xref: /openbmc/qemu/hw/scsi/scsi-disk.c (revision 8f0a3716)
1 /*
2  * SCSI Device emulation
3  *
4  * Copyright (c) 2006 CodeSourcery.
5  * Based on code by Fabrice Bellard
6  *
7  * Written by Paul Brook
8  * Modifications:
9  *  2009-Dec-12 Artyom Tarasenko : implemented stamdard inquiry for the case
10  *                                 when the allocation length of CDB is smaller
11  *                                 than 36.
12  *  2009-Oct-13 Artyom Tarasenko : implemented the block descriptor in the
13  *                                 MODE SENSE response.
14  *
15  * This code is licensed under the LGPL.
16  *
17  * Note that this file only handles the SCSI architecture model and device
18  * commands.  Emulation of interface/link layer protocols is handled by
19  * the host adapter emulator.
20  */
21 
22 //#define DEBUG_SCSI
23 
24 #ifdef DEBUG_SCSI
25 #define DPRINTF(fmt, ...) \
26 do { printf("scsi-disk: " fmt , ## __VA_ARGS__); } while (0)
27 #else
28 #define DPRINTF(fmt, ...) do {} while(0)
29 #endif
30 
31 #include "qemu/osdep.h"
32 #include "qapi/error.h"
33 #include "qemu/error-report.h"
34 #include "hw/scsi/scsi.h"
35 #include "scsi/constants.h"
36 #include "sysemu/sysemu.h"
37 #include "sysemu/block-backend.h"
38 #include "sysemu/blockdev.h"
39 #include "hw/block/block.h"
40 #include "sysemu/dma.h"
41 #include "qemu/cutils.h"
42 
43 #ifdef __linux
44 #include <scsi/sg.h>
45 #endif
46 
47 #define SCSI_WRITE_SAME_MAX         524288
48 #define SCSI_DMA_BUF_SIZE           131072
49 #define SCSI_MAX_INQUIRY_LEN        256
50 #define SCSI_MAX_MODE_LEN           256
51 
52 #define DEFAULT_DISCARD_GRANULARITY 4096
53 #define DEFAULT_MAX_UNMAP_SIZE      (1 << 30)   /* 1 GB */
54 #define DEFAULT_MAX_IO_SIZE         INT_MAX     /* 2 GB - 1 block */
55 
56 #define TYPE_SCSI_DISK_BASE         "scsi-disk-base"
57 
58 #define SCSI_DISK_BASE(obj) \
59      OBJECT_CHECK(SCSIDiskState, (obj), TYPE_SCSI_DISK_BASE)
60 #define SCSI_DISK_BASE_CLASS(klass) \
61      OBJECT_CLASS_CHECK(SCSIDiskClass, (klass), TYPE_SCSI_DISK_BASE)
62 #define SCSI_DISK_BASE_GET_CLASS(obj) \
63      OBJECT_GET_CLASS(SCSIDiskClass, (obj), TYPE_SCSI_DISK_BASE)
64 
65 typedef struct SCSIDiskClass {
66     SCSIDeviceClass parent_class;
67     DMAIOFunc       *dma_readv;
68     DMAIOFunc       *dma_writev;
69     bool            (*need_fua_emulation)(SCSICommand *cmd);
70 } SCSIDiskClass;
71 
72 typedef struct SCSIDiskReq {
73     SCSIRequest req;
74     /* Both sector and sector_count are in terms of qemu 512 byte blocks.  */
75     uint64_t sector;
76     uint32_t sector_count;
77     uint32_t buflen;
78     bool started;
79     bool need_fua_emulation;
80     struct iovec iov;
81     QEMUIOVector qiov;
82     BlockAcctCookie acct;
83     unsigned char *status;
84 } SCSIDiskReq;
85 
86 #define SCSI_DISK_F_REMOVABLE             0
87 #define SCSI_DISK_F_DPOFUA                1
88 #define SCSI_DISK_F_NO_REMOVABLE_DEVOPS   2
89 
90 typedef struct SCSIDiskState
91 {
92     SCSIDevice qdev;
93     uint32_t features;
94     bool media_changed;
95     bool media_event;
96     bool eject_request;
97     uint16_t port_index;
98     uint64_t max_unmap_size;
99     uint64_t max_io_size;
100     QEMUBH *bh;
101     char *version;
102     char *serial;
103     char *vendor;
104     char *product;
105     bool tray_open;
106     bool tray_locked;
107     /*
108      * 0x0000        - rotation rate not reported
109      * 0x0001        - non-rotating medium (SSD)
110      * 0x0002-0x0400 - reserved
111      * 0x0401-0xffe  - rotations per minute
112      * 0xffff        - reserved
113      */
114     uint16_t rotation_rate;
115 } SCSIDiskState;
116 
117 static bool scsi_handle_rw_error(SCSIDiskReq *r, int error, bool acct_failed);
118 
119 static void scsi_free_request(SCSIRequest *req)
120 {
121     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
122 
123     qemu_vfree(r->iov.iov_base);
124 }
125 
126 /* Helper function for command completion with sense.  */
127 static void scsi_check_condition(SCSIDiskReq *r, SCSISense sense)
128 {
129     DPRINTF("Command complete tag=0x%x sense=%d/%d/%d\n",
130             r->req.tag, sense.key, sense.asc, sense.ascq);
131     scsi_req_build_sense(&r->req, sense);
132     scsi_req_complete(&r->req, CHECK_CONDITION);
133 }
134 
135 static void scsi_init_iovec(SCSIDiskReq *r, size_t size)
136 {
137     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
138 
139     if (!r->iov.iov_base) {
140         r->buflen = size;
141         r->iov.iov_base = blk_blockalign(s->qdev.conf.blk, r->buflen);
142     }
143     r->iov.iov_len = MIN(r->sector_count * 512, r->buflen);
144     qemu_iovec_init_external(&r->qiov, &r->iov, 1);
145 }
146 
147 static void scsi_disk_save_request(QEMUFile *f, SCSIRequest *req)
148 {
149     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
150 
151     qemu_put_be64s(f, &r->sector);
152     qemu_put_be32s(f, &r->sector_count);
153     qemu_put_be32s(f, &r->buflen);
154     if (r->buflen) {
155         if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
156             qemu_put_buffer(f, r->iov.iov_base, r->iov.iov_len);
157         } else if (!req->retry) {
158             uint32_t len = r->iov.iov_len;
159             qemu_put_be32s(f, &len);
160             qemu_put_buffer(f, r->iov.iov_base, r->iov.iov_len);
161         }
162     }
163 }
164 
165 static void scsi_disk_load_request(QEMUFile *f, SCSIRequest *req)
166 {
167     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
168 
169     qemu_get_be64s(f, &r->sector);
170     qemu_get_be32s(f, &r->sector_count);
171     qemu_get_be32s(f, &r->buflen);
172     if (r->buflen) {
173         scsi_init_iovec(r, r->buflen);
174         if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
175             qemu_get_buffer(f, r->iov.iov_base, r->iov.iov_len);
176         } else if (!r->req.retry) {
177             uint32_t len;
178             qemu_get_be32s(f, &len);
179             r->iov.iov_len = len;
180             assert(r->iov.iov_len <= r->buflen);
181             qemu_get_buffer(f, r->iov.iov_base, r->iov.iov_len);
182         }
183     }
184 
185     qemu_iovec_init_external(&r->qiov, &r->iov, 1);
186 }
187 
188 static bool scsi_disk_req_check_error(SCSIDiskReq *r, int ret, bool acct_failed)
189 {
190     if (r->req.io_canceled) {
191         scsi_req_cancel_complete(&r->req);
192         return true;
193     }
194 
195     if (ret < 0 || (r->status && *r->status)) {
196         return scsi_handle_rw_error(r, -ret, acct_failed);
197     }
198 
199     return false;
200 }
201 
202 static void scsi_aio_complete(void *opaque, int ret)
203 {
204     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
205     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
206 
207     assert(r->req.aiocb != NULL);
208     r->req.aiocb = NULL;
209     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
210     if (scsi_disk_req_check_error(r, ret, true)) {
211         goto done;
212     }
213 
214     block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
215     scsi_req_complete(&r->req, GOOD);
216 
217 done:
218     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
219     scsi_req_unref(&r->req);
220 }
221 
222 static bool scsi_is_cmd_fua(SCSICommand *cmd)
223 {
224     switch (cmd->buf[0]) {
225     case READ_10:
226     case READ_12:
227     case READ_16:
228     case WRITE_10:
229     case WRITE_12:
230     case WRITE_16:
231         return (cmd->buf[1] & 8) != 0;
232 
233     case VERIFY_10:
234     case VERIFY_12:
235     case VERIFY_16:
236     case WRITE_VERIFY_10:
237     case WRITE_VERIFY_12:
238     case WRITE_VERIFY_16:
239         return true;
240 
241     case READ_6:
242     case WRITE_6:
243     default:
244         return false;
245     }
246 }
247 
248 static void scsi_write_do_fua(SCSIDiskReq *r)
249 {
250     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
251 
252     assert(r->req.aiocb == NULL);
253     assert(!r->req.io_canceled);
254 
255     if (r->need_fua_emulation) {
256         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct, 0,
257                          BLOCK_ACCT_FLUSH);
258         r->req.aiocb = blk_aio_flush(s->qdev.conf.blk, scsi_aio_complete, r);
259         return;
260     }
261 
262     scsi_req_complete(&r->req, GOOD);
263     scsi_req_unref(&r->req);
264 }
265 
266 static void scsi_dma_complete_noio(SCSIDiskReq *r, int ret)
267 {
268     assert(r->req.aiocb == NULL);
269     if (scsi_disk_req_check_error(r, ret, false)) {
270         goto done;
271     }
272 
273     r->sector += r->sector_count;
274     r->sector_count = 0;
275     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
276         scsi_write_do_fua(r);
277         return;
278     } else {
279         scsi_req_complete(&r->req, GOOD);
280     }
281 
282 done:
283     scsi_req_unref(&r->req);
284 }
285 
286 static void scsi_dma_complete(void *opaque, int ret)
287 {
288     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
289     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
290 
291     assert(r->req.aiocb != NULL);
292     r->req.aiocb = NULL;
293 
294     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
295     if (ret < 0) {
296         block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
297     } else {
298         block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
299     }
300     scsi_dma_complete_noio(r, ret);
301     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
302 }
303 
304 static void scsi_read_complete(void * opaque, int ret)
305 {
306     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
307     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
308     int n;
309 
310     assert(r->req.aiocb != NULL);
311     r->req.aiocb = NULL;
312     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
313     if (scsi_disk_req_check_error(r, ret, true)) {
314         goto done;
315     }
316 
317     block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
318     DPRINTF("Data ready tag=0x%x len=%zd\n", r->req.tag, r->qiov.size);
319 
320     n = r->qiov.size / 512;
321     r->sector += n;
322     r->sector_count -= n;
323     scsi_req_data(&r->req, r->qiov.size);
324 
325 done:
326     scsi_req_unref(&r->req);
327     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
328 }
329 
330 /* Actually issue a read to the block device.  */
331 static void scsi_do_read(SCSIDiskReq *r, int ret)
332 {
333     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
334     SCSIDiskClass *sdc = (SCSIDiskClass *) object_get_class(OBJECT(s));
335 
336     assert (r->req.aiocb == NULL);
337     if (scsi_disk_req_check_error(r, ret, false)) {
338         goto done;
339     }
340 
341     /* The request is used as the AIO opaque value, so add a ref.  */
342     scsi_req_ref(&r->req);
343 
344     if (r->req.sg) {
345         dma_acct_start(s->qdev.conf.blk, &r->acct, r->req.sg, BLOCK_ACCT_READ);
346         r->req.resid -= r->req.sg->size;
347         r->req.aiocb = dma_blk_io(blk_get_aio_context(s->qdev.conf.blk),
348                                   r->req.sg, r->sector << BDRV_SECTOR_BITS,
349                                   BDRV_SECTOR_SIZE,
350                                   sdc->dma_readv, r, scsi_dma_complete, r,
351                                   DMA_DIRECTION_FROM_DEVICE);
352     } else {
353         scsi_init_iovec(r, SCSI_DMA_BUF_SIZE);
354         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
355                          r->qiov.size, BLOCK_ACCT_READ);
356         r->req.aiocb = sdc->dma_readv(r->sector << BDRV_SECTOR_BITS, &r->qiov,
357                                       scsi_read_complete, r, r);
358     }
359 
360 done:
361     scsi_req_unref(&r->req);
362 }
363 
364 static void scsi_do_read_cb(void *opaque, int ret)
365 {
366     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
367     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
368 
369     assert (r->req.aiocb != NULL);
370     r->req.aiocb = NULL;
371 
372     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
373     if (ret < 0) {
374         block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
375     } else {
376         block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
377     }
378     scsi_do_read(opaque, ret);
379     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
380 }
381 
382 /* Read more data from scsi device into buffer.  */
383 static void scsi_read_data(SCSIRequest *req)
384 {
385     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
386     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
387     bool first;
388 
389     DPRINTF("Read sector_count=%d\n", r->sector_count);
390     if (r->sector_count == 0) {
391         /* This also clears the sense buffer for REQUEST SENSE.  */
392         scsi_req_complete(&r->req, GOOD);
393         return;
394     }
395 
396     /* No data transfer may already be in progress */
397     assert(r->req.aiocb == NULL);
398 
399     /* The request is used as the AIO opaque value, so add a ref.  */
400     scsi_req_ref(&r->req);
401     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
402         DPRINTF("Data transfer direction invalid\n");
403         scsi_read_complete(r, -EINVAL);
404         return;
405     }
406 
407     if (!blk_is_available(req->dev->conf.blk)) {
408         scsi_read_complete(r, -ENOMEDIUM);
409         return;
410     }
411 
412     first = !r->started;
413     r->started = true;
414     if (first && r->need_fua_emulation) {
415         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct, 0,
416                          BLOCK_ACCT_FLUSH);
417         r->req.aiocb = blk_aio_flush(s->qdev.conf.blk, scsi_do_read_cb, r);
418     } else {
419         scsi_do_read(r, 0);
420     }
421 }
422 
423 /*
424  * scsi_handle_rw_error has two return values.  False means that the error
425  * must be ignored, true means that the error has been processed and the
426  * caller should not do anything else for this request.  Note that
427  * scsi_handle_rw_error always manages its reference counts, independent
428  * of the return value.
429  */
430 static bool scsi_handle_rw_error(SCSIDiskReq *r, int error, bool acct_failed)
431 {
432     bool is_read = (r->req.cmd.mode == SCSI_XFER_FROM_DEV);
433     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
434     BlockErrorAction action = blk_get_error_action(s->qdev.conf.blk,
435                                                    is_read, error);
436 
437     if (action == BLOCK_ERROR_ACTION_REPORT) {
438         if (acct_failed) {
439             block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
440         }
441         switch (error) {
442         case 0:
443             /* The command has run, no need to fake sense.  */
444             assert(r->status && *r->status);
445             scsi_req_complete(&r->req, *r->status);
446             break;
447         case ENOMEDIUM:
448             scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
449             break;
450         case ENOMEM:
451             scsi_check_condition(r, SENSE_CODE(TARGET_FAILURE));
452             break;
453         case EINVAL:
454             scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
455             break;
456         case ENOSPC:
457             scsi_check_condition(r, SENSE_CODE(SPACE_ALLOC_FAILED));
458             break;
459         default:
460             scsi_check_condition(r, SENSE_CODE(IO_ERROR));
461             break;
462         }
463     }
464     if (!error) {
465         assert(r->status && *r->status);
466         error = scsi_sense_buf_to_errno(r->req.sense, sizeof(r->req.sense));
467 
468         if (error == ECANCELED || error == EAGAIN || error == ENOTCONN ||
469             error == 0)  {
470             /* These errors are handled by guest. */
471             scsi_req_complete(&r->req, *r->status);
472             return true;
473         }
474     }
475 
476     blk_error_action(s->qdev.conf.blk, action, is_read, error);
477     if (action == BLOCK_ERROR_ACTION_STOP) {
478         scsi_req_retry(&r->req);
479     }
480     return action != BLOCK_ERROR_ACTION_IGNORE;
481 }
482 
483 static void scsi_write_complete_noio(SCSIDiskReq *r, int ret)
484 {
485     uint32_t n;
486 
487     assert (r->req.aiocb == NULL);
488     if (scsi_disk_req_check_error(r, ret, false)) {
489         goto done;
490     }
491 
492     n = r->qiov.size / 512;
493     r->sector += n;
494     r->sector_count -= n;
495     if (r->sector_count == 0) {
496         scsi_write_do_fua(r);
497         return;
498     } else {
499         scsi_init_iovec(r, SCSI_DMA_BUF_SIZE);
500         DPRINTF("Write complete tag=0x%x more=%zd\n", r->req.tag, r->qiov.size);
501         scsi_req_data(&r->req, r->qiov.size);
502     }
503 
504 done:
505     scsi_req_unref(&r->req);
506 }
507 
508 static void scsi_write_complete(void * opaque, int ret)
509 {
510     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
511     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
512 
513     assert (r->req.aiocb != NULL);
514     r->req.aiocb = NULL;
515 
516     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
517     if (ret < 0) {
518         block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
519     } else {
520         block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
521     }
522     scsi_write_complete_noio(r, ret);
523     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
524 }
525 
526 static void scsi_write_data(SCSIRequest *req)
527 {
528     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
529     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
530     SCSIDiskClass *sdc = (SCSIDiskClass *) object_get_class(OBJECT(s));
531 
532     /* No data transfer may already be in progress */
533     assert(r->req.aiocb == NULL);
534 
535     /* The request is used as the AIO opaque value, so add a ref.  */
536     scsi_req_ref(&r->req);
537     if (r->req.cmd.mode != SCSI_XFER_TO_DEV) {
538         DPRINTF("Data transfer direction invalid\n");
539         scsi_write_complete_noio(r, -EINVAL);
540         return;
541     }
542 
543     if (!r->req.sg && !r->qiov.size) {
544         /* Called for the first time.  Ask the driver to send us more data.  */
545         r->started = true;
546         scsi_write_complete_noio(r, 0);
547         return;
548     }
549     if (!blk_is_available(req->dev->conf.blk)) {
550         scsi_write_complete_noio(r, -ENOMEDIUM);
551         return;
552     }
553 
554     if (r->req.cmd.buf[0] == VERIFY_10 || r->req.cmd.buf[0] == VERIFY_12 ||
555         r->req.cmd.buf[0] == VERIFY_16) {
556         if (r->req.sg) {
557             scsi_dma_complete_noio(r, 0);
558         } else {
559             scsi_write_complete_noio(r, 0);
560         }
561         return;
562     }
563 
564     if (r->req.sg) {
565         dma_acct_start(s->qdev.conf.blk, &r->acct, r->req.sg, BLOCK_ACCT_WRITE);
566         r->req.resid -= r->req.sg->size;
567         r->req.aiocb = dma_blk_io(blk_get_aio_context(s->qdev.conf.blk),
568                                   r->req.sg, r->sector << BDRV_SECTOR_BITS,
569                                   BDRV_SECTOR_SIZE,
570                                   sdc->dma_writev, r, scsi_dma_complete, r,
571                                   DMA_DIRECTION_TO_DEVICE);
572     } else {
573         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
574                          r->qiov.size, BLOCK_ACCT_WRITE);
575         r->req.aiocb = sdc->dma_writev(r->sector << BDRV_SECTOR_BITS, &r->qiov,
576                                        scsi_write_complete, r, r);
577     }
578 }
579 
580 /* Return a pointer to the data buffer.  */
581 static uint8_t *scsi_get_buf(SCSIRequest *req)
582 {
583     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
584 
585     return (uint8_t *)r->iov.iov_base;
586 }
587 
588 static int scsi_disk_emulate_inquiry(SCSIRequest *req, uint8_t *outbuf)
589 {
590     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
591     int buflen = 0;
592     int start;
593 
594     if (req->cmd.buf[1] & 0x1) {
595         /* Vital product data */
596         uint8_t page_code = req->cmd.buf[2];
597 
598         outbuf[buflen++] = s->qdev.type & 0x1f;
599         outbuf[buflen++] = page_code ; // this page
600         outbuf[buflen++] = 0x00;
601         outbuf[buflen++] = 0x00;
602         start = buflen;
603 
604         switch (page_code) {
605         case 0x00: /* Supported page codes, mandatory */
606         {
607             DPRINTF("Inquiry EVPD[Supported pages] "
608                     "buffer size %zd\n", req->cmd.xfer);
609             outbuf[buflen++] = 0x00; // list of supported pages (this page)
610             if (s->serial) {
611                 outbuf[buflen++] = 0x80; // unit serial number
612             }
613             outbuf[buflen++] = 0x83; // device identification
614             if (s->qdev.type == TYPE_DISK) {
615                 outbuf[buflen++] = 0xb0; // block limits
616                 outbuf[buflen++] = 0xb1; /* block device characteristics */
617                 outbuf[buflen++] = 0xb2; // thin provisioning
618             }
619             break;
620         }
621         case 0x80: /* Device serial number, optional */
622         {
623             int l;
624 
625             if (!s->serial) {
626                 DPRINTF("Inquiry (EVPD[Serial number] not supported\n");
627                 return -1;
628             }
629 
630             l = strlen(s->serial);
631             if (l > 36) {
632                 l = 36;
633             }
634 
635             DPRINTF("Inquiry EVPD[Serial number] "
636                     "buffer size %zd\n", req->cmd.xfer);
637             memcpy(outbuf+buflen, s->serial, l);
638             buflen += l;
639             break;
640         }
641 
642         case 0x83: /* Device identification page, mandatory */
643         {
644             const char *str = s->serial ?: blk_name(s->qdev.conf.blk);
645             int max_len = s->serial ? 20 : 255 - 8;
646             int id_len = strlen(str);
647 
648             if (id_len > max_len) {
649                 id_len = max_len;
650             }
651             DPRINTF("Inquiry EVPD[Device identification] "
652                     "buffer size %zd\n", req->cmd.xfer);
653 
654             outbuf[buflen++] = 0x2; // ASCII
655             outbuf[buflen++] = 0;   // not officially assigned
656             outbuf[buflen++] = 0;   // reserved
657             outbuf[buflen++] = id_len; // length of data following
658             memcpy(outbuf+buflen, str, id_len);
659             buflen += id_len;
660 
661             if (s->qdev.wwn) {
662                 outbuf[buflen++] = 0x1; // Binary
663                 outbuf[buflen++] = 0x3; // NAA
664                 outbuf[buflen++] = 0;   // reserved
665                 outbuf[buflen++] = 8;
666                 stq_be_p(&outbuf[buflen], s->qdev.wwn);
667                 buflen += 8;
668             }
669 
670             if (s->qdev.port_wwn) {
671                 outbuf[buflen++] = 0x61; // SAS / Binary
672                 outbuf[buflen++] = 0x93; // PIV / Target port / NAA
673                 outbuf[buflen++] = 0;    // reserved
674                 outbuf[buflen++] = 8;
675                 stq_be_p(&outbuf[buflen], s->qdev.port_wwn);
676                 buflen += 8;
677             }
678 
679             if (s->port_index) {
680                 outbuf[buflen++] = 0x61; // SAS / Binary
681                 outbuf[buflen++] = 0x94; // PIV / Target port / relative target port
682                 outbuf[buflen++] = 0;    // reserved
683                 outbuf[buflen++] = 4;
684                 stw_be_p(&outbuf[buflen + 2], s->port_index);
685                 buflen += 4;
686             }
687             break;
688         }
689         case 0xb0: /* block limits */
690         {
691             unsigned int unmap_sectors =
692                     s->qdev.conf.discard_granularity / s->qdev.blocksize;
693             unsigned int min_io_size =
694                     s->qdev.conf.min_io_size / s->qdev.blocksize;
695             unsigned int opt_io_size =
696                     s->qdev.conf.opt_io_size / s->qdev.blocksize;
697             unsigned int max_unmap_sectors =
698                     s->max_unmap_size / s->qdev.blocksize;
699             unsigned int max_io_sectors =
700                     s->max_io_size / s->qdev.blocksize;
701 
702             if (s->qdev.type == TYPE_ROM) {
703                 DPRINTF("Inquiry (EVPD[%02X] not supported for CDROM\n",
704                         page_code);
705                 return -1;
706             }
707             /* required VPD size with unmap support */
708             buflen = 0x40;
709             memset(outbuf + 4, 0, buflen - 4);
710 
711             outbuf[4] = 0x1; /* wsnz */
712 
713             /* optimal transfer length granularity */
714             outbuf[6] = (min_io_size >> 8) & 0xff;
715             outbuf[7] = min_io_size & 0xff;
716 
717             /* maximum transfer length */
718             outbuf[8] = (max_io_sectors >> 24) & 0xff;
719             outbuf[9] = (max_io_sectors >> 16) & 0xff;
720             outbuf[10] = (max_io_sectors >> 8) & 0xff;
721             outbuf[11] = max_io_sectors & 0xff;
722 
723             /* optimal transfer length */
724             outbuf[12] = (opt_io_size >> 24) & 0xff;
725             outbuf[13] = (opt_io_size >> 16) & 0xff;
726             outbuf[14] = (opt_io_size >> 8) & 0xff;
727             outbuf[15] = opt_io_size & 0xff;
728 
729             /* max unmap LBA count, default is 1GB */
730             outbuf[20] = (max_unmap_sectors >> 24) & 0xff;
731             outbuf[21] = (max_unmap_sectors >> 16) & 0xff;
732             outbuf[22] = (max_unmap_sectors >> 8) & 0xff;
733             outbuf[23] = max_unmap_sectors & 0xff;
734 
735             /* max unmap descriptors, 255 fit in 4 kb with an 8-byte header.  */
736             outbuf[24] = 0;
737             outbuf[25] = 0;
738             outbuf[26] = 0;
739             outbuf[27] = 255;
740 
741             /* optimal unmap granularity */
742             outbuf[28] = (unmap_sectors >> 24) & 0xff;
743             outbuf[29] = (unmap_sectors >> 16) & 0xff;
744             outbuf[30] = (unmap_sectors >> 8) & 0xff;
745             outbuf[31] = unmap_sectors & 0xff;
746 
747             /* max write same size */
748             outbuf[36] = 0;
749             outbuf[37] = 0;
750             outbuf[38] = 0;
751             outbuf[39] = 0;
752 
753             outbuf[40] = (max_io_sectors >> 24) & 0xff;
754             outbuf[41] = (max_io_sectors >> 16) & 0xff;
755             outbuf[42] = (max_io_sectors >> 8) & 0xff;
756             outbuf[43] = max_io_sectors & 0xff;
757             break;
758         }
759         case 0xb1: /* block device characteristics */
760         {
761             buflen = 8;
762             outbuf[4] = (s->rotation_rate >> 8) & 0xff;
763             outbuf[5] = s->rotation_rate & 0xff;
764             outbuf[6] = 0;
765             outbuf[7] = 0;
766             break;
767         }
768         case 0xb2: /* thin provisioning */
769         {
770             buflen = 8;
771             outbuf[4] = 0;
772             outbuf[5] = 0xe0; /* unmap & write_same 10/16 all supported */
773             outbuf[6] = s->qdev.conf.discard_granularity ? 2 : 1;
774             outbuf[7] = 0;
775             break;
776         }
777         default:
778             return -1;
779         }
780         /* done with EVPD */
781         assert(buflen - start <= 255);
782         outbuf[start - 1] = buflen - start;
783         return buflen;
784     }
785 
786     /* Standard INQUIRY data */
787     if (req->cmd.buf[2] != 0) {
788         return -1;
789     }
790 
791     /* PAGE CODE == 0 */
792     buflen = req->cmd.xfer;
793     if (buflen > SCSI_MAX_INQUIRY_LEN) {
794         buflen = SCSI_MAX_INQUIRY_LEN;
795     }
796 
797     outbuf[0] = s->qdev.type & 0x1f;
798     outbuf[1] = (s->features & (1 << SCSI_DISK_F_REMOVABLE)) ? 0x80 : 0;
799 
800     strpadcpy((char *) &outbuf[16], 16, s->product, ' ');
801     strpadcpy((char *) &outbuf[8], 8, s->vendor, ' ');
802 
803     memset(&outbuf[32], 0, 4);
804     memcpy(&outbuf[32], s->version, MIN(4, strlen(s->version)));
805     /*
806      * We claim conformance to SPC-3, which is required for guests
807      * to ask for modern features like READ CAPACITY(16) or the
808      * block characteristics VPD page by default.  Not all of SPC-3
809      * is actually implemented, but we're good enough.
810      */
811     outbuf[2] = 5;
812     outbuf[3] = 2 | 0x10; /* Format 2, HiSup */
813 
814     if (buflen > 36) {
815         outbuf[4] = buflen - 5; /* Additional Length = (Len - 1) - 4 */
816     } else {
817         /* If the allocation length of CDB is too small,
818                the additional length is not adjusted */
819         outbuf[4] = 36 - 5;
820     }
821 
822     /* Sync data transfer and TCQ.  */
823     outbuf[7] = 0x10 | (req->bus->info->tcq ? 0x02 : 0);
824     return buflen;
825 }
826 
827 static inline bool media_is_dvd(SCSIDiskState *s)
828 {
829     uint64_t nb_sectors;
830     if (s->qdev.type != TYPE_ROM) {
831         return false;
832     }
833     if (!blk_is_available(s->qdev.conf.blk)) {
834         return false;
835     }
836     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
837     return nb_sectors > CD_MAX_SECTORS;
838 }
839 
840 static inline bool media_is_cd(SCSIDiskState *s)
841 {
842     uint64_t nb_sectors;
843     if (s->qdev.type != TYPE_ROM) {
844         return false;
845     }
846     if (!blk_is_available(s->qdev.conf.blk)) {
847         return false;
848     }
849     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
850     return nb_sectors <= CD_MAX_SECTORS;
851 }
852 
853 static int scsi_read_disc_information(SCSIDiskState *s, SCSIDiskReq *r,
854                                       uint8_t *outbuf)
855 {
856     uint8_t type = r->req.cmd.buf[1] & 7;
857 
858     if (s->qdev.type != TYPE_ROM) {
859         return -1;
860     }
861 
862     /* Types 1/2 are only defined for Blu-Ray.  */
863     if (type != 0) {
864         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
865         return -1;
866     }
867 
868     memset(outbuf, 0, 34);
869     outbuf[1] = 32;
870     outbuf[2] = 0xe; /* last session complete, disc finalized */
871     outbuf[3] = 1;   /* first track on disc */
872     outbuf[4] = 1;   /* # of sessions */
873     outbuf[5] = 1;   /* first track of last session */
874     outbuf[6] = 1;   /* last track of last session */
875     outbuf[7] = 0x20; /* unrestricted use */
876     outbuf[8] = 0x00; /* CD-ROM or DVD-ROM */
877     /* 9-10-11: most significant byte corresponding bytes 4-5-6 */
878     /* 12-23: not meaningful for CD-ROM or DVD-ROM */
879     /* 24-31: disc bar code */
880     /* 32: disc application code */
881     /* 33: number of OPC tables */
882 
883     return 34;
884 }
885 
886 static int scsi_read_dvd_structure(SCSIDiskState *s, SCSIDiskReq *r,
887                                    uint8_t *outbuf)
888 {
889     static const int rds_caps_size[5] = {
890         [0] = 2048 + 4,
891         [1] = 4 + 4,
892         [3] = 188 + 4,
893         [4] = 2048 + 4,
894     };
895 
896     uint8_t media = r->req.cmd.buf[1];
897     uint8_t layer = r->req.cmd.buf[6];
898     uint8_t format = r->req.cmd.buf[7];
899     int size = -1;
900 
901     if (s->qdev.type != TYPE_ROM) {
902         return -1;
903     }
904     if (media != 0) {
905         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
906         return -1;
907     }
908 
909     if (format != 0xff) {
910         if (!blk_is_available(s->qdev.conf.blk)) {
911             scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
912             return -1;
913         }
914         if (media_is_cd(s)) {
915             scsi_check_condition(r, SENSE_CODE(INCOMPATIBLE_FORMAT));
916             return -1;
917         }
918         if (format >= ARRAY_SIZE(rds_caps_size)) {
919             return -1;
920         }
921         size = rds_caps_size[format];
922         memset(outbuf, 0, size);
923     }
924 
925     switch (format) {
926     case 0x00: {
927         /* Physical format information */
928         uint64_t nb_sectors;
929         if (layer != 0) {
930             goto fail;
931         }
932         blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
933 
934         outbuf[4] = 1;   /* DVD-ROM, part version 1 */
935         outbuf[5] = 0xf; /* 120mm disc, minimum rate unspecified */
936         outbuf[6] = 1;   /* one layer, read-only (per MMC-2 spec) */
937         outbuf[7] = 0;   /* default densities */
938 
939         stl_be_p(&outbuf[12], (nb_sectors >> 2) - 1); /* end sector */
940         stl_be_p(&outbuf[16], (nb_sectors >> 2) - 1); /* l0 end sector */
941         break;
942     }
943 
944     case 0x01: /* DVD copyright information, all zeros */
945         break;
946 
947     case 0x03: /* BCA information - invalid field for no BCA info */
948         return -1;
949 
950     case 0x04: /* DVD disc manufacturing information, all zeros */
951         break;
952 
953     case 0xff: { /* List capabilities */
954         int i;
955         size = 4;
956         for (i = 0; i < ARRAY_SIZE(rds_caps_size); i++) {
957             if (!rds_caps_size[i]) {
958                 continue;
959             }
960             outbuf[size] = i;
961             outbuf[size + 1] = 0x40; /* Not writable, readable */
962             stw_be_p(&outbuf[size + 2], rds_caps_size[i]);
963             size += 4;
964         }
965         break;
966      }
967 
968     default:
969         return -1;
970     }
971 
972     /* Size of buffer, not including 2 byte size field */
973     stw_be_p(outbuf, size - 2);
974     return size;
975 
976 fail:
977     return -1;
978 }
979 
980 static int scsi_event_status_media(SCSIDiskState *s, uint8_t *outbuf)
981 {
982     uint8_t event_code, media_status;
983 
984     media_status = 0;
985     if (s->tray_open) {
986         media_status = MS_TRAY_OPEN;
987     } else if (blk_is_inserted(s->qdev.conf.blk)) {
988         media_status = MS_MEDIA_PRESENT;
989     }
990 
991     /* Event notification descriptor */
992     event_code = MEC_NO_CHANGE;
993     if (media_status != MS_TRAY_OPEN) {
994         if (s->media_event) {
995             event_code = MEC_NEW_MEDIA;
996             s->media_event = false;
997         } else if (s->eject_request) {
998             event_code = MEC_EJECT_REQUESTED;
999             s->eject_request = false;
1000         }
1001     }
1002 
1003     outbuf[0] = event_code;
1004     outbuf[1] = media_status;
1005 
1006     /* These fields are reserved, just clear them. */
1007     outbuf[2] = 0;
1008     outbuf[3] = 0;
1009     return 4;
1010 }
1011 
1012 static int scsi_get_event_status_notification(SCSIDiskState *s, SCSIDiskReq *r,
1013                                               uint8_t *outbuf)
1014 {
1015     int size;
1016     uint8_t *buf = r->req.cmd.buf;
1017     uint8_t notification_class_request = buf[4];
1018     if (s->qdev.type != TYPE_ROM) {
1019         return -1;
1020     }
1021     if ((buf[1] & 1) == 0) {
1022         /* asynchronous */
1023         return -1;
1024     }
1025 
1026     size = 4;
1027     outbuf[0] = outbuf[1] = 0;
1028     outbuf[3] = 1 << GESN_MEDIA; /* supported events */
1029     if (notification_class_request & (1 << GESN_MEDIA)) {
1030         outbuf[2] = GESN_MEDIA;
1031         size += scsi_event_status_media(s, &outbuf[size]);
1032     } else {
1033         outbuf[2] = 0x80;
1034     }
1035     stw_be_p(outbuf, size - 4);
1036     return size;
1037 }
1038 
1039 static int scsi_get_configuration(SCSIDiskState *s, uint8_t *outbuf)
1040 {
1041     int current;
1042 
1043     if (s->qdev.type != TYPE_ROM) {
1044         return -1;
1045     }
1046 
1047     if (media_is_dvd(s)) {
1048         current = MMC_PROFILE_DVD_ROM;
1049     } else if (media_is_cd(s)) {
1050         current = MMC_PROFILE_CD_ROM;
1051     } else {
1052         current = MMC_PROFILE_NONE;
1053     }
1054 
1055     memset(outbuf, 0, 40);
1056     stl_be_p(&outbuf[0], 36); /* Bytes after the data length field */
1057     stw_be_p(&outbuf[6], current);
1058     /* outbuf[8] - outbuf[19]: Feature 0 - Profile list */
1059     outbuf[10] = 0x03; /* persistent, current */
1060     outbuf[11] = 8; /* two profiles */
1061     stw_be_p(&outbuf[12], MMC_PROFILE_DVD_ROM);
1062     outbuf[14] = (current == MMC_PROFILE_DVD_ROM);
1063     stw_be_p(&outbuf[16], MMC_PROFILE_CD_ROM);
1064     outbuf[18] = (current == MMC_PROFILE_CD_ROM);
1065     /* outbuf[20] - outbuf[31]: Feature 1 - Core feature */
1066     stw_be_p(&outbuf[20], 1);
1067     outbuf[22] = 0x08 | 0x03; /* version 2, persistent, current */
1068     outbuf[23] = 8;
1069     stl_be_p(&outbuf[24], 1); /* SCSI */
1070     outbuf[28] = 1; /* DBE = 1, mandatory */
1071     /* outbuf[32] - outbuf[39]: Feature 3 - Removable media feature */
1072     stw_be_p(&outbuf[32], 3);
1073     outbuf[34] = 0x08 | 0x03; /* version 2, persistent, current */
1074     outbuf[35] = 4;
1075     outbuf[36] = 0x39; /* tray, load=1, eject=1, unlocked at powerup, lock=1 */
1076     /* TODO: Random readable, CD read, DVD read, drive serial number,
1077        power management */
1078     return 40;
1079 }
1080 
1081 static int scsi_emulate_mechanism_status(SCSIDiskState *s, uint8_t *outbuf)
1082 {
1083     if (s->qdev.type != TYPE_ROM) {
1084         return -1;
1085     }
1086     memset(outbuf, 0, 8);
1087     outbuf[5] = 1; /* CD-ROM */
1088     return 8;
1089 }
1090 
1091 static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf,
1092                            int page_control)
1093 {
1094     static const int mode_sense_valid[0x3f] = {
1095         [MODE_PAGE_HD_GEOMETRY]            = (1 << TYPE_DISK),
1096         [MODE_PAGE_FLEXIBLE_DISK_GEOMETRY] = (1 << TYPE_DISK),
1097         [MODE_PAGE_CACHING]                = (1 << TYPE_DISK) | (1 << TYPE_ROM),
1098         [MODE_PAGE_R_W_ERROR]              = (1 << TYPE_DISK) | (1 << TYPE_ROM),
1099         [MODE_PAGE_AUDIO_CTL]              = (1 << TYPE_ROM),
1100         [MODE_PAGE_CAPABILITIES]           = (1 << TYPE_ROM),
1101     };
1102 
1103     uint8_t *p = *p_outbuf + 2;
1104     int length;
1105 
1106     if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) {
1107         return -1;
1108     }
1109 
1110     /*
1111      * If Changeable Values are requested, a mask denoting those mode parameters
1112      * that are changeable shall be returned. As we currently don't support
1113      * parameter changes via MODE_SELECT all bits are returned set to zero.
1114      * The buffer was already menset to zero by the caller of this function.
1115      *
1116      * The offsets here are off by two compared to the descriptions in the
1117      * SCSI specs, because those include a 2-byte header.  This is unfortunate,
1118      * but it is done so that offsets are consistent within our implementation
1119      * of MODE SENSE and MODE SELECT.  MODE SELECT has to deal with both
1120      * 2-byte and 4-byte headers.
1121      */
1122     switch (page) {
1123     case MODE_PAGE_HD_GEOMETRY:
1124         length = 0x16;
1125         if (page_control == 1) { /* Changeable Values */
1126             break;
1127         }
1128         /* if a geometry hint is available, use it */
1129         p[0] = (s->qdev.conf.cyls >> 16) & 0xff;
1130         p[1] = (s->qdev.conf.cyls >> 8) & 0xff;
1131         p[2] = s->qdev.conf.cyls & 0xff;
1132         p[3] = s->qdev.conf.heads & 0xff;
1133         /* Write precomp start cylinder, disabled */
1134         p[4] = (s->qdev.conf.cyls >> 16) & 0xff;
1135         p[5] = (s->qdev.conf.cyls >> 8) & 0xff;
1136         p[6] = s->qdev.conf.cyls & 0xff;
1137         /* Reduced current start cylinder, disabled */
1138         p[7] = (s->qdev.conf.cyls >> 16) & 0xff;
1139         p[8] = (s->qdev.conf.cyls >> 8) & 0xff;
1140         p[9] = s->qdev.conf.cyls & 0xff;
1141         /* Device step rate [ns], 200ns */
1142         p[10] = 0;
1143         p[11] = 200;
1144         /* Landing zone cylinder */
1145         p[12] = 0xff;
1146         p[13] =  0xff;
1147         p[14] = 0xff;
1148         /* Medium rotation rate [rpm], 5400 rpm */
1149         p[18] = (5400 >> 8) & 0xff;
1150         p[19] = 5400 & 0xff;
1151         break;
1152 
1153     case MODE_PAGE_FLEXIBLE_DISK_GEOMETRY:
1154         length = 0x1e;
1155         if (page_control == 1) { /* Changeable Values */
1156             break;
1157         }
1158         /* Transfer rate [kbit/s], 5Mbit/s */
1159         p[0] = 5000 >> 8;
1160         p[1] = 5000 & 0xff;
1161         /* if a geometry hint is available, use it */
1162         p[2] = s->qdev.conf.heads & 0xff;
1163         p[3] = s->qdev.conf.secs & 0xff;
1164         p[4] = s->qdev.blocksize >> 8;
1165         p[6] = (s->qdev.conf.cyls >> 8) & 0xff;
1166         p[7] = s->qdev.conf.cyls & 0xff;
1167         /* Write precomp start cylinder, disabled */
1168         p[8] = (s->qdev.conf.cyls >> 8) & 0xff;
1169         p[9] = s->qdev.conf.cyls & 0xff;
1170         /* Reduced current start cylinder, disabled */
1171         p[10] = (s->qdev.conf.cyls >> 8) & 0xff;
1172         p[11] = s->qdev.conf.cyls & 0xff;
1173         /* Device step rate [100us], 100us */
1174         p[12] = 0;
1175         p[13] = 1;
1176         /* Device step pulse width [us], 1us */
1177         p[14] = 1;
1178         /* Device head settle delay [100us], 100us */
1179         p[15] = 0;
1180         p[16] = 1;
1181         /* Motor on delay [0.1s], 0.1s */
1182         p[17] = 1;
1183         /* Motor off delay [0.1s], 0.1s */
1184         p[18] = 1;
1185         /* Medium rotation rate [rpm], 5400 rpm */
1186         p[26] = (5400 >> 8) & 0xff;
1187         p[27] = 5400 & 0xff;
1188         break;
1189 
1190     case MODE_PAGE_CACHING:
1191         length = 0x12;
1192         if (page_control == 1 || /* Changeable Values */
1193             blk_enable_write_cache(s->qdev.conf.blk)) {
1194             p[0] = 4; /* WCE */
1195         }
1196         break;
1197 
1198     case MODE_PAGE_R_W_ERROR:
1199         length = 10;
1200         if (page_control == 1) { /* Changeable Values */
1201             break;
1202         }
1203         p[0] = 0x80; /* Automatic Write Reallocation Enabled */
1204         if (s->qdev.type == TYPE_ROM) {
1205             p[1] = 0x20; /* Read Retry Count */
1206         }
1207         break;
1208 
1209     case MODE_PAGE_AUDIO_CTL:
1210         length = 14;
1211         break;
1212 
1213     case MODE_PAGE_CAPABILITIES:
1214         length = 0x14;
1215         if (page_control == 1) { /* Changeable Values */
1216             break;
1217         }
1218 
1219         p[0] = 0x3b; /* CD-R & CD-RW read */
1220         p[1] = 0; /* Writing not supported */
1221         p[2] = 0x7f; /* Audio, composite, digital out,
1222                         mode 2 form 1&2, multi session */
1223         p[3] = 0xff; /* CD DA, DA accurate, RW supported,
1224                         RW corrected, C2 errors, ISRC,
1225                         UPC, Bar code */
1226         p[4] = 0x2d | (s->tray_locked ? 2 : 0);
1227         /* Locking supported, jumper present, eject, tray */
1228         p[5] = 0; /* no volume & mute control, no
1229                      changer */
1230         p[6] = (50 * 176) >> 8; /* 50x read speed */
1231         p[7] = (50 * 176) & 0xff;
1232         p[8] = 2 >> 8; /* Two volume levels */
1233         p[9] = 2 & 0xff;
1234         p[10] = 2048 >> 8; /* 2M buffer */
1235         p[11] = 2048 & 0xff;
1236         p[12] = (16 * 176) >> 8; /* 16x read speed current */
1237         p[13] = (16 * 176) & 0xff;
1238         p[16] = (16 * 176) >> 8; /* 16x write speed */
1239         p[17] = (16 * 176) & 0xff;
1240         p[18] = (16 * 176) >> 8; /* 16x write speed current */
1241         p[19] = (16 * 176) & 0xff;
1242         break;
1243 
1244     default:
1245         return -1;
1246     }
1247 
1248     assert(length < 256);
1249     (*p_outbuf)[0] = page;
1250     (*p_outbuf)[1] = length;
1251     *p_outbuf += length + 2;
1252     return length + 2;
1253 }
1254 
1255 static int scsi_disk_emulate_mode_sense(SCSIDiskReq *r, uint8_t *outbuf)
1256 {
1257     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1258     uint64_t nb_sectors;
1259     bool dbd;
1260     int page, buflen, ret, page_control;
1261     uint8_t *p;
1262     uint8_t dev_specific_param;
1263 
1264     dbd = (r->req.cmd.buf[1] & 0x8) != 0;
1265     page = r->req.cmd.buf[2] & 0x3f;
1266     page_control = (r->req.cmd.buf[2] & 0xc0) >> 6;
1267     DPRINTF("Mode Sense(%d) (page %d, xfer %zd, page_control %d)\n",
1268         (r->req.cmd.buf[0] == MODE_SENSE) ? 6 : 10, page, r->req.cmd.xfer, page_control);
1269     memset(outbuf, 0, r->req.cmd.xfer);
1270     p = outbuf;
1271 
1272     if (s->qdev.type == TYPE_DISK) {
1273         dev_specific_param = s->features & (1 << SCSI_DISK_F_DPOFUA) ? 0x10 : 0;
1274         if (blk_is_read_only(s->qdev.conf.blk)) {
1275             dev_specific_param |= 0x80; /* Readonly.  */
1276         }
1277     } else {
1278         /* MMC prescribes that CD/DVD drives have no block descriptors,
1279          * and defines no device-specific parameter.  */
1280         dev_specific_param = 0x00;
1281         dbd = true;
1282     }
1283 
1284     if (r->req.cmd.buf[0] == MODE_SENSE) {
1285         p[1] = 0; /* Default media type.  */
1286         p[2] = dev_specific_param;
1287         p[3] = 0; /* Block descriptor length.  */
1288         p += 4;
1289     } else { /* MODE_SENSE_10 */
1290         p[2] = 0; /* Default media type.  */
1291         p[3] = dev_specific_param;
1292         p[6] = p[7] = 0; /* Block descriptor length.  */
1293         p += 8;
1294     }
1295 
1296     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
1297     if (!dbd && nb_sectors) {
1298         if (r->req.cmd.buf[0] == MODE_SENSE) {
1299             outbuf[3] = 8; /* Block descriptor length  */
1300         } else { /* MODE_SENSE_10 */
1301             outbuf[7] = 8; /* Block descriptor length  */
1302         }
1303         nb_sectors /= (s->qdev.blocksize / 512);
1304         if (nb_sectors > 0xffffff) {
1305             nb_sectors = 0;
1306         }
1307         p[0] = 0; /* media density code */
1308         p[1] = (nb_sectors >> 16) & 0xff;
1309         p[2] = (nb_sectors >> 8) & 0xff;
1310         p[3] = nb_sectors & 0xff;
1311         p[4] = 0; /* reserved */
1312         p[5] = 0; /* bytes 5-7 are the sector size in bytes */
1313         p[6] = s->qdev.blocksize >> 8;
1314         p[7] = 0;
1315         p += 8;
1316     }
1317 
1318     if (page_control == 3) {
1319         /* Saved Values */
1320         scsi_check_condition(r, SENSE_CODE(SAVING_PARAMS_NOT_SUPPORTED));
1321         return -1;
1322     }
1323 
1324     if (page == 0x3f) {
1325         for (page = 0; page <= 0x3e; page++) {
1326             mode_sense_page(s, page, &p, page_control);
1327         }
1328     } else {
1329         ret = mode_sense_page(s, page, &p, page_control);
1330         if (ret == -1) {
1331             return -1;
1332         }
1333     }
1334 
1335     buflen = p - outbuf;
1336     /*
1337      * The mode data length field specifies the length in bytes of the
1338      * following data that is available to be transferred. The mode data
1339      * length does not include itself.
1340      */
1341     if (r->req.cmd.buf[0] == MODE_SENSE) {
1342         outbuf[0] = buflen - 1;
1343     } else { /* MODE_SENSE_10 */
1344         outbuf[0] = ((buflen - 2) >> 8) & 0xff;
1345         outbuf[1] = (buflen - 2) & 0xff;
1346     }
1347     return buflen;
1348 }
1349 
1350 static int scsi_disk_emulate_read_toc(SCSIRequest *req, uint8_t *outbuf)
1351 {
1352     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1353     int start_track, format, msf, toclen;
1354     uint64_t nb_sectors;
1355 
1356     msf = req->cmd.buf[1] & 2;
1357     format = req->cmd.buf[2] & 0xf;
1358     start_track = req->cmd.buf[6];
1359     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
1360     DPRINTF("Read TOC (track %d format %d msf %d)\n", start_track, format, msf >> 1);
1361     nb_sectors /= s->qdev.blocksize / 512;
1362     switch (format) {
1363     case 0:
1364         toclen = cdrom_read_toc(nb_sectors, outbuf, msf, start_track);
1365         break;
1366     case 1:
1367         /* multi session : only a single session defined */
1368         toclen = 12;
1369         memset(outbuf, 0, 12);
1370         outbuf[1] = 0x0a;
1371         outbuf[2] = 0x01;
1372         outbuf[3] = 0x01;
1373         break;
1374     case 2:
1375         toclen = cdrom_read_toc_raw(nb_sectors, outbuf, msf, start_track);
1376         break;
1377     default:
1378         return -1;
1379     }
1380     return toclen;
1381 }
1382 
1383 static int scsi_disk_emulate_start_stop(SCSIDiskReq *r)
1384 {
1385     SCSIRequest *req = &r->req;
1386     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1387     bool start = req->cmd.buf[4] & 1;
1388     bool loej = req->cmd.buf[4] & 2; /* load on start, eject on !start */
1389     int pwrcnd = req->cmd.buf[4] & 0xf0;
1390 
1391     if (pwrcnd) {
1392         /* eject/load only happens for power condition == 0 */
1393         return 0;
1394     }
1395 
1396     if ((s->features & (1 << SCSI_DISK_F_REMOVABLE)) && loej) {
1397         if (!start && !s->tray_open && s->tray_locked) {
1398             scsi_check_condition(r,
1399                                  blk_is_inserted(s->qdev.conf.blk)
1400                                  ? SENSE_CODE(ILLEGAL_REQ_REMOVAL_PREVENTED)
1401                                  : SENSE_CODE(NOT_READY_REMOVAL_PREVENTED));
1402             return -1;
1403         }
1404 
1405         if (s->tray_open != !start) {
1406             blk_eject(s->qdev.conf.blk, !start);
1407             s->tray_open = !start;
1408         }
1409     }
1410     return 0;
1411 }
1412 
1413 static void scsi_disk_emulate_read_data(SCSIRequest *req)
1414 {
1415     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
1416     int buflen = r->iov.iov_len;
1417 
1418     if (buflen) {
1419         DPRINTF("Read buf_len=%d\n", buflen);
1420         r->iov.iov_len = 0;
1421         r->started = true;
1422         scsi_req_data(&r->req, buflen);
1423         return;
1424     }
1425 
1426     /* This also clears the sense buffer for REQUEST SENSE.  */
1427     scsi_req_complete(&r->req, GOOD);
1428 }
1429 
1430 static int scsi_disk_check_mode_select(SCSIDiskState *s, int page,
1431                                        uint8_t *inbuf, int inlen)
1432 {
1433     uint8_t mode_current[SCSI_MAX_MODE_LEN];
1434     uint8_t mode_changeable[SCSI_MAX_MODE_LEN];
1435     uint8_t *p;
1436     int len, expected_len, changeable_len, i;
1437 
1438     /* The input buffer does not include the page header, so it is
1439      * off by 2 bytes.
1440      */
1441     expected_len = inlen + 2;
1442     if (expected_len > SCSI_MAX_MODE_LEN) {
1443         return -1;
1444     }
1445 
1446     p = mode_current;
1447     memset(mode_current, 0, inlen + 2);
1448     len = mode_sense_page(s, page, &p, 0);
1449     if (len < 0 || len != expected_len) {
1450         return -1;
1451     }
1452 
1453     p = mode_changeable;
1454     memset(mode_changeable, 0, inlen + 2);
1455     changeable_len = mode_sense_page(s, page, &p, 1);
1456     assert(changeable_len == len);
1457 
1458     /* Check that unchangeable bits are the same as what MODE SENSE
1459      * would return.
1460      */
1461     for (i = 2; i < len; i++) {
1462         if (((mode_current[i] ^ inbuf[i - 2]) & ~mode_changeable[i]) != 0) {
1463             return -1;
1464         }
1465     }
1466     return 0;
1467 }
1468 
1469 static void scsi_disk_apply_mode_select(SCSIDiskState *s, int page, uint8_t *p)
1470 {
1471     switch (page) {
1472     case MODE_PAGE_CACHING:
1473         blk_set_enable_write_cache(s->qdev.conf.blk, (p[0] & 4) != 0);
1474         break;
1475 
1476     default:
1477         break;
1478     }
1479 }
1480 
1481 static int mode_select_pages(SCSIDiskReq *r, uint8_t *p, int len, bool change)
1482 {
1483     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1484 
1485     while (len > 0) {
1486         int page, subpage, page_len;
1487 
1488         /* Parse both possible formats for the mode page headers.  */
1489         page = p[0] & 0x3f;
1490         if (p[0] & 0x40) {
1491             if (len < 4) {
1492                 goto invalid_param_len;
1493             }
1494             subpage = p[1];
1495             page_len = lduw_be_p(&p[2]);
1496             p += 4;
1497             len -= 4;
1498         } else {
1499             if (len < 2) {
1500                 goto invalid_param_len;
1501             }
1502             subpage = 0;
1503             page_len = p[1];
1504             p += 2;
1505             len -= 2;
1506         }
1507 
1508         if (subpage) {
1509             goto invalid_param;
1510         }
1511         if (page_len > len) {
1512             goto invalid_param_len;
1513         }
1514 
1515         if (!change) {
1516             if (scsi_disk_check_mode_select(s, page, p, page_len) < 0) {
1517                 goto invalid_param;
1518             }
1519         } else {
1520             scsi_disk_apply_mode_select(s, page, p);
1521         }
1522 
1523         p += page_len;
1524         len -= page_len;
1525     }
1526     return 0;
1527 
1528 invalid_param:
1529     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM));
1530     return -1;
1531 
1532 invalid_param_len:
1533     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM_LEN));
1534     return -1;
1535 }
1536 
1537 static void scsi_disk_emulate_mode_select(SCSIDiskReq *r, uint8_t *inbuf)
1538 {
1539     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1540     uint8_t *p = inbuf;
1541     int cmd = r->req.cmd.buf[0];
1542     int len = r->req.cmd.xfer;
1543     int hdr_len = (cmd == MODE_SELECT ? 4 : 8);
1544     int bd_len;
1545     int pass;
1546 
1547     /* We only support PF=1, SP=0.  */
1548     if ((r->req.cmd.buf[1] & 0x11) != 0x10) {
1549         goto invalid_field;
1550     }
1551 
1552     if (len < hdr_len) {
1553         goto invalid_param_len;
1554     }
1555 
1556     bd_len = (cmd == MODE_SELECT ? p[3] : lduw_be_p(&p[6]));
1557     len -= hdr_len;
1558     p += hdr_len;
1559     if (len < bd_len) {
1560         goto invalid_param_len;
1561     }
1562     if (bd_len != 0 && bd_len != 8) {
1563         goto invalid_param;
1564     }
1565 
1566     len -= bd_len;
1567     p += bd_len;
1568 
1569     /* Ensure no change is made if there is an error!  */
1570     for (pass = 0; pass < 2; pass++) {
1571         if (mode_select_pages(r, p, len, pass == 1) < 0) {
1572             assert(pass == 0);
1573             return;
1574         }
1575     }
1576     if (!blk_enable_write_cache(s->qdev.conf.blk)) {
1577         /* The request is used as the AIO opaque value, so add a ref.  */
1578         scsi_req_ref(&r->req);
1579         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct, 0,
1580                          BLOCK_ACCT_FLUSH);
1581         r->req.aiocb = blk_aio_flush(s->qdev.conf.blk, scsi_aio_complete, r);
1582         return;
1583     }
1584 
1585     scsi_req_complete(&r->req, GOOD);
1586     return;
1587 
1588 invalid_param:
1589     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM));
1590     return;
1591 
1592 invalid_param_len:
1593     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM_LEN));
1594     return;
1595 
1596 invalid_field:
1597     scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1598 }
1599 
1600 static inline bool check_lba_range(SCSIDiskState *s,
1601                                    uint64_t sector_num, uint32_t nb_sectors)
1602 {
1603     /*
1604      * The first line tests that no overflow happens when computing the last
1605      * sector.  The second line tests that the last accessed sector is in
1606      * range.
1607      *
1608      * Careful, the computations should not underflow for nb_sectors == 0,
1609      * and a 0-block read to the first LBA beyond the end of device is
1610      * valid.
1611      */
1612     return (sector_num <= sector_num + nb_sectors &&
1613             sector_num + nb_sectors <= s->qdev.max_lba + 1);
1614 }
1615 
1616 typedef struct UnmapCBData {
1617     SCSIDiskReq *r;
1618     uint8_t *inbuf;
1619     int count;
1620 } UnmapCBData;
1621 
1622 static void scsi_unmap_complete(void *opaque, int ret);
1623 
1624 static void scsi_unmap_complete_noio(UnmapCBData *data, int ret)
1625 {
1626     SCSIDiskReq *r = data->r;
1627     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1628     uint64_t sector_num;
1629     uint32_t nb_sectors;
1630 
1631     assert(r->req.aiocb == NULL);
1632     if (scsi_disk_req_check_error(r, ret, false)) {
1633         goto done;
1634     }
1635 
1636     if (data->count > 0) {
1637         sector_num = ldq_be_p(&data->inbuf[0]);
1638         nb_sectors = ldl_be_p(&data->inbuf[8]) & 0xffffffffULL;
1639         if (!check_lba_range(s, sector_num, nb_sectors)) {
1640             scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
1641             goto done;
1642         }
1643 
1644         r->req.aiocb = blk_aio_pdiscard(s->qdev.conf.blk,
1645                                         sector_num * s->qdev.blocksize,
1646                                         nb_sectors * s->qdev.blocksize,
1647                                         scsi_unmap_complete, data);
1648         data->count--;
1649         data->inbuf += 16;
1650         return;
1651     }
1652 
1653     scsi_req_complete(&r->req, GOOD);
1654 
1655 done:
1656     scsi_req_unref(&r->req);
1657     g_free(data);
1658 }
1659 
1660 static void scsi_unmap_complete(void *opaque, int ret)
1661 {
1662     UnmapCBData *data = opaque;
1663     SCSIDiskReq *r = data->r;
1664     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1665 
1666     assert(r->req.aiocb != NULL);
1667     r->req.aiocb = NULL;
1668 
1669     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
1670     scsi_unmap_complete_noio(data, ret);
1671     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
1672 }
1673 
1674 static void scsi_disk_emulate_unmap(SCSIDiskReq *r, uint8_t *inbuf)
1675 {
1676     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1677     uint8_t *p = inbuf;
1678     int len = r->req.cmd.xfer;
1679     UnmapCBData *data;
1680 
1681     /* Reject ANCHOR=1.  */
1682     if (r->req.cmd.buf[1] & 0x1) {
1683         goto invalid_field;
1684     }
1685 
1686     if (len < 8) {
1687         goto invalid_param_len;
1688     }
1689     if (len < lduw_be_p(&p[0]) + 2) {
1690         goto invalid_param_len;
1691     }
1692     if (len < lduw_be_p(&p[2]) + 8) {
1693         goto invalid_param_len;
1694     }
1695     if (lduw_be_p(&p[2]) & 15) {
1696         goto invalid_param_len;
1697     }
1698 
1699     if (blk_is_read_only(s->qdev.conf.blk)) {
1700         scsi_check_condition(r, SENSE_CODE(WRITE_PROTECTED));
1701         return;
1702     }
1703 
1704     data = g_new0(UnmapCBData, 1);
1705     data->r = r;
1706     data->inbuf = &p[8];
1707     data->count = lduw_be_p(&p[2]) >> 4;
1708 
1709     /* The matching unref is in scsi_unmap_complete, before data is freed.  */
1710     scsi_req_ref(&r->req);
1711     scsi_unmap_complete_noio(data, 0);
1712     return;
1713 
1714 invalid_param_len:
1715     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM_LEN));
1716     return;
1717 
1718 invalid_field:
1719     scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1720 }
1721 
1722 typedef struct WriteSameCBData {
1723     SCSIDiskReq *r;
1724     int64_t sector;
1725     int nb_sectors;
1726     QEMUIOVector qiov;
1727     struct iovec iov;
1728 } WriteSameCBData;
1729 
1730 static void scsi_write_same_complete(void *opaque, int ret)
1731 {
1732     WriteSameCBData *data = opaque;
1733     SCSIDiskReq *r = data->r;
1734     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1735 
1736     assert(r->req.aiocb != NULL);
1737     r->req.aiocb = NULL;
1738     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
1739     if (scsi_disk_req_check_error(r, ret, true)) {
1740         goto done;
1741     }
1742 
1743     block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
1744 
1745     data->nb_sectors -= data->iov.iov_len / 512;
1746     data->sector += data->iov.iov_len / 512;
1747     data->iov.iov_len = MIN(data->nb_sectors * 512, data->iov.iov_len);
1748     if (data->iov.iov_len) {
1749         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
1750                          data->iov.iov_len, BLOCK_ACCT_WRITE);
1751         /* Reinitialize qiov, to handle unaligned WRITE SAME request
1752          * where final qiov may need smaller size */
1753         qemu_iovec_init_external(&data->qiov, &data->iov, 1);
1754         r->req.aiocb = blk_aio_pwritev(s->qdev.conf.blk,
1755                                        data->sector << BDRV_SECTOR_BITS,
1756                                        &data->qiov, 0,
1757                                        scsi_write_same_complete, data);
1758         aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
1759         return;
1760     }
1761 
1762     scsi_req_complete(&r->req, GOOD);
1763 
1764 done:
1765     scsi_req_unref(&r->req);
1766     qemu_vfree(data->iov.iov_base);
1767     g_free(data);
1768     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
1769 }
1770 
1771 static void scsi_disk_emulate_write_same(SCSIDiskReq *r, uint8_t *inbuf)
1772 {
1773     SCSIRequest *req = &r->req;
1774     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1775     uint32_t nb_sectors = scsi_data_cdb_xfer(r->req.cmd.buf);
1776     WriteSameCBData *data;
1777     uint8_t *buf;
1778     int i;
1779 
1780     /* Fail if PBDATA=1 or LBDATA=1 or ANCHOR=1.  */
1781     if (nb_sectors == 0 || (req->cmd.buf[1] & 0x16)) {
1782         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1783         return;
1784     }
1785 
1786     if (blk_is_read_only(s->qdev.conf.blk)) {
1787         scsi_check_condition(r, SENSE_CODE(WRITE_PROTECTED));
1788         return;
1789     }
1790     if (!check_lba_range(s, r->req.cmd.lba, nb_sectors)) {
1791         scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
1792         return;
1793     }
1794 
1795     if (buffer_is_zero(inbuf, s->qdev.blocksize)) {
1796         int flags = (req->cmd.buf[1] & 0x8) ? BDRV_REQ_MAY_UNMAP : 0;
1797 
1798         /* The request is used as the AIO opaque value, so add a ref.  */
1799         scsi_req_ref(&r->req);
1800         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
1801                          nb_sectors * s->qdev.blocksize,
1802                         BLOCK_ACCT_WRITE);
1803         r->req.aiocb = blk_aio_pwrite_zeroes(s->qdev.conf.blk,
1804                                 r->req.cmd.lba * s->qdev.blocksize,
1805                                 nb_sectors * s->qdev.blocksize,
1806                                 flags, scsi_aio_complete, r);
1807         return;
1808     }
1809 
1810     data = g_new0(WriteSameCBData, 1);
1811     data->r = r;
1812     data->sector = r->req.cmd.lba * (s->qdev.blocksize / 512);
1813     data->nb_sectors = nb_sectors * (s->qdev.blocksize / 512);
1814     data->iov.iov_len = MIN(data->nb_sectors * 512, SCSI_WRITE_SAME_MAX);
1815     data->iov.iov_base = buf = blk_blockalign(s->qdev.conf.blk,
1816                                               data->iov.iov_len);
1817     qemu_iovec_init_external(&data->qiov, &data->iov, 1);
1818 
1819     for (i = 0; i < data->iov.iov_len; i += s->qdev.blocksize) {
1820         memcpy(&buf[i], inbuf, s->qdev.blocksize);
1821     }
1822 
1823     scsi_req_ref(&r->req);
1824     block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
1825                      data->iov.iov_len, BLOCK_ACCT_WRITE);
1826     r->req.aiocb = blk_aio_pwritev(s->qdev.conf.blk,
1827                                    data->sector << BDRV_SECTOR_BITS,
1828                                    &data->qiov, 0,
1829                                    scsi_write_same_complete, data);
1830 }
1831 
1832 static void scsi_disk_emulate_write_data(SCSIRequest *req)
1833 {
1834     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
1835 
1836     if (r->iov.iov_len) {
1837         int buflen = r->iov.iov_len;
1838         DPRINTF("Write buf_len=%d\n", buflen);
1839         r->iov.iov_len = 0;
1840         scsi_req_data(&r->req, buflen);
1841         return;
1842     }
1843 
1844     switch (req->cmd.buf[0]) {
1845     case MODE_SELECT:
1846     case MODE_SELECT_10:
1847         /* This also clears the sense buffer for REQUEST SENSE.  */
1848         scsi_disk_emulate_mode_select(r, r->iov.iov_base);
1849         break;
1850 
1851     case UNMAP:
1852         scsi_disk_emulate_unmap(r, r->iov.iov_base);
1853         break;
1854 
1855     case VERIFY_10:
1856     case VERIFY_12:
1857     case VERIFY_16:
1858         if (r->req.status == -1) {
1859             scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1860         }
1861         break;
1862 
1863     case WRITE_SAME_10:
1864     case WRITE_SAME_16:
1865         scsi_disk_emulate_write_same(r, r->iov.iov_base);
1866         break;
1867 
1868     default:
1869         abort();
1870     }
1871 }
1872 
1873 static int32_t scsi_disk_emulate_command(SCSIRequest *req, uint8_t *buf)
1874 {
1875     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
1876     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1877     uint64_t nb_sectors;
1878     uint8_t *outbuf;
1879     int buflen;
1880 
1881     switch (req->cmd.buf[0]) {
1882     case INQUIRY:
1883     case MODE_SENSE:
1884     case MODE_SENSE_10:
1885     case RESERVE:
1886     case RESERVE_10:
1887     case RELEASE:
1888     case RELEASE_10:
1889     case START_STOP:
1890     case ALLOW_MEDIUM_REMOVAL:
1891     case GET_CONFIGURATION:
1892     case GET_EVENT_STATUS_NOTIFICATION:
1893     case MECHANISM_STATUS:
1894     case REQUEST_SENSE:
1895         break;
1896 
1897     default:
1898         if (!blk_is_available(s->qdev.conf.blk)) {
1899             scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
1900             return 0;
1901         }
1902         break;
1903     }
1904 
1905     /*
1906      * FIXME: we shouldn't return anything bigger than 4k, but the code
1907      * requires the buffer to be as big as req->cmd.xfer in several
1908      * places.  So, do not allow CDBs with a very large ALLOCATION
1909      * LENGTH.  The real fix would be to modify scsi_read_data and
1910      * dma_buf_read, so that they return data beyond the buflen
1911      * as all zeros.
1912      */
1913     if (req->cmd.xfer > 65536) {
1914         goto illegal_request;
1915     }
1916     r->buflen = MAX(4096, req->cmd.xfer);
1917 
1918     if (!r->iov.iov_base) {
1919         r->iov.iov_base = blk_blockalign(s->qdev.conf.blk, r->buflen);
1920     }
1921 
1922     buflen = req->cmd.xfer;
1923     outbuf = r->iov.iov_base;
1924     memset(outbuf, 0, r->buflen);
1925     switch (req->cmd.buf[0]) {
1926     case TEST_UNIT_READY:
1927         assert(blk_is_available(s->qdev.conf.blk));
1928         break;
1929     case INQUIRY:
1930         buflen = scsi_disk_emulate_inquiry(req, outbuf);
1931         if (buflen < 0) {
1932             goto illegal_request;
1933         }
1934         break;
1935     case MODE_SENSE:
1936     case MODE_SENSE_10:
1937         buflen = scsi_disk_emulate_mode_sense(r, outbuf);
1938         if (buflen < 0) {
1939             goto illegal_request;
1940         }
1941         break;
1942     case READ_TOC:
1943         buflen = scsi_disk_emulate_read_toc(req, outbuf);
1944         if (buflen < 0) {
1945             goto illegal_request;
1946         }
1947         break;
1948     case RESERVE:
1949         if (req->cmd.buf[1] & 1) {
1950             goto illegal_request;
1951         }
1952         break;
1953     case RESERVE_10:
1954         if (req->cmd.buf[1] & 3) {
1955             goto illegal_request;
1956         }
1957         break;
1958     case RELEASE:
1959         if (req->cmd.buf[1] & 1) {
1960             goto illegal_request;
1961         }
1962         break;
1963     case RELEASE_10:
1964         if (req->cmd.buf[1] & 3) {
1965             goto illegal_request;
1966         }
1967         break;
1968     case START_STOP:
1969         if (scsi_disk_emulate_start_stop(r) < 0) {
1970             return 0;
1971         }
1972         break;
1973     case ALLOW_MEDIUM_REMOVAL:
1974         s->tray_locked = req->cmd.buf[4] & 1;
1975         blk_lock_medium(s->qdev.conf.blk, req->cmd.buf[4] & 1);
1976         break;
1977     case READ_CAPACITY_10:
1978         /* The normal LEN field for this command is zero.  */
1979         memset(outbuf, 0, 8);
1980         blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
1981         if (!nb_sectors) {
1982             scsi_check_condition(r, SENSE_CODE(LUN_NOT_READY));
1983             return 0;
1984         }
1985         if ((req->cmd.buf[8] & 1) == 0 && req->cmd.lba) {
1986             goto illegal_request;
1987         }
1988         nb_sectors /= s->qdev.blocksize / 512;
1989         /* Returned value is the address of the last sector.  */
1990         nb_sectors--;
1991         /* Remember the new size for read/write sanity checking. */
1992         s->qdev.max_lba = nb_sectors;
1993         /* Clip to 2TB, instead of returning capacity modulo 2TB. */
1994         if (nb_sectors > UINT32_MAX) {
1995             nb_sectors = UINT32_MAX;
1996         }
1997         outbuf[0] = (nb_sectors >> 24) & 0xff;
1998         outbuf[1] = (nb_sectors >> 16) & 0xff;
1999         outbuf[2] = (nb_sectors >> 8) & 0xff;
2000         outbuf[3] = nb_sectors & 0xff;
2001         outbuf[4] = 0;
2002         outbuf[5] = 0;
2003         outbuf[6] = s->qdev.blocksize >> 8;
2004         outbuf[7] = 0;
2005         break;
2006     case REQUEST_SENSE:
2007         /* Just return "NO SENSE".  */
2008         buflen = scsi_convert_sense(NULL, 0, outbuf, r->buflen,
2009                                     (req->cmd.buf[1] & 1) == 0);
2010         if (buflen < 0) {
2011             goto illegal_request;
2012         }
2013         break;
2014     case MECHANISM_STATUS:
2015         buflen = scsi_emulate_mechanism_status(s, outbuf);
2016         if (buflen < 0) {
2017             goto illegal_request;
2018         }
2019         break;
2020     case GET_CONFIGURATION:
2021         buflen = scsi_get_configuration(s, outbuf);
2022         if (buflen < 0) {
2023             goto illegal_request;
2024         }
2025         break;
2026     case GET_EVENT_STATUS_NOTIFICATION:
2027         buflen = scsi_get_event_status_notification(s, r, outbuf);
2028         if (buflen < 0) {
2029             goto illegal_request;
2030         }
2031         break;
2032     case READ_DISC_INFORMATION:
2033         buflen = scsi_read_disc_information(s, r, outbuf);
2034         if (buflen < 0) {
2035             goto illegal_request;
2036         }
2037         break;
2038     case READ_DVD_STRUCTURE:
2039         buflen = scsi_read_dvd_structure(s, r, outbuf);
2040         if (buflen < 0) {
2041             goto illegal_request;
2042         }
2043         break;
2044     case SERVICE_ACTION_IN_16:
2045         /* Service Action In subcommands. */
2046         if ((req->cmd.buf[1] & 31) == SAI_READ_CAPACITY_16) {
2047             DPRINTF("SAI READ CAPACITY(16)\n");
2048             memset(outbuf, 0, req->cmd.xfer);
2049             blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
2050             if (!nb_sectors) {
2051                 scsi_check_condition(r, SENSE_CODE(LUN_NOT_READY));
2052                 return 0;
2053             }
2054             if ((req->cmd.buf[14] & 1) == 0 && req->cmd.lba) {
2055                 goto illegal_request;
2056             }
2057             nb_sectors /= s->qdev.blocksize / 512;
2058             /* Returned value is the address of the last sector.  */
2059             nb_sectors--;
2060             /* Remember the new size for read/write sanity checking. */
2061             s->qdev.max_lba = nb_sectors;
2062             outbuf[0] = (nb_sectors >> 56) & 0xff;
2063             outbuf[1] = (nb_sectors >> 48) & 0xff;
2064             outbuf[2] = (nb_sectors >> 40) & 0xff;
2065             outbuf[3] = (nb_sectors >> 32) & 0xff;
2066             outbuf[4] = (nb_sectors >> 24) & 0xff;
2067             outbuf[5] = (nb_sectors >> 16) & 0xff;
2068             outbuf[6] = (nb_sectors >> 8) & 0xff;
2069             outbuf[7] = nb_sectors & 0xff;
2070             outbuf[8] = 0;
2071             outbuf[9] = 0;
2072             outbuf[10] = s->qdev.blocksize >> 8;
2073             outbuf[11] = 0;
2074             outbuf[12] = 0;
2075             outbuf[13] = get_physical_block_exp(&s->qdev.conf);
2076 
2077             /* set TPE bit if the format supports discard */
2078             if (s->qdev.conf.discard_granularity) {
2079                 outbuf[14] = 0x80;
2080             }
2081 
2082             /* Protection, exponent and lowest lba field left blank. */
2083             break;
2084         }
2085         DPRINTF("Unsupported Service Action In\n");
2086         goto illegal_request;
2087     case SYNCHRONIZE_CACHE:
2088         /* The request is used as the AIO opaque value, so add a ref.  */
2089         scsi_req_ref(&r->req);
2090         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct, 0,
2091                          BLOCK_ACCT_FLUSH);
2092         r->req.aiocb = blk_aio_flush(s->qdev.conf.blk, scsi_aio_complete, r);
2093         return 0;
2094     case SEEK_10:
2095         DPRINTF("Seek(10) (sector %" PRId64 ")\n", r->req.cmd.lba);
2096         if (r->req.cmd.lba > s->qdev.max_lba) {
2097             goto illegal_lba;
2098         }
2099         break;
2100     case MODE_SELECT:
2101         DPRINTF("Mode Select(6) (len %lu)\n", (unsigned long)r->req.cmd.xfer);
2102         break;
2103     case MODE_SELECT_10:
2104         DPRINTF("Mode Select(10) (len %lu)\n", (unsigned long)r->req.cmd.xfer);
2105         break;
2106     case UNMAP:
2107         DPRINTF("Unmap (len %lu)\n", (unsigned long)r->req.cmd.xfer);
2108         break;
2109     case VERIFY_10:
2110     case VERIFY_12:
2111     case VERIFY_16:
2112         DPRINTF("Verify (bytchk %d)\n", (req->cmd.buf[1] >> 1) & 3);
2113         if (req->cmd.buf[1] & 6) {
2114             goto illegal_request;
2115         }
2116         break;
2117     case WRITE_SAME_10:
2118     case WRITE_SAME_16:
2119         DPRINTF("WRITE SAME %d (len %lu)\n",
2120                 req->cmd.buf[0] == WRITE_SAME_10 ? 10 : 16,
2121                 (unsigned long)r->req.cmd.xfer);
2122         break;
2123     default:
2124         DPRINTF("Unknown SCSI command (%2.2x=%s)\n", buf[0],
2125                 scsi_command_name(buf[0]));
2126         scsi_check_condition(r, SENSE_CODE(INVALID_OPCODE));
2127         return 0;
2128     }
2129     assert(!r->req.aiocb);
2130     r->iov.iov_len = MIN(r->buflen, req->cmd.xfer);
2131     if (r->iov.iov_len == 0) {
2132         scsi_req_complete(&r->req, GOOD);
2133     }
2134     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
2135         assert(r->iov.iov_len == req->cmd.xfer);
2136         return -r->iov.iov_len;
2137     } else {
2138         return r->iov.iov_len;
2139     }
2140 
2141 illegal_request:
2142     if (r->req.status == -1) {
2143         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
2144     }
2145     return 0;
2146 
2147 illegal_lba:
2148     scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
2149     return 0;
2150 }
2151 
2152 /* Execute a scsi command.  Returns the length of the data expected by the
2153    command.  This will be Positive for data transfers from the device
2154    (eg. disk reads), negative for transfers to the device (eg. disk writes),
2155    and zero if the command does not transfer any data.  */
2156 
2157 static int32_t scsi_disk_dma_command(SCSIRequest *req, uint8_t *buf)
2158 {
2159     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
2160     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
2161     SCSIDiskClass *sdc = (SCSIDiskClass *) object_get_class(OBJECT(s));
2162     uint32_t len;
2163     uint8_t command;
2164 
2165     command = buf[0];
2166 
2167     if (!blk_is_available(s->qdev.conf.blk)) {
2168         scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
2169         return 0;
2170     }
2171 
2172     len = scsi_data_cdb_xfer(r->req.cmd.buf);
2173     switch (command) {
2174     case READ_6:
2175     case READ_10:
2176     case READ_12:
2177     case READ_16:
2178         DPRINTF("Read (sector %" PRId64 ", count %u)\n", r->req.cmd.lba, len);
2179         if (r->req.cmd.buf[1] & 0xe0) {
2180             goto illegal_request;
2181         }
2182         if (!check_lba_range(s, r->req.cmd.lba, len)) {
2183             goto illegal_lba;
2184         }
2185         r->sector = r->req.cmd.lba * (s->qdev.blocksize / 512);
2186         r->sector_count = len * (s->qdev.blocksize / 512);
2187         break;
2188     case WRITE_6:
2189     case WRITE_10:
2190     case WRITE_12:
2191     case WRITE_16:
2192     case WRITE_VERIFY_10:
2193     case WRITE_VERIFY_12:
2194     case WRITE_VERIFY_16:
2195         if (blk_is_read_only(s->qdev.conf.blk)) {
2196             scsi_check_condition(r, SENSE_CODE(WRITE_PROTECTED));
2197             return 0;
2198         }
2199         DPRINTF("Write %s(sector %" PRId64 ", count %u)\n",
2200                 (command & 0xe) == 0xe ? "And Verify " : "",
2201                 r->req.cmd.lba, len);
2202         /* fall through */
2203     case VERIFY_10:
2204     case VERIFY_12:
2205     case VERIFY_16:
2206         /* We get here only for BYTCHK == 0x01 and only for scsi-block.
2207          * As far as DMA is concerned, we can treat it the same as a write;
2208          * scsi_block_do_sgio will send VERIFY commands.
2209          */
2210         if (r->req.cmd.buf[1] & 0xe0) {
2211             goto illegal_request;
2212         }
2213         if (!check_lba_range(s, r->req.cmd.lba, len)) {
2214             goto illegal_lba;
2215         }
2216         r->sector = r->req.cmd.lba * (s->qdev.blocksize / 512);
2217         r->sector_count = len * (s->qdev.blocksize / 512);
2218         break;
2219     default:
2220         abort();
2221     illegal_request:
2222         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
2223         return 0;
2224     illegal_lba:
2225         scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
2226         return 0;
2227     }
2228     r->need_fua_emulation = sdc->need_fua_emulation(&r->req.cmd);
2229     if (r->sector_count == 0) {
2230         scsi_req_complete(&r->req, GOOD);
2231     }
2232     assert(r->iov.iov_len == 0);
2233     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
2234         return -r->sector_count * 512;
2235     } else {
2236         return r->sector_count * 512;
2237     }
2238 }
2239 
2240 static void scsi_disk_reset(DeviceState *dev)
2241 {
2242     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev.qdev, dev);
2243     uint64_t nb_sectors;
2244 
2245     scsi_device_purge_requests(&s->qdev, SENSE_CODE(RESET));
2246 
2247     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
2248     nb_sectors /= s->qdev.blocksize / 512;
2249     if (nb_sectors) {
2250         nb_sectors--;
2251     }
2252     s->qdev.max_lba = nb_sectors;
2253     /* reset tray statuses */
2254     s->tray_locked = 0;
2255     s->tray_open = 0;
2256 }
2257 
2258 static void scsi_disk_resize_cb(void *opaque)
2259 {
2260     SCSIDiskState *s = opaque;
2261 
2262     /* SPC lists this sense code as available only for
2263      * direct-access devices.
2264      */
2265     if (s->qdev.type == TYPE_DISK) {
2266         scsi_device_report_change(&s->qdev, SENSE_CODE(CAPACITY_CHANGED));
2267     }
2268 }
2269 
2270 static void scsi_cd_change_media_cb(void *opaque, bool load, Error **errp)
2271 {
2272     SCSIDiskState *s = opaque;
2273 
2274     /*
2275      * When a CD gets changed, we have to report an ejected state and
2276      * then a loaded state to guests so that they detect tray
2277      * open/close and media change events.  Guests that do not use
2278      * GET_EVENT_STATUS_NOTIFICATION to detect such tray open/close
2279      * states rely on this behavior.
2280      *
2281      * media_changed governs the state machine used for unit attention
2282      * report.  media_event is used by GET EVENT STATUS NOTIFICATION.
2283      */
2284     s->media_changed = load;
2285     s->tray_open = !load;
2286     scsi_device_set_ua(&s->qdev, SENSE_CODE(UNIT_ATTENTION_NO_MEDIUM));
2287     s->media_event = true;
2288     s->eject_request = false;
2289 }
2290 
2291 static void scsi_cd_eject_request_cb(void *opaque, bool force)
2292 {
2293     SCSIDiskState *s = opaque;
2294 
2295     s->eject_request = true;
2296     if (force) {
2297         s->tray_locked = false;
2298     }
2299 }
2300 
2301 static bool scsi_cd_is_tray_open(void *opaque)
2302 {
2303     return ((SCSIDiskState *)opaque)->tray_open;
2304 }
2305 
2306 static bool scsi_cd_is_medium_locked(void *opaque)
2307 {
2308     return ((SCSIDiskState *)opaque)->tray_locked;
2309 }
2310 
2311 static const BlockDevOps scsi_disk_removable_block_ops = {
2312     .change_media_cb = scsi_cd_change_media_cb,
2313     .eject_request_cb = scsi_cd_eject_request_cb,
2314     .is_tray_open = scsi_cd_is_tray_open,
2315     .is_medium_locked = scsi_cd_is_medium_locked,
2316 
2317     .resize_cb = scsi_disk_resize_cb,
2318 };
2319 
2320 static const BlockDevOps scsi_disk_block_ops = {
2321     .resize_cb = scsi_disk_resize_cb,
2322 };
2323 
2324 static void scsi_disk_unit_attention_reported(SCSIDevice *dev)
2325 {
2326     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2327     if (s->media_changed) {
2328         s->media_changed = false;
2329         scsi_device_set_ua(&s->qdev, SENSE_CODE(MEDIUM_CHANGED));
2330     }
2331 }
2332 
2333 static void scsi_realize(SCSIDevice *dev, Error **errp)
2334 {
2335     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2336 
2337     if (!s->qdev.conf.blk) {
2338         error_setg(errp, "drive property not set");
2339         return;
2340     }
2341 
2342     if (!(s->features & (1 << SCSI_DISK_F_REMOVABLE)) &&
2343         !blk_is_inserted(s->qdev.conf.blk)) {
2344         error_setg(errp, "Device needs media, but drive is empty");
2345         return;
2346     }
2347 
2348     blkconf_serial(&s->qdev.conf, &s->serial);
2349     blkconf_blocksizes(&s->qdev.conf);
2350 
2351     if (s->qdev.conf.logical_block_size >
2352         s->qdev.conf.physical_block_size) {
2353         error_setg(errp,
2354                    "logical_block_size > physical_block_size not supported");
2355         return;
2356     }
2357 
2358     if (dev->type == TYPE_DISK) {
2359         if (!blkconf_geometry(&dev->conf, NULL, 65535, 255, 255, errp)) {
2360             return;
2361         }
2362     }
2363     if (!blkconf_apply_backend_options(&dev->conf,
2364                                        blk_is_read_only(s->qdev.conf.blk),
2365                                        dev->type == TYPE_DISK, errp)) {
2366         return;
2367     }
2368 
2369     if (s->qdev.conf.discard_granularity == -1) {
2370         s->qdev.conf.discard_granularity =
2371             MAX(s->qdev.conf.logical_block_size, DEFAULT_DISCARD_GRANULARITY);
2372     }
2373 
2374     if (!s->version) {
2375         s->version = g_strdup(qemu_hw_version());
2376     }
2377     if (!s->vendor) {
2378         s->vendor = g_strdup("QEMU");
2379     }
2380 
2381     if (blk_is_sg(s->qdev.conf.blk)) {
2382         error_setg(errp, "unwanted /dev/sg*");
2383         return;
2384     }
2385 
2386     if ((s->features & (1 << SCSI_DISK_F_REMOVABLE)) &&
2387             !(s->features & (1 << SCSI_DISK_F_NO_REMOVABLE_DEVOPS))) {
2388         blk_set_dev_ops(s->qdev.conf.blk, &scsi_disk_removable_block_ops, s);
2389     } else {
2390         blk_set_dev_ops(s->qdev.conf.blk, &scsi_disk_block_ops, s);
2391     }
2392     blk_set_guest_block_size(s->qdev.conf.blk, s->qdev.blocksize);
2393 
2394     blk_iostatus_enable(s->qdev.conf.blk);
2395 }
2396 
2397 static void scsi_hd_realize(SCSIDevice *dev, Error **errp)
2398 {
2399     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2400     /* can happen for devices without drive. The error message for missing
2401      * backend will be issued in scsi_realize
2402      */
2403     if (s->qdev.conf.blk) {
2404         blkconf_blocksizes(&s->qdev.conf);
2405     }
2406     s->qdev.blocksize = s->qdev.conf.logical_block_size;
2407     s->qdev.type = TYPE_DISK;
2408     if (!s->product) {
2409         s->product = g_strdup("QEMU HARDDISK");
2410     }
2411     scsi_realize(&s->qdev, errp);
2412 }
2413 
2414 static void scsi_cd_realize(SCSIDevice *dev, Error **errp)
2415 {
2416     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2417     int ret;
2418 
2419     if (!dev->conf.blk) {
2420         /* Anonymous BlockBackend for an empty drive. As we put it into
2421          * dev->conf, qdev takes care of detaching on unplug. */
2422         dev->conf.blk = blk_new(0, BLK_PERM_ALL);
2423         ret = blk_attach_dev(dev->conf.blk, &dev->qdev);
2424         assert(ret == 0);
2425     }
2426 
2427     s->qdev.blocksize = 2048;
2428     s->qdev.type = TYPE_ROM;
2429     s->features |= 1 << SCSI_DISK_F_REMOVABLE;
2430     if (!s->product) {
2431         s->product = g_strdup("QEMU CD-ROM");
2432     }
2433     scsi_realize(&s->qdev, errp);
2434 }
2435 
2436 static void scsi_disk_realize(SCSIDevice *dev, Error **errp)
2437 {
2438     DriveInfo *dinfo;
2439     Error *local_err = NULL;
2440 
2441     if (!dev->conf.blk) {
2442         scsi_realize(dev, &local_err);
2443         assert(local_err);
2444         error_propagate(errp, local_err);
2445         return;
2446     }
2447 
2448     dinfo = blk_legacy_dinfo(dev->conf.blk);
2449     if (dinfo && dinfo->media_cd) {
2450         scsi_cd_realize(dev, errp);
2451     } else {
2452         scsi_hd_realize(dev, errp);
2453     }
2454 }
2455 
2456 static const SCSIReqOps scsi_disk_emulate_reqops = {
2457     .size         = sizeof(SCSIDiskReq),
2458     .free_req     = scsi_free_request,
2459     .send_command = scsi_disk_emulate_command,
2460     .read_data    = scsi_disk_emulate_read_data,
2461     .write_data   = scsi_disk_emulate_write_data,
2462     .get_buf      = scsi_get_buf,
2463 };
2464 
2465 static const SCSIReqOps scsi_disk_dma_reqops = {
2466     .size         = sizeof(SCSIDiskReq),
2467     .free_req     = scsi_free_request,
2468     .send_command = scsi_disk_dma_command,
2469     .read_data    = scsi_read_data,
2470     .write_data   = scsi_write_data,
2471     .get_buf      = scsi_get_buf,
2472     .load_request = scsi_disk_load_request,
2473     .save_request = scsi_disk_save_request,
2474 };
2475 
2476 static const SCSIReqOps *const scsi_disk_reqops_dispatch[256] = {
2477     [TEST_UNIT_READY]                 = &scsi_disk_emulate_reqops,
2478     [INQUIRY]                         = &scsi_disk_emulate_reqops,
2479     [MODE_SENSE]                      = &scsi_disk_emulate_reqops,
2480     [MODE_SENSE_10]                   = &scsi_disk_emulate_reqops,
2481     [START_STOP]                      = &scsi_disk_emulate_reqops,
2482     [ALLOW_MEDIUM_REMOVAL]            = &scsi_disk_emulate_reqops,
2483     [READ_CAPACITY_10]                = &scsi_disk_emulate_reqops,
2484     [READ_TOC]                        = &scsi_disk_emulate_reqops,
2485     [READ_DVD_STRUCTURE]              = &scsi_disk_emulate_reqops,
2486     [READ_DISC_INFORMATION]           = &scsi_disk_emulate_reqops,
2487     [GET_CONFIGURATION]               = &scsi_disk_emulate_reqops,
2488     [GET_EVENT_STATUS_NOTIFICATION]   = &scsi_disk_emulate_reqops,
2489     [MECHANISM_STATUS]                = &scsi_disk_emulate_reqops,
2490     [SERVICE_ACTION_IN_16]            = &scsi_disk_emulate_reqops,
2491     [REQUEST_SENSE]                   = &scsi_disk_emulate_reqops,
2492     [SYNCHRONIZE_CACHE]               = &scsi_disk_emulate_reqops,
2493     [SEEK_10]                         = &scsi_disk_emulate_reqops,
2494     [MODE_SELECT]                     = &scsi_disk_emulate_reqops,
2495     [MODE_SELECT_10]                  = &scsi_disk_emulate_reqops,
2496     [UNMAP]                           = &scsi_disk_emulate_reqops,
2497     [WRITE_SAME_10]                   = &scsi_disk_emulate_reqops,
2498     [WRITE_SAME_16]                   = &scsi_disk_emulate_reqops,
2499     [VERIFY_10]                       = &scsi_disk_emulate_reqops,
2500     [VERIFY_12]                       = &scsi_disk_emulate_reqops,
2501     [VERIFY_16]                       = &scsi_disk_emulate_reqops,
2502 
2503     [READ_6]                          = &scsi_disk_dma_reqops,
2504     [READ_10]                         = &scsi_disk_dma_reqops,
2505     [READ_12]                         = &scsi_disk_dma_reqops,
2506     [READ_16]                         = &scsi_disk_dma_reqops,
2507     [WRITE_6]                         = &scsi_disk_dma_reqops,
2508     [WRITE_10]                        = &scsi_disk_dma_reqops,
2509     [WRITE_12]                        = &scsi_disk_dma_reqops,
2510     [WRITE_16]                        = &scsi_disk_dma_reqops,
2511     [WRITE_VERIFY_10]                 = &scsi_disk_dma_reqops,
2512     [WRITE_VERIFY_12]                 = &scsi_disk_dma_reqops,
2513     [WRITE_VERIFY_16]                 = &scsi_disk_dma_reqops,
2514 };
2515 
2516 static SCSIRequest *scsi_new_request(SCSIDevice *d, uint32_t tag, uint32_t lun,
2517                                      uint8_t *buf, void *hba_private)
2518 {
2519     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, d);
2520     SCSIRequest *req;
2521     const SCSIReqOps *ops;
2522     uint8_t command;
2523 
2524     command = buf[0];
2525     ops = scsi_disk_reqops_dispatch[command];
2526     if (!ops) {
2527         ops = &scsi_disk_emulate_reqops;
2528     }
2529     req = scsi_req_alloc(ops, &s->qdev, tag, lun, hba_private);
2530 
2531 #ifdef DEBUG_SCSI
2532     DPRINTF("Command: lun=%d tag=0x%x data=0x%02x", lun, tag, buf[0]);
2533     {
2534         int i;
2535         for (i = 1; i < scsi_cdb_length(buf); i++) {
2536             printf(" 0x%02x", buf[i]);
2537         }
2538         printf("\n");
2539     }
2540 #endif
2541 
2542     return req;
2543 }
2544 
2545 #ifdef __linux__
2546 static int get_device_type(SCSIDiskState *s)
2547 {
2548     uint8_t cmd[16];
2549     uint8_t buf[36];
2550     uint8_t sensebuf[8];
2551     sg_io_hdr_t io_header;
2552     int ret;
2553 
2554     memset(cmd, 0, sizeof(cmd));
2555     memset(buf, 0, sizeof(buf));
2556     cmd[0] = INQUIRY;
2557     cmd[4] = sizeof(buf);
2558 
2559     memset(&io_header, 0, sizeof(io_header));
2560     io_header.interface_id = 'S';
2561     io_header.dxfer_direction = SG_DXFER_FROM_DEV;
2562     io_header.dxfer_len = sizeof(buf);
2563     io_header.dxferp = buf;
2564     io_header.cmdp = cmd;
2565     io_header.cmd_len = sizeof(cmd);
2566     io_header.mx_sb_len = sizeof(sensebuf);
2567     io_header.sbp = sensebuf;
2568     io_header.timeout = 6000; /* XXX */
2569 
2570     ret = blk_ioctl(s->qdev.conf.blk, SG_IO, &io_header);
2571     if (ret < 0 || io_header.driver_status || io_header.host_status) {
2572         return -1;
2573     }
2574     s->qdev.type = buf[0];
2575     if (buf[1] & 0x80) {
2576         s->features |= 1 << SCSI_DISK_F_REMOVABLE;
2577     }
2578     return 0;
2579 }
2580 
2581 static void scsi_block_realize(SCSIDevice *dev, Error **errp)
2582 {
2583     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2584     int sg_version;
2585     int rc;
2586 
2587     if (!s->qdev.conf.blk) {
2588         error_setg(errp, "drive property not set");
2589         return;
2590     }
2591 
2592     /* check we are using a driver managing SG_IO (version 3 and after) */
2593     rc = blk_ioctl(s->qdev.conf.blk, SG_GET_VERSION_NUM, &sg_version);
2594     if (rc < 0) {
2595         error_setg(errp, "cannot get SG_IO version number: %s.  "
2596                      "Is this a SCSI device?",
2597                      strerror(-rc));
2598         return;
2599     }
2600     if (sg_version < 30000) {
2601         error_setg(errp, "scsi generic interface too old");
2602         return;
2603     }
2604 
2605     /* get device type from INQUIRY data */
2606     rc = get_device_type(s);
2607     if (rc < 0) {
2608         error_setg(errp, "INQUIRY failed");
2609         return;
2610     }
2611 
2612     /* Make a guess for the block size, we'll fix it when the guest sends.
2613      * READ CAPACITY.  If they don't, they likely would assume these sizes
2614      * anyway. (TODO: check in /sys).
2615      */
2616     if (s->qdev.type == TYPE_ROM || s->qdev.type == TYPE_WORM) {
2617         s->qdev.blocksize = 2048;
2618     } else {
2619         s->qdev.blocksize = 512;
2620     }
2621 
2622     /* Makes the scsi-block device not removable by using HMP and QMP eject
2623      * command.
2624      */
2625     s->features |= (1 << SCSI_DISK_F_NO_REMOVABLE_DEVOPS);
2626 
2627     scsi_realize(&s->qdev, errp);
2628     scsi_generic_read_device_identification(&s->qdev);
2629 }
2630 
2631 typedef struct SCSIBlockReq {
2632     SCSIDiskReq req;
2633     sg_io_hdr_t io_header;
2634 
2635     /* Selected bytes of the original CDB, copied into our own CDB.  */
2636     uint8_t cmd, cdb1, group_number;
2637 
2638     /* CDB passed to SG_IO.  */
2639     uint8_t cdb[16];
2640 } SCSIBlockReq;
2641 
2642 static BlockAIOCB *scsi_block_do_sgio(SCSIBlockReq *req,
2643                                       int64_t offset, QEMUIOVector *iov,
2644                                       int direction,
2645                                       BlockCompletionFunc *cb, void *opaque)
2646 {
2647     sg_io_hdr_t *io_header = &req->io_header;
2648     SCSIDiskReq *r = &req->req;
2649     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
2650     int nb_logical_blocks;
2651     uint64_t lba;
2652     BlockAIOCB *aiocb;
2653 
2654     /* This is not supported yet.  It can only happen if the guest does
2655      * reads and writes that are not aligned to one logical sectors
2656      * _and_ cover multiple MemoryRegions.
2657      */
2658     assert(offset % s->qdev.blocksize == 0);
2659     assert(iov->size % s->qdev.blocksize == 0);
2660 
2661     io_header->interface_id = 'S';
2662 
2663     /* The data transfer comes from the QEMUIOVector.  */
2664     io_header->dxfer_direction = direction;
2665     io_header->dxfer_len = iov->size;
2666     io_header->dxferp = (void *)iov->iov;
2667     io_header->iovec_count = iov->niov;
2668     assert(io_header->iovec_count == iov->niov); /* no overflow! */
2669 
2670     /* Build a new CDB with the LBA and length patched in, in case
2671      * DMA helpers split the transfer in multiple segments.  Do not
2672      * build a CDB smaller than what the guest wanted, and only build
2673      * a larger one if strictly necessary.
2674      */
2675     io_header->cmdp = req->cdb;
2676     lba = offset / s->qdev.blocksize;
2677     nb_logical_blocks = io_header->dxfer_len / s->qdev.blocksize;
2678 
2679     if ((req->cmd >> 5) == 0 && lba <= 0x1ffff) {
2680         /* 6-byte CDB */
2681         stl_be_p(&req->cdb[0], lba | (req->cmd << 24));
2682         req->cdb[4] = nb_logical_blocks;
2683         req->cdb[5] = 0;
2684         io_header->cmd_len = 6;
2685     } else if ((req->cmd >> 5) <= 1 && lba <= 0xffffffffULL) {
2686         /* 10-byte CDB */
2687         req->cdb[0] = (req->cmd & 0x1f) | 0x20;
2688         req->cdb[1] = req->cdb1;
2689         stl_be_p(&req->cdb[2], lba);
2690         req->cdb[6] = req->group_number;
2691         stw_be_p(&req->cdb[7], nb_logical_blocks);
2692         req->cdb[9] = 0;
2693         io_header->cmd_len = 10;
2694     } else if ((req->cmd >> 5) != 4 && lba <= 0xffffffffULL) {
2695         /* 12-byte CDB */
2696         req->cdb[0] = (req->cmd & 0x1f) | 0xA0;
2697         req->cdb[1] = req->cdb1;
2698         stl_be_p(&req->cdb[2], lba);
2699         stl_be_p(&req->cdb[6], nb_logical_blocks);
2700         req->cdb[10] = req->group_number;
2701         req->cdb[11] = 0;
2702         io_header->cmd_len = 12;
2703     } else {
2704         /* 16-byte CDB */
2705         req->cdb[0] = (req->cmd & 0x1f) | 0x80;
2706         req->cdb[1] = req->cdb1;
2707         stq_be_p(&req->cdb[2], lba);
2708         stl_be_p(&req->cdb[10], nb_logical_blocks);
2709         req->cdb[14] = req->group_number;
2710         req->cdb[15] = 0;
2711         io_header->cmd_len = 16;
2712     }
2713 
2714     /* The rest is as in scsi-generic.c.  */
2715     io_header->mx_sb_len = sizeof(r->req.sense);
2716     io_header->sbp = r->req.sense;
2717     io_header->timeout = UINT_MAX;
2718     io_header->usr_ptr = r;
2719     io_header->flags |= SG_FLAG_DIRECT_IO;
2720 
2721     aiocb = blk_aio_ioctl(s->qdev.conf.blk, SG_IO, io_header, cb, opaque);
2722     assert(aiocb != NULL);
2723     return aiocb;
2724 }
2725 
2726 static bool scsi_block_no_fua(SCSICommand *cmd)
2727 {
2728     return false;
2729 }
2730 
2731 static BlockAIOCB *scsi_block_dma_readv(int64_t offset,
2732                                         QEMUIOVector *iov,
2733                                         BlockCompletionFunc *cb, void *cb_opaque,
2734                                         void *opaque)
2735 {
2736     SCSIBlockReq *r = opaque;
2737     return scsi_block_do_sgio(r, offset, iov,
2738                               SG_DXFER_FROM_DEV, cb, cb_opaque);
2739 }
2740 
2741 static BlockAIOCB *scsi_block_dma_writev(int64_t offset,
2742                                          QEMUIOVector *iov,
2743                                          BlockCompletionFunc *cb, void *cb_opaque,
2744                                          void *opaque)
2745 {
2746     SCSIBlockReq *r = opaque;
2747     return scsi_block_do_sgio(r, offset, iov,
2748                               SG_DXFER_TO_DEV, cb, cb_opaque);
2749 }
2750 
2751 static bool scsi_block_is_passthrough(SCSIDiskState *s, uint8_t *buf)
2752 {
2753     switch (buf[0]) {
2754     case VERIFY_10:
2755     case VERIFY_12:
2756     case VERIFY_16:
2757         /* Check if BYTCHK == 0x01 (data-out buffer contains data
2758          * for the number of logical blocks specified in the length
2759          * field).  For other modes, do not use scatter/gather operation.
2760          */
2761         if ((buf[1] & 6) == 2) {
2762             return false;
2763         }
2764         break;
2765 
2766     case READ_6:
2767     case READ_10:
2768     case READ_12:
2769     case READ_16:
2770     case WRITE_6:
2771     case WRITE_10:
2772     case WRITE_12:
2773     case WRITE_16:
2774     case WRITE_VERIFY_10:
2775     case WRITE_VERIFY_12:
2776     case WRITE_VERIFY_16:
2777         /* MMC writing cannot be done via DMA helpers, because it sometimes
2778          * involves writing beyond the maximum LBA or to negative LBA (lead-in).
2779          * We might use scsi_block_dma_reqops as long as no writing commands are
2780          * seen, but performance usually isn't paramount on optical media.  So,
2781          * just make scsi-block operate the same as scsi-generic for them.
2782          */
2783         if (s->qdev.type != TYPE_ROM) {
2784             return false;
2785         }
2786         break;
2787 
2788     default:
2789         break;
2790     }
2791 
2792     return true;
2793 }
2794 
2795 
2796 static int32_t scsi_block_dma_command(SCSIRequest *req, uint8_t *buf)
2797 {
2798     SCSIBlockReq *r = (SCSIBlockReq *)req;
2799     r->cmd = req->cmd.buf[0];
2800     switch (r->cmd >> 5) {
2801     case 0:
2802         /* 6-byte CDB.  */
2803         r->cdb1 = r->group_number = 0;
2804         break;
2805     case 1:
2806         /* 10-byte CDB.  */
2807         r->cdb1 = req->cmd.buf[1];
2808         r->group_number = req->cmd.buf[6];
2809         break;
2810     case 4:
2811         /* 12-byte CDB.  */
2812         r->cdb1 = req->cmd.buf[1];
2813         r->group_number = req->cmd.buf[10];
2814         break;
2815     case 5:
2816         /* 16-byte CDB.  */
2817         r->cdb1 = req->cmd.buf[1];
2818         r->group_number = req->cmd.buf[14];
2819         break;
2820     default:
2821         abort();
2822     }
2823 
2824     if (r->cdb1 & 0xe0) {
2825         /* Protection information is not supported.  */
2826         scsi_check_condition(&r->req, SENSE_CODE(INVALID_FIELD));
2827         return 0;
2828     }
2829 
2830     r->req.status = &r->io_header.status;
2831     return scsi_disk_dma_command(req, buf);
2832 }
2833 
2834 static const SCSIReqOps scsi_block_dma_reqops = {
2835     .size         = sizeof(SCSIBlockReq),
2836     .free_req     = scsi_free_request,
2837     .send_command = scsi_block_dma_command,
2838     .read_data    = scsi_read_data,
2839     .write_data   = scsi_write_data,
2840     .get_buf      = scsi_get_buf,
2841     .load_request = scsi_disk_load_request,
2842     .save_request = scsi_disk_save_request,
2843 };
2844 
2845 static SCSIRequest *scsi_block_new_request(SCSIDevice *d, uint32_t tag,
2846                                            uint32_t lun, uint8_t *buf,
2847                                            void *hba_private)
2848 {
2849     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, d);
2850 
2851     if (scsi_block_is_passthrough(s, buf)) {
2852         return scsi_req_alloc(&scsi_generic_req_ops, &s->qdev, tag, lun,
2853                               hba_private);
2854     } else {
2855         return scsi_req_alloc(&scsi_block_dma_reqops, &s->qdev, tag, lun,
2856                               hba_private);
2857     }
2858 }
2859 
2860 static int scsi_block_parse_cdb(SCSIDevice *d, SCSICommand *cmd,
2861                                   uint8_t *buf, void *hba_private)
2862 {
2863     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, d);
2864 
2865     if (scsi_block_is_passthrough(s, buf)) {
2866         return scsi_bus_parse_cdb(&s->qdev, cmd, buf, hba_private);
2867     } else {
2868         return scsi_req_parse_cdb(&s->qdev, cmd, buf);
2869     }
2870 }
2871 
2872 #endif
2873 
2874 static
2875 BlockAIOCB *scsi_dma_readv(int64_t offset, QEMUIOVector *iov,
2876                            BlockCompletionFunc *cb, void *cb_opaque,
2877                            void *opaque)
2878 {
2879     SCSIDiskReq *r = opaque;
2880     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
2881     return blk_aio_preadv(s->qdev.conf.blk, offset, iov, 0, cb, cb_opaque);
2882 }
2883 
2884 static
2885 BlockAIOCB *scsi_dma_writev(int64_t offset, QEMUIOVector *iov,
2886                             BlockCompletionFunc *cb, void *cb_opaque,
2887                             void *opaque)
2888 {
2889     SCSIDiskReq *r = opaque;
2890     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
2891     return blk_aio_pwritev(s->qdev.conf.blk, offset, iov, 0, cb, cb_opaque);
2892 }
2893 
2894 static void scsi_disk_base_class_initfn(ObjectClass *klass, void *data)
2895 {
2896     DeviceClass *dc = DEVICE_CLASS(klass);
2897     SCSIDiskClass *sdc = SCSI_DISK_BASE_CLASS(klass);
2898 
2899     dc->fw_name = "disk";
2900     dc->reset = scsi_disk_reset;
2901     sdc->dma_readv = scsi_dma_readv;
2902     sdc->dma_writev = scsi_dma_writev;
2903     sdc->need_fua_emulation = scsi_is_cmd_fua;
2904 }
2905 
2906 static const TypeInfo scsi_disk_base_info = {
2907     .name          = TYPE_SCSI_DISK_BASE,
2908     .parent        = TYPE_SCSI_DEVICE,
2909     .class_init    = scsi_disk_base_class_initfn,
2910     .instance_size = sizeof(SCSIDiskState),
2911     .class_size    = sizeof(SCSIDiskClass),
2912     .abstract      = true,
2913 };
2914 
2915 #define DEFINE_SCSI_DISK_PROPERTIES()                                \
2916     DEFINE_BLOCK_PROPERTIES(SCSIDiskState, qdev.conf),               \
2917     DEFINE_BLOCK_ERROR_PROPERTIES(SCSIDiskState, qdev.conf),         \
2918     DEFINE_PROP_STRING("ver", SCSIDiskState, version),               \
2919     DEFINE_PROP_STRING("serial", SCSIDiskState, serial),             \
2920     DEFINE_PROP_STRING("vendor", SCSIDiskState, vendor),             \
2921     DEFINE_PROP_STRING("product", SCSIDiskState, product)
2922 
2923 static Property scsi_hd_properties[] = {
2924     DEFINE_SCSI_DISK_PROPERTIES(),
2925     DEFINE_PROP_BIT("removable", SCSIDiskState, features,
2926                     SCSI_DISK_F_REMOVABLE, false),
2927     DEFINE_PROP_BIT("dpofua", SCSIDiskState, features,
2928                     SCSI_DISK_F_DPOFUA, false),
2929     DEFINE_PROP_UINT64("wwn", SCSIDiskState, qdev.wwn, 0),
2930     DEFINE_PROP_UINT64("port_wwn", SCSIDiskState, qdev.port_wwn, 0),
2931     DEFINE_PROP_UINT16("port_index", SCSIDiskState, port_index, 0),
2932     DEFINE_PROP_UINT64("max_unmap_size", SCSIDiskState, max_unmap_size,
2933                        DEFAULT_MAX_UNMAP_SIZE),
2934     DEFINE_PROP_UINT64("max_io_size", SCSIDiskState, max_io_size,
2935                        DEFAULT_MAX_IO_SIZE),
2936     DEFINE_PROP_UINT16("rotation_rate", SCSIDiskState, rotation_rate, 0),
2937     DEFINE_BLOCK_CHS_PROPERTIES(SCSIDiskState, qdev.conf),
2938     DEFINE_PROP_END_OF_LIST(),
2939 };
2940 
2941 static const VMStateDescription vmstate_scsi_disk_state = {
2942     .name = "scsi-disk",
2943     .version_id = 1,
2944     .minimum_version_id = 1,
2945     .fields = (VMStateField[]) {
2946         VMSTATE_SCSI_DEVICE(qdev, SCSIDiskState),
2947         VMSTATE_BOOL(media_changed, SCSIDiskState),
2948         VMSTATE_BOOL(media_event, SCSIDiskState),
2949         VMSTATE_BOOL(eject_request, SCSIDiskState),
2950         VMSTATE_BOOL(tray_open, SCSIDiskState),
2951         VMSTATE_BOOL(tray_locked, SCSIDiskState),
2952         VMSTATE_END_OF_LIST()
2953     }
2954 };
2955 
2956 static void scsi_hd_class_initfn(ObjectClass *klass, void *data)
2957 {
2958     DeviceClass *dc = DEVICE_CLASS(klass);
2959     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
2960 
2961     sc->realize      = scsi_hd_realize;
2962     sc->alloc_req    = scsi_new_request;
2963     sc->unit_attention_reported = scsi_disk_unit_attention_reported;
2964     dc->desc = "virtual SCSI disk";
2965     dc->props = scsi_hd_properties;
2966     dc->vmsd  = &vmstate_scsi_disk_state;
2967 }
2968 
2969 static const TypeInfo scsi_hd_info = {
2970     .name          = "scsi-hd",
2971     .parent        = TYPE_SCSI_DISK_BASE,
2972     .class_init    = scsi_hd_class_initfn,
2973 };
2974 
2975 static Property scsi_cd_properties[] = {
2976     DEFINE_SCSI_DISK_PROPERTIES(),
2977     DEFINE_PROP_UINT64("wwn", SCSIDiskState, qdev.wwn, 0),
2978     DEFINE_PROP_UINT64("port_wwn", SCSIDiskState, qdev.port_wwn, 0),
2979     DEFINE_PROP_UINT16("port_index", SCSIDiskState, port_index, 0),
2980     DEFINE_PROP_UINT64("max_io_size", SCSIDiskState, max_io_size,
2981                        DEFAULT_MAX_IO_SIZE),
2982     DEFINE_PROP_END_OF_LIST(),
2983 };
2984 
2985 static void scsi_cd_class_initfn(ObjectClass *klass, void *data)
2986 {
2987     DeviceClass *dc = DEVICE_CLASS(klass);
2988     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
2989 
2990     sc->realize      = scsi_cd_realize;
2991     sc->alloc_req    = scsi_new_request;
2992     sc->unit_attention_reported = scsi_disk_unit_attention_reported;
2993     dc->desc = "virtual SCSI CD-ROM";
2994     dc->props = scsi_cd_properties;
2995     dc->vmsd  = &vmstate_scsi_disk_state;
2996 }
2997 
2998 static const TypeInfo scsi_cd_info = {
2999     .name          = "scsi-cd",
3000     .parent        = TYPE_SCSI_DISK_BASE,
3001     .class_init    = scsi_cd_class_initfn,
3002 };
3003 
3004 #ifdef __linux__
3005 static Property scsi_block_properties[] = {
3006     DEFINE_BLOCK_ERROR_PROPERTIES(SCSIDiskState, qdev.conf),         \
3007     DEFINE_PROP_DRIVE("drive", SCSIDiskState, qdev.conf.blk),
3008     DEFINE_PROP_BOOL("share-rw", SCSIDiskState, qdev.conf.share_rw, false),
3009     DEFINE_PROP_UINT16("rotation_rate", SCSIDiskState, rotation_rate, 0),
3010     DEFINE_PROP_END_OF_LIST(),
3011 };
3012 
3013 static void scsi_block_class_initfn(ObjectClass *klass, void *data)
3014 {
3015     DeviceClass *dc = DEVICE_CLASS(klass);
3016     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
3017     SCSIDiskClass *sdc = SCSI_DISK_BASE_CLASS(klass);
3018 
3019     sc->realize      = scsi_block_realize;
3020     sc->alloc_req    = scsi_block_new_request;
3021     sc->parse_cdb    = scsi_block_parse_cdb;
3022     sdc->dma_readv   = scsi_block_dma_readv;
3023     sdc->dma_writev  = scsi_block_dma_writev;
3024     sdc->need_fua_emulation = scsi_block_no_fua;
3025     dc->desc = "SCSI block device passthrough";
3026     dc->props = scsi_block_properties;
3027     dc->vmsd  = &vmstate_scsi_disk_state;
3028 }
3029 
3030 static const TypeInfo scsi_block_info = {
3031     .name          = "scsi-block",
3032     .parent        = TYPE_SCSI_DISK_BASE,
3033     .class_init    = scsi_block_class_initfn,
3034 };
3035 #endif
3036 
3037 static Property scsi_disk_properties[] = {
3038     DEFINE_SCSI_DISK_PROPERTIES(),
3039     DEFINE_PROP_BIT("removable", SCSIDiskState, features,
3040                     SCSI_DISK_F_REMOVABLE, false),
3041     DEFINE_PROP_BIT("dpofua", SCSIDiskState, features,
3042                     SCSI_DISK_F_DPOFUA, false),
3043     DEFINE_PROP_UINT64("wwn", SCSIDiskState, qdev.wwn, 0),
3044     DEFINE_PROP_UINT64("port_wwn", SCSIDiskState, qdev.port_wwn, 0),
3045     DEFINE_PROP_UINT16("port_index", SCSIDiskState, port_index, 0),
3046     DEFINE_PROP_UINT64("max_unmap_size", SCSIDiskState, max_unmap_size,
3047                        DEFAULT_MAX_UNMAP_SIZE),
3048     DEFINE_PROP_UINT64("max_io_size", SCSIDiskState, max_io_size,
3049                        DEFAULT_MAX_IO_SIZE),
3050     DEFINE_PROP_END_OF_LIST(),
3051 };
3052 
3053 static void scsi_disk_class_initfn(ObjectClass *klass, void *data)
3054 {
3055     DeviceClass *dc = DEVICE_CLASS(klass);
3056     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
3057 
3058     sc->realize      = scsi_disk_realize;
3059     sc->alloc_req    = scsi_new_request;
3060     sc->unit_attention_reported = scsi_disk_unit_attention_reported;
3061     dc->fw_name = "disk";
3062     dc->desc = "virtual SCSI disk or CD-ROM (legacy)";
3063     dc->reset = scsi_disk_reset;
3064     dc->props = scsi_disk_properties;
3065     dc->vmsd  = &vmstate_scsi_disk_state;
3066 }
3067 
3068 static const TypeInfo scsi_disk_info = {
3069     .name          = "scsi-disk",
3070     .parent        = TYPE_SCSI_DISK_BASE,
3071     .class_init    = scsi_disk_class_initfn,
3072 };
3073 
3074 static void scsi_disk_register_types(void)
3075 {
3076     type_register_static(&scsi_disk_base_info);
3077     type_register_static(&scsi_hd_info);
3078     type_register_static(&scsi_cd_info);
3079 #ifdef __linux__
3080     type_register_static(&scsi_block_info);
3081 #endif
3082     type_register_static(&scsi_disk_info);
3083 }
3084 
3085 type_init(scsi_disk_register_types)
3086