xref: /openbmc/qemu/hw/scsi/scsi-disk.c (revision a68694cd)
1 /*
2  * SCSI Device emulation
3  *
4  * Copyright (c) 2006 CodeSourcery.
5  * Based on code by Fabrice Bellard
6  *
7  * Written by Paul Brook
8  * Modifications:
9  *  2009-Dec-12 Artyom Tarasenko : implemented stamdard inquiry for the case
10  *                                 when the allocation length of CDB is smaller
11  *                                 than 36.
12  *  2009-Oct-13 Artyom Tarasenko : implemented the block descriptor in the
13  *                                 MODE SENSE response.
14  *
15  * This code is licensed under the LGPL.
16  *
17  * Note that this file only handles the SCSI architecture model and device
18  * commands.  Emulation of interface/link layer protocols is handled by
19  * the host adapter emulator.
20  */
21 
22 #include "qemu/osdep.h"
23 #include "qemu/units.h"
24 #include "qapi/error.h"
25 #include "qemu/error-report.h"
26 #include "qemu/main-loop.h"
27 #include "qemu/module.h"
28 #include "hw/scsi/scsi.h"
29 #include "migration/qemu-file-types.h"
30 #include "migration/vmstate.h"
31 #include "hw/scsi/emulation.h"
32 #include "scsi/constants.h"
33 #include "sysemu/block-backend.h"
34 #include "sysemu/blockdev.h"
35 #include "hw/block/block.h"
36 #include "hw/qdev-properties.h"
37 #include "sysemu/dma.h"
38 #include "sysemu/sysemu.h"
39 #include "qemu/cutils.h"
40 #include "trace.h"
41 #include "qom/object.h"
42 
43 #ifdef __linux
44 #include <scsi/sg.h>
45 #endif
46 
47 #define SCSI_WRITE_SAME_MAX         (512 * KiB)
48 #define SCSI_DMA_BUF_SIZE           (128 * KiB)
49 #define SCSI_MAX_INQUIRY_LEN        256
50 #define SCSI_MAX_MODE_LEN           256
51 
52 #define DEFAULT_DISCARD_GRANULARITY (4 * KiB)
53 #define DEFAULT_MAX_UNMAP_SIZE      (1 * GiB)
54 #define DEFAULT_MAX_IO_SIZE         INT_MAX     /* 2 GB - 1 block */
55 
56 #define TYPE_SCSI_DISK_BASE         "scsi-disk-base"
57 
58 typedef struct SCSIDiskClass SCSIDiskClass;
59 typedef struct SCSIDiskState SCSIDiskState;
60 DECLARE_OBJ_CHECKERS(SCSIDiskState, SCSIDiskClass,
61                      SCSI_DISK_BASE, TYPE_SCSI_DISK_BASE)
62 
63 struct SCSIDiskClass {
64     SCSIDeviceClass parent_class;
65     DMAIOFunc       *dma_readv;
66     DMAIOFunc       *dma_writev;
67     bool            (*need_fua_emulation)(SCSICommand *cmd);
68     void            (*update_sense)(SCSIRequest *r);
69 };
70 
71 typedef struct SCSIDiskReq {
72     SCSIRequest req;
73     /* Both sector and sector_count are in terms of BDRV_SECTOR_SIZE bytes.  */
74     uint64_t sector;
75     uint32_t sector_count;
76     uint32_t buflen;
77     bool started;
78     bool need_fua_emulation;
79     struct iovec iov;
80     QEMUIOVector qiov;
81     BlockAcctCookie acct;
82     unsigned char *status;
83 } SCSIDiskReq;
84 
85 #define SCSI_DISK_F_REMOVABLE             0
86 #define SCSI_DISK_F_DPOFUA                1
87 #define SCSI_DISK_F_NO_REMOVABLE_DEVOPS   2
88 
89 struct SCSIDiskState {
90     SCSIDevice qdev;
91     uint32_t features;
92     bool media_changed;
93     bool media_event;
94     bool eject_request;
95     uint16_t port_index;
96     uint64_t max_unmap_size;
97     uint64_t max_io_size;
98     QEMUBH *bh;
99     char *version;
100     char *serial;
101     char *vendor;
102     char *product;
103     char *device_id;
104     bool tray_open;
105     bool tray_locked;
106     /*
107      * 0x0000        - rotation rate not reported
108      * 0x0001        - non-rotating medium (SSD)
109      * 0x0002-0x0400 - reserved
110      * 0x0401-0xffe  - rotations per minute
111      * 0xffff        - reserved
112      */
113     uint16_t rotation_rate;
114 };
115 
116 static bool scsi_handle_rw_error(SCSIDiskReq *r, int error, bool acct_failed);
117 
118 static void scsi_free_request(SCSIRequest *req)
119 {
120     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
121 
122     qemu_vfree(r->iov.iov_base);
123 }
124 
125 /* Helper function for command completion with sense.  */
126 static void scsi_check_condition(SCSIDiskReq *r, SCSISense sense)
127 {
128     trace_scsi_disk_check_condition(r->req.tag, sense.key, sense.asc,
129                                     sense.ascq);
130     scsi_req_build_sense(&r->req, sense);
131     scsi_req_complete(&r->req, CHECK_CONDITION);
132 }
133 
134 static void scsi_init_iovec(SCSIDiskReq *r, size_t size)
135 {
136     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
137 
138     if (!r->iov.iov_base) {
139         r->buflen = size;
140         r->iov.iov_base = blk_blockalign(s->qdev.conf.blk, r->buflen);
141     }
142     r->iov.iov_len = MIN(r->sector_count * BDRV_SECTOR_SIZE, r->buflen);
143     qemu_iovec_init_external(&r->qiov, &r->iov, 1);
144 }
145 
146 static void scsi_disk_save_request(QEMUFile *f, SCSIRequest *req)
147 {
148     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
149 
150     qemu_put_be64s(f, &r->sector);
151     qemu_put_be32s(f, &r->sector_count);
152     qemu_put_be32s(f, &r->buflen);
153     if (r->buflen) {
154         if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
155             qemu_put_buffer(f, r->iov.iov_base, r->iov.iov_len);
156         } else if (!req->retry) {
157             uint32_t len = r->iov.iov_len;
158             qemu_put_be32s(f, &len);
159             qemu_put_buffer(f, r->iov.iov_base, r->iov.iov_len);
160         }
161     }
162 }
163 
164 static void scsi_disk_load_request(QEMUFile *f, SCSIRequest *req)
165 {
166     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
167 
168     qemu_get_be64s(f, &r->sector);
169     qemu_get_be32s(f, &r->sector_count);
170     qemu_get_be32s(f, &r->buflen);
171     if (r->buflen) {
172         scsi_init_iovec(r, r->buflen);
173         if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
174             qemu_get_buffer(f, r->iov.iov_base, r->iov.iov_len);
175         } else if (!r->req.retry) {
176             uint32_t len;
177             qemu_get_be32s(f, &len);
178             r->iov.iov_len = len;
179             assert(r->iov.iov_len <= r->buflen);
180             qemu_get_buffer(f, r->iov.iov_base, r->iov.iov_len);
181         }
182     }
183 
184     qemu_iovec_init_external(&r->qiov, &r->iov, 1);
185 }
186 
187 static bool scsi_disk_req_check_error(SCSIDiskReq *r, int ret, bool acct_failed)
188 {
189     if (r->req.io_canceled) {
190         scsi_req_cancel_complete(&r->req);
191         return true;
192     }
193 
194     if (ret < 0 || (r->status && *r->status)) {
195         return scsi_handle_rw_error(r, -ret, acct_failed);
196     }
197 
198     return false;
199 }
200 
201 static void scsi_aio_complete(void *opaque, int ret)
202 {
203     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
204     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
205 
206     assert(r->req.aiocb != NULL);
207     r->req.aiocb = NULL;
208     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
209     if (scsi_disk_req_check_error(r, ret, true)) {
210         goto done;
211     }
212 
213     block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
214     scsi_req_complete(&r->req, GOOD);
215 
216 done:
217     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
218     scsi_req_unref(&r->req);
219 }
220 
221 static bool scsi_is_cmd_fua(SCSICommand *cmd)
222 {
223     switch (cmd->buf[0]) {
224     case READ_10:
225     case READ_12:
226     case READ_16:
227     case WRITE_10:
228     case WRITE_12:
229     case WRITE_16:
230         return (cmd->buf[1] & 8) != 0;
231 
232     case VERIFY_10:
233     case VERIFY_12:
234     case VERIFY_16:
235     case WRITE_VERIFY_10:
236     case WRITE_VERIFY_12:
237     case WRITE_VERIFY_16:
238         return true;
239 
240     case READ_6:
241     case WRITE_6:
242     default:
243         return false;
244     }
245 }
246 
247 static void scsi_write_do_fua(SCSIDiskReq *r)
248 {
249     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
250 
251     assert(r->req.aiocb == NULL);
252     assert(!r->req.io_canceled);
253 
254     if (r->need_fua_emulation) {
255         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct, 0,
256                          BLOCK_ACCT_FLUSH);
257         r->req.aiocb = blk_aio_flush(s->qdev.conf.blk, scsi_aio_complete, r);
258         return;
259     }
260 
261     scsi_req_complete(&r->req, GOOD);
262     scsi_req_unref(&r->req);
263 }
264 
265 static void scsi_dma_complete_noio(SCSIDiskReq *r, int ret)
266 {
267     assert(r->req.aiocb == NULL);
268     if (scsi_disk_req_check_error(r, ret, false)) {
269         goto done;
270     }
271 
272     r->sector += r->sector_count;
273     r->sector_count = 0;
274     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
275         scsi_write_do_fua(r);
276         return;
277     } else {
278         scsi_req_complete(&r->req, GOOD);
279     }
280 
281 done:
282     scsi_req_unref(&r->req);
283 }
284 
285 static void scsi_dma_complete(void *opaque, int ret)
286 {
287     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
288     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
289 
290     assert(r->req.aiocb != NULL);
291     r->req.aiocb = NULL;
292 
293     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
294     if (ret < 0) {
295         block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
296     } else {
297         block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
298     }
299     scsi_dma_complete_noio(r, ret);
300     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
301 }
302 
303 static void scsi_read_complete_noio(SCSIDiskReq *r, int ret)
304 {
305     uint32_t n;
306 
307     assert(r->req.aiocb == NULL);
308     if (scsi_disk_req_check_error(r, ret, false)) {
309         goto done;
310     }
311 
312     n = r->qiov.size / BDRV_SECTOR_SIZE;
313     r->sector += n;
314     r->sector_count -= n;
315     scsi_req_data(&r->req, r->qiov.size);
316 
317 done:
318     scsi_req_unref(&r->req);
319 }
320 
321 static void scsi_read_complete(void *opaque, int ret)
322 {
323     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
324     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
325 
326     assert(r->req.aiocb != NULL);
327     r->req.aiocb = NULL;
328 
329     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
330     if (ret < 0) {
331         block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
332     } else {
333         block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
334         trace_scsi_disk_read_complete(r->req.tag, r->qiov.size);
335     }
336     scsi_read_complete_noio(r, ret);
337     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
338 }
339 
340 /* Actually issue a read to the block device.  */
341 static void scsi_do_read(SCSIDiskReq *r, int ret)
342 {
343     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
344     SCSIDiskClass *sdc = (SCSIDiskClass *) object_get_class(OBJECT(s));
345 
346     assert (r->req.aiocb == NULL);
347     if (scsi_disk_req_check_error(r, ret, false)) {
348         goto done;
349     }
350 
351     /* The request is used as the AIO opaque value, so add a ref.  */
352     scsi_req_ref(&r->req);
353 
354     if (r->req.sg) {
355         dma_acct_start(s->qdev.conf.blk, &r->acct, r->req.sg, BLOCK_ACCT_READ);
356         r->req.resid -= r->req.sg->size;
357         r->req.aiocb = dma_blk_io(blk_get_aio_context(s->qdev.conf.blk),
358                                   r->req.sg, r->sector << BDRV_SECTOR_BITS,
359                                   BDRV_SECTOR_SIZE,
360                                   sdc->dma_readv, r, scsi_dma_complete, r,
361                                   DMA_DIRECTION_FROM_DEVICE);
362     } else {
363         scsi_init_iovec(r, SCSI_DMA_BUF_SIZE);
364         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
365                          r->qiov.size, BLOCK_ACCT_READ);
366         r->req.aiocb = sdc->dma_readv(r->sector << BDRV_SECTOR_BITS, &r->qiov,
367                                       scsi_read_complete, r, r);
368     }
369 
370 done:
371     scsi_req_unref(&r->req);
372 }
373 
374 static void scsi_do_read_cb(void *opaque, int ret)
375 {
376     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
377     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
378 
379     assert (r->req.aiocb != NULL);
380     r->req.aiocb = NULL;
381 
382     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
383     if (ret < 0) {
384         block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
385     } else {
386         block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
387     }
388     scsi_do_read(opaque, ret);
389     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
390 }
391 
392 /* Read more data from scsi device into buffer.  */
393 static void scsi_read_data(SCSIRequest *req)
394 {
395     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
396     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
397     bool first;
398 
399     trace_scsi_disk_read_data_count(r->sector_count);
400     if (r->sector_count == 0) {
401         /* This also clears the sense buffer for REQUEST SENSE.  */
402         scsi_req_complete(&r->req, GOOD);
403         return;
404     }
405 
406     /* No data transfer may already be in progress */
407     assert(r->req.aiocb == NULL);
408 
409     /* The request is used as the AIO opaque value, so add a ref.  */
410     scsi_req_ref(&r->req);
411     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
412         trace_scsi_disk_read_data_invalid();
413         scsi_read_complete_noio(r, -EINVAL);
414         return;
415     }
416 
417     if (!blk_is_available(req->dev->conf.blk)) {
418         scsi_read_complete_noio(r, -ENOMEDIUM);
419         return;
420     }
421 
422     first = !r->started;
423     r->started = true;
424     if (first && r->need_fua_emulation) {
425         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct, 0,
426                          BLOCK_ACCT_FLUSH);
427         r->req.aiocb = blk_aio_flush(s->qdev.conf.blk, scsi_do_read_cb, r);
428     } else {
429         scsi_do_read(r, 0);
430     }
431 }
432 
433 /*
434  * scsi_handle_rw_error has two return values.  False means that the error
435  * must be ignored, true means that the error has been processed and the
436  * caller should not do anything else for this request.  Note that
437  * scsi_handle_rw_error always manages its reference counts, independent
438  * of the return value.
439  */
440 static bool scsi_handle_rw_error(SCSIDiskReq *r, int error, bool acct_failed)
441 {
442     bool is_read = (r->req.cmd.mode == SCSI_XFER_FROM_DEV);
443     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
444     SCSIDiskClass *sdc = (SCSIDiskClass *) object_get_class(OBJECT(s));
445     BlockErrorAction action = blk_get_error_action(s->qdev.conf.blk,
446                                                    is_read, error);
447 
448     if (action == BLOCK_ERROR_ACTION_REPORT) {
449         if (acct_failed) {
450             block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
451         }
452         switch (error) {
453         case 0:
454             /* A passthrough command has run and has produced sense data; check
455              * whether the error has to be handled by the guest or should rather
456              * pause the host.
457              */
458             assert(r->status && *r->status);
459             if (scsi_sense_buf_is_guest_recoverable(r->req.sense, sizeof(r->req.sense))) {
460                 /* These errors are handled by guest. */
461                 sdc->update_sense(&r->req);
462                 scsi_req_complete(&r->req, *r->status);
463                 return true;
464             }
465             error = scsi_sense_buf_to_errno(r->req.sense, sizeof(r->req.sense));
466             break;
467         case ENOMEDIUM:
468             scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
469             break;
470         case ENOMEM:
471             scsi_check_condition(r, SENSE_CODE(TARGET_FAILURE));
472             break;
473         case EINVAL:
474             scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
475             break;
476         case ENOSPC:
477             scsi_check_condition(r, SENSE_CODE(SPACE_ALLOC_FAILED));
478             break;
479         default:
480             scsi_check_condition(r, SENSE_CODE(IO_ERROR));
481             break;
482         }
483     }
484 
485     blk_error_action(s->qdev.conf.blk, action, is_read, error);
486     if (action == BLOCK_ERROR_ACTION_IGNORE) {
487         scsi_req_complete(&r->req, 0);
488         return true;
489     }
490 
491     if (action == BLOCK_ERROR_ACTION_STOP) {
492         scsi_req_retry(&r->req);
493     }
494     return true;
495 }
496 
497 static void scsi_write_complete_noio(SCSIDiskReq *r, int ret)
498 {
499     uint32_t n;
500 
501     assert (r->req.aiocb == NULL);
502     if (scsi_disk_req_check_error(r, ret, false)) {
503         goto done;
504     }
505 
506     n = r->qiov.size / BDRV_SECTOR_SIZE;
507     r->sector += n;
508     r->sector_count -= n;
509     if (r->sector_count == 0) {
510         scsi_write_do_fua(r);
511         return;
512     } else {
513         scsi_init_iovec(r, SCSI_DMA_BUF_SIZE);
514         trace_scsi_disk_write_complete_noio(r->req.tag, r->qiov.size);
515         scsi_req_data(&r->req, r->qiov.size);
516     }
517 
518 done:
519     scsi_req_unref(&r->req);
520 }
521 
522 static void scsi_write_complete(void * opaque, int ret)
523 {
524     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
525     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
526 
527     assert (r->req.aiocb != NULL);
528     r->req.aiocb = NULL;
529 
530     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
531     if (ret < 0) {
532         block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
533     } else {
534         block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
535     }
536     scsi_write_complete_noio(r, ret);
537     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
538 }
539 
540 static void scsi_write_data(SCSIRequest *req)
541 {
542     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
543     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
544     SCSIDiskClass *sdc = (SCSIDiskClass *) object_get_class(OBJECT(s));
545 
546     /* No data transfer may already be in progress */
547     assert(r->req.aiocb == NULL);
548 
549     /* The request is used as the AIO opaque value, so add a ref.  */
550     scsi_req_ref(&r->req);
551     if (r->req.cmd.mode != SCSI_XFER_TO_DEV) {
552         trace_scsi_disk_write_data_invalid();
553         scsi_write_complete_noio(r, -EINVAL);
554         return;
555     }
556 
557     if (!r->req.sg && !r->qiov.size) {
558         /* Called for the first time.  Ask the driver to send us more data.  */
559         r->started = true;
560         scsi_write_complete_noio(r, 0);
561         return;
562     }
563     if (!blk_is_available(req->dev->conf.blk)) {
564         scsi_write_complete_noio(r, -ENOMEDIUM);
565         return;
566     }
567 
568     if (r->req.cmd.buf[0] == VERIFY_10 || r->req.cmd.buf[0] == VERIFY_12 ||
569         r->req.cmd.buf[0] == VERIFY_16) {
570         if (r->req.sg) {
571             scsi_dma_complete_noio(r, 0);
572         } else {
573             scsi_write_complete_noio(r, 0);
574         }
575         return;
576     }
577 
578     if (r->req.sg) {
579         dma_acct_start(s->qdev.conf.blk, &r->acct, r->req.sg, BLOCK_ACCT_WRITE);
580         r->req.resid -= r->req.sg->size;
581         r->req.aiocb = dma_blk_io(blk_get_aio_context(s->qdev.conf.blk),
582                                   r->req.sg, r->sector << BDRV_SECTOR_BITS,
583                                   BDRV_SECTOR_SIZE,
584                                   sdc->dma_writev, r, scsi_dma_complete, r,
585                                   DMA_DIRECTION_TO_DEVICE);
586     } else {
587         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
588                          r->qiov.size, BLOCK_ACCT_WRITE);
589         r->req.aiocb = sdc->dma_writev(r->sector << BDRV_SECTOR_BITS, &r->qiov,
590                                        scsi_write_complete, r, r);
591     }
592 }
593 
594 /* Return a pointer to the data buffer.  */
595 static uint8_t *scsi_get_buf(SCSIRequest *req)
596 {
597     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
598 
599     return (uint8_t *)r->iov.iov_base;
600 }
601 
602 static int scsi_disk_emulate_vpd_page(SCSIRequest *req, uint8_t *outbuf)
603 {
604     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
605     uint8_t page_code = req->cmd.buf[2];
606     int start, buflen = 0;
607 
608     outbuf[buflen++] = s->qdev.type & 0x1f;
609     outbuf[buflen++] = page_code;
610     outbuf[buflen++] = 0x00;
611     outbuf[buflen++] = 0x00;
612     start = buflen;
613 
614     switch (page_code) {
615     case 0x00: /* Supported page codes, mandatory */
616     {
617         trace_scsi_disk_emulate_vpd_page_00(req->cmd.xfer);
618         outbuf[buflen++] = 0x00; /* list of supported pages (this page) */
619         if (s->serial) {
620             outbuf[buflen++] = 0x80; /* unit serial number */
621         }
622         outbuf[buflen++] = 0x83; /* device identification */
623         if (s->qdev.type == TYPE_DISK) {
624             outbuf[buflen++] = 0xb0; /* block limits */
625             outbuf[buflen++] = 0xb1; /* block device characteristics */
626             outbuf[buflen++] = 0xb2; /* thin provisioning */
627         }
628         break;
629     }
630     case 0x80: /* Device serial number, optional */
631     {
632         int l;
633 
634         if (!s->serial) {
635             trace_scsi_disk_emulate_vpd_page_80_not_supported();
636             return -1;
637         }
638 
639         l = strlen(s->serial);
640         if (l > 36) {
641             l = 36;
642         }
643 
644         trace_scsi_disk_emulate_vpd_page_80(req->cmd.xfer);
645         memcpy(outbuf + buflen, s->serial, l);
646         buflen += l;
647         break;
648     }
649 
650     case 0x83: /* Device identification page, mandatory */
651     {
652         int id_len = s->device_id ? MIN(strlen(s->device_id), 255 - 8) : 0;
653 
654         trace_scsi_disk_emulate_vpd_page_83(req->cmd.xfer);
655 
656         if (id_len) {
657             outbuf[buflen++] = 0x2; /* ASCII */
658             outbuf[buflen++] = 0;   /* not officially assigned */
659             outbuf[buflen++] = 0;   /* reserved */
660             outbuf[buflen++] = id_len; /* length of data following */
661             memcpy(outbuf + buflen, s->device_id, id_len);
662             buflen += id_len;
663         }
664 
665         if (s->qdev.wwn) {
666             outbuf[buflen++] = 0x1; /* Binary */
667             outbuf[buflen++] = 0x3; /* NAA */
668             outbuf[buflen++] = 0;   /* reserved */
669             outbuf[buflen++] = 8;
670             stq_be_p(&outbuf[buflen], s->qdev.wwn);
671             buflen += 8;
672         }
673 
674         if (s->qdev.port_wwn) {
675             outbuf[buflen++] = 0x61; /* SAS / Binary */
676             outbuf[buflen++] = 0x93; /* PIV / Target port / NAA */
677             outbuf[buflen++] = 0;    /* reserved */
678             outbuf[buflen++] = 8;
679             stq_be_p(&outbuf[buflen], s->qdev.port_wwn);
680             buflen += 8;
681         }
682 
683         if (s->port_index) {
684             outbuf[buflen++] = 0x61; /* SAS / Binary */
685 
686             /* PIV/Target port/relative target port */
687             outbuf[buflen++] = 0x94;
688 
689             outbuf[buflen++] = 0;    /* reserved */
690             outbuf[buflen++] = 4;
691             stw_be_p(&outbuf[buflen + 2], s->port_index);
692             buflen += 4;
693         }
694         break;
695     }
696     case 0xb0: /* block limits */
697     {
698         SCSIBlockLimits bl = {};
699 
700         if (s->qdev.type == TYPE_ROM) {
701             trace_scsi_disk_emulate_vpd_page_b0_not_supported();
702             return -1;
703         }
704         bl.wsnz = 1;
705         bl.unmap_sectors =
706             s->qdev.conf.discard_granularity / s->qdev.blocksize;
707         bl.min_io_size =
708             s->qdev.conf.min_io_size / s->qdev.blocksize;
709         bl.opt_io_size =
710             s->qdev.conf.opt_io_size / s->qdev.blocksize;
711         bl.max_unmap_sectors =
712             s->max_unmap_size / s->qdev.blocksize;
713         bl.max_io_sectors =
714             s->max_io_size / s->qdev.blocksize;
715         /* 255 descriptors fit in 4 KiB with an 8-byte header */
716         bl.max_unmap_descr = 255;
717 
718         if (s->qdev.type == TYPE_DISK) {
719             int max_transfer_blk = blk_get_max_transfer(s->qdev.conf.blk);
720             int max_io_sectors_blk =
721                 max_transfer_blk / s->qdev.blocksize;
722 
723             bl.max_io_sectors =
724                 MIN_NON_ZERO(max_io_sectors_blk, bl.max_io_sectors);
725         }
726         buflen += scsi_emulate_block_limits(outbuf + buflen, &bl);
727         break;
728     }
729     case 0xb1: /* block device characteristics */
730     {
731         buflen = 0x40;
732         outbuf[4] = (s->rotation_rate >> 8) & 0xff;
733         outbuf[5] = s->rotation_rate & 0xff;
734         outbuf[6] = 0; /* PRODUCT TYPE */
735         outbuf[7] = 0; /* WABEREQ | WACEREQ | NOMINAL FORM FACTOR */
736         outbuf[8] = 0; /* VBULS */
737         break;
738     }
739     case 0xb2: /* thin provisioning */
740     {
741         buflen = 8;
742         outbuf[4] = 0;
743         outbuf[5] = 0xe0; /* unmap & write_same 10/16 all supported */
744         outbuf[6] = s->qdev.conf.discard_granularity ? 2 : 1;
745         outbuf[7] = 0;
746         break;
747     }
748     default:
749         return -1;
750     }
751     /* done with EVPD */
752     assert(buflen - start <= 255);
753     outbuf[start - 1] = buflen - start;
754     return buflen;
755 }
756 
757 static int scsi_disk_emulate_inquiry(SCSIRequest *req, uint8_t *outbuf)
758 {
759     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
760     int buflen = 0;
761 
762     if (req->cmd.buf[1] & 0x1) {
763         /* Vital product data */
764         return scsi_disk_emulate_vpd_page(req, outbuf);
765     }
766 
767     /* Standard INQUIRY data */
768     if (req->cmd.buf[2] != 0) {
769         return -1;
770     }
771 
772     /* PAGE CODE == 0 */
773     buflen = req->cmd.xfer;
774     if (buflen > SCSI_MAX_INQUIRY_LEN) {
775         buflen = SCSI_MAX_INQUIRY_LEN;
776     }
777 
778     outbuf[0] = s->qdev.type & 0x1f;
779     outbuf[1] = (s->features & (1 << SCSI_DISK_F_REMOVABLE)) ? 0x80 : 0;
780 
781     strpadcpy((char *) &outbuf[16], 16, s->product, ' ');
782     strpadcpy((char *) &outbuf[8], 8, s->vendor, ' ');
783 
784     memset(&outbuf[32], 0, 4);
785     memcpy(&outbuf[32], s->version, MIN(4, strlen(s->version)));
786     /*
787      * We claim conformance to SPC-3, which is required for guests
788      * to ask for modern features like READ CAPACITY(16) or the
789      * block characteristics VPD page by default.  Not all of SPC-3
790      * is actually implemented, but we're good enough.
791      */
792     outbuf[2] = s->qdev.default_scsi_version;
793     outbuf[3] = 2 | 0x10; /* Format 2, HiSup */
794 
795     if (buflen > 36) {
796         outbuf[4] = buflen - 5; /* Additional Length = (Len - 1) - 4 */
797     } else {
798         /* If the allocation length of CDB is too small,
799                the additional length is not adjusted */
800         outbuf[4] = 36 - 5;
801     }
802 
803     /* Sync data transfer and TCQ.  */
804     outbuf[7] = 0x10 | (req->bus->info->tcq ? 0x02 : 0);
805     return buflen;
806 }
807 
808 static inline bool media_is_dvd(SCSIDiskState *s)
809 {
810     uint64_t nb_sectors;
811     if (s->qdev.type != TYPE_ROM) {
812         return false;
813     }
814     if (!blk_is_available(s->qdev.conf.blk)) {
815         return false;
816     }
817     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
818     return nb_sectors > CD_MAX_SECTORS;
819 }
820 
821 static inline bool media_is_cd(SCSIDiskState *s)
822 {
823     uint64_t nb_sectors;
824     if (s->qdev.type != TYPE_ROM) {
825         return false;
826     }
827     if (!blk_is_available(s->qdev.conf.blk)) {
828         return false;
829     }
830     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
831     return nb_sectors <= CD_MAX_SECTORS;
832 }
833 
834 static int scsi_read_disc_information(SCSIDiskState *s, SCSIDiskReq *r,
835                                       uint8_t *outbuf)
836 {
837     uint8_t type = r->req.cmd.buf[1] & 7;
838 
839     if (s->qdev.type != TYPE_ROM) {
840         return -1;
841     }
842 
843     /* Types 1/2 are only defined for Blu-Ray.  */
844     if (type != 0) {
845         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
846         return -1;
847     }
848 
849     memset(outbuf, 0, 34);
850     outbuf[1] = 32;
851     outbuf[2] = 0xe; /* last session complete, disc finalized */
852     outbuf[3] = 1;   /* first track on disc */
853     outbuf[4] = 1;   /* # of sessions */
854     outbuf[5] = 1;   /* first track of last session */
855     outbuf[6] = 1;   /* last track of last session */
856     outbuf[7] = 0x20; /* unrestricted use */
857     outbuf[8] = 0x00; /* CD-ROM or DVD-ROM */
858     /* 9-10-11: most significant byte corresponding bytes 4-5-6 */
859     /* 12-23: not meaningful for CD-ROM or DVD-ROM */
860     /* 24-31: disc bar code */
861     /* 32: disc application code */
862     /* 33: number of OPC tables */
863 
864     return 34;
865 }
866 
867 static int scsi_read_dvd_structure(SCSIDiskState *s, SCSIDiskReq *r,
868                                    uint8_t *outbuf)
869 {
870     static const int rds_caps_size[5] = {
871         [0] = 2048 + 4,
872         [1] = 4 + 4,
873         [3] = 188 + 4,
874         [4] = 2048 + 4,
875     };
876 
877     uint8_t media = r->req.cmd.buf[1];
878     uint8_t layer = r->req.cmd.buf[6];
879     uint8_t format = r->req.cmd.buf[7];
880     int size = -1;
881 
882     if (s->qdev.type != TYPE_ROM) {
883         return -1;
884     }
885     if (media != 0) {
886         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
887         return -1;
888     }
889 
890     if (format != 0xff) {
891         if (!blk_is_available(s->qdev.conf.blk)) {
892             scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
893             return -1;
894         }
895         if (media_is_cd(s)) {
896             scsi_check_condition(r, SENSE_CODE(INCOMPATIBLE_FORMAT));
897             return -1;
898         }
899         if (format >= ARRAY_SIZE(rds_caps_size)) {
900             return -1;
901         }
902         size = rds_caps_size[format];
903         memset(outbuf, 0, size);
904     }
905 
906     switch (format) {
907     case 0x00: {
908         /* Physical format information */
909         uint64_t nb_sectors;
910         if (layer != 0) {
911             goto fail;
912         }
913         blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
914 
915         outbuf[4] = 1;   /* DVD-ROM, part version 1 */
916         outbuf[5] = 0xf; /* 120mm disc, minimum rate unspecified */
917         outbuf[6] = 1;   /* one layer, read-only (per MMC-2 spec) */
918         outbuf[7] = 0;   /* default densities */
919 
920         stl_be_p(&outbuf[12], (nb_sectors >> 2) - 1); /* end sector */
921         stl_be_p(&outbuf[16], (nb_sectors >> 2) - 1); /* l0 end sector */
922         break;
923     }
924 
925     case 0x01: /* DVD copyright information, all zeros */
926         break;
927 
928     case 0x03: /* BCA information - invalid field for no BCA info */
929         return -1;
930 
931     case 0x04: /* DVD disc manufacturing information, all zeros */
932         break;
933 
934     case 0xff: { /* List capabilities */
935         int i;
936         size = 4;
937         for (i = 0; i < ARRAY_SIZE(rds_caps_size); i++) {
938             if (!rds_caps_size[i]) {
939                 continue;
940             }
941             outbuf[size] = i;
942             outbuf[size + 1] = 0x40; /* Not writable, readable */
943             stw_be_p(&outbuf[size + 2], rds_caps_size[i]);
944             size += 4;
945         }
946         break;
947      }
948 
949     default:
950         return -1;
951     }
952 
953     /* Size of buffer, not including 2 byte size field */
954     stw_be_p(outbuf, size - 2);
955     return size;
956 
957 fail:
958     return -1;
959 }
960 
961 static int scsi_event_status_media(SCSIDiskState *s, uint8_t *outbuf)
962 {
963     uint8_t event_code, media_status;
964 
965     media_status = 0;
966     if (s->tray_open) {
967         media_status = MS_TRAY_OPEN;
968     } else if (blk_is_inserted(s->qdev.conf.blk)) {
969         media_status = MS_MEDIA_PRESENT;
970     }
971 
972     /* Event notification descriptor */
973     event_code = MEC_NO_CHANGE;
974     if (media_status != MS_TRAY_OPEN) {
975         if (s->media_event) {
976             event_code = MEC_NEW_MEDIA;
977             s->media_event = false;
978         } else if (s->eject_request) {
979             event_code = MEC_EJECT_REQUESTED;
980             s->eject_request = false;
981         }
982     }
983 
984     outbuf[0] = event_code;
985     outbuf[1] = media_status;
986 
987     /* These fields are reserved, just clear them. */
988     outbuf[2] = 0;
989     outbuf[3] = 0;
990     return 4;
991 }
992 
993 static int scsi_get_event_status_notification(SCSIDiskState *s, SCSIDiskReq *r,
994                                               uint8_t *outbuf)
995 {
996     int size;
997     uint8_t *buf = r->req.cmd.buf;
998     uint8_t notification_class_request = buf[4];
999     if (s->qdev.type != TYPE_ROM) {
1000         return -1;
1001     }
1002     if ((buf[1] & 1) == 0) {
1003         /* asynchronous */
1004         return -1;
1005     }
1006 
1007     size = 4;
1008     outbuf[0] = outbuf[1] = 0;
1009     outbuf[3] = 1 << GESN_MEDIA; /* supported events */
1010     if (notification_class_request & (1 << GESN_MEDIA)) {
1011         outbuf[2] = GESN_MEDIA;
1012         size += scsi_event_status_media(s, &outbuf[size]);
1013     } else {
1014         outbuf[2] = 0x80;
1015     }
1016     stw_be_p(outbuf, size - 4);
1017     return size;
1018 }
1019 
1020 static int scsi_get_configuration(SCSIDiskState *s, uint8_t *outbuf)
1021 {
1022     int current;
1023 
1024     if (s->qdev.type != TYPE_ROM) {
1025         return -1;
1026     }
1027 
1028     if (media_is_dvd(s)) {
1029         current = MMC_PROFILE_DVD_ROM;
1030     } else if (media_is_cd(s)) {
1031         current = MMC_PROFILE_CD_ROM;
1032     } else {
1033         current = MMC_PROFILE_NONE;
1034     }
1035 
1036     memset(outbuf, 0, 40);
1037     stl_be_p(&outbuf[0], 36); /* Bytes after the data length field */
1038     stw_be_p(&outbuf[6], current);
1039     /* outbuf[8] - outbuf[19]: Feature 0 - Profile list */
1040     outbuf[10] = 0x03; /* persistent, current */
1041     outbuf[11] = 8; /* two profiles */
1042     stw_be_p(&outbuf[12], MMC_PROFILE_DVD_ROM);
1043     outbuf[14] = (current == MMC_PROFILE_DVD_ROM);
1044     stw_be_p(&outbuf[16], MMC_PROFILE_CD_ROM);
1045     outbuf[18] = (current == MMC_PROFILE_CD_ROM);
1046     /* outbuf[20] - outbuf[31]: Feature 1 - Core feature */
1047     stw_be_p(&outbuf[20], 1);
1048     outbuf[22] = 0x08 | 0x03; /* version 2, persistent, current */
1049     outbuf[23] = 8;
1050     stl_be_p(&outbuf[24], 1); /* SCSI */
1051     outbuf[28] = 1; /* DBE = 1, mandatory */
1052     /* outbuf[32] - outbuf[39]: Feature 3 - Removable media feature */
1053     stw_be_p(&outbuf[32], 3);
1054     outbuf[34] = 0x08 | 0x03; /* version 2, persistent, current */
1055     outbuf[35] = 4;
1056     outbuf[36] = 0x39; /* tray, load=1, eject=1, unlocked at powerup, lock=1 */
1057     /* TODO: Random readable, CD read, DVD read, drive serial number,
1058        power management */
1059     return 40;
1060 }
1061 
1062 static int scsi_emulate_mechanism_status(SCSIDiskState *s, uint8_t *outbuf)
1063 {
1064     if (s->qdev.type != TYPE_ROM) {
1065         return -1;
1066     }
1067     memset(outbuf, 0, 8);
1068     outbuf[5] = 1; /* CD-ROM */
1069     return 8;
1070 }
1071 
1072 static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf,
1073                            int page_control)
1074 {
1075     static const int mode_sense_valid[0x3f] = {
1076         [MODE_PAGE_HD_GEOMETRY]            = (1 << TYPE_DISK),
1077         [MODE_PAGE_FLEXIBLE_DISK_GEOMETRY] = (1 << TYPE_DISK),
1078         [MODE_PAGE_CACHING]                = (1 << TYPE_DISK) | (1 << TYPE_ROM),
1079         [MODE_PAGE_R_W_ERROR]              = (1 << TYPE_DISK) | (1 << TYPE_ROM),
1080         [MODE_PAGE_AUDIO_CTL]              = (1 << TYPE_ROM),
1081         [MODE_PAGE_CAPABILITIES]           = (1 << TYPE_ROM),
1082     };
1083 
1084     uint8_t *p = *p_outbuf + 2;
1085     int length;
1086 
1087     if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) {
1088         return -1;
1089     }
1090 
1091     /*
1092      * If Changeable Values are requested, a mask denoting those mode parameters
1093      * that are changeable shall be returned. As we currently don't support
1094      * parameter changes via MODE_SELECT all bits are returned set to zero.
1095      * The buffer was already menset to zero by the caller of this function.
1096      *
1097      * The offsets here are off by two compared to the descriptions in the
1098      * SCSI specs, because those include a 2-byte header.  This is unfortunate,
1099      * but it is done so that offsets are consistent within our implementation
1100      * of MODE SENSE and MODE SELECT.  MODE SELECT has to deal with both
1101      * 2-byte and 4-byte headers.
1102      */
1103     switch (page) {
1104     case MODE_PAGE_HD_GEOMETRY:
1105         length = 0x16;
1106         if (page_control == 1) { /* Changeable Values */
1107             break;
1108         }
1109         /* if a geometry hint is available, use it */
1110         p[0] = (s->qdev.conf.cyls >> 16) & 0xff;
1111         p[1] = (s->qdev.conf.cyls >> 8) & 0xff;
1112         p[2] = s->qdev.conf.cyls & 0xff;
1113         p[3] = s->qdev.conf.heads & 0xff;
1114         /* Write precomp start cylinder, disabled */
1115         p[4] = (s->qdev.conf.cyls >> 16) & 0xff;
1116         p[5] = (s->qdev.conf.cyls >> 8) & 0xff;
1117         p[6] = s->qdev.conf.cyls & 0xff;
1118         /* Reduced current start cylinder, disabled */
1119         p[7] = (s->qdev.conf.cyls >> 16) & 0xff;
1120         p[8] = (s->qdev.conf.cyls >> 8) & 0xff;
1121         p[9] = s->qdev.conf.cyls & 0xff;
1122         /* Device step rate [ns], 200ns */
1123         p[10] = 0;
1124         p[11] = 200;
1125         /* Landing zone cylinder */
1126         p[12] = 0xff;
1127         p[13] =  0xff;
1128         p[14] = 0xff;
1129         /* Medium rotation rate [rpm], 5400 rpm */
1130         p[18] = (5400 >> 8) & 0xff;
1131         p[19] = 5400 & 0xff;
1132         break;
1133 
1134     case MODE_PAGE_FLEXIBLE_DISK_GEOMETRY:
1135         length = 0x1e;
1136         if (page_control == 1) { /* Changeable Values */
1137             break;
1138         }
1139         /* Transfer rate [kbit/s], 5Mbit/s */
1140         p[0] = 5000 >> 8;
1141         p[1] = 5000 & 0xff;
1142         /* if a geometry hint is available, use it */
1143         p[2] = s->qdev.conf.heads & 0xff;
1144         p[3] = s->qdev.conf.secs & 0xff;
1145         p[4] = s->qdev.blocksize >> 8;
1146         p[6] = (s->qdev.conf.cyls >> 8) & 0xff;
1147         p[7] = s->qdev.conf.cyls & 0xff;
1148         /* Write precomp start cylinder, disabled */
1149         p[8] = (s->qdev.conf.cyls >> 8) & 0xff;
1150         p[9] = s->qdev.conf.cyls & 0xff;
1151         /* Reduced current start cylinder, disabled */
1152         p[10] = (s->qdev.conf.cyls >> 8) & 0xff;
1153         p[11] = s->qdev.conf.cyls & 0xff;
1154         /* Device step rate [100us], 100us */
1155         p[12] = 0;
1156         p[13] = 1;
1157         /* Device step pulse width [us], 1us */
1158         p[14] = 1;
1159         /* Device head settle delay [100us], 100us */
1160         p[15] = 0;
1161         p[16] = 1;
1162         /* Motor on delay [0.1s], 0.1s */
1163         p[17] = 1;
1164         /* Motor off delay [0.1s], 0.1s */
1165         p[18] = 1;
1166         /* Medium rotation rate [rpm], 5400 rpm */
1167         p[26] = (5400 >> 8) & 0xff;
1168         p[27] = 5400 & 0xff;
1169         break;
1170 
1171     case MODE_PAGE_CACHING:
1172         length = 0x12;
1173         if (page_control == 1 || /* Changeable Values */
1174             blk_enable_write_cache(s->qdev.conf.blk)) {
1175             p[0] = 4; /* WCE */
1176         }
1177         break;
1178 
1179     case MODE_PAGE_R_W_ERROR:
1180         length = 10;
1181         if (page_control == 1) { /* Changeable Values */
1182             break;
1183         }
1184         p[0] = 0x80; /* Automatic Write Reallocation Enabled */
1185         if (s->qdev.type == TYPE_ROM) {
1186             p[1] = 0x20; /* Read Retry Count */
1187         }
1188         break;
1189 
1190     case MODE_PAGE_AUDIO_CTL:
1191         length = 14;
1192         break;
1193 
1194     case MODE_PAGE_CAPABILITIES:
1195         length = 0x14;
1196         if (page_control == 1) { /* Changeable Values */
1197             break;
1198         }
1199 
1200         p[0] = 0x3b; /* CD-R & CD-RW read */
1201         p[1] = 0; /* Writing not supported */
1202         p[2] = 0x7f; /* Audio, composite, digital out,
1203                         mode 2 form 1&2, multi session */
1204         p[3] = 0xff; /* CD DA, DA accurate, RW supported,
1205                         RW corrected, C2 errors, ISRC,
1206                         UPC, Bar code */
1207         p[4] = 0x2d | (s->tray_locked ? 2 : 0);
1208         /* Locking supported, jumper present, eject, tray */
1209         p[5] = 0; /* no volume & mute control, no
1210                      changer */
1211         p[6] = (50 * 176) >> 8; /* 50x read speed */
1212         p[7] = (50 * 176) & 0xff;
1213         p[8] = 2 >> 8; /* Two volume levels */
1214         p[9] = 2 & 0xff;
1215         p[10] = 2048 >> 8; /* 2M buffer */
1216         p[11] = 2048 & 0xff;
1217         p[12] = (16 * 176) >> 8; /* 16x read speed current */
1218         p[13] = (16 * 176) & 0xff;
1219         p[16] = (16 * 176) >> 8; /* 16x write speed */
1220         p[17] = (16 * 176) & 0xff;
1221         p[18] = (16 * 176) >> 8; /* 16x write speed current */
1222         p[19] = (16 * 176) & 0xff;
1223         break;
1224 
1225     default:
1226         return -1;
1227     }
1228 
1229     assert(length < 256);
1230     (*p_outbuf)[0] = page;
1231     (*p_outbuf)[1] = length;
1232     *p_outbuf += length + 2;
1233     return length + 2;
1234 }
1235 
1236 static int scsi_disk_emulate_mode_sense(SCSIDiskReq *r, uint8_t *outbuf)
1237 {
1238     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1239     uint64_t nb_sectors;
1240     bool dbd;
1241     int page, buflen, ret, page_control;
1242     uint8_t *p;
1243     uint8_t dev_specific_param;
1244 
1245     dbd = (r->req.cmd.buf[1] & 0x8) != 0;
1246     page = r->req.cmd.buf[2] & 0x3f;
1247     page_control = (r->req.cmd.buf[2] & 0xc0) >> 6;
1248 
1249     trace_scsi_disk_emulate_mode_sense((r->req.cmd.buf[0] == MODE_SENSE) ? 6 :
1250                                        10, page, r->req.cmd.xfer, page_control);
1251     memset(outbuf, 0, r->req.cmd.xfer);
1252     p = outbuf;
1253 
1254     if (s->qdev.type == TYPE_DISK) {
1255         dev_specific_param = s->features & (1 << SCSI_DISK_F_DPOFUA) ? 0x10 : 0;
1256         if (blk_is_read_only(s->qdev.conf.blk)) {
1257             dev_specific_param |= 0x80; /* Readonly.  */
1258         }
1259     } else {
1260         /* MMC prescribes that CD/DVD drives have no block descriptors,
1261          * and defines no device-specific parameter.  */
1262         dev_specific_param = 0x00;
1263         dbd = true;
1264     }
1265 
1266     if (r->req.cmd.buf[0] == MODE_SENSE) {
1267         p[1] = 0; /* Default media type.  */
1268         p[2] = dev_specific_param;
1269         p[3] = 0; /* Block descriptor length.  */
1270         p += 4;
1271     } else { /* MODE_SENSE_10 */
1272         p[2] = 0; /* Default media type.  */
1273         p[3] = dev_specific_param;
1274         p[6] = p[7] = 0; /* Block descriptor length.  */
1275         p += 8;
1276     }
1277 
1278     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
1279     if (!dbd && nb_sectors) {
1280         if (r->req.cmd.buf[0] == MODE_SENSE) {
1281             outbuf[3] = 8; /* Block descriptor length  */
1282         } else { /* MODE_SENSE_10 */
1283             outbuf[7] = 8; /* Block descriptor length  */
1284         }
1285         nb_sectors /= (s->qdev.blocksize / BDRV_SECTOR_SIZE);
1286         if (nb_sectors > 0xffffff) {
1287             nb_sectors = 0;
1288         }
1289         p[0] = 0; /* media density code */
1290         p[1] = (nb_sectors >> 16) & 0xff;
1291         p[2] = (nb_sectors >> 8) & 0xff;
1292         p[3] = nb_sectors & 0xff;
1293         p[4] = 0; /* reserved */
1294         p[5] = 0; /* bytes 5-7 are the sector size in bytes */
1295         p[6] = s->qdev.blocksize >> 8;
1296         p[7] = 0;
1297         p += 8;
1298     }
1299 
1300     if (page_control == 3) {
1301         /* Saved Values */
1302         scsi_check_condition(r, SENSE_CODE(SAVING_PARAMS_NOT_SUPPORTED));
1303         return -1;
1304     }
1305 
1306     if (page == 0x3f) {
1307         for (page = 0; page <= 0x3e; page++) {
1308             mode_sense_page(s, page, &p, page_control);
1309         }
1310     } else {
1311         ret = mode_sense_page(s, page, &p, page_control);
1312         if (ret == -1) {
1313             return -1;
1314         }
1315     }
1316 
1317     buflen = p - outbuf;
1318     /*
1319      * The mode data length field specifies the length in bytes of the
1320      * following data that is available to be transferred. The mode data
1321      * length does not include itself.
1322      */
1323     if (r->req.cmd.buf[0] == MODE_SENSE) {
1324         outbuf[0] = buflen - 1;
1325     } else { /* MODE_SENSE_10 */
1326         outbuf[0] = ((buflen - 2) >> 8) & 0xff;
1327         outbuf[1] = (buflen - 2) & 0xff;
1328     }
1329     return buflen;
1330 }
1331 
1332 static int scsi_disk_emulate_read_toc(SCSIRequest *req, uint8_t *outbuf)
1333 {
1334     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1335     int start_track, format, msf, toclen;
1336     uint64_t nb_sectors;
1337 
1338     msf = req->cmd.buf[1] & 2;
1339     format = req->cmd.buf[2] & 0xf;
1340     start_track = req->cmd.buf[6];
1341     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
1342     trace_scsi_disk_emulate_read_toc(start_track, format, msf >> 1);
1343     nb_sectors /= s->qdev.blocksize / BDRV_SECTOR_SIZE;
1344     switch (format) {
1345     case 0:
1346         toclen = cdrom_read_toc(nb_sectors, outbuf, msf, start_track);
1347         break;
1348     case 1:
1349         /* multi session : only a single session defined */
1350         toclen = 12;
1351         memset(outbuf, 0, 12);
1352         outbuf[1] = 0x0a;
1353         outbuf[2] = 0x01;
1354         outbuf[3] = 0x01;
1355         break;
1356     case 2:
1357         toclen = cdrom_read_toc_raw(nb_sectors, outbuf, msf, start_track);
1358         break;
1359     default:
1360         return -1;
1361     }
1362     return toclen;
1363 }
1364 
1365 static int scsi_disk_emulate_start_stop(SCSIDiskReq *r)
1366 {
1367     SCSIRequest *req = &r->req;
1368     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1369     bool start = req->cmd.buf[4] & 1;
1370     bool loej = req->cmd.buf[4] & 2; /* load on start, eject on !start */
1371     int pwrcnd = req->cmd.buf[4] & 0xf0;
1372 
1373     if (pwrcnd) {
1374         /* eject/load only happens for power condition == 0 */
1375         return 0;
1376     }
1377 
1378     if ((s->features & (1 << SCSI_DISK_F_REMOVABLE)) && loej) {
1379         if (!start && !s->tray_open && s->tray_locked) {
1380             scsi_check_condition(r,
1381                                  blk_is_inserted(s->qdev.conf.blk)
1382                                  ? SENSE_CODE(ILLEGAL_REQ_REMOVAL_PREVENTED)
1383                                  : SENSE_CODE(NOT_READY_REMOVAL_PREVENTED));
1384             return -1;
1385         }
1386 
1387         if (s->tray_open != !start) {
1388             blk_eject(s->qdev.conf.blk, !start);
1389             s->tray_open = !start;
1390         }
1391     }
1392     return 0;
1393 }
1394 
1395 static void scsi_disk_emulate_read_data(SCSIRequest *req)
1396 {
1397     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
1398     int buflen = r->iov.iov_len;
1399 
1400     if (buflen) {
1401         trace_scsi_disk_emulate_read_data(buflen);
1402         r->iov.iov_len = 0;
1403         r->started = true;
1404         scsi_req_data(&r->req, buflen);
1405         return;
1406     }
1407 
1408     /* This also clears the sense buffer for REQUEST SENSE.  */
1409     scsi_req_complete(&r->req, GOOD);
1410 }
1411 
1412 static int scsi_disk_check_mode_select(SCSIDiskState *s, int page,
1413                                        uint8_t *inbuf, int inlen)
1414 {
1415     uint8_t mode_current[SCSI_MAX_MODE_LEN];
1416     uint8_t mode_changeable[SCSI_MAX_MODE_LEN];
1417     uint8_t *p;
1418     int len, expected_len, changeable_len, i;
1419 
1420     /* The input buffer does not include the page header, so it is
1421      * off by 2 bytes.
1422      */
1423     expected_len = inlen + 2;
1424     if (expected_len > SCSI_MAX_MODE_LEN) {
1425         return -1;
1426     }
1427 
1428     p = mode_current;
1429     memset(mode_current, 0, inlen + 2);
1430     len = mode_sense_page(s, page, &p, 0);
1431     if (len < 0 || len != expected_len) {
1432         return -1;
1433     }
1434 
1435     p = mode_changeable;
1436     memset(mode_changeable, 0, inlen + 2);
1437     changeable_len = mode_sense_page(s, page, &p, 1);
1438     assert(changeable_len == len);
1439 
1440     /* Check that unchangeable bits are the same as what MODE SENSE
1441      * would return.
1442      */
1443     for (i = 2; i < len; i++) {
1444         if (((mode_current[i] ^ inbuf[i - 2]) & ~mode_changeable[i]) != 0) {
1445             return -1;
1446         }
1447     }
1448     return 0;
1449 }
1450 
1451 static void scsi_disk_apply_mode_select(SCSIDiskState *s, int page, uint8_t *p)
1452 {
1453     switch (page) {
1454     case MODE_PAGE_CACHING:
1455         blk_set_enable_write_cache(s->qdev.conf.blk, (p[0] & 4) != 0);
1456         break;
1457 
1458     default:
1459         break;
1460     }
1461 }
1462 
1463 static int mode_select_pages(SCSIDiskReq *r, uint8_t *p, int len, bool change)
1464 {
1465     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1466 
1467     while (len > 0) {
1468         int page, subpage, page_len;
1469 
1470         /* Parse both possible formats for the mode page headers.  */
1471         page = p[0] & 0x3f;
1472         if (p[0] & 0x40) {
1473             if (len < 4) {
1474                 goto invalid_param_len;
1475             }
1476             subpage = p[1];
1477             page_len = lduw_be_p(&p[2]);
1478             p += 4;
1479             len -= 4;
1480         } else {
1481             if (len < 2) {
1482                 goto invalid_param_len;
1483             }
1484             subpage = 0;
1485             page_len = p[1];
1486             p += 2;
1487             len -= 2;
1488         }
1489 
1490         if (subpage) {
1491             goto invalid_param;
1492         }
1493         if (page_len > len) {
1494             goto invalid_param_len;
1495         }
1496 
1497         if (!change) {
1498             if (scsi_disk_check_mode_select(s, page, p, page_len) < 0) {
1499                 goto invalid_param;
1500             }
1501         } else {
1502             scsi_disk_apply_mode_select(s, page, p);
1503         }
1504 
1505         p += page_len;
1506         len -= page_len;
1507     }
1508     return 0;
1509 
1510 invalid_param:
1511     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM));
1512     return -1;
1513 
1514 invalid_param_len:
1515     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM_LEN));
1516     return -1;
1517 }
1518 
1519 static void scsi_disk_emulate_mode_select(SCSIDiskReq *r, uint8_t *inbuf)
1520 {
1521     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1522     uint8_t *p = inbuf;
1523     int cmd = r->req.cmd.buf[0];
1524     int len = r->req.cmd.xfer;
1525     int hdr_len = (cmd == MODE_SELECT ? 4 : 8);
1526     int bd_len;
1527     int pass;
1528 
1529     /* We only support PF=1, SP=0.  */
1530     if ((r->req.cmd.buf[1] & 0x11) != 0x10) {
1531         goto invalid_field;
1532     }
1533 
1534     if (len < hdr_len) {
1535         goto invalid_param_len;
1536     }
1537 
1538     bd_len = (cmd == MODE_SELECT ? p[3] : lduw_be_p(&p[6]));
1539     len -= hdr_len;
1540     p += hdr_len;
1541     if (len < bd_len) {
1542         goto invalid_param_len;
1543     }
1544     if (bd_len != 0 && bd_len != 8) {
1545         goto invalid_param;
1546     }
1547 
1548     len -= bd_len;
1549     p += bd_len;
1550 
1551     /* Ensure no change is made if there is an error!  */
1552     for (pass = 0; pass < 2; pass++) {
1553         if (mode_select_pages(r, p, len, pass == 1) < 0) {
1554             assert(pass == 0);
1555             return;
1556         }
1557     }
1558     if (!blk_enable_write_cache(s->qdev.conf.blk)) {
1559         /* The request is used as the AIO opaque value, so add a ref.  */
1560         scsi_req_ref(&r->req);
1561         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct, 0,
1562                          BLOCK_ACCT_FLUSH);
1563         r->req.aiocb = blk_aio_flush(s->qdev.conf.blk, scsi_aio_complete, r);
1564         return;
1565     }
1566 
1567     scsi_req_complete(&r->req, GOOD);
1568     return;
1569 
1570 invalid_param:
1571     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM));
1572     return;
1573 
1574 invalid_param_len:
1575     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM_LEN));
1576     return;
1577 
1578 invalid_field:
1579     scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1580 }
1581 
1582 static inline bool check_lba_range(SCSIDiskState *s,
1583                                    uint64_t sector_num, uint32_t nb_sectors)
1584 {
1585     /*
1586      * The first line tests that no overflow happens when computing the last
1587      * sector.  The second line tests that the last accessed sector is in
1588      * range.
1589      *
1590      * Careful, the computations should not underflow for nb_sectors == 0,
1591      * and a 0-block read to the first LBA beyond the end of device is
1592      * valid.
1593      */
1594     return (sector_num <= sector_num + nb_sectors &&
1595             sector_num + nb_sectors <= s->qdev.max_lba + 1);
1596 }
1597 
1598 typedef struct UnmapCBData {
1599     SCSIDiskReq *r;
1600     uint8_t *inbuf;
1601     int count;
1602 } UnmapCBData;
1603 
1604 static void scsi_unmap_complete(void *opaque, int ret);
1605 
1606 static void scsi_unmap_complete_noio(UnmapCBData *data, int ret)
1607 {
1608     SCSIDiskReq *r = data->r;
1609     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1610 
1611     assert(r->req.aiocb == NULL);
1612 
1613     if (data->count > 0) {
1614         r->sector = ldq_be_p(&data->inbuf[0])
1615             * (s->qdev.blocksize / BDRV_SECTOR_SIZE);
1616         r->sector_count = (ldl_be_p(&data->inbuf[8]) & 0xffffffffULL)
1617             * (s->qdev.blocksize / BDRV_SECTOR_SIZE);
1618         if (!check_lba_range(s, r->sector, r->sector_count)) {
1619             block_acct_invalid(blk_get_stats(s->qdev.conf.blk),
1620                                BLOCK_ACCT_UNMAP);
1621             scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
1622             goto done;
1623         }
1624 
1625         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
1626                          r->sector_count * BDRV_SECTOR_SIZE,
1627                          BLOCK_ACCT_UNMAP);
1628 
1629         r->req.aiocb = blk_aio_pdiscard(s->qdev.conf.blk,
1630                                         r->sector * BDRV_SECTOR_SIZE,
1631                                         r->sector_count * BDRV_SECTOR_SIZE,
1632                                         scsi_unmap_complete, data);
1633         data->count--;
1634         data->inbuf += 16;
1635         return;
1636     }
1637 
1638     scsi_req_complete(&r->req, GOOD);
1639 
1640 done:
1641     scsi_req_unref(&r->req);
1642     g_free(data);
1643 }
1644 
1645 static void scsi_unmap_complete(void *opaque, int ret)
1646 {
1647     UnmapCBData *data = opaque;
1648     SCSIDiskReq *r = data->r;
1649     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1650 
1651     assert(r->req.aiocb != NULL);
1652     r->req.aiocb = NULL;
1653 
1654     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
1655     if (scsi_disk_req_check_error(r, ret, true)) {
1656         scsi_req_unref(&r->req);
1657         g_free(data);
1658     } else {
1659         block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
1660         scsi_unmap_complete_noio(data, ret);
1661     }
1662     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
1663 }
1664 
1665 static void scsi_disk_emulate_unmap(SCSIDiskReq *r, uint8_t *inbuf)
1666 {
1667     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1668     uint8_t *p = inbuf;
1669     int len = r->req.cmd.xfer;
1670     UnmapCBData *data;
1671 
1672     /* Reject ANCHOR=1.  */
1673     if (r->req.cmd.buf[1] & 0x1) {
1674         goto invalid_field;
1675     }
1676 
1677     if (len < 8) {
1678         goto invalid_param_len;
1679     }
1680     if (len < lduw_be_p(&p[0]) + 2) {
1681         goto invalid_param_len;
1682     }
1683     if (len < lduw_be_p(&p[2]) + 8) {
1684         goto invalid_param_len;
1685     }
1686     if (lduw_be_p(&p[2]) & 15) {
1687         goto invalid_param_len;
1688     }
1689 
1690     if (blk_is_read_only(s->qdev.conf.blk)) {
1691         block_acct_invalid(blk_get_stats(s->qdev.conf.blk), BLOCK_ACCT_UNMAP);
1692         scsi_check_condition(r, SENSE_CODE(WRITE_PROTECTED));
1693         return;
1694     }
1695 
1696     data = g_new0(UnmapCBData, 1);
1697     data->r = r;
1698     data->inbuf = &p[8];
1699     data->count = lduw_be_p(&p[2]) >> 4;
1700 
1701     /* The matching unref is in scsi_unmap_complete, before data is freed.  */
1702     scsi_req_ref(&r->req);
1703     scsi_unmap_complete_noio(data, 0);
1704     return;
1705 
1706 invalid_param_len:
1707     block_acct_invalid(blk_get_stats(s->qdev.conf.blk), BLOCK_ACCT_UNMAP);
1708     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM_LEN));
1709     return;
1710 
1711 invalid_field:
1712     block_acct_invalid(blk_get_stats(s->qdev.conf.blk), BLOCK_ACCT_UNMAP);
1713     scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1714 }
1715 
1716 typedef struct WriteSameCBData {
1717     SCSIDiskReq *r;
1718     int64_t sector;
1719     int nb_sectors;
1720     QEMUIOVector qiov;
1721     struct iovec iov;
1722 } WriteSameCBData;
1723 
1724 static void scsi_write_same_complete(void *opaque, int ret)
1725 {
1726     WriteSameCBData *data = opaque;
1727     SCSIDiskReq *r = data->r;
1728     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1729 
1730     assert(r->req.aiocb != NULL);
1731     r->req.aiocb = NULL;
1732     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
1733     if (scsi_disk_req_check_error(r, ret, true)) {
1734         goto done;
1735     }
1736 
1737     block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
1738 
1739     data->nb_sectors -= data->iov.iov_len / BDRV_SECTOR_SIZE;
1740     data->sector += data->iov.iov_len / BDRV_SECTOR_SIZE;
1741     data->iov.iov_len = MIN(data->nb_sectors * BDRV_SECTOR_SIZE,
1742                             data->iov.iov_len);
1743     if (data->iov.iov_len) {
1744         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
1745                          data->iov.iov_len, BLOCK_ACCT_WRITE);
1746         /* Reinitialize qiov, to handle unaligned WRITE SAME request
1747          * where final qiov may need smaller size */
1748         qemu_iovec_init_external(&data->qiov, &data->iov, 1);
1749         r->req.aiocb = blk_aio_pwritev(s->qdev.conf.blk,
1750                                        data->sector << BDRV_SECTOR_BITS,
1751                                        &data->qiov, 0,
1752                                        scsi_write_same_complete, data);
1753         aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
1754         return;
1755     }
1756 
1757     scsi_req_complete(&r->req, GOOD);
1758 
1759 done:
1760     scsi_req_unref(&r->req);
1761     qemu_vfree(data->iov.iov_base);
1762     g_free(data);
1763     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
1764 }
1765 
1766 static void scsi_disk_emulate_write_same(SCSIDiskReq *r, uint8_t *inbuf)
1767 {
1768     SCSIRequest *req = &r->req;
1769     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1770     uint32_t nb_sectors = scsi_data_cdb_xfer(r->req.cmd.buf);
1771     WriteSameCBData *data;
1772     uint8_t *buf;
1773     int i;
1774 
1775     /* Fail if PBDATA=1 or LBDATA=1 or ANCHOR=1.  */
1776     if (nb_sectors == 0 || (req->cmd.buf[1] & 0x16)) {
1777         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1778         return;
1779     }
1780 
1781     if (blk_is_read_only(s->qdev.conf.blk)) {
1782         scsi_check_condition(r, SENSE_CODE(WRITE_PROTECTED));
1783         return;
1784     }
1785     if (!check_lba_range(s, r->req.cmd.lba, nb_sectors)) {
1786         scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
1787         return;
1788     }
1789 
1790     if ((req->cmd.buf[1] & 0x1) || buffer_is_zero(inbuf, s->qdev.blocksize)) {
1791         int flags = (req->cmd.buf[1] & 0x8) ? BDRV_REQ_MAY_UNMAP : 0;
1792 
1793         /* The request is used as the AIO opaque value, so add a ref.  */
1794         scsi_req_ref(&r->req);
1795         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
1796                          nb_sectors * s->qdev.blocksize,
1797                         BLOCK_ACCT_WRITE);
1798         r->req.aiocb = blk_aio_pwrite_zeroes(s->qdev.conf.blk,
1799                                 r->req.cmd.lba * s->qdev.blocksize,
1800                                 nb_sectors * s->qdev.blocksize,
1801                                 flags, scsi_aio_complete, r);
1802         return;
1803     }
1804 
1805     data = g_new0(WriteSameCBData, 1);
1806     data->r = r;
1807     data->sector = r->req.cmd.lba * (s->qdev.blocksize / BDRV_SECTOR_SIZE);
1808     data->nb_sectors = nb_sectors * (s->qdev.blocksize / BDRV_SECTOR_SIZE);
1809     data->iov.iov_len = MIN(data->nb_sectors * BDRV_SECTOR_SIZE,
1810                             SCSI_WRITE_SAME_MAX);
1811     data->iov.iov_base = buf = blk_blockalign(s->qdev.conf.blk,
1812                                               data->iov.iov_len);
1813     qemu_iovec_init_external(&data->qiov, &data->iov, 1);
1814 
1815     for (i = 0; i < data->iov.iov_len; i += s->qdev.blocksize) {
1816         memcpy(&buf[i], inbuf, s->qdev.blocksize);
1817     }
1818 
1819     scsi_req_ref(&r->req);
1820     block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
1821                      data->iov.iov_len, BLOCK_ACCT_WRITE);
1822     r->req.aiocb = blk_aio_pwritev(s->qdev.conf.blk,
1823                                    data->sector << BDRV_SECTOR_BITS,
1824                                    &data->qiov, 0,
1825                                    scsi_write_same_complete, data);
1826 }
1827 
1828 static void scsi_disk_emulate_write_data(SCSIRequest *req)
1829 {
1830     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
1831 
1832     if (r->iov.iov_len) {
1833         int buflen = r->iov.iov_len;
1834         trace_scsi_disk_emulate_write_data(buflen);
1835         r->iov.iov_len = 0;
1836         scsi_req_data(&r->req, buflen);
1837         return;
1838     }
1839 
1840     switch (req->cmd.buf[0]) {
1841     case MODE_SELECT:
1842     case MODE_SELECT_10:
1843         /* This also clears the sense buffer for REQUEST SENSE.  */
1844         scsi_disk_emulate_mode_select(r, r->iov.iov_base);
1845         break;
1846 
1847     case UNMAP:
1848         scsi_disk_emulate_unmap(r, r->iov.iov_base);
1849         break;
1850 
1851     case VERIFY_10:
1852     case VERIFY_12:
1853     case VERIFY_16:
1854         if (r->req.status == -1) {
1855             scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1856         }
1857         break;
1858 
1859     case WRITE_SAME_10:
1860     case WRITE_SAME_16:
1861         scsi_disk_emulate_write_same(r, r->iov.iov_base);
1862         break;
1863 
1864     default:
1865         abort();
1866     }
1867 }
1868 
1869 static int32_t scsi_disk_emulate_command(SCSIRequest *req, uint8_t *buf)
1870 {
1871     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
1872     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1873     uint64_t nb_sectors;
1874     uint8_t *outbuf;
1875     int buflen;
1876 
1877     switch (req->cmd.buf[0]) {
1878     case INQUIRY:
1879     case MODE_SENSE:
1880     case MODE_SENSE_10:
1881     case RESERVE:
1882     case RESERVE_10:
1883     case RELEASE:
1884     case RELEASE_10:
1885     case START_STOP:
1886     case ALLOW_MEDIUM_REMOVAL:
1887     case GET_CONFIGURATION:
1888     case GET_EVENT_STATUS_NOTIFICATION:
1889     case MECHANISM_STATUS:
1890     case REQUEST_SENSE:
1891         break;
1892 
1893     default:
1894         if (!blk_is_available(s->qdev.conf.blk)) {
1895             scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
1896             return 0;
1897         }
1898         break;
1899     }
1900 
1901     /*
1902      * FIXME: we shouldn't return anything bigger than 4k, but the code
1903      * requires the buffer to be as big as req->cmd.xfer in several
1904      * places.  So, do not allow CDBs with a very large ALLOCATION
1905      * LENGTH.  The real fix would be to modify scsi_read_data and
1906      * dma_buf_read, so that they return data beyond the buflen
1907      * as all zeros.
1908      */
1909     if (req->cmd.xfer > 65536) {
1910         goto illegal_request;
1911     }
1912     r->buflen = MAX(4096, req->cmd.xfer);
1913 
1914     if (!r->iov.iov_base) {
1915         r->iov.iov_base = blk_blockalign(s->qdev.conf.blk, r->buflen);
1916     }
1917 
1918     outbuf = r->iov.iov_base;
1919     memset(outbuf, 0, r->buflen);
1920     switch (req->cmd.buf[0]) {
1921     case TEST_UNIT_READY:
1922         assert(blk_is_available(s->qdev.conf.blk));
1923         break;
1924     case INQUIRY:
1925         buflen = scsi_disk_emulate_inquiry(req, outbuf);
1926         if (buflen < 0) {
1927             goto illegal_request;
1928         }
1929         break;
1930     case MODE_SENSE:
1931     case MODE_SENSE_10:
1932         buflen = scsi_disk_emulate_mode_sense(r, outbuf);
1933         if (buflen < 0) {
1934             goto illegal_request;
1935         }
1936         break;
1937     case READ_TOC:
1938         buflen = scsi_disk_emulate_read_toc(req, outbuf);
1939         if (buflen < 0) {
1940             goto illegal_request;
1941         }
1942         break;
1943     case RESERVE:
1944         if (req->cmd.buf[1] & 1) {
1945             goto illegal_request;
1946         }
1947         break;
1948     case RESERVE_10:
1949         if (req->cmd.buf[1] & 3) {
1950             goto illegal_request;
1951         }
1952         break;
1953     case RELEASE:
1954         if (req->cmd.buf[1] & 1) {
1955             goto illegal_request;
1956         }
1957         break;
1958     case RELEASE_10:
1959         if (req->cmd.buf[1] & 3) {
1960             goto illegal_request;
1961         }
1962         break;
1963     case START_STOP:
1964         if (scsi_disk_emulate_start_stop(r) < 0) {
1965             return 0;
1966         }
1967         break;
1968     case ALLOW_MEDIUM_REMOVAL:
1969         s->tray_locked = req->cmd.buf[4] & 1;
1970         blk_lock_medium(s->qdev.conf.blk, req->cmd.buf[4] & 1);
1971         break;
1972     case READ_CAPACITY_10:
1973         /* The normal LEN field for this command is zero.  */
1974         memset(outbuf, 0, 8);
1975         blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
1976         if (!nb_sectors) {
1977             scsi_check_condition(r, SENSE_CODE(LUN_NOT_READY));
1978             return 0;
1979         }
1980         if ((req->cmd.buf[8] & 1) == 0 && req->cmd.lba) {
1981             goto illegal_request;
1982         }
1983         nb_sectors /= s->qdev.blocksize / BDRV_SECTOR_SIZE;
1984         /* Returned value is the address of the last sector.  */
1985         nb_sectors--;
1986         /* Remember the new size for read/write sanity checking. */
1987         s->qdev.max_lba = nb_sectors;
1988         /* Clip to 2TB, instead of returning capacity modulo 2TB. */
1989         if (nb_sectors > UINT32_MAX) {
1990             nb_sectors = UINT32_MAX;
1991         }
1992         outbuf[0] = (nb_sectors >> 24) & 0xff;
1993         outbuf[1] = (nb_sectors >> 16) & 0xff;
1994         outbuf[2] = (nb_sectors >> 8) & 0xff;
1995         outbuf[3] = nb_sectors & 0xff;
1996         outbuf[4] = 0;
1997         outbuf[5] = 0;
1998         outbuf[6] = s->qdev.blocksize >> 8;
1999         outbuf[7] = 0;
2000         break;
2001     case REQUEST_SENSE:
2002         /* Just return "NO SENSE".  */
2003         buflen = scsi_convert_sense(NULL, 0, outbuf, r->buflen,
2004                                     (req->cmd.buf[1] & 1) == 0);
2005         if (buflen < 0) {
2006             goto illegal_request;
2007         }
2008         break;
2009     case MECHANISM_STATUS:
2010         buflen = scsi_emulate_mechanism_status(s, outbuf);
2011         if (buflen < 0) {
2012             goto illegal_request;
2013         }
2014         break;
2015     case GET_CONFIGURATION:
2016         buflen = scsi_get_configuration(s, outbuf);
2017         if (buflen < 0) {
2018             goto illegal_request;
2019         }
2020         break;
2021     case GET_EVENT_STATUS_NOTIFICATION:
2022         buflen = scsi_get_event_status_notification(s, r, outbuf);
2023         if (buflen < 0) {
2024             goto illegal_request;
2025         }
2026         break;
2027     case READ_DISC_INFORMATION:
2028         buflen = scsi_read_disc_information(s, r, outbuf);
2029         if (buflen < 0) {
2030             goto illegal_request;
2031         }
2032         break;
2033     case READ_DVD_STRUCTURE:
2034         buflen = scsi_read_dvd_structure(s, r, outbuf);
2035         if (buflen < 0) {
2036             goto illegal_request;
2037         }
2038         break;
2039     case SERVICE_ACTION_IN_16:
2040         /* Service Action In subcommands. */
2041         if ((req->cmd.buf[1] & 31) == SAI_READ_CAPACITY_16) {
2042             trace_scsi_disk_emulate_command_SAI_16();
2043             memset(outbuf, 0, req->cmd.xfer);
2044             blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
2045             if (!nb_sectors) {
2046                 scsi_check_condition(r, SENSE_CODE(LUN_NOT_READY));
2047                 return 0;
2048             }
2049             if ((req->cmd.buf[14] & 1) == 0 && req->cmd.lba) {
2050                 goto illegal_request;
2051             }
2052             nb_sectors /= s->qdev.blocksize / BDRV_SECTOR_SIZE;
2053             /* Returned value is the address of the last sector.  */
2054             nb_sectors--;
2055             /* Remember the new size for read/write sanity checking. */
2056             s->qdev.max_lba = nb_sectors;
2057             outbuf[0] = (nb_sectors >> 56) & 0xff;
2058             outbuf[1] = (nb_sectors >> 48) & 0xff;
2059             outbuf[2] = (nb_sectors >> 40) & 0xff;
2060             outbuf[3] = (nb_sectors >> 32) & 0xff;
2061             outbuf[4] = (nb_sectors >> 24) & 0xff;
2062             outbuf[5] = (nb_sectors >> 16) & 0xff;
2063             outbuf[6] = (nb_sectors >> 8) & 0xff;
2064             outbuf[7] = nb_sectors & 0xff;
2065             outbuf[8] = 0;
2066             outbuf[9] = 0;
2067             outbuf[10] = s->qdev.blocksize >> 8;
2068             outbuf[11] = 0;
2069             outbuf[12] = 0;
2070             outbuf[13] = get_physical_block_exp(&s->qdev.conf);
2071 
2072             /* set TPE bit if the format supports discard */
2073             if (s->qdev.conf.discard_granularity) {
2074                 outbuf[14] = 0x80;
2075             }
2076 
2077             /* Protection, exponent and lowest lba field left blank. */
2078             break;
2079         }
2080         trace_scsi_disk_emulate_command_SAI_unsupported();
2081         goto illegal_request;
2082     case SYNCHRONIZE_CACHE:
2083         /* The request is used as the AIO opaque value, so add a ref.  */
2084         scsi_req_ref(&r->req);
2085         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct, 0,
2086                          BLOCK_ACCT_FLUSH);
2087         r->req.aiocb = blk_aio_flush(s->qdev.conf.blk, scsi_aio_complete, r);
2088         return 0;
2089     case SEEK_10:
2090         trace_scsi_disk_emulate_command_SEEK_10(r->req.cmd.lba);
2091         if (r->req.cmd.lba > s->qdev.max_lba) {
2092             goto illegal_lba;
2093         }
2094         break;
2095     case MODE_SELECT:
2096         trace_scsi_disk_emulate_command_MODE_SELECT(r->req.cmd.xfer);
2097         break;
2098     case MODE_SELECT_10:
2099         trace_scsi_disk_emulate_command_MODE_SELECT_10(r->req.cmd.xfer);
2100         break;
2101     case UNMAP:
2102         trace_scsi_disk_emulate_command_UNMAP(r->req.cmd.xfer);
2103         break;
2104     case VERIFY_10:
2105     case VERIFY_12:
2106     case VERIFY_16:
2107         trace_scsi_disk_emulate_command_VERIFY((req->cmd.buf[1] >> 1) & 3);
2108         if (req->cmd.buf[1] & 6) {
2109             goto illegal_request;
2110         }
2111         break;
2112     case WRITE_SAME_10:
2113     case WRITE_SAME_16:
2114         trace_scsi_disk_emulate_command_WRITE_SAME(
2115                 req->cmd.buf[0] == WRITE_SAME_10 ? 10 : 16, r->req.cmd.xfer);
2116         break;
2117     default:
2118         trace_scsi_disk_emulate_command_UNKNOWN(buf[0],
2119                                                 scsi_command_name(buf[0]));
2120         scsi_check_condition(r, SENSE_CODE(INVALID_OPCODE));
2121         return 0;
2122     }
2123     assert(!r->req.aiocb);
2124     r->iov.iov_len = MIN(r->buflen, req->cmd.xfer);
2125     if (r->iov.iov_len == 0) {
2126         scsi_req_complete(&r->req, GOOD);
2127     }
2128     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
2129         assert(r->iov.iov_len == req->cmd.xfer);
2130         return -r->iov.iov_len;
2131     } else {
2132         return r->iov.iov_len;
2133     }
2134 
2135 illegal_request:
2136     if (r->req.status == -1) {
2137         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
2138     }
2139     return 0;
2140 
2141 illegal_lba:
2142     scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
2143     return 0;
2144 }
2145 
2146 /* Execute a scsi command.  Returns the length of the data expected by the
2147    command.  This will be Positive for data transfers from the device
2148    (eg. disk reads), negative for transfers to the device (eg. disk writes),
2149    and zero if the command does not transfer any data.  */
2150 
2151 static int32_t scsi_disk_dma_command(SCSIRequest *req, uint8_t *buf)
2152 {
2153     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
2154     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
2155     SCSIDiskClass *sdc = (SCSIDiskClass *) object_get_class(OBJECT(s));
2156     uint32_t len;
2157     uint8_t command;
2158 
2159     command = buf[0];
2160 
2161     if (!blk_is_available(s->qdev.conf.blk)) {
2162         scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
2163         return 0;
2164     }
2165 
2166     len = scsi_data_cdb_xfer(r->req.cmd.buf);
2167     switch (command) {
2168     case READ_6:
2169     case READ_10:
2170     case READ_12:
2171     case READ_16:
2172         trace_scsi_disk_dma_command_READ(r->req.cmd.lba, len);
2173         /* Protection information is not supported.  For SCSI versions 2 and
2174          * older (as determined by snooping the guest's INQUIRY commands),
2175          * there is no RD/WR/VRPROTECT, so skip this check in these versions.
2176          */
2177         if (s->qdev.scsi_version > 2 && (r->req.cmd.buf[1] & 0xe0)) {
2178             goto illegal_request;
2179         }
2180         if (!check_lba_range(s, r->req.cmd.lba, len)) {
2181             goto illegal_lba;
2182         }
2183         r->sector = r->req.cmd.lba * (s->qdev.blocksize / BDRV_SECTOR_SIZE);
2184         r->sector_count = len * (s->qdev.blocksize / BDRV_SECTOR_SIZE);
2185         break;
2186     case WRITE_6:
2187     case WRITE_10:
2188     case WRITE_12:
2189     case WRITE_16:
2190     case WRITE_VERIFY_10:
2191     case WRITE_VERIFY_12:
2192     case WRITE_VERIFY_16:
2193         if (blk_is_read_only(s->qdev.conf.blk)) {
2194             scsi_check_condition(r, SENSE_CODE(WRITE_PROTECTED));
2195             return 0;
2196         }
2197         trace_scsi_disk_dma_command_WRITE(
2198                 (command & 0xe) == 0xe ? "And Verify " : "",
2199                 r->req.cmd.lba, len);
2200         /* fall through */
2201     case VERIFY_10:
2202     case VERIFY_12:
2203     case VERIFY_16:
2204         /* We get here only for BYTCHK == 0x01 and only for scsi-block.
2205          * As far as DMA is concerned, we can treat it the same as a write;
2206          * scsi_block_do_sgio will send VERIFY commands.
2207          */
2208         if (s->qdev.scsi_version > 2 && (r->req.cmd.buf[1] & 0xe0)) {
2209             goto illegal_request;
2210         }
2211         if (!check_lba_range(s, r->req.cmd.lba, len)) {
2212             goto illegal_lba;
2213         }
2214         r->sector = r->req.cmd.lba * (s->qdev.blocksize / BDRV_SECTOR_SIZE);
2215         r->sector_count = len * (s->qdev.blocksize / BDRV_SECTOR_SIZE);
2216         break;
2217     default:
2218         abort();
2219     illegal_request:
2220         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
2221         return 0;
2222     illegal_lba:
2223         scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
2224         return 0;
2225     }
2226     r->need_fua_emulation = sdc->need_fua_emulation(&r->req.cmd);
2227     if (r->sector_count == 0) {
2228         scsi_req_complete(&r->req, GOOD);
2229     }
2230     assert(r->iov.iov_len == 0);
2231     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
2232         return -r->sector_count * BDRV_SECTOR_SIZE;
2233     } else {
2234         return r->sector_count * BDRV_SECTOR_SIZE;
2235     }
2236 }
2237 
2238 static void scsi_disk_reset(DeviceState *dev)
2239 {
2240     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev.qdev, dev);
2241     uint64_t nb_sectors;
2242 
2243     scsi_device_purge_requests(&s->qdev, SENSE_CODE(RESET));
2244 
2245     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
2246     nb_sectors /= s->qdev.blocksize / BDRV_SECTOR_SIZE;
2247     if (nb_sectors) {
2248         nb_sectors--;
2249     }
2250     s->qdev.max_lba = nb_sectors;
2251     /* reset tray statuses */
2252     s->tray_locked = 0;
2253     s->tray_open = 0;
2254 
2255     s->qdev.scsi_version = s->qdev.default_scsi_version;
2256 }
2257 
2258 static void scsi_disk_resize_cb(void *opaque)
2259 {
2260     SCSIDiskState *s = opaque;
2261 
2262     /* SPC lists this sense code as available only for
2263      * direct-access devices.
2264      */
2265     if (s->qdev.type == TYPE_DISK) {
2266         scsi_device_report_change(&s->qdev, SENSE_CODE(CAPACITY_CHANGED));
2267     }
2268 }
2269 
2270 static void scsi_cd_change_media_cb(void *opaque, bool load, Error **errp)
2271 {
2272     SCSIDiskState *s = opaque;
2273 
2274     /*
2275      * When a CD gets changed, we have to report an ejected state and
2276      * then a loaded state to guests so that they detect tray
2277      * open/close and media change events.  Guests that do not use
2278      * GET_EVENT_STATUS_NOTIFICATION to detect such tray open/close
2279      * states rely on this behavior.
2280      *
2281      * media_changed governs the state machine used for unit attention
2282      * report.  media_event is used by GET EVENT STATUS NOTIFICATION.
2283      */
2284     s->media_changed = load;
2285     s->tray_open = !load;
2286     scsi_device_set_ua(&s->qdev, SENSE_CODE(UNIT_ATTENTION_NO_MEDIUM));
2287     s->media_event = true;
2288     s->eject_request = false;
2289 }
2290 
2291 static void scsi_cd_eject_request_cb(void *opaque, bool force)
2292 {
2293     SCSIDiskState *s = opaque;
2294 
2295     s->eject_request = true;
2296     if (force) {
2297         s->tray_locked = false;
2298     }
2299 }
2300 
2301 static bool scsi_cd_is_tray_open(void *opaque)
2302 {
2303     return ((SCSIDiskState *)opaque)->tray_open;
2304 }
2305 
2306 static bool scsi_cd_is_medium_locked(void *opaque)
2307 {
2308     return ((SCSIDiskState *)opaque)->tray_locked;
2309 }
2310 
2311 static const BlockDevOps scsi_disk_removable_block_ops = {
2312     .change_media_cb = scsi_cd_change_media_cb,
2313     .eject_request_cb = scsi_cd_eject_request_cb,
2314     .is_tray_open = scsi_cd_is_tray_open,
2315     .is_medium_locked = scsi_cd_is_medium_locked,
2316 
2317     .resize_cb = scsi_disk_resize_cb,
2318 };
2319 
2320 static const BlockDevOps scsi_disk_block_ops = {
2321     .resize_cb = scsi_disk_resize_cb,
2322 };
2323 
2324 static void scsi_disk_unit_attention_reported(SCSIDevice *dev)
2325 {
2326     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2327     if (s->media_changed) {
2328         s->media_changed = false;
2329         scsi_device_set_ua(&s->qdev, SENSE_CODE(MEDIUM_CHANGED));
2330     }
2331 }
2332 
2333 static void scsi_realize(SCSIDevice *dev, Error **errp)
2334 {
2335     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2336     bool read_only;
2337 
2338     if (!s->qdev.conf.blk) {
2339         error_setg(errp, "drive property not set");
2340         return;
2341     }
2342 
2343     if (!(s->features & (1 << SCSI_DISK_F_REMOVABLE)) &&
2344         !blk_is_inserted(s->qdev.conf.blk)) {
2345         error_setg(errp, "Device needs media, but drive is empty");
2346         return;
2347     }
2348 
2349     if (!blkconf_blocksizes(&s->qdev.conf, errp)) {
2350         return;
2351     }
2352 
2353     if (blk_get_aio_context(s->qdev.conf.blk) != qemu_get_aio_context() &&
2354         !s->qdev.hba_supports_iothread)
2355     {
2356         error_setg(errp, "HBA does not support iothreads");
2357         return;
2358     }
2359 
2360     if (dev->type == TYPE_DISK) {
2361         if (!blkconf_geometry(&dev->conf, NULL, 65535, 255, 255, errp)) {
2362             return;
2363         }
2364     }
2365 
2366     read_only = blk_is_read_only(s->qdev.conf.blk);
2367     if (dev->type == TYPE_ROM) {
2368         read_only = true;
2369     }
2370 
2371     if (!blkconf_apply_backend_options(&dev->conf, read_only,
2372                                        dev->type == TYPE_DISK, errp)) {
2373         return;
2374     }
2375 
2376     if (s->qdev.conf.discard_granularity == -1) {
2377         s->qdev.conf.discard_granularity =
2378             MAX(s->qdev.conf.logical_block_size, DEFAULT_DISCARD_GRANULARITY);
2379     }
2380 
2381     if (!s->version) {
2382         s->version = g_strdup(qemu_hw_version());
2383     }
2384     if (!s->vendor) {
2385         s->vendor = g_strdup("QEMU");
2386     }
2387     if (!s->device_id) {
2388         if (s->serial) {
2389             s->device_id = g_strdup_printf("%.20s", s->serial);
2390         } else {
2391             const char *str = blk_name(s->qdev.conf.blk);
2392             if (str && *str) {
2393                 s->device_id = g_strdup(str);
2394             }
2395         }
2396     }
2397 
2398     if (blk_is_sg(s->qdev.conf.blk)) {
2399         error_setg(errp, "unwanted /dev/sg*");
2400         return;
2401     }
2402 
2403     if ((s->features & (1 << SCSI_DISK_F_REMOVABLE)) &&
2404             !(s->features & (1 << SCSI_DISK_F_NO_REMOVABLE_DEVOPS))) {
2405         blk_set_dev_ops(s->qdev.conf.blk, &scsi_disk_removable_block_ops, s);
2406     } else {
2407         blk_set_dev_ops(s->qdev.conf.blk, &scsi_disk_block_ops, s);
2408     }
2409     blk_set_guest_block_size(s->qdev.conf.blk, s->qdev.blocksize);
2410 
2411     blk_iostatus_enable(s->qdev.conf.blk);
2412 
2413     add_boot_device_lchs(&dev->qdev, NULL,
2414                          dev->conf.lcyls,
2415                          dev->conf.lheads,
2416                          dev->conf.lsecs);
2417 }
2418 
2419 static void scsi_unrealize(SCSIDevice *dev)
2420 {
2421     del_boot_device_lchs(&dev->qdev, NULL);
2422 }
2423 
2424 static void scsi_hd_realize(SCSIDevice *dev, Error **errp)
2425 {
2426     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2427     AioContext *ctx = NULL;
2428     /* can happen for devices without drive. The error message for missing
2429      * backend will be issued in scsi_realize
2430      */
2431     if (s->qdev.conf.blk) {
2432         ctx = blk_get_aio_context(s->qdev.conf.blk);
2433         aio_context_acquire(ctx);
2434         if (!blkconf_blocksizes(&s->qdev.conf, errp)) {
2435             goto out;
2436         }
2437     }
2438     s->qdev.blocksize = s->qdev.conf.logical_block_size;
2439     s->qdev.type = TYPE_DISK;
2440     if (!s->product) {
2441         s->product = g_strdup("QEMU HARDDISK");
2442     }
2443     scsi_realize(&s->qdev, errp);
2444 out:
2445     if (ctx) {
2446         aio_context_release(ctx);
2447     }
2448 }
2449 
2450 static void scsi_cd_realize(SCSIDevice *dev, Error **errp)
2451 {
2452     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2453     AioContext *ctx;
2454     int ret;
2455 
2456     if (!dev->conf.blk) {
2457         /* Anonymous BlockBackend for an empty drive. As we put it into
2458          * dev->conf, qdev takes care of detaching on unplug. */
2459         dev->conf.blk = blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL);
2460         ret = blk_attach_dev(dev->conf.blk, &dev->qdev);
2461         assert(ret == 0);
2462     }
2463 
2464     ctx = blk_get_aio_context(dev->conf.blk);
2465     aio_context_acquire(ctx);
2466     s->qdev.blocksize = 2048;
2467     s->qdev.type = TYPE_ROM;
2468     s->features |= 1 << SCSI_DISK_F_REMOVABLE;
2469     if (!s->product) {
2470         s->product = g_strdup("QEMU CD-ROM");
2471     }
2472     scsi_realize(&s->qdev, errp);
2473     aio_context_release(ctx);
2474 }
2475 
2476 static void scsi_disk_realize(SCSIDevice *dev, Error **errp)
2477 {
2478     DriveInfo *dinfo;
2479     Error *local_err = NULL;
2480 
2481     warn_report("'scsi-disk' is deprecated, "
2482                 "please use 'scsi-hd' or 'scsi-cd' instead");
2483 
2484     if (!dev->conf.blk) {
2485         scsi_realize(dev, &local_err);
2486         assert(local_err);
2487         error_propagate(errp, local_err);
2488         return;
2489     }
2490 
2491     dinfo = blk_legacy_dinfo(dev->conf.blk);
2492     if (dinfo && dinfo->media_cd) {
2493         scsi_cd_realize(dev, errp);
2494     } else {
2495         scsi_hd_realize(dev, errp);
2496     }
2497 }
2498 
2499 static const SCSIReqOps scsi_disk_emulate_reqops = {
2500     .size         = sizeof(SCSIDiskReq),
2501     .free_req     = scsi_free_request,
2502     .send_command = scsi_disk_emulate_command,
2503     .read_data    = scsi_disk_emulate_read_data,
2504     .write_data   = scsi_disk_emulate_write_data,
2505     .get_buf      = scsi_get_buf,
2506 };
2507 
2508 static const SCSIReqOps scsi_disk_dma_reqops = {
2509     .size         = sizeof(SCSIDiskReq),
2510     .free_req     = scsi_free_request,
2511     .send_command = scsi_disk_dma_command,
2512     .read_data    = scsi_read_data,
2513     .write_data   = scsi_write_data,
2514     .get_buf      = scsi_get_buf,
2515     .load_request = scsi_disk_load_request,
2516     .save_request = scsi_disk_save_request,
2517 };
2518 
2519 static const SCSIReqOps *const scsi_disk_reqops_dispatch[256] = {
2520     [TEST_UNIT_READY]                 = &scsi_disk_emulate_reqops,
2521     [INQUIRY]                         = &scsi_disk_emulate_reqops,
2522     [MODE_SENSE]                      = &scsi_disk_emulate_reqops,
2523     [MODE_SENSE_10]                   = &scsi_disk_emulate_reqops,
2524     [START_STOP]                      = &scsi_disk_emulate_reqops,
2525     [ALLOW_MEDIUM_REMOVAL]            = &scsi_disk_emulate_reqops,
2526     [READ_CAPACITY_10]                = &scsi_disk_emulate_reqops,
2527     [READ_TOC]                        = &scsi_disk_emulate_reqops,
2528     [READ_DVD_STRUCTURE]              = &scsi_disk_emulate_reqops,
2529     [READ_DISC_INFORMATION]           = &scsi_disk_emulate_reqops,
2530     [GET_CONFIGURATION]               = &scsi_disk_emulate_reqops,
2531     [GET_EVENT_STATUS_NOTIFICATION]   = &scsi_disk_emulate_reqops,
2532     [MECHANISM_STATUS]                = &scsi_disk_emulate_reqops,
2533     [SERVICE_ACTION_IN_16]            = &scsi_disk_emulate_reqops,
2534     [REQUEST_SENSE]                   = &scsi_disk_emulate_reqops,
2535     [SYNCHRONIZE_CACHE]               = &scsi_disk_emulate_reqops,
2536     [SEEK_10]                         = &scsi_disk_emulate_reqops,
2537     [MODE_SELECT]                     = &scsi_disk_emulate_reqops,
2538     [MODE_SELECT_10]                  = &scsi_disk_emulate_reqops,
2539     [UNMAP]                           = &scsi_disk_emulate_reqops,
2540     [WRITE_SAME_10]                   = &scsi_disk_emulate_reqops,
2541     [WRITE_SAME_16]                   = &scsi_disk_emulate_reqops,
2542     [VERIFY_10]                       = &scsi_disk_emulate_reqops,
2543     [VERIFY_12]                       = &scsi_disk_emulate_reqops,
2544     [VERIFY_16]                       = &scsi_disk_emulate_reqops,
2545 
2546     [READ_6]                          = &scsi_disk_dma_reqops,
2547     [READ_10]                         = &scsi_disk_dma_reqops,
2548     [READ_12]                         = &scsi_disk_dma_reqops,
2549     [READ_16]                         = &scsi_disk_dma_reqops,
2550     [WRITE_6]                         = &scsi_disk_dma_reqops,
2551     [WRITE_10]                        = &scsi_disk_dma_reqops,
2552     [WRITE_12]                        = &scsi_disk_dma_reqops,
2553     [WRITE_16]                        = &scsi_disk_dma_reqops,
2554     [WRITE_VERIFY_10]                 = &scsi_disk_dma_reqops,
2555     [WRITE_VERIFY_12]                 = &scsi_disk_dma_reqops,
2556     [WRITE_VERIFY_16]                 = &scsi_disk_dma_reqops,
2557 };
2558 
2559 static void scsi_disk_new_request_dump(uint32_t lun, uint32_t tag, uint8_t *buf)
2560 {
2561     int i;
2562     int len = scsi_cdb_length(buf);
2563     char *line_buffer, *p;
2564 
2565     line_buffer = g_malloc(len * 5 + 1);
2566 
2567     for (i = 0, p = line_buffer; i < len; i++) {
2568         p += sprintf(p, " 0x%02x", buf[i]);
2569     }
2570     trace_scsi_disk_new_request(lun, tag, line_buffer);
2571 
2572     g_free(line_buffer);
2573 }
2574 
2575 static SCSIRequest *scsi_new_request(SCSIDevice *d, uint32_t tag, uint32_t lun,
2576                                      uint8_t *buf, void *hba_private)
2577 {
2578     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, d);
2579     SCSIRequest *req;
2580     const SCSIReqOps *ops;
2581     uint8_t command;
2582 
2583     command = buf[0];
2584     ops = scsi_disk_reqops_dispatch[command];
2585     if (!ops) {
2586         ops = &scsi_disk_emulate_reqops;
2587     }
2588     req = scsi_req_alloc(ops, &s->qdev, tag, lun, hba_private);
2589 
2590     if (trace_event_get_state_backends(TRACE_SCSI_DISK_NEW_REQUEST)) {
2591         scsi_disk_new_request_dump(lun, tag, buf);
2592     }
2593 
2594     return req;
2595 }
2596 
2597 #ifdef __linux__
2598 static int get_device_type(SCSIDiskState *s)
2599 {
2600     uint8_t cmd[16];
2601     uint8_t buf[36];
2602     int ret;
2603 
2604     memset(cmd, 0, sizeof(cmd));
2605     memset(buf, 0, sizeof(buf));
2606     cmd[0] = INQUIRY;
2607     cmd[4] = sizeof(buf);
2608 
2609     ret = scsi_SG_IO_FROM_DEV(s->qdev.conf.blk, cmd, sizeof(cmd),
2610                               buf, sizeof(buf));
2611     if (ret < 0) {
2612         return -1;
2613     }
2614     s->qdev.type = buf[0];
2615     if (buf[1] & 0x80) {
2616         s->features |= 1 << SCSI_DISK_F_REMOVABLE;
2617     }
2618     return 0;
2619 }
2620 
2621 static void scsi_block_realize(SCSIDevice *dev, Error **errp)
2622 {
2623     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2624     AioContext *ctx;
2625     int sg_version;
2626     int rc;
2627 
2628     if (!s->qdev.conf.blk) {
2629         error_setg(errp, "drive property not set");
2630         return;
2631     }
2632 
2633     if (s->rotation_rate) {
2634         error_report_once("rotation_rate is specified for scsi-block but is "
2635                           "not implemented. This option is deprecated and will "
2636                           "be removed in a future version");
2637     }
2638 
2639     ctx = blk_get_aio_context(s->qdev.conf.blk);
2640     aio_context_acquire(ctx);
2641 
2642     /* check we are using a driver managing SG_IO (version 3 and after) */
2643     rc = blk_ioctl(s->qdev.conf.blk, SG_GET_VERSION_NUM, &sg_version);
2644     if (rc < 0) {
2645         error_setg_errno(errp, -rc, "cannot get SG_IO version number");
2646         if (rc != -EPERM) {
2647             error_append_hint(errp, "Is this a SCSI device?\n");
2648         }
2649         goto out;
2650     }
2651     if (sg_version < 30000) {
2652         error_setg(errp, "scsi generic interface too old");
2653         goto out;
2654     }
2655 
2656     /* get device type from INQUIRY data */
2657     rc = get_device_type(s);
2658     if (rc < 0) {
2659         error_setg(errp, "INQUIRY failed");
2660         goto out;
2661     }
2662 
2663     /* Make a guess for the block size, we'll fix it when the guest sends.
2664      * READ CAPACITY.  If they don't, they likely would assume these sizes
2665      * anyway. (TODO: check in /sys).
2666      */
2667     if (s->qdev.type == TYPE_ROM || s->qdev.type == TYPE_WORM) {
2668         s->qdev.blocksize = 2048;
2669     } else {
2670         s->qdev.blocksize = 512;
2671     }
2672 
2673     /* Makes the scsi-block device not removable by using HMP and QMP eject
2674      * command.
2675      */
2676     s->features |= (1 << SCSI_DISK_F_NO_REMOVABLE_DEVOPS);
2677 
2678     scsi_realize(&s->qdev, errp);
2679     scsi_generic_read_device_inquiry(&s->qdev);
2680 
2681 out:
2682     aio_context_release(ctx);
2683 }
2684 
2685 typedef struct SCSIBlockReq {
2686     SCSIDiskReq req;
2687     sg_io_hdr_t io_header;
2688 
2689     /* Selected bytes of the original CDB, copied into our own CDB.  */
2690     uint8_t cmd, cdb1, group_number;
2691 
2692     /* CDB passed to SG_IO.  */
2693     uint8_t cdb[16];
2694 } SCSIBlockReq;
2695 
2696 static BlockAIOCB *scsi_block_do_sgio(SCSIBlockReq *req,
2697                                       int64_t offset, QEMUIOVector *iov,
2698                                       int direction,
2699                                       BlockCompletionFunc *cb, void *opaque)
2700 {
2701     sg_io_hdr_t *io_header = &req->io_header;
2702     SCSIDiskReq *r = &req->req;
2703     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
2704     int nb_logical_blocks;
2705     uint64_t lba;
2706     BlockAIOCB *aiocb;
2707 
2708     /* This is not supported yet.  It can only happen if the guest does
2709      * reads and writes that are not aligned to one logical sectors
2710      * _and_ cover multiple MemoryRegions.
2711      */
2712     assert(offset % s->qdev.blocksize == 0);
2713     assert(iov->size % s->qdev.blocksize == 0);
2714 
2715     io_header->interface_id = 'S';
2716 
2717     /* The data transfer comes from the QEMUIOVector.  */
2718     io_header->dxfer_direction = direction;
2719     io_header->dxfer_len = iov->size;
2720     io_header->dxferp = (void *)iov->iov;
2721     io_header->iovec_count = iov->niov;
2722     assert(io_header->iovec_count == iov->niov); /* no overflow! */
2723 
2724     /* Build a new CDB with the LBA and length patched in, in case
2725      * DMA helpers split the transfer in multiple segments.  Do not
2726      * build a CDB smaller than what the guest wanted, and only build
2727      * a larger one if strictly necessary.
2728      */
2729     io_header->cmdp = req->cdb;
2730     lba = offset / s->qdev.blocksize;
2731     nb_logical_blocks = io_header->dxfer_len / s->qdev.blocksize;
2732 
2733     if ((req->cmd >> 5) == 0 && lba <= 0x1ffff) {
2734         /* 6-byte CDB */
2735         stl_be_p(&req->cdb[0], lba | (req->cmd << 24));
2736         req->cdb[4] = nb_logical_blocks;
2737         req->cdb[5] = 0;
2738         io_header->cmd_len = 6;
2739     } else if ((req->cmd >> 5) <= 1 && lba <= 0xffffffffULL) {
2740         /* 10-byte CDB */
2741         req->cdb[0] = (req->cmd & 0x1f) | 0x20;
2742         req->cdb[1] = req->cdb1;
2743         stl_be_p(&req->cdb[2], lba);
2744         req->cdb[6] = req->group_number;
2745         stw_be_p(&req->cdb[7], nb_logical_blocks);
2746         req->cdb[9] = 0;
2747         io_header->cmd_len = 10;
2748     } else if ((req->cmd >> 5) != 4 && lba <= 0xffffffffULL) {
2749         /* 12-byte CDB */
2750         req->cdb[0] = (req->cmd & 0x1f) | 0xA0;
2751         req->cdb[1] = req->cdb1;
2752         stl_be_p(&req->cdb[2], lba);
2753         stl_be_p(&req->cdb[6], nb_logical_blocks);
2754         req->cdb[10] = req->group_number;
2755         req->cdb[11] = 0;
2756         io_header->cmd_len = 12;
2757     } else {
2758         /* 16-byte CDB */
2759         req->cdb[0] = (req->cmd & 0x1f) | 0x80;
2760         req->cdb[1] = req->cdb1;
2761         stq_be_p(&req->cdb[2], lba);
2762         stl_be_p(&req->cdb[10], nb_logical_blocks);
2763         req->cdb[14] = req->group_number;
2764         req->cdb[15] = 0;
2765         io_header->cmd_len = 16;
2766     }
2767 
2768     /* The rest is as in scsi-generic.c.  */
2769     io_header->mx_sb_len = sizeof(r->req.sense);
2770     io_header->sbp = r->req.sense;
2771     io_header->timeout = UINT_MAX;
2772     io_header->usr_ptr = r;
2773     io_header->flags |= SG_FLAG_DIRECT_IO;
2774 
2775     aiocb = blk_aio_ioctl(s->qdev.conf.blk, SG_IO, io_header, cb, opaque);
2776     assert(aiocb != NULL);
2777     return aiocb;
2778 }
2779 
2780 static bool scsi_block_no_fua(SCSICommand *cmd)
2781 {
2782     return false;
2783 }
2784 
2785 static BlockAIOCB *scsi_block_dma_readv(int64_t offset,
2786                                         QEMUIOVector *iov,
2787                                         BlockCompletionFunc *cb, void *cb_opaque,
2788                                         void *opaque)
2789 {
2790     SCSIBlockReq *r = opaque;
2791     return scsi_block_do_sgio(r, offset, iov,
2792                               SG_DXFER_FROM_DEV, cb, cb_opaque);
2793 }
2794 
2795 static BlockAIOCB *scsi_block_dma_writev(int64_t offset,
2796                                          QEMUIOVector *iov,
2797                                          BlockCompletionFunc *cb, void *cb_opaque,
2798                                          void *opaque)
2799 {
2800     SCSIBlockReq *r = opaque;
2801     return scsi_block_do_sgio(r, offset, iov,
2802                               SG_DXFER_TO_DEV, cb, cb_opaque);
2803 }
2804 
2805 static bool scsi_block_is_passthrough(SCSIDiskState *s, uint8_t *buf)
2806 {
2807     switch (buf[0]) {
2808     case VERIFY_10:
2809     case VERIFY_12:
2810     case VERIFY_16:
2811         /* Check if BYTCHK == 0x01 (data-out buffer contains data
2812          * for the number of logical blocks specified in the length
2813          * field).  For other modes, do not use scatter/gather operation.
2814          */
2815         if ((buf[1] & 6) == 2) {
2816             return false;
2817         }
2818         break;
2819 
2820     case READ_6:
2821     case READ_10:
2822     case READ_12:
2823     case READ_16:
2824     case WRITE_6:
2825     case WRITE_10:
2826     case WRITE_12:
2827     case WRITE_16:
2828     case WRITE_VERIFY_10:
2829     case WRITE_VERIFY_12:
2830     case WRITE_VERIFY_16:
2831         /* MMC writing cannot be done via DMA helpers, because it sometimes
2832          * involves writing beyond the maximum LBA or to negative LBA (lead-in).
2833          * We might use scsi_block_dma_reqops as long as no writing commands are
2834          * seen, but performance usually isn't paramount on optical media.  So,
2835          * just make scsi-block operate the same as scsi-generic for them.
2836          */
2837         if (s->qdev.type != TYPE_ROM) {
2838             return false;
2839         }
2840         break;
2841 
2842     default:
2843         break;
2844     }
2845 
2846     return true;
2847 }
2848 
2849 
2850 static int32_t scsi_block_dma_command(SCSIRequest *req, uint8_t *buf)
2851 {
2852     SCSIBlockReq *r = (SCSIBlockReq *)req;
2853     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
2854 
2855     r->cmd = req->cmd.buf[0];
2856     switch (r->cmd >> 5) {
2857     case 0:
2858         /* 6-byte CDB.  */
2859         r->cdb1 = r->group_number = 0;
2860         break;
2861     case 1:
2862         /* 10-byte CDB.  */
2863         r->cdb1 = req->cmd.buf[1];
2864         r->group_number = req->cmd.buf[6];
2865         break;
2866     case 4:
2867         /* 12-byte CDB.  */
2868         r->cdb1 = req->cmd.buf[1];
2869         r->group_number = req->cmd.buf[10];
2870         break;
2871     case 5:
2872         /* 16-byte CDB.  */
2873         r->cdb1 = req->cmd.buf[1];
2874         r->group_number = req->cmd.buf[14];
2875         break;
2876     default:
2877         abort();
2878     }
2879 
2880     /* Protection information is not supported.  For SCSI versions 2 and
2881      * older (as determined by snooping the guest's INQUIRY commands),
2882      * there is no RD/WR/VRPROTECT, so skip this check in these versions.
2883      */
2884     if (s->qdev.scsi_version > 2 && (req->cmd.buf[1] & 0xe0)) {
2885         scsi_check_condition(&r->req, SENSE_CODE(INVALID_FIELD));
2886         return 0;
2887     }
2888 
2889     r->req.status = &r->io_header.status;
2890     return scsi_disk_dma_command(req, buf);
2891 }
2892 
2893 static const SCSIReqOps scsi_block_dma_reqops = {
2894     .size         = sizeof(SCSIBlockReq),
2895     .free_req     = scsi_free_request,
2896     .send_command = scsi_block_dma_command,
2897     .read_data    = scsi_read_data,
2898     .write_data   = scsi_write_data,
2899     .get_buf      = scsi_get_buf,
2900     .load_request = scsi_disk_load_request,
2901     .save_request = scsi_disk_save_request,
2902 };
2903 
2904 static SCSIRequest *scsi_block_new_request(SCSIDevice *d, uint32_t tag,
2905                                            uint32_t lun, uint8_t *buf,
2906                                            void *hba_private)
2907 {
2908     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, d);
2909 
2910     if (scsi_block_is_passthrough(s, buf)) {
2911         return scsi_req_alloc(&scsi_generic_req_ops, &s->qdev, tag, lun,
2912                               hba_private);
2913     } else {
2914         return scsi_req_alloc(&scsi_block_dma_reqops, &s->qdev, tag, lun,
2915                               hba_private);
2916     }
2917 }
2918 
2919 static int scsi_block_parse_cdb(SCSIDevice *d, SCSICommand *cmd,
2920                                   uint8_t *buf, void *hba_private)
2921 {
2922     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, d);
2923 
2924     if (scsi_block_is_passthrough(s, buf)) {
2925         return scsi_bus_parse_cdb(&s->qdev, cmd, buf, hba_private);
2926     } else {
2927         return scsi_req_parse_cdb(&s->qdev, cmd, buf);
2928     }
2929 }
2930 
2931 static void scsi_block_update_sense(SCSIRequest *req)
2932 {
2933     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
2934     SCSIBlockReq *br = DO_UPCAST(SCSIBlockReq, req, r);
2935     r->req.sense_len = MIN(br->io_header.sb_len_wr, sizeof(r->req.sense));
2936 }
2937 #endif
2938 
2939 static
2940 BlockAIOCB *scsi_dma_readv(int64_t offset, QEMUIOVector *iov,
2941                            BlockCompletionFunc *cb, void *cb_opaque,
2942                            void *opaque)
2943 {
2944     SCSIDiskReq *r = opaque;
2945     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
2946     return blk_aio_preadv(s->qdev.conf.blk, offset, iov, 0, cb, cb_opaque);
2947 }
2948 
2949 static
2950 BlockAIOCB *scsi_dma_writev(int64_t offset, QEMUIOVector *iov,
2951                             BlockCompletionFunc *cb, void *cb_opaque,
2952                             void *opaque)
2953 {
2954     SCSIDiskReq *r = opaque;
2955     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
2956     return blk_aio_pwritev(s->qdev.conf.blk, offset, iov, 0, cb, cb_opaque);
2957 }
2958 
2959 static void scsi_disk_base_class_initfn(ObjectClass *klass, void *data)
2960 {
2961     DeviceClass *dc = DEVICE_CLASS(klass);
2962     SCSIDiskClass *sdc = SCSI_DISK_BASE_CLASS(klass);
2963 
2964     dc->fw_name = "disk";
2965     dc->reset = scsi_disk_reset;
2966     sdc->dma_readv = scsi_dma_readv;
2967     sdc->dma_writev = scsi_dma_writev;
2968     sdc->need_fua_emulation = scsi_is_cmd_fua;
2969 }
2970 
2971 static const TypeInfo scsi_disk_base_info = {
2972     .name          = TYPE_SCSI_DISK_BASE,
2973     .parent        = TYPE_SCSI_DEVICE,
2974     .class_init    = scsi_disk_base_class_initfn,
2975     .instance_size = sizeof(SCSIDiskState),
2976     .class_size    = sizeof(SCSIDiskClass),
2977     .abstract      = true,
2978 };
2979 
2980 #define DEFINE_SCSI_DISK_PROPERTIES()                                   \
2981     DEFINE_PROP_DRIVE_IOTHREAD("drive", SCSIDiskState, qdev.conf.blk),  \
2982     DEFINE_BLOCK_PROPERTIES_BASE(SCSIDiskState, qdev.conf),             \
2983     DEFINE_BLOCK_ERROR_PROPERTIES(SCSIDiskState, qdev.conf),            \
2984     DEFINE_PROP_STRING("ver", SCSIDiskState, version),                  \
2985     DEFINE_PROP_STRING("serial", SCSIDiskState, serial),                \
2986     DEFINE_PROP_STRING("vendor", SCSIDiskState, vendor),                \
2987     DEFINE_PROP_STRING("product", SCSIDiskState, product),              \
2988     DEFINE_PROP_STRING("device_id", SCSIDiskState, device_id)
2989 
2990 
2991 static Property scsi_hd_properties[] = {
2992     DEFINE_SCSI_DISK_PROPERTIES(),
2993     DEFINE_PROP_BIT("removable", SCSIDiskState, features,
2994                     SCSI_DISK_F_REMOVABLE, false),
2995     DEFINE_PROP_BIT("dpofua", SCSIDiskState, features,
2996                     SCSI_DISK_F_DPOFUA, false),
2997     DEFINE_PROP_UINT64("wwn", SCSIDiskState, qdev.wwn, 0),
2998     DEFINE_PROP_UINT64("port_wwn", SCSIDiskState, qdev.port_wwn, 0),
2999     DEFINE_PROP_UINT16("port_index", SCSIDiskState, port_index, 0),
3000     DEFINE_PROP_UINT64("max_unmap_size", SCSIDiskState, max_unmap_size,
3001                        DEFAULT_MAX_UNMAP_SIZE),
3002     DEFINE_PROP_UINT64("max_io_size", SCSIDiskState, max_io_size,
3003                        DEFAULT_MAX_IO_SIZE),
3004     DEFINE_PROP_UINT16("rotation_rate", SCSIDiskState, rotation_rate, 0),
3005     DEFINE_PROP_INT32("scsi_version", SCSIDiskState, qdev.default_scsi_version,
3006                       5),
3007     DEFINE_BLOCK_CHS_PROPERTIES(SCSIDiskState, qdev.conf),
3008     DEFINE_PROP_END_OF_LIST(),
3009 };
3010 
3011 static const VMStateDescription vmstate_scsi_disk_state = {
3012     .name = "scsi-disk",
3013     .version_id = 1,
3014     .minimum_version_id = 1,
3015     .fields = (VMStateField[]) {
3016         VMSTATE_SCSI_DEVICE(qdev, SCSIDiskState),
3017         VMSTATE_BOOL(media_changed, SCSIDiskState),
3018         VMSTATE_BOOL(media_event, SCSIDiskState),
3019         VMSTATE_BOOL(eject_request, SCSIDiskState),
3020         VMSTATE_BOOL(tray_open, SCSIDiskState),
3021         VMSTATE_BOOL(tray_locked, SCSIDiskState),
3022         VMSTATE_END_OF_LIST()
3023     }
3024 };
3025 
3026 static void scsi_hd_class_initfn(ObjectClass *klass, void *data)
3027 {
3028     DeviceClass *dc = DEVICE_CLASS(klass);
3029     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
3030 
3031     sc->realize      = scsi_hd_realize;
3032     sc->unrealize    = scsi_unrealize;
3033     sc->alloc_req    = scsi_new_request;
3034     sc->unit_attention_reported = scsi_disk_unit_attention_reported;
3035     dc->desc = "virtual SCSI disk";
3036     device_class_set_props(dc, scsi_hd_properties);
3037     dc->vmsd  = &vmstate_scsi_disk_state;
3038 }
3039 
3040 static const TypeInfo scsi_hd_info = {
3041     .name          = "scsi-hd",
3042     .parent        = TYPE_SCSI_DISK_BASE,
3043     .class_init    = scsi_hd_class_initfn,
3044 };
3045 
3046 static Property scsi_cd_properties[] = {
3047     DEFINE_SCSI_DISK_PROPERTIES(),
3048     DEFINE_PROP_UINT64("wwn", SCSIDiskState, qdev.wwn, 0),
3049     DEFINE_PROP_UINT64("port_wwn", SCSIDiskState, qdev.port_wwn, 0),
3050     DEFINE_PROP_UINT16("port_index", SCSIDiskState, port_index, 0),
3051     DEFINE_PROP_UINT64("max_io_size", SCSIDiskState, max_io_size,
3052                        DEFAULT_MAX_IO_SIZE),
3053     DEFINE_PROP_INT32("scsi_version", SCSIDiskState, qdev.default_scsi_version,
3054                       5),
3055     DEFINE_PROP_END_OF_LIST(),
3056 };
3057 
3058 static void scsi_cd_class_initfn(ObjectClass *klass, void *data)
3059 {
3060     DeviceClass *dc = DEVICE_CLASS(klass);
3061     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
3062 
3063     sc->realize      = scsi_cd_realize;
3064     sc->alloc_req    = scsi_new_request;
3065     sc->unit_attention_reported = scsi_disk_unit_attention_reported;
3066     dc->desc = "virtual SCSI CD-ROM";
3067     device_class_set_props(dc, scsi_cd_properties);
3068     dc->vmsd  = &vmstate_scsi_disk_state;
3069 }
3070 
3071 static const TypeInfo scsi_cd_info = {
3072     .name          = "scsi-cd",
3073     .parent        = TYPE_SCSI_DISK_BASE,
3074     .class_init    = scsi_cd_class_initfn,
3075 };
3076 
3077 #ifdef __linux__
3078 static Property scsi_block_properties[] = {
3079     DEFINE_BLOCK_ERROR_PROPERTIES(SCSIDiskState, qdev.conf),
3080     DEFINE_PROP_DRIVE("drive", SCSIDiskState, qdev.conf.blk),
3081     DEFINE_PROP_BOOL("share-rw", SCSIDiskState, qdev.conf.share_rw, false),
3082     DEFINE_PROP_UINT16("rotation_rate", SCSIDiskState, rotation_rate, 0),
3083     DEFINE_PROP_UINT64("max_unmap_size", SCSIDiskState, max_unmap_size,
3084                        DEFAULT_MAX_UNMAP_SIZE),
3085     DEFINE_PROP_UINT64("max_io_size", SCSIDiskState, max_io_size,
3086                        DEFAULT_MAX_IO_SIZE),
3087     DEFINE_PROP_INT32("scsi_version", SCSIDiskState, qdev.default_scsi_version,
3088                       -1),
3089     DEFINE_PROP_END_OF_LIST(),
3090 };
3091 
3092 static void scsi_block_class_initfn(ObjectClass *klass, void *data)
3093 {
3094     DeviceClass *dc = DEVICE_CLASS(klass);
3095     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
3096     SCSIDiskClass *sdc = SCSI_DISK_BASE_CLASS(klass);
3097 
3098     sc->realize      = scsi_block_realize;
3099     sc->alloc_req    = scsi_block_new_request;
3100     sc->parse_cdb    = scsi_block_parse_cdb;
3101     sdc->dma_readv   = scsi_block_dma_readv;
3102     sdc->dma_writev  = scsi_block_dma_writev;
3103     sdc->update_sense = scsi_block_update_sense;
3104     sdc->need_fua_emulation = scsi_block_no_fua;
3105     dc->desc = "SCSI block device passthrough";
3106     device_class_set_props(dc, scsi_block_properties);
3107     dc->vmsd  = &vmstate_scsi_disk_state;
3108 }
3109 
3110 static const TypeInfo scsi_block_info = {
3111     .name          = "scsi-block",
3112     .parent        = TYPE_SCSI_DISK_BASE,
3113     .class_init    = scsi_block_class_initfn,
3114 };
3115 #endif
3116 
3117 static Property scsi_disk_properties[] = {
3118     DEFINE_SCSI_DISK_PROPERTIES(),
3119     DEFINE_PROP_BIT("removable", SCSIDiskState, features,
3120                     SCSI_DISK_F_REMOVABLE, false),
3121     DEFINE_PROP_BIT("dpofua", SCSIDiskState, features,
3122                     SCSI_DISK_F_DPOFUA, false),
3123     DEFINE_PROP_UINT64("wwn", SCSIDiskState, qdev.wwn, 0),
3124     DEFINE_PROP_UINT64("port_wwn", SCSIDiskState, qdev.port_wwn, 0),
3125     DEFINE_PROP_UINT16("port_index", SCSIDiskState, port_index, 0),
3126     DEFINE_PROP_UINT64("max_unmap_size", SCSIDiskState, max_unmap_size,
3127                        DEFAULT_MAX_UNMAP_SIZE),
3128     DEFINE_PROP_UINT64("max_io_size", SCSIDiskState, max_io_size,
3129                        DEFAULT_MAX_IO_SIZE),
3130     DEFINE_PROP_INT32("scsi_version", SCSIDiskState, qdev.default_scsi_version,
3131                       5),
3132     DEFINE_PROP_END_OF_LIST(),
3133 };
3134 
3135 static void scsi_disk_class_initfn(ObjectClass *klass, void *data)
3136 {
3137     DeviceClass *dc = DEVICE_CLASS(klass);
3138     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
3139 
3140     sc->realize      = scsi_disk_realize;
3141     sc->alloc_req    = scsi_new_request;
3142     sc->unit_attention_reported = scsi_disk_unit_attention_reported;
3143     dc->fw_name = "disk";
3144     dc->desc = "virtual SCSI disk or CD-ROM (legacy)";
3145     dc->reset = scsi_disk_reset;
3146     device_class_set_props(dc, scsi_disk_properties);
3147     dc->vmsd  = &vmstate_scsi_disk_state;
3148 }
3149 
3150 static const TypeInfo scsi_disk_info = {
3151     .name          = "scsi-disk",
3152     .parent        = TYPE_SCSI_DISK_BASE,
3153     .class_init    = scsi_disk_class_initfn,
3154 };
3155 
3156 static void scsi_disk_register_types(void)
3157 {
3158     type_register_static(&scsi_disk_base_info);
3159     type_register_static(&scsi_hd_info);
3160     type_register_static(&scsi_cd_info);
3161 #ifdef __linux__
3162     type_register_static(&scsi_block_info);
3163 #endif
3164     type_register_static(&scsi_disk_info);
3165 }
3166 
3167 type_init(scsi_disk_register_types)
3168