte blocks.  */
59     uint64_t sector;
60     uint32_t sector_count;
61     uint32_t buflen;
62     bool started;
63     struct iovec iov;
64     QEMUIOVector qiov;
65     BlockAcctCookie acct;
66 } SCSIDiskReq;
67 
68 #define SCSI_DISK_F_REMOVABLE             0
69 #define SCSI_DISK_F_DPOFUA                1
70 #define SCSI_DISK_F_NO_REMOVABLE_DEVOPS   2
71 
72 struct SCSIDiskState
73 {
74     SCSIDevice qdev;
75     uint32_t features;
76     bool media_changed;
77     bool media_event;
78     bool eject_request;
79     uint64_t wwn;
80     uint64_t port_wwn;
81     uint16_t port_index;
82     uint64_t max_unmap_size;
83     uint64_t max_io_size;
84     QEMUBH *bh;
85     char *version;
86     char *serial;
87     char *vendor;
88     char *product;
89     bool tray_open;
90     bool tray_locked;
91 };
92 
93 static int scsi_handle_rw_error(SCSIDiskReq *r, int error);
94 
95 static void scsi_free_request(SCSIRequest *req)
96 {
97     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
98 
99     qemu_vfree(r->iov.iov_base);
100 }
101 
102 /* Helper function for command completion with sense.  */
103 static void scsi_check_condition(SCSIDiskReq *r, SCSISense sense)
104 {
105     DPRINTF("Command complete tag=0x%x sense=%d/%d/%d\n",
106             r->req.tag, sense.key, sense.asc, sense.ascq);
107     scsi_req_build_sense(&r->req, sense);
108     scsi_req_complete(&r->req, CHECK_CONDITION);
109 }
110 
111 static uint32_t scsi_init_iovec(SCSIDiskReq *r, size_t size)
112 {
113     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
114 
115     if (!r->iov.iov_base) {
116         r->buflen = size;
117         r->iov.iov_base = blk_blockalign(s->qdev.conf.blk, r->buflen);
118     }
119     r->iov.iov_len = MIN(r->sector_count * 512, r->buflen);
120     qemu_iovec_init_external(&r->qiov, &r->iov, 1);
121     return r->qiov.size / 512;
122 }
123 
124 static void scsi_disk_save_request(QEMUFile *f, SCSIRequest *req)
125 {
126     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
127 
128     qemu_put_be64s(f, &r->sector);
129     qemu_put_be32s(f, &r->sector_count);
130     qemu_put_be32s(f, &r->buflen);
131     if (r->buflen) {
132         if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
133             qemu_put_buffer(f, r->iov.iov_base, r->iov.iov_len);
134         } else if (!req->retry) {
135             uint32_t len = r->iov.iov_len;
136             qemu_put_be32s(f, &len);
137             qemu_put_buffer(f, r->iov.iov_base, r->iov.iov_len);
138         }
139     }
140 }
141 
142 static void scsi_disk_load_request(QEMUFile *f, SCSIRequest *req)
143 {
144     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
145 
146     qemu_get_be64s(f, &r->sector);
147     qemu_get_be32s(f, &r->sector_count);
148     qemu_get_be32s(f, &r->buflen);
149     if (r->buflen) {
150         scsi_init_iovec(r, r->buflen);
151         if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
152             qemu_get_buffer(f, r->iov.iov_base, r->iov.iov_len);
153         } else if (!r->req.retry) {
154             uint32_t len;
155             qemu_get_be32s(f, &len);
156             r->iov.iov_len = len;
157             assert(r->iov.iov_len <= r->buflen);
158             qemu_get_buffer(f, r->iov.iov_base, r->iov.iov_len);
159         }
160     }
161 
162     qemu_iovec_init_external(&r->qiov, &r->iov, 1);
163 }
164 
165 static void scsi_aio_complete(void *opaque, int ret)
166 {
167     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
168     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
169 
170     assert(r->req.aiocb != NULL);
171     r->req.aiocb = NULL;
172     block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
173     if (r->req.io_canceled) {
174         scsi_req_cancel_complete(&r->req);
175         goto done;
176     }
177 
178     if (ret < 0) {
179         if (scsi_handle_rw_error(r, -ret)) {
180             goto done;
181         }
182     }
183 
184     scsi_req_complete(&r->req, GOOD);
185 
186 done:
187     scsi_req_unref(&r->req);
188 }
189 
190 static bool scsi_is_cmd_fua(SCSICommand *cmd)
191 {
192     switch (cmd->buf[0]) {
193     case READ_10:
194     case READ_12:
195     case READ_16:
196     case WRITE_10:
197     case WRITE_12:
198     case WRITE_16:
199         return (cmd->buf[1] & 8) != 0;
200 
201     case VERIFY_10:
202     case VERIFY_12:
203     case VERIFY_16:
204     case WRITE_VERIFY_10:
205     case WRITE_VERIFY_12:
206     case WRITE_VERIFY_16:
207         return true;
208 
209     case READ_6:
210     case WRITE_6:
211     default:
212         return false;
213     }
214 }
215 
216 static void scsi_write_do_fua(SCSIDiskReq *r)
217 {
218     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
219 
220     if (r->req.io_canceled) {
221         scsi_req_cancel_complete(&r->req);
222         goto done;
223     }
224 
225     if (scsi_is_cmd_fua(&r->req.cmd)) {
226         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct, 0,
227                          BLOCK_ACCT_FLUSH);
228         r->req.aiocb = blk_aio_flush(s->qdev.conf.blk, scsi_aio_complete, r);
229         return;
230     }
231 
232     scsi_req_complete(&r->req, GOOD);
233 
234 done:
235     scsi_req_unref(&r->req);
236 }
237 
238 static void scsi_dma_complete_noio(void *opaque, int ret)
239 {
240     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
241     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
242 
243     if (r->req.aiocb != NULL) {
244         r->req.aiocb = NULL;
245         block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
246     }
247     if (r->req.io_canceled) {
248         scsi_req_cancel_complete(&r->req);
249         goto done;
250     }
251 
252     if (ret < 0) {
253         if (scsi_handle_rw_error(r, -ret)) {
254             goto done;
255         }
256     }
257 
258     r->sector += r->sector_count;
259     r->sector_count = 0;
260     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
261         scsi_write_do_fua(r);
262         return;
263     } else {
264         scsi_req_complete(&r->req, GOOD);
265     }
266 
267 done:
268     scsi_req_unref(&r->req);
269 }
270 
271 static void scsi_dma_complete(void *opaque, int ret)
272 {
273     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
274 
275     assert(r->req.aiocb != NULL);
276     scsi_dma_complete_noio(opaque, ret);
277 }
278 
279 static void scsi_read_complete(void * opaque, int ret)
280 {
281     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
282     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
283     int n;
284 
285     assert(r->req.aiocb != NULL);
286     r->req.aiocb = NULL;
287     block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
288     if (r->req.io_canceled) {
289         scsi_req_cancel_complete(&r->req);
290         goto done;
291     }
292 
293     if (ret < 0) {
294         if (scsi_handle_rw_error(r, -ret)) {
295             goto done;
296         }
297     }
298 
299     DPRINTF("Data ready tag=0x%x len=%zd\n", r->req.tag, r->qiov.size);
300 
301     n = r->qiov.size / 512;
302     r->sector += n;
303     r->sector_count -= n;
304     scsi_req_data(&r->req, r->qiov.size);
305 
306 done:
307     scsi_req_unref(&r->req);
308 }
309 
310 /* Actually issue a read to the block device.  */
311 static void scsi_do_read(void *opaque, int ret)
312 {
313     SCSIDiskReq *r = opaque;
314     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
315     uint32_t n;
316 
317     if (r->req.aiocb != NULL) {
318         r->req.aiocb = NULL;
319         block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
320     }
321     if (r->req.io_canceled) {
322         scsi_req_cancel_complete(&r->req);
323         goto done;
324     }
325 
326     if (ret < 0) {
327         if (scsi_handle_rw_error(r, -ret)) {
328             goto done;
329         }
330     }
331 
332     /* The request is used as the AIO opaque value, so add a ref.  */
333     scsi_req_ref(&r->req);
334 
335     if (r->req.sg) {
336         dma_acct_start(s->qdev.conf.blk, &r->acct, r->req.sg, BLOCK_ACCT_READ);
337         r->req.resid -= r->req.sg->size;
338         r->req.aiocb = dma_blk_read(s->qdev.conf.blk, r->req.sg, r->sector,
339                                     scsi_dma_complete, r);
340     } else {
341         n = scsi_init_iovec(r, SCSI_DMA_BUF_SIZE);
342         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
343                          n * BDRV_SECTOR_SIZE, BLOCK_ACCT_READ);
344         r->req.aiocb = blk_aio_readv(s->qdev.conf.blk, r->sector, &r->qiov, n,
345                                      scsi_read_complete, r);
346     }
347 
348 done:
349     scsi_req_unref(&r->req);
350 }
351 
352 /* Read more data from scsi device into buffer.  */
353 static void scsi_read_data(SCSIRequest *req)
354 {
355     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
356     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
357     bool first;
358 
359     DPRINTF("Read sector_count=%d\n", r->sector_count);
360     if (r->sector_count == 0) {
361         /* This also clears the sense buffer for REQUEST SENSE.  */
362         scsi_req_complete(&r->req, GOOD);
363         return;
364     }
365 
366     /* No data transfer may already be in progress */
367     assert(r->req.aiocb == NULL);
368 
369     /* The request is used as the AIO opaque value, so add a ref.  */
370     scsi_req_ref(&r->req);
371     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
372         DPRINTF("Data transfer direction invalid\n");
373         scsi_read_complete(r, -EINVAL);
374         return;
375     }
376 
377     if (s->tray_open) {
378         scsi_read_complete(r, -ENOMEDIUM);
379         return;
380     }
381 
382     first = !r->started;
383     r->started = true;
384     if (first && scsi_is_cmd_fua(&r->req.cmd)) {
385         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct, 0,
386                          BLOCK_ACCT_FLUSH);
387         r->req.aiocb = blk_aio_flush(s->qdev.conf.blk, scsi_do_read, r);
388     } else {
389         scsi_do_read(r, 0);
390     }
391 }
392 
393 /*
394  * scsi_handle_rw_error has two return values.  0 means that the error
395  * must be ignored, 1 means that the error has been processed and the
396  * caller should not do anything else for this request.  Note that
397  * scsi_handle_rw_error always manages its reference counts, independent
398  * of the return value.
399  */
400 static int scsi_handle_rw_error(SCSIDiskReq *r, int error)
401 {
402     bool is_read = (r->req.cmd.xfer == SCSI_XFER_FROM_DEV);
403     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
404     BlockErrorAction action = blk_get_error_action(s->qdev.conf.blk,
405                                                    is_read, error);
406 
407     if (action == BLOCK_ERROR_ACTION_REPORT) {
408         switch (error) {
409         case ENOMEDIUM:
410             scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
411             break;
412         case ENOMEM:
413             scsi_check_condition(r, SENSE_CODE(TARGET_FAILURE));
414             break;
415         case EINVAL:
416             scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
417             break;
418         case ENOSPC:
419             scsi_check_condition(r, SENSE_CODE(SPACE_ALLOC_FAILED));
420             break;
421         default:
422             scsi_check_condition(r, SENSE_CODE(IO_ERROR));
423             break;
424         }
425     }
426     blk_error_action(s->qdev.conf.blk, action, is_read, error);
427     if (action == BLOCK_ERROR_ACTION_STOP) {
428         scsi_req_retry(&r->req);
429     }
430     return action != BLOCK_ERROR_ACTION_IGNORE;
431 }
432 
433 static void scsi_write_complete(void * opaque, int ret)
434 {
435     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
436     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
437     uint32_t n;
438 
439     if (r->req.aiocb != NULL) {
440         r->req.aiocb = NULL;
441         block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
442     }
443     if (r->req.io_canceled) {
444         scsi_req_cancel_complete(&r->req);
445         goto done;
446     }
447 
448     if (ret < 0) {
449         if (scsi_handle_rw_error(r, -ret)) {
450             goto done;
451         }
452     }
453 
454     n = r->qiov.size / 512;
455     r->sector += n;
456     r->sector_count -= n;
457     if (r->sector_count == 0) {
458         scsi_write_do_fua(r);
459         return;
460     } else {
461         scsi_init_iovec(r, SCSI_DMA_BUF_SIZE);
462         DPRINTF("Write complete tag=0x%x more=%zd\n", r->req.tag, r->qiov.size);
463         scsi_req_data(&r->req, r->qiov.size);
464     }
465 
466 done:
467     scsi_req_unref(&r->req);
468 }
469 
470 static void scsi_write_data(SCSIRequest *req)
471 {
472     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
473     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
474     uint32_t n;
475 
476     /* No data transfer may already be in progress */
477     assert(r->req.aiocb == NULL);
478 
479     /* The request is used as the AIO opaque value, so add a ref.  */
480     scsi_req_ref(&r->req);
481     if (r->req.cmd.mode != SCSI_XFER_TO_DEV) {
482         DPRINTF("Data transfer direction invalid\n");
483         scsi_write_complete(r, -EINVAL);
484         return;
485     }
486 
487     if (!r->req.sg && !r->qiov.size) {
488         /* Called for the first time.  Ask the driver to send us more data.  */
489         r->started = true;
490         scsi_write_complete(r, 0);
491         return;
492     }
493     if (s->tray_open) {
494         scsi_write_complete(r, -ENOMEDIUM);
495         return;
496     }
497 
498     if (r->req.cmd.buf[0] == VERIFY_10 || r->req.cmd.buf[0] == VERIFY_12 ||
499         r->req.cmd.buf[0] == VERIFY_16) {
500         if (r->req.sg) {
501             scsi_dma_complete_noio(r, 0);
502         } else {
503             scsi_write_complete(r, 0);
504         }
505         return;
506     }
507 
508     if (r->req.sg) {
509         dma_acct_start(s->qdev.conf.blk, &r->acct, r->req.sg, BLOCK_ACCT_WRITE);
510         r->req.resid -= r->req.sg->size;
511         r->req.aiocb = dma_blk_write(s->qdev.conf.blk, r->req.sg, r->sector,
512                                      scsi_dma_complete, r);
513     } else {
514         n = r->qiov.size / 512;
515         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
516                          n * BDRV_SECTOR_SIZE, BLOCK_ACCT_WRITE);
517         r->req.aiocb = blk_aio_writev(s->qdev.conf.blk, r->sector, &r->qiov, n,
518                                       scsi_write_complete, r);
519     }
520 }
521 
522 /* Return a pointer to the data buffer.  */
523 static uint8_t *scsi_get_buf(SCSIRequest *req)
524 {
525     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
526 
527     return (uint8_t *)r->iov.iov_base;
528 }
529 
530 static int scsi_disk_emulate_inquiry(SCSIRequest *req, uint8_t *outbuf)
531 {
532     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
533     int buflen = 0;
534     int start;
535 
536     if (req->cmd.buf[1] & 0x1) {
537         /* Vital product data */
538         uint8_t page_code = req->cmd.buf[2];
539 
540         outbuf[buflen++] = s->qdev.type & 0x1f;
541         outbuf[buflen++] = page_code ; // this page
542         outbuf[buflen++] = 0x00;
543         outbuf[buflen++] = 0x00;
544         start = buflen;
545 
546         switch (page_code) {
547         case 0x00: /* Supported page codes, mandatory */
548         {
549             DPRINTF("Inquiry EVPD[Supported pages] "
550                     "buffer size %zd\n", req->cmd.xfer);
551             outbuf[buflen++] = 0x00; // list of supported pages (this page)
552             if (s->serial) {
553                 outbuf[buflen++] = 0x80; // unit serial number
554             }
555             outbuf[buflen++] = 0x83; // device identification
556             if (s->qdev.type == TYPE_DISK) {
557                 outbuf[buflen++] = 0xb0; // block limits
558                 outbuf[buflen++] = 0xb2; // thin provisioning
559             }
560             break;
561         }
562         case 0x80: /* Device serial number, optional */
563         {
564             int l;
565 
566             if (!s->serial) {
567                 DPRINTF("Inquiry (EVPD[Serial number] not supported\n");
568                 return -1;
569             }
570 
571             l = strlen(s->serial);
572             if (l > 20) {
573                 l = 20;
574             }
575 
576             DPRINTF("Inquiry EVPD[Serial number] "
577                     "buffer size %zd\n", req->cmd.xfer);
578             memcpy(outbuf+buflen, s->serial, l);
579             buflen += l;
580             break;
581         }
582 
583         case 0x83: /* Device identification page, mandatory */
584         {
585             const char *str = s->serial ?: blk_name(s->qdev.conf.blk);
586             int max_len = s->serial ? 20 : 255 - 8;
587             int id_len = strlen(str);
588 
589             if (id_len > max_len) {
590                 id_len = max_len;
591             }
592             DPRINTF("Inquiry EVPD[Device identification] "
593                     "buffer size %zd\n", req->cmd.xfer);
594 
595             outbuf[buflen++] = 0x2; // ASCII
596             outbuf[buflen++] = 0;   // not officially assigned
597             outbuf[buflen++] = 0;   // reserved
598             outbuf[buflen++] = id_len; // length of data following
599             memcpy(outbuf+buflen, str, id_len);
600             buflen += id_len;
601 
602             if (s->wwn) {
603                 outbuf[buflen++] = 0x1; // Binary
604                 outbuf[buflen++] = 0x3; // NAA
605                 outbuf[buflen++] = 0;   // reserved
606                 outbuf[buflen++] = 8;
607                 stq_be_p(&outbuf[buflen], s->wwn);
608                 buflen += 8;
609             }
610 
611             if (s->port_wwn) {
612                 outbuf[buflen++] = 0x61; // SAS / Binary
613                 outbuf[buflen++] = 0x93; // PIV / Target port / NAA
614                 outbuf[buflen++] = 0;    // reserved
615                 outbuf[buflen++] = 8;
616                 stq_be_p(&outbuf[buflen], s->port_wwn);
617                 buflen += 8;
618             }
619 
620             if (s->port_index) {
621                 outbuf[buflen++] = 0x61; // SAS / Binary
622                 outbuf[buflen++] = 0x94; // PIV / Target port / relative target port
623                 outbuf[buflen++] = 0;    // reserved
624                 outbuf[buflen++] = 4;
625                 stw_be_p(&outbuf[buflen + 2], s->port_index);
626                 buflen += 4;
627             }
628             break;
629         }
630         case 0xb0: /* block limits */
631         {
632             unsigned int unmap_sectors =
633                     s->qdev.conf.discard_granularity / s->qdev.blocksize;
634             unsigned int min_io_size =
635                     s->qdev.conf.min_io_size / s->qdev.blocksize;
636             unsigned int opt_io_size =
637                     s->qdev.conf.opt_io_size / s->qdev.blocksize;
638             unsigned int max_unmap_sectors =
639                     s->max_unmap_size / s->qdev.blocksize;
640             unsigned int max_io_sectors =
641                     s->max_io_size / s->qdev.blocksize;
642 
643             if (s->qdev.type == TYPE_ROM) {
644                 DPRINTF("Inquiry (EVPD[%02X] not supported for CDROM\n",
645                         page_code);
646                 return -1;
647             }
648             /* required VPD size with unmap support */
649             buflen = 0x40;
650             memset(outbuf + 4, 0, buflen - 4);
651 
652             outbuf[4] = 0x1; /* wsnz */
653 
654             /* optimal transfer length granularity */
655             outbuf[6] = (min_io_size >> 8) & 0xff;
656             outbuf[7] = min_io_size & 0xff;
657 
658             /* maximum transfer length */
659             outbuf[8] = (max_io_sectors >> 24) & 0xff;
660             outbuf[9] = (max_io_sectors >> 16) & 0xff;
661             outbuf[10] = (max_io_sectors >> 8) & 0xff;
662             outbuf[11] = max_io_sectors & 0xff;
663 
664             /* optimal transfer length */
665             outbuf[12] = (opt_io_size >> 24) & 0xff;
666             outbuf[13] = (opt_io_size >> 16) & 0xff;
667             outbuf[14] = (opt_io_size >> 8) & 0xff;
668             outbuf[15] = opt_io_size & 0xff;
669 
670             /* max unmap LBA count, default is 1GB */
671             outbuf[20] = (max_unmap_sectors >> 24) & 0xff;
672             outbuf[21] = (max_unmap_sectors >> 16) & 0xff;
673             outbuf[22] = (max_unmap_sectors >> 8) & 0xff;
674             outbuf[23] = max_unmap_sectors & 0xff;
675 
676             /* max unmap descriptors, 255 fit in 4 kb with an 8-byte header.  */
677             outbuf[24] = 0;
678             outbuf[25] = 0;
679             outbuf[26] = 0;
680             outbuf[27] = 255;
681 
682             /* optimal unmap granularity */
683             outbuf[28] = (unmap_sectors >> 24) & 0xff;
684             outbuf[29] = (unmap_sectors >> 16) & 0xff;
685             outbuf[30] = (unmap_sectors >> 8) & 0xff;
686             outbuf[31] = unmap_sectors & 0xff;
687 
688             /* max write same size */
689             outbuf[36] = 0;
690             outbuf[37] = 0;
691             outbuf[38] = 0;
692             outbuf[39] = 0;
693 
694             outbuf[40] = (max_io_sectors >> 24) & 0xff;
695             outbuf[41] = (max_io_sectors >> 16) & 0xff;
696             outbuf[42] = (max_io_sectors >> 8) & 0xff;
697             outbuf[43] = max_io_sectors & 0xff;
698             break;
699         }
700         case 0xb2: /* thin provisioning */
701         {
702             buflen = 8;
703             outbuf[4] = 0;
704             outbuf[5] = 0xe0; /* unmap & write_same 10/16 all supported */
705             outbuf[6] = s->qdev.conf.discard_granularity ? 2 : 1;
706             outbuf[7] = 0;
707             break;
708         }
709         default:
710             return -1;
711         }
712         /* done with EVPD */
713         assert(buflen - start <= 255);
714         outbuf[start - 1] = buflen - start;
715         return buflen;
716     }
717 
718     /* Standard INQUIRY data */
719     if (req->cmd.buf[2] != 0) {
720         return -1;
721     }
722 
723     /* PAGE CODE == 0 */
724     buflen = req->cmd.xfer;
725     if (buflen > SCSI_MAX_INQUIRY_LEN) {
726         buflen = SCSI_MAX_INQUIRY_LEN;
727     }
728 
729     outbuf[0] = s->qdev.type & 0x1f;
730     outbuf[1] = (s->features & (1 << SCSI_DISK_F_REMOVABLE)) ? 0x80 : 0;
731 
732     strpadcpy((char *) &outbuf[16], 16, s->product, ' ');
733     strpadcpy((char *) &outbuf[8], 8, s->vendor, ' ');
734 
735     memset(&outbuf[32], 0, 4);
736     memcpy(&outbuf[32], s->version, MIN(4, strlen(s->version)));
737     /*
738      * We claim conformance to SPC-3, which is required for guests
739      * to ask for modern features like READ CAPACITY(16) or the
740      * block characteristics VPD page by default.  Not all of SPC-3
741      * is actually implemented, but we're good enough.
742      */
743     outbuf[2] = 5;
744     outbuf[3] = 2 | 0x10; /* Format 2, HiSup */
745 
746     if (buflen > 36) {
747         outbuf[4] = buflen - 5; /* Additional Length = (Len - 1) - 4 */
748     } else {
749         /* If the allocation length of CDB is too small,
750                the additional length is not adjusted */
751         outbuf[4] = 36 - 5;
752     }
753 
754     /* Sync data transfer and TCQ.  */
755     outbuf[7] = 0x10 | (req->bus->info->tcq ? 0x02 : 0);
756     return buflen;
757 }
758 
759 static inline bool media_is_dvd(SCSIDiskState *s)
760 {
761     uint64_t nb_sectors;
762     if (s->qdev.type != TYPE_ROM) {
763         return false;
764     }
765     if (!blk_is_inserted(s->qdev.conf.blk)) {
766         return false;
767     }
768     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
769     return nb_sectors > CD_MAX_SECTORS;
770 }
771 
772 static inline bool media_is_cd(SCSIDiskState *s)
773 {
774     uint64_t nb_sectors;
775     if (s->qdev.type != TYPE_ROM) {
776         return false;
777     }
778     if (!blk_is_inserted(s->qdev.conf.blk)) {
779         return false;
780     }
781     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
782     return nb_sectors <= CD_MAX_SECTORS;
783 }
784 
785 static int scsi_read_disc_information(SCSIDiskState *s, SCSIDiskReq *r,
786                                       uint8_t *outbuf)
787 {
788     uint8_t type = r->req.cmd.buf[1] & 7;
789 
790     if (s->qdev.type != TYPE_ROM) {
791         return -1;
792     }
793 
794     /* Types 1/2 are only defined for Blu-Ray.  */
795     if (type != 0) {
796         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
797         return -1;
798     }
799 
800     memset(outbuf, 0, 34);
801     outbuf[1] = 32;
802     outbuf[2] = 0xe; /* last session complete, disc finalized */
803     outbuf[3] = 1;   /* first track on disc */
804     outbuf[4] = 1;   /* # of sessions */
805     outbuf[5] = 1;   /* first track of last session */
806     outbuf[6] = 1;   /* last track of last session */
807     outbuf[7] = 0x20; /* unrestricted use */
808     outbuf[8] = 0x00; /* CD-ROM or DVD-ROM */
809     /* 9-10-11: most significant byte corresponding bytes 4-5-6 */
810     /* 12-23: not meaningful for CD-ROM or DVD-ROM */
811     /* 24-31: disc bar code */
812     /* 32: disc application code */
813     /* 33: number of OPC tables */
814 
815     return 34;
816 }
817 
818 static int scsi_read_dvd_structure(SCSIDiskState *s, SCSIDiskReq *r,
819                                    uint8_t *outbuf)
820 {
821     static const int rds_caps_size[5] = {
822         [0] = 2048 + 4,
823         [1] = 4 + 4,
824         [3] = 188 + 4,
825         [4] = 2048 + 4,
826     };
827 
828     uint8_t media = r->req.cmd.buf[1];
829     uint8_t layer = r->req.cmd.buf[6];
830     uint8_t format = r->req.cmd.buf[7];
831     int size = -1;
832 
833     if (s->qdev.type != TYPE_ROM) {
834         return -1;
835     }
836     if (media != 0) {
837         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
838         return -1;
839     }
840 
841     if (format != 0xff) {
842         if (s->tray_open || !blk_is_inserted(s->qdev.conf.blk)) {
843             scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
844             return -1;
845         }
846         if (media_is_cd(s)) {
847             scsi_check_condition(r, SENSE_CODE(INCOMPATIBLE_FORMAT));
848             return -1;
849         }
850         if (format >= ARRAY_SIZE(rds_caps_size)) {
851             return -1;
852         }
853         size = rds_caps_size[format];
854         memset(outbuf, 0, size);
855     }
856 
857     switch (format) {
858     case 0x00: {
859         /* Physical format information */
860         uint64_t nb_sectors;
861         if (layer != 0) {
862             goto fail;
863         }
864         blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
865 
866         outbuf[4] = 1;   /* DVD-ROM, part version 1 */
867         outbuf[5] = 0xf; /* 120mm disc, minimum rate unspecified */
868         outbuf[6] = 1;   /* one layer, read-only (per MMC-2 spec) */
869         outbuf[7] = 0;   /* default densities */
870 
871         stl_be_p(&outbuf[12], (nb_sectors >> 2) - 1); /* end sector */
872         stl_be_p(&outbuf[16], (nb_sectors >> 2) - 1); /* l0 end sector */
873         break;
874     }
875 
876     case 0x01: /* DVD copyright information, all zeros */
877         break;
878 
879     case 0x03: /* BCA information - invalid field for no BCA info */
880         return -1;
881 
882     case 0x04: /* DVD disc manufacturing information, all zeros */
883         break;
884 
885     case 0xff: { /* List capabilities */
886         int i;
887         size = 4;
888         for (i = 0; i < ARRAY_SIZE(rds_caps_size); i++) {
889             if (!rds_caps_size[i]) {
890                 continue;
891             }
892             outbuf[size] = i;
893             outbuf[size + 1] = 0x40; /* Not writable, readable */
894             stw_be_p(&outbuf[size + 2], rds_caps_size[i]);
895             size += 4;
896         }
897         break;
898      }
899 
900     default:
901         return -1;
902     }
903 
904     /* Size of buffer, not including 2 byte size field */
905     stw_be_p(outbuf, size - 2);
906     return size;
907 
908 fail:
909     return -1;
910 }
911 
912 static int scsi_event_status_media(SCSIDiskState *s, uint8_t *outbuf)
913 {
914     uint8_t event_code, media_status;
915 
916     media_status = 0;
917     if (s->tray_open) {
918         media_status = MS_TRAY_OPEN;
919     } else if (blk_is_inserted(s->qdev.conf.blk)) {
920         media_status = MS_MEDIA_PRESENT;
921     }
922 
923     /* Event notification descriptor */
924     event_code = MEC_NO_CHANGE;
925     if (media_status != MS_TRAY_OPEN) {
926         if (s->media_event) {
927             event_code = MEC_NEW_MEDIA;
928             s->media_event = false;
929         } else if (s->eject_request) {
930             event_code = MEC_EJECT_REQUESTED;
931             s->eject_request = false;
932         }
933     }
934 
935     outbuf[0] = event_code;
936     outbuf[1] = media_status;
937 
938     /* These fields are reserved, just clear them. */
939     outbuf[2] = 0;
940     outbuf[3] = 0;
941     return 4;
942 }
943 
944 static int scsi_get_event_status_notification(SCSIDiskState *s, SCSIDiskReq *r,
945                                               uint8_t *outbuf)
946 {
947     int size;
948     uint8_t *buf = r->req.cmd.buf;
949     uint8_t notification_class_request = buf[4];
950     if (s->qdev.type != TYPE_ROM) {
951         return -1;
952     }
953     if ((buf[1] & 1) == 0) {
954         /* asynchronous */
955         return -1;
956     }
957 
958     size = 4;
959     outbuf[0] = outbuf[1] = 0;
960     outbuf[3] = 1 << GESN_MEDIA; /* supported events */
961     if (notification_class_request & (1 << GESN_MEDIA)) {
962         outbuf[2] = GESN_MEDIA;
963         size += scsi_event_status_media(s, &outbuf[size]);
964     } else {
965         outbuf[2] = 0x80;
966     }
967     stw_be_p(outbuf, size - 4);
968     return size;
969 }
970 
971 static int scsi_get_configuration(SCSIDiskState *s, uint8_t *outbuf)
972 {
973     int current;
974 
975     if (s->qdev.type != TYPE_ROM) {
976         return -1;
977     }
978     current = media_is_dvd(s) ? MMC_PROFILE_DVD_ROM : MMC_PROFILE_CD_ROM;
979     memset(outbuf, 0, 40);
980     stl_be_p(&outbuf[0], 36); /* Bytes after the data length field */
981     stw_be_p(&outbuf[6], current);
982     /* outbuf[8] - outbuf[19]: Feature 0 - Profile list */
983     outbuf[10] = 0x03; /* persistent, current */
984     outbuf[11] = 8; /* two profiles */
985     stw_be_p(&outbuf[12], MMC_PROFILE_DVD_ROM);
986     outbuf[14] = (current == MMC_PROFILE_DVD_ROM);
987     stw_be_p(&outbuf[16], MMC_PROFILE_CD_ROM);
988     outbuf[18] = (current == MMC_PROFILE_CD_ROM);
989     /* outbuf[20] - outbuf[31]: Feature 1 - Core feature */
990     stw_be_p(&outbuf[20], 1);
991     outbuf[22] = 0x08 | 0x03; /* version 2, persistent, current */
992     outbuf[23] = 8;
993     stl_be_p(&outbuf[24], 1); /* SCSI */
994     outbuf[28] = 1; /* DBE = 1, mandatory */
995     /* outbuf[32] - outbuf[39]: Feature 3 - Removable media feature */
996     stw_be_p(&outbuf[32], 3);
997     outbuf[34] = 0x08 | 0x03; /* version 2, persistent, current */
998     outbuf[35] = 4;
999     outbuf[36] = 0x39; /* tray, load=1, eject=1, unlocked at powerup, lock=1 */
1000     /* TODO: Random readable, CD read, DVD read, drive serial number,
1001        power management */
1002     return 40;
1003 }
1004 
1005 static int scsi_emulate_mechanism_status(SCSIDiskState *s, uint8_t *outbuf)
1006 {
1007     if (s->qdev.type != TYPE_ROM) {
1008         return -1;
1009     }
1010     memset(outbuf, 0, 8);
1011     outbuf[5] = 1; /* CD-ROM */
1012     return 8;
1013 }
1014 
1015 static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf,
1016                            int page_control)
1017 {
1018     static const int mode_sense_valid[0x3f] = {
1019         [MODE_PAGE_HD_GEOMETRY]            = (1 << TYPE_DISK),
1020         [MODE_PAGE_FLEXIBLE_DISK_GEOMETRY] = (1 << TYPE_DISK),
1021         [MODE_PAGE_CACHING]                = (1 << TYPE_DISK) | (1 << TYPE_ROM),
1022         [MODE_PAGE_R_W_ERROR]              = (1 << TYPE_DISK) | (1 << TYPE_ROM),
1023         [MODE_PAGE_AUDIO_CTL]              = (1 << TYPE_ROM),
1024         [MODE_PAGE_CAPABILITIES]           = (1 << TYPE_ROM),
1025     };
1026 
1027     uint8_t *p = *p_outbuf + 2;
1028     int length;
1029 
1030     if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) {
1031         return -1;
1032     }
1033 
1034     /*
1035      * If Changeable Values are requested, a mask denoting those mode parameters
1036      * that are changeable shall be returned. As we currently don't support
1037      * parameter changes via MODE_SELECT all bits are returned set to zero.
1038      * The buffer was already menset to zero by the caller of this function.
1039      *
1040      * The offsets here are off by two compared to the descriptions in the
1041      * SCSI specs, because those include a 2-byte header.  This is unfortunate,
1042      * but it is done so that offsets are consistent within our implementation
1043      * of MODE SENSE and MODE SELECT.  MODE SELECT has to deal with both
1044      * 2-byte and 4-byte headers.
1045      */
1046     switch (page) {
1047     case MODE_PAGE_HD_GEOMETRY:
1048         length = 0x16;
1049         if (page_control == 1) { /* Changeable Values */
1050             break;
1051         }
1052         /* if a geometry hint is available, use it */
1053         p[0] = (s->qdev.conf.cyls >> 16) & 0xff;
1054         p[1] = (s->qdev.conf.cyls >> 8) & 0xff;
1055         p[2] = s->qdev.conf.cyls & 0xff;
1056         p[3] = s->qdev.conf.heads & 0xff;
1057         /* Write precomp start cylinder, disabled */
1058         p[4] = (s->qdev.conf.cyls >> 16) & 0xff;
1059         p[5] = (s->qdev.conf.cyls >> 8) & 0xff;
1060         p[6] = s->qdev.conf.cyls & 0xff;
1061         /* Reduced current start cylinder, disabled */
1062         p[7] = (s->qdev.conf.cyls >> 16) & 0xff;
1063         p[8] = (s->qdev.conf.cyls >> 8) & 0xff;
1064         p[9] = s->qdev.conf.cyls & 0xff;
1065         /* Device step rate [ns], 200ns */
1066         p[10] = 0;
1067         p[11] = 200;
1068         /* Landing zone cylinder */
1069         p[12] = 0xff;
1070         p[13] =  0xff;
1071         p[14] = 0xff;
1072         /* Medium rotation rate [rpm], 5400 rpm */
1073         p[18] = (5400 >> 8) & 0xff;
1074         p[19] = 5400 & 0xff;
1075         break;
1076 
1077     case MODE_PAGE_FLEXIBLE_DISK_GEOMETRY:
1078         length = 0x1e;
1079         if (page_control == 1) { /* Changeable Values */
1080             break;
1081         }
1082         /* Transfer rate [kbit/s], 5Mbit/s */
1083         p[0] = 5000 >> 8;
1084         p[1] = 5000 & 0xff;
1085         /* if a geometry hint is available, use it */
1086         p[2] = s->qdev.conf.heads & 0xff;
1087         p[3] = s->qdev.conf.secs & 0xff;
1088         p[4] = s->qdev.blocksize >> 8;
1089         p[6] = (s->qdev.conf.cyls >> 8) & 0xff;
1090         p[7] = s->qdev.conf.cyls & 0xff;
1091         /* Write precomp start cylinder, disabled */
1092         p[8] = (s->qdev.conf.cyls >> 8) & 0xff;
1093         p[9] = s->qdev.conf.cyls & 0xff;
1094         /* Reduced current start cylinder, disabled */
1095         p[10] = (s->qdev.conf.cyls >> 8) & 0xff;
1096         p[11] = s->qdev.conf.cyls & 0xff;
1097         /* Device step rate [100us], 100us */
1098         p[12] = 0;
1099         p[13] = 1;
1100         /* Device step pulse width [us], 1us */
1101         p[14] = 1;
1102         /* Device head settle delay [100us], 100us */
1103         p[15] = 0;
1104         p[16] = 1;
1105         /* Motor on delay [0.1s], 0.1s */
1106         p[17] = 1;
1107         /* Motor off delay [0.1s], 0.1s */
1108         p[18] = 1;
1109         /* Medium rotation rate [rpm], 5400 rpm */
1110         p[26] = (5400 >> 8) & 0xff;
1111         p[27] = 5400 & 0xff;
1112         break;
1113 
1114     case MODE_PAGE_CACHING:
1115         length = 0x12;
1116         if (page_control == 1 || /* Changeable Values */
1117             blk_enable_write_cache(s->qdev.conf.blk)) {
1118             p[0] = 4; /* WCE */
1119         }
1120         break;
1121 
1122     case MODE_PAGE_R_W_ERROR:
1123         length = 10;
1124         if (page_control == 1) { /* Changeable Values */
1125             break;
1126         }
1127         p[0] = 0x80; /* Automatic Write Reallocation Enabled */
1128         if (s->qdev.type == TYPE_ROM) {
1129             p[1] = 0x20; /* Read Retry Count */
1130         }
1131         break;
1132 
1133     case MODE_PAGE_AUDIO_CTL:
1134         length = 14;
1135         break;
1136 
1137     case MODE_PAGE_CAPABILITIES:
1138         length = 0x14;
1139         if (page_control == 1) { /* Changeable Values */
1140             break;
1141         }
1142 
1143         p[0] = 0x3b; /* CD-R & CD-RW read */
1144         p[1] = 0; /* Writing not supported */
1145         p[2] = 0x7f; /* Audio, composite, digital out,
1146                         mode 2 form 1&2, multi session */
1147         p[3] = 0xff; /* CD DA, DA accurate, RW supported,
1148                         RW corrected, C2 errors, ISRC,
1149                         UPC, Bar code */
1150         p[4] = 0x2d | (s->tray_locked ? 2 : 0);
1151         /* Locking supported, jumper present, eject, tray */
1152         p[5] = 0; /* no volume & mute control, no
1153                      changer */
1154         p[6] = (50 * 176) >> 8; /* 50x read speed */
1155         p[7] = (50 * 176) & 0xff;
1156         p[8] = 2 >> 8; /* Two volume levels */
1157         p[9] = 2 & 0xff;
1158         p[10] = 2048 >> 8; /* 2M buffer */
1159         p[11] = 2048 & 0xff;
1160         p[12] = (16 * 176) >> 8; /* 16x read speed current */
1161         p[13] = (16 * 176) & 0xff;
1162         p[16] = (16 * 176) >> 8; /* 16x write speed */
1163         p[17] = (16 * 176) & 0xff;
1164         p[18] = (16 * 176) >> 8; /* 16x write speed current */
1165         p[19] = (16 * 176) & 0xff;
1166         break;
1167 
1168     default:
1169         return -1;
1170     }
1171 
1172     assert(length < 256);
1173     (*p_outbuf)[0] = page;
1174     (*p_outbuf)[1] = length;
1175     *p_outbuf += length + 2;
1176     return length + 2;
1177 }
1178 
1179 static int scsi_disk_emulate_mode_sense(SCSIDiskReq *r, uint8_t *outbuf)
1180 {
1181     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1182     uint64_t nb_sectors;
1183     bool dbd;
1184     int page, buflen, ret, page_control;
1185     uint8_t *p;
1186     uint8_t dev_specific_param;
1187 
1188     dbd = (r->req.cmd.buf[1] & 0x8) != 0;
1189     page = r->req.cmd.buf[2] & 0x3f;
1190     page_control = (r->req.cmd.buf[2] & 0xc0) >> 6;
1191     DPRINTF("Mode Sense(%d) (page %d, xfer %zd, page_control %d)\n",
1192         (r->req.cmd.buf[0] == MODE_SENSE) ? 6 : 10, page, r->req.cmd.xfer, page_control);
1193     memset(outbuf, 0, r->req.cmd.xfer);
1194     p = outbuf;
1195 
1196     if (s->qdev.type == TYPE_DISK) {
1197         dev_specific_param = s->features & (1 << SCSI_DISK_F_DPOFUA) ? 0x10 : 0;
1198         if (blk_is_read_only(s->qdev.conf.blk)) {
1199             dev_specific_param |= 0x80; /* Readonly.  */
1200         }
1201     } else {
1202         /* MMC prescribes that CD/DVD drives have no block descriptors,
1203          * and defines no device-specific parameter.  */
1204         dev_specific_param = 0x00;
1205         dbd = true;
1206     }
1207 
1208     if (r->req.cmd.buf[0] == MODE_SENSE) {
1209         p[1] = 0; /* Default media type.  */
1210         p[2] = dev_specific_param;
1211         p[3] = 0; /* Block descriptor length.  */
1212         p += 4;
1213     } else { /* MODE_SENSE_10 */
1214         p[2] = 0; /* Default media type.  */
1215         p[3] = dev_specific_param;
1216         p[6] = p[7] = 0; /* Block descriptor length.  */
1217         p += 8;
1218     }
1219 
1220     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
1221     if (!dbd && nb_sectors) {
1222         if (r->req.cmd.buf[0] == MODE_SENSE) {
1223             outbuf[3] = 8; /* Block descriptor length  */
1224         } else { /* MODE_SENSE_10 */
1225             outbuf[7] = 8; /* Block descriptor length  */
1226         }
1227         nb_sectors /= (s->qdev.blocksize / 512);
1228         if (nb_sectors > 0xffffff) {
1229             nb_sectors = 0;
1230         }
1231         p[0] = 0; /* media density code */
1232         p[1] = (nb_sectors >> 16) & 0xff;
1233         p[2] = (nb_sectors >> 8) & 0xff;
1234         p[3] = nb_sectors & 0xff;
1235         p[4] = 0; /* reserved */
1236         p[5] = 0; /* bytes 5-7 are the sector size in bytes */
1237         p[6] = s->qdev.blocksize >> 8;
1238         p[7] = 0;
1239         p += 8;
1240     }
1241 
1242     if (page_control == 3) {
1243         /* Saved Values */
1244         scsi_check_condition(r, SENSE_CODE(SAVING_PARAMS_NOT_SUPPORTED));
1245         return -1;
1246     }
1247 
1248     if (page == 0x3f) {
1249         for (page = 0; page <= 0x3e; page++) {
1250             mode_sense_page(s, page, &p, page_control);
1251         }
1252     } else {
1253         ret = mode_sense_page(s, page, &p, page_control);
1254         if (ret == -1) {
1255             return -1;
1256         }
1257     }
1258 
1259     buflen = p - outbuf;
1260     /*
1261      * The mode data length field specifies the length in bytes of the
1262      * following data that is available to be transferred. The mode data
1263      * length does not include itself.
1264      */
1265     if (r->req.cmd.buf[0] == MODE_SENSE) {
1266         outbuf[0] = buflen - 1;
1267     } else { /* MODE_SENSE_10 */
1268         outbuf[0] = ((buflen - 2) >> 8) & 0xff;
1269         outbuf[1] = (buflen - 2) & 0xff;
1270     }
1271     return buflen;
1272 }
1273 
1274 static int scsi_disk_emulate_read_toc(SCSIRequest *req, uint8_t *outbuf)
1275 {
1276     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1277     int start_track, format, msf, toclen;
1278     uint64_t nb_sectors;
1279 
1280     msf = req->cmd.buf[1] & 2;
1281     format = req->cmd.buf[2] & 0xf;
1282     start_track = req->cmd.buf[6];
1283     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
1284     DPRINTF("Read TOC (track %d format %d msf %d)\n", start_track, format, msf >> 1);
1285     nb_sectors /= s->qdev.blocksize / 512;
1286     switch (format) {
1287     case 0:
1288         toclen = cdrom_read_toc(nb_sectors, outbuf, msf, start_track);
1289         break;
1290     case 1:
1291         /* multi session : only a single session defined */
1292         toclen = 12;
1293         memset(outbuf, 0, 12);
1294         outbuf[1] = 0x0a;
1295         outbuf[2] = 0x01;
1296         outbuf[3] = 0x01;
1297         break;
1298     case 2:
1299         toclen = cdrom_read_toc_raw(nb_sectors, outbuf, msf, start_track);
1300         break;
1301     default:
1302         return -1;
1303     }
1304     return toclen;
1305 }
1306 
1307 static int scsi_disk_emulate_start_stop(SCSIDiskReq *r)
1308 {
1309     SCSIRequest *req = &r->req;
1310     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1311     bool start = req->cmd.buf[4] & 1;
1312     bool loej = req->cmd.buf[4] & 2; /* load on start, eject on !start */
1313     int pwrcnd = req->cmd.buf[4] & 0xf0;
1314 
1315     if (pwrcnd) {
1316         /* eject/load only happens for power condition == 0 */
1317         return 0;
1318     }
1319 
1320     if ((s->features & (1 << SCSI_DISK_F_REMOVABLE)) && loej) {
1321         if (!start && !s->tray_open && s->tray_locked) {
1322             scsi_check_condition(r,
1323                                  blk_is_inserted(s->qdev.conf.blk)
1324                                  ? SENSE_CODE(ILLEGAL_REQ_REMOVAL_PREVENTED)
1325                                  : SENSE_CODE(NOT_READY_REMOVAL_PREVENTED));
1326             return -1;
1327         }
1328 
1329         if (s->tray_open != !start) {
1330             blk_eject(s->qdev.conf.blk, !start);
1331             s->tray_open = !start;
1332         }
1333     }
1334     return 0;
1335 }
1336 
1337 static void scsi_disk_emulate_read_data(SCSIRequest *req)
1338 {
1339     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
1340     int buflen = r->iov.iov_len;
1341 
1342     if (buflen) {
1343         DPRINTF("Read buf_len=%d\n", buflen);
1344         r->iov.iov_len = 0;
1345         r->started = true;
1346         scsi_req_data(&r->req, buflen);
1347         return;
1348     }
1349 
1350     /* This also clears the sense buffer for REQUEST SENSE.  */
1351     scsi_req_complete(&r->req, GOOD);
1352 }
1353 
1354 static int scsi_disk_check_mode_select(SCSIDiskState *s, int page,
1355                                        uint8_t *inbuf, int inlen)
1356 {
1357     uint8_t mode_current[SCSI_MAX_MODE_LEN];
1358     uint8_t mode_changeable[SCSI_MAX_MODE_LEN];
1359     uint8_t *p;
1360     int len, expected_len, changeable_len, i;
1361 
1362     /* The input buffer does not include the page header, so it is
1363      * off by 2 bytes.
1364      */
1365     expected_len = inlen + 2;
1366     if (expected_len > SCSI_MAX_MODE_LEN) {
1367         return -1;
1368     }
1369 
1370     p = mode_current;
1371     memset(mode_current, 0, inlen + 2);
1372     len = mode_sense_page(s, page, &p, 0);
1373     if (len < 0 || len != expected_len) {
1374         return -1;
1375     }
1376 
1377     p = mode_changeable;
1378     memset(mode_changeable, 0, inlen + 2);
1379     changeable_len = mode_sense_page(s, page, &p, 1);
1380     assert(changeable_len == len);
1381 
1382     /* Check that unchangeable bits are the same as what MODE SENSE
1383      * would return.
1384      */
1385     for (i = 2; i < len; i++) {
1386         if (((mode_current[i] ^ inbuf[i - 2]) & ~mode_changeable[i]) != 0) {
1387             return -1;
1388         }
1389     }
1390     return 0;
1391 }
1392 
1393 static void scsi_disk_apply_mode_select(SCSIDiskState *s, int page, uint8_t *p)
1394 {
1395     switch (page) {
1396     case MODE_PAGE_CACHING:
1397         blk_set_enable_write_cache(s->qdev.conf.blk, (p[0] & 4) != 0);
1398         break;
1399 
1400     default:
1401         break;
1402     }
1403 }
1404 
1405 static int mode_select_pages(SCSIDiskReq *r, uint8_t *p, int len, bool change)
1406 {
1407     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1408 
1409     while (len > 0) {
1410         int page, subpage, page_len;
1411 
1412         /* Parse both possible formats for the mode page headers.  */
1413         page = p[0] & 0x3f;
1414         if (p[0] & 0x40) {
1415             if (len < 4) {
1416                 goto invalid_param_len;
1417             }
1418             subpage = p[1];
1419             page_len = lduw_be_p(&p[2]);
1420             p += 4;
1421             len -= 4;
1422         } else {
1423             if (len < 2) {
1424                 goto invalid_param_len;
1425             }
1426             subpage = 0;
1427             page_len = p[1];
1428             p += 2;
1429             len -= 2;
1430         }
1431 
1432         if (subpage) {
1433             goto invalid_param;
1434         }
1435         if (page_len > len) {
1436             goto invalid_param_len;
1437         }
1438 
1439         if (!change) {
1440             if (scsi_disk_check_mode_select(s, page, p, page_len) < 0) {
1441                 goto invalid_param;
1442             }
1443         } else {
1444             scsi_disk_apply_mode_select(s, page, p);
1445         }
1446 
1447         p += page_len;
1448         len -= page_len;
1449     }
1450     return 0;
1451 
1452 invalid_param:
1453     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM));
1454     return -1;
1455 
1456 invalid_param_len:
1457     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM_LEN));
1458     return -1;
1459 }
1460 
1461 static void scsi_disk_emulate_mode_select(SCSIDiskReq *r, uint8_t *inbuf)
1462 {
1463     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1464     uint8_t *p = inbuf;
1465     int cmd = r->req.cmd.buf[0];
1466     int len = r->req.cmd.xfer;
1467     int hdr_len = (cmd == MODE_SELECT ? 4 : 8);
1468     int bd_len;
1469     int pass;
1470 
1471     /* We only support PF=1, SP=0.  */
1472     if ((r->req.cmd.buf[1] & 0x11) != 0x10) {
1473         goto invalid_field;
1474     }
1475 
1476     if (len < hdr_len) {
1477         goto invalid_param_len;
1478     }
1479 
1480     bd_len = (cmd == MODE_SELECT ? p[3] : lduw_be_p(&p[6]));
1481     len -= hdr_len;
1482     p += hdr_len;
1483     if (len < bd_len) {
1484         goto invalid_param_len;
1485     }
1486     if (bd_len != 0 && bd_len != 8) {
1487         goto invalid_param;
1488     }
1489 
1490     len -= bd_len;
1491     p += bd_len;
1492 
1493     /* Ensure no change is made if there is an error!  */
1494     for (pass = 0; pass < 2; pass++) {
1495         if (mode_select_pages(r, p, len, pass == 1) < 0) {
1496             assert(pass == 0);
1497             return;
1498         }
1499     }
1500     if (!blk_enable_write_cache(s->qdev.conf.blk)) {
1501         /* The request is used as the AIO opaque value, so add a ref.  */
1502         scsi_req_ref(&r->req);
1503         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct, 0,
1504                          BLOCK_ACCT_FLUSH);
1505         r->req.aiocb = blk_aio_flush(s->qdev.conf.blk, scsi_aio_complete, r);
1506         return;
1507     }
1508 
1509     scsi_req_complete(&r->req, GOOD);
1510     return;
1511 
1512 invalid_param:
1513     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM));
1514     return;
1515 
1516 invalid_param_len:
1517     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM_LEN));
1518     return;
1519 
1520 invalid_field:
1521     scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1522 }
1523 
1524 static inline bool check_lba_range(SCSIDiskState *s,
1525                                    uint64_t sector_num, uint32_t nb_sectors)
1526 {
1527     /*
1528      * The first line tests that no overflow happens when computing the last
1529      * sector.  The second line tests that the last accessed sector is in
1530      * range.
1531      *
1532      * Careful, the computations should not underflow for nb_sectors == 0,
1533      * and a 0-block read to the first LBA beyond the end of device is
1534      * valid.
1535      */
1536     return (sector_num <= sector_num + nb_sectors &&
1537             sector_num + nb_sectors <= s->qdev.max_lba + 1);
1538 }
1539 
1540 typedef struct UnmapCBData {
1541     SCSIDiskReq *r;
1542     uint8_t *inbuf;
1543     int count;
1544 } UnmapCBData;
1545 
1546 static void scsi_unmap_complete(void *opaque, int ret)
1547 {
1548     UnmapCBData *data = opaque;
1549     SCSIDiskReq *r = data->r;
1550     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1551     uint64_t sector_num;
1552     uint32_t nb_sectors;
1553 
1554     r->req.aiocb = NULL;
1555     if (r->req.io_canceled) {
1556         scsi_req_cancel_complete(&r->req);
1557         goto done;
1558     }
1559 
1560     if (ret < 0) {
1561         if (scsi_handle_rw_error(r, -ret)) {
1562             goto done;
1563         }
1564     }
1565 
1566     if (data->count > 0) {
1567         sector_num = ldq_be_p(&data->inbuf[0]);
1568         nb_sectors = ldl_be_p(&data->inbuf[8]) & 0xffffffffULL;
1569         if (!check_lba_range(s, sector_num, nb_sectors)) {
1570             scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
1571             goto done;
1572         }
1573 
1574         r->req.aiocb = blk_aio_discard(s->qdev.conf.blk,
1575                                        sector_num * (s->qdev.blocksize / 512),
1576                                        nb_sectors * (s->qdev.blocksize / 512),
1577                                        scsi_unmap_complete, data);
1578         data->count--;
1579         data->inbuf += 16;
1580         return;
1581     }
1582 
1583     scsi_req_complete(&r->req, GOOD);
1584 
1585 done:
1586     scsi_req_unref(&r->req);
1587     g_free(data);
1588 }
1589 
1590 static void scsi_disk_emulate_unmap(SCSIDiskReq *r, uint8_t *inbuf)
1591 {
1592     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1593     uint8_t *p = inbuf;
1594     int len = r->req.cmd.xfer;
1595     UnmapCBData *data;
1596 
1597     /* Reject ANCHOR=1.  */
1598     if (r->req.cmd.buf[1] & 0x1) {
1599         goto invalid_field;
1600     }
1601 
1602     if (len < 8) {
1603         goto invalid_param_len;
1604     }
1605     if (len < lduw_be_p(&p[0]) + 2) {
1606         goto invalid_param_len;
1607     }
1608     if (len < lduw_be_p(&p[2]) + 8) {
1609         goto invalid_param_len;
1610     }
1611     if (lduw_be_p(&p[2]) & 15) {
1612         goto invalid_param_len;
1613     }
1614 
1615     if (blk_is_read_only(s->qdev.conf.blk)) {
1616         scsi_check_condition(r, SENSE_CODE(WRITE_PROTECTED));
1617         return;
1618     }
1619 
1620     data = g_new0(UnmapCBData, 1);
1621     data->r = r;
1622     data->inbuf = &p[8];
1623     data->count = lduw_be_p(&p[2]) >> 4;
1624 
1625     /* The matching unref is in scsi_unmap_complete, before data is freed.  */
1626     scsi_req_ref(&r->req);
1627     scsi_unmap_complete(data, 0);
1628     return;
1629 
1630 invalid_param_len:
1631     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM_LEN));
1632     return;
1633 
1634 invalid_field:
1635     scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1636 }
1637 
1638 typedef struct WriteSameCBData {
1639     SCSIDiskReq *r;
1640     int64_t sector;
1641     int nb_sectors;
1642     QEMUIOVector qiov;
1643     struct iovec iov;
1644 } WriteSameCBData;
1645 
1646 static void scsi_write_same_complete(void *opaque, int ret)
1647 {
1648     WriteSameCBData *data = opaque;
1649     SCSIDiskReq *r = data->r;
1650     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1651 
1652     assert(r->req.aiocb != NULL);
1653     r->req.aiocb = NULL;
1654     block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
1655     if (r->req.io_canceled) {
1656         scsi_req_cancel_complete(&r->req);
1657         goto done;
1658     }
1659 
1660     if (ret < 0) {
1661         if (scsi_handle_rw_error(r, -ret)) {
1662             goto done;
1663         }
1664     }
1665 
1666     data->nb_sectors -= data->iov.iov_len / 512;
1667     data->sector += data->iov.iov_len / 512;
1668     data->iov.iov_len = MIN(data->nb_sectors * 512, data->iov.iov_len);
1669     if (data->iov.iov_len) {
1670         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
1671                          data->iov.iov_len, BLOCK_ACCT_WRITE);
1672         r->req.aiocb = blk_aio_writev(s->qdev.conf.blk, data->sector,
1673                                       &data->qiov, data->iov.iov_len / 512,
1674                                       scsi_write_same_complete, data);
1675         return;
1676     }
1677 
1678     scsi_req_complete(&r->req, GOOD);
1679 
1680 done:
1681     scsi_req_unref(&r->req);
1682     qemu_vfree(data->iov.iov_base);
1683     g_free(data);
1684 }
1685 
1686 static void scsi_disk_emulate_write_same(SCSIDiskReq *r, uint8_t *inbuf)
1687 {
1688     SCSIRequest *req = &r->req;
1689     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1690     uint32_t nb_sectors = scsi_data_cdb_xfer(r->req.cmd.buf);
1691     WriteSameCBData *data;
1692     uint8_t *buf;
1693     int i;
1694 
1695     /* Fail if PBDATA=1 or LBDATA=1 or ANCHOR=1.  */
1696     if (nb_sectors == 0 || (req->cmd.buf[1] & 0x16)) {
1697         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1698         return;
1699     }
1700 
1701     if (blk_is_read_only(s->qdev.conf.blk)) {
1702         scsi_check_condition(r, SENSE_CODE(WRITE_PROTECTED));
1703         return;
1704     }
1705     if (!check_lba_range(s, r->req.cmd.lba, nb_sectors)) {
1706         scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
1707         return;
1708     }
1709 
1710     if (buffer_is_zero(inbuf, s->qdev.blocksize)) {
1711         int flags = (req->cmd.buf[1] & 0x8) ? BDRV_REQ_MAY_UNMAP : 0;
1712 
1713         /* The request is used as the AIO opaque value, so add a ref.  */
1714         scsi_req_ref(&r->req);
1715         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
1716                          nb_sectors * s->qdev.blocksize,
1717                         BLOCK_ACCT_WRITE);
1718         r->req.aiocb = blk_aio_write_zeroes(s->qdev.conf.blk,
1719                                 r->req.cmd.lba * (s->qdev.blocksize / 512),
1720                                 nb_sectors * (s->qdev.blocksize / 512),
1721                                 flags, scsi_aio_complete, r);
1722         return;
1723     }
1724 
1725     data = g_new0(WriteSameCBData, 1);
1726     data->r = r;
1727     data->sector = r->req.cmd.lba * (s->qdev.blocksize / 512);
1728     data->nb_sectors = nb_sectors * (s->qdev.blocksize / 512);
1729     data->iov.iov_len = MIN(data->nb_sectors * 512, SCSI_WRITE_SAME_MAX);
1730     data->iov.iov_base = buf = blk_blockalign(s->qdev.conf.blk,
1731                                               data->iov.iov_len);
1732     qemu_iovec_init_external(&data->qiov, &data->iov, 1);
1733 
1734     for (i = 0; i < data->iov.iov_len; i += s->qdev.blocksize) {
1735         memcpy(&buf[i], inbuf, s->qdev.blocksize);
1736     }
1737 
1738     scsi_req_ref(&r->req);
1739     block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
1740                      data->iov.iov_len, BLOCK_ACCT_WRITE);
1741     r->req.aiocb = blk_aio_writev(s->qdev.conf.blk, data->sector,
1742                                   &data->qiov, data->iov.iov_len / 512,
1743                                   scsi_write_same_complete, data);
1744 }
1745 
1746 static void scsi_disk_emulate_write_data(SCSIRequest *req)
1747 {
1748     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
1749 
1750     if (r->iov.iov_len) {
1751         int buflen = r->iov.iov_len;
1752         DPRINTF("Write buf_len=%d\n", buflen);
1753         r->iov.iov_len = 0;
1754         scsi_req_data(&r->req, buflen);
1755         return;
1756     }
1757 
1758     switch (req->cmd.buf[0]) {
1759     case MODE_SELECT:
1760     case MODE_SELECT_10:
1761         /* This also clears the sense buffer for REQUEST SENSE.  */
1762         scsi_disk_emulate_mode_select(r, r->iov.iov_base);
1763         break;
1764 
1765     case UNMAP:
1766         scsi_disk_emulate_unmap(r, r->iov.iov_base);
1767         break;
1768 
1769     case VERIFY_10:
1770     case VERIFY_12:
1771     case VERIFY_16:
1772         if (r->req.status == -1) {
1773             scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1774         }
1775         break;
1776 
1777     case WRITE_SAME_10:
1778     case WRITE_SAME_16:
1779         scsi_disk_emulate_write_same(r, r->iov.iov_base);
1780         break;
1781 
1782     default:
1783         abort();
1784     }
1785 }
1786 
1787 static int32_t scsi_disk_emulate_command(SCSIRequest *req, uint8_t *buf)
1788 {
1789     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
1790     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1791     uint64_t nb_sectors;
1792     uint8_t *outbuf;
1793     int buflen;
1794 
1795     switch (req->cmd.buf[0]) {
1796     case INQUIRY:
1797     case MODE_SENSE:
1798     case MODE_SENSE_10:
1799     case RESERVE:
1800     case RESERVE_10:
1801     case RELEASE:
1802     case RELEASE_10:
1803     case START_STOP:
1804     case ALLOW_MEDIUM_REMOVAL:
1805     case GET_CONFIGURATION:
1806     case GET_EVENT_STATUS_NOTIFICATION:
1807     case MECHANISM_STATUS:
1808     case REQUEST_SENSE:
1809         break;
1810 
1811     default:
1812         if (s->tray_open || !blk_is_inserted(s->qdev.conf.blk)) {
1813             scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
1814             return 0;
1815         }
1816         break;
1817     }
1818 
1819     /*
1820      * FIXME: we shouldn't return anything bigger than 4k, but the code
1821      * requires the buffer to be as big as req->cmd.xfer in several
1822      * places.  So, do not allow CDBs with a very large ALLOCATION
1823      * LENGTH.  The real fix would be to modify scsi_read_data and
1824      * dma_buf_read, so that they return data beyond the buflen
1825      * as all zeros.
1826      */
1827     if (req->cmd.xfer > 65536) {
1828         goto illegal_request;
1829     }
1830     r->buflen = MAX(4096, req->cmd.xfer);
1831 
1832     if (!r->iov.iov_base) {
1833         r->iov.iov_base = blk_blockalign(s->qdev.conf.blk, r->buflen);
1834     }
1835 
1836     buflen = req->cmd.xfer;
1837     outbuf = r->iov.iov_base;
1838     memset(outbuf, 0, r->buflen);
1839     switch (req->cmd.buf[0]) {
1840     case TEST_UNIT_READY:
1841         assert(!s->tray_open && blk_is_inserted(s->qdev.conf.blk));
1842         break;
1843     case INQUIRY:
1844         buflen = scsi_disk_emulate_inquiry(req, outbuf);
1845         if (buflen < 0) {
1846             goto illegal_request;
1847         }
1848         break;
1849     case MODE_SENSE:
1850     case MODE_SENSE_10:
1851         buflen = scsi_disk_emulate_mode_sense(r, outbuf);
1852         if (buflen < 0) {
1853             goto illegal_request;
1854         }
1855         break;
1856     case READ_TOC:
1857         buflen = scsi_disk_emulate_read_toc(req, outbuf);
1858         if (buflen < 0) {
1859             goto illegal_request;
1860         }
1861         break;
1862     case RESERVE:
1863         if (req->cmd.buf[1] & 1) {
1864             goto illegal_request;
1865         }
1866         break;
1867     case RESERVE_10:
1868         if (req->cmd.buf[1] & 3) {
1869             goto illegal_request;
1870         }
1871         break;
1872     case RELEASE:
1873         if (req->cmd.buf[1] & 1) {
1874             goto illegal_request;
1875         }
1876         break;
1877     case RELEASE_10:
1878         if (req->cmd.buf[1] & 3) {
1879             goto illegal_request;
1880         }
1881         break;
1882     case START_STOP:
1883         if (scsi_disk_emulate_start_stop(r) < 0) {
1884             return 0;
1885         }
1886         break;
1887     case ALLOW_MEDIUM_REMOVAL:
1888         s->tray_locked = req->cmd.buf[4] & 1;
1889         blk_lock_medium(s->qdev.conf.blk, req->cmd.buf[4] & 1);
1890         break;
1891     case READ_CAPACITY_10:
1892         /* The normal LEN field for this command is zero.  */
1893         memset(outbuf, 0, 8);
1894         blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
1895         if (!nb_sectors) {
1896             scsi_check_condition(r, SENSE_CODE(LUN_NOT_READY));
1897             return 0;
1898         }
1899         if ((req->cmd.buf[8] & 1) == 0 && req->cmd.lba) {
1900             goto illegal_request;
1901         }
1902         nb_sectors /= s->qdev.blocksize / 512;
1903         /* Returned value is the address of the last sector.  */
1904         nb_sectors--;
1905         /* Remember the new size for read/write sanity checking. */
1906         s->qdev.max_lba = nb_sectors;
1907         /* Clip to 2TB, instead of returning capacity modulo 2TB. */
1908         if (nb_sectors > UINT32_MAX) {
1909             nb_sectors = UINT32_MAX;
1910         }
1911         outbuf[0] = (nb_sectors >> 24) & 0xff;
1912         outbuf[1] = (nb_sectors >> 16) & 0xff;
1913         outbuf[2] = (nb_sectors >> 8) & 0xff;
1914         outbuf[3] = nb_sectors & 0xff;
1915         outbuf[4] = 0;
1916         outbuf[5] = 0;
1917         outbuf[6] = s->qdev.blocksize >> 8;
1918         outbuf[7] = 0;
1919         break;
1920     case REQUEST_SENSE:
1921         /* Just return "NO SENSE".  */
1922         buflen = scsi_build_sense(NULL, 0, outbuf, r->buflen,
1923                                   (req->cmd.buf[1] & 1) == 0);
1924         if (buflen < 0) {
1925             goto illegal_request;
1926         }
1927         break;
1928     case MECHANISM_STATUS:
1929         buflen = scsi_emulate_mechanism_status(s, outbuf);
1930         if (buflen < 0) {
1931             goto illegal_request;
1932         }
1933         break;
1934     case GET_CONFIGURATION:
1935         buflen = scsi_get_configuration(s, outbuf);
1936         if (buflen < 0) {
1937             goto illegal_request;
1938         }
1939         break;
1940     case GET_EVENT_STATUS_NOTIFICATION:
1941         buflen = scsi_get_event_status_notification(s, r, outbuf);
1942         if (buflen < 0) {
1943             goto illegal_request;
1944         }
1945         break;
1946     case READ_DISC_INFORMATION:
1947         buflen = scsi_read_disc_information(s, r, outbuf);
1948         if (buflen < 0) {
1949             goto illegal_request;
1950         }
1951         break;
1952     case READ_DVD_STRUCTURE:
1953         buflen = scsi_read_dvd_structure(s, r, outbuf);
1954         if (buflen < 0) {
1955             goto illegal_request;
1956         }
1957         break;
1958     case SERVICE_ACTION_IN_16:
1959         /* Service Action In subcommands. */
1960         if ((req->cmd.buf[1] & 31) == SAI_READ_CAPACITY_16) {
1961             DPRINTF("SAI READ CAPACITY(16)\n");
1962             memset(outbuf, 0, req->cmd.xfer);
1963             blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
1964             if (!nb_sectors) {
1965                 scsi_check_condition(r, SENSE_CODE(LUN_NOT_READY));
1966                 return 0;
1967             }
1968             if ((req->cmd.buf[14] & 1) == 0 && req->cmd.lba) {
1969                 goto illegal_request;
1970             }
1971             nb_sectors /= s->qdev.blocksize / 512;
1972             /* Returned value is the address of the last sector.  */
1973             nb_sectors--;
1974             /* Remember the new size for read/write sanity checking. */
1975             s->qdev.max_lba = nb_sectors;
1976             outbuf[0] = (nb_sectors >> 56) & 0xff;
1977             outbuf[1] = (nb_sectors >> 48) & 0xff;
1978             outbuf[2] = (nb_sectors >> 40) & 0xff;
1979             outbuf[3] = (nb_sectors >> 32) & 0xff;
1980             outbuf[4] = (nb_sectors >> 24) & 0xff;
1981             outbuf[5] = (nb_sectors >> 16) & 0xff;
1982             outbuf[6] = (nb_sectors >> 8) & 0xff;
1983             outbuf[7] = nb_sectors & 0xff;
1984             outbuf[8] = 0;
1985             outbuf[9] = 0;
1986             outbuf[10] = s->qdev.blocksize >> 8;
1987             outbuf[11] = 0;
1988             outbuf[12] = 0;
1989             outbuf[13] = get_physical_block_exp(&s->qdev.conf);
1990 
1991             /* set TPE bit if the format supports discard */
1992             if (s->qdev.conf.discard_granularity) {
1993                 outbuf[14] = 0x80;
1994             }
1995 
1996             /* Protection, exponent and lowest lba field left blank. */
1997             break;
1998         }
1999         DPRINTF("Unsupported Service Action In\n");
2000         goto illegal_request;
2001     case SYNCHRONIZE_CACHE:
2002         /* The request is used as the AIO opaque value, so add a ref.  */
2003         scsi_req_ref(&r->req);
2004         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct, 0,
2005                          BLOCK_ACCT_FLUSH);
2006         r->req.aiocb = blk_aio_flush(s->qdev.conf.blk, scsi_aio_complete, r);
2007         return 0;
2008     case SEEK_10:
2009         DPRINTF("Seek(10) (sector %" PRId64 ")\n", r->req.cmd.lba);
2010         if (r->req.cmd.lba > s->qdev.max_lba) {
2011             goto illegal_lba;
2012         }
2013         break;
2014     case MODE_SELECT:
2015         DPRINTF("Mode Select(6) (len %lu)\n", (long)r->req.cmd.xfer);
2016         break;
2017     case MODE_SELECT_10:
2018         DPRINTF("Mode Select(10) (len %lu)\n", (long)r->req.cmd.xfer);
2019         break;
2020     case UNMAP:
2021         DPRINTF("Unmap (len %lu)\n", (long)r->req.cmd.xfer);
2022         break;
2023     case VERIFY_10:
2024     case VERIFY_12:
2025     case VERIFY_16:
2026         DPRINTF("Verify (bytchk %d)\n", (req->cmd.buf[1] >> 1) & 3);
2027         if (req->cmd.buf[1] & 6) {
2028             goto illegal_request;
2029         }
2030         break;
2031     case WRITE_SAME_10:
2032     case WRITE_SAME_16:
2033         DPRINTF("WRITE SAME %d (len %lu)\n",
2034                 req->cmd.buf[0] == WRITE_SAME_10 ? 10 : 16,
2035                 (long)r->req.cmd.xfer);
2036         break;
2037     default:
2038         DPRINTF("Unknown SCSI command (%2.2x=%s)\n", buf[0],
2039                 scsi_command_name(buf[0]));
2040         scsi_check_condition(r, SENSE_CODE(INVALID_OPCODE));
2041         return 0;
2042     }
2043     assert(!r->req.aiocb);
2044     r->iov.iov_len = MIN(r->buflen, req->cmd.xfer);
2045     if (r->iov.iov_len == 0) {
2046         scsi_req_complete(&r->req, GOOD);
2047     }
2048     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
2049         assert(r->iov.iov_len == req->cmd.xfer);
2050         return -r->iov.iov_len;
2051     } else {
2052         return r->iov.iov_len;
2053     }
2054 
2055 illegal_request:
2056     if (r->req.status == -1) {
2057         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
2058     }
2059     return 0;
2060 
2061 illegal_lba:
2062     scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
2063     return 0;
2064 }
2065 
2066 /* Execute a scsi command.  Returns the length of the data expected by the
2067    command.  This will be Positive for data transfers from the device
2068    (eg. disk reads), negative for transfers to the device (eg. disk writes),
2069    and zero if the command does not transfer any data.  */
2070 
2071 static int32_t scsi_disk_dma_command(SCSIRequest *req, uint8_t *buf)
2072 {
2073     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
2074     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
2075     uint32_t len;
2076     uint8_t command;
2077 
2078     command = buf[0];
2079 
2080     if (s->tray_open || !blk_is_inserted(s->qdev.conf.blk)) {
2081         scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
2082         return 0;
2083     }
2084 
2085     len = scsi_data_cdb_xfer(r->req.cmd.buf);
2086     switch (command) {
2087     case READ_6:
2088     case READ_10:
2089     case READ_12:
2090     case READ_16:
2091         DPRINTF("Read (sector %" PRId64 ", count %u)\n", r->req.cmd.lba, len);
2092         if (r->req.cmd.buf[1] & 0xe0) {
2093             goto illegal_request;
2094         }
2095         if (!check_lba_range(s, r->req.cmd.lba, len)) {
2096             goto illegal_lba;
2097         }
2098         r->sector = r->req.cmd.lba * (s->qdev.blocksize / 512);
2099         r->sector_count = len * (s->qdev.blocksize / 512);
2100         break;
2101     case WRITE_6:
2102     case WRITE_10:
2103     case WRITE_12:
2104     case WRITE_16:
2105     case WRITE_VERIFY_10:
2106     case WRITE_VERIFY_12:
2107     case WRITE_VERIFY_16:
2108         if (blk_is_read_only(s->qdev.conf.blk)) {
2109             scsi_check_condition(r, SENSE_CODE(WRITE_PROTECTED));
2110             return 0;
2111         }
2112         DPRINTF("Write %s(sector %" PRId64 ", count %u)\n",
2113                 (command & 0xe) == 0xe ? "And Verify " : "",
2114                 r->req.cmd.lba, len);
2115         if (r->req.cmd.buf[1] & 0xe0) {
2116             goto illegal_request;
2117         }
2118         if (!check_lba_range(s, r->req.cmd.lba, len)) {
2119             goto illegal_lba;
2120         }
2121         r->sector = r->req.cmd.lba * (s->qdev.blocksize / 512);
2122         r->sector_count = len * (s->qdev.blocksize / 512);
2123         break;
2124     default:
2125         abort();
2126     illegal_request:
2127         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
2128         return 0;
2129     illegal_lba:
2130         scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
2131         return 0;
2132     }
2133     if (r->sector_count == 0) {
2134         scsi_req_complete(&r->req, GOOD);
2135     }
2136     assert(r->iov.iov_len == 0);
2137     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
2138         return -r->sector_count * 512;
2139     } else {
2140         return r->sector_count * 512;
2141     }
2142 }
2143 
2144 static void scsi_disk_reset(DeviceState *dev)
2145 {
2146     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev.qdev, dev);
2147     uint64_t nb_sectors;
2148 
2149     scsi_device_purge_requests(&s->qdev, SENSE_CODE(RESET));
2150 
2151     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
2152     nb_sectors /= s->qdev.blocksize / 512;
2153     if (nb_sectors) {
2154         nb_sectors--;
2155     }
2156     s->qdev.max_lba = nb_sectors;
2157     /* reset tray statuses */
2158     s->tray_locked = 0;
2159     s->tray_open = 0;
2160 }
2161 
2162 static void scsi_disk_resize_cb(void *opaque)
2163 {
2164     SCSIDiskState *s = opaque;
2165 
2166     /* SPC lists this sense code as available only for
2167      * direct-access devices.
2168      */
2169     if (s->qdev.type == TYPE_DISK) {
2170         scsi_device_report_change(&s->qdev, SENSE_CODE(CAPACITY_CHANGED));
2171     }
2172 }
2173 
2174 static void scsi_cd_change_media_cb(void *opaque, bool load)
2175 {
2176     SCSIDiskState *s = opaque;
2177 
2178     /*
2179      * When a CD gets changed, we have to report an ejected state and
2180      * then a loaded state to guests so that they detect tray
2181      * open/close and media change events.  Guests that do not use
2182      * GET_EVENT_STATUS_NOTIFICATION to detect such tray open/close
2183      * states rely on this behavior.
2184      *
2185      * media_changed governs the state machine used for unit attention
2186      * report.  media_event is used by GET EVENT STATUS NOTIFICATION.
2187      */
2188     s->media_changed = load;
2189     s->tray_open = !load;
2190     scsi_device_set_ua(&s->qdev, SENSE_CODE(UNIT_ATTENTION_NO_MEDIUM));
2191     s->media_event = true;
2192     s->eject_request = false;
2193 }
2194 
2195 static void scsi_cd_eject_request_cb(void *opaque, bool force)
2196 {
2197     SCSIDiskState *s = opaque;
2198 
2199     s->eject_request = true;
2200     if (force) {
2201         s->tray_locked = false;
2202     }
2203 }
2204 
2205 static bool scsi_cd_is_tray_open(void *opaque)
2206 {
2207     return ((SCSIDiskState *)opaque)->tray_open;
2208 }
2209 
2210 static bool scsi_cd_is_medium_locked(void *opaque)
2211 {
2212     return ((SCSIDiskState *)opaque)->tray_locked;
2213 }
2214 
2215 static const BlockDevOps scsi_disk_removable_block_ops = {
2216     .change_media_cb = scsi_cd_change_media_cb,
2217     .eject_request_cb = scsi_cd_eject_request_cb,
2218     .is_tray_open = scsi_cd_is_tray_open,
2219     .is_medium_locked = scsi_cd_is_medium_locked,
2220 
2221     .resize_cb = scsi_disk_resize_cb,
2222 };
2223 
2224 static const BlockDevOps scsi_disk_block_ops = {
2225     .resize_cb = scsi_disk_resize_cb,
2226 };
2227 
2228 static void scsi_disk_unit_attention_reported(SCSIDevice *dev)
2229 {
2230     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2231     if (s->media_changed) {
2232         s->media_changed = false;
2233         scsi_device_set_ua(&s->qdev, SENSE_CODE(MEDIUM_CHANGED));
2234     }
2235 }
2236 
2237 static void scsi_realize(SCSIDevice *dev, Error **errp)
2238 {
2239     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2240     Error *err = NULL;
2241 
2242     if (!s->qdev.conf.blk) {
2243         error_setg(errp, "drive property not set");
2244         return;
2245     }
2246 
2247     if (!(s->features & (1 << SCSI_DISK_F_REMOVABLE)) &&
2248         !blk_is_inserted(s->qdev.conf.blk)) {
2249         error_setg(errp, "Device needs media, but drive is empty");
2250         return;
2251     }
2252 
2253     blkconf_serial(&s->qdev.conf, &s->serial);
2254     blkconf_blocksizes(&s->qdev.conf);
2255     if (dev->type == TYPE_DISK) {
2256         blkconf_geometry(&dev->conf, NULL, 65535, 255, 255, &err);
2257         if (err) {
2258             error_propagate(errp, err);
2259             return;
2260         }
2261     }
2262 
2263     if (s->qdev.conf.discard_granularity == -1) {
2264         s->qdev.conf.discard_granularity =
2265             MAX(s->qdev.conf.logical_block_size, DEFAULT_DISCARD_GRANULARITY);
2266     }
2267 
2268     if (!s->version) {
2269         s->version = g_strdup(qemu_get_version());
2270     }
2271     if (!s->vendor) {
2272         s->vendor = g_strdup("QEMU");
2273     }
2274 
2275     if (blk_is_sg(s->qdev.conf.blk)) {
2276         error_setg(errp, "unwanted /dev/sg*");
2277         return;
2278     }
2279 
2280     if ((s->features & (1 << SCSI_DISK_F_REMOVABLE)) &&
2281             !(s->features & (1 << SCSI_DISK_F_NO_REMOVABLE_DEVOPS))) {
2282         blk_set_dev_ops(s->qdev.conf.blk, &scsi_disk_removable_block_ops, s);
2283     } else {
2284         blk_set_dev_ops(s->qdev.conf.blk, &scsi_disk_block_ops, s);
2285     }
2286     blk_set_guest_block_size(s->qdev.conf.blk, s->qdev.blocksize);
2287 
2288     blk_iostatus_enable(s->qdev.conf.blk);
2289 }
2290 
2291 static void scsi_hd_realize(SCSIDevice *dev, Error **errp)
2292 {
2293     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2294     /* can happen for devices without drive. The error message for missing
2295      * backend will be issued in scsi_realize
2296      */
2297     if (s->qdev.conf.blk) {
2298         blkconf_blocksizes(&s->qdev.conf);
2299     }
2300     s->qdev.blocksize = s->qdev.conf.logical_block_size;
2301     s->qdev.type = TYPE_DISK;
2302     if (!s->product) {
2303         s->product = g_strdup("QEMU HARDDISK");
2304     }
2305     scsi_realize(&s->qdev, errp);
2306 }
2307 
2308 static void scsi_cd_realize(SCSIDevice *dev, Error **errp)
2309 {
2310     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2311     s->qdev.blocksize = 2048;
2312     s->qdev.type = TYPE_ROM;
2313     s->features |= 1 << SCSI_DISK_F_REMOVABLE;
2314     if (!s->product) {
2315         s->product = g_strdup("QEMU CD-ROM");
2316     }
2317     scsi_realize(&s->qdev, errp);
2318 }
2319 
2320 static void scsi_disk_realize(SCSIDevice *dev, Error **errp)
2321 {
2322     DriveInfo *dinfo;
2323     Error *local_err = NULL;
2324 
2325     if (!dev->conf.blk) {
2326         scsi_realize(dev, &local_err);
2327         assert(local_err);
2328         error_propagate(errp, local_err);
2329         return;
2330     }
2331 
2332     dinfo = blk_legacy_dinfo(dev->conf.blk);
2333     if (dinfo && dinfo->media_cd) {
2334         scsi_cd_realize(dev, errp);
2335     } else {
2336         scsi_hd_realize(dev, errp);
2337     }
2338 }
2339 
2340 static const SCSIReqOps scsi_disk_emulate_reqops = {
2341     .size         = sizeof(SCSIDiskReq),
2342     .free_req     = scsi_free_request,
2343     .send_command = scsi_disk_emulate_command,
2344     .read_data    = scsi_disk_emulate_read_data,
2345     .write_data   = scsi_disk_emulate_write_data,
2346     .get_buf      = scsi_get_buf,
2347 };
2348 
2349 static const SCSIReqOps scsi_disk_dma_reqops = {
2350     .size         = sizeof(SCSIDiskReq),
2351     .free_req     = scsi_free_request,
2352     .send_command = scsi_disk_dma_command,
2353     .read_data    = scsi_read_data,
2354     .write_data   = scsi_write_data,
2355     .get_buf      = scsi_get_buf,
2356     .load_request = scsi_disk_load_request,
2357     .save_request = scsi_disk_save_request,
2358 };
2359 
2360 static const SCSIReqOps *const scsi_disk_reqops_dispatch[256] = {
2361     [TEST_UNIT_READY]                 = &scsi_disk_emulate_reqops,
2362     [INQUIRY]                         = &scsi_disk_emulate_reqops,
2363     [MODE_SENSE]                      = &scsi_disk_emulate_reqops,
2364     [MODE_SENSE_10]                   = &scsi_disk_emulate_reqops,
2365     [START_STOP]                      = &scsi_disk_emulate_reqops,
2366     [ALLOW_MEDIUM_REMOVAL]            = &scsi_disk_emulate_reqops,
2367     [READ_CAPACITY_10]                = &scsi_disk_emulate_reqops,
2368     [READ_TOC]                        = &scsi_disk_emulate_reqops,
2369     [READ_DVD_STRUCTURE]              = &scsi_disk_emulate_reqops,
2370     [READ_DISC_INFORMATION]           = &scsi_disk_emulate_reqops,
2371     [GET_CONFIGURATION]               = &scsi_disk_emulate_reqops,
2372     [GET_EVENT_STATUS_NOTIFICATION]   = &scsi_disk_emulate_reqops,
2373     [MECHANISM_STATUS]                = &scsi_disk_emulate_reqops,
2374     [SERVICE_ACTION_IN_16]            = &scsi_disk_emulate_reqops,
2375     [REQUEST_SENSE]                   = &scsi_disk_emulate_reqops,
2376     [SYNCHRONIZE_CACHE]               = &scsi_disk_emulate_reqops,
2377     [SEEK_10]                         = &scsi_disk_emulate_reqops,
2378     [MODE_SELECT]                     = &scsi_disk_emulate_reqops,
2379     [MODE_SELECT_10]                  = &scsi_disk_emulate_reqops,
2380     [UNMAP]                           = &scsi_disk_emulate_reqops,
2381     [WRITE_SAME_10]                   = &scsi_disk_emulate_reqops,
2382     [WRITE_SAME_16]                   = &scsi_disk_emulate_reqops,
2383     [VERIFY_10]                       = &scsi_disk_emulate_reqops,
2384     [VERIFY_12]                       = &scsi_disk_emulate_reqops,
2385     [VERIFY_16]                       = &scsi_disk_emulate_reqops,
2386 
2387     [READ_6]                          = &scsi_disk_dma_reqops,
2388     [READ_10]                         = &scsi_disk_dma_reqops,
2389     [READ_12]                         = &scsi_disk_dma_reqops,
2390     [READ_16]                         = &scsi_disk_dma_reqops,
2391     [WRITE_6]                         = &scsi_disk_dma_reqops,
2392     [WRITE_10]                        = &scsi_disk_dma_reqops,
2393     [WRITE_12]                        = &scsi_disk_dma_reqops,
2394     [WRITE_16]                        = &scsi_disk_dma_reqops,
2395     [WRITE_VERIFY_10]                 = &scsi_disk_dma_reqops,
2396     [WRITE_VERIFY_12]                 = &scsi_disk_dma_reqops,
2397     [WRITE_VERIFY_16]                 = &scsi_disk_dma_reqops,
2398 };
2399 
2400 static SCSIRequest *scsi_new_request(SCSIDevice *d, uint32_t tag, uint32_t lun,
2401                                      uint8_t *buf, void *hba_private)
2402 {
2403     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, d);
2404     SCSIRequest *req;
2405     const SCSIReqOps *ops;
2406     uint8_t command;
2407 
2408     command = buf[0];
2409     ops = scsi_disk_reqops_dispatch[command];
2410     if (!ops) {
2411         ops = &scsi_disk_emulate_reqops;
2412     }
2413     req = scsi_req_alloc(ops, &s->qdev, tag, lun, hba_private);
2414 
2415 #ifdef DEBUG_SCSI
2416     DPRINTF("Command: lun=%d tag=0x%x data=0x%02x", lun, tag, buf[0]);
2417     {
2418         int i;
2419         for (i = 1; i < scsi_cdb_length(buf); i++) {
2420             printf(" 0x%02x", buf[i]);
2421         }
2422         printf("\n");
2423     }
2424 #endif
2425 
2426     return req;
2427 }
2428 
2429 #ifdef __linux__
2430 static int get_device_type(SCSIDiskState *s)
2431 {
2432     uint8_t cmd[16];
2433     uint8_t buf[36];
2434     uint8_t sensebuf[8];
2435     sg_io_hdr_t io_header;
2436     int ret;
2437 
2438     memset(cmd, 0, sizeof(cmd));
2439     memset(buf, 0, sizeof(buf));
2440     cmd[0] = INQUIRY;
2441     cmd[4] = sizeof(buf);
2442 
2443     memset(&io_header, 0, sizeof(io_header));
2444     io_header.interface_id = 'S';
2445     io_header.dxfer_direction = SG_DXFER_FROM_DEV;
2446     io_header.dxfer_len = sizeof(buf);
2447     io_header.dxferp = buf;
2448     io_header.cmdp = cmd;
2449     io_header.cmd_len = sizeof(cmd);
2450     io_header.mx_sb_len = sizeof(sensebuf);
2451     io_header.sbp = sensebuf;
2452     io_header.timeout = 6000; /* XXX */
2453 
2454     ret = blk_ioctl(s->qdev.conf.blk, SG_IO, &io_header);
2455     if (ret < 0 || io_header.driver_status || io_header.host_status) {
2456         return -1;
2457     }
2458     s->qdev.type = buf[0];
2459     if (buf[1] & 0x80) {
2460         s->features |= 1 << SCSI_DISK_F_REMOVABLE;
2461     }
2462     return 0;
2463 }
2464 
2465 static void scsi_block_realize(SCSIDevice *dev, Error **errp)
2466 {
2467     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2468     int sg_version;
2469     int rc;
2470 
2471     if (!s->qdev.conf.blk) {
2472         error_setg(errp, "drive property not set");
2473         return;
2474     }
2475 
2476     /* check we are using a driver managing SG_IO (version 3 and after) */
2477     rc = blk_ioctl(s->qdev.conf.blk, SG_GET_VERSION_NUM, &sg_version);
2478     if (rc < 0) {
2479         error_setg(errp, "cannot get SG_IO version number: %s.  "
2480                      "Is this a SCSI device?",
2481                      strerror(-rc));
2482         return;
2483     }
2484     if (sg_version < 30000) {
2485         error_setg(errp, "scsi generic interface too old");
2486         return;
2487     }
2488 
2489     /* get device type from INQUIRY data */
2490     rc = get_device_type(s);
2491     if (rc < 0) {
2492         error_setg(errp, "INQUIRY failed");
2493         return;
2494     }
2495 
2496     /* Make a guess for the block size, we'll fix it when the guest sends.
2497      * READ CAPACITY.  If they don't, they likely would assume these sizes
2498      * anyway. (TODO: check in /sys).
2499      */
2500     if (s->qdev.type == TYPE_ROM || s->qdev.type == TYPE_WORM) {
2501         s->qdev.blocksize = 2048;
2502     } else {
2503         s->qdev.blocksize = 512;
2504     }
2505 
2506     /* Makes the scsi-block device not removable by using HMP and QMP eject
2507      * command.
2508      */
2509     s->features |= (1 << SCSI_DISK_F_NO_REMOVABLE_DEVOPS);
2510 
2511     scsi_realize(&s->qdev, errp);
2512 }
2513 
2514 static bool scsi_block_is_passthrough(SCSIDiskState *s, uint8_t *buf)
2515 {
2516     switch (buf[0]) {
2517     case READ_6:
2518     case READ_10:
2519     case READ_12:
2520     case READ_16:
2521     case VERIFY_10:
2522     case VERIFY_12:
2523     case VERIFY_16:
2524     case WRITE_6:
2525     case WRITE_10:
2526     case WRITE_12:
2527     case WRITE_16:
2528     case WRITE_VERIFY_10:
2529     case WRITE_VERIFY_12:
2530     case WRITE_VERIFY_16:
2531         /* If we are not using O_DIRECT, we might read stale data from the
2532          * host cache if writes were made using other commands than these
2533          * ones (such as WRITE SAME or EXTENDED COPY, etc.).  So, without
2534          * O_DIRECT everything must go through SG_IO.
2535          */
2536         if (!(blk_get_flags(s->qdev.conf.blk) & BDRV_O_NOCACHE)) {
2537             break;
2538         }
2539 
2540         /* MMC writing cannot be done via pread/pwrite, because it sometimes
2541          * involves writing beyond the maximum LBA or to negative LBA (lead-in).
2542          * And once you do these writes, reading from the block device is
2543          * unreliable, too.  It is even possible that reads deliver random data
2544          * from the host page cache (this is probably a Linux bug).
2545          *
2546          * We might use scsi_disk_dma_reqops as long as no writing commands are
2547          * seen, but performance usually isn't paramount on optical media.  So,
2548          * just make scsi-block operate the same as scsi-generic for them.
2549          */
2550         if (s->qdev.type != TYPE_ROM) {
2551             return false;
2552         }
2553         break;
2554 
2555     default:
2556         break;
2557     }
2558 
2559     return true;
2560 }
2561 
2562 
2563 static SCSIRequest *scsi_block_new_request(SCSIDevice *d, uint32_t tag,
2564                                            uint32_t lun, uint8_t *buf,
2565                                            void *hba_private)
2566 {
2567     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, d);
2568 
2569     if (scsi_block_is_passthrough(s, buf)) {
2570         return scsi_req_alloc(&scsi_generic_req_ops, &s->qdev, tag, lun,
2571                               hba_private);
2572     } else {
2573         return scsi_req_alloc(&scsi_disk_dma_reqops, &s->qdev, tag, lun,
2574                               hba_private);
2575     }
2576 }
2577 
2578 static int scsi_block_parse_cdb(SCSIDevice *d, SCSICommand *cmd,
2579                                   uint8_t *buf, void *hba_private)
2580 {
2581     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, d);
2582 
2583     if (scsi_block_is_passthrough(s, buf)) {
2584         return scsi_bus_parse_cdb(&s->qdev, cmd, buf, hba_private);
2585     } else {
2586         return scsi_req_parse_cdb(&s->qdev, cmd, buf);
2587     }
2588 }
2589 
2590 #endif
2591 
2592 #define DEFINE_SCSI_DISK_PROPERTIES()                                \
2593     DEFINE_BLOCK_PROPERTIES(SCSIDiskState, qdev.conf),               \
2594     DEFINE_PROP_STRING("ver", SCSIDiskState, version),               \
2595     DEFINE_PROP_STRING("serial", SCSIDiskState, serial),             \
2596     DEFINE_PROP_STRING("vendor", SCSIDiskState, vendor),             \
2597     DEFINE_PROP_STRING("product", SCSIDiskState, product)
2598 
2599 static Property scsi_hd_properties[] = {
2600     DEFINE_SCSI_DISK_PROPERTIES(),
2601     DEFINE_PROP_BIT("removable", SCSIDiskState, features,
2602                     SCSI_DISK_F_REMOVABLE, false),
2603     DEFINE_PROP_BIT("dpofua", SCSIDiskState, features,
2604                     SCSI_DISK_F_DPOFUA, false),
2605     DEFINE_PROP_UINT64("wwn", SCSIDiskState, wwn, 0),
2606     DEFINE_PROP_UINT64("port_wwn", SCSIDiskState, port_wwn, 0),
2607     DEFINE_PROP_UINT16("port_index", SCSIDiskState, port_index, 0),
2608     DEFINE_PROP_UINT64("max_unmap_size", SCSIDiskState, max_unmap_size,
2609                        DEFAULT_MAX_UNMAP_SIZE),
2610     DEFINE_PROP_UINT64("max_io_size", SCSIDiskState, max_io_size,
2611                        DEFAULT_MAX_IO_SIZE),
2612     DEFINE_BLOCK_CHS_PROPERTIES(SCSIDiskState, qdev.conf),
2613     DEFINE_PROP_END_OF_LIST(),
2614 };
2615 
2616 static const VMStateDescription vmstate_scsi_disk_state = {
2617     .name = "scsi-disk",
2618     .version_id = 1,
2619     .minimum_version_id = 1,
2620     .fields = (VMStateField[]) {
2621         VMSTATE_SCSI_DEVICE(qdev, SCSIDiskState),
2622         VMSTATE_BOOL(media_changed, SCSIDiskState),
2623         VMSTATE_BOOL(media_event, SCSIDiskState),
2624         VMSTATE_BOOL(eject_request, SCSIDiskState),
2625         VMSTATE_BOOL(tray_open, SCSIDiskState),
2626         VMSTATE_BOOL(tray_locked, SCSIDiskState),
2627         VMSTATE_END_OF_LIST()
2628     }
2629 };
2630 
2631 static void scsi_hd_class_initfn(ObjectClass *klass, void *data)
2632 {
2633     DeviceClass *dc = DEVICE_CLASS(klass);
2634     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
2635 
2636     sc->realize      = scsi_hd_realize;
2637     sc->alloc_req    = scsi_new_request;
2638     sc->unit_attention_reported = scsi_disk_unit_attention_reported;
2639     dc->fw_name = "disk";
2640     dc->desc = "virtual SCSI disk";
2641     dc->reset = scsi_disk_reset;
2642     dc->props = scsi_hd_properties;
2643     dc->vmsd  = &vmstate_scsi_disk_state;
2644 }
2645 
2646 static const TypeInfo scsi_hd_info = {
2647     .name          = "scsi-hd",
2648     .parent        = TYPE_SCSI_DEVICE,
2649     .instance_size = sizeof(SCSIDiskState),
2650     .class_init    = scsi_hd_class_initfn,
2651 };
2652 
2653 static Property scsi_cd_properties[] = {
2654     DEFINE_SCSI_DISK_PROPERTIES(),
2655     DEFINE_PROP_UINT64("wwn", SCSIDiskState, wwn, 0),
2656     DEFINE_PROP_UINT64("port_wwn", SCSIDiskState, port_wwn, 0),
2657     DEFINE_PROP_UINT16("port_index", SCSIDiskState, port_index, 0),
2658     DEFINE_PROP_UINT64("max_io_size", SCSIDiskState, max_io_size,
2659                        DEFAULT_MAX_IO_SIZE),
2660     DEFINE_PROP_END_OF_LIST(),
2661 };
2662 
2663 static void scsi_cd_class_initfn(ObjectClass *klass, void *data)
2664 {
2665     DeviceClass *dc = DEVICE_CLASS(klass);
2666     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
2667 
2668     sc->realize      = scsi_cd_realize;
2669     sc->alloc_req    = scsi_new_request;
2670     sc->unit_attention_reported = scsi_disk_unit_attention_reported;
2671     dc->fw_name = "disk";
2672     dc->desc = "virtual SCSI CD-ROM";
2673     dc->reset = scsi_disk_reset;
2674     dc->props = scsi_cd_properties;
2675     dc->vmsd  = &vmstate_scsi_disk_state;
2676 }
2677 
2678 static const TypeInfo scsi_cd_info = {
2679     .name          = "scsi-cd",
2680     .parent        = TYPE_SCSI_DEVICE,
2681     .instance_size = sizeof(SCSIDiskState),
2682     .class_init    = scsi_cd_class_initfn,
2683 };
2684 
2685 #ifdef __linux__
2686 static Property scsi_block_properties[] = {
2687     DEFINE_PROP_DRIVE("drive", SCSIDiskState, qdev.conf.blk),
2688     DEFINE_PROP_END_OF_LIST(),
2689 };
2690 
2691 static void scsi_block_class_initfn(ObjectClass *klass, void *data)
2692 {
2693     DeviceClass *dc = DEVICE_CLASS(klass);
2694     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
2695 
2696     sc->realize      = scsi_block_realize;
2697     sc->alloc_req    = scsi_block_new_request;
2698     sc->parse_cdb    = scsi_block_parse_cdb;
2699     dc->fw_name = "disk";
2700     dc->desc = "SCSI block device passthrough";
2701     dc->reset = scsi_disk_reset;
2702     dc->props = scsi_block_properties;
2703     dc->vmsd  = &vmstate_scsi_disk_state;
2704 }
2705 
2706 static const TypeInfo scsi_block_info = {
2707     .name          = "scsi-block",
2708     .parent        = TYPE_SCSI_DEVICE,
2709     .instance_size = sizeof(SCSIDiskState),
2710     .class_init    = scsi_block_class_initfn,
2711 };
2712 #endif
2713 
2714 static Property scsi_disk_properties[] = {
2715     DEFINE_SCSI_DISK_PROPERTIES(),
2716     DEFINE_PROP_BIT("removable", SCSIDiskState, features,
2717                     SCSI_DISK_F_REMOVABLE, false),
2718     DEFINE_PROP_BIT("dpofua", SCSIDiskState, features,
2719                     SCSI_DISK_F_DPOFUA, false),
2720     DEFINE_PROP_UINT64("wwn", SCSIDiskState, wwn, 0),
2721     DEFINE_PROP_UINT64("port_wwn", SCSIDiskState, port_wwn, 0),
2722     DEFINE_PROP_UINT16("port_index", SCSIDiskState, port_index, 0),
2723     DEFINE_PROP_UINT64("max_unmap_size", SCSIDiskState, max_unmap_size,
2724                        DEFAULT_MAX_UNMAP_SIZE),
2725     DEFINE_PROP_UINT64("max_io_size", SCSIDiskState, max_io_size,
2726                        DEFAULT_MAX_IO_SIZE),
2727     DEFINE_PROP_END_OF_LIST(),
2728 };
2729 
2730 static void scsi_disk_class_initfn(ObjectClass *klass, void *data)
2731 {
2732     DeviceClass *dc = DEVICE_CLASS(klass);
2733     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
2734 
2735     sc->realize      = scsi_disk_realize;
2736     sc->alloc_req    = scsi_new_request;
2737     sc->unit_attention_reported = scsi_disk_unit_attention_reported;
2738     dc->fw_name = "disk";
2739     dc->desc = "virtual SCSI disk or CD-ROM (legacy)";
2740     dc->reset = scsi_disk_reset;
2741     dc->props = scsi_disk_properties;
2742     dc->vmsd  = &vmstate_scsi_disk_state;
2743 }
2744 
2745 static const TypeInfo scsi_disk_info = {
2746     .name          = "scsi-disk",
2747     .parent        = TYPE_SCSI_DEVICE,
2748     .instance_size = sizeof(SCSIDiskState),
2749     .class_init    = scsi_disk_class_initfn,
2750 };
2751 
2752 static void scsi_disk_register_types(void)
2753 {
2754     type_register_static(&scsi_hd_info);
2755     type_register_static(&scsi_cd_info);
2756 #ifdef __linux__
2757     type_register_static(&scsi_block_info);
2758 #endif
2759     type_register_static(&scsi_disk_info);
2760 }
2761 
2762 type_init(scsi_disk_register_types)
2763