xref: /openbmc/qemu/hw/scsi/scsi-disk.c (revision acb0ef58)
1 /*
2  * SCSI Device emulation
3  *
4  * Copyright (c) 2006 CodeSourcery.
5  * Based on code by Fabrice Bellard
6  *
7  * Written by Paul Brook
8  * Modifications:
9  *  2009-Dec-12 Artyom Tarasenko : implemented stamdard inquiry for the case
10  *                                 when the allocation length of CDB is smaller
11  *                                 than 36.
12  *  2009-Oct-13 Artyom Tarasenko : implemented the block descriptor in the
13  *                                 MODE SENSE response.
14  *
15  * This code is licensed under the LGPL.
16  *
17  * Note that this file only handles the SCSI architecture model and device
18  * commands.  Emulation of interface/link layer protocols is handled by
19  * the host adapter emulator.
20  */
21 
22 //#define DEBUG_SCSI
23 
24 #ifdef DEBUG_SCSI
25 #define DPRINTF(fmt, ...) \
26 do { printf("scsi-disk: " fmt , ## __VA_ARGS__); } while (0)
27 #else
28 #define DPRINTF(fmt, ...) do {} while(0)
29 #endif
30 
31 #include "qemu-common.h"
32 #include "qemu/error-report.h"
33 #include "hw/scsi/scsi.h"
34 #include "block/scsi.h"
35 #include "sysemu/sysemu.h"
36 #include "sysemu/blockdev.h"
37 #include "hw/block/block.h"
38 #include "sysemu/dma.h"
39 
40 #ifdef __linux
41 #include <scsi/sg.h>
42 #endif
43 
44 #define SCSI_WRITE_SAME_MAX         524288
45 #define SCSI_DMA_BUF_SIZE           131072
46 #define SCSI_MAX_INQUIRY_LEN        256
47 #define SCSI_MAX_MODE_LEN           256
48 
49 #define DEFAULT_DISCARD_GRANULARITY 4096
50 #define DEFAULT_MAX_UNMAP_SIZE      (1 << 30)   /* 1 GB */
51 
52 typedef struct SCSIDiskState SCSIDiskState;
53 
54 typedef struct SCSIDiskReq {
55     SCSIRequest req;
56     /* Both sector and sector_count are in terms of qemu 512 byte blocks.  */
57     uint64_t sector;
58     uint32_t sector_count;
59     uint32_t buflen;
60     bool started;
61     struct iovec iov;
62     QEMUIOVector qiov;
63     BlockAcctCookie acct;
64 } SCSIDiskReq;
65 
66 #define SCSI_DISK_F_REMOVABLE             0
67 #define SCSI_DISK_F_DPOFUA                1
68 #define SCSI_DISK_F_NO_REMOVABLE_DEVOPS   2
69 
70 struct SCSIDiskState
71 {
72     SCSIDevice qdev;
73     uint32_t features;
74     bool media_changed;
75     bool media_event;
76     bool eject_request;
77     uint64_t wwn;
78     uint64_t port_wwn;
79     uint16_t port_index;
80     uint64_t max_unmap_size;
81     QEMUBH *bh;
82     char *version;
83     char *serial;
84     char *vendor;
85     char *product;
86     bool tray_open;
87     bool tray_locked;
88 };
89 
90 static int scsi_handle_rw_error(SCSIDiskReq *r, int error);
91 
92 static void scsi_free_request(SCSIRequest *req)
93 {
94     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
95 
96     qemu_vfree(r->iov.iov_base);
97 }
98 
99 /* Helper function for command completion with sense.  */
100 static void scsi_check_condition(SCSIDiskReq *r, SCSISense sense)
101 {
102     DPRINTF("Command complete tag=0x%x sense=%d/%d/%d\n",
103             r->req.tag, sense.key, sense.asc, sense.ascq);
104     scsi_req_build_sense(&r->req, sense);
105     scsi_req_complete(&r->req, CHECK_CONDITION);
106 }
107 
108 /* Cancel a pending data transfer.  */
109 static void scsi_cancel_io(SCSIRequest *req)
110 {
111     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
112 
113     DPRINTF("Cancel tag=0x%x\n", req->tag);
114     if (r->req.aiocb) {
115         bdrv_aio_cancel(r->req.aiocb);
116 
117         /* This reference was left in by scsi_*_data.  We take ownership of
118          * it the moment scsi_req_cancel is called, independent of whether
119          * bdrv_aio_cancel completes the request or not.  */
120         scsi_req_unref(&r->req);
121     }
122     r->req.aiocb = NULL;
123 }
124 
125 static uint32_t scsi_init_iovec(SCSIDiskReq *r, size_t size)
126 {
127     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
128 
129     if (!r->iov.iov_base) {
130         r->buflen = size;
131         r->iov.iov_base = qemu_blockalign(s->qdev.conf.bs, r->buflen);
132     }
133     r->iov.iov_len = MIN(r->sector_count * 512, r->buflen);
134     qemu_iovec_init_external(&r->qiov, &r->iov, 1);
135     return r->qiov.size / 512;
136 }
137 
138 static void scsi_disk_save_request(QEMUFile *f, SCSIRequest *req)
139 {
140     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
141 
142     qemu_put_be64s(f, &r->sector);
143     qemu_put_be32s(f, &r->sector_count);
144     qemu_put_be32s(f, &r->buflen);
145     if (r->buflen) {
146         if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
147             qemu_put_buffer(f, r->iov.iov_base, r->iov.iov_len);
148         } else if (!req->retry) {
149             uint32_t len = r->iov.iov_len;
150             qemu_put_be32s(f, &len);
151             qemu_put_buffer(f, r->iov.iov_base, r->iov.iov_len);
152         }
153     }
154 }
155 
156 static void scsi_disk_load_request(QEMUFile *f, SCSIRequest *req)
157 {
158     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
159 
160     qemu_get_be64s(f, &r->sector);
161     qemu_get_be32s(f, &r->sector_count);
162     qemu_get_be32s(f, &r->buflen);
163     if (r->buflen) {
164         scsi_init_iovec(r, r->buflen);
165         if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
166             qemu_get_buffer(f, r->iov.iov_base, r->iov.iov_len);
167         } else if (!r->req.retry) {
168             uint32_t len;
169             qemu_get_be32s(f, &len);
170             r->iov.iov_len = len;
171             assert(r->iov.iov_len <= r->buflen);
172             qemu_get_buffer(f, r->iov.iov_base, r->iov.iov_len);
173         }
174     }
175 
176     qemu_iovec_init_external(&r->qiov, &r->iov, 1);
177 }
178 
179 static void scsi_aio_complete(void *opaque, int ret)
180 {
181     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
182     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
183 
184     assert(r->req.aiocb != NULL);
185     r->req.aiocb = NULL;
186     bdrv_acct_done(s->qdev.conf.bs, &r->acct);
187     if (r->req.io_canceled) {
188         goto done;
189     }
190 
191     if (ret < 0) {
192         if (scsi_handle_rw_error(r, -ret)) {
193             goto done;
194         }
195     }
196 
197     scsi_req_complete(&r->req, GOOD);
198 
199 done:
200     if (!r->req.io_canceled) {
201         scsi_req_unref(&r->req);
202     }
203 }
204 
205 static bool scsi_is_cmd_fua(SCSICommand *cmd)
206 {
207     switch (cmd->buf[0]) {
208     case READ_10:
209     case READ_12:
210     case READ_16:
211     case WRITE_10:
212     case WRITE_12:
213     case WRITE_16:
214         return (cmd->buf[1] & 8) != 0;
215 
216     case VERIFY_10:
217     case VERIFY_12:
218     case VERIFY_16:
219     case WRITE_VERIFY_10:
220     case WRITE_VERIFY_12:
221     case WRITE_VERIFY_16:
222         return true;
223 
224     case READ_6:
225     case WRITE_6:
226     default:
227         return false;
228     }
229 }
230 
231 static void scsi_write_do_fua(SCSIDiskReq *r)
232 {
233     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
234 
235     if (r->req.io_canceled) {
236         goto done;
237     }
238 
239     if (scsi_is_cmd_fua(&r->req.cmd)) {
240         bdrv_acct_start(s->qdev.conf.bs, &r->acct, 0, BDRV_ACCT_FLUSH);
241         r->req.aiocb = bdrv_aio_flush(s->qdev.conf.bs, scsi_aio_complete, r);
242         return;
243     }
244 
245     scsi_req_complete(&r->req, GOOD);
246 
247 done:
248     if (!r->req.io_canceled) {
249         scsi_req_unref(&r->req);
250     }
251 }
252 
253 static void scsi_dma_complete_noio(void *opaque, int ret)
254 {
255     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
256     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
257 
258     if (r->req.aiocb != NULL) {
259         r->req.aiocb = NULL;
260         bdrv_acct_done(s->qdev.conf.bs, &r->acct);
261     }
262     if (r->req.io_canceled) {
263         goto done;
264     }
265 
266     if (ret < 0) {
267         if (scsi_handle_rw_error(r, -ret)) {
268             goto done;
269         }
270     }
271 
272     r->sector += r->sector_count;
273     r->sector_count = 0;
274     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
275         scsi_write_do_fua(r);
276         return;
277     } else {
278         scsi_req_complete(&r->req, GOOD);
279     }
280 
281 done:
282     if (!r->req.io_canceled) {
283         scsi_req_unref(&r->req);
284     }
285 }
286 
287 static void scsi_dma_complete(void *opaque, int ret)
288 {
289     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
290 
291     assert(r->req.aiocb != NULL);
292     scsi_dma_complete_noio(opaque, ret);
293 }
294 
295 static void scsi_read_complete(void * opaque, int ret)
296 {
297     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
298     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
299     int n;
300 
301     assert(r->req.aiocb != NULL);
302     r->req.aiocb = NULL;
303     bdrv_acct_done(s->qdev.conf.bs, &r->acct);
304     if (r->req.io_canceled) {
305         goto done;
306     }
307 
308     if (ret < 0) {
309         if (scsi_handle_rw_error(r, -ret)) {
310             goto done;
311         }
312     }
313 
314     DPRINTF("Data ready tag=0x%x len=%zd\n", r->req.tag, r->qiov.size);
315 
316     n = r->qiov.size / 512;
317     r->sector += n;
318     r->sector_count -= n;
319     scsi_req_data(&r->req, r->qiov.size);
320 
321 done:
322     if (!r->req.io_canceled) {
323         scsi_req_unref(&r->req);
324     }
325 }
326 
327 /* Actually issue a read to the block device.  */
328 static void scsi_do_read(void *opaque, int ret)
329 {
330     SCSIDiskReq *r = opaque;
331     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
332     uint32_t n;
333 
334     if (r->req.aiocb != NULL) {
335         r->req.aiocb = NULL;
336         bdrv_acct_done(s->qdev.conf.bs, &r->acct);
337     }
338     if (r->req.io_canceled) {
339         goto done;
340     }
341 
342     if (ret < 0) {
343         if (scsi_handle_rw_error(r, -ret)) {
344             goto done;
345         }
346     }
347 
348     /* The request is used as the AIO opaque value, so add a ref.  */
349     scsi_req_ref(&r->req);
350 
351     if (r->req.sg) {
352         dma_acct_start(s->qdev.conf.bs, &r->acct, r->req.sg, BDRV_ACCT_READ);
353         r->req.resid -= r->req.sg->size;
354         r->req.aiocb = dma_bdrv_read(s->qdev.conf.bs, r->req.sg, r->sector,
355                                      scsi_dma_complete, r);
356     } else {
357         n = scsi_init_iovec(r, SCSI_DMA_BUF_SIZE);
358         bdrv_acct_start(s->qdev.conf.bs, &r->acct, n * BDRV_SECTOR_SIZE, BDRV_ACCT_READ);
359         r->req.aiocb = bdrv_aio_readv(s->qdev.conf.bs, r->sector, &r->qiov, n,
360                                       scsi_read_complete, r);
361     }
362 
363 done:
364     if (!r->req.io_canceled) {
365         scsi_req_unref(&r->req);
366     }
367 }
368 
369 /* Read more data from scsi device into buffer.  */
370 static void scsi_read_data(SCSIRequest *req)
371 {
372     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
373     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
374     bool first;
375 
376     DPRINTF("Read sector_count=%d\n", r->sector_count);
377     if (r->sector_count == 0) {
378         /* This also clears the sense buffer for REQUEST SENSE.  */
379         scsi_req_complete(&r->req, GOOD);
380         return;
381     }
382 
383     /* No data transfer may already be in progress */
384     assert(r->req.aiocb == NULL);
385 
386     /* The request is used as the AIO opaque value, so add a ref.  */
387     scsi_req_ref(&r->req);
388     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
389         DPRINTF("Data transfer direction invalid\n");
390         scsi_read_complete(r, -EINVAL);
391         return;
392     }
393 
394     if (s->tray_open) {
395         scsi_read_complete(r, -ENOMEDIUM);
396         return;
397     }
398 
399     first = !r->started;
400     r->started = true;
401     if (first && scsi_is_cmd_fua(&r->req.cmd)) {
402         bdrv_acct_start(s->qdev.conf.bs, &r->acct, 0, BDRV_ACCT_FLUSH);
403         r->req.aiocb = bdrv_aio_flush(s->qdev.conf.bs, scsi_do_read, r);
404     } else {
405         scsi_do_read(r, 0);
406     }
407 }
408 
409 /*
410  * scsi_handle_rw_error has two return values.  0 means that the error
411  * must be ignored, 1 means that the error has been processed and the
412  * caller should not do anything else for this request.  Note that
413  * scsi_handle_rw_error always manages its reference counts, independent
414  * of the return value.
415  */
416 static int scsi_handle_rw_error(SCSIDiskReq *r, int error)
417 {
418     bool is_read = (r->req.cmd.xfer == SCSI_XFER_FROM_DEV);
419     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
420     BlockErrorAction action = bdrv_get_error_action(s->qdev.conf.bs, is_read, error);
421 
422     if (action == BDRV_ACTION_REPORT) {
423         switch (error) {
424         case ENOMEDIUM:
425             scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
426             break;
427         case ENOMEM:
428             scsi_check_condition(r, SENSE_CODE(TARGET_FAILURE));
429             break;
430         case EINVAL:
431             scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
432             break;
433         case ENOSPC:
434             scsi_check_condition(r, SENSE_CODE(SPACE_ALLOC_FAILED));
435             break;
436         default:
437             scsi_check_condition(r, SENSE_CODE(IO_ERROR));
438             break;
439         }
440     }
441     bdrv_error_action(s->qdev.conf.bs, action, is_read, error);
442     if (action == BDRV_ACTION_STOP) {
443         scsi_req_retry(&r->req);
444     }
445     return action != BDRV_ACTION_IGNORE;
446 }
447 
448 static void scsi_write_complete(void * opaque, int ret)
449 {
450     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
451     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
452     uint32_t n;
453 
454     if (r->req.aiocb != NULL) {
455         r->req.aiocb = NULL;
456         bdrv_acct_done(s->qdev.conf.bs, &r->acct);
457     }
458     if (r->req.io_canceled) {
459         goto done;
460     }
461 
462     if (ret < 0) {
463         if (scsi_handle_rw_error(r, -ret)) {
464             goto done;
465         }
466     }
467 
468     n = r->qiov.size / 512;
469     r->sector += n;
470     r->sector_count -= n;
471     if (r->sector_count == 0) {
472         scsi_write_do_fua(r);
473         return;
474     } else {
475         scsi_init_iovec(r, SCSI_DMA_BUF_SIZE);
476         DPRINTF("Write complete tag=0x%x more=%zd\n", r->req.tag, r->qiov.size);
477         scsi_req_data(&r->req, r->qiov.size);
478     }
479 
480 done:
481     if (!r->req.io_canceled) {
482         scsi_req_unref(&r->req);
483     }
484 }
485 
486 static void scsi_write_data(SCSIRequest *req)
487 {
488     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
489     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
490     uint32_t n;
491 
492     /* No data transfer may already be in progress */
493     assert(r->req.aiocb == NULL);
494 
495     /* The request is used as the AIO opaque value, so add a ref.  */
496     scsi_req_ref(&r->req);
497     if (r->req.cmd.mode != SCSI_XFER_TO_DEV) {
498         DPRINTF("Data transfer direction invalid\n");
499         scsi_write_complete(r, -EINVAL);
500         return;
501     }
502 
503     if (!r->req.sg && !r->qiov.size) {
504         /* Called for the first time.  Ask the driver to send us more data.  */
505         r->started = true;
506         scsi_write_complete(r, 0);
507         return;
508     }
509     if (s->tray_open) {
510         scsi_write_complete(r, -ENOMEDIUM);
511         return;
512     }
513 
514     if (r->req.cmd.buf[0] == VERIFY_10 || r->req.cmd.buf[0] == VERIFY_12 ||
515         r->req.cmd.buf[0] == VERIFY_16) {
516         if (r->req.sg) {
517             scsi_dma_complete_noio(r, 0);
518         } else {
519             scsi_write_complete(r, 0);
520         }
521         return;
522     }
523 
524     if (r->req.sg) {
525         dma_acct_start(s->qdev.conf.bs, &r->acct, r->req.sg, BDRV_ACCT_WRITE);
526         r->req.resid -= r->req.sg->size;
527         r->req.aiocb = dma_bdrv_write(s->qdev.conf.bs, r->req.sg, r->sector,
528                                       scsi_dma_complete, r);
529     } else {
530         n = r->qiov.size / 512;
531         bdrv_acct_start(s->qdev.conf.bs, &r->acct, n * BDRV_SECTOR_SIZE, BDRV_ACCT_WRITE);
532         r->req.aiocb = bdrv_aio_writev(s->qdev.conf.bs, r->sector, &r->qiov, n,
533                                        scsi_write_complete, r);
534     }
535 }
536 
537 /* Return a pointer to the data buffer.  */
538 static uint8_t *scsi_get_buf(SCSIRequest *req)
539 {
540     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
541 
542     return (uint8_t *)r->iov.iov_base;
543 }
544 
545 static int scsi_disk_emulate_inquiry(SCSIRequest *req, uint8_t *outbuf)
546 {
547     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
548     int buflen = 0;
549     int start;
550 
551     if (req->cmd.buf[1] & 0x1) {
552         /* Vital product data */
553         uint8_t page_code = req->cmd.buf[2];
554 
555         outbuf[buflen++] = s->qdev.type & 0x1f;
556         outbuf[buflen++] = page_code ; // this page
557         outbuf[buflen++] = 0x00;
558         outbuf[buflen++] = 0x00;
559         start = buflen;
560 
561         switch (page_code) {
562         case 0x00: /* Supported page codes, mandatory */
563         {
564             DPRINTF("Inquiry EVPD[Supported pages] "
565                     "buffer size %zd\n", req->cmd.xfer);
566             outbuf[buflen++] = 0x00; // list of supported pages (this page)
567             if (s->serial) {
568                 outbuf[buflen++] = 0x80; // unit serial number
569             }
570             outbuf[buflen++] = 0x83; // device identification
571             if (s->qdev.type == TYPE_DISK) {
572                 outbuf[buflen++] = 0xb0; // block limits
573                 outbuf[buflen++] = 0xb2; // thin provisioning
574             }
575             break;
576         }
577         case 0x80: /* Device serial number, optional */
578         {
579             int l;
580 
581             if (!s->serial) {
582                 DPRINTF("Inquiry (EVPD[Serial number] not supported\n");
583                 return -1;
584             }
585 
586             l = strlen(s->serial);
587             if (l > 20) {
588                 l = 20;
589             }
590 
591             DPRINTF("Inquiry EVPD[Serial number] "
592                     "buffer size %zd\n", req->cmd.xfer);
593             memcpy(outbuf+buflen, s->serial, l);
594             buflen += l;
595             break;
596         }
597 
598         case 0x83: /* Device identification page, mandatory */
599         {
600             const char *str = s->serial ?: bdrv_get_device_name(s->qdev.conf.bs);
601             int max_len = s->serial ? 20 : 255 - 8;
602             int id_len = strlen(str);
603 
604             if (id_len > max_len) {
605                 id_len = max_len;
606             }
607             DPRINTF("Inquiry EVPD[Device identification] "
608                     "buffer size %zd\n", req->cmd.xfer);
609 
610             outbuf[buflen++] = 0x2; // ASCII
611             outbuf[buflen++] = 0;   // not officially assigned
612             outbuf[buflen++] = 0;   // reserved
613             outbuf[buflen++] = id_len; // length of data following
614             memcpy(outbuf+buflen, str, id_len);
615             buflen += id_len;
616 
617             if (s->wwn) {
618                 outbuf[buflen++] = 0x1; // Binary
619                 outbuf[buflen++] = 0x3; // NAA
620                 outbuf[buflen++] = 0;   // reserved
621                 outbuf[buflen++] = 8;
622                 stq_be_p(&outbuf[buflen], s->wwn);
623                 buflen += 8;
624             }
625 
626             if (s->port_wwn) {
627                 outbuf[buflen++] = 0x61; // SAS / Binary
628                 outbuf[buflen++] = 0x93; // PIV / Target port / NAA
629                 outbuf[buflen++] = 0;    // reserved
630                 outbuf[buflen++] = 8;
631                 stq_be_p(&outbuf[buflen], s->port_wwn);
632                 buflen += 8;
633             }
634 
635             if (s->port_index) {
636                 outbuf[buflen++] = 0x61; // SAS / Binary
637                 outbuf[buflen++] = 0x94; // PIV / Target port / relative target port
638                 outbuf[buflen++] = 0;    // reserved
639                 outbuf[buflen++] = 4;
640                 stw_be_p(&outbuf[buflen + 2], s->port_index);
641                 buflen += 4;
642             }
643             break;
644         }
645         case 0xb0: /* block limits */
646         {
647             unsigned int unmap_sectors =
648                     s->qdev.conf.discard_granularity / s->qdev.blocksize;
649             unsigned int min_io_size =
650                     s->qdev.conf.min_io_size / s->qdev.blocksize;
651             unsigned int opt_io_size =
652                     s->qdev.conf.opt_io_size / s->qdev.blocksize;
653             unsigned int max_unmap_sectors =
654                     s->max_unmap_size / s->qdev.blocksize;
655 
656             if (s->qdev.type == TYPE_ROM) {
657                 DPRINTF("Inquiry (EVPD[%02X] not supported for CDROM\n",
658                         page_code);
659                 return -1;
660             }
661             /* required VPD size with unmap support */
662             buflen = 0x40;
663             memset(outbuf + 4, 0, buflen - 4);
664 
665             outbuf[4] = 0x1; /* wsnz */
666 
667             /* optimal transfer length granularity */
668             outbuf[6] = (min_io_size >> 8) & 0xff;
669             outbuf[7] = min_io_size & 0xff;
670 
671             /* optimal transfer length */
672             outbuf[12] = (opt_io_size >> 24) & 0xff;
673             outbuf[13] = (opt_io_size >> 16) & 0xff;
674             outbuf[14] = (opt_io_size >> 8) & 0xff;
675             outbuf[15] = opt_io_size & 0xff;
676 
677             /* max unmap LBA count, default is 1GB */
678             outbuf[20] = (max_unmap_sectors >> 24) & 0xff;
679             outbuf[21] = (max_unmap_sectors >> 16) & 0xff;
680             outbuf[22] = (max_unmap_sectors >> 8) & 0xff;
681             outbuf[23] = max_unmap_sectors & 0xff;
682 
683             /* max unmap descriptors, 255 fit in 4 kb with an 8-byte header.  */
684             outbuf[24] = 0;
685             outbuf[25] = 0;
686             outbuf[26] = 0;
687             outbuf[27] = 255;
688 
689             /* optimal unmap granularity */
690             outbuf[28] = (unmap_sectors >> 24) & 0xff;
691             outbuf[29] = (unmap_sectors >> 16) & 0xff;
692             outbuf[30] = (unmap_sectors >> 8) & 0xff;
693             outbuf[31] = unmap_sectors & 0xff;
694             break;
695         }
696         case 0xb2: /* thin provisioning */
697         {
698             buflen = 8;
699             outbuf[4] = 0;
700             outbuf[5] = 0xe0; /* unmap & write_same 10/16 all supported */
701             outbuf[6] = s->qdev.conf.discard_granularity ? 2 : 1;
702             outbuf[7] = 0;
703             break;
704         }
705         default:
706             return -1;
707         }
708         /* done with EVPD */
709         assert(buflen - start <= 255);
710         outbuf[start - 1] = buflen - start;
711         return buflen;
712     }
713 
714     /* Standard INQUIRY data */
715     if (req->cmd.buf[2] != 0) {
716         return -1;
717     }
718 
719     /* PAGE CODE == 0 */
720     buflen = req->cmd.xfer;
721     if (buflen > SCSI_MAX_INQUIRY_LEN) {
722         buflen = SCSI_MAX_INQUIRY_LEN;
723     }
724 
725     outbuf[0] = s->qdev.type & 0x1f;
726     outbuf[1] = (s->features & (1 << SCSI_DISK_F_REMOVABLE)) ? 0x80 : 0;
727 
728     strpadcpy((char *) &outbuf[16], 16, s->product, ' ');
729     strpadcpy((char *) &outbuf[8], 8, s->vendor, ' ');
730 
731     memset(&outbuf[32], 0, 4);
732     memcpy(&outbuf[32], s->version, MIN(4, strlen(s->version)));
733     /*
734      * We claim conformance to SPC-3, which is required for guests
735      * to ask for modern features like READ CAPACITY(16) or the
736      * block characteristics VPD page by default.  Not all of SPC-3
737      * is actually implemented, but we're good enough.
738      */
739     outbuf[2] = 5;
740     outbuf[3] = 2 | 0x10; /* Format 2, HiSup */
741 
742     if (buflen > 36) {
743         outbuf[4] = buflen - 5; /* Additional Length = (Len - 1) - 4 */
744     } else {
745         /* If the allocation length of CDB is too small,
746                the additional length is not adjusted */
747         outbuf[4] = 36 - 5;
748     }
749 
750     /* Sync data transfer and TCQ.  */
751     outbuf[7] = 0x10 | (req->bus->info->tcq ? 0x02 : 0);
752     return buflen;
753 }
754 
755 static inline bool media_is_dvd(SCSIDiskState *s)
756 {
757     uint64_t nb_sectors;
758     if (s->qdev.type != TYPE_ROM) {
759         return false;
760     }
761     if (!bdrv_is_inserted(s->qdev.conf.bs)) {
762         return false;
763     }
764     bdrv_get_geometry(s->qdev.conf.bs, &nb_sectors);
765     return nb_sectors > CD_MAX_SECTORS;
766 }
767 
768 static inline bool media_is_cd(SCSIDiskState *s)
769 {
770     uint64_t nb_sectors;
771     if (s->qdev.type != TYPE_ROM) {
772         return false;
773     }
774     if (!bdrv_is_inserted(s->qdev.conf.bs)) {
775         return false;
776     }
777     bdrv_get_geometry(s->qdev.conf.bs, &nb_sectors);
778     return nb_sectors <= CD_MAX_SECTORS;
779 }
780 
781 static int scsi_read_disc_information(SCSIDiskState *s, SCSIDiskReq *r,
782                                       uint8_t *outbuf)
783 {
784     uint8_t type = r->req.cmd.buf[1] & 7;
785 
786     if (s->qdev.type != TYPE_ROM) {
787         return -1;
788     }
789 
790     /* Types 1/2 are only defined for Blu-Ray.  */
791     if (type != 0) {
792         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
793         return -1;
794     }
795 
796     memset(outbuf, 0, 34);
797     outbuf[1] = 32;
798     outbuf[2] = 0xe; /* last session complete, disc finalized */
799     outbuf[3] = 1;   /* first track on disc */
800     outbuf[4] = 1;   /* # of sessions */
801     outbuf[5] = 1;   /* first track of last session */
802     outbuf[6] = 1;   /* last track of last session */
803     outbuf[7] = 0x20; /* unrestricted use */
804     outbuf[8] = 0x00; /* CD-ROM or DVD-ROM */
805     /* 9-10-11: most significant byte corresponding bytes 4-5-6 */
806     /* 12-23: not meaningful for CD-ROM or DVD-ROM */
807     /* 24-31: disc bar code */
808     /* 32: disc application code */
809     /* 33: number of OPC tables */
810 
811     return 34;
812 }
813 
814 static int scsi_read_dvd_structure(SCSIDiskState *s, SCSIDiskReq *r,
815                                    uint8_t *outbuf)
816 {
817     static const int rds_caps_size[5] = {
818         [0] = 2048 + 4,
819         [1] = 4 + 4,
820         [3] = 188 + 4,
821         [4] = 2048 + 4,
822     };
823 
824     uint8_t media = r->req.cmd.buf[1];
825     uint8_t layer = r->req.cmd.buf[6];
826     uint8_t format = r->req.cmd.buf[7];
827     int size = -1;
828 
829     if (s->qdev.type != TYPE_ROM) {
830         return -1;
831     }
832     if (media != 0) {
833         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
834         return -1;
835     }
836 
837     if (format != 0xff) {
838         if (s->tray_open || !bdrv_is_inserted(s->qdev.conf.bs)) {
839             scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
840             return -1;
841         }
842         if (media_is_cd(s)) {
843             scsi_check_condition(r, SENSE_CODE(INCOMPATIBLE_FORMAT));
844             return -1;
845         }
846         if (format >= ARRAY_SIZE(rds_caps_size)) {
847             return -1;
848         }
849         size = rds_caps_size[format];
850         memset(outbuf, 0, size);
851     }
852 
853     switch (format) {
854     case 0x00: {
855         /* Physical format information */
856         uint64_t nb_sectors;
857         if (layer != 0) {
858             goto fail;
859         }
860         bdrv_get_geometry(s->qdev.conf.bs, &nb_sectors);
861 
862         outbuf[4] = 1;   /* DVD-ROM, part version 1 */
863         outbuf[5] = 0xf; /* 120mm disc, minimum rate unspecified */
864         outbuf[6] = 1;   /* one layer, read-only (per MMC-2 spec) */
865         outbuf[7] = 0;   /* default densities */
866 
867         stl_be_p(&outbuf[12], (nb_sectors >> 2) - 1); /* end sector */
868         stl_be_p(&outbuf[16], (nb_sectors >> 2) - 1); /* l0 end sector */
869         break;
870     }
871 
872     case 0x01: /* DVD copyright information, all zeros */
873         break;
874 
875     case 0x03: /* BCA information - invalid field for no BCA info */
876         return -1;
877 
878     case 0x04: /* DVD disc manufacturing information, all zeros */
879         break;
880 
881     case 0xff: { /* List capabilities */
882         int i;
883         size = 4;
884         for (i = 0; i < ARRAY_SIZE(rds_caps_size); i++) {
885             if (!rds_caps_size[i]) {
886                 continue;
887             }
888             outbuf[size] = i;
889             outbuf[size + 1] = 0x40; /* Not writable, readable */
890             stw_be_p(&outbuf[size + 2], rds_caps_size[i]);
891             size += 4;
892         }
893         break;
894      }
895 
896     default:
897         return -1;
898     }
899 
900     /* Size of buffer, not including 2 byte size field */
901     stw_be_p(outbuf, size - 2);
902     return size;
903 
904 fail:
905     return -1;
906 }
907 
908 static int scsi_event_status_media(SCSIDiskState *s, uint8_t *outbuf)
909 {
910     uint8_t event_code, media_status;
911 
912     media_status = 0;
913     if (s->tray_open) {
914         media_status = MS_TRAY_OPEN;
915     } else if (bdrv_is_inserted(s->qdev.conf.bs)) {
916         media_status = MS_MEDIA_PRESENT;
917     }
918 
919     /* Event notification descriptor */
920     event_code = MEC_NO_CHANGE;
921     if (media_status != MS_TRAY_OPEN) {
922         if (s->media_event) {
923             event_code = MEC_NEW_MEDIA;
924             s->media_event = false;
925         } else if (s->eject_request) {
926             event_code = MEC_EJECT_REQUESTED;
927             s->eject_request = false;
928         }
929     }
930 
931     outbuf[0] = event_code;
932     outbuf[1] = media_status;
933 
934     /* These fields are reserved, just clear them. */
935     outbuf[2] = 0;
936     outbuf[3] = 0;
937     return 4;
938 }
939 
940 static int scsi_get_event_status_notification(SCSIDiskState *s, SCSIDiskReq *r,
941                                               uint8_t *outbuf)
942 {
943     int size;
944     uint8_t *buf = r->req.cmd.buf;
945     uint8_t notification_class_request = buf[4];
946     if (s->qdev.type != TYPE_ROM) {
947         return -1;
948     }
949     if ((buf[1] & 1) == 0) {
950         /* asynchronous */
951         return -1;
952     }
953 
954     size = 4;
955     outbuf[0] = outbuf[1] = 0;
956     outbuf[3] = 1 << GESN_MEDIA; /* supported events */
957     if (notification_class_request & (1 << GESN_MEDIA)) {
958         outbuf[2] = GESN_MEDIA;
959         size += scsi_event_status_media(s, &outbuf[size]);
960     } else {
961         outbuf[2] = 0x80;
962     }
963     stw_be_p(outbuf, size - 4);
964     return size;
965 }
966 
967 static int scsi_get_configuration(SCSIDiskState *s, uint8_t *outbuf)
968 {
969     int current;
970 
971     if (s->qdev.type != TYPE_ROM) {
972         return -1;
973     }
974     current = media_is_dvd(s) ? MMC_PROFILE_DVD_ROM : MMC_PROFILE_CD_ROM;
975     memset(outbuf, 0, 40);
976     stl_be_p(&outbuf[0], 36); /* Bytes after the data length field */
977     stw_be_p(&outbuf[6], current);
978     /* outbuf[8] - outbuf[19]: Feature 0 - Profile list */
979     outbuf[10] = 0x03; /* persistent, current */
980     outbuf[11] = 8; /* two profiles */
981     stw_be_p(&outbuf[12], MMC_PROFILE_DVD_ROM);
982     outbuf[14] = (current == MMC_PROFILE_DVD_ROM);
983     stw_be_p(&outbuf[16], MMC_PROFILE_CD_ROM);
984     outbuf[18] = (current == MMC_PROFILE_CD_ROM);
985     /* outbuf[20] - outbuf[31]: Feature 1 - Core feature */
986     stw_be_p(&outbuf[20], 1);
987     outbuf[22] = 0x08 | 0x03; /* version 2, persistent, current */
988     outbuf[23] = 8;
989     stl_be_p(&outbuf[24], 1); /* SCSI */
990     outbuf[28] = 1; /* DBE = 1, mandatory */
991     /* outbuf[32] - outbuf[39]: Feature 3 - Removable media feature */
992     stw_be_p(&outbuf[32], 3);
993     outbuf[34] = 0x08 | 0x03; /* version 2, persistent, current */
994     outbuf[35] = 4;
995     outbuf[36] = 0x39; /* tray, load=1, eject=1, unlocked at powerup, lock=1 */
996     /* TODO: Random readable, CD read, DVD read, drive serial number,
997        power management */
998     return 40;
999 }
1000 
1001 static int scsi_emulate_mechanism_status(SCSIDiskState *s, uint8_t *outbuf)
1002 {
1003     if (s->qdev.type != TYPE_ROM) {
1004         return -1;
1005     }
1006     memset(outbuf, 0, 8);
1007     outbuf[5] = 1; /* CD-ROM */
1008     return 8;
1009 }
1010 
1011 static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf,
1012                            int page_control)
1013 {
1014     static const int mode_sense_valid[0x3f] = {
1015         [MODE_PAGE_HD_GEOMETRY]            = (1 << TYPE_DISK),
1016         [MODE_PAGE_FLEXIBLE_DISK_GEOMETRY] = (1 << TYPE_DISK),
1017         [MODE_PAGE_CACHING]                = (1 << TYPE_DISK) | (1 << TYPE_ROM),
1018         [MODE_PAGE_R_W_ERROR]              = (1 << TYPE_DISK) | (1 << TYPE_ROM),
1019         [MODE_PAGE_AUDIO_CTL]              = (1 << TYPE_ROM),
1020         [MODE_PAGE_CAPABILITIES]           = (1 << TYPE_ROM),
1021     };
1022 
1023     uint8_t *p = *p_outbuf + 2;
1024     int length;
1025 
1026     if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) {
1027         return -1;
1028     }
1029 
1030     /*
1031      * If Changeable Values are requested, a mask denoting those mode parameters
1032      * that are changeable shall be returned. As we currently don't support
1033      * parameter changes via MODE_SELECT all bits are returned set to zero.
1034      * The buffer was already menset to zero by the caller of this function.
1035      *
1036      * The offsets here are off by two compared to the descriptions in the
1037      * SCSI specs, because those include a 2-byte header.  This is unfortunate,
1038      * but it is done so that offsets are consistent within our implementation
1039      * of MODE SENSE and MODE SELECT.  MODE SELECT has to deal with both
1040      * 2-byte and 4-byte headers.
1041      */
1042     switch (page) {
1043     case MODE_PAGE_HD_GEOMETRY:
1044         length = 0x16;
1045         if (page_control == 1) { /* Changeable Values */
1046             break;
1047         }
1048         /* if a geometry hint is available, use it */
1049         p[0] = (s->qdev.conf.cyls >> 16) & 0xff;
1050         p[1] = (s->qdev.conf.cyls >> 8) & 0xff;
1051         p[2] = s->qdev.conf.cyls & 0xff;
1052         p[3] = s->qdev.conf.heads & 0xff;
1053         /* Write precomp start cylinder, disabled */
1054         p[4] = (s->qdev.conf.cyls >> 16) & 0xff;
1055         p[5] = (s->qdev.conf.cyls >> 8) & 0xff;
1056         p[6] = s->qdev.conf.cyls & 0xff;
1057         /* Reduced current start cylinder, disabled */
1058         p[7] = (s->qdev.conf.cyls >> 16) & 0xff;
1059         p[8] = (s->qdev.conf.cyls >> 8) & 0xff;
1060         p[9] = s->qdev.conf.cyls & 0xff;
1061         /* Device step rate [ns], 200ns */
1062         p[10] = 0;
1063         p[11] = 200;
1064         /* Landing zone cylinder */
1065         p[12] = 0xff;
1066         p[13] =  0xff;
1067         p[14] = 0xff;
1068         /* Medium rotation rate [rpm], 5400 rpm */
1069         p[18] = (5400 >> 8) & 0xff;
1070         p[19] = 5400 & 0xff;
1071         break;
1072 
1073     case MODE_PAGE_FLEXIBLE_DISK_GEOMETRY:
1074         length = 0x1e;
1075         if (page_control == 1) { /* Changeable Values */
1076             break;
1077         }
1078         /* Transfer rate [kbit/s], 5Mbit/s */
1079         p[0] = 5000 >> 8;
1080         p[1] = 5000 & 0xff;
1081         /* if a geometry hint is available, use it */
1082         p[2] = s->qdev.conf.heads & 0xff;
1083         p[3] = s->qdev.conf.secs & 0xff;
1084         p[4] = s->qdev.blocksize >> 8;
1085         p[6] = (s->qdev.conf.cyls >> 8) & 0xff;
1086         p[7] = s->qdev.conf.cyls & 0xff;
1087         /* Write precomp start cylinder, disabled */
1088         p[8] = (s->qdev.conf.cyls >> 8) & 0xff;
1089         p[9] = s->qdev.conf.cyls & 0xff;
1090         /* Reduced current start cylinder, disabled */
1091         p[10] = (s->qdev.conf.cyls >> 8) & 0xff;
1092         p[11] = s->qdev.conf.cyls & 0xff;
1093         /* Device step rate [100us], 100us */
1094         p[12] = 0;
1095         p[13] = 1;
1096         /* Device step pulse width [us], 1us */
1097         p[14] = 1;
1098         /* Device head settle delay [100us], 100us */
1099         p[15] = 0;
1100         p[16] = 1;
1101         /* Motor on delay [0.1s], 0.1s */
1102         p[17] = 1;
1103         /* Motor off delay [0.1s], 0.1s */
1104         p[18] = 1;
1105         /* Medium rotation rate [rpm], 5400 rpm */
1106         p[26] = (5400 >> 8) & 0xff;
1107         p[27] = 5400 & 0xff;
1108         break;
1109 
1110     case MODE_PAGE_CACHING:
1111         length = 0x12;
1112         if (page_control == 1 || /* Changeable Values */
1113             bdrv_enable_write_cache(s->qdev.conf.bs)) {
1114             p[0] = 4; /* WCE */
1115         }
1116         break;
1117 
1118     case MODE_PAGE_R_W_ERROR:
1119         length = 10;
1120         if (page_control == 1) { /* Changeable Values */
1121             break;
1122         }
1123         p[0] = 0x80; /* Automatic Write Reallocation Enabled */
1124         if (s->qdev.type == TYPE_ROM) {
1125             p[1] = 0x20; /* Read Retry Count */
1126         }
1127         break;
1128 
1129     case MODE_PAGE_AUDIO_CTL:
1130         length = 14;
1131         break;
1132 
1133     case MODE_PAGE_CAPABILITIES:
1134         length = 0x14;
1135         if (page_control == 1) { /* Changeable Values */
1136             break;
1137         }
1138 
1139         p[0] = 0x3b; /* CD-R & CD-RW read */
1140         p[1] = 0; /* Writing not supported */
1141         p[2] = 0x7f; /* Audio, composite, digital out,
1142                         mode 2 form 1&2, multi session */
1143         p[3] = 0xff; /* CD DA, DA accurate, RW supported,
1144                         RW corrected, C2 errors, ISRC,
1145                         UPC, Bar code */
1146         p[4] = 0x2d | (s->tray_locked ? 2 : 0);
1147         /* Locking supported, jumper present, eject, tray */
1148         p[5] = 0; /* no volume & mute control, no
1149                      changer */
1150         p[6] = (50 * 176) >> 8; /* 50x read speed */
1151         p[7] = (50 * 176) & 0xff;
1152         p[8] = 2 >> 8; /* Two volume levels */
1153         p[9] = 2 & 0xff;
1154         p[10] = 2048 >> 8; /* 2M buffer */
1155         p[11] = 2048 & 0xff;
1156         p[12] = (16 * 176) >> 8; /* 16x read speed current */
1157         p[13] = (16 * 176) & 0xff;
1158         p[16] = (16 * 176) >> 8; /* 16x write speed */
1159         p[17] = (16 * 176) & 0xff;
1160         p[18] = (16 * 176) >> 8; /* 16x write speed current */
1161         p[19] = (16 * 176) & 0xff;
1162         break;
1163 
1164     default:
1165         return -1;
1166     }
1167 
1168     assert(length < 256);
1169     (*p_outbuf)[0] = page;
1170     (*p_outbuf)[1] = length;
1171     *p_outbuf += length + 2;
1172     return length + 2;
1173 }
1174 
1175 static int scsi_disk_emulate_mode_sense(SCSIDiskReq *r, uint8_t *outbuf)
1176 {
1177     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1178     uint64_t nb_sectors;
1179     bool dbd;
1180     int page, buflen, ret, page_control;
1181     uint8_t *p;
1182     uint8_t dev_specific_param;
1183 
1184     dbd = (r->req.cmd.buf[1] & 0x8) != 0;
1185     page = r->req.cmd.buf[2] & 0x3f;
1186     page_control = (r->req.cmd.buf[2] & 0xc0) >> 6;
1187     DPRINTF("Mode Sense(%d) (page %d, xfer %zd, page_control %d)\n",
1188         (r->req.cmd.buf[0] == MODE_SENSE) ? 6 : 10, page, r->req.cmd.xfer, page_control);
1189     memset(outbuf, 0, r->req.cmd.xfer);
1190     p = outbuf;
1191 
1192     if (s->qdev.type == TYPE_DISK) {
1193         dev_specific_param = s->features & (1 << SCSI_DISK_F_DPOFUA) ? 0x10 : 0;
1194         if (bdrv_is_read_only(s->qdev.conf.bs)) {
1195             dev_specific_param |= 0x80; /* Readonly.  */
1196         }
1197     } else {
1198         /* MMC prescribes that CD/DVD drives have no block descriptors,
1199          * and defines no device-specific parameter.  */
1200         dev_specific_param = 0x00;
1201         dbd = true;
1202     }
1203 
1204     if (r->req.cmd.buf[0] == MODE_SENSE) {
1205         p[1] = 0; /* Default media type.  */
1206         p[2] = dev_specific_param;
1207         p[3] = 0; /* Block descriptor length.  */
1208         p += 4;
1209     } else { /* MODE_SENSE_10 */
1210         p[2] = 0; /* Default media type.  */
1211         p[3] = dev_specific_param;
1212         p[6] = p[7] = 0; /* Block descriptor length.  */
1213         p += 8;
1214     }
1215 
1216     bdrv_get_geometry(s->qdev.conf.bs, &nb_sectors);
1217     if (!dbd && nb_sectors) {
1218         if (r->req.cmd.buf[0] == MODE_SENSE) {
1219             outbuf[3] = 8; /* Block descriptor length  */
1220         } else { /* MODE_SENSE_10 */
1221             outbuf[7] = 8; /* Block descriptor length  */
1222         }
1223         nb_sectors /= (s->qdev.blocksize / 512);
1224         if (nb_sectors > 0xffffff) {
1225             nb_sectors = 0;
1226         }
1227         p[0] = 0; /* media density code */
1228         p[1] = (nb_sectors >> 16) & 0xff;
1229         p[2] = (nb_sectors >> 8) & 0xff;
1230         p[3] = nb_sectors & 0xff;
1231         p[4] = 0; /* reserved */
1232         p[5] = 0; /* bytes 5-7 are the sector size in bytes */
1233         p[6] = s->qdev.blocksize >> 8;
1234         p[7] = 0;
1235         p += 8;
1236     }
1237 
1238     if (page_control == 3) {
1239         /* Saved Values */
1240         scsi_check_condition(r, SENSE_CODE(SAVING_PARAMS_NOT_SUPPORTED));
1241         return -1;
1242     }
1243 
1244     if (page == 0x3f) {
1245         for (page = 0; page <= 0x3e; page++) {
1246             mode_sense_page(s, page, &p, page_control);
1247         }
1248     } else {
1249         ret = mode_sense_page(s, page, &p, page_control);
1250         if (ret == -1) {
1251             return -1;
1252         }
1253     }
1254 
1255     buflen = p - outbuf;
1256     /*
1257      * The mode data length field specifies the length in bytes of the
1258      * following data that is available to be transferred. The mode data
1259      * length does not include itself.
1260      */
1261     if (r->req.cmd.buf[0] == MODE_SENSE) {
1262         outbuf[0] = buflen - 1;
1263     } else { /* MODE_SENSE_10 */
1264         outbuf[0] = ((buflen - 2) >> 8) & 0xff;
1265         outbuf[1] = (buflen - 2) & 0xff;
1266     }
1267     return buflen;
1268 }
1269 
1270 static int scsi_disk_emulate_read_toc(SCSIRequest *req, uint8_t *outbuf)
1271 {
1272     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1273     int start_track, format, msf, toclen;
1274     uint64_t nb_sectors;
1275 
1276     msf = req->cmd.buf[1] & 2;
1277     format = req->cmd.buf[2] & 0xf;
1278     start_track = req->cmd.buf[6];
1279     bdrv_get_geometry(s->qdev.conf.bs, &nb_sectors);
1280     DPRINTF("Read TOC (track %d format %d msf %d)\n", start_track, format, msf >> 1);
1281     nb_sectors /= s->qdev.blocksize / 512;
1282     switch (format) {
1283     case 0:
1284         toclen = cdrom_read_toc(nb_sectors, outbuf, msf, start_track);
1285         break;
1286     case 1:
1287         /* multi session : only a single session defined */
1288         toclen = 12;
1289         memset(outbuf, 0, 12);
1290         outbuf[1] = 0x0a;
1291         outbuf[2] = 0x01;
1292         outbuf[3] = 0x01;
1293         break;
1294     case 2:
1295         toclen = cdrom_read_toc_raw(nb_sectors, outbuf, msf, start_track);
1296         break;
1297     default:
1298         return -1;
1299     }
1300     return toclen;
1301 }
1302 
1303 static int scsi_disk_emulate_start_stop(SCSIDiskReq *r)
1304 {
1305     SCSIRequest *req = &r->req;
1306     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1307     bool start = req->cmd.buf[4] & 1;
1308     bool loej = req->cmd.buf[4] & 2; /* load on start, eject on !start */
1309     int pwrcnd = req->cmd.buf[4] & 0xf0;
1310 
1311     if (pwrcnd) {
1312         /* eject/load only happens for power condition == 0 */
1313         return 0;
1314     }
1315 
1316     if ((s->features & (1 << SCSI_DISK_F_REMOVABLE)) && loej) {
1317         if (!start && !s->tray_open && s->tray_locked) {
1318             scsi_check_condition(r,
1319                                  bdrv_is_inserted(s->qdev.conf.bs)
1320                                  ? SENSE_CODE(ILLEGAL_REQ_REMOVAL_PREVENTED)
1321                                  : SENSE_CODE(NOT_READY_REMOVAL_PREVENTED));
1322             return -1;
1323         }
1324 
1325         if (s->tray_open != !start) {
1326             bdrv_eject(s->qdev.conf.bs, !start);
1327             s->tray_open = !start;
1328         }
1329     }
1330     return 0;
1331 }
1332 
1333 static void scsi_disk_emulate_read_data(SCSIRequest *req)
1334 {
1335     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
1336     int buflen = r->iov.iov_len;
1337 
1338     if (buflen) {
1339         DPRINTF("Read buf_len=%d\n", buflen);
1340         r->iov.iov_len = 0;
1341         r->started = true;
1342         scsi_req_data(&r->req, buflen);
1343         return;
1344     }
1345 
1346     /* This also clears the sense buffer for REQUEST SENSE.  */
1347     scsi_req_complete(&r->req, GOOD);
1348 }
1349 
1350 static int scsi_disk_check_mode_select(SCSIDiskState *s, int page,
1351                                        uint8_t *inbuf, int inlen)
1352 {
1353     uint8_t mode_current[SCSI_MAX_MODE_LEN];
1354     uint8_t mode_changeable[SCSI_MAX_MODE_LEN];
1355     uint8_t *p;
1356     int len, expected_len, changeable_len, i;
1357 
1358     /* The input buffer does not include the page header, so it is
1359      * off by 2 bytes.
1360      */
1361     expected_len = inlen + 2;
1362     if (expected_len > SCSI_MAX_MODE_LEN) {
1363         return -1;
1364     }
1365 
1366     p = mode_current;
1367     memset(mode_current, 0, inlen + 2);
1368     len = mode_sense_page(s, page, &p, 0);
1369     if (len < 0 || len != expected_len) {
1370         return -1;
1371     }
1372 
1373     p = mode_changeable;
1374     memset(mode_changeable, 0, inlen + 2);
1375     changeable_len = mode_sense_page(s, page, &p, 1);
1376     assert(changeable_len == len);
1377 
1378     /* Check that unchangeable bits are the same as what MODE SENSE
1379      * would return.
1380      */
1381     for (i = 2; i < len; i++) {
1382         if (((mode_current[i] ^ inbuf[i - 2]) & ~mode_changeable[i]) != 0) {
1383             return -1;
1384         }
1385     }
1386     return 0;
1387 }
1388 
1389 static void scsi_disk_apply_mode_select(SCSIDiskState *s, int page, uint8_t *p)
1390 {
1391     switch (page) {
1392     case MODE_PAGE_CACHING:
1393         bdrv_set_enable_write_cache(s->qdev.conf.bs, (p[0] & 4) != 0);
1394         break;
1395 
1396     default:
1397         break;
1398     }
1399 }
1400 
1401 static int mode_select_pages(SCSIDiskReq *r, uint8_t *p, int len, bool change)
1402 {
1403     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1404 
1405     while (len > 0) {
1406         int page, subpage, page_len;
1407 
1408         /* Parse both possible formats for the mode page headers.  */
1409         page = p[0] & 0x3f;
1410         if (p[0] & 0x40) {
1411             if (len < 4) {
1412                 goto invalid_param_len;
1413             }
1414             subpage = p[1];
1415             page_len = lduw_be_p(&p[2]);
1416             p += 4;
1417             len -= 4;
1418         } else {
1419             if (len < 2) {
1420                 goto invalid_param_len;
1421             }
1422             subpage = 0;
1423             page_len = p[1];
1424             p += 2;
1425             len -= 2;
1426         }
1427 
1428         if (subpage) {
1429             goto invalid_param;
1430         }
1431         if (page_len > len) {
1432             goto invalid_param_len;
1433         }
1434 
1435         if (!change) {
1436             if (scsi_disk_check_mode_select(s, page, p, page_len) < 0) {
1437                 goto invalid_param;
1438             }
1439         } else {
1440             scsi_disk_apply_mode_select(s, page, p);
1441         }
1442 
1443         p += page_len;
1444         len -= page_len;
1445     }
1446     return 0;
1447 
1448 invalid_param:
1449     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM));
1450     return -1;
1451 
1452 invalid_param_len:
1453     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM_LEN));
1454     return -1;
1455 }
1456 
1457 static void scsi_disk_emulate_mode_select(SCSIDiskReq *r, uint8_t *inbuf)
1458 {
1459     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1460     uint8_t *p = inbuf;
1461     int cmd = r->req.cmd.buf[0];
1462     int len = r->req.cmd.xfer;
1463     int hdr_len = (cmd == MODE_SELECT ? 4 : 8);
1464     int bd_len;
1465     int pass;
1466 
1467     /* We only support PF=1, SP=0.  */
1468     if ((r->req.cmd.buf[1] & 0x11) != 0x10) {
1469         goto invalid_field;
1470     }
1471 
1472     if (len < hdr_len) {
1473         goto invalid_param_len;
1474     }
1475 
1476     bd_len = (cmd == MODE_SELECT ? p[3] : lduw_be_p(&p[6]));
1477     len -= hdr_len;
1478     p += hdr_len;
1479     if (len < bd_len) {
1480         goto invalid_param_len;
1481     }
1482     if (bd_len != 0 && bd_len != 8) {
1483         goto invalid_param;
1484     }
1485 
1486     len -= bd_len;
1487     p += bd_len;
1488 
1489     /* Ensure no change is made if there is an error!  */
1490     for (pass = 0; pass < 2; pass++) {
1491         if (mode_select_pages(r, p, len, pass == 1) < 0) {
1492             assert(pass == 0);
1493             return;
1494         }
1495     }
1496     if (!bdrv_enable_write_cache(s->qdev.conf.bs)) {
1497         /* The request is used as the AIO opaque value, so add a ref.  */
1498         scsi_req_ref(&r->req);
1499         bdrv_acct_start(s->qdev.conf.bs, &r->acct, 0, BDRV_ACCT_FLUSH);
1500         r->req.aiocb = bdrv_aio_flush(s->qdev.conf.bs, scsi_aio_complete, r);
1501         return;
1502     }
1503 
1504     scsi_req_complete(&r->req, GOOD);
1505     return;
1506 
1507 invalid_param:
1508     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM));
1509     return;
1510 
1511 invalid_param_len:
1512     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM_LEN));
1513     return;
1514 
1515 invalid_field:
1516     scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1517 }
1518 
1519 static inline bool check_lba_range(SCSIDiskState *s,
1520                                    uint64_t sector_num, uint32_t nb_sectors)
1521 {
1522     /*
1523      * The first line tests that no overflow happens when computing the last
1524      * sector.  The second line tests that the last accessed sector is in
1525      * range.
1526      *
1527      * Careful, the computations should not underflow for nb_sectors == 0,
1528      * and a 0-block read to the first LBA beyond the end of device is
1529      * valid.
1530      */
1531     return (sector_num <= sector_num + nb_sectors &&
1532             sector_num + nb_sectors <= s->qdev.max_lba + 1);
1533 }
1534 
1535 typedef struct UnmapCBData {
1536     SCSIDiskReq *r;
1537     uint8_t *inbuf;
1538     int count;
1539 } UnmapCBData;
1540 
1541 static void scsi_unmap_complete(void *opaque, int ret)
1542 {
1543     UnmapCBData *data = opaque;
1544     SCSIDiskReq *r = data->r;
1545     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1546     uint64_t sector_num;
1547     uint32_t nb_sectors;
1548 
1549     r->req.aiocb = NULL;
1550     if (r->req.io_canceled) {
1551         goto done;
1552     }
1553 
1554     if (ret < 0) {
1555         if (scsi_handle_rw_error(r, -ret)) {
1556             goto done;
1557         }
1558     }
1559 
1560     if (data->count > 0) {
1561         sector_num = ldq_be_p(&data->inbuf[0]);
1562         nb_sectors = ldl_be_p(&data->inbuf[8]) & 0xffffffffULL;
1563         if (!check_lba_range(s, sector_num, nb_sectors)) {
1564             scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
1565             goto done;
1566         }
1567 
1568         r->req.aiocb = bdrv_aio_discard(s->qdev.conf.bs,
1569                                         sector_num * (s->qdev.blocksize / 512),
1570                                         nb_sectors * (s->qdev.blocksize / 512),
1571                                         scsi_unmap_complete, data);
1572         data->count--;
1573         data->inbuf += 16;
1574         return;
1575     }
1576 
1577     scsi_req_complete(&r->req, GOOD);
1578 
1579 done:
1580     if (!r->req.io_canceled) {
1581         scsi_req_unref(&r->req);
1582     }
1583     g_free(data);
1584 }
1585 
1586 static void scsi_disk_emulate_unmap(SCSIDiskReq *r, uint8_t *inbuf)
1587 {
1588     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1589     uint8_t *p = inbuf;
1590     int len = r->req.cmd.xfer;
1591     UnmapCBData *data;
1592 
1593     /* Reject ANCHOR=1.  */
1594     if (r->req.cmd.buf[1] & 0x1) {
1595         goto invalid_field;
1596     }
1597 
1598     if (len < 8) {
1599         goto invalid_param_len;
1600     }
1601     if (len < lduw_be_p(&p[0]) + 2) {
1602         goto invalid_param_len;
1603     }
1604     if (len < lduw_be_p(&p[2]) + 8) {
1605         goto invalid_param_len;
1606     }
1607     if (lduw_be_p(&p[2]) & 15) {
1608         goto invalid_param_len;
1609     }
1610 
1611     if (bdrv_is_read_only(s->qdev.conf.bs)) {
1612         scsi_check_condition(r, SENSE_CODE(WRITE_PROTECTED));
1613         return;
1614     }
1615 
1616     data = g_new0(UnmapCBData, 1);
1617     data->r = r;
1618     data->inbuf = &p[8];
1619     data->count = lduw_be_p(&p[2]) >> 4;
1620 
1621     /* The matching unref is in scsi_unmap_complete, before data is freed.  */
1622     scsi_req_ref(&r->req);
1623     scsi_unmap_complete(data, 0);
1624     return;
1625 
1626 invalid_param_len:
1627     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM_LEN));
1628     return;
1629 
1630 invalid_field:
1631     scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1632 }
1633 
1634 typedef struct WriteSameCBData {
1635     SCSIDiskReq *r;
1636     int64_t sector;
1637     int nb_sectors;
1638     QEMUIOVector qiov;
1639     struct iovec iov;
1640 } WriteSameCBData;
1641 
1642 static void scsi_write_same_complete(void *opaque, int ret)
1643 {
1644     WriteSameCBData *data = opaque;
1645     SCSIDiskReq *r = data->r;
1646     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1647 
1648     assert(r->req.aiocb != NULL);
1649     r->req.aiocb = NULL;
1650     bdrv_acct_done(s->qdev.conf.bs, &r->acct);
1651     if (r->req.io_canceled) {
1652         goto done;
1653     }
1654 
1655     if (ret < 0) {
1656         if (scsi_handle_rw_error(r, -ret)) {
1657             goto done;
1658         }
1659     }
1660 
1661     data->nb_sectors -= data->iov.iov_len / 512;
1662     data->sector += data->iov.iov_len / 512;
1663     data->iov.iov_len = MIN(data->nb_sectors * 512, data->iov.iov_len);
1664     if (data->iov.iov_len) {
1665         bdrv_acct_start(s->qdev.conf.bs, &r->acct, data->iov.iov_len, BDRV_ACCT_WRITE);
1666         r->req.aiocb = bdrv_aio_writev(s->qdev.conf.bs, data->sector,
1667                                        &data->qiov, data->iov.iov_len / 512,
1668                                        scsi_write_same_complete, data);
1669         return;
1670     }
1671 
1672     scsi_req_complete(&r->req, GOOD);
1673 
1674 done:
1675     if (!r->req.io_canceled) {
1676         scsi_req_unref(&r->req);
1677     }
1678     qemu_vfree(data->iov.iov_base);
1679     g_free(data);
1680 }
1681 
1682 static void scsi_disk_emulate_write_same(SCSIDiskReq *r, uint8_t *inbuf)
1683 {
1684     SCSIRequest *req = &r->req;
1685     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1686     uint32_t nb_sectors = scsi_data_cdb_length(r->req.cmd.buf);
1687     WriteSameCBData *data;
1688     uint8_t *buf;
1689     int i;
1690 
1691     /* Fail if PBDATA=1 or LBDATA=1 or ANCHOR=1.  */
1692     if (nb_sectors == 0 || (req->cmd.buf[1] & 0x16)) {
1693         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1694         return;
1695     }
1696 
1697     if (bdrv_is_read_only(s->qdev.conf.bs)) {
1698         scsi_check_condition(r, SENSE_CODE(WRITE_PROTECTED));
1699         return;
1700     }
1701     if (!check_lba_range(s, r->req.cmd.lba, nb_sectors)) {
1702         scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
1703         return;
1704     }
1705 
1706     if (buffer_is_zero(inbuf, s->qdev.blocksize)) {
1707         int flags = (req->cmd.buf[1] & 0x8) ? BDRV_REQ_MAY_UNMAP : 0;
1708 
1709         /* The request is used as the AIO opaque value, so add a ref.  */
1710         scsi_req_ref(&r->req);
1711         bdrv_acct_start(s->qdev.conf.bs, &r->acct, nb_sectors * s->qdev.blocksize,
1712                         BDRV_ACCT_WRITE);
1713         r->req.aiocb = bdrv_aio_write_zeroes(s->qdev.conf.bs,
1714                                              r->req.cmd.lba * (s->qdev.blocksize / 512),
1715                                              nb_sectors * (s->qdev.blocksize / 512),
1716                                              flags, scsi_aio_complete, r);
1717         return;
1718     }
1719 
1720     data = g_new0(WriteSameCBData, 1);
1721     data->r = r;
1722     data->sector = r->req.cmd.lba * (s->qdev.blocksize / 512);
1723     data->nb_sectors = nb_sectors * (s->qdev.blocksize / 512);
1724     data->iov.iov_len = MIN(data->nb_sectors * 512, SCSI_WRITE_SAME_MAX);
1725     data->iov.iov_base = buf = qemu_blockalign(s->qdev.conf.bs, data->iov.iov_len);
1726     qemu_iovec_init_external(&data->qiov, &data->iov, 1);
1727 
1728     for (i = 0; i < data->iov.iov_len; i += s->qdev.blocksize) {
1729         memcpy(&buf[i], inbuf, s->qdev.blocksize);
1730     }
1731 
1732     scsi_req_ref(&r->req);
1733     bdrv_acct_start(s->qdev.conf.bs, &r->acct, data->iov.iov_len, BDRV_ACCT_WRITE);
1734     r->req.aiocb = bdrv_aio_writev(s->qdev.conf.bs, data->sector,
1735                                    &data->qiov, data->iov.iov_len / 512,
1736                                    scsi_write_same_complete, data);
1737 }
1738 
1739 static void scsi_disk_emulate_write_data(SCSIRequest *req)
1740 {
1741     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
1742 
1743     if (r->iov.iov_len) {
1744         int buflen = r->iov.iov_len;
1745         DPRINTF("Write buf_len=%d\n", buflen);
1746         r->iov.iov_len = 0;
1747         scsi_req_data(&r->req, buflen);
1748         return;
1749     }
1750 
1751     switch (req->cmd.buf[0]) {
1752     case MODE_SELECT:
1753     case MODE_SELECT_10:
1754         /* This also clears the sense buffer for REQUEST SENSE.  */
1755         scsi_disk_emulate_mode_select(r, r->iov.iov_base);
1756         break;
1757 
1758     case UNMAP:
1759         scsi_disk_emulate_unmap(r, r->iov.iov_base);
1760         break;
1761 
1762     case VERIFY_10:
1763     case VERIFY_12:
1764     case VERIFY_16:
1765         if (r->req.status == -1) {
1766             scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1767         }
1768         break;
1769 
1770     case WRITE_SAME_10:
1771     case WRITE_SAME_16:
1772         scsi_disk_emulate_write_same(r, r->iov.iov_base);
1773         break;
1774 
1775     default:
1776         abort();
1777     }
1778 }
1779 
1780 static int32_t scsi_disk_emulate_command(SCSIRequest *req, uint8_t *buf)
1781 {
1782     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
1783     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1784     uint64_t nb_sectors;
1785     uint8_t *outbuf;
1786     int buflen;
1787 
1788     switch (req->cmd.buf[0]) {
1789     case INQUIRY:
1790     case MODE_SENSE:
1791     case MODE_SENSE_10:
1792     case RESERVE:
1793     case RESERVE_10:
1794     case RELEASE:
1795     case RELEASE_10:
1796     case START_STOP:
1797     case ALLOW_MEDIUM_REMOVAL:
1798     case GET_CONFIGURATION:
1799     case GET_EVENT_STATUS_NOTIFICATION:
1800     case MECHANISM_STATUS:
1801     case REQUEST_SENSE:
1802         break;
1803 
1804     default:
1805         if (s->tray_open || !bdrv_is_inserted(s->qdev.conf.bs)) {
1806             scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
1807             return 0;
1808         }
1809         break;
1810     }
1811 
1812     /*
1813      * FIXME: we shouldn't return anything bigger than 4k, but the code
1814      * requires the buffer to be as big as req->cmd.xfer in several
1815      * places.  So, do not allow CDBs with a very large ALLOCATION
1816      * LENGTH.  The real fix would be to modify scsi_read_data and
1817      * dma_buf_read, so that they return data beyond the buflen
1818      * as all zeros.
1819      */
1820     if (req->cmd.xfer > 65536) {
1821         goto illegal_request;
1822     }
1823     r->buflen = MAX(4096, req->cmd.xfer);
1824 
1825     if (!r->iov.iov_base) {
1826         r->iov.iov_base = qemu_blockalign(s->qdev.conf.bs, r->buflen);
1827     }
1828 
1829     buflen = req->cmd.xfer;
1830     outbuf = r->iov.iov_base;
1831     memset(outbuf, 0, r->buflen);
1832     switch (req->cmd.buf[0]) {
1833     case TEST_UNIT_READY:
1834         assert(!s->tray_open && bdrv_is_inserted(s->qdev.conf.bs));
1835         break;
1836     case INQUIRY:
1837         buflen = scsi_disk_emulate_inquiry(req, outbuf);
1838         if (buflen < 0) {
1839             goto illegal_request;
1840         }
1841         break;
1842     case MODE_SENSE:
1843     case MODE_SENSE_10:
1844         buflen = scsi_disk_emulate_mode_sense(r, outbuf);
1845         if (buflen < 0) {
1846             goto illegal_request;
1847         }
1848         break;
1849     case READ_TOC:
1850         buflen = scsi_disk_emulate_read_toc(req, outbuf);
1851         if (buflen < 0) {
1852             goto illegal_request;
1853         }
1854         break;
1855     case RESERVE:
1856         if (req->cmd.buf[1] & 1) {
1857             goto illegal_request;
1858         }
1859         break;
1860     case RESERVE_10:
1861         if (req->cmd.buf[1] & 3) {
1862             goto illegal_request;
1863         }
1864         break;
1865     case RELEASE:
1866         if (req->cmd.buf[1] & 1) {
1867             goto illegal_request;
1868         }
1869         break;
1870     case RELEASE_10:
1871         if (req->cmd.buf[1] & 3) {
1872             goto illegal_request;
1873         }
1874         break;
1875     case START_STOP:
1876         if (scsi_disk_emulate_start_stop(r) < 0) {
1877             return 0;
1878         }
1879         break;
1880     case ALLOW_MEDIUM_REMOVAL:
1881         s->tray_locked = req->cmd.buf[4] & 1;
1882         bdrv_lock_medium(s->qdev.conf.bs, req->cmd.buf[4] & 1);
1883         break;
1884     case READ_CAPACITY_10:
1885         /* The normal LEN field for this command is zero.  */
1886         memset(outbuf, 0, 8);
1887         bdrv_get_geometry(s->qdev.conf.bs, &nb_sectors);
1888         if (!nb_sectors) {
1889             scsi_check_condition(r, SENSE_CODE(LUN_NOT_READY));
1890             return 0;
1891         }
1892         if ((req->cmd.buf[8] & 1) == 0 && req->cmd.lba) {
1893             goto illegal_request;
1894         }
1895         nb_sectors /= s->qdev.blocksize / 512;
1896         /* Returned value is the address of the last sector.  */
1897         nb_sectors--;
1898         /* Remember the new size for read/write sanity checking. */
1899         s->qdev.max_lba = nb_sectors;
1900         /* Clip to 2TB, instead of returning capacity modulo 2TB. */
1901         if (nb_sectors > UINT32_MAX) {
1902             nb_sectors = UINT32_MAX;
1903         }
1904         outbuf[0] = (nb_sectors >> 24) & 0xff;
1905         outbuf[1] = (nb_sectors >> 16) & 0xff;
1906         outbuf[2] = (nb_sectors >> 8) & 0xff;
1907         outbuf[3] = nb_sectors & 0xff;
1908         outbuf[4] = 0;
1909         outbuf[5] = 0;
1910         outbuf[6] = s->qdev.blocksize >> 8;
1911         outbuf[7] = 0;
1912         break;
1913     case REQUEST_SENSE:
1914         /* Just return "NO SENSE".  */
1915         buflen = scsi_build_sense(NULL, 0, outbuf, r->buflen,
1916                                   (req->cmd.buf[1] & 1) == 0);
1917         if (buflen < 0) {
1918             goto illegal_request;
1919         }
1920         break;
1921     case MECHANISM_STATUS:
1922         buflen = scsi_emulate_mechanism_status(s, outbuf);
1923         if (buflen < 0) {
1924             goto illegal_request;
1925         }
1926         break;
1927     case GET_CONFIGURATION:
1928         buflen = scsi_get_configuration(s, outbuf);
1929         if (buflen < 0) {
1930             goto illegal_request;
1931         }
1932         break;
1933     case GET_EVENT_STATUS_NOTIFICATION:
1934         buflen = scsi_get_event_status_notification(s, r, outbuf);
1935         if (buflen < 0) {
1936             goto illegal_request;
1937         }
1938         break;
1939     case READ_DISC_INFORMATION:
1940         buflen = scsi_read_disc_information(s, r, outbuf);
1941         if (buflen < 0) {
1942             goto illegal_request;
1943         }
1944         break;
1945     case READ_DVD_STRUCTURE:
1946         buflen = scsi_read_dvd_structure(s, r, outbuf);
1947         if (buflen < 0) {
1948             goto illegal_request;
1949         }
1950         break;
1951     case SERVICE_ACTION_IN_16:
1952         /* Service Action In subcommands. */
1953         if ((req->cmd.buf[1] & 31) == SAI_READ_CAPACITY_16) {
1954             DPRINTF("SAI READ CAPACITY(16)\n");
1955             memset(outbuf, 0, req->cmd.xfer);
1956             bdrv_get_geometry(s->qdev.conf.bs, &nb_sectors);
1957             if (!nb_sectors) {
1958                 scsi_check_condition(r, SENSE_CODE(LUN_NOT_READY));
1959                 return 0;
1960             }
1961             if ((req->cmd.buf[14] & 1) == 0 && req->cmd.lba) {
1962                 goto illegal_request;
1963             }
1964             nb_sectors /= s->qdev.blocksize / 512;
1965             /* Returned value is the address of the last sector.  */
1966             nb_sectors--;
1967             /* Remember the new size for read/write sanity checking. */
1968             s->qdev.max_lba = nb_sectors;
1969             outbuf[0] = (nb_sectors >> 56) & 0xff;
1970             outbuf[1] = (nb_sectors >> 48) & 0xff;
1971             outbuf[2] = (nb_sectors >> 40) & 0xff;
1972             outbuf[3] = (nb_sectors >> 32) & 0xff;
1973             outbuf[4] = (nb_sectors >> 24) & 0xff;
1974             outbuf[5] = (nb_sectors >> 16) & 0xff;
1975             outbuf[6] = (nb_sectors >> 8) & 0xff;
1976             outbuf[7] = nb_sectors & 0xff;
1977             outbuf[8] = 0;
1978             outbuf[9] = 0;
1979             outbuf[10] = s->qdev.blocksize >> 8;
1980             outbuf[11] = 0;
1981             outbuf[12] = 0;
1982             outbuf[13] = get_physical_block_exp(&s->qdev.conf);
1983 
1984             /* set TPE bit if the format supports discard */
1985             if (s->qdev.conf.discard_granularity) {
1986                 outbuf[14] = 0x80;
1987             }
1988 
1989             /* Protection, exponent and lowest lba field left blank. */
1990             break;
1991         }
1992         DPRINTF("Unsupported Service Action In\n");
1993         goto illegal_request;
1994     case SYNCHRONIZE_CACHE:
1995         /* The request is used as the AIO opaque value, so add a ref.  */
1996         scsi_req_ref(&r->req);
1997         bdrv_acct_start(s->qdev.conf.bs, &r->acct, 0, BDRV_ACCT_FLUSH);
1998         r->req.aiocb = bdrv_aio_flush(s->qdev.conf.bs, scsi_aio_complete, r);
1999         return 0;
2000     case SEEK_10:
2001         DPRINTF("Seek(10) (sector %" PRId64 ")\n", r->req.cmd.lba);
2002         if (r->req.cmd.lba > s->qdev.max_lba) {
2003             goto illegal_lba;
2004         }
2005         break;
2006     case MODE_SELECT:
2007         DPRINTF("Mode Select(6) (len %lu)\n", (long)r->req.cmd.xfer);
2008         break;
2009     case MODE_SELECT_10:
2010         DPRINTF("Mode Select(10) (len %lu)\n", (long)r->req.cmd.xfer);
2011         break;
2012     case UNMAP:
2013         DPRINTF("Unmap (len %lu)\n", (long)r->req.cmd.xfer);
2014         break;
2015     case VERIFY_10:
2016     case VERIFY_12:
2017     case VERIFY_16:
2018         DPRINTF("Verify (bytchk %lu)\n", (r->req.buf[1] >> 1) & 3);
2019         if (req->cmd.buf[1] & 6) {
2020             goto illegal_request;
2021         }
2022         break;
2023     case WRITE_SAME_10:
2024     case WRITE_SAME_16:
2025         DPRINTF("WRITE SAME %d (len %lu)\n",
2026                 req->cmd.buf[0] == WRITE_SAME_10 ? 10 : 16,
2027                 (long)r->req.cmd.xfer);
2028         break;
2029     default:
2030         DPRINTF("Unknown SCSI command (%2.2x)\n", buf[0]);
2031         scsi_check_condition(r, SENSE_CODE(INVALID_OPCODE));
2032         return 0;
2033     }
2034     assert(!r->req.aiocb);
2035     r->iov.iov_len = MIN(r->buflen, req->cmd.xfer);
2036     if (r->iov.iov_len == 0) {
2037         scsi_req_complete(&r->req, GOOD);
2038     }
2039     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
2040         assert(r->iov.iov_len == req->cmd.xfer);
2041         return -r->iov.iov_len;
2042     } else {
2043         return r->iov.iov_len;
2044     }
2045 
2046 illegal_request:
2047     if (r->req.status == -1) {
2048         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
2049     }
2050     return 0;
2051 
2052 illegal_lba:
2053     scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
2054     return 0;
2055 }
2056 
2057 /* Execute a scsi command.  Returns the length of the data expected by the
2058    command.  This will be Positive for data transfers from the device
2059    (eg. disk reads), negative for transfers to the device (eg. disk writes),
2060    and zero if the command does not transfer any data.  */
2061 
2062 static int32_t scsi_disk_dma_command(SCSIRequest *req, uint8_t *buf)
2063 {
2064     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
2065     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
2066     uint32_t len;
2067     uint8_t command;
2068 
2069     command = buf[0];
2070 
2071     if (s->tray_open || !bdrv_is_inserted(s->qdev.conf.bs)) {
2072         scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
2073         return 0;
2074     }
2075 
2076     len = scsi_data_cdb_length(r->req.cmd.buf);
2077     switch (command) {
2078     case READ_6:
2079     case READ_10:
2080     case READ_12:
2081     case READ_16:
2082         DPRINTF("Read (sector %" PRId64 ", count %u)\n", r->req.cmd.lba, len);
2083         if (r->req.cmd.buf[1] & 0xe0) {
2084             goto illegal_request;
2085         }
2086         if (!check_lba_range(s, r->req.cmd.lba, len)) {
2087             goto illegal_lba;
2088         }
2089         r->sector = r->req.cmd.lba * (s->qdev.blocksize / 512);
2090         r->sector_count = len * (s->qdev.blocksize / 512);
2091         break;
2092     case WRITE_6:
2093     case WRITE_10:
2094     case WRITE_12:
2095     case WRITE_16:
2096     case WRITE_VERIFY_10:
2097     case WRITE_VERIFY_12:
2098     case WRITE_VERIFY_16:
2099         if (bdrv_is_read_only(s->qdev.conf.bs)) {
2100             scsi_check_condition(r, SENSE_CODE(WRITE_PROTECTED));
2101             return 0;
2102         }
2103         DPRINTF("Write %s(sector %" PRId64 ", count %u)\n",
2104                 (command & 0xe) == 0xe ? "And Verify " : "",
2105                 r->req.cmd.lba, len);
2106         if (r->req.cmd.buf[1] & 0xe0) {
2107             goto illegal_request;
2108         }
2109         if (!check_lba_range(s, r->req.cmd.lba, len)) {
2110             goto illegal_lba;
2111         }
2112         r->sector = r->req.cmd.lba * (s->qdev.blocksize / 512);
2113         r->sector_count = len * (s->qdev.blocksize / 512);
2114         break;
2115     default:
2116         abort();
2117     illegal_request:
2118         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
2119         return 0;
2120     illegal_lba:
2121         scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
2122         return 0;
2123     }
2124     if (r->sector_count == 0) {
2125         scsi_req_complete(&r->req, GOOD);
2126     }
2127     assert(r->iov.iov_len == 0);
2128     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
2129         return -r->sector_count * 512;
2130     } else {
2131         return r->sector_count * 512;
2132     }
2133 }
2134 
2135 static void scsi_disk_reset(DeviceState *dev)
2136 {
2137     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev.qdev, dev);
2138     uint64_t nb_sectors;
2139 
2140     scsi_device_purge_requests(&s->qdev, SENSE_CODE(RESET));
2141 
2142     bdrv_get_geometry(s->qdev.conf.bs, &nb_sectors);
2143     nb_sectors /= s->qdev.blocksize / 512;
2144     if (nb_sectors) {
2145         nb_sectors--;
2146     }
2147     s->qdev.max_lba = nb_sectors;
2148     /* reset tray statuses */
2149     s->tray_locked = 0;
2150     s->tray_open = 0;
2151 }
2152 
2153 static void scsi_destroy(SCSIDevice *dev)
2154 {
2155     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2156 
2157     scsi_device_purge_requests(&s->qdev, SENSE_CODE(NO_SENSE));
2158     blockdev_mark_auto_del(s->qdev.conf.bs);
2159 }
2160 
2161 static void scsi_disk_resize_cb(void *opaque)
2162 {
2163     SCSIDiskState *s = opaque;
2164 
2165     /* SPC lists this sense code as available only for
2166      * direct-access devices.
2167      */
2168     if (s->qdev.type == TYPE_DISK) {
2169         scsi_device_report_change(&s->qdev, SENSE_CODE(CAPACITY_CHANGED));
2170     }
2171 }
2172 
2173 static void scsi_cd_change_media_cb(void *opaque, bool load)
2174 {
2175     SCSIDiskState *s = opaque;
2176 
2177     /*
2178      * When a CD gets changed, we have to report an ejected state and
2179      * then a loaded state to guests so that they detect tray
2180      * open/close and media change events.  Guests that do not use
2181      * GET_EVENT_STATUS_NOTIFICATION to detect such tray open/close
2182      * states rely on this behavior.
2183      *
2184      * media_changed governs the state machine used for unit attention
2185      * report.  media_event is used by GET EVENT STATUS NOTIFICATION.
2186      */
2187     s->media_changed = load;
2188     s->tray_open = !load;
2189     scsi_device_set_ua(&s->qdev, SENSE_CODE(UNIT_ATTENTION_NO_MEDIUM));
2190     s->media_event = true;
2191     s->eject_request = false;
2192 }
2193 
2194 static void scsi_cd_eject_request_cb(void *opaque, bool force)
2195 {
2196     SCSIDiskState *s = opaque;
2197 
2198     s->eject_request = true;
2199     if (force) {
2200         s->tray_locked = false;
2201     }
2202 }
2203 
2204 static bool scsi_cd_is_tray_open(void *opaque)
2205 {
2206     return ((SCSIDiskState *)opaque)->tray_open;
2207 }
2208 
2209 static bool scsi_cd_is_medium_locked(void *opaque)
2210 {
2211     return ((SCSIDiskState *)opaque)->tray_locked;
2212 }
2213 
2214 static const BlockDevOps scsi_disk_removable_block_ops = {
2215     .change_media_cb = scsi_cd_change_media_cb,
2216     .eject_request_cb = scsi_cd_eject_request_cb,
2217     .is_tray_open = scsi_cd_is_tray_open,
2218     .is_medium_locked = scsi_cd_is_medium_locked,
2219 
2220     .resize_cb = scsi_disk_resize_cb,
2221 };
2222 
2223 static const BlockDevOps scsi_disk_block_ops = {
2224     .resize_cb = scsi_disk_resize_cb,
2225 };
2226 
2227 static void scsi_disk_unit_attention_reported(SCSIDevice *dev)
2228 {
2229     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2230     if (s->media_changed) {
2231         s->media_changed = false;
2232         scsi_device_set_ua(&s->qdev, SENSE_CODE(MEDIUM_CHANGED));
2233     }
2234 }
2235 
2236 static int scsi_initfn(SCSIDevice *dev)
2237 {
2238     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2239 
2240     if (!s->qdev.conf.bs) {
2241         error_report("drive property not set");
2242         return -1;
2243     }
2244 
2245     if (!(s->features & (1 << SCSI_DISK_F_REMOVABLE)) &&
2246         !bdrv_is_inserted(s->qdev.conf.bs)) {
2247         error_report("Device needs media, but drive is empty");
2248         return -1;
2249     }
2250 
2251     blkconf_serial(&s->qdev.conf, &s->serial);
2252     if (dev->type == TYPE_DISK
2253         && blkconf_geometry(&dev->conf, NULL, 65535, 255, 255) < 0) {
2254         return -1;
2255     }
2256 
2257     if (s->qdev.conf.discard_granularity == -1) {
2258         s->qdev.conf.discard_granularity =
2259             MAX(s->qdev.conf.logical_block_size, DEFAULT_DISCARD_GRANULARITY);
2260     }
2261 
2262     if (!s->version) {
2263         s->version = g_strdup(qemu_get_version());
2264     }
2265     if (!s->vendor) {
2266         s->vendor = g_strdup("QEMU");
2267     }
2268 
2269     if (bdrv_is_sg(s->qdev.conf.bs)) {
2270         error_report("unwanted /dev/sg*");
2271         return -1;
2272     }
2273 
2274     if ((s->features & (1 << SCSI_DISK_F_REMOVABLE)) &&
2275             !(s->features & (1 << SCSI_DISK_F_NO_REMOVABLE_DEVOPS))) {
2276         bdrv_set_dev_ops(s->qdev.conf.bs, &scsi_disk_removable_block_ops, s);
2277     } else {
2278         bdrv_set_dev_ops(s->qdev.conf.bs, &scsi_disk_block_ops, s);
2279     }
2280     bdrv_set_guest_block_size(s->qdev.conf.bs, s->qdev.blocksize);
2281 
2282     bdrv_iostatus_enable(s->qdev.conf.bs);
2283     add_boot_device_path(s->qdev.conf.bootindex, &dev->qdev, NULL);
2284     return 0;
2285 }
2286 
2287 static int scsi_hd_initfn(SCSIDevice *dev)
2288 {
2289     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2290     s->qdev.blocksize = s->qdev.conf.logical_block_size;
2291     s->qdev.type = TYPE_DISK;
2292     if (!s->product) {
2293         s->product = g_strdup("QEMU HARDDISK");
2294     }
2295     return scsi_initfn(&s->qdev);
2296 }
2297 
2298 static int scsi_cd_initfn(SCSIDevice *dev)
2299 {
2300     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2301     s->qdev.blocksize = 2048;
2302     s->qdev.type = TYPE_ROM;
2303     s->features |= 1 << SCSI_DISK_F_REMOVABLE;
2304     if (!s->product) {
2305         s->product = g_strdup("QEMU CD-ROM");
2306     }
2307     return scsi_initfn(&s->qdev);
2308 }
2309 
2310 static int scsi_disk_initfn(SCSIDevice *dev)
2311 {
2312     DriveInfo *dinfo;
2313 
2314     if (!dev->conf.bs) {
2315         return scsi_initfn(dev);  /* ... and die there */
2316     }
2317 
2318     dinfo = drive_get_by_blockdev(dev->conf.bs);
2319     if (dinfo->media_cd) {
2320         return scsi_cd_initfn(dev);
2321     } else {
2322         return scsi_hd_initfn(dev);
2323     }
2324 }
2325 
2326 static const SCSIReqOps scsi_disk_emulate_reqops = {
2327     .size         = sizeof(SCSIDiskReq),
2328     .free_req     = scsi_free_request,
2329     .send_command = scsi_disk_emulate_command,
2330     .read_data    = scsi_disk_emulate_read_data,
2331     .write_data   = scsi_disk_emulate_write_data,
2332     .cancel_io    = scsi_cancel_io,
2333     .get_buf      = scsi_get_buf,
2334 };
2335 
2336 static const SCSIReqOps scsi_disk_dma_reqops = {
2337     .size         = sizeof(SCSIDiskReq),
2338     .free_req     = scsi_free_request,
2339     .send_command = scsi_disk_dma_command,
2340     .read_data    = scsi_read_data,
2341     .write_data   = scsi_write_data,
2342     .cancel_io    = scsi_cancel_io,
2343     .get_buf      = scsi_get_buf,
2344     .load_request = scsi_disk_load_request,
2345     .save_request = scsi_disk_save_request,
2346 };
2347 
2348 static const SCSIReqOps *const scsi_disk_reqops_dispatch[256] = {
2349     [TEST_UNIT_READY]                 = &scsi_disk_emulate_reqops,
2350     [INQUIRY]                         = &scsi_disk_emulate_reqops,
2351     [MODE_SENSE]                      = &scsi_disk_emulate_reqops,
2352     [MODE_SENSE_10]                   = &scsi_disk_emulate_reqops,
2353     [START_STOP]                      = &scsi_disk_emulate_reqops,
2354     [ALLOW_MEDIUM_REMOVAL]            = &scsi_disk_emulate_reqops,
2355     [READ_CAPACITY_10]                = &scsi_disk_emulate_reqops,
2356     [READ_TOC]                        = &scsi_disk_emulate_reqops,
2357     [READ_DVD_STRUCTURE]              = &scsi_disk_emulate_reqops,
2358     [READ_DISC_INFORMATION]           = &scsi_disk_emulate_reqops,
2359     [GET_CONFIGURATION]               = &scsi_disk_emulate_reqops,
2360     [GET_EVENT_STATUS_NOTIFICATION]   = &scsi_disk_emulate_reqops,
2361     [MECHANISM_STATUS]                = &scsi_disk_emulate_reqops,
2362     [SERVICE_ACTION_IN_16]            = &scsi_disk_emulate_reqops,
2363     [REQUEST_SENSE]                   = &scsi_disk_emulate_reqops,
2364     [SYNCHRONIZE_CACHE]               = &scsi_disk_emulate_reqops,
2365     [SEEK_10]                         = &scsi_disk_emulate_reqops,
2366     [MODE_SELECT]                     = &scsi_disk_emulate_reqops,
2367     [MODE_SELECT_10]                  = &scsi_disk_emulate_reqops,
2368     [UNMAP]                           = &scsi_disk_emulate_reqops,
2369     [WRITE_SAME_10]                   = &scsi_disk_emulate_reqops,
2370     [WRITE_SAME_16]                   = &scsi_disk_emulate_reqops,
2371     [VERIFY_10]                       = &scsi_disk_emulate_reqops,
2372     [VERIFY_12]                       = &scsi_disk_emulate_reqops,
2373     [VERIFY_16]                       = &scsi_disk_emulate_reqops,
2374 
2375     [READ_6]                          = &scsi_disk_dma_reqops,
2376     [READ_10]                         = &scsi_disk_dma_reqops,
2377     [READ_12]                         = &scsi_disk_dma_reqops,
2378     [READ_16]                         = &scsi_disk_dma_reqops,
2379     [WRITE_6]                         = &scsi_disk_dma_reqops,
2380     [WRITE_10]                        = &scsi_disk_dma_reqops,
2381     [WRITE_12]                        = &scsi_disk_dma_reqops,
2382     [WRITE_16]                        = &scsi_disk_dma_reqops,
2383     [WRITE_VERIFY_10]                 = &scsi_disk_dma_reqops,
2384     [WRITE_VERIFY_12]                 = &scsi_disk_dma_reqops,
2385     [WRITE_VERIFY_16]                 = &scsi_disk_dma_reqops,
2386 };
2387 
2388 static SCSIRequest *scsi_new_request(SCSIDevice *d, uint32_t tag, uint32_t lun,
2389                                      uint8_t *buf, void *hba_private)
2390 {
2391     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, d);
2392     SCSIRequest *req;
2393     const SCSIReqOps *ops;
2394     uint8_t command;
2395 
2396     command = buf[0];
2397     ops = scsi_disk_reqops_dispatch[command];
2398     if (!ops) {
2399         ops = &scsi_disk_emulate_reqops;
2400     }
2401     req = scsi_req_alloc(ops, &s->qdev, tag, lun, hba_private);
2402 
2403 #ifdef DEBUG_SCSI
2404     DPRINTF("Command: lun=%d tag=0x%x data=0x%02x", lun, tag, buf[0]);
2405     {
2406         int i;
2407         for (i = 1; i < req->cmd.len; i++) {
2408             printf(" 0x%02x", buf[i]);
2409         }
2410         printf("\n");
2411     }
2412 #endif
2413 
2414     return req;
2415 }
2416 
2417 #ifdef __linux__
2418 static int get_device_type(SCSIDiskState *s)
2419 {
2420     BlockDriverState *bdrv = s->qdev.conf.bs;
2421     uint8_t cmd[16];
2422     uint8_t buf[36];
2423     uint8_t sensebuf[8];
2424     sg_io_hdr_t io_header;
2425     int ret;
2426 
2427     memset(cmd, 0, sizeof(cmd));
2428     memset(buf, 0, sizeof(buf));
2429     cmd[0] = INQUIRY;
2430     cmd[4] = sizeof(buf);
2431 
2432     memset(&io_header, 0, sizeof(io_header));
2433     io_header.interface_id = 'S';
2434     io_header.dxfer_direction = SG_DXFER_FROM_DEV;
2435     io_header.dxfer_len = sizeof(buf);
2436     io_header.dxferp = buf;
2437     io_header.cmdp = cmd;
2438     io_header.cmd_len = sizeof(cmd);
2439     io_header.mx_sb_len = sizeof(sensebuf);
2440     io_header.sbp = sensebuf;
2441     io_header.timeout = 6000; /* XXX */
2442 
2443     ret = bdrv_ioctl(bdrv, SG_IO, &io_header);
2444     if (ret < 0 || io_header.driver_status || io_header.host_status) {
2445         return -1;
2446     }
2447     s->qdev.type = buf[0];
2448     if (buf[1] & 0x80) {
2449         s->features |= 1 << SCSI_DISK_F_REMOVABLE;
2450     }
2451     return 0;
2452 }
2453 
2454 static int scsi_block_initfn(SCSIDevice *dev)
2455 {
2456     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2457     int sg_version;
2458     int rc;
2459 
2460     if (!s->qdev.conf.bs) {
2461         error_report("drive property not set");
2462         return -1;
2463     }
2464 
2465     /* check we are using a driver managing SG_IO (version 3 and after) */
2466     rc = bdrv_ioctl(s->qdev.conf.bs, SG_GET_VERSION_NUM, &sg_version);
2467     if (rc < 0) {
2468         error_report("cannot get SG_IO version number: %s.  "
2469                      "Is this a SCSI device?",
2470                      strerror(-rc));
2471         return -1;
2472     }
2473     if (sg_version < 30000) {
2474         error_report("scsi generic interface too old");
2475         return -1;
2476     }
2477 
2478     /* get device type from INQUIRY data */
2479     rc = get_device_type(s);
2480     if (rc < 0) {
2481         error_report("INQUIRY failed");
2482         return -1;
2483     }
2484 
2485     /* Make a guess for the block size, we'll fix it when the guest sends.
2486      * READ CAPACITY.  If they don't, they likely would assume these sizes
2487      * anyway. (TODO: check in /sys).
2488      */
2489     if (s->qdev.type == TYPE_ROM || s->qdev.type == TYPE_WORM) {
2490         s->qdev.blocksize = 2048;
2491     } else {
2492         s->qdev.blocksize = 512;
2493     }
2494 
2495     /* Makes the scsi-block device not removable by using HMP and QMP eject
2496      * command.
2497      */
2498     s->features |= (1 << SCSI_DISK_F_NO_REMOVABLE_DEVOPS);
2499 
2500     return scsi_initfn(&s->qdev);
2501 }
2502 
2503 static SCSIRequest *scsi_block_new_request(SCSIDevice *d, uint32_t tag,
2504                                            uint32_t lun, uint8_t *buf,
2505                                            void *hba_private)
2506 {
2507     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, d);
2508 
2509     switch (buf[0]) {
2510     case READ_6:
2511     case READ_10:
2512     case READ_12:
2513     case READ_16:
2514     case VERIFY_10:
2515     case VERIFY_12:
2516     case VERIFY_16:
2517     case WRITE_6:
2518     case WRITE_10:
2519     case WRITE_12:
2520     case WRITE_16:
2521     case WRITE_VERIFY_10:
2522     case WRITE_VERIFY_12:
2523     case WRITE_VERIFY_16:
2524         /* If we are not using O_DIRECT, we might read stale data from the
2525 	 * host cache if writes were made using other commands than these
2526 	 * ones (such as WRITE SAME or EXTENDED COPY, etc.).  So, without
2527 	 * O_DIRECT everything must go through SG_IO.
2528          */
2529         if (bdrv_get_flags(s->qdev.conf.bs) & BDRV_O_NOCACHE) {
2530             break;
2531         }
2532 
2533         /* MMC writing cannot be done via pread/pwrite, because it sometimes
2534          * involves writing beyond the maximum LBA or to negative LBA (lead-in).
2535          * And once you do these writes, reading from the block device is
2536          * unreliable, too.  It is even possible that reads deliver random data
2537          * from the host page cache (this is probably a Linux bug).
2538          *
2539          * We might use scsi_disk_dma_reqops as long as no writing commands are
2540          * seen, but performance usually isn't paramount on optical media.  So,
2541          * just make scsi-block operate the same as scsi-generic for them.
2542          */
2543         if (s->qdev.type != TYPE_ROM) {
2544             return scsi_req_alloc(&scsi_disk_dma_reqops, &s->qdev, tag, lun,
2545                                   hba_private);
2546         }
2547     }
2548 
2549     return scsi_req_alloc(&scsi_generic_req_ops, &s->qdev, tag, lun,
2550                           hba_private);
2551 }
2552 #endif
2553 
2554 #define DEFINE_SCSI_DISK_PROPERTIES()                                \
2555     DEFINE_BLOCK_PROPERTIES(SCSIDiskState, qdev.conf),               \
2556     DEFINE_PROP_STRING("ver", SCSIDiskState, version),               \
2557     DEFINE_PROP_STRING("serial", SCSIDiskState, serial),             \
2558     DEFINE_PROP_STRING("vendor", SCSIDiskState, vendor),             \
2559     DEFINE_PROP_STRING("product", SCSIDiskState, product)
2560 
2561 static Property scsi_hd_properties[] = {
2562     DEFINE_SCSI_DISK_PROPERTIES(),
2563     DEFINE_PROP_BIT("removable", SCSIDiskState, features,
2564                     SCSI_DISK_F_REMOVABLE, false),
2565     DEFINE_PROP_BIT("dpofua", SCSIDiskState, features,
2566                     SCSI_DISK_F_DPOFUA, false),
2567     DEFINE_PROP_UINT64("wwn", SCSIDiskState, wwn, 0),
2568     DEFINE_PROP_UINT64("port_wwn", SCSIDiskState, port_wwn, 0),
2569     DEFINE_PROP_UINT16("port_index", SCSIDiskState, port_index, 0),
2570     DEFINE_PROP_UINT64("max_unmap_size", SCSIDiskState, max_unmap_size,
2571                        DEFAULT_MAX_UNMAP_SIZE),
2572     DEFINE_BLOCK_CHS_PROPERTIES(SCSIDiskState, qdev.conf),
2573     DEFINE_PROP_END_OF_LIST(),
2574 };
2575 
2576 static const VMStateDescription vmstate_scsi_disk_state = {
2577     .name = "scsi-disk",
2578     .version_id = 1,
2579     .minimum_version_id = 1,
2580     .fields = (VMStateField[]) {
2581         VMSTATE_SCSI_DEVICE(qdev, SCSIDiskState),
2582         VMSTATE_BOOL(media_changed, SCSIDiskState),
2583         VMSTATE_BOOL(media_event, SCSIDiskState),
2584         VMSTATE_BOOL(eject_request, SCSIDiskState),
2585         VMSTATE_BOOL(tray_open, SCSIDiskState),
2586         VMSTATE_BOOL(tray_locked, SCSIDiskState),
2587         VMSTATE_END_OF_LIST()
2588     }
2589 };
2590 
2591 static void scsi_hd_class_initfn(ObjectClass *klass, void *data)
2592 {
2593     DeviceClass *dc = DEVICE_CLASS(klass);
2594     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
2595 
2596     sc->init         = scsi_hd_initfn;
2597     sc->destroy      = scsi_destroy;
2598     sc->alloc_req    = scsi_new_request;
2599     sc->unit_attention_reported = scsi_disk_unit_attention_reported;
2600     dc->fw_name = "disk";
2601     dc->desc = "virtual SCSI disk";
2602     dc->reset = scsi_disk_reset;
2603     dc->props = scsi_hd_properties;
2604     dc->vmsd  = &vmstate_scsi_disk_state;
2605 }
2606 
2607 static const TypeInfo scsi_hd_info = {
2608     .name          = "scsi-hd",
2609     .parent        = TYPE_SCSI_DEVICE,
2610     .instance_size = sizeof(SCSIDiskState),
2611     .class_init    = scsi_hd_class_initfn,
2612 };
2613 
2614 static Property scsi_cd_properties[] = {
2615     DEFINE_SCSI_DISK_PROPERTIES(),
2616     DEFINE_PROP_UINT64("wwn", SCSIDiskState, wwn, 0),
2617     DEFINE_PROP_UINT64("port_wwn", SCSIDiskState, port_wwn, 0),
2618     DEFINE_PROP_UINT16("port_index", SCSIDiskState, port_index, 0),
2619     DEFINE_PROP_END_OF_LIST(),
2620 };
2621 
2622 static void scsi_cd_class_initfn(ObjectClass *klass, void *data)
2623 {
2624     DeviceClass *dc = DEVICE_CLASS(klass);
2625     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
2626 
2627     sc->init         = scsi_cd_initfn;
2628     sc->destroy      = scsi_destroy;
2629     sc->alloc_req    = scsi_new_request;
2630     sc->unit_attention_reported = scsi_disk_unit_attention_reported;
2631     dc->fw_name = "disk";
2632     dc->desc = "virtual SCSI CD-ROM";
2633     dc->reset = scsi_disk_reset;
2634     dc->props = scsi_cd_properties;
2635     dc->vmsd  = &vmstate_scsi_disk_state;
2636 }
2637 
2638 static const TypeInfo scsi_cd_info = {
2639     .name          = "scsi-cd",
2640     .parent        = TYPE_SCSI_DEVICE,
2641     .instance_size = sizeof(SCSIDiskState),
2642     .class_init    = scsi_cd_class_initfn,
2643 };
2644 
2645 #ifdef __linux__
2646 static Property scsi_block_properties[] = {
2647     DEFINE_PROP_DRIVE("drive", SCSIDiskState, qdev.conf.bs),
2648     DEFINE_PROP_INT32("bootindex", SCSIDiskState, qdev.conf.bootindex, -1),
2649     DEFINE_PROP_END_OF_LIST(),
2650 };
2651 
2652 static void scsi_block_class_initfn(ObjectClass *klass, void *data)
2653 {
2654     DeviceClass *dc = DEVICE_CLASS(klass);
2655     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
2656 
2657     sc->init         = scsi_block_initfn;
2658     sc->destroy      = scsi_destroy;
2659     sc->alloc_req    = scsi_block_new_request;
2660     dc->fw_name = "disk";
2661     dc->desc = "SCSI block device passthrough";
2662     dc->reset = scsi_disk_reset;
2663     dc->props = scsi_block_properties;
2664     dc->vmsd  = &vmstate_scsi_disk_state;
2665 }
2666 
2667 static const TypeInfo scsi_block_info = {
2668     .name          = "scsi-block",
2669     .parent        = TYPE_SCSI_DEVICE,
2670     .instance_size = sizeof(SCSIDiskState),
2671     .class_init    = scsi_block_class_initfn,
2672 };
2673 #endif
2674 
2675 static Property scsi_disk_properties[] = {
2676     DEFINE_SCSI_DISK_PROPERTIES(),
2677     DEFINE_PROP_BIT("removable", SCSIDiskState, features,
2678                     SCSI_DISK_F_REMOVABLE, false),
2679     DEFINE_PROP_BIT("dpofua", SCSIDiskState, features,
2680                     SCSI_DISK_F_DPOFUA, false),
2681     DEFINE_PROP_UINT64("wwn", SCSIDiskState, wwn, 0),
2682     DEFINE_PROP_UINT64("port_wwn", SCSIDiskState, port_wwn, 0),
2683     DEFINE_PROP_UINT16("port_index", SCSIDiskState, port_index, 0),
2684     DEFINE_PROP_UINT64("max_unmap_size", SCSIDiskState, max_unmap_size,
2685                        DEFAULT_MAX_UNMAP_SIZE),
2686     DEFINE_PROP_END_OF_LIST(),
2687 };
2688 
2689 static void scsi_disk_class_initfn(ObjectClass *klass, void *data)
2690 {
2691     DeviceClass *dc = DEVICE_CLASS(klass);
2692     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
2693 
2694     sc->init         = scsi_disk_initfn;
2695     sc->destroy      = scsi_destroy;
2696     sc->alloc_req    = scsi_new_request;
2697     sc->unit_attention_reported = scsi_disk_unit_attention_reported;
2698     dc->fw_name = "disk";
2699     dc->desc = "virtual SCSI disk or CD-ROM (legacy)";
2700     dc->reset = scsi_disk_reset;
2701     dc->props = scsi_disk_properties;
2702     dc->vmsd  = &vmstate_scsi_disk_state;
2703 }
2704 
2705 static const TypeInfo scsi_disk_info = {
2706     .name          = "scsi-disk",
2707     .parent        = TYPE_SCSI_DEVICE,
2708     .instance_size = sizeof(SCSIDiskState),
2709     .class_init    = scsi_disk_class_initfn,
2710 };
2711 
2712 static void scsi_disk_register_types(void)
2713 {
2714     type_register_static(&scsi_hd_info);
2715     type_register_static(&scsi_cd_info);
2716 #ifdef __linux__
2717     type_register_static(&scsi_block_info);
2718 #endif
2719     type_register_static(&scsi_disk_info);
2720 }
2721 
2722 type_init(scsi_disk_register_types)
2723