xref: /openbmc/qemu/hw/scsi/scsi-disk.c (revision 99d423e5)
1 /*
2  * SCSI Device emulation
3  *
4  * Copyright (c) 2006 CodeSourcery.
5  * Based on code by Fabrice Bellard
6  *
7  * Written by Paul Brook
8  * Modifications:
9  *  2009-Dec-12 Artyom Tarasenko : implemented stamdard inquiry for the case
10  *                                 when the allocation length of CDB is smaller
11  *                                 than 36.
12  *  2009-Oct-13 Artyom Tarasenko : implemented the block descriptor in the
13  *                                 MODE SENSE response.
14  *
15  * This code is licensed under the LGPL.
16  *
17  * Note that this file only handles the SCSI architecture model and device
18  * commands.  Emulation of interface/link layer protocols is handled by
19  * the host adapter emulator.
20  */
21 
22 #include "qemu/osdep.h"
23 #include "qemu/units.h"
24 #include "qapi/error.h"
25 #include "qemu/error-report.h"
26 #include "hw/scsi/scsi.h"
27 #include "hw/scsi/emulation.h"
28 #include "scsi/constants.h"
29 #include "sysemu/sysemu.h"
30 #include "sysemu/block-backend.h"
31 #include "sysemu/blockdev.h"
32 #include "hw/block/block.h"
33 #include "sysemu/dma.h"
34 #include "qemu/cutils.h"
35 #include "trace.h"
36 
37 #ifdef __linux
38 #include <scsi/sg.h>
39 #endif
40 
41 #define SCSI_WRITE_SAME_MAX         (512 * KiB)
42 #define SCSI_DMA_BUF_SIZE           (128 * KiB)
43 #define SCSI_MAX_INQUIRY_LEN        256
44 #define SCSI_MAX_MODE_LEN           256
45 
46 #define DEFAULT_DISCARD_GRANULARITY (4 * KiB)
47 #define DEFAULT_MAX_UNMAP_SIZE      (1 * GiB)
48 #define DEFAULT_MAX_IO_SIZE         INT_MAX     /* 2 GB - 1 block */
49 
50 #define TYPE_SCSI_DISK_BASE         "scsi-disk-base"
51 
52 #define SCSI_DISK_BASE(obj) \
53      OBJECT_CHECK(SCSIDiskState, (obj), TYPE_SCSI_DISK_BASE)
54 #define SCSI_DISK_BASE_CLASS(klass) \
55      OBJECT_CLASS_CHECK(SCSIDiskClass, (klass), TYPE_SCSI_DISK_BASE)
56 #define SCSI_DISK_BASE_GET_CLASS(obj) \
57      OBJECT_GET_CLASS(SCSIDiskClass, (obj), TYPE_SCSI_DISK_BASE)
58 
59 typedef struct SCSIDiskClass {
60     SCSIDeviceClass parent_class;
61     DMAIOFunc       *dma_readv;
62     DMAIOFunc       *dma_writev;
63     bool            (*need_fua_emulation)(SCSICommand *cmd);
64 } SCSIDiskClass;
65 
66 typedef struct SCSIDiskReq {
67     SCSIRequest req;
68     /* Both sector and sector_count are in terms of qemu 512 byte blocks.  */
69     uint64_t sector;
70     uint32_t sector_count;
71     uint32_t buflen;
72     bool started;
73     bool need_fua_emulation;
74     struct iovec iov;
75     QEMUIOVector qiov;
76     BlockAcctCookie acct;
77     unsigned char *status;
78 } SCSIDiskReq;
79 
80 #define SCSI_DISK_F_REMOVABLE             0
81 #define SCSI_DISK_F_DPOFUA                1
82 #define SCSI_DISK_F_NO_REMOVABLE_DEVOPS   2
83 
84 typedef struct SCSIDiskState
85 {
86     SCSIDevice qdev;
87     uint32_t features;
88     bool media_changed;
89     bool media_event;
90     bool eject_request;
91     uint16_t port_index;
92     uint64_t max_unmap_size;
93     uint64_t max_io_size;
94     QEMUBH *bh;
95     char *version;
96     char *serial;
97     char *vendor;
98     char *product;
99     char *device_id;
100     bool tray_open;
101     bool tray_locked;
102     /*
103      * 0x0000        - rotation rate not reported
104      * 0x0001        - non-rotating medium (SSD)
105      * 0x0002-0x0400 - reserved
106      * 0x0401-0xffe  - rotations per minute
107      * 0xffff        - reserved
108      */
109     uint16_t rotation_rate;
110 } SCSIDiskState;
111 
112 static bool scsi_handle_rw_error(SCSIDiskReq *r, int error, bool acct_failed);
113 
114 static void scsi_free_request(SCSIRequest *req)
115 {
116     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
117 
118     qemu_vfree(r->iov.iov_base);
119 }
120 
121 /* Helper function for command completion with sense.  */
122 static void scsi_check_condition(SCSIDiskReq *r, SCSISense sense)
123 {
124     trace_scsi_disk_check_condition(r->req.tag, sense.key, sense.asc,
125                                     sense.ascq);
126     scsi_req_build_sense(&r->req, sense);
127     scsi_req_complete(&r->req, CHECK_CONDITION);
128 }
129 
130 static void scsi_init_iovec(SCSIDiskReq *r, size_t size)
131 {
132     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
133 
134     if (!r->iov.iov_base) {
135         r->buflen = size;
136         r->iov.iov_base = blk_blockalign(s->qdev.conf.blk, r->buflen);
137     }
138     r->iov.iov_len = MIN(r->sector_count * 512, r->buflen);
139     qemu_iovec_init_external(&r->qiov, &r->iov, 1);
140 }
141 
142 static void scsi_disk_save_request(QEMUFile *f, SCSIRequest *req)
143 {
144     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
145 
146     qemu_put_be64s(f, &r->sector);
147     qemu_put_be32s(f, &r->sector_count);
148     qemu_put_be32s(f, &r->buflen);
149     if (r->buflen) {
150         if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
151             qemu_put_buffer(f, r->iov.iov_base, r->iov.iov_len);
152         } else if (!req->retry) {
153             uint32_t len = r->iov.iov_len;
154             qemu_put_be32s(f, &len);
155             qemu_put_buffer(f, r->iov.iov_base, r->iov.iov_len);
156         }
157     }
158 }
159 
160 static void scsi_disk_load_request(QEMUFile *f, SCSIRequest *req)
161 {
162     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
163 
164     qemu_get_be64s(f, &r->sector);
165     qemu_get_be32s(f, &r->sector_count);
166     qemu_get_be32s(f, &r->buflen);
167     if (r->buflen) {
168         scsi_init_iovec(r, r->buflen);
169         if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
170             qemu_get_buffer(f, r->iov.iov_base, r->iov.iov_len);
171         } else if (!r->req.retry) {
172             uint32_t len;
173             qemu_get_be32s(f, &len);
174             r->iov.iov_len = len;
175             assert(r->iov.iov_len <= r->buflen);
176             qemu_get_buffer(f, r->iov.iov_base, r->iov.iov_len);
177         }
178     }
179 
180     qemu_iovec_init_external(&r->qiov, &r->iov, 1);
181 }
182 
183 static bool scsi_disk_req_check_error(SCSIDiskReq *r, int ret, bool acct_failed)
184 {
185     if (r->req.io_canceled) {
186         scsi_req_cancel_complete(&r->req);
187         return true;
188     }
189 
190     if (ret < 0 || (r->status && *r->status)) {
191         return scsi_handle_rw_error(r, -ret, acct_failed);
192     }
193 
194     return false;
195 }
196 
197 static void scsi_aio_complete(void *opaque, int ret)
198 {
199     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
200     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
201 
202     assert(r->req.aiocb != NULL);
203     r->req.aiocb = NULL;
204     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
205     if (scsi_disk_req_check_error(r, ret, true)) {
206         goto done;
207     }
208 
209     block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
210     scsi_req_complete(&r->req, GOOD);
211 
212 done:
213     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
214     scsi_req_unref(&r->req);
215 }
216 
217 static bool scsi_is_cmd_fua(SCSICommand *cmd)
218 {
219     switch (cmd->buf[0]) {
220     case READ_10:
221     case READ_12:
222     case READ_16:
223     case WRITE_10:
224     case WRITE_12:
225     case WRITE_16:
226         return (cmd->buf[1] & 8) != 0;
227 
228     case VERIFY_10:
229     case VERIFY_12:
230     case VERIFY_16:
231     case WRITE_VERIFY_10:
232     case WRITE_VERIFY_12:
233     case WRITE_VERIFY_16:
234         return true;
235 
236     case READ_6:
237     case WRITE_6:
238     default:
239         return false;
240     }
241 }
242 
243 static void scsi_write_do_fua(SCSIDiskReq *r)
244 {
245     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
246 
247     assert(r->req.aiocb == NULL);
248     assert(!r->req.io_canceled);
249 
250     if (r->need_fua_emulation) {
251         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct, 0,
252                          BLOCK_ACCT_FLUSH);
253         r->req.aiocb = blk_aio_flush(s->qdev.conf.blk, scsi_aio_complete, r);
254         return;
255     }
256 
257     scsi_req_complete(&r->req, GOOD);
258     scsi_req_unref(&r->req);
259 }
260 
261 static void scsi_dma_complete_noio(SCSIDiskReq *r, int ret)
262 {
263     assert(r->req.aiocb == NULL);
264     if (scsi_disk_req_check_error(r, ret, false)) {
265         goto done;
266     }
267 
268     r->sector += r->sector_count;
269     r->sector_count = 0;
270     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
271         scsi_write_do_fua(r);
272         return;
273     } else {
274         scsi_req_complete(&r->req, GOOD);
275     }
276 
277 done:
278     scsi_req_unref(&r->req);
279 }
280 
281 static void scsi_dma_complete(void *opaque, int ret)
282 {
283     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
284     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
285 
286     assert(r->req.aiocb != NULL);
287     r->req.aiocb = NULL;
288 
289     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
290     if (ret < 0) {
291         block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
292     } else {
293         block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
294     }
295     scsi_dma_complete_noio(r, ret);
296     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
297 }
298 
299 static void scsi_read_complete_noio(SCSIDiskReq *r, int ret)
300 {
301     uint32_t n;
302 
303     assert(r->req.aiocb == NULL);
304     if (scsi_disk_req_check_error(r, ret, false)) {
305         goto done;
306     }
307 
308     n = r->qiov.size / 512;
309     r->sector += n;
310     r->sector_count -= n;
311     scsi_req_data(&r->req, r->qiov.size);
312 
313 done:
314     scsi_req_unref(&r->req);
315 }
316 
317 static void scsi_read_complete(void *opaque, int ret)
318 {
319     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
320     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
321 
322     assert(r->req.aiocb != NULL);
323     r->req.aiocb = NULL;
324 
325     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
326     if (ret < 0) {
327         block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
328     } else {
329         block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
330         trace_scsi_disk_read_complete(r->req.tag, r->qiov.size);
331     }
332     scsi_read_complete_noio(r, ret);
333     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
334 }
335 
336 /* Actually issue a read to the block device.  */
337 static void scsi_do_read(SCSIDiskReq *r, int ret)
338 {
339     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
340     SCSIDiskClass *sdc = (SCSIDiskClass *) object_get_class(OBJECT(s));
341 
342     assert (r->req.aiocb == NULL);
343     if (scsi_disk_req_check_error(r, ret, false)) {
344         goto done;
345     }
346 
347     /* The request is used as the AIO opaque value, so add a ref.  */
348     scsi_req_ref(&r->req);
349 
350     if (r->req.sg) {
351         dma_acct_start(s->qdev.conf.blk, &r->acct, r->req.sg, BLOCK_ACCT_READ);
352         r->req.resid -= r->req.sg->size;
353         r->req.aiocb = dma_blk_io(blk_get_aio_context(s->qdev.conf.blk),
354                                   r->req.sg, r->sector << BDRV_SECTOR_BITS,
355                                   BDRV_SECTOR_SIZE,
356                                   sdc->dma_readv, r, scsi_dma_complete, r,
357                                   DMA_DIRECTION_FROM_DEVICE);
358     } else {
359         scsi_init_iovec(r, SCSI_DMA_BUF_SIZE);
360         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
361                          r->qiov.size, BLOCK_ACCT_READ);
362         r->req.aiocb = sdc->dma_readv(r->sector << BDRV_SECTOR_BITS, &r->qiov,
363                                       scsi_read_complete, r, r);
364     }
365 
366 done:
367     scsi_req_unref(&r->req);
368 }
369 
370 static void scsi_do_read_cb(void *opaque, int ret)
371 {
372     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
373     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
374 
375     assert (r->req.aiocb != NULL);
376     r->req.aiocb = NULL;
377 
378     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
379     if (ret < 0) {
380         block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
381     } else {
382         block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
383     }
384     scsi_do_read(opaque, ret);
385     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
386 }
387 
388 /* Read more data from scsi device into buffer.  */
389 static void scsi_read_data(SCSIRequest *req)
390 {
391     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
392     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
393     bool first;
394 
395     trace_scsi_disk_read_data_count(r->sector_count);
396     if (r->sector_count == 0) {
397         /* This also clears the sense buffer for REQUEST SENSE.  */
398         scsi_req_complete(&r->req, GOOD);
399         return;
400     }
401 
402     /* No data transfer may already be in progress */
403     assert(r->req.aiocb == NULL);
404 
405     /* The request is used as the AIO opaque value, so add a ref.  */
406     scsi_req_ref(&r->req);
407     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
408         trace_scsi_disk_read_data_invalid();
409         scsi_read_complete_noio(r, -EINVAL);
410         return;
411     }
412 
413     if (!blk_is_available(req->dev->conf.blk)) {
414         scsi_read_complete_noio(r, -ENOMEDIUM);
415         return;
416     }
417 
418     first = !r->started;
419     r->started = true;
420     if (first && r->need_fua_emulation) {
421         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct, 0,
422                          BLOCK_ACCT_FLUSH);
423         r->req.aiocb = blk_aio_flush(s->qdev.conf.blk, scsi_do_read_cb, r);
424     } else {
425         scsi_do_read(r, 0);
426     }
427 }
428 
429 /*
430  * scsi_handle_rw_error has two return values.  False means that the error
431  * must be ignored, true means that the error has been processed and the
432  * caller should not do anything else for this request.  Note that
433  * scsi_handle_rw_error always manages its reference counts, independent
434  * of the return value.
435  */
436 static bool scsi_handle_rw_error(SCSIDiskReq *r, int error, bool acct_failed)
437 {
438     bool is_read = (r->req.cmd.mode == SCSI_XFER_FROM_DEV);
439     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
440     BlockErrorAction action = blk_get_error_action(s->qdev.conf.blk,
441                                                    is_read, error);
442 
443     if (action == BLOCK_ERROR_ACTION_REPORT) {
444         if (acct_failed) {
445             block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
446         }
447         switch (error) {
448         case 0:
449             /* A passthrough command has run and has produced sense data; check
450              * whether the error has to be handled by the guest or should rather
451              * pause the host.
452              */
453             assert(r->status && *r->status);
454             error = scsi_sense_buf_to_errno(r->req.sense, sizeof(r->req.sense));
455             if (error == ECANCELED || error == EAGAIN || error == ENOTCONN ||
456                 error == 0)  {
457                 /* These errors are handled by guest. */
458                 scsi_req_complete(&r->req, *r->status);
459                 return true;
460             }
461             break;
462         case ENOMEDIUM:
463             scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
464             break;
465         case ENOMEM:
466             scsi_check_condition(r, SENSE_CODE(TARGET_FAILURE));
467             break;
468         case EINVAL:
469             scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
470             break;
471         case ENOSPC:
472             scsi_check_condition(r, SENSE_CODE(SPACE_ALLOC_FAILED));
473             break;
474         default:
475             scsi_check_condition(r, SENSE_CODE(IO_ERROR));
476             break;
477         }
478     }
479 
480     blk_error_action(s->qdev.conf.blk, action, is_read, error);
481     if (action == BLOCK_ERROR_ACTION_IGNORE) {
482         scsi_req_complete(&r->req, 0);
483         return true;
484     }
485 
486     if (action == BLOCK_ERROR_ACTION_STOP) {
487         scsi_req_retry(&r->req);
488     }
489     return true;
490 }
491 
492 static void scsi_write_complete_noio(SCSIDiskReq *r, int ret)
493 {
494     uint32_t n;
495 
496     assert (r->req.aiocb == NULL);
497     if (scsi_disk_req_check_error(r, ret, false)) {
498         goto done;
499     }
500 
501     n = r->qiov.size / 512;
502     r->sector += n;
503     r->sector_count -= n;
504     if (r->sector_count == 0) {
505         scsi_write_do_fua(r);
506         return;
507     } else {
508         scsi_init_iovec(r, SCSI_DMA_BUF_SIZE);
509         trace_scsi_disk_write_complete_noio(r->req.tag, r->qiov.size);
510         scsi_req_data(&r->req, r->qiov.size);
511     }
512 
513 done:
514     scsi_req_unref(&r->req);
515 }
516 
517 static void scsi_write_complete(void * opaque, int ret)
518 {
519     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
520     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
521 
522     assert (r->req.aiocb != NULL);
523     r->req.aiocb = NULL;
524 
525     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
526     if (ret < 0) {
527         block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
528     } else {
529         block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
530     }
531     scsi_write_complete_noio(r, ret);
532     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
533 }
534 
535 static void scsi_write_data(SCSIRequest *req)
536 {
537     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
538     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
539     SCSIDiskClass *sdc = (SCSIDiskClass *) object_get_class(OBJECT(s));
540 
541     /* No data transfer may already be in progress */
542     assert(r->req.aiocb == NULL);
543 
544     /* The request is used as the AIO opaque value, so add a ref.  */
545     scsi_req_ref(&r->req);
546     if (r->req.cmd.mode != SCSI_XFER_TO_DEV) {
547         trace_scsi_disk_write_data_invalid();
548         scsi_write_complete_noio(r, -EINVAL);
549         return;
550     }
551 
552     if (!r->req.sg && !r->qiov.size) {
553         /* Called for the first time.  Ask the driver to send us more data.  */
554         r->started = true;
555         scsi_write_complete_noio(r, 0);
556         return;
557     }
558     if (!blk_is_available(req->dev->conf.blk)) {
559         scsi_write_complete_noio(r, -ENOMEDIUM);
560         return;
561     }
562 
563     if (r->req.cmd.buf[0] == VERIFY_10 || r->req.cmd.buf[0] == VERIFY_12 ||
564         r->req.cmd.buf[0] == VERIFY_16) {
565         if (r->req.sg) {
566             scsi_dma_complete_noio(r, 0);
567         } else {
568             scsi_write_complete_noio(r, 0);
569         }
570         return;
571     }
572 
573     if (r->req.sg) {
574         dma_acct_start(s->qdev.conf.blk, &r->acct, r->req.sg, BLOCK_ACCT_WRITE);
575         r->req.resid -= r->req.sg->size;
576         r->req.aiocb = dma_blk_io(blk_get_aio_context(s->qdev.conf.blk),
577                                   r->req.sg, r->sector << BDRV_SECTOR_BITS,
578                                   BDRV_SECTOR_SIZE,
579                                   sdc->dma_writev, r, scsi_dma_complete, r,
580                                   DMA_DIRECTION_TO_DEVICE);
581     } else {
582         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
583                          r->qiov.size, BLOCK_ACCT_WRITE);
584         r->req.aiocb = sdc->dma_writev(r->sector << BDRV_SECTOR_BITS, &r->qiov,
585                                        scsi_write_complete, r, r);
586     }
587 }
588 
589 /* Return a pointer to the data buffer.  */
590 static uint8_t *scsi_get_buf(SCSIRequest *req)
591 {
592     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
593 
594     return (uint8_t *)r->iov.iov_base;
595 }
596 
597 static int scsi_disk_emulate_vpd_page(SCSIRequest *req, uint8_t *outbuf)
598 {
599     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
600     uint8_t page_code = req->cmd.buf[2];
601     int start, buflen = 0;
602 
603     outbuf[buflen++] = s->qdev.type & 0x1f;
604     outbuf[buflen++] = page_code;
605     outbuf[buflen++] = 0x00;
606     outbuf[buflen++] = 0x00;
607     start = buflen;
608 
609     switch (page_code) {
610     case 0x00: /* Supported page codes, mandatory */
611     {
612         trace_scsi_disk_emulate_vpd_page_00(req->cmd.xfer);
613         outbuf[buflen++] = 0x00; /* list of supported pages (this page) */
614         if (s->serial) {
615             outbuf[buflen++] = 0x80; /* unit serial number */
616         }
617         outbuf[buflen++] = 0x83; /* device identification */
618         if (s->qdev.type == TYPE_DISK) {
619             outbuf[buflen++] = 0xb0; /* block limits */
620             outbuf[buflen++] = 0xb1; /* block device characteristics */
621             outbuf[buflen++] = 0xb2; /* thin provisioning */
622         }
623         break;
624     }
625     case 0x80: /* Device serial number, optional */
626     {
627         int l;
628 
629         if (!s->serial) {
630             trace_scsi_disk_emulate_vpd_page_80_not_supported();
631             return -1;
632         }
633 
634         l = strlen(s->serial);
635         if (l > 36) {
636             l = 36;
637         }
638 
639         trace_scsi_disk_emulate_vpd_page_80(req->cmd.xfer);
640         memcpy(outbuf + buflen, s->serial, l);
641         buflen += l;
642         break;
643     }
644 
645     case 0x83: /* Device identification page, mandatory */
646     {
647         int id_len = s->device_id ? MIN(strlen(s->device_id), 255 - 8) : 0;
648 
649         trace_scsi_disk_emulate_vpd_page_83(req->cmd.xfer);
650 
651         if (id_len) {
652             outbuf[buflen++] = 0x2; /* ASCII */
653             outbuf[buflen++] = 0;   /* not officially assigned */
654             outbuf[buflen++] = 0;   /* reserved */
655             outbuf[buflen++] = id_len; /* length of data following */
656             memcpy(outbuf + buflen, s->device_id, id_len);
657             buflen += id_len;
658         }
659 
660         if (s->qdev.wwn) {
661             outbuf[buflen++] = 0x1; /* Binary */
662             outbuf[buflen++] = 0x3; /* NAA */
663             outbuf[buflen++] = 0;   /* reserved */
664             outbuf[buflen++] = 8;
665             stq_be_p(&outbuf[buflen], s->qdev.wwn);
666             buflen += 8;
667         }
668 
669         if (s->qdev.port_wwn) {
670             outbuf[buflen++] = 0x61; /* SAS / Binary */
671             outbuf[buflen++] = 0x93; /* PIV / Target port / NAA */
672             outbuf[buflen++] = 0;    /* reserved */
673             outbuf[buflen++] = 8;
674             stq_be_p(&outbuf[buflen], s->qdev.port_wwn);
675             buflen += 8;
676         }
677 
678         if (s->port_index) {
679             outbuf[buflen++] = 0x61; /* SAS / Binary */
680 
681             /* PIV/Target port/relative target port */
682             outbuf[buflen++] = 0x94;
683 
684             outbuf[buflen++] = 0;    /* reserved */
685             outbuf[buflen++] = 4;
686             stw_be_p(&outbuf[buflen + 2], s->port_index);
687             buflen += 4;
688         }
689         break;
690     }
691     case 0xb0: /* block limits */
692     {
693         SCSIBlockLimits bl = {};
694 
695         if (s->qdev.type == TYPE_ROM) {
696             trace_scsi_disk_emulate_vpd_page_b0_not_supported();
697             return -1;
698         }
699         bl.wsnz = 1;
700         bl.unmap_sectors =
701             s->qdev.conf.discard_granularity / s->qdev.blocksize;
702         bl.min_io_size =
703             s->qdev.conf.min_io_size / s->qdev.blocksize;
704         bl.opt_io_size =
705             s->qdev.conf.opt_io_size / s->qdev.blocksize;
706         bl.max_unmap_sectors =
707             s->max_unmap_size / s->qdev.blocksize;
708         bl.max_io_sectors =
709             s->max_io_size / s->qdev.blocksize;
710         /* 255 descriptors fit in 4 KiB with an 8-byte header */
711         bl.max_unmap_descr = 255;
712 
713         if (s->qdev.type == TYPE_DISK) {
714             int max_transfer_blk = blk_get_max_transfer(s->qdev.conf.blk);
715             int max_io_sectors_blk =
716                 max_transfer_blk / s->qdev.blocksize;
717 
718             bl.max_io_sectors =
719                 MIN_NON_ZERO(max_io_sectors_blk, bl.max_io_sectors);
720         }
721         buflen += scsi_emulate_block_limits(outbuf + buflen, &bl);
722         break;
723     }
724     case 0xb1: /* block device characteristics */
725     {
726         buflen = 0x40;
727         outbuf[4] = (s->rotation_rate >> 8) & 0xff;
728         outbuf[5] = s->rotation_rate & 0xff;
729         outbuf[6] = 0; /* PRODUCT TYPE */
730         outbuf[7] = 0; /* WABEREQ | WACEREQ | NOMINAL FORM FACTOR */
731         outbuf[8] = 0; /* VBULS */
732         break;
733     }
734     case 0xb2: /* thin provisioning */
735     {
736         buflen = 8;
737         outbuf[4] = 0;
738         outbuf[5] = 0xe0; /* unmap & write_same 10/16 all supported */
739         outbuf[6] = s->qdev.conf.discard_granularity ? 2 : 1;
740         outbuf[7] = 0;
741         break;
742     }
743     default:
744         return -1;
745     }
746     /* done with EVPD */
747     assert(buflen - start <= 255);
748     outbuf[start - 1] = buflen - start;
749     return buflen;
750 }
751 
752 static int scsi_disk_emulate_inquiry(SCSIRequest *req, uint8_t *outbuf)
753 {
754     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
755     int buflen = 0;
756 
757     if (req->cmd.buf[1] & 0x1) {
758         /* Vital product data */
759         return scsi_disk_emulate_vpd_page(req, outbuf);
760     }
761 
762     /* Standard INQUIRY data */
763     if (req->cmd.buf[2] != 0) {
764         return -1;
765     }
766 
767     /* PAGE CODE == 0 */
768     buflen = req->cmd.xfer;
769     if (buflen > SCSI_MAX_INQUIRY_LEN) {
770         buflen = SCSI_MAX_INQUIRY_LEN;
771     }
772 
773     outbuf[0] = s->qdev.type & 0x1f;
774     outbuf[1] = (s->features & (1 << SCSI_DISK_F_REMOVABLE)) ? 0x80 : 0;
775 
776     strpadcpy((char *) &outbuf[16], 16, s->product, ' ');
777     strpadcpy((char *) &outbuf[8], 8, s->vendor, ' ');
778 
779     memset(&outbuf[32], 0, 4);
780     memcpy(&outbuf[32], s->version, MIN(4, strlen(s->version)));
781     /*
782      * We claim conformance to SPC-3, which is required for guests
783      * to ask for modern features like READ CAPACITY(16) or the
784      * block characteristics VPD page by default.  Not all of SPC-3
785      * is actually implemented, but we're good enough.
786      */
787     outbuf[2] = s->qdev.default_scsi_version;
788     outbuf[3] = 2 | 0x10; /* Format 2, HiSup */
789 
790     if (buflen > 36) {
791         outbuf[4] = buflen - 5; /* Additional Length = (Len - 1) - 4 */
792     } else {
793         /* If the allocation length of CDB is too small,
794                the additional length is not adjusted */
795         outbuf[4] = 36 - 5;
796     }
797 
798     /* Sync data transfer and TCQ.  */
799     outbuf[7] = 0x10 | (req->bus->info->tcq ? 0x02 : 0);
800     return buflen;
801 }
802 
803 static inline bool media_is_dvd(SCSIDiskState *s)
804 {
805     uint64_t nb_sectors;
806     if (s->qdev.type != TYPE_ROM) {
807         return false;
808     }
809     if (!blk_is_available(s->qdev.conf.blk)) {
810         return false;
811     }
812     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
813     return nb_sectors > CD_MAX_SECTORS;
814 }
815 
816 static inline bool media_is_cd(SCSIDiskState *s)
817 {
818     uint64_t nb_sectors;
819     if (s->qdev.type != TYPE_ROM) {
820         return false;
821     }
822     if (!blk_is_available(s->qdev.conf.blk)) {
823         return false;
824     }
825     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
826     return nb_sectors <= CD_MAX_SECTORS;
827 }
828 
829 static int scsi_read_disc_information(SCSIDiskState *s, SCSIDiskReq *r,
830                                       uint8_t *outbuf)
831 {
832     uint8_t type = r->req.cmd.buf[1] & 7;
833 
834     if (s->qdev.type != TYPE_ROM) {
835         return -1;
836     }
837 
838     /* Types 1/2 are only defined for Blu-Ray.  */
839     if (type != 0) {
840         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
841         return -1;
842     }
843 
844     memset(outbuf, 0, 34);
845     outbuf[1] = 32;
846     outbuf[2] = 0xe; /* last session complete, disc finalized */
847     outbuf[3] = 1;   /* first track on disc */
848     outbuf[4] = 1;   /* # of sessions */
849     outbuf[5] = 1;   /* first track of last session */
850     outbuf[6] = 1;   /* last track of last session */
851     outbuf[7] = 0x20; /* unrestricted use */
852     outbuf[8] = 0x00; /* CD-ROM or DVD-ROM */
853     /* 9-10-11: most significant byte corresponding bytes 4-5-6 */
854     /* 12-23: not meaningful for CD-ROM or DVD-ROM */
855     /* 24-31: disc bar code */
856     /* 32: disc application code */
857     /* 33: number of OPC tables */
858 
859     return 34;
860 }
861 
862 static int scsi_read_dvd_structure(SCSIDiskState *s, SCSIDiskReq *r,
863                                    uint8_t *outbuf)
864 {
865     static const int rds_caps_size[5] = {
866         [0] = 2048 + 4,
867         [1] = 4 + 4,
868         [3] = 188 + 4,
869         [4] = 2048 + 4,
870     };
871 
872     uint8_t media = r->req.cmd.buf[1];
873     uint8_t layer = r->req.cmd.buf[6];
874     uint8_t format = r->req.cmd.buf[7];
875     int size = -1;
876 
877     if (s->qdev.type != TYPE_ROM) {
878         return -1;
879     }
880     if (media != 0) {
881         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
882         return -1;
883     }
884 
885     if (format != 0xff) {
886         if (!blk_is_available(s->qdev.conf.blk)) {
887             scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
888             return -1;
889         }
890         if (media_is_cd(s)) {
891             scsi_check_condition(r, SENSE_CODE(INCOMPATIBLE_FORMAT));
892             return -1;
893         }
894         if (format >= ARRAY_SIZE(rds_caps_size)) {
895             return -1;
896         }
897         size = rds_caps_size[format];
898         memset(outbuf, 0, size);
899     }
900 
901     switch (format) {
902     case 0x00: {
903         /* Physical format information */
904         uint64_t nb_sectors;
905         if (layer != 0) {
906             goto fail;
907         }
908         blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
909 
910         outbuf[4] = 1;   /* DVD-ROM, part version 1 */
911         outbuf[5] = 0xf; /* 120mm disc, minimum rate unspecified */
912         outbuf[6] = 1;   /* one layer, read-only (per MMC-2 spec) */
913         outbuf[7] = 0;   /* default densities */
914 
915         stl_be_p(&outbuf[12], (nb_sectors >> 2) - 1); /* end sector */
916         stl_be_p(&outbuf[16], (nb_sectors >> 2) - 1); /* l0 end sector */
917         break;
918     }
919 
920     case 0x01: /* DVD copyright information, all zeros */
921         break;
922 
923     case 0x03: /* BCA information - invalid field for no BCA info */
924         return -1;
925 
926     case 0x04: /* DVD disc manufacturing information, all zeros */
927         break;
928 
929     case 0xff: { /* List capabilities */
930         int i;
931         size = 4;
932         for (i = 0; i < ARRAY_SIZE(rds_caps_size); i++) {
933             if (!rds_caps_size[i]) {
934                 continue;
935             }
936             outbuf[size] = i;
937             outbuf[size + 1] = 0x40; /* Not writable, readable */
938             stw_be_p(&outbuf[size + 2], rds_caps_size[i]);
939             size += 4;
940         }
941         break;
942      }
943 
944     default:
945         return -1;
946     }
947 
948     /* Size of buffer, not including 2 byte size field */
949     stw_be_p(outbuf, size - 2);
950     return size;
951 
952 fail:
953     return -1;
954 }
955 
956 static int scsi_event_status_media(SCSIDiskState *s, uint8_t *outbuf)
957 {
958     uint8_t event_code, media_status;
959 
960     media_status = 0;
961     if (s->tray_open) {
962         media_status = MS_TRAY_OPEN;
963     } else if (blk_is_inserted(s->qdev.conf.blk)) {
964         media_status = MS_MEDIA_PRESENT;
965     }
966 
967     /* Event notification descriptor */
968     event_code = MEC_NO_CHANGE;
969     if (media_status != MS_TRAY_OPEN) {
970         if (s->media_event) {
971             event_code = MEC_NEW_MEDIA;
972             s->media_event = false;
973         } else if (s->eject_request) {
974             event_code = MEC_EJECT_REQUESTED;
975             s->eject_request = false;
976         }
977     }
978 
979     outbuf[0] = event_code;
980     outbuf[1] = media_status;
981 
982     /* These fields are reserved, just clear them. */
983     outbuf[2] = 0;
984     outbuf[3] = 0;
985     return 4;
986 }
987 
988 static int scsi_get_event_status_notification(SCSIDiskState *s, SCSIDiskReq *r,
989                                               uint8_t *outbuf)
990 {
991     int size;
992     uint8_t *buf = r->req.cmd.buf;
993     uint8_t notification_class_request = buf[4];
994     if (s->qdev.type != TYPE_ROM) {
995         return -1;
996     }
997     if ((buf[1] & 1) == 0) {
998         /* asynchronous */
999         return -1;
1000     }
1001 
1002     size = 4;
1003     outbuf[0] = outbuf[1] = 0;
1004     outbuf[3] = 1 << GESN_MEDIA; /* supported events */
1005     if (notification_class_request & (1 << GESN_MEDIA)) {
1006         outbuf[2] = GESN_MEDIA;
1007         size += scsi_event_status_media(s, &outbuf[size]);
1008     } else {
1009         outbuf[2] = 0x80;
1010     }
1011     stw_be_p(outbuf, size - 4);
1012     return size;
1013 }
1014 
1015 static int scsi_get_configuration(SCSIDiskState *s, uint8_t *outbuf)
1016 {
1017     int current;
1018 
1019     if (s->qdev.type != TYPE_ROM) {
1020         return -1;
1021     }
1022 
1023     if (media_is_dvd(s)) {
1024         current = MMC_PROFILE_DVD_ROM;
1025     } else if (media_is_cd(s)) {
1026         current = MMC_PROFILE_CD_ROM;
1027     } else {
1028         current = MMC_PROFILE_NONE;
1029     }
1030 
1031     memset(outbuf, 0, 40);
1032     stl_be_p(&outbuf[0], 36); /* Bytes after the data length field */
1033     stw_be_p(&outbuf[6], current);
1034     /* outbuf[8] - outbuf[19]: Feature 0 - Profile list */
1035     outbuf[10] = 0x03; /* persistent, current */
1036     outbuf[11] = 8; /* two profiles */
1037     stw_be_p(&outbuf[12], MMC_PROFILE_DVD_ROM);
1038     outbuf[14] = (current == MMC_PROFILE_DVD_ROM);
1039     stw_be_p(&outbuf[16], MMC_PROFILE_CD_ROM);
1040     outbuf[18] = (current == MMC_PROFILE_CD_ROM);
1041     /* outbuf[20] - outbuf[31]: Feature 1 - Core feature */
1042     stw_be_p(&outbuf[20], 1);
1043     outbuf[22] = 0x08 | 0x03; /* version 2, persistent, current */
1044     outbuf[23] = 8;
1045     stl_be_p(&outbuf[24], 1); /* SCSI */
1046     outbuf[28] = 1; /* DBE = 1, mandatory */
1047     /* outbuf[32] - outbuf[39]: Feature 3 - Removable media feature */
1048     stw_be_p(&outbuf[32], 3);
1049     outbuf[34] = 0x08 | 0x03; /* version 2, persistent, current */
1050     outbuf[35] = 4;
1051     outbuf[36] = 0x39; /* tray, load=1, eject=1, unlocked at powerup, lock=1 */
1052     /* TODO: Random readable, CD read, DVD read, drive serial number,
1053        power management */
1054     return 40;
1055 }
1056 
1057 static int scsi_emulate_mechanism_status(SCSIDiskState *s, uint8_t *outbuf)
1058 {
1059     if (s->qdev.type != TYPE_ROM) {
1060         return -1;
1061     }
1062     memset(outbuf, 0, 8);
1063     outbuf[5] = 1; /* CD-ROM */
1064     return 8;
1065 }
1066 
1067 static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf,
1068                            int page_control)
1069 {
1070     static const int mode_sense_valid[0x3f] = {
1071         [MODE_PAGE_HD_GEOMETRY]            = (1 << TYPE_DISK),
1072         [MODE_PAGE_FLEXIBLE_DISK_GEOMETRY] = (1 << TYPE_DISK),
1073         [MODE_PAGE_CACHING]                = (1 << TYPE_DISK) | (1 << TYPE_ROM),
1074         [MODE_PAGE_R_W_ERROR]              = (1 << TYPE_DISK) | (1 << TYPE_ROM),
1075         [MODE_PAGE_AUDIO_CTL]              = (1 << TYPE_ROM),
1076         [MODE_PAGE_CAPABILITIES]           = (1 << TYPE_ROM),
1077     };
1078 
1079     uint8_t *p = *p_outbuf + 2;
1080     int length;
1081 
1082     if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) {
1083         return -1;
1084     }
1085 
1086     /*
1087      * If Changeable Values are requested, a mask denoting those mode parameters
1088      * that are changeable shall be returned. As we currently don't support
1089      * parameter changes via MODE_SELECT all bits are returned set to zero.
1090      * The buffer was already menset to zero by the caller of this function.
1091      *
1092      * The offsets here are off by two compared to the descriptions in the
1093      * SCSI specs, because those include a 2-byte header.  This is unfortunate,
1094      * but it is done so that offsets are consistent within our implementation
1095      * of MODE SENSE and MODE SELECT.  MODE SELECT has to deal with both
1096      * 2-byte and 4-byte headers.
1097      */
1098     switch (page) {
1099     case MODE_PAGE_HD_GEOMETRY:
1100         length = 0x16;
1101         if (page_control == 1) { /* Changeable Values */
1102             break;
1103         }
1104         /* if a geometry hint is available, use it */
1105         p[0] = (s->qdev.conf.cyls >> 16) & 0xff;
1106         p[1] = (s->qdev.conf.cyls >> 8) & 0xff;
1107         p[2] = s->qdev.conf.cyls & 0xff;
1108         p[3] = s->qdev.conf.heads & 0xff;
1109         /* Write precomp start cylinder, disabled */
1110         p[4] = (s->qdev.conf.cyls >> 16) & 0xff;
1111         p[5] = (s->qdev.conf.cyls >> 8) & 0xff;
1112         p[6] = s->qdev.conf.cyls & 0xff;
1113         /* Reduced current start cylinder, disabled */
1114         p[7] = (s->qdev.conf.cyls >> 16) & 0xff;
1115         p[8] = (s->qdev.conf.cyls >> 8) & 0xff;
1116         p[9] = s->qdev.conf.cyls & 0xff;
1117         /* Device step rate [ns], 200ns */
1118         p[10] = 0;
1119         p[11] = 200;
1120         /* Landing zone cylinder */
1121         p[12] = 0xff;
1122         p[13] =  0xff;
1123         p[14] = 0xff;
1124         /* Medium rotation rate [rpm], 5400 rpm */
1125         p[18] = (5400 >> 8) & 0xff;
1126         p[19] = 5400 & 0xff;
1127         break;
1128 
1129     case MODE_PAGE_FLEXIBLE_DISK_GEOMETRY:
1130         length = 0x1e;
1131         if (page_control == 1) { /* Changeable Values */
1132             break;
1133         }
1134         /* Transfer rate [kbit/s], 5Mbit/s */
1135         p[0] = 5000 >> 8;
1136         p[1] = 5000 & 0xff;
1137         /* if a geometry hint is available, use it */
1138         p[2] = s->qdev.conf.heads & 0xff;
1139         p[3] = s->qdev.conf.secs & 0xff;
1140         p[4] = s->qdev.blocksize >> 8;
1141         p[6] = (s->qdev.conf.cyls >> 8) & 0xff;
1142         p[7] = s->qdev.conf.cyls & 0xff;
1143         /* Write precomp start cylinder, disabled */
1144         p[8] = (s->qdev.conf.cyls >> 8) & 0xff;
1145         p[9] = s->qdev.conf.cyls & 0xff;
1146         /* Reduced current start cylinder, disabled */
1147         p[10] = (s->qdev.conf.cyls >> 8) & 0xff;
1148         p[11] = s->qdev.conf.cyls & 0xff;
1149         /* Device step rate [100us], 100us */
1150         p[12] = 0;
1151         p[13] = 1;
1152         /* Device step pulse width [us], 1us */
1153         p[14] = 1;
1154         /* Device head settle delay [100us], 100us */
1155         p[15] = 0;
1156         p[16] = 1;
1157         /* Motor on delay [0.1s], 0.1s */
1158         p[17] = 1;
1159         /* Motor off delay [0.1s], 0.1s */
1160         p[18] = 1;
1161         /* Medium rotation rate [rpm], 5400 rpm */
1162         p[26] = (5400 >> 8) & 0xff;
1163         p[27] = 5400 & 0xff;
1164         break;
1165 
1166     case MODE_PAGE_CACHING:
1167         length = 0x12;
1168         if (page_control == 1 || /* Changeable Values */
1169             blk_enable_write_cache(s->qdev.conf.blk)) {
1170             p[0] = 4; /* WCE */
1171         }
1172         break;
1173 
1174     case MODE_PAGE_R_W_ERROR:
1175         length = 10;
1176         if (page_control == 1) { /* Changeable Values */
1177             break;
1178         }
1179         p[0] = 0x80; /* Automatic Write Reallocation Enabled */
1180         if (s->qdev.type == TYPE_ROM) {
1181             p[1] = 0x20; /* Read Retry Count */
1182         }
1183         break;
1184 
1185     case MODE_PAGE_AUDIO_CTL:
1186         length = 14;
1187         break;
1188 
1189     case MODE_PAGE_CAPABILITIES:
1190         length = 0x14;
1191         if (page_control == 1) { /* Changeable Values */
1192             break;
1193         }
1194 
1195         p[0] = 0x3b; /* CD-R & CD-RW read */
1196         p[1] = 0; /* Writing not supported */
1197         p[2] = 0x7f; /* Audio, composite, digital out,
1198                         mode 2 form 1&2, multi session */
1199         p[3] = 0xff; /* CD DA, DA accurate, RW supported,
1200                         RW corrected, C2 errors, ISRC,
1201                         UPC, Bar code */
1202         p[4] = 0x2d | (s->tray_locked ? 2 : 0);
1203         /* Locking supported, jumper present, eject, tray */
1204         p[5] = 0; /* no volume & mute control, no
1205                      changer */
1206         p[6] = (50 * 176) >> 8; /* 50x read speed */
1207         p[7] = (50 * 176) & 0xff;
1208         p[8] = 2 >> 8; /* Two volume levels */
1209         p[9] = 2 & 0xff;
1210         p[10] = 2048 >> 8; /* 2M buffer */
1211         p[11] = 2048 & 0xff;
1212         p[12] = (16 * 176) >> 8; /* 16x read speed current */
1213         p[13] = (16 * 176) & 0xff;
1214         p[16] = (16 * 176) >> 8; /* 16x write speed */
1215         p[17] = (16 * 176) & 0xff;
1216         p[18] = (16 * 176) >> 8; /* 16x write speed current */
1217         p[19] = (16 * 176) & 0xff;
1218         break;
1219 
1220     default:
1221         return -1;
1222     }
1223 
1224     assert(length < 256);
1225     (*p_outbuf)[0] = page;
1226     (*p_outbuf)[1] = length;
1227     *p_outbuf += length + 2;
1228     return length + 2;
1229 }
1230 
1231 static int scsi_disk_emulate_mode_sense(SCSIDiskReq *r, uint8_t *outbuf)
1232 {
1233     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1234     uint64_t nb_sectors;
1235     bool dbd;
1236     int page, buflen, ret, page_control;
1237     uint8_t *p;
1238     uint8_t dev_specific_param;
1239 
1240     dbd = (r->req.cmd.buf[1] & 0x8) != 0;
1241     page = r->req.cmd.buf[2] & 0x3f;
1242     page_control = (r->req.cmd.buf[2] & 0xc0) >> 6;
1243 
1244     trace_scsi_disk_emulate_mode_sense((r->req.cmd.buf[0] == MODE_SENSE) ? 6 :
1245                                        10, page, r->req.cmd.xfer, page_control);
1246     memset(outbuf, 0, r->req.cmd.xfer);
1247     p = outbuf;
1248 
1249     if (s->qdev.type == TYPE_DISK) {
1250         dev_specific_param = s->features & (1 << SCSI_DISK_F_DPOFUA) ? 0x10 : 0;
1251         if (blk_is_read_only(s->qdev.conf.blk)) {
1252             dev_specific_param |= 0x80; /* Readonly.  */
1253         }
1254     } else {
1255         /* MMC prescribes that CD/DVD drives have no block descriptors,
1256          * and defines no device-specific parameter.  */
1257         dev_specific_param = 0x00;
1258         dbd = true;
1259     }
1260 
1261     if (r->req.cmd.buf[0] == MODE_SENSE) {
1262         p[1] = 0; /* Default media type.  */
1263         p[2] = dev_specific_param;
1264         p[3] = 0; /* Block descriptor length.  */
1265         p += 4;
1266     } else { /* MODE_SENSE_10 */
1267         p[2] = 0; /* Default media type.  */
1268         p[3] = dev_specific_param;
1269         p[6] = p[7] = 0; /* Block descriptor length.  */
1270         p += 8;
1271     }
1272 
1273     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
1274     if (!dbd && nb_sectors) {
1275         if (r->req.cmd.buf[0] == MODE_SENSE) {
1276             outbuf[3] = 8; /* Block descriptor length  */
1277         } else { /* MODE_SENSE_10 */
1278             outbuf[7] = 8; /* Block descriptor length  */
1279         }
1280         nb_sectors /= (s->qdev.blocksize / 512);
1281         if (nb_sectors > 0xffffff) {
1282             nb_sectors = 0;
1283         }
1284         p[0] = 0; /* media density code */
1285         p[1] = (nb_sectors >> 16) & 0xff;
1286         p[2] = (nb_sectors >> 8) & 0xff;
1287         p[3] = nb_sectors & 0xff;
1288         p[4] = 0; /* reserved */
1289         p[5] = 0; /* bytes 5-7 are the sector size in bytes */
1290         p[6] = s->qdev.blocksize >> 8;
1291         p[7] = 0;
1292         p += 8;
1293     }
1294 
1295     if (page_control == 3) {
1296         /* Saved Values */
1297         scsi_check_condition(r, SENSE_CODE(SAVING_PARAMS_NOT_SUPPORTED));
1298         return -1;
1299     }
1300 
1301     if (page == 0x3f) {
1302         for (page = 0; page <= 0x3e; page++) {
1303             mode_sense_page(s, page, &p, page_control);
1304         }
1305     } else {
1306         ret = mode_sense_page(s, page, &p, page_control);
1307         if (ret == -1) {
1308             return -1;
1309         }
1310     }
1311 
1312     buflen = p - outbuf;
1313     /*
1314      * The mode data length field specifies the length in bytes of the
1315      * following data that is available to be transferred. The mode data
1316      * length does not include itself.
1317      */
1318     if (r->req.cmd.buf[0] == MODE_SENSE) {
1319         outbuf[0] = buflen - 1;
1320     } else { /* MODE_SENSE_10 */
1321         outbuf[0] = ((buflen - 2) >> 8) & 0xff;
1322         outbuf[1] = (buflen - 2) & 0xff;
1323     }
1324     return buflen;
1325 }
1326 
1327 static int scsi_disk_emulate_read_toc(SCSIRequest *req, uint8_t *outbuf)
1328 {
1329     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1330     int start_track, format, msf, toclen;
1331     uint64_t nb_sectors;
1332 
1333     msf = req->cmd.buf[1] & 2;
1334     format = req->cmd.buf[2] & 0xf;
1335     start_track = req->cmd.buf[6];
1336     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
1337     trace_scsi_disk_emulate_read_toc(start_track, format, msf >> 1);
1338     nb_sectors /= s->qdev.blocksize / 512;
1339     switch (format) {
1340     case 0:
1341         toclen = cdrom_read_toc(nb_sectors, outbuf, msf, start_track);
1342         break;
1343     case 1:
1344         /* multi session : only a single session defined */
1345         toclen = 12;
1346         memset(outbuf, 0, 12);
1347         outbuf[1] = 0x0a;
1348         outbuf[2] = 0x01;
1349         outbuf[3] = 0x01;
1350         break;
1351     case 2:
1352         toclen = cdrom_read_toc_raw(nb_sectors, outbuf, msf, start_track);
1353         break;
1354     default:
1355         return -1;
1356     }
1357     return toclen;
1358 }
1359 
1360 static int scsi_disk_emulate_start_stop(SCSIDiskReq *r)
1361 {
1362     SCSIRequest *req = &r->req;
1363     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1364     bool start = req->cmd.buf[4] & 1;
1365     bool loej = req->cmd.buf[4] & 2; /* load on start, eject on !start */
1366     int pwrcnd = req->cmd.buf[4] & 0xf0;
1367 
1368     if (pwrcnd) {
1369         /* eject/load only happens for power condition == 0 */
1370         return 0;
1371     }
1372 
1373     if ((s->features & (1 << SCSI_DISK_F_REMOVABLE)) && loej) {
1374         if (!start && !s->tray_open && s->tray_locked) {
1375             scsi_check_condition(r,
1376                                  blk_is_inserted(s->qdev.conf.blk)
1377                                  ? SENSE_CODE(ILLEGAL_REQ_REMOVAL_PREVENTED)
1378                                  : SENSE_CODE(NOT_READY_REMOVAL_PREVENTED));
1379             return -1;
1380         }
1381 
1382         if (s->tray_open != !start) {
1383             blk_eject(s->qdev.conf.blk, !start);
1384             s->tray_open = !start;
1385         }
1386     }
1387     return 0;
1388 }
1389 
1390 static void scsi_disk_emulate_read_data(SCSIRequest *req)
1391 {
1392     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
1393     int buflen = r->iov.iov_len;
1394 
1395     if (buflen) {
1396         trace_scsi_disk_emulate_read_data(buflen);
1397         r->iov.iov_len = 0;
1398         r->started = true;
1399         scsi_req_data(&r->req, buflen);
1400         return;
1401     }
1402 
1403     /* This also clears the sense buffer for REQUEST SENSE.  */
1404     scsi_req_complete(&r->req, GOOD);
1405 }
1406 
1407 static int scsi_disk_check_mode_select(SCSIDiskState *s, int page,
1408                                        uint8_t *inbuf, int inlen)
1409 {
1410     uint8_t mode_current[SCSI_MAX_MODE_LEN];
1411     uint8_t mode_changeable[SCSI_MAX_MODE_LEN];
1412     uint8_t *p;
1413     int len, expected_len, changeable_len, i;
1414 
1415     /* The input buffer does not include the page header, so it is
1416      * off by 2 bytes.
1417      */
1418     expected_len = inlen + 2;
1419     if (expected_len > SCSI_MAX_MODE_LEN) {
1420         return -1;
1421     }
1422 
1423     p = mode_current;
1424     memset(mode_current, 0, inlen + 2);
1425     len = mode_sense_page(s, page, &p, 0);
1426     if (len < 0 || len != expected_len) {
1427         return -1;
1428     }
1429 
1430     p = mode_changeable;
1431     memset(mode_changeable, 0, inlen + 2);
1432     changeable_len = mode_sense_page(s, page, &p, 1);
1433     assert(changeable_len == len);
1434 
1435     /* Check that unchangeable bits are the same as what MODE SENSE
1436      * would return.
1437      */
1438     for (i = 2; i < len; i++) {
1439         if (((mode_current[i] ^ inbuf[i - 2]) & ~mode_changeable[i]) != 0) {
1440             return -1;
1441         }
1442     }
1443     return 0;
1444 }
1445 
1446 static void scsi_disk_apply_mode_select(SCSIDiskState *s, int page, uint8_t *p)
1447 {
1448     switch (page) {
1449     case MODE_PAGE_CACHING:
1450         blk_set_enable_write_cache(s->qdev.conf.blk, (p[0] & 4) != 0);
1451         break;
1452 
1453     default:
1454         break;
1455     }
1456 }
1457 
1458 static int mode_select_pages(SCSIDiskReq *r, uint8_t *p, int len, bool change)
1459 {
1460     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1461 
1462     while (len > 0) {
1463         int page, subpage, page_len;
1464 
1465         /* Parse both possible formats for the mode page headers.  */
1466         page = p[0] & 0x3f;
1467         if (p[0] & 0x40) {
1468             if (len < 4) {
1469                 goto invalid_param_len;
1470             }
1471             subpage = p[1];
1472             page_len = lduw_be_p(&p[2]);
1473             p += 4;
1474             len -= 4;
1475         } else {
1476             if (len < 2) {
1477                 goto invalid_param_len;
1478             }
1479             subpage = 0;
1480             page_len = p[1];
1481             p += 2;
1482             len -= 2;
1483         }
1484 
1485         if (subpage) {
1486             goto invalid_param;
1487         }
1488         if (page_len > len) {
1489             goto invalid_param_len;
1490         }
1491 
1492         if (!change) {
1493             if (scsi_disk_check_mode_select(s, page, p, page_len) < 0) {
1494                 goto invalid_param;
1495             }
1496         } else {
1497             scsi_disk_apply_mode_select(s, page, p);
1498         }
1499 
1500         p += page_len;
1501         len -= page_len;
1502     }
1503     return 0;
1504 
1505 invalid_param:
1506     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM));
1507     return -1;
1508 
1509 invalid_param_len:
1510     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM_LEN));
1511     return -1;
1512 }
1513 
1514 static void scsi_disk_emulate_mode_select(SCSIDiskReq *r, uint8_t *inbuf)
1515 {
1516     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1517     uint8_t *p = inbuf;
1518     int cmd = r->req.cmd.buf[0];
1519     int len = r->req.cmd.xfer;
1520     int hdr_len = (cmd == MODE_SELECT ? 4 : 8);
1521     int bd_len;
1522     int pass;
1523 
1524     /* We only support PF=1, SP=0.  */
1525     if ((r->req.cmd.buf[1] & 0x11) != 0x10) {
1526         goto invalid_field;
1527     }
1528 
1529     if (len < hdr_len) {
1530         goto invalid_param_len;
1531     }
1532 
1533     bd_len = (cmd == MODE_SELECT ? p[3] : lduw_be_p(&p[6]));
1534     len -= hdr_len;
1535     p += hdr_len;
1536     if (len < bd_len) {
1537         goto invalid_param_len;
1538     }
1539     if (bd_len != 0 && bd_len != 8) {
1540         goto invalid_param;
1541     }
1542 
1543     len -= bd_len;
1544     p += bd_len;
1545 
1546     /* Ensure no change is made if there is an error!  */
1547     for (pass = 0; pass < 2; pass++) {
1548         if (mode_select_pages(r, p, len, pass == 1) < 0) {
1549             assert(pass == 0);
1550             return;
1551         }
1552     }
1553     if (!blk_enable_write_cache(s->qdev.conf.blk)) {
1554         /* The request is used as the AIO opaque value, so add a ref.  */
1555         scsi_req_ref(&r->req);
1556         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct, 0,
1557                          BLOCK_ACCT_FLUSH);
1558         r->req.aiocb = blk_aio_flush(s->qdev.conf.blk, scsi_aio_complete, r);
1559         return;
1560     }
1561 
1562     scsi_req_complete(&r->req, GOOD);
1563     return;
1564 
1565 invalid_param:
1566     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM));
1567     return;
1568 
1569 invalid_param_len:
1570     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM_LEN));
1571     return;
1572 
1573 invalid_field:
1574     scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1575 }
1576 
1577 static inline bool check_lba_range(SCSIDiskState *s,
1578                                    uint64_t sector_num, uint32_t nb_sectors)
1579 {
1580     /*
1581      * The first line tests that no overflow happens when computing the last
1582      * sector.  The second line tests that the last accessed sector is in
1583      * range.
1584      *
1585      * Careful, the computations should not underflow for nb_sectors == 0,
1586      * and a 0-block read to the first LBA beyond the end of device is
1587      * valid.
1588      */
1589     return (sector_num <= sector_num + nb_sectors &&
1590             sector_num + nb_sectors <= s->qdev.max_lba + 1);
1591 }
1592 
1593 typedef struct UnmapCBData {
1594     SCSIDiskReq *r;
1595     uint8_t *inbuf;
1596     int count;
1597 } UnmapCBData;
1598 
1599 static void scsi_unmap_complete(void *opaque, int ret);
1600 
1601 static void scsi_unmap_complete_noio(UnmapCBData *data, int ret)
1602 {
1603     SCSIDiskReq *r = data->r;
1604     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1605     uint64_t sector_num;
1606     uint32_t nb_sectors;
1607 
1608     assert(r->req.aiocb == NULL);
1609     if (scsi_disk_req_check_error(r, ret, false)) {
1610         goto done;
1611     }
1612 
1613     if (data->count > 0) {
1614         sector_num = ldq_be_p(&data->inbuf[0]);
1615         nb_sectors = ldl_be_p(&data->inbuf[8]) & 0xffffffffULL;
1616         if (!check_lba_range(s, sector_num, nb_sectors)) {
1617             scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
1618             goto done;
1619         }
1620 
1621         r->req.aiocb = blk_aio_pdiscard(s->qdev.conf.blk,
1622                                         sector_num * s->qdev.blocksize,
1623                                         nb_sectors * s->qdev.blocksize,
1624                                         scsi_unmap_complete, data);
1625         data->count--;
1626         data->inbuf += 16;
1627         return;
1628     }
1629 
1630     scsi_req_complete(&r->req, GOOD);
1631 
1632 done:
1633     scsi_req_unref(&r->req);
1634     g_free(data);
1635 }
1636 
1637 static void scsi_unmap_complete(void *opaque, int ret)
1638 {
1639     UnmapCBData *data = opaque;
1640     SCSIDiskReq *r = data->r;
1641     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1642 
1643     assert(r->req.aiocb != NULL);
1644     r->req.aiocb = NULL;
1645 
1646     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
1647     scsi_unmap_complete_noio(data, ret);
1648     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
1649 }
1650 
1651 static void scsi_disk_emulate_unmap(SCSIDiskReq *r, uint8_t *inbuf)
1652 {
1653     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1654     uint8_t *p = inbuf;
1655     int len = r->req.cmd.xfer;
1656     UnmapCBData *data;
1657 
1658     /* Reject ANCHOR=1.  */
1659     if (r->req.cmd.buf[1] & 0x1) {
1660         goto invalid_field;
1661     }
1662 
1663     if (len < 8) {
1664         goto invalid_param_len;
1665     }
1666     if (len < lduw_be_p(&p[0]) + 2) {
1667         goto invalid_param_len;
1668     }
1669     if (len < lduw_be_p(&p[2]) + 8) {
1670         goto invalid_param_len;
1671     }
1672     if (lduw_be_p(&p[2]) & 15) {
1673         goto invalid_param_len;
1674     }
1675 
1676     if (blk_is_read_only(s->qdev.conf.blk)) {
1677         scsi_check_condition(r, SENSE_CODE(WRITE_PROTECTED));
1678         return;
1679     }
1680 
1681     data = g_new0(UnmapCBData, 1);
1682     data->r = r;
1683     data->inbuf = &p[8];
1684     data->count = lduw_be_p(&p[2]) >> 4;
1685 
1686     /* The matching unref is in scsi_unmap_complete, before data is freed.  */
1687     scsi_req_ref(&r->req);
1688     scsi_unmap_complete_noio(data, 0);
1689     return;
1690 
1691 invalid_param_len:
1692     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM_LEN));
1693     return;
1694 
1695 invalid_field:
1696     scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1697 }
1698 
1699 typedef struct WriteSameCBData {
1700     SCSIDiskReq *r;
1701     int64_t sector;
1702     int nb_sectors;
1703     QEMUIOVector qiov;
1704     struct iovec iov;
1705 } WriteSameCBData;
1706 
1707 static void scsi_write_same_complete(void *opaque, int ret)
1708 {
1709     WriteSameCBData *data = opaque;
1710     SCSIDiskReq *r = data->r;
1711     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1712 
1713     assert(r->req.aiocb != NULL);
1714     r->req.aiocb = NULL;
1715     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
1716     if (scsi_disk_req_check_error(r, ret, true)) {
1717         goto done;
1718     }
1719 
1720     block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
1721 
1722     data->nb_sectors -= data->iov.iov_len / 512;
1723     data->sector += data->iov.iov_len / 512;
1724     data->iov.iov_len = MIN(data->nb_sectors * 512, data->iov.iov_len);
1725     if (data->iov.iov_len) {
1726         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
1727                          data->iov.iov_len, BLOCK_ACCT_WRITE);
1728         /* Reinitialize qiov, to handle unaligned WRITE SAME request
1729          * where final qiov may need smaller size */
1730         qemu_iovec_init_external(&data->qiov, &data->iov, 1);
1731         r->req.aiocb = blk_aio_pwritev(s->qdev.conf.blk,
1732                                        data->sector << BDRV_SECTOR_BITS,
1733                                        &data->qiov, 0,
1734                                        scsi_write_same_complete, data);
1735         aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
1736         return;
1737     }
1738 
1739     scsi_req_complete(&r->req, GOOD);
1740 
1741 done:
1742     scsi_req_unref(&r->req);
1743     qemu_vfree(data->iov.iov_base);
1744     g_free(data);
1745     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
1746 }
1747 
1748 static void scsi_disk_emulate_write_same(SCSIDiskReq *r, uint8_t *inbuf)
1749 {
1750     SCSIRequest *req = &r->req;
1751     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1752     uint32_t nb_sectors = scsi_data_cdb_xfer(r->req.cmd.buf);
1753     WriteSameCBData *data;
1754     uint8_t *buf;
1755     int i;
1756 
1757     /* Fail if PBDATA=1 or LBDATA=1 or ANCHOR=1.  */
1758     if (nb_sectors == 0 || (req->cmd.buf[1] & 0x16)) {
1759         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1760         return;
1761     }
1762 
1763     if (blk_is_read_only(s->qdev.conf.blk)) {
1764         scsi_check_condition(r, SENSE_CODE(WRITE_PROTECTED));
1765         return;
1766     }
1767     if (!check_lba_range(s, r->req.cmd.lba, nb_sectors)) {
1768         scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
1769         return;
1770     }
1771 
1772     if ((req->cmd.buf[1] & 0x1) || buffer_is_zero(inbuf, s->qdev.blocksize)) {
1773         int flags = (req->cmd.buf[1] & 0x8) ? BDRV_REQ_MAY_UNMAP : 0;
1774 
1775         /* The request is used as the AIO opaque value, so add a ref.  */
1776         scsi_req_ref(&r->req);
1777         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
1778                          nb_sectors * s->qdev.blocksize,
1779                         BLOCK_ACCT_WRITE);
1780         r->req.aiocb = blk_aio_pwrite_zeroes(s->qdev.conf.blk,
1781                                 r->req.cmd.lba * s->qdev.blocksize,
1782                                 nb_sectors * s->qdev.blocksize,
1783                                 flags, scsi_aio_complete, r);
1784         return;
1785     }
1786 
1787     data = g_new0(WriteSameCBData, 1);
1788     data->r = r;
1789     data->sector = r->req.cmd.lba * (s->qdev.blocksize / 512);
1790     data->nb_sectors = nb_sectors * (s->qdev.blocksize / 512);
1791     data->iov.iov_len = MIN(data->nb_sectors * 512, SCSI_WRITE_SAME_MAX);
1792     data->iov.iov_base = buf = blk_blockalign(s->qdev.conf.blk,
1793                                               data->iov.iov_len);
1794     qemu_iovec_init_external(&data->qiov, &data->iov, 1);
1795 
1796     for (i = 0; i < data->iov.iov_len; i += s->qdev.blocksize) {
1797         memcpy(&buf[i], inbuf, s->qdev.blocksize);
1798     }
1799 
1800     scsi_req_ref(&r->req);
1801     block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
1802                      data->iov.iov_len, BLOCK_ACCT_WRITE);
1803     r->req.aiocb = blk_aio_pwritev(s->qdev.conf.blk,
1804                                    data->sector << BDRV_SECTOR_BITS,
1805                                    &data->qiov, 0,
1806                                    scsi_write_same_complete, data);
1807 }
1808 
1809 static void scsi_disk_emulate_write_data(SCSIRequest *req)
1810 {
1811     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
1812 
1813     if (r->iov.iov_len) {
1814         int buflen = r->iov.iov_len;
1815         trace_scsi_disk_emulate_write_data(buflen);
1816         r->iov.iov_len = 0;
1817         scsi_req_data(&r->req, buflen);
1818         return;
1819     }
1820 
1821     switch (req->cmd.buf[0]) {
1822     case MODE_SELECT:
1823     case MODE_SELECT_10:
1824         /* This also clears the sense buffer for REQUEST SENSE.  */
1825         scsi_disk_emulate_mode_select(r, r->iov.iov_base);
1826         break;
1827 
1828     case UNMAP:
1829         scsi_disk_emulate_unmap(r, r->iov.iov_base);
1830         break;
1831 
1832     case VERIFY_10:
1833     case VERIFY_12:
1834     case VERIFY_16:
1835         if (r->req.status == -1) {
1836             scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1837         }
1838         break;
1839 
1840     case WRITE_SAME_10:
1841     case WRITE_SAME_16:
1842         scsi_disk_emulate_write_same(r, r->iov.iov_base);
1843         break;
1844 
1845     default:
1846         abort();
1847     }
1848 }
1849 
1850 static int32_t scsi_disk_emulate_command(SCSIRequest *req, uint8_t *buf)
1851 {
1852     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
1853     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1854     uint64_t nb_sectors;
1855     uint8_t *outbuf;
1856     int buflen;
1857 
1858     switch (req->cmd.buf[0]) {
1859     case INQUIRY:
1860     case MODE_SENSE:
1861     case MODE_SENSE_10:
1862     case RESERVE:
1863     case RESERVE_10:
1864     case RELEASE:
1865     case RELEASE_10:
1866     case START_STOP:
1867     case ALLOW_MEDIUM_REMOVAL:
1868     case GET_CONFIGURATION:
1869     case GET_EVENT_STATUS_NOTIFICATION:
1870     case MECHANISM_STATUS:
1871     case REQUEST_SENSE:
1872         break;
1873 
1874     default:
1875         if (!blk_is_available(s->qdev.conf.blk)) {
1876             scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
1877             return 0;
1878         }
1879         break;
1880     }
1881 
1882     /*
1883      * FIXME: we shouldn't return anything bigger than 4k, but the code
1884      * requires the buffer to be as big as req->cmd.xfer in several
1885      * places.  So, do not allow CDBs with a very large ALLOCATION
1886      * LENGTH.  The real fix would be to modify scsi_read_data and
1887      * dma_buf_read, so that they return data beyond the buflen
1888      * as all zeros.
1889      */
1890     if (req->cmd.xfer > 65536) {
1891         goto illegal_request;
1892     }
1893     r->buflen = MAX(4096, req->cmd.xfer);
1894 
1895     if (!r->iov.iov_base) {
1896         r->iov.iov_base = blk_blockalign(s->qdev.conf.blk, r->buflen);
1897     }
1898 
1899     buflen = req->cmd.xfer;
1900     outbuf = r->iov.iov_base;
1901     memset(outbuf, 0, r->buflen);
1902     switch (req->cmd.buf[0]) {
1903     case TEST_UNIT_READY:
1904         assert(blk_is_available(s->qdev.conf.blk));
1905         break;
1906     case INQUIRY:
1907         buflen = scsi_disk_emulate_inquiry(req, outbuf);
1908         if (buflen < 0) {
1909             goto illegal_request;
1910         }
1911         break;
1912     case MODE_SENSE:
1913     case MODE_SENSE_10:
1914         buflen = scsi_disk_emulate_mode_sense(r, outbuf);
1915         if (buflen < 0) {
1916             goto illegal_request;
1917         }
1918         break;
1919     case READ_TOC:
1920         buflen = scsi_disk_emulate_read_toc(req, outbuf);
1921         if (buflen < 0) {
1922             goto illegal_request;
1923         }
1924         break;
1925     case RESERVE:
1926         if (req->cmd.buf[1] & 1) {
1927             goto illegal_request;
1928         }
1929         break;
1930     case RESERVE_10:
1931         if (req->cmd.buf[1] & 3) {
1932             goto illegal_request;
1933         }
1934         break;
1935     case RELEASE:
1936         if (req->cmd.buf[1] & 1) {
1937             goto illegal_request;
1938         }
1939         break;
1940     case RELEASE_10:
1941         if (req->cmd.buf[1] & 3) {
1942             goto illegal_request;
1943         }
1944         break;
1945     case START_STOP:
1946         if (scsi_disk_emulate_start_stop(r) < 0) {
1947             return 0;
1948         }
1949         break;
1950     case ALLOW_MEDIUM_REMOVAL:
1951         s->tray_locked = req->cmd.buf[4] & 1;
1952         blk_lock_medium(s->qdev.conf.blk, req->cmd.buf[4] & 1);
1953         break;
1954     case READ_CAPACITY_10:
1955         /* The normal LEN field for this command is zero.  */
1956         memset(outbuf, 0, 8);
1957         blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
1958         if (!nb_sectors) {
1959             scsi_check_condition(r, SENSE_CODE(LUN_NOT_READY));
1960             return 0;
1961         }
1962         if ((req->cmd.buf[8] & 1) == 0 && req->cmd.lba) {
1963             goto illegal_request;
1964         }
1965         nb_sectors /= s->qdev.blocksize / 512;
1966         /* Returned value is the address of the last sector.  */
1967         nb_sectors--;
1968         /* Remember the new size for read/write sanity checking. */
1969         s->qdev.max_lba = nb_sectors;
1970         /* Clip to 2TB, instead of returning capacity modulo 2TB. */
1971         if (nb_sectors > UINT32_MAX) {
1972             nb_sectors = UINT32_MAX;
1973         }
1974         outbuf[0] = (nb_sectors >> 24) & 0xff;
1975         outbuf[1] = (nb_sectors >> 16) & 0xff;
1976         outbuf[2] = (nb_sectors >> 8) & 0xff;
1977         outbuf[3] = nb_sectors & 0xff;
1978         outbuf[4] = 0;
1979         outbuf[5] = 0;
1980         outbuf[6] = s->qdev.blocksize >> 8;
1981         outbuf[7] = 0;
1982         break;
1983     case REQUEST_SENSE:
1984         /* Just return "NO SENSE".  */
1985         buflen = scsi_convert_sense(NULL, 0, outbuf, r->buflen,
1986                                     (req->cmd.buf[1] & 1) == 0);
1987         if (buflen < 0) {
1988             goto illegal_request;
1989         }
1990         break;
1991     case MECHANISM_STATUS:
1992         buflen = scsi_emulate_mechanism_status(s, outbuf);
1993         if (buflen < 0) {
1994             goto illegal_request;
1995         }
1996         break;
1997     case GET_CONFIGURATION:
1998         buflen = scsi_get_configuration(s, outbuf);
1999         if (buflen < 0) {
2000             goto illegal_request;
2001         }
2002         break;
2003     case GET_EVENT_STATUS_NOTIFICATION:
2004         buflen = scsi_get_event_status_notification(s, r, outbuf);
2005         if (buflen < 0) {
2006             goto illegal_request;
2007         }
2008         break;
2009     case READ_DISC_INFORMATION:
2010         buflen = scsi_read_disc_information(s, r, outbuf);
2011         if (buflen < 0) {
2012             goto illegal_request;
2013         }
2014         break;
2015     case READ_DVD_STRUCTURE:
2016         buflen = scsi_read_dvd_structure(s, r, outbuf);
2017         if (buflen < 0) {
2018             goto illegal_request;
2019         }
2020         break;
2021     case SERVICE_ACTION_IN_16:
2022         /* Service Action In subcommands. */
2023         if ((req->cmd.buf[1] & 31) == SAI_READ_CAPACITY_16) {
2024             trace_scsi_disk_emulate_command_SAI_16();
2025             memset(outbuf, 0, req->cmd.xfer);
2026             blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
2027             if (!nb_sectors) {
2028                 scsi_check_condition(r, SENSE_CODE(LUN_NOT_READY));
2029                 return 0;
2030             }
2031             if ((req->cmd.buf[14] & 1) == 0 && req->cmd.lba) {
2032                 goto illegal_request;
2033             }
2034             nb_sectors /= s->qdev.blocksize / 512;
2035             /* Returned value is the address of the last sector.  */
2036             nb_sectors--;
2037             /* Remember the new size for read/write sanity checking. */
2038             s->qdev.max_lba = nb_sectors;
2039             outbuf[0] = (nb_sectors >> 56) & 0xff;
2040             outbuf[1] = (nb_sectors >> 48) & 0xff;
2041             outbuf[2] = (nb_sectors >> 40) & 0xff;
2042             outbuf[3] = (nb_sectors >> 32) & 0xff;
2043             outbuf[4] = (nb_sectors >> 24) & 0xff;
2044             outbuf[5] = (nb_sectors >> 16) & 0xff;
2045             outbuf[6] = (nb_sectors >> 8) & 0xff;
2046             outbuf[7] = nb_sectors & 0xff;
2047             outbuf[8] = 0;
2048             outbuf[9] = 0;
2049             outbuf[10] = s->qdev.blocksize >> 8;
2050             outbuf[11] = 0;
2051             outbuf[12] = 0;
2052             outbuf[13] = get_physical_block_exp(&s->qdev.conf);
2053 
2054             /* set TPE bit if the format supports discard */
2055             if (s->qdev.conf.discard_granularity) {
2056                 outbuf[14] = 0x80;
2057             }
2058 
2059             /* Protection, exponent and lowest lba field left blank. */
2060             break;
2061         }
2062         trace_scsi_disk_emulate_command_SAI_unsupported();
2063         goto illegal_request;
2064     case SYNCHRONIZE_CACHE:
2065         /* The request is used as the AIO opaque value, so add a ref.  */
2066         scsi_req_ref(&r->req);
2067         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct, 0,
2068                          BLOCK_ACCT_FLUSH);
2069         r->req.aiocb = blk_aio_flush(s->qdev.conf.blk, scsi_aio_complete, r);
2070         return 0;
2071     case SEEK_10:
2072         trace_scsi_disk_emulate_command_SEEK_10(r->req.cmd.lba);
2073         if (r->req.cmd.lba > s->qdev.max_lba) {
2074             goto illegal_lba;
2075         }
2076         break;
2077     case MODE_SELECT:
2078         trace_scsi_disk_emulate_command_MODE_SELECT(r->req.cmd.xfer);
2079         break;
2080     case MODE_SELECT_10:
2081         trace_scsi_disk_emulate_command_MODE_SELECT_10(r->req.cmd.xfer);
2082         break;
2083     case UNMAP:
2084         trace_scsi_disk_emulate_command_UNMAP(r->req.cmd.xfer);
2085         break;
2086     case VERIFY_10:
2087     case VERIFY_12:
2088     case VERIFY_16:
2089         trace_scsi_disk_emulate_command_VERIFY((req->cmd.buf[1] >> 1) & 3);
2090         if (req->cmd.buf[1] & 6) {
2091             goto illegal_request;
2092         }
2093         break;
2094     case WRITE_SAME_10:
2095     case WRITE_SAME_16:
2096         trace_scsi_disk_emulate_command_WRITE_SAME(
2097                 req->cmd.buf[0] == WRITE_SAME_10 ? 10 : 16, r->req.cmd.xfer);
2098         break;
2099     default:
2100         trace_scsi_disk_emulate_command_UNKNOWN(buf[0],
2101                                                 scsi_command_name(buf[0]));
2102         scsi_check_condition(r, SENSE_CODE(INVALID_OPCODE));
2103         return 0;
2104     }
2105     assert(!r->req.aiocb);
2106     r->iov.iov_len = MIN(r->buflen, req->cmd.xfer);
2107     if (r->iov.iov_len == 0) {
2108         scsi_req_complete(&r->req, GOOD);
2109     }
2110     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
2111         assert(r->iov.iov_len == req->cmd.xfer);
2112         return -r->iov.iov_len;
2113     } else {
2114         return r->iov.iov_len;
2115     }
2116 
2117 illegal_request:
2118     if (r->req.status == -1) {
2119         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
2120     }
2121     return 0;
2122 
2123 illegal_lba:
2124     scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
2125     return 0;
2126 }
2127 
2128 /* Execute a scsi command.  Returns the length of the data expected by the
2129    command.  This will be Positive for data transfers from the device
2130    (eg. disk reads), negative for transfers to the device (eg. disk writes),
2131    and zero if the command does not transfer any data.  */
2132 
2133 static int32_t scsi_disk_dma_command(SCSIRequest *req, uint8_t *buf)
2134 {
2135     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
2136     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
2137     SCSIDiskClass *sdc = (SCSIDiskClass *) object_get_class(OBJECT(s));
2138     uint32_t len;
2139     uint8_t command;
2140 
2141     command = buf[0];
2142 
2143     if (!blk_is_available(s->qdev.conf.blk)) {
2144         scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
2145         return 0;
2146     }
2147 
2148     len = scsi_data_cdb_xfer(r->req.cmd.buf);
2149     switch (command) {
2150     case READ_6:
2151     case READ_10:
2152     case READ_12:
2153     case READ_16:
2154         trace_scsi_disk_dma_command_READ(r->req.cmd.lba, len);
2155         /* Protection information is not supported.  For SCSI versions 2 and
2156          * older (as determined by snooping the guest's INQUIRY commands),
2157          * there is no RD/WR/VRPROTECT, so skip this check in these versions.
2158          */
2159         if (s->qdev.scsi_version > 2 && (r->req.cmd.buf[1] & 0xe0)) {
2160             goto illegal_request;
2161         }
2162         if (!check_lba_range(s, r->req.cmd.lba, len)) {
2163             goto illegal_lba;
2164         }
2165         r->sector = r->req.cmd.lba * (s->qdev.blocksize / 512);
2166         r->sector_count = len * (s->qdev.blocksize / 512);
2167         break;
2168     case WRITE_6:
2169     case WRITE_10:
2170     case WRITE_12:
2171     case WRITE_16:
2172     case WRITE_VERIFY_10:
2173     case WRITE_VERIFY_12:
2174     case WRITE_VERIFY_16:
2175         if (blk_is_read_only(s->qdev.conf.blk)) {
2176             scsi_check_condition(r, SENSE_CODE(WRITE_PROTECTED));
2177             return 0;
2178         }
2179         trace_scsi_disk_dma_command_WRITE(
2180                 (command & 0xe) == 0xe ? "And Verify " : "",
2181                 r->req.cmd.lba, len);
2182         /* fall through */
2183     case VERIFY_10:
2184     case VERIFY_12:
2185     case VERIFY_16:
2186         /* We get here only for BYTCHK == 0x01 and only for scsi-block.
2187          * As far as DMA is concerned, we can treat it the same as a write;
2188          * scsi_block_do_sgio will send VERIFY commands.
2189          */
2190         if (s->qdev.scsi_version > 2 && (r->req.cmd.buf[1] & 0xe0)) {
2191             goto illegal_request;
2192         }
2193         if (!check_lba_range(s, r->req.cmd.lba, len)) {
2194             goto illegal_lba;
2195         }
2196         r->sector = r->req.cmd.lba * (s->qdev.blocksize / 512);
2197         r->sector_count = len * (s->qdev.blocksize / 512);
2198         break;
2199     default:
2200         abort();
2201     illegal_request:
2202         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
2203         return 0;
2204     illegal_lba:
2205         scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
2206         return 0;
2207     }
2208     r->need_fua_emulation = sdc->need_fua_emulation(&r->req.cmd);
2209     if (r->sector_count == 0) {
2210         scsi_req_complete(&r->req, GOOD);
2211     }
2212     assert(r->iov.iov_len == 0);
2213     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
2214         return -r->sector_count * 512;
2215     } else {
2216         return r->sector_count * 512;
2217     }
2218 }
2219 
2220 static void scsi_disk_reset(DeviceState *dev)
2221 {
2222     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev.qdev, dev);
2223     uint64_t nb_sectors;
2224 
2225     scsi_device_purge_requests(&s->qdev, SENSE_CODE(RESET));
2226 
2227     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
2228     nb_sectors /= s->qdev.blocksize / 512;
2229     if (nb_sectors) {
2230         nb_sectors--;
2231     }
2232     s->qdev.max_lba = nb_sectors;
2233     /* reset tray statuses */
2234     s->tray_locked = 0;
2235     s->tray_open = 0;
2236 
2237     s->qdev.scsi_version = s->qdev.default_scsi_version;
2238 }
2239 
2240 static void scsi_disk_resize_cb(void *opaque)
2241 {
2242     SCSIDiskState *s = opaque;
2243 
2244     /* SPC lists this sense code as available only for
2245      * direct-access devices.
2246      */
2247     if (s->qdev.type == TYPE_DISK) {
2248         scsi_device_report_change(&s->qdev, SENSE_CODE(CAPACITY_CHANGED));
2249     }
2250 }
2251 
2252 static void scsi_cd_change_media_cb(void *opaque, bool load, Error **errp)
2253 {
2254     SCSIDiskState *s = opaque;
2255 
2256     /*
2257      * When a CD gets changed, we have to report an ejected state and
2258      * then a loaded state to guests so that they detect tray
2259      * open/close and media change events.  Guests that do not use
2260      * GET_EVENT_STATUS_NOTIFICATION to detect such tray open/close
2261      * states rely on this behavior.
2262      *
2263      * media_changed governs the state machine used for unit attention
2264      * report.  media_event is used by GET EVENT STATUS NOTIFICATION.
2265      */
2266     s->media_changed = load;
2267     s->tray_open = !load;
2268     scsi_device_set_ua(&s->qdev, SENSE_CODE(UNIT_ATTENTION_NO_MEDIUM));
2269     s->media_event = true;
2270     s->eject_request = false;
2271 }
2272 
2273 static void scsi_cd_eject_request_cb(void *opaque, bool force)
2274 {
2275     SCSIDiskState *s = opaque;
2276 
2277     s->eject_request = true;
2278     if (force) {
2279         s->tray_locked = false;
2280     }
2281 }
2282 
2283 static bool scsi_cd_is_tray_open(void *opaque)
2284 {
2285     return ((SCSIDiskState *)opaque)->tray_open;
2286 }
2287 
2288 static bool scsi_cd_is_medium_locked(void *opaque)
2289 {
2290     return ((SCSIDiskState *)opaque)->tray_locked;
2291 }
2292 
2293 static const BlockDevOps scsi_disk_removable_block_ops = {
2294     .change_media_cb = scsi_cd_change_media_cb,
2295     .eject_request_cb = scsi_cd_eject_request_cb,
2296     .is_tray_open = scsi_cd_is_tray_open,
2297     .is_medium_locked = scsi_cd_is_medium_locked,
2298 
2299     .resize_cb = scsi_disk_resize_cb,
2300 };
2301 
2302 static const BlockDevOps scsi_disk_block_ops = {
2303     .resize_cb = scsi_disk_resize_cb,
2304 };
2305 
2306 static void scsi_disk_unit_attention_reported(SCSIDevice *dev)
2307 {
2308     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2309     if (s->media_changed) {
2310         s->media_changed = false;
2311         scsi_device_set_ua(&s->qdev, SENSE_CODE(MEDIUM_CHANGED));
2312     }
2313 }
2314 
2315 static void scsi_realize(SCSIDevice *dev, Error **errp)
2316 {
2317     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2318 
2319     if (!s->qdev.conf.blk) {
2320         error_setg(errp, "drive property not set");
2321         return;
2322     }
2323 
2324     if (!(s->features & (1 << SCSI_DISK_F_REMOVABLE)) &&
2325         !blk_is_inserted(s->qdev.conf.blk)) {
2326         error_setg(errp, "Device needs media, but drive is empty");
2327         return;
2328     }
2329 
2330     blkconf_blocksizes(&s->qdev.conf);
2331 
2332     if (s->qdev.conf.logical_block_size >
2333         s->qdev.conf.physical_block_size) {
2334         error_setg(errp,
2335                    "logical_block_size > physical_block_size not supported");
2336         return;
2337     }
2338 
2339     if (blk_get_aio_context(s->qdev.conf.blk) != qemu_get_aio_context() &&
2340         !s->qdev.hba_supports_iothread)
2341     {
2342         error_setg(errp, "HBA does not support iothreads");
2343         return;
2344     }
2345 
2346     if (dev->type == TYPE_DISK) {
2347         if (!blkconf_geometry(&dev->conf, NULL, 65535, 255, 255, errp)) {
2348             return;
2349         }
2350     }
2351     if (!blkconf_apply_backend_options(&dev->conf,
2352                                        blk_is_read_only(s->qdev.conf.blk),
2353                                        dev->type == TYPE_DISK, errp)) {
2354         return;
2355     }
2356 
2357     if (s->qdev.conf.discard_granularity == -1) {
2358         s->qdev.conf.discard_granularity =
2359             MAX(s->qdev.conf.logical_block_size, DEFAULT_DISCARD_GRANULARITY);
2360     }
2361 
2362     if (!s->version) {
2363         s->version = g_strdup(qemu_hw_version());
2364     }
2365     if (!s->vendor) {
2366         s->vendor = g_strdup("QEMU");
2367     }
2368     if (!s->device_id) {
2369         if (s->serial) {
2370             s->device_id = g_strdup_printf("%.20s", s->serial);
2371         } else {
2372             const char *str = blk_name(s->qdev.conf.blk);
2373             if (str && *str) {
2374                 s->device_id = g_strdup(str);
2375             }
2376         }
2377     }
2378 
2379     if (blk_is_sg(s->qdev.conf.blk)) {
2380         error_setg(errp, "unwanted /dev/sg*");
2381         return;
2382     }
2383 
2384     if ((s->features & (1 << SCSI_DISK_F_REMOVABLE)) &&
2385             !(s->features & (1 << SCSI_DISK_F_NO_REMOVABLE_DEVOPS))) {
2386         blk_set_dev_ops(s->qdev.conf.blk, &scsi_disk_removable_block_ops, s);
2387     } else {
2388         blk_set_dev_ops(s->qdev.conf.blk, &scsi_disk_block_ops, s);
2389     }
2390     blk_set_guest_block_size(s->qdev.conf.blk, s->qdev.blocksize);
2391 
2392     blk_iostatus_enable(s->qdev.conf.blk);
2393 }
2394 
2395 static void scsi_hd_realize(SCSIDevice *dev, Error **errp)
2396 {
2397     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2398     AioContext *ctx = NULL;
2399     /* can happen for devices without drive. The error message for missing
2400      * backend will be issued in scsi_realize
2401      */
2402     if (s->qdev.conf.blk) {
2403         ctx = blk_get_aio_context(s->qdev.conf.blk);
2404         aio_context_acquire(ctx);
2405         blkconf_blocksizes(&s->qdev.conf);
2406     }
2407     s->qdev.blocksize = s->qdev.conf.logical_block_size;
2408     s->qdev.type = TYPE_DISK;
2409     if (!s->product) {
2410         s->product = g_strdup("QEMU HARDDISK");
2411     }
2412     scsi_realize(&s->qdev, errp);
2413     if (ctx) {
2414         aio_context_release(ctx);
2415     }
2416 }
2417 
2418 static void scsi_cd_realize(SCSIDevice *dev, Error **errp)
2419 {
2420     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2421     AioContext *ctx;
2422     int ret;
2423 
2424     if (!dev->conf.blk) {
2425         /* Anonymous BlockBackend for an empty drive. As we put it into
2426          * dev->conf, qdev takes care of detaching on unplug. */
2427         dev->conf.blk = blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL);
2428         ret = blk_attach_dev(dev->conf.blk, &dev->qdev);
2429         assert(ret == 0);
2430     }
2431 
2432     ctx = blk_get_aio_context(dev->conf.blk);
2433     aio_context_acquire(ctx);
2434     s->qdev.blocksize = 2048;
2435     s->qdev.type = TYPE_ROM;
2436     s->features |= 1 << SCSI_DISK_F_REMOVABLE;
2437     if (!s->product) {
2438         s->product = g_strdup("QEMU CD-ROM");
2439     }
2440     scsi_realize(&s->qdev, errp);
2441     aio_context_release(ctx);
2442 }
2443 
2444 static void scsi_disk_realize(SCSIDevice *dev, Error **errp)
2445 {
2446     DriveInfo *dinfo;
2447     Error *local_err = NULL;
2448 
2449     if (!dev->conf.blk) {
2450         scsi_realize(dev, &local_err);
2451         assert(local_err);
2452         error_propagate(errp, local_err);
2453         return;
2454     }
2455 
2456     dinfo = blk_legacy_dinfo(dev->conf.blk);
2457     if (dinfo && dinfo->media_cd) {
2458         scsi_cd_realize(dev, errp);
2459     } else {
2460         scsi_hd_realize(dev, errp);
2461     }
2462 }
2463 
2464 static const SCSIReqOps scsi_disk_emulate_reqops = {
2465     .size         = sizeof(SCSIDiskReq),
2466     .free_req     = scsi_free_request,
2467     .send_command = scsi_disk_emulate_command,
2468     .read_data    = scsi_disk_emulate_read_data,
2469     .write_data   = scsi_disk_emulate_write_data,
2470     .get_buf      = scsi_get_buf,
2471 };
2472 
2473 static const SCSIReqOps scsi_disk_dma_reqops = {
2474     .size         = sizeof(SCSIDiskReq),
2475     .free_req     = scsi_free_request,
2476     .send_command = scsi_disk_dma_command,
2477     .read_data    = scsi_read_data,
2478     .write_data   = scsi_write_data,
2479     .get_buf      = scsi_get_buf,
2480     .load_request = scsi_disk_load_request,
2481     .save_request = scsi_disk_save_request,
2482 };
2483 
2484 static const SCSIReqOps *const scsi_disk_reqops_dispatch[256] = {
2485     [TEST_UNIT_READY]                 = &scsi_disk_emulate_reqops,
2486     [INQUIRY]                         = &scsi_disk_emulate_reqops,
2487     [MODE_SENSE]                      = &scsi_disk_emulate_reqops,
2488     [MODE_SENSE_10]                   = &scsi_disk_emulate_reqops,
2489     [START_STOP]                      = &scsi_disk_emulate_reqops,
2490     [ALLOW_MEDIUM_REMOVAL]            = &scsi_disk_emulate_reqops,
2491     [READ_CAPACITY_10]                = &scsi_disk_emulate_reqops,
2492     [READ_TOC]                        = &scsi_disk_emulate_reqops,
2493     [READ_DVD_STRUCTURE]              = &scsi_disk_emulate_reqops,
2494     [READ_DISC_INFORMATION]           = &scsi_disk_emulate_reqops,
2495     [GET_CONFIGURATION]               = &scsi_disk_emulate_reqops,
2496     [GET_EVENT_STATUS_NOTIFICATION]   = &scsi_disk_emulate_reqops,
2497     [MECHANISM_STATUS]                = &scsi_disk_emulate_reqops,
2498     [SERVICE_ACTION_IN_16]            = &scsi_disk_emulate_reqops,
2499     [REQUEST_SENSE]                   = &scsi_disk_emulate_reqops,
2500     [SYNCHRONIZE_CACHE]               = &scsi_disk_emulate_reqops,
2501     [SEEK_10]                         = &scsi_disk_emulate_reqops,
2502     [MODE_SELECT]                     = &scsi_disk_emulate_reqops,
2503     [MODE_SELECT_10]                  = &scsi_disk_emulate_reqops,
2504     [UNMAP]                           = &scsi_disk_emulate_reqops,
2505     [WRITE_SAME_10]                   = &scsi_disk_emulate_reqops,
2506     [WRITE_SAME_16]                   = &scsi_disk_emulate_reqops,
2507     [VERIFY_10]                       = &scsi_disk_emulate_reqops,
2508     [VERIFY_12]                       = &scsi_disk_emulate_reqops,
2509     [VERIFY_16]                       = &scsi_disk_emulate_reqops,
2510 
2511     [READ_6]                          = &scsi_disk_dma_reqops,
2512     [READ_10]                         = &scsi_disk_dma_reqops,
2513     [READ_12]                         = &scsi_disk_dma_reqops,
2514     [READ_16]                         = &scsi_disk_dma_reqops,
2515     [WRITE_6]                         = &scsi_disk_dma_reqops,
2516     [WRITE_10]                        = &scsi_disk_dma_reqops,
2517     [WRITE_12]                        = &scsi_disk_dma_reqops,
2518     [WRITE_16]                        = &scsi_disk_dma_reqops,
2519     [WRITE_VERIFY_10]                 = &scsi_disk_dma_reqops,
2520     [WRITE_VERIFY_12]                 = &scsi_disk_dma_reqops,
2521     [WRITE_VERIFY_16]                 = &scsi_disk_dma_reqops,
2522 };
2523 
2524 static void scsi_disk_new_request_dump(uint32_t lun, uint32_t tag, uint8_t *buf)
2525 {
2526     int i;
2527     int len = scsi_cdb_length(buf);
2528     char *line_buffer, *p;
2529 
2530     line_buffer = g_malloc(len * 5 + 1);
2531 
2532     for (i = 0, p = line_buffer; i < len; i++) {
2533         p += sprintf(p, " 0x%02x", buf[i]);
2534     }
2535     trace_scsi_disk_new_request(lun, tag, line_buffer);
2536 
2537     g_free(line_buffer);
2538 }
2539 
2540 static SCSIRequest *scsi_new_request(SCSIDevice *d, uint32_t tag, uint32_t lun,
2541                                      uint8_t *buf, void *hba_private)
2542 {
2543     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, d);
2544     SCSIRequest *req;
2545     const SCSIReqOps *ops;
2546     uint8_t command;
2547 
2548     command = buf[0];
2549     ops = scsi_disk_reqops_dispatch[command];
2550     if (!ops) {
2551         ops = &scsi_disk_emulate_reqops;
2552     }
2553     req = scsi_req_alloc(ops, &s->qdev, tag, lun, hba_private);
2554 
2555     if (trace_event_get_state_backends(TRACE_SCSI_DISK_NEW_REQUEST)) {
2556         scsi_disk_new_request_dump(lun, tag, buf);
2557     }
2558 
2559     return req;
2560 }
2561 
2562 #ifdef __linux__
2563 static int get_device_type(SCSIDiskState *s)
2564 {
2565     uint8_t cmd[16];
2566     uint8_t buf[36];
2567     int ret;
2568 
2569     memset(cmd, 0, sizeof(cmd));
2570     memset(buf, 0, sizeof(buf));
2571     cmd[0] = INQUIRY;
2572     cmd[4] = sizeof(buf);
2573 
2574     ret = scsi_SG_IO_FROM_DEV(s->qdev.conf.blk, cmd, sizeof(cmd),
2575                               buf, sizeof(buf));
2576     if (ret < 0) {
2577         return -1;
2578     }
2579     s->qdev.type = buf[0];
2580     if (buf[1] & 0x80) {
2581         s->features |= 1 << SCSI_DISK_F_REMOVABLE;
2582     }
2583     return 0;
2584 }
2585 
2586 static void scsi_block_realize(SCSIDevice *dev, Error **errp)
2587 {
2588     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2589     AioContext *ctx;
2590     int sg_version;
2591     int rc;
2592 
2593     if (!s->qdev.conf.blk) {
2594         error_setg(errp, "drive property not set");
2595         return;
2596     }
2597 
2598     if (s->rotation_rate) {
2599         error_report_once("rotation_rate is specified for scsi-block but is "
2600                           "not implemented. This option is deprecated and will "
2601                           "be removed in a future version");
2602     }
2603 
2604     ctx = blk_get_aio_context(s->qdev.conf.blk);
2605     aio_context_acquire(ctx);
2606 
2607     /* check we are using a driver managing SG_IO (version 3 and after) */
2608     rc = blk_ioctl(s->qdev.conf.blk, SG_GET_VERSION_NUM, &sg_version);
2609     if (rc < 0) {
2610         error_setg_errno(errp, -rc, "cannot get SG_IO version number");
2611         if (rc != -EPERM) {
2612             error_append_hint(errp, "Is this a SCSI device?\n");
2613         }
2614         goto out;
2615     }
2616     if (sg_version < 30000) {
2617         error_setg(errp, "scsi generic interface too old");
2618         goto out;
2619     }
2620 
2621     /* get device type from INQUIRY data */
2622     rc = get_device_type(s);
2623     if (rc < 0) {
2624         error_setg(errp, "INQUIRY failed");
2625         goto out;
2626     }
2627 
2628     /* Make a guess for the block size, we'll fix it when the guest sends.
2629      * READ CAPACITY.  If they don't, they likely would assume these sizes
2630      * anyway. (TODO: check in /sys).
2631      */
2632     if (s->qdev.type == TYPE_ROM || s->qdev.type == TYPE_WORM) {
2633         s->qdev.blocksize = 2048;
2634     } else {
2635         s->qdev.blocksize = 512;
2636     }
2637 
2638     /* Makes the scsi-block device not removable by using HMP and QMP eject
2639      * command.
2640      */
2641     s->features |= (1 << SCSI_DISK_F_NO_REMOVABLE_DEVOPS);
2642 
2643     scsi_realize(&s->qdev, errp);
2644     scsi_generic_read_device_inquiry(&s->qdev);
2645 
2646 out:
2647     aio_context_release(ctx);
2648 }
2649 
2650 typedef struct SCSIBlockReq {
2651     SCSIDiskReq req;
2652     sg_io_hdr_t io_header;
2653 
2654     /* Selected bytes of the original CDB, copied into our own CDB.  */
2655     uint8_t cmd, cdb1, group_number;
2656 
2657     /* CDB passed to SG_IO.  */
2658     uint8_t cdb[16];
2659 } SCSIBlockReq;
2660 
2661 static BlockAIOCB *scsi_block_do_sgio(SCSIBlockReq *req,
2662                                       int64_t offset, QEMUIOVector *iov,
2663                                       int direction,
2664                                       BlockCompletionFunc *cb, void *opaque)
2665 {
2666     sg_io_hdr_t *io_header = &req->io_header;
2667     SCSIDiskReq *r = &req->req;
2668     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
2669     int nb_logical_blocks;
2670     uint64_t lba;
2671     BlockAIOCB *aiocb;
2672 
2673     /* This is not supported yet.  It can only happen if the guest does
2674      * reads and writes that are not aligned to one logical sectors
2675      * _and_ cover multiple MemoryRegions.
2676      */
2677     assert(offset % s->qdev.blocksize == 0);
2678     assert(iov->size % s->qdev.blocksize == 0);
2679 
2680     io_header->interface_id = 'S';
2681 
2682     /* The data transfer comes from the QEMUIOVector.  */
2683     io_header->dxfer_direction = direction;
2684     io_header->dxfer_len = iov->size;
2685     io_header->dxferp = (void *)iov->iov;
2686     io_header->iovec_count = iov->niov;
2687     assert(io_header->iovec_count == iov->niov); /* no overflow! */
2688 
2689     /* Build a new CDB with the LBA and length patched in, in case
2690      * DMA helpers split the transfer in multiple segments.  Do not
2691      * build a CDB smaller than what the guest wanted, and only build
2692      * a larger one if strictly necessary.
2693      */
2694     io_header->cmdp = req->cdb;
2695     lba = offset / s->qdev.blocksize;
2696     nb_logical_blocks = io_header->dxfer_len / s->qdev.blocksize;
2697 
2698     if ((req->cmd >> 5) == 0 && lba <= 0x1ffff) {
2699         /* 6-byte CDB */
2700         stl_be_p(&req->cdb[0], lba | (req->cmd << 24));
2701         req->cdb[4] = nb_logical_blocks;
2702         req->cdb[5] = 0;
2703         io_header->cmd_len = 6;
2704     } else if ((req->cmd >> 5) <= 1 && lba <= 0xffffffffULL) {
2705         /* 10-byte CDB */
2706         req->cdb[0] = (req->cmd & 0x1f) | 0x20;
2707         req->cdb[1] = req->cdb1;
2708         stl_be_p(&req->cdb[2], lba);
2709         req->cdb[6] = req->group_number;
2710         stw_be_p(&req->cdb[7], nb_logical_blocks);
2711         req->cdb[9] = 0;
2712         io_header->cmd_len = 10;
2713     } else if ((req->cmd >> 5) != 4 && lba <= 0xffffffffULL) {
2714         /* 12-byte CDB */
2715         req->cdb[0] = (req->cmd & 0x1f) | 0xA0;
2716         req->cdb[1] = req->cdb1;
2717         stl_be_p(&req->cdb[2], lba);
2718         stl_be_p(&req->cdb[6], nb_logical_blocks);
2719         req->cdb[10] = req->group_number;
2720         req->cdb[11] = 0;
2721         io_header->cmd_len = 12;
2722     } else {
2723         /* 16-byte CDB */
2724         req->cdb[0] = (req->cmd & 0x1f) | 0x80;
2725         req->cdb[1] = req->cdb1;
2726         stq_be_p(&req->cdb[2], lba);
2727         stl_be_p(&req->cdb[10], nb_logical_blocks);
2728         req->cdb[14] = req->group_number;
2729         req->cdb[15] = 0;
2730         io_header->cmd_len = 16;
2731     }
2732 
2733     /* The rest is as in scsi-generic.c.  */
2734     io_header->mx_sb_len = sizeof(r->req.sense);
2735     io_header->sbp = r->req.sense;
2736     io_header->timeout = UINT_MAX;
2737     io_header->usr_ptr = r;
2738     io_header->flags |= SG_FLAG_DIRECT_IO;
2739 
2740     aiocb = blk_aio_ioctl(s->qdev.conf.blk, SG_IO, io_header, cb, opaque);
2741     assert(aiocb != NULL);
2742     return aiocb;
2743 }
2744 
2745 static bool scsi_block_no_fua(SCSICommand *cmd)
2746 {
2747     return false;
2748 }
2749 
2750 static BlockAIOCB *scsi_block_dma_readv(int64_t offset,
2751                                         QEMUIOVector *iov,
2752                                         BlockCompletionFunc *cb, void *cb_opaque,
2753                                         void *opaque)
2754 {
2755     SCSIBlockReq *r = opaque;
2756     return scsi_block_do_sgio(r, offset, iov,
2757                               SG_DXFER_FROM_DEV, cb, cb_opaque);
2758 }
2759 
2760 static BlockAIOCB *scsi_block_dma_writev(int64_t offset,
2761                                          QEMUIOVector *iov,
2762                                          BlockCompletionFunc *cb, void *cb_opaque,
2763                                          void *opaque)
2764 {
2765     SCSIBlockReq *r = opaque;
2766     return scsi_block_do_sgio(r, offset, iov,
2767                               SG_DXFER_TO_DEV, cb, cb_opaque);
2768 }
2769 
2770 static bool scsi_block_is_passthrough(SCSIDiskState *s, uint8_t *buf)
2771 {
2772     switch (buf[0]) {
2773     case VERIFY_10:
2774     case VERIFY_12:
2775     case VERIFY_16:
2776         /* Check if BYTCHK == 0x01 (data-out buffer contains data
2777          * for the number of logical blocks specified in the length
2778          * field).  For other modes, do not use scatter/gather operation.
2779          */
2780         if ((buf[1] & 6) == 2) {
2781             return false;
2782         }
2783         break;
2784 
2785     case READ_6:
2786     case READ_10:
2787     case READ_12:
2788     case READ_16:
2789     case WRITE_6:
2790     case WRITE_10:
2791     case WRITE_12:
2792     case WRITE_16:
2793     case WRITE_VERIFY_10:
2794     case WRITE_VERIFY_12:
2795     case WRITE_VERIFY_16:
2796         /* MMC writing cannot be done via DMA helpers, because it sometimes
2797          * involves writing beyond the maximum LBA or to negative LBA (lead-in).
2798          * We might use scsi_block_dma_reqops as long as no writing commands are
2799          * seen, but performance usually isn't paramount on optical media.  So,
2800          * just make scsi-block operate the same as scsi-generic for them.
2801          */
2802         if (s->qdev.type != TYPE_ROM) {
2803             return false;
2804         }
2805         break;
2806 
2807     default:
2808         break;
2809     }
2810 
2811     return true;
2812 }
2813 
2814 
2815 static int32_t scsi_block_dma_command(SCSIRequest *req, uint8_t *buf)
2816 {
2817     SCSIBlockReq *r = (SCSIBlockReq *)req;
2818     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
2819 
2820     r->cmd = req->cmd.buf[0];
2821     switch (r->cmd >> 5) {
2822     case 0:
2823         /* 6-byte CDB.  */
2824         r->cdb1 = r->group_number = 0;
2825         break;
2826     case 1:
2827         /* 10-byte CDB.  */
2828         r->cdb1 = req->cmd.buf[1];
2829         r->group_number = req->cmd.buf[6];
2830         break;
2831     case 4:
2832         /* 12-byte CDB.  */
2833         r->cdb1 = req->cmd.buf[1];
2834         r->group_number = req->cmd.buf[10];
2835         break;
2836     case 5:
2837         /* 16-byte CDB.  */
2838         r->cdb1 = req->cmd.buf[1];
2839         r->group_number = req->cmd.buf[14];
2840         break;
2841     default:
2842         abort();
2843     }
2844 
2845     /* Protection information is not supported.  For SCSI versions 2 and
2846      * older (as determined by snooping the guest's INQUIRY commands),
2847      * there is no RD/WR/VRPROTECT, so skip this check in these versions.
2848      */
2849     if (s->qdev.scsi_version > 2 && (req->cmd.buf[1] & 0xe0)) {
2850         scsi_check_condition(&r->req, SENSE_CODE(INVALID_FIELD));
2851         return 0;
2852     }
2853 
2854     r->req.status = &r->io_header.status;
2855     return scsi_disk_dma_command(req, buf);
2856 }
2857 
2858 static const SCSIReqOps scsi_block_dma_reqops = {
2859     .size         = sizeof(SCSIBlockReq),
2860     .free_req     = scsi_free_request,
2861     .send_command = scsi_block_dma_command,
2862     .read_data    = scsi_read_data,
2863     .write_data   = scsi_write_data,
2864     .get_buf      = scsi_get_buf,
2865     .load_request = scsi_disk_load_request,
2866     .save_request = scsi_disk_save_request,
2867 };
2868 
2869 static SCSIRequest *scsi_block_new_request(SCSIDevice *d, uint32_t tag,
2870                                            uint32_t lun, uint8_t *buf,
2871                                            void *hba_private)
2872 {
2873     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, d);
2874 
2875     if (scsi_block_is_passthrough(s, buf)) {
2876         return scsi_req_alloc(&scsi_generic_req_ops, &s->qdev, tag, lun,
2877                               hba_private);
2878     } else {
2879         return scsi_req_alloc(&scsi_block_dma_reqops, &s->qdev, tag, lun,
2880                               hba_private);
2881     }
2882 }
2883 
2884 static int scsi_block_parse_cdb(SCSIDevice *d, SCSICommand *cmd,
2885                                   uint8_t *buf, void *hba_private)
2886 {
2887     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, d);
2888 
2889     if (scsi_block_is_passthrough(s, buf)) {
2890         return scsi_bus_parse_cdb(&s->qdev, cmd, buf, hba_private);
2891     } else {
2892         return scsi_req_parse_cdb(&s->qdev, cmd, buf);
2893     }
2894 }
2895 
2896 #endif
2897 
2898 static
2899 BlockAIOCB *scsi_dma_readv(int64_t offset, QEMUIOVector *iov,
2900                            BlockCompletionFunc *cb, void *cb_opaque,
2901                            void *opaque)
2902 {
2903     SCSIDiskReq *r = opaque;
2904     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
2905     return blk_aio_preadv(s->qdev.conf.blk, offset, iov, 0, cb, cb_opaque);
2906 }
2907 
2908 static
2909 BlockAIOCB *scsi_dma_writev(int64_t offset, QEMUIOVector *iov,
2910                             BlockCompletionFunc *cb, void *cb_opaque,
2911                             void *opaque)
2912 {
2913     SCSIDiskReq *r = opaque;
2914     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
2915     return blk_aio_pwritev(s->qdev.conf.blk, offset, iov, 0, cb, cb_opaque);
2916 }
2917 
2918 static void scsi_disk_base_class_initfn(ObjectClass *klass, void *data)
2919 {
2920     DeviceClass *dc = DEVICE_CLASS(klass);
2921     SCSIDiskClass *sdc = SCSI_DISK_BASE_CLASS(klass);
2922 
2923     dc->fw_name = "disk";
2924     dc->reset = scsi_disk_reset;
2925     sdc->dma_readv = scsi_dma_readv;
2926     sdc->dma_writev = scsi_dma_writev;
2927     sdc->need_fua_emulation = scsi_is_cmd_fua;
2928 }
2929 
2930 static const TypeInfo scsi_disk_base_info = {
2931     .name          = TYPE_SCSI_DISK_BASE,
2932     .parent        = TYPE_SCSI_DEVICE,
2933     .class_init    = scsi_disk_base_class_initfn,
2934     .instance_size = sizeof(SCSIDiskState),
2935     .class_size    = sizeof(SCSIDiskClass),
2936     .abstract      = true,
2937 };
2938 
2939 #define DEFINE_SCSI_DISK_PROPERTIES()                                   \
2940     DEFINE_PROP_DRIVE_IOTHREAD("drive", SCSIDiskState, qdev.conf.blk),  \
2941     DEFINE_BLOCK_PROPERTIES_BASE(SCSIDiskState, qdev.conf),             \
2942     DEFINE_BLOCK_ERROR_PROPERTIES(SCSIDiskState, qdev.conf),            \
2943     DEFINE_PROP_STRING("ver", SCSIDiskState, version),                  \
2944     DEFINE_PROP_STRING("serial", SCSIDiskState, serial),                \
2945     DEFINE_PROP_STRING("vendor", SCSIDiskState, vendor),                \
2946     DEFINE_PROP_STRING("product", SCSIDiskState, product),              \
2947     DEFINE_PROP_STRING("device_id", SCSIDiskState, device_id)
2948 
2949 
2950 static Property scsi_hd_properties[] = {
2951     DEFINE_SCSI_DISK_PROPERTIES(),
2952     DEFINE_PROP_BIT("removable", SCSIDiskState, features,
2953                     SCSI_DISK_F_REMOVABLE, false),
2954     DEFINE_PROP_BIT("dpofua", SCSIDiskState, features,
2955                     SCSI_DISK_F_DPOFUA, false),
2956     DEFINE_PROP_UINT64("wwn", SCSIDiskState, qdev.wwn, 0),
2957     DEFINE_PROP_UINT64("port_wwn", SCSIDiskState, qdev.port_wwn, 0),
2958     DEFINE_PROP_UINT16("port_index", SCSIDiskState, port_index, 0),
2959     DEFINE_PROP_UINT64("max_unmap_size", SCSIDiskState, max_unmap_size,
2960                        DEFAULT_MAX_UNMAP_SIZE),
2961     DEFINE_PROP_UINT64("max_io_size", SCSIDiskState, max_io_size,
2962                        DEFAULT_MAX_IO_SIZE),
2963     DEFINE_PROP_UINT16("rotation_rate", SCSIDiskState, rotation_rate, 0),
2964     DEFINE_PROP_INT32("scsi_version", SCSIDiskState, qdev.default_scsi_version,
2965                       5),
2966     DEFINE_BLOCK_CHS_PROPERTIES(SCSIDiskState, qdev.conf),
2967     DEFINE_PROP_END_OF_LIST(),
2968 };
2969 
2970 static const VMStateDescription vmstate_scsi_disk_state = {
2971     .name = "scsi-disk",
2972     .version_id = 1,
2973     .minimum_version_id = 1,
2974     .fields = (VMStateField[]) {
2975         VMSTATE_SCSI_DEVICE(qdev, SCSIDiskState),
2976         VMSTATE_BOOL(media_changed, SCSIDiskState),
2977         VMSTATE_BOOL(media_event, SCSIDiskState),
2978         VMSTATE_BOOL(eject_request, SCSIDiskState),
2979         VMSTATE_BOOL(tray_open, SCSIDiskState),
2980         VMSTATE_BOOL(tray_locked, SCSIDiskState),
2981         VMSTATE_END_OF_LIST()
2982     }
2983 };
2984 
2985 static void scsi_hd_class_initfn(ObjectClass *klass, void *data)
2986 {
2987     DeviceClass *dc = DEVICE_CLASS(klass);
2988     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
2989 
2990     sc->realize      = scsi_hd_realize;
2991     sc->alloc_req    = scsi_new_request;
2992     sc->unit_attention_reported = scsi_disk_unit_attention_reported;
2993     dc->desc = "virtual SCSI disk";
2994     dc->props = scsi_hd_properties;
2995     dc->vmsd  = &vmstate_scsi_disk_state;
2996 }
2997 
2998 static const TypeInfo scsi_hd_info = {
2999     .name          = "scsi-hd",
3000     .parent        = TYPE_SCSI_DISK_BASE,
3001     .class_init    = scsi_hd_class_initfn,
3002 };
3003 
3004 static Property scsi_cd_properties[] = {
3005     DEFINE_SCSI_DISK_PROPERTIES(),
3006     DEFINE_PROP_UINT64("wwn", SCSIDiskState, qdev.wwn, 0),
3007     DEFINE_PROP_UINT64("port_wwn", SCSIDiskState, qdev.port_wwn, 0),
3008     DEFINE_PROP_UINT16("port_index", SCSIDiskState, port_index, 0),
3009     DEFINE_PROP_UINT64("max_io_size", SCSIDiskState, max_io_size,
3010                        DEFAULT_MAX_IO_SIZE),
3011     DEFINE_PROP_INT32("scsi_version", SCSIDiskState, qdev.default_scsi_version,
3012                       5),
3013     DEFINE_PROP_END_OF_LIST(),
3014 };
3015 
3016 static void scsi_cd_class_initfn(ObjectClass *klass, void *data)
3017 {
3018     DeviceClass *dc = DEVICE_CLASS(klass);
3019     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
3020 
3021     sc->realize      = scsi_cd_realize;
3022     sc->alloc_req    = scsi_new_request;
3023     sc->unit_attention_reported = scsi_disk_unit_attention_reported;
3024     dc->desc = "virtual SCSI CD-ROM";
3025     dc->props = scsi_cd_properties;
3026     dc->vmsd  = &vmstate_scsi_disk_state;
3027 }
3028 
3029 static const TypeInfo scsi_cd_info = {
3030     .name          = "scsi-cd",
3031     .parent        = TYPE_SCSI_DISK_BASE,
3032     .class_init    = scsi_cd_class_initfn,
3033 };
3034 
3035 #ifdef __linux__
3036 static Property scsi_block_properties[] = {
3037     DEFINE_BLOCK_ERROR_PROPERTIES(SCSIDiskState, qdev.conf),         \
3038     DEFINE_PROP_DRIVE("drive", SCSIDiskState, qdev.conf.blk),
3039     DEFINE_PROP_BOOL("share-rw", SCSIDiskState, qdev.conf.share_rw, false),
3040     DEFINE_PROP_UINT16("rotation_rate", SCSIDiskState, rotation_rate, 0),
3041     DEFINE_PROP_UINT64("max_unmap_size", SCSIDiskState, max_unmap_size,
3042                        DEFAULT_MAX_UNMAP_SIZE),
3043     DEFINE_PROP_UINT64("max_io_size", SCSIDiskState, max_io_size,
3044                        DEFAULT_MAX_IO_SIZE),
3045     DEFINE_PROP_INT32("scsi_version", SCSIDiskState, qdev.default_scsi_version,
3046                       -1),
3047     DEFINE_PROP_END_OF_LIST(),
3048 };
3049 
3050 static void scsi_block_class_initfn(ObjectClass *klass, void *data)
3051 {
3052     DeviceClass *dc = DEVICE_CLASS(klass);
3053     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
3054     SCSIDiskClass *sdc = SCSI_DISK_BASE_CLASS(klass);
3055 
3056     sc->realize      = scsi_block_realize;
3057     sc->alloc_req    = scsi_block_new_request;
3058     sc->parse_cdb    = scsi_block_parse_cdb;
3059     sdc->dma_readv   = scsi_block_dma_readv;
3060     sdc->dma_writev  = scsi_block_dma_writev;
3061     sdc->need_fua_emulation = scsi_block_no_fua;
3062     dc->desc = "SCSI block device passthrough";
3063     dc->props = scsi_block_properties;
3064     dc->vmsd  = &vmstate_scsi_disk_state;
3065 }
3066 
3067 static const TypeInfo scsi_block_info = {
3068     .name          = "scsi-block",
3069     .parent        = TYPE_SCSI_DISK_BASE,
3070     .class_init    = scsi_block_class_initfn,
3071 };
3072 #endif
3073 
3074 static Property scsi_disk_properties[] = {
3075     DEFINE_SCSI_DISK_PROPERTIES(),
3076     DEFINE_PROP_BIT("removable", SCSIDiskState, features,
3077                     SCSI_DISK_F_REMOVABLE, false),
3078     DEFINE_PROP_BIT("dpofua", SCSIDiskState, features,
3079                     SCSI_DISK_F_DPOFUA, false),
3080     DEFINE_PROP_UINT64("wwn", SCSIDiskState, qdev.wwn, 0),
3081     DEFINE_PROP_UINT64("port_wwn", SCSIDiskState, qdev.port_wwn, 0),
3082     DEFINE_PROP_UINT16("port_index", SCSIDiskState, port_index, 0),
3083     DEFINE_PROP_UINT64("max_unmap_size", SCSIDiskState, max_unmap_size,
3084                        DEFAULT_MAX_UNMAP_SIZE),
3085     DEFINE_PROP_UINT64("max_io_size", SCSIDiskState, max_io_size,
3086                        DEFAULT_MAX_IO_SIZE),
3087     DEFINE_PROP_INT32("scsi_version", SCSIDiskState, qdev.default_scsi_version,
3088                       5),
3089     DEFINE_PROP_END_OF_LIST(),
3090 };
3091 
3092 static void scsi_disk_class_initfn(ObjectClass *klass, void *data)
3093 {
3094     DeviceClass *dc = DEVICE_CLASS(klass);
3095     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
3096 
3097     sc->realize      = scsi_disk_realize;
3098     sc->alloc_req    = scsi_new_request;
3099     sc->unit_attention_reported = scsi_disk_unit_attention_reported;
3100     dc->fw_name = "disk";
3101     dc->desc = "virtual SCSI disk or CD-ROM (legacy)";
3102     dc->reset = scsi_disk_reset;
3103     dc->props = scsi_disk_properties;
3104     dc->vmsd  = &vmstate_scsi_disk_state;
3105 }
3106 
3107 static const TypeInfo scsi_disk_info = {
3108     .name          = "scsi-disk",
3109     .parent        = TYPE_SCSI_DISK_BASE,
3110     .class_init    = scsi_disk_class_initfn,
3111 };
3112 
3113 static void scsi_disk_register_types(void)
3114 {
3115     type_register_static(&scsi_disk_base_info);
3116     type_register_static(&scsi_hd_info);
3117     type_register_static(&scsi_cd_info);
3118 #ifdef __linux__
3119     type_register_static(&scsi_block_info);
3120 #endif
3121     type_register_static(&scsi_disk_info);
3122 }
3123 
3124 type_init(scsi_disk_register_types)
3125