xref: /openbmc/qemu/hw/scsi/scsi-disk.c (revision b8bcf811)
1 /*
2  * SCSI Device emulation
3  *
4  * Copyright (c) 2006 CodeSourcery.
5  * Based on code by Fabrice Bellard
6  *
7  * Written by Paul Brook
8  * Modifications:
9  *  2009-Dec-12 Artyom Tarasenko : implemented stamdard inquiry for the case
10  *                                 when the allocation length of CDB is smaller
11  *                                 than 36.
12  *  2009-Oct-13 Artyom Tarasenko : implemented the block descriptor in the
13  *                                 MODE SENSE response.
14  *
15  * This code is licensed under the LGPL.
16  *
17  * Note that this file only handles the SCSI architecture model and device
18  * commands.  Emulation of interface/link layer protocols is handled by
19  * the host adapter emulator.
20  */
21 
22 //#define DEBUG_SCSI
23 
24 #ifdef DEBUG_SCSI
25 #define DPRINTF(fmt, ...) \
26 do { printf("scsi-disk: " fmt , ## __VA_ARGS__); } while (0)
27 #else
28 #define DPRINTF(fmt, ...) do {} while(0)
29 #endif
30 
31 #include "qemu-common.h"
32 #include "qemu/error-report.h"
33 #include "hw/scsi/scsi.h"
34 #include "block/scsi.h"
35 #include "sysemu/sysemu.h"
36 #include "sysemu/blockdev.h"
37 #include "hw/block/block.h"
38 #include "sysemu/dma.h"
39 
40 #ifdef __linux
41 #include <scsi/sg.h>
42 #endif
43 
44 #define SCSI_WRITE_SAME_MAX         524288
45 #define SCSI_DMA_BUF_SIZE           131072
46 #define SCSI_MAX_INQUIRY_LEN        256
47 #define SCSI_MAX_MODE_LEN           256
48 
49 #define DEFAULT_DISCARD_GRANULARITY 4096
50 #define DEFAULT_MAX_UNMAP_SIZE      (1 << 30)   /* 1 GB */
51 
52 typedef struct SCSIDiskState SCSIDiskState;
53 
54 typedef struct SCSIDiskReq {
55     SCSIRequest req;
56     /* Both sector and sector_count are in terms of qemu 512 byte blocks.  */
57     uint64_t sector;
58     uint32_t sector_count;
59     uint32_t buflen;
60     bool started;
61     struct iovec iov;
62     QEMUIOVector qiov;
63     BlockAcctCookie acct;
64 } SCSIDiskReq;
65 
66 #define SCSI_DISK_F_REMOVABLE             0
67 #define SCSI_DISK_F_DPOFUA                1
68 #define SCSI_DISK_F_NO_REMOVABLE_DEVOPS   2
69 
70 struct SCSIDiskState
71 {
72     SCSIDevice qdev;
73     uint32_t features;
74     bool media_changed;
75     bool media_event;
76     bool eject_request;
77     uint64_t wwn;
78     uint64_t max_unmap_size;
79     QEMUBH *bh;
80     char *version;
81     char *serial;
82     char *vendor;
83     char *product;
84     bool tray_open;
85     bool tray_locked;
86 };
87 
88 static int scsi_handle_rw_error(SCSIDiskReq *r, int error);
89 
90 static void scsi_free_request(SCSIRequest *req)
91 {
92     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
93 
94     qemu_vfree(r->iov.iov_base);
95 }
96 
97 /* Helper function for command completion with sense.  */
98 static void scsi_check_condition(SCSIDiskReq *r, SCSISense sense)
99 {
100     DPRINTF("Command complete tag=0x%x sense=%d/%d/%d\n",
101             r->req.tag, sense.key, sense.asc, sense.ascq);
102     scsi_req_build_sense(&r->req, sense);
103     scsi_req_complete(&r->req, CHECK_CONDITION);
104 }
105 
106 /* Cancel a pending data transfer.  */
107 static void scsi_cancel_io(SCSIRequest *req)
108 {
109     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
110 
111     DPRINTF("Cancel tag=0x%x\n", req->tag);
112     if (r->req.aiocb) {
113         bdrv_aio_cancel(r->req.aiocb);
114 
115         /* This reference was left in by scsi_*_data.  We take ownership of
116          * it the moment scsi_req_cancel is called, independent of whether
117          * bdrv_aio_cancel completes the request or not.  */
118         scsi_req_unref(&r->req);
119     }
120     r->req.aiocb = NULL;
121 }
122 
123 static uint32_t scsi_init_iovec(SCSIDiskReq *r, size_t size)
124 {
125     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
126 
127     if (!r->iov.iov_base) {
128         r->buflen = size;
129         r->iov.iov_base = qemu_blockalign(s->qdev.conf.bs, r->buflen);
130     }
131     r->iov.iov_len = MIN(r->sector_count * 512, r->buflen);
132     qemu_iovec_init_external(&r->qiov, &r->iov, 1);
133     return r->qiov.size / 512;
134 }
135 
136 static void scsi_disk_save_request(QEMUFile *f, SCSIRequest *req)
137 {
138     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
139 
140     qemu_put_be64s(f, &r->sector);
141     qemu_put_be32s(f, &r->sector_count);
142     qemu_put_be32s(f, &r->buflen);
143     if (r->buflen) {
144         if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
145             qemu_put_buffer(f, r->iov.iov_base, r->iov.iov_len);
146         } else if (!req->retry) {
147             uint32_t len = r->iov.iov_len;
148             qemu_put_be32s(f, &len);
149             qemu_put_buffer(f, r->iov.iov_base, r->iov.iov_len);
150         }
151     }
152 }
153 
154 static void scsi_disk_load_request(QEMUFile *f, SCSIRequest *req)
155 {
156     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
157 
158     qemu_get_be64s(f, &r->sector);
159     qemu_get_be32s(f, &r->sector_count);
160     qemu_get_be32s(f, &r->buflen);
161     if (r->buflen) {
162         scsi_init_iovec(r, r->buflen);
163         if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
164             qemu_get_buffer(f, r->iov.iov_base, r->iov.iov_len);
165         } else if (!r->req.retry) {
166             uint32_t len;
167             qemu_get_be32s(f, &len);
168             r->iov.iov_len = len;
169             assert(r->iov.iov_len <= r->buflen);
170             qemu_get_buffer(f, r->iov.iov_base, r->iov.iov_len);
171         }
172     }
173 
174     qemu_iovec_init_external(&r->qiov, &r->iov, 1);
175 }
176 
177 static void scsi_aio_complete(void *opaque, int ret)
178 {
179     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
180     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
181 
182     assert(r->req.aiocb != NULL);
183     r->req.aiocb = NULL;
184     bdrv_acct_done(s->qdev.conf.bs, &r->acct);
185     if (r->req.io_canceled) {
186         goto done;
187     }
188 
189     if (ret < 0) {
190         if (scsi_handle_rw_error(r, -ret)) {
191             goto done;
192         }
193     }
194 
195     scsi_req_complete(&r->req, GOOD);
196 
197 done:
198     if (!r->req.io_canceled) {
199         scsi_req_unref(&r->req);
200     }
201 }
202 
203 static bool scsi_is_cmd_fua(SCSICommand *cmd)
204 {
205     switch (cmd->buf[0]) {
206     case READ_10:
207     case READ_12:
208     case READ_16:
209     case WRITE_10:
210     case WRITE_12:
211     case WRITE_16:
212         return (cmd->buf[1] & 8) != 0;
213 
214     case VERIFY_10:
215     case VERIFY_12:
216     case VERIFY_16:
217     case WRITE_VERIFY_10:
218     case WRITE_VERIFY_12:
219     case WRITE_VERIFY_16:
220         return true;
221 
222     case READ_6:
223     case WRITE_6:
224     default:
225         return false;
226     }
227 }
228 
229 static void scsi_write_do_fua(SCSIDiskReq *r)
230 {
231     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
232 
233     if (r->req.io_canceled) {
234         goto done;
235     }
236 
237     if (scsi_is_cmd_fua(&r->req.cmd)) {
238         bdrv_acct_start(s->qdev.conf.bs, &r->acct, 0, BDRV_ACCT_FLUSH);
239         r->req.aiocb = bdrv_aio_flush(s->qdev.conf.bs, scsi_aio_complete, r);
240         return;
241     }
242 
243     scsi_req_complete(&r->req, GOOD);
244 
245 done:
246     if (!r->req.io_canceled) {
247         scsi_req_unref(&r->req);
248     }
249 }
250 
251 static void scsi_dma_complete_noio(void *opaque, int ret)
252 {
253     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
254     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
255 
256     if (r->req.aiocb != NULL) {
257         r->req.aiocb = NULL;
258         bdrv_acct_done(s->qdev.conf.bs, &r->acct);
259     }
260     if (r->req.io_canceled) {
261         goto done;
262     }
263 
264     if (ret < 0) {
265         if (scsi_handle_rw_error(r, -ret)) {
266             goto done;
267         }
268     }
269 
270     r->sector += r->sector_count;
271     r->sector_count = 0;
272     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
273         scsi_write_do_fua(r);
274         return;
275     } else {
276         scsi_req_complete(&r->req, GOOD);
277     }
278 
279 done:
280     if (!r->req.io_canceled) {
281         scsi_req_unref(&r->req);
282     }
283 }
284 
285 static void scsi_dma_complete(void *opaque, int ret)
286 {
287     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
288 
289     assert(r->req.aiocb != NULL);
290     scsi_dma_complete_noio(opaque, ret);
291 }
292 
293 static void scsi_read_complete(void * opaque, int ret)
294 {
295     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
296     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
297     int n;
298 
299     assert(r->req.aiocb != NULL);
300     r->req.aiocb = NULL;
301     bdrv_acct_done(s->qdev.conf.bs, &r->acct);
302     if (r->req.io_canceled) {
303         goto done;
304     }
305 
306     if (ret < 0) {
307         if (scsi_handle_rw_error(r, -ret)) {
308             goto done;
309         }
310     }
311 
312     DPRINTF("Data ready tag=0x%x len=%zd\n", r->req.tag, r->qiov.size);
313 
314     n = r->qiov.size / 512;
315     r->sector += n;
316     r->sector_count -= n;
317     scsi_req_data(&r->req, r->qiov.size);
318 
319 done:
320     if (!r->req.io_canceled) {
321         scsi_req_unref(&r->req);
322     }
323 }
324 
325 /* Actually issue a read to the block device.  */
326 static void scsi_do_read(void *opaque, int ret)
327 {
328     SCSIDiskReq *r = opaque;
329     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
330     uint32_t n;
331 
332     if (r->req.aiocb != NULL) {
333         r->req.aiocb = NULL;
334         bdrv_acct_done(s->qdev.conf.bs, &r->acct);
335     }
336     if (r->req.io_canceled) {
337         goto done;
338     }
339 
340     if (ret < 0) {
341         if (scsi_handle_rw_error(r, -ret)) {
342             goto done;
343         }
344     }
345 
346     /* The request is used as the AIO opaque value, so add a ref.  */
347     scsi_req_ref(&r->req);
348 
349     if (r->req.sg) {
350         dma_acct_start(s->qdev.conf.bs, &r->acct, r->req.sg, BDRV_ACCT_READ);
351         r->req.resid -= r->req.sg->size;
352         r->req.aiocb = dma_bdrv_read(s->qdev.conf.bs, r->req.sg, r->sector,
353                                      scsi_dma_complete, r);
354     } else {
355         n = scsi_init_iovec(r, SCSI_DMA_BUF_SIZE);
356         bdrv_acct_start(s->qdev.conf.bs, &r->acct, n * BDRV_SECTOR_SIZE, BDRV_ACCT_READ);
357         r->req.aiocb = bdrv_aio_readv(s->qdev.conf.bs, r->sector, &r->qiov, n,
358                                       scsi_read_complete, r);
359     }
360 
361 done:
362     if (!r->req.io_canceled) {
363         scsi_req_unref(&r->req);
364     }
365 }
366 
367 /* Read more data from scsi device into buffer.  */
368 static void scsi_read_data(SCSIRequest *req)
369 {
370     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
371     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
372     bool first;
373 
374     DPRINTF("Read sector_count=%d\n", r->sector_count);
375     if (r->sector_count == 0) {
376         /* This also clears the sense buffer for REQUEST SENSE.  */
377         scsi_req_complete(&r->req, GOOD);
378         return;
379     }
380 
381     /* No data transfer may already be in progress */
382     assert(r->req.aiocb == NULL);
383 
384     /* The request is used as the AIO opaque value, so add a ref.  */
385     scsi_req_ref(&r->req);
386     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
387         DPRINTF("Data transfer direction invalid\n");
388         scsi_read_complete(r, -EINVAL);
389         return;
390     }
391 
392     if (s->tray_open) {
393         scsi_read_complete(r, -ENOMEDIUM);
394         return;
395     }
396 
397     first = !r->started;
398     r->started = true;
399     if (first && scsi_is_cmd_fua(&r->req.cmd)) {
400         bdrv_acct_start(s->qdev.conf.bs, &r->acct, 0, BDRV_ACCT_FLUSH);
401         r->req.aiocb = bdrv_aio_flush(s->qdev.conf.bs, scsi_do_read, r);
402     } else {
403         scsi_do_read(r, 0);
404     }
405 }
406 
407 /*
408  * scsi_handle_rw_error has two return values.  0 means that the error
409  * must be ignored, 1 means that the error has been processed and the
410  * caller should not do anything else for this request.  Note that
411  * scsi_handle_rw_error always manages its reference counts, independent
412  * of the return value.
413  */
414 static int scsi_handle_rw_error(SCSIDiskReq *r, int error)
415 {
416     bool is_read = (r->req.cmd.xfer == SCSI_XFER_FROM_DEV);
417     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
418     BlockErrorAction action = bdrv_get_error_action(s->qdev.conf.bs, is_read, error);
419 
420     if (action == BDRV_ACTION_REPORT) {
421         switch (error) {
422         case ENOMEDIUM:
423             scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
424             break;
425         case ENOMEM:
426             scsi_check_condition(r, SENSE_CODE(TARGET_FAILURE));
427             break;
428         case EINVAL:
429             scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
430             break;
431         default:
432             scsi_check_condition(r, SENSE_CODE(IO_ERROR));
433             break;
434         }
435     }
436     bdrv_error_action(s->qdev.conf.bs, action, is_read, error);
437     if (action == BDRV_ACTION_STOP) {
438         scsi_req_retry(&r->req);
439     }
440     return action != BDRV_ACTION_IGNORE;
441 }
442 
443 static void scsi_write_complete(void * opaque, int ret)
444 {
445     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
446     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
447     uint32_t n;
448 
449     if (r->req.aiocb != NULL) {
450         r->req.aiocb = NULL;
451         bdrv_acct_done(s->qdev.conf.bs, &r->acct);
452     }
453     if (r->req.io_canceled) {
454         goto done;
455     }
456 
457     if (ret < 0) {
458         if (scsi_handle_rw_error(r, -ret)) {
459             goto done;
460         }
461     }
462 
463     n = r->qiov.size / 512;
464     r->sector += n;
465     r->sector_count -= n;
466     if (r->sector_count == 0) {
467         scsi_write_do_fua(r);
468         return;
469     } else {
470         scsi_init_iovec(r, SCSI_DMA_BUF_SIZE);
471         DPRINTF("Write complete tag=0x%x more=%zd\n", r->req.tag, r->qiov.size);
472         scsi_req_data(&r->req, r->qiov.size);
473     }
474 
475 done:
476     if (!r->req.io_canceled) {
477         scsi_req_unref(&r->req);
478     }
479 }
480 
481 static void scsi_write_data(SCSIRequest *req)
482 {
483     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
484     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
485     uint32_t n;
486 
487     /* No data transfer may already be in progress */
488     assert(r->req.aiocb == NULL);
489 
490     /* The request is used as the AIO opaque value, so add a ref.  */
491     scsi_req_ref(&r->req);
492     if (r->req.cmd.mode != SCSI_XFER_TO_DEV) {
493         DPRINTF("Data transfer direction invalid\n");
494         scsi_write_complete(r, -EINVAL);
495         return;
496     }
497 
498     if (!r->req.sg && !r->qiov.size) {
499         /* Called for the first time.  Ask the driver to send us more data.  */
500         r->started = true;
501         scsi_write_complete(r, 0);
502         return;
503     }
504     if (s->tray_open) {
505         scsi_write_complete(r, -ENOMEDIUM);
506         return;
507     }
508 
509     if (r->req.cmd.buf[0] == VERIFY_10 || r->req.cmd.buf[0] == VERIFY_12 ||
510         r->req.cmd.buf[0] == VERIFY_16) {
511         if (r->req.sg) {
512             scsi_dma_complete_noio(r, 0);
513         } else {
514             scsi_write_complete(r, 0);
515         }
516         return;
517     }
518 
519     if (r->req.sg) {
520         dma_acct_start(s->qdev.conf.bs, &r->acct, r->req.sg, BDRV_ACCT_WRITE);
521         r->req.resid -= r->req.sg->size;
522         r->req.aiocb = dma_bdrv_write(s->qdev.conf.bs, r->req.sg, r->sector,
523                                       scsi_dma_complete, r);
524     } else {
525         n = r->qiov.size / 512;
526         bdrv_acct_start(s->qdev.conf.bs, &r->acct, n * BDRV_SECTOR_SIZE, BDRV_ACCT_WRITE);
527         r->req.aiocb = bdrv_aio_writev(s->qdev.conf.bs, r->sector, &r->qiov, n,
528                                        scsi_write_complete, r);
529     }
530 }
531 
532 /* Return a pointer to the data buffer.  */
533 static uint8_t *scsi_get_buf(SCSIRequest *req)
534 {
535     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
536 
537     return (uint8_t *)r->iov.iov_base;
538 }
539 
540 static int scsi_disk_emulate_inquiry(SCSIRequest *req, uint8_t *outbuf)
541 {
542     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
543     int buflen = 0;
544     int start;
545 
546     if (req->cmd.buf[1] & 0x1) {
547         /* Vital product data */
548         uint8_t page_code = req->cmd.buf[2];
549 
550         outbuf[buflen++] = s->qdev.type & 0x1f;
551         outbuf[buflen++] = page_code ; // this page
552         outbuf[buflen++] = 0x00;
553         outbuf[buflen++] = 0x00;
554         start = buflen;
555 
556         switch (page_code) {
557         case 0x00: /* Supported page codes, mandatory */
558         {
559             DPRINTF("Inquiry EVPD[Supported pages] "
560                     "buffer size %zd\n", req->cmd.xfer);
561             outbuf[buflen++] = 0x00; // list of supported pages (this page)
562             if (s->serial) {
563                 outbuf[buflen++] = 0x80; // unit serial number
564             }
565             outbuf[buflen++] = 0x83; // device identification
566             if (s->qdev.type == TYPE_DISK) {
567                 outbuf[buflen++] = 0xb0; // block limits
568                 outbuf[buflen++] = 0xb2; // thin provisioning
569             }
570             break;
571         }
572         case 0x80: /* Device serial number, optional */
573         {
574             int l;
575 
576             if (!s->serial) {
577                 DPRINTF("Inquiry (EVPD[Serial number] not supported\n");
578                 return -1;
579             }
580 
581             l = strlen(s->serial);
582             if (l > 20) {
583                 l = 20;
584             }
585 
586             DPRINTF("Inquiry EVPD[Serial number] "
587                     "buffer size %zd\n", req->cmd.xfer);
588             memcpy(outbuf+buflen, s->serial, l);
589             buflen += l;
590             break;
591         }
592 
593         case 0x83: /* Device identification page, mandatory */
594         {
595             const char *str = s->serial ?: bdrv_get_device_name(s->qdev.conf.bs);
596             int max_len = s->serial ? 20 : 255 - 8;
597             int id_len = strlen(str);
598 
599             if (id_len > max_len) {
600                 id_len = max_len;
601             }
602             DPRINTF("Inquiry EVPD[Device identification] "
603                     "buffer size %zd\n", req->cmd.xfer);
604 
605             outbuf[buflen++] = 0x2; // ASCII
606             outbuf[buflen++] = 0;   // not officially assigned
607             outbuf[buflen++] = 0;   // reserved
608             outbuf[buflen++] = id_len; // length of data following
609             memcpy(outbuf+buflen, str, id_len);
610             buflen += id_len;
611 
612             if (s->wwn) {
613                 outbuf[buflen++] = 0x1; // Binary
614                 outbuf[buflen++] = 0x3; // NAA
615                 outbuf[buflen++] = 0;   // reserved
616                 outbuf[buflen++] = 8;
617                 stq_be_p(&outbuf[buflen], s->wwn);
618                 buflen += 8;
619             }
620             break;
621         }
622         case 0xb0: /* block limits */
623         {
624             unsigned int unmap_sectors =
625                     s->qdev.conf.discard_granularity / s->qdev.blocksize;
626             unsigned int min_io_size =
627                     s->qdev.conf.min_io_size / s->qdev.blocksize;
628             unsigned int opt_io_size =
629                     s->qdev.conf.opt_io_size / s->qdev.blocksize;
630             unsigned int max_unmap_sectors =
631                     s->max_unmap_size / s->qdev.blocksize;
632 
633             if (s->qdev.type == TYPE_ROM) {
634                 DPRINTF("Inquiry (EVPD[%02X] not supported for CDROM\n",
635                         page_code);
636                 return -1;
637             }
638             /* required VPD size with unmap support */
639             buflen = 0x40;
640             memset(outbuf + 4, 0, buflen - 4);
641 
642             outbuf[4] = 0x1; /* wsnz */
643 
644             /* optimal transfer length granularity */
645             outbuf[6] = (min_io_size >> 8) & 0xff;
646             outbuf[7] = min_io_size & 0xff;
647 
648             /* optimal transfer length */
649             outbuf[12] = (opt_io_size >> 24) & 0xff;
650             outbuf[13] = (opt_io_size >> 16) & 0xff;
651             outbuf[14] = (opt_io_size >> 8) & 0xff;
652             outbuf[15] = opt_io_size & 0xff;
653 
654             /* max unmap LBA count, default is 1GB */
655             outbuf[20] = (max_unmap_sectors >> 24) & 0xff;
656             outbuf[21] = (max_unmap_sectors >> 16) & 0xff;
657             outbuf[22] = (max_unmap_sectors >> 8) & 0xff;
658             outbuf[23] = max_unmap_sectors & 0xff;
659 
660             /* max unmap descriptors, 255 fit in 4 kb with an 8-byte header.  */
661             outbuf[24] = 0;
662             outbuf[25] = 0;
663             outbuf[26] = 0;
664             outbuf[27] = 255;
665 
666             /* optimal unmap granularity */
667             outbuf[28] = (unmap_sectors >> 24) & 0xff;
668             outbuf[29] = (unmap_sectors >> 16) & 0xff;
669             outbuf[30] = (unmap_sectors >> 8) & 0xff;
670             outbuf[31] = unmap_sectors & 0xff;
671             break;
672         }
673         case 0xb2: /* thin provisioning */
674         {
675             buflen = 8;
676             outbuf[4] = 0;
677             outbuf[5] = 0xe0; /* unmap & write_same 10/16 all supported */
678             outbuf[6] = s->qdev.conf.discard_granularity ? 2 : 1;
679             outbuf[7] = 0;
680             break;
681         }
682         default:
683             return -1;
684         }
685         /* done with EVPD */
686         assert(buflen - start <= 255);
687         outbuf[start - 1] = buflen - start;
688         return buflen;
689     }
690 
691     /* Standard INQUIRY data */
692     if (req->cmd.buf[2] != 0) {
693         return -1;
694     }
695 
696     /* PAGE CODE == 0 */
697     buflen = req->cmd.xfer;
698     if (buflen > SCSI_MAX_INQUIRY_LEN) {
699         buflen = SCSI_MAX_INQUIRY_LEN;
700     }
701 
702     outbuf[0] = s->qdev.type & 0x1f;
703     outbuf[1] = (s->features & (1 << SCSI_DISK_F_REMOVABLE)) ? 0x80 : 0;
704 
705     strpadcpy((char *) &outbuf[16], 16, s->product, ' ');
706     strpadcpy((char *) &outbuf[8], 8, s->vendor, ' ');
707 
708     memset(&outbuf[32], 0, 4);
709     memcpy(&outbuf[32], s->version, MIN(4, strlen(s->version)));
710     /*
711      * We claim conformance to SPC-3, which is required for guests
712      * to ask for modern features like READ CAPACITY(16) or the
713      * block characteristics VPD page by default.  Not all of SPC-3
714      * is actually implemented, but we're good enough.
715      */
716     outbuf[2] = 5;
717     outbuf[3] = 2 | 0x10; /* Format 2, HiSup */
718 
719     if (buflen > 36) {
720         outbuf[4] = buflen - 5; /* Additional Length = (Len - 1) - 4 */
721     } else {
722         /* If the allocation length of CDB is too small,
723                the additional length is not adjusted */
724         outbuf[4] = 36 - 5;
725     }
726 
727     /* Sync data transfer and TCQ.  */
728     outbuf[7] = 0x10 | (req->bus->info->tcq ? 0x02 : 0);
729     return buflen;
730 }
731 
732 static inline bool media_is_dvd(SCSIDiskState *s)
733 {
734     uint64_t nb_sectors;
735     if (s->qdev.type != TYPE_ROM) {
736         return false;
737     }
738     if (!bdrv_is_inserted(s->qdev.conf.bs)) {
739         return false;
740     }
741     bdrv_get_geometry(s->qdev.conf.bs, &nb_sectors);
742     return nb_sectors > CD_MAX_SECTORS;
743 }
744 
745 static inline bool media_is_cd(SCSIDiskState *s)
746 {
747     uint64_t nb_sectors;
748     if (s->qdev.type != TYPE_ROM) {
749         return false;
750     }
751     if (!bdrv_is_inserted(s->qdev.conf.bs)) {
752         return false;
753     }
754     bdrv_get_geometry(s->qdev.conf.bs, &nb_sectors);
755     return nb_sectors <= CD_MAX_SECTORS;
756 }
757 
758 static int scsi_read_disc_information(SCSIDiskState *s, SCSIDiskReq *r,
759                                       uint8_t *outbuf)
760 {
761     uint8_t type = r->req.cmd.buf[1] & 7;
762 
763     if (s->qdev.type != TYPE_ROM) {
764         return -1;
765     }
766 
767     /* Types 1/2 are only defined for Blu-Ray.  */
768     if (type != 0) {
769         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
770         return -1;
771     }
772 
773     memset(outbuf, 0, 34);
774     outbuf[1] = 32;
775     outbuf[2] = 0xe; /* last session complete, disc finalized */
776     outbuf[3] = 1;   /* first track on disc */
777     outbuf[4] = 1;   /* # of sessions */
778     outbuf[5] = 1;   /* first track of last session */
779     outbuf[6] = 1;   /* last track of last session */
780     outbuf[7] = 0x20; /* unrestricted use */
781     outbuf[8] = 0x00; /* CD-ROM or DVD-ROM */
782     /* 9-10-11: most significant byte corresponding bytes 4-5-6 */
783     /* 12-23: not meaningful for CD-ROM or DVD-ROM */
784     /* 24-31: disc bar code */
785     /* 32: disc application code */
786     /* 33: number of OPC tables */
787 
788     return 34;
789 }
790 
791 static int scsi_read_dvd_structure(SCSIDiskState *s, SCSIDiskReq *r,
792                                    uint8_t *outbuf)
793 {
794     static const int rds_caps_size[5] = {
795         [0] = 2048 + 4,
796         [1] = 4 + 4,
797         [3] = 188 + 4,
798         [4] = 2048 + 4,
799     };
800 
801     uint8_t media = r->req.cmd.buf[1];
802     uint8_t layer = r->req.cmd.buf[6];
803     uint8_t format = r->req.cmd.buf[7];
804     int size = -1;
805 
806     if (s->qdev.type != TYPE_ROM) {
807         return -1;
808     }
809     if (media != 0) {
810         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
811         return -1;
812     }
813 
814     if (format != 0xff) {
815         if (s->tray_open || !bdrv_is_inserted(s->qdev.conf.bs)) {
816             scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
817             return -1;
818         }
819         if (media_is_cd(s)) {
820             scsi_check_condition(r, SENSE_CODE(INCOMPATIBLE_FORMAT));
821             return -1;
822         }
823         if (format >= ARRAY_SIZE(rds_caps_size)) {
824             return -1;
825         }
826         size = rds_caps_size[format];
827         memset(outbuf, 0, size);
828     }
829 
830     switch (format) {
831     case 0x00: {
832         /* Physical format information */
833         uint64_t nb_sectors;
834         if (layer != 0) {
835             goto fail;
836         }
837         bdrv_get_geometry(s->qdev.conf.bs, &nb_sectors);
838 
839         outbuf[4] = 1;   /* DVD-ROM, part version 1 */
840         outbuf[5] = 0xf; /* 120mm disc, minimum rate unspecified */
841         outbuf[6] = 1;   /* one layer, read-only (per MMC-2 spec) */
842         outbuf[7] = 0;   /* default densities */
843 
844         stl_be_p(&outbuf[12], (nb_sectors >> 2) - 1); /* end sector */
845         stl_be_p(&outbuf[16], (nb_sectors >> 2) - 1); /* l0 end sector */
846         break;
847     }
848 
849     case 0x01: /* DVD copyright information, all zeros */
850         break;
851 
852     case 0x03: /* BCA information - invalid field for no BCA info */
853         return -1;
854 
855     case 0x04: /* DVD disc manufacturing information, all zeros */
856         break;
857 
858     case 0xff: { /* List capabilities */
859         int i;
860         size = 4;
861         for (i = 0; i < ARRAY_SIZE(rds_caps_size); i++) {
862             if (!rds_caps_size[i]) {
863                 continue;
864             }
865             outbuf[size] = i;
866             outbuf[size + 1] = 0x40; /* Not writable, readable */
867             stw_be_p(&outbuf[size + 2], rds_caps_size[i]);
868             size += 4;
869         }
870         break;
871      }
872 
873     default:
874         return -1;
875     }
876 
877     /* Size of buffer, not including 2 byte size field */
878     stw_be_p(outbuf, size - 2);
879     return size;
880 
881 fail:
882     return -1;
883 }
884 
885 static int scsi_event_status_media(SCSIDiskState *s, uint8_t *outbuf)
886 {
887     uint8_t event_code, media_status;
888 
889     media_status = 0;
890     if (s->tray_open) {
891         media_status = MS_TRAY_OPEN;
892     } else if (bdrv_is_inserted(s->qdev.conf.bs)) {
893         media_status = MS_MEDIA_PRESENT;
894     }
895 
896     /* Event notification descriptor */
897     event_code = MEC_NO_CHANGE;
898     if (media_status != MS_TRAY_OPEN) {
899         if (s->media_event) {
900             event_code = MEC_NEW_MEDIA;
901             s->media_event = false;
902         } else if (s->eject_request) {
903             event_code = MEC_EJECT_REQUESTED;
904             s->eject_request = false;
905         }
906     }
907 
908     outbuf[0] = event_code;
909     outbuf[1] = media_status;
910 
911     /* These fields are reserved, just clear them. */
912     outbuf[2] = 0;
913     outbuf[3] = 0;
914     return 4;
915 }
916 
917 static int scsi_get_event_status_notification(SCSIDiskState *s, SCSIDiskReq *r,
918                                               uint8_t *outbuf)
919 {
920     int size;
921     uint8_t *buf = r->req.cmd.buf;
922     uint8_t notification_class_request = buf[4];
923     if (s->qdev.type != TYPE_ROM) {
924         return -1;
925     }
926     if ((buf[1] & 1) == 0) {
927         /* asynchronous */
928         return -1;
929     }
930 
931     size = 4;
932     outbuf[0] = outbuf[1] = 0;
933     outbuf[3] = 1 << GESN_MEDIA; /* supported events */
934     if (notification_class_request & (1 << GESN_MEDIA)) {
935         outbuf[2] = GESN_MEDIA;
936         size += scsi_event_status_media(s, &outbuf[size]);
937     } else {
938         outbuf[2] = 0x80;
939     }
940     stw_be_p(outbuf, size - 4);
941     return size;
942 }
943 
944 static int scsi_get_configuration(SCSIDiskState *s, uint8_t *outbuf)
945 {
946     int current;
947 
948     if (s->qdev.type != TYPE_ROM) {
949         return -1;
950     }
951     current = media_is_dvd(s) ? MMC_PROFILE_DVD_ROM : MMC_PROFILE_CD_ROM;
952     memset(outbuf, 0, 40);
953     stl_be_p(&outbuf[0], 36); /* Bytes after the data length field */
954     stw_be_p(&outbuf[6], current);
955     /* outbuf[8] - outbuf[19]: Feature 0 - Profile list */
956     outbuf[10] = 0x03; /* persistent, current */
957     outbuf[11] = 8; /* two profiles */
958     stw_be_p(&outbuf[12], MMC_PROFILE_DVD_ROM);
959     outbuf[14] = (current == MMC_PROFILE_DVD_ROM);
960     stw_be_p(&outbuf[16], MMC_PROFILE_CD_ROM);
961     outbuf[18] = (current == MMC_PROFILE_CD_ROM);
962     /* outbuf[20] - outbuf[31]: Feature 1 - Core feature */
963     stw_be_p(&outbuf[20], 1);
964     outbuf[22] = 0x08 | 0x03; /* version 2, persistent, current */
965     outbuf[23] = 8;
966     stl_be_p(&outbuf[24], 1); /* SCSI */
967     outbuf[28] = 1; /* DBE = 1, mandatory */
968     /* outbuf[32] - outbuf[39]: Feature 3 - Removable media feature */
969     stw_be_p(&outbuf[32], 3);
970     outbuf[34] = 0x08 | 0x03; /* version 2, persistent, current */
971     outbuf[35] = 4;
972     outbuf[36] = 0x39; /* tray, load=1, eject=1, unlocked at powerup, lock=1 */
973     /* TODO: Random readable, CD read, DVD read, drive serial number,
974        power management */
975     return 40;
976 }
977 
978 static int scsi_emulate_mechanism_status(SCSIDiskState *s, uint8_t *outbuf)
979 {
980     if (s->qdev.type != TYPE_ROM) {
981         return -1;
982     }
983     memset(outbuf, 0, 8);
984     outbuf[5] = 1; /* CD-ROM */
985     return 8;
986 }
987 
988 static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf,
989                            int page_control)
990 {
991     static const int mode_sense_valid[0x3f] = {
992         [MODE_PAGE_HD_GEOMETRY]            = (1 << TYPE_DISK),
993         [MODE_PAGE_FLEXIBLE_DISK_GEOMETRY] = (1 << TYPE_DISK),
994         [MODE_PAGE_CACHING]                = (1 << TYPE_DISK) | (1 << TYPE_ROM),
995         [MODE_PAGE_R_W_ERROR]              = (1 << TYPE_DISK) | (1 << TYPE_ROM),
996         [MODE_PAGE_AUDIO_CTL]              = (1 << TYPE_ROM),
997         [MODE_PAGE_CAPABILITIES]           = (1 << TYPE_ROM),
998     };
999 
1000     uint8_t *p = *p_outbuf + 2;
1001     int length;
1002 
1003     if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) {
1004         return -1;
1005     }
1006 
1007     /*
1008      * If Changeable Values are requested, a mask denoting those mode parameters
1009      * that are changeable shall be returned. As we currently don't support
1010      * parameter changes via MODE_SELECT all bits are returned set to zero.
1011      * The buffer was already menset to zero by the caller of this function.
1012      *
1013      * The offsets here are off by two compared to the descriptions in the
1014      * SCSI specs, because those include a 2-byte header.  This is unfortunate,
1015      * but it is done so that offsets are consistent within our implementation
1016      * of MODE SENSE and MODE SELECT.  MODE SELECT has to deal with both
1017      * 2-byte and 4-byte headers.
1018      */
1019     switch (page) {
1020     case MODE_PAGE_HD_GEOMETRY:
1021         length = 0x16;
1022         if (page_control == 1) { /* Changeable Values */
1023             break;
1024         }
1025         /* if a geometry hint is available, use it */
1026         p[0] = (s->qdev.conf.cyls >> 16) & 0xff;
1027         p[1] = (s->qdev.conf.cyls >> 8) & 0xff;
1028         p[2] = s->qdev.conf.cyls & 0xff;
1029         p[3] = s->qdev.conf.heads & 0xff;
1030         /* Write precomp start cylinder, disabled */
1031         p[4] = (s->qdev.conf.cyls >> 16) & 0xff;
1032         p[5] = (s->qdev.conf.cyls >> 8) & 0xff;
1033         p[6] = s->qdev.conf.cyls & 0xff;
1034         /* Reduced current start cylinder, disabled */
1035         p[7] = (s->qdev.conf.cyls >> 16) & 0xff;
1036         p[8] = (s->qdev.conf.cyls >> 8) & 0xff;
1037         p[9] = s->qdev.conf.cyls & 0xff;
1038         /* Device step rate [ns], 200ns */
1039         p[10] = 0;
1040         p[11] = 200;
1041         /* Landing zone cylinder */
1042         p[12] = 0xff;
1043         p[13] =  0xff;
1044         p[14] = 0xff;
1045         /* Medium rotation rate [rpm], 5400 rpm */
1046         p[18] = (5400 >> 8) & 0xff;
1047         p[19] = 5400 & 0xff;
1048         break;
1049 
1050     case MODE_PAGE_FLEXIBLE_DISK_GEOMETRY:
1051         length = 0x1e;
1052         if (page_control == 1) { /* Changeable Values */
1053             break;
1054         }
1055         /* Transfer rate [kbit/s], 5Mbit/s */
1056         p[0] = 5000 >> 8;
1057         p[1] = 5000 & 0xff;
1058         /* if a geometry hint is available, use it */
1059         p[2] = s->qdev.conf.heads & 0xff;
1060         p[3] = s->qdev.conf.secs & 0xff;
1061         p[4] = s->qdev.blocksize >> 8;
1062         p[6] = (s->qdev.conf.cyls >> 8) & 0xff;
1063         p[7] = s->qdev.conf.cyls & 0xff;
1064         /* Write precomp start cylinder, disabled */
1065         p[8] = (s->qdev.conf.cyls >> 8) & 0xff;
1066         p[9] = s->qdev.conf.cyls & 0xff;
1067         /* Reduced current start cylinder, disabled */
1068         p[10] = (s->qdev.conf.cyls >> 8) & 0xff;
1069         p[11] = s->qdev.conf.cyls & 0xff;
1070         /* Device step rate [100us], 100us */
1071         p[12] = 0;
1072         p[13] = 1;
1073         /* Device step pulse width [us], 1us */
1074         p[14] = 1;
1075         /* Device head settle delay [100us], 100us */
1076         p[15] = 0;
1077         p[16] = 1;
1078         /* Motor on delay [0.1s], 0.1s */
1079         p[17] = 1;
1080         /* Motor off delay [0.1s], 0.1s */
1081         p[18] = 1;
1082         /* Medium rotation rate [rpm], 5400 rpm */
1083         p[26] = (5400 >> 8) & 0xff;
1084         p[27] = 5400 & 0xff;
1085         break;
1086 
1087     case MODE_PAGE_CACHING:
1088         length = 0x12;
1089         if (page_control == 1 || /* Changeable Values */
1090             bdrv_enable_write_cache(s->qdev.conf.bs)) {
1091             p[0] = 4; /* WCE */
1092         }
1093         break;
1094 
1095     case MODE_PAGE_R_W_ERROR:
1096         length = 10;
1097         if (page_control == 1) { /* Changeable Values */
1098             break;
1099         }
1100         p[0] = 0x80; /* Automatic Write Reallocation Enabled */
1101         if (s->qdev.type == TYPE_ROM) {
1102             p[1] = 0x20; /* Read Retry Count */
1103         }
1104         break;
1105 
1106     case MODE_PAGE_AUDIO_CTL:
1107         length = 14;
1108         break;
1109 
1110     case MODE_PAGE_CAPABILITIES:
1111         length = 0x14;
1112         if (page_control == 1) { /* Changeable Values */
1113             break;
1114         }
1115 
1116         p[0] = 0x3b; /* CD-R & CD-RW read */
1117         p[1] = 0; /* Writing not supported */
1118         p[2] = 0x7f; /* Audio, composite, digital out,
1119                         mode 2 form 1&2, multi session */
1120         p[3] = 0xff; /* CD DA, DA accurate, RW supported,
1121                         RW corrected, C2 errors, ISRC,
1122                         UPC, Bar code */
1123         p[4] = 0x2d | (s->tray_locked ? 2 : 0);
1124         /* Locking supported, jumper present, eject, tray */
1125         p[5] = 0; /* no volume & mute control, no
1126                      changer */
1127         p[6] = (50 * 176) >> 8; /* 50x read speed */
1128         p[7] = (50 * 176) & 0xff;
1129         p[8] = 2 >> 8; /* Two volume levels */
1130         p[9] = 2 & 0xff;
1131         p[10] = 2048 >> 8; /* 2M buffer */
1132         p[11] = 2048 & 0xff;
1133         p[12] = (16 * 176) >> 8; /* 16x read speed current */
1134         p[13] = (16 * 176) & 0xff;
1135         p[16] = (16 * 176) >> 8; /* 16x write speed */
1136         p[17] = (16 * 176) & 0xff;
1137         p[18] = (16 * 176) >> 8; /* 16x write speed current */
1138         p[19] = (16 * 176) & 0xff;
1139         break;
1140 
1141     default:
1142         return -1;
1143     }
1144 
1145     assert(length < 256);
1146     (*p_outbuf)[0] = page;
1147     (*p_outbuf)[1] = length;
1148     *p_outbuf += length + 2;
1149     return length + 2;
1150 }
1151 
1152 static int scsi_disk_emulate_mode_sense(SCSIDiskReq *r, uint8_t *outbuf)
1153 {
1154     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1155     uint64_t nb_sectors;
1156     bool dbd;
1157     int page, buflen, ret, page_control;
1158     uint8_t *p;
1159     uint8_t dev_specific_param;
1160 
1161     dbd = (r->req.cmd.buf[1] & 0x8) != 0;
1162     page = r->req.cmd.buf[2] & 0x3f;
1163     page_control = (r->req.cmd.buf[2] & 0xc0) >> 6;
1164     DPRINTF("Mode Sense(%d) (page %d, xfer %zd, page_control %d)\n",
1165         (r->req.cmd.buf[0] == MODE_SENSE) ? 6 : 10, page, r->req.cmd.xfer, page_control);
1166     memset(outbuf, 0, r->req.cmd.xfer);
1167     p = outbuf;
1168 
1169     if (s->qdev.type == TYPE_DISK) {
1170         dev_specific_param = s->features & (1 << SCSI_DISK_F_DPOFUA) ? 0x10 : 0;
1171         if (bdrv_is_read_only(s->qdev.conf.bs)) {
1172             dev_specific_param |= 0x80; /* Readonly.  */
1173         }
1174     } else {
1175         /* MMC prescribes that CD/DVD drives have no block descriptors,
1176          * and defines no device-specific parameter.  */
1177         dev_specific_param = 0x00;
1178         dbd = true;
1179     }
1180 
1181     if (r->req.cmd.buf[0] == MODE_SENSE) {
1182         p[1] = 0; /* Default media type.  */
1183         p[2] = dev_specific_param;
1184         p[3] = 0; /* Block descriptor length.  */
1185         p += 4;
1186     } else { /* MODE_SENSE_10 */
1187         p[2] = 0; /* Default media type.  */
1188         p[3] = dev_specific_param;
1189         p[6] = p[7] = 0; /* Block descriptor length.  */
1190         p += 8;
1191     }
1192 
1193     bdrv_get_geometry(s->qdev.conf.bs, &nb_sectors);
1194     if (!dbd && nb_sectors) {
1195         if (r->req.cmd.buf[0] == MODE_SENSE) {
1196             outbuf[3] = 8; /* Block descriptor length  */
1197         } else { /* MODE_SENSE_10 */
1198             outbuf[7] = 8; /* Block descriptor length  */
1199         }
1200         nb_sectors /= (s->qdev.blocksize / 512);
1201         if (nb_sectors > 0xffffff) {
1202             nb_sectors = 0;
1203         }
1204         p[0] = 0; /* media density code */
1205         p[1] = (nb_sectors >> 16) & 0xff;
1206         p[2] = (nb_sectors >> 8) & 0xff;
1207         p[3] = nb_sectors & 0xff;
1208         p[4] = 0; /* reserved */
1209         p[5] = 0; /* bytes 5-7 are the sector size in bytes */
1210         p[6] = s->qdev.blocksize >> 8;
1211         p[7] = 0;
1212         p += 8;
1213     }
1214 
1215     if (page_control == 3) {
1216         /* Saved Values */
1217         scsi_check_condition(r, SENSE_CODE(SAVING_PARAMS_NOT_SUPPORTED));
1218         return -1;
1219     }
1220 
1221     if (page == 0x3f) {
1222         for (page = 0; page <= 0x3e; page++) {
1223             mode_sense_page(s, page, &p, page_control);
1224         }
1225     } else {
1226         ret = mode_sense_page(s, page, &p, page_control);
1227         if (ret == -1) {
1228             return -1;
1229         }
1230     }
1231 
1232     buflen = p - outbuf;
1233     /*
1234      * The mode data length field specifies the length in bytes of the
1235      * following data that is available to be transferred. The mode data
1236      * length does not include itself.
1237      */
1238     if (r->req.cmd.buf[0] == MODE_SENSE) {
1239         outbuf[0] = buflen - 1;
1240     } else { /* MODE_SENSE_10 */
1241         outbuf[0] = ((buflen - 2) >> 8) & 0xff;
1242         outbuf[1] = (buflen - 2) & 0xff;
1243     }
1244     return buflen;
1245 }
1246 
1247 static int scsi_disk_emulate_read_toc(SCSIRequest *req, uint8_t *outbuf)
1248 {
1249     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1250     int start_track, format, msf, toclen;
1251     uint64_t nb_sectors;
1252 
1253     msf = req->cmd.buf[1] & 2;
1254     format = req->cmd.buf[2] & 0xf;
1255     start_track = req->cmd.buf[6];
1256     bdrv_get_geometry(s->qdev.conf.bs, &nb_sectors);
1257     DPRINTF("Read TOC (track %d format %d msf %d)\n", start_track, format, msf >> 1);
1258     nb_sectors /= s->qdev.blocksize / 512;
1259     switch (format) {
1260     case 0:
1261         toclen = cdrom_read_toc(nb_sectors, outbuf, msf, start_track);
1262         break;
1263     case 1:
1264         /* multi session : only a single session defined */
1265         toclen = 12;
1266         memset(outbuf, 0, 12);
1267         outbuf[1] = 0x0a;
1268         outbuf[2] = 0x01;
1269         outbuf[3] = 0x01;
1270         break;
1271     case 2:
1272         toclen = cdrom_read_toc_raw(nb_sectors, outbuf, msf, start_track);
1273         break;
1274     default:
1275         return -1;
1276     }
1277     return toclen;
1278 }
1279 
1280 static int scsi_disk_emulate_start_stop(SCSIDiskReq *r)
1281 {
1282     SCSIRequest *req = &r->req;
1283     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1284     bool start = req->cmd.buf[4] & 1;
1285     bool loej = req->cmd.buf[4] & 2; /* load on start, eject on !start */
1286     int pwrcnd = req->cmd.buf[4] & 0xf0;
1287 
1288     if (pwrcnd) {
1289         /* eject/load only happens for power condition == 0 */
1290         return 0;
1291     }
1292 
1293     if ((s->features & (1 << SCSI_DISK_F_REMOVABLE)) && loej) {
1294         if (!start && !s->tray_open && s->tray_locked) {
1295             scsi_check_condition(r,
1296                                  bdrv_is_inserted(s->qdev.conf.bs)
1297                                  ? SENSE_CODE(ILLEGAL_REQ_REMOVAL_PREVENTED)
1298                                  : SENSE_CODE(NOT_READY_REMOVAL_PREVENTED));
1299             return -1;
1300         }
1301 
1302         if (s->tray_open != !start) {
1303             bdrv_eject(s->qdev.conf.bs, !start);
1304             s->tray_open = !start;
1305         }
1306     }
1307     return 0;
1308 }
1309 
1310 static void scsi_disk_emulate_read_data(SCSIRequest *req)
1311 {
1312     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
1313     int buflen = r->iov.iov_len;
1314 
1315     if (buflen) {
1316         DPRINTF("Read buf_len=%d\n", buflen);
1317         r->iov.iov_len = 0;
1318         r->started = true;
1319         scsi_req_data(&r->req, buflen);
1320         return;
1321     }
1322 
1323     /* This also clears the sense buffer for REQUEST SENSE.  */
1324     scsi_req_complete(&r->req, GOOD);
1325 }
1326 
1327 static int scsi_disk_check_mode_select(SCSIDiskState *s, int page,
1328                                        uint8_t *inbuf, int inlen)
1329 {
1330     uint8_t mode_current[SCSI_MAX_MODE_LEN];
1331     uint8_t mode_changeable[SCSI_MAX_MODE_LEN];
1332     uint8_t *p;
1333     int len, expected_len, changeable_len, i;
1334 
1335     /* The input buffer does not include the page header, so it is
1336      * off by 2 bytes.
1337      */
1338     expected_len = inlen + 2;
1339     if (expected_len > SCSI_MAX_MODE_LEN) {
1340         return -1;
1341     }
1342 
1343     p = mode_current;
1344     memset(mode_current, 0, inlen + 2);
1345     len = mode_sense_page(s, page, &p, 0);
1346     if (len < 0 || len != expected_len) {
1347         return -1;
1348     }
1349 
1350     p = mode_changeable;
1351     memset(mode_changeable, 0, inlen + 2);
1352     changeable_len = mode_sense_page(s, page, &p, 1);
1353     assert(changeable_len == len);
1354 
1355     /* Check that unchangeable bits are the same as what MODE SENSE
1356      * would return.
1357      */
1358     for (i = 2; i < len; i++) {
1359         if (((mode_current[i] ^ inbuf[i - 2]) & ~mode_changeable[i]) != 0) {
1360             return -1;
1361         }
1362     }
1363     return 0;
1364 }
1365 
1366 static void scsi_disk_apply_mode_select(SCSIDiskState *s, int page, uint8_t *p)
1367 {
1368     switch (page) {
1369     case MODE_PAGE_CACHING:
1370         bdrv_set_enable_write_cache(s->qdev.conf.bs, (p[0] & 4) != 0);
1371         break;
1372 
1373     default:
1374         break;
1375     }
1376 }
1377 
1378 static int mode_select_pages(SCSIDiskReq *r, uint8_t *p, int len, bool change)
1379 {
1380     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1381 
1382     while (len > 0) {
1383         int page, subpage, page_len;
1384 
1385         /* Parse both possible formats for the mode page headers.  */
1386         page = p[0] & 0x3f;
1387         if (p[0] & 0x40) {
1388             if (len < 4) {
1389                 goto invalid_param_len;
1390             }
1391             subpage = p[1];
1392             page_len = lduw_be_p(&p[2]);
1393             p += 4;
1394             len -= 4;
1395         } else {
1396             if (len < 2) {
1397                 goto invalid_param_len;
1398             }
1399             subpage = 0;
1400             page_len = p[1];
1401             p += 2;
1402             len -= 2;
1403         }
1404 
1405         if (subpage) {
1406             goto invalid_param;
1407         }
1408         if (page_len > len) {
1409             goto invalid_param_len;
1410         }
1411 
1412         if (!change) {
1413             if (scsi_disk_check_mode_select(s, page, p, page_len) < 0) {
1414                 goto invalid_param;
1415             }
1416         } else {
1417             scsi_disk_apply_mode_select(s, page, p);
1418         }
1419 
1420         p += page_len;
1421         len -= page_len;
1422     }
1423     return 0;
1424 
1425 invalid_param:
1426     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM));
1427     return -1;
1428 
1429 invalid_param_len:
1430     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM_LEN));
1431     return -1;
1432 }
1433 
1434 static void scsi_disk_emulate_mode_select(SCSIDiskReq *r, uint8_t *inbuf)
1435 {
1436     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1437     uint8_t *p = inbuf;
1438     int cmd = r->req.cmd.buf[0];
1439     int len = r->req.cmd.xfer;
1440     int hdr_len = (cmd == MODE_SELECT ? 4 : 8);
1441     int bd_len;
1442     int pass;
1443 
1444     /* We only support PF=1, SP=0.  */
1445     if ((r->req.cmd.buf[1] & 0x11) != 0x10) {
1446         goto invalid_field;
1447     }
1448 
1449     if (len < hdr_len) {
1450         goto invalid_param_len;
1451     }
1452 
1453     bd_len = (cmd == MODE_SELECT ? p[3] : lduw_be_p(&p[6]));
1454     len -= hdr_len;
1455     p += hdr_len;
1456     if (len < bd_len) {
1457         goto invalid_param_len;
1458     }
1459     if (bd_len != 0 && bd_len != 8) {
1460         goto invalid_param;
1461     }
1462 
1463     len -= bd_len;
1464     p += bd_len;
1465 
1466     /* Ensure no change is made if there is an error!  */
1467     for (pass = 0; pass < 2; pass++) {
1468         if (mode_select_pages(r, p, len, pass == 1) < 0) {
1469             assert(pass == 0);
1470             return;
1471         }
1472     }
1473     if (!bdrv_enable_write_cache(s->qdev.conf.bs)) {
1474         /* The request is used as the AIO opaque value, so add a ref.  */
1475         scsi_req_ref(&r->req);
1476         bdrv_acct_start(s->qdev.conf.bs, &r->acct, 0, BDRV_ACCT_FLUSH);
1477         r->req.aiocb = bdrv_aio_flush(s->qdev.conf.bs, scsi_aio_complete, r);
1478         return;
1479     }
1480 
1481     scsi_req_complete(&r->req, GOOD);
1482     return;
1483 
1484 invalid_param:
1485     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM));
1486     return;
1487 
1488 invalid_param_len:
1489     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM_LEN));
1490     return;
1491 
1492 invalid_field:
1493     scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1494 }
1495 
1496 static inline bool check_lba_range(SCSIDiskState *s,
1497                                    uint64_t sector_num, uint32_t nb_sectors)
1498 {
1499     /*
1500      * The first line tests that no overflow happens when computing the last
1501      * sector.  The second line tests that the last accessed sector is in
1502      * range.
1503      *
1504      * Careful, the computations should not underflow for nb_sectors == 0,
1505      * and a 0-block read to the first LBA beyond the end of device is
1506      * valid.
1507      */
1508     return (sector_num <= sector_num + nb_sectors &&
1509             sector_num + nb_sectors <= s->qdev.max_lba + 1);
1510 }
1511 
1512 typedef struct UnmapCBData {
1513     SCSIDiskReq *r;
1514     uint8_t *inbuf;
1515     int count;
1516 } UnmapCBData;
1517 
1518 static void scsi_unmap_complete(void *opaque, int ret)
1519 {
1520     UnmapCBData *data = opaque;
1521     SCSIDiskReq *r = data->r;
1522     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1523     uint64_t sector_num;
1524     uint32_t nb_sectors;
1525 
1526     r->req.aiocb = NULL;
1527     if (r->req.io_canceled) {
1528         goto done;
1529     }
1530 
1531     if (ret < 0) {
1532         if (scsi_handle_rw_error(r, -ret)) {
1533             goto done;
1534         }
1535     }
1536 
1537     if (data->count > 0) {
1538         sector_num = ldq_be_p(&data->inbuf[0]);
1539         nb_sectors = ldl_be_p(&data->inbuf[8]) & 0xffffffffULL;
1540         if (!check_lba_range(s, sector_num, nb_sectors)) {
1541             scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
1542             goto done;
1543         }
1544 
1545         r->req.aiocb = bdrv_aio_discard(s->qdev.conf.bs,
1546                                         sector_num * (s->qdev.blocksize / 512),
1547                                         nb_sectors * (s->qdev.blocksize / 512),
1548                                         scsi_unmap_complete, data);
1549         data->count--;
1550         data->inbuf += 16;
1551         return;
1552     }
1553 
1554     scsi_req_complete(&r->req, GOOD);
1555 
1556 done:
1557     if (!r->req.io_canceled) {
1558         scsi_req_unref(&r->req);
1559     }
1560     g_free(data);
1561 }
1562 
1563 static void scsi_disk_emulate_unmap(SCSIDiskReq *r, uint8_t *inbuf)
1564 {
1565     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1566     uint8_t *p = inbuf;
1567     int len = r->req.cmd.xfer;
1568     UnmapCBData *data;
1569 
1570     /* Reject ANCHOR=1.  */
1571     if (r->req.cmd.buf[1] & 0x1) {
1572         goto invalid_field;
1573     }
1574 
1575     if (len < 8) {
1576         goto invalid_param_len;
1577     }
1578     if (len < lduw_be_p(&p[0]) + 2) {
1579         goto invalid_param_len;
1580     }
1581     if (len < lduw_be_p(&p[2]) + 8) {
1582         goto invalid_param_len;
1583     }
1584     if (lduw_be_p(&p[2]) & 15) {
1585         goto invalid_param_len;
1586     }
1587 
1588     if (bdrv_is_read_only(s->qdev.conf.bs)) {
1589         scsi_check_condition(r, SENSE_CODE(WRITE_PROTECTED));
1590         return;
1591     }
1592 
1593     data = g_new0(UnmapCBData, 1);
1594     data->r = r;
1595     data->inbuf = &p[8];
1596     data->count = lduw_be_p(&p[2]) >> 4;
1597 
1598     /* The matching unref is in scsi_unmap_complete, before data is freed.  */
1599     scsi_req_ref(&r->req);
1600     scsi_unmap_complete(data, 0);
1601     return;
1602 
1603 invalid_param_len:
1604     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM_LEN));
1605     return;
1606 
1607 invalid_field:
1608     scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1609 }
1610 
1611 typedef struct WriteSameCBData {
1612     SCSIDiskReq *r;
1613     int64_t sector;
1614     int nb_sectors;
1615     QEMUIOVector qiov;
1616     struct iovec iov;
1617 } WriteSameCBData;
1618 
1619 static void scsi_write_same_complete(void *opaque, int ret)
1620 {
1621     WriteSameCBData *data = opaque;
1622     SCSIDiskReq *r = data->r;
1623     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1624 
1625     assert(r->req.aiocb != NULL);
1626     r->req.aiocb = NULL;
1627     bdrv_acct_done(s->qdev.conf.bs, &r->acct);
1628     if (r->req.io_canceled) {
1629         goto done;
1630     }
1631 
1632     if (ret < 0) {
1633         if (scsi_handle_rw_error(r, -ret)) {
1634             goto done;
1635         }
1636     }
1637 
1638     data->nb_sectors -= data->iov.iov_len / 512;
1639     data->sector += data->iov.iov_len / 512;
1640     data->iov.iov_len = MIN(data->nb_sectors * 512, data->iov.iov_len);
1641     if (data->iov.iov_len) {
1642         bdrv_acct_start(s->qdev.conf.bs, &r->acct, data->iov.iov_len, BDRV_ACCT_WRITE);
1643         r->req.aiocb = bdrv_aio_writev(s->qdev.conf.bs, data->sector,
1644                                        &data->qiov, data->iov.iov_len / 512,
1645                                        scsi_write_same_complete, data);
1646         return;
1647     }
1648 
1649     scsi_req_complete(&r->req, GOOD);
1650 
1651 done:
1652     if (!r->req.io_canceled) {
1653         scsi_req_unref(&r->req);
1654     }
1655     qemu_vfree(data->iov.iov_base);
1656     g_free(data);
1657 }
1658 
1659 static void scsi_disk_emulate_write_same(SCSIDiskReq *r, uint8_t *inbuf)
1660 {
1661     SCSIRequest *req = &r->req;
1662     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1663     uint32_t nb_sectors = scsi_data_cdb_length(r->req.cmd.buf);
1664     WriteSameCBData *data;
1665     uint8_t *buf;
1666     int i;
1667 
1668     /* Fail if PBDATA=1 or LBDATA=1 or ANCHOR=1.  */
1669     if (nb_sectors == 0 || (req->cmd.buf[1] & 0x16)) {
1670         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1671         return;
1672     }
1673 
1674     if (bdrv_is_read_only(s->qdev.conf.bs)) {
1675         scsi_check_condition(r, SENSE_CODE(WRITE_PROTECTED));
1676         return;
1677     }
1678     if (!check_lba_range(s, r->req.cmd.lba, nb_sectors)) {
1679         scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
1680         return;
1681     }
1682 
1683     if (buffer_is_zero(inbuf, s->qdev.blocksize)) {
1684         int flags = (req->cmd.buf[1] & 0x8) ? BDRV_REQ_MAY_UNMAP : 0;
1685 
1686         /* The request is used as the AIO opaque value, so add a ref.  */
1687         scsi_req_ref(&r->req);
1688         bdrv_acct_start(s->qdev.conf.bs, &r->acct, nb_sectors * s->qdev.blocksize,
1689                         BDRV_ACCT_WRITE);
1690         r->req.aiocb = bdrv_aio_write_zeroes(s->qdev.conf.bs,
1691                                              r->req.cmd.lba * (s->qdev.blocksize / 512),
1692                                              nb_sectors * (s->qdev.blocksize / 512),
1693                                              flags, scsi_aio_complete, r);
1694         return;
1695     }
1696 
1697     data = g_new0(WriteSameCBData, 1);
1698     data->r = r;
1699     data->sector = r->req.cmd.lba * (s->qdev.blocksize / 512);
1700     data->nb_sectors = nb_sectors * (s->qdev.blocksize / 512);
1701     data->iov.iov_len = MIN(data->nb_sectors * 512, SCSI_WRITE_SAME_MAX);
1702     data->iov.iov_base = buf = qemu_blockalign(s->qdev.conf.bs, data->iov.iov_len);
1703     qemu_iovec_init_external(&data->qiov, &data->iov, 1);
1704 
1705     for (i = 0; i < data->iov.iov_len; i += s->qdev.blocksize) {
1706         memcpy(&buf[i], inbuf, s->qdev.blocksize);
1707     }
1708 
1709     scsi_req_ref(&r->req);
1710     bdrv_acct_start(s->qdev.conf.bs, &r->acct, data->iov.iov_len, BDRV_ACCT_WRITE);
1711     r->req.aiocb = bdrv_aio_writev(s->qdev.conf.bs, data->sector,
1712                                    &data->qiov, data->iov.iov_len / 512,
1713                                    scsi_write_same_complete, data);
1714 }
1715 
1716 static void scsi_disk_emulate_write_data(SCSIRequest *req)
1717 {
1718     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
1719 
1720     if (r->iov.iov_len) {
1721         int buflen = r->iov.iov_len;
1722         DPRINTF("Write buf_len=%d\n", buflen);
1723         r->iov.iov_len = 0;
1724         scsi_req_data(&r->req, buflen);
1725         return;
1726     }
1727 
1728     switch (req->cmd.buf[0]) {
1729     case MODE_SELECT:
1730     case MODE_SELECT_10:
1731         /* This also clears the sense buffer for REQUEST SENSE.  */
1732         scsi_disk_emulate_mode_select(r, r->iov.iov_base);
1733         break;
1734 
1735     case UNMAP:
1736         scsi_disk_emulate_unmap(r, r->iov.iov_base);
1737         break;
1738 
1739     case VERIFY_10:
1740     case VERIFY_12:
1741     case VERIFY_16:
1742         if (r->req.status == -1) {
1743             scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1744         }
1745         break;
1746 
1747     case WRITE_SAME_10:
1748     case WRITE_SAME_16:
1749         scsi_disk_emulate_write_same(r, r->iov.iov_base);
1750         break;
1751 
1752     default:
1753         abort();
1754     }
1755 }
1756 
1757 static int32_t scsi_disk_emulate_command(SCSIRequest *req, uint8_t *buf)
1758 {
1759     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
1760     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1761     uint64_t nb_sectors;
1762     uint8_t *outbuf;
1763     int buflen;
1764 
1765     switch (req->cmd.buf[0]) {
1766     case INQUIRY:
1767     case MODE_SENSE:
1768     case MODE_SENSE_10:
1769     case RESERVE:
1770     case RESERVE_10:
1771     case RELEASE:
1772     case RELEASE_10:
1773     case START_STOP:
1774     case ALLOW_MEDIUM_REMOVAL:
1775     case GET_CONFIGURATION:
1776     case GET_EVENT_STATUS_NOTIFICATION:
1777     case MECHANISM_STATUS:
1778     case REQUEST_SENSE:
1779         break;
1780 
1781     default:
1782         if (s->tray_open || !bdrv_is_inserted(s->qdev.conf.bs)) {
1783             scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
1784             return 0;
1785         }
1786         break;
1787     }
1788 
1789     /*
1790      * FIXME: we shouldn't return anything bigger than 4k, but the code
1791      * requires the buffer to be as big as req->cmd.xfer in several
1792      * places.  So, do not allow CDBs with a very large ALLOCATION
1793      * LENGTH.  The real fix would be to modify scsi_read_data and
1794      * dma_buf_read, so that they return data beyond the buflen
1795      * as all zeros.
1796      */
1797     if (req->cmd.xfer > 65536) {
1798         goto illegal_request;
1799     }
1800     r->buflen = MAX(4096, req->cmd.xfer);
1801 
1802     if (!r->iov.iov_base) {
1803         r->iov.iov_base = qemu_blockalign(s->qdev.conf.bs, r->buflen);
1804     }
1805 
1806     buflen = req->cmd.xfer;
1807     outbuf = r->iov.iov_base;
1808     memset(outbuf, 0, r->buflen);
1809     switch (req->cmd.buf[0]) {
1810     case TEST_UNIT_READY:
1811         assert(!s->tray_open && bdrv_is_inserted(s->qdev.conf.bs));
1812         break;
1813     case INQUIRY:
1814         buflen = scsi_disk_emulate_inquiry(req, outbuf);
1815         if (buflen < 0) {
1816             goto illegal_request;
1817         }
1818         break;
1819     case MODE_SENSE:
1820     case MODE_SENSE_10:
1821         buflen = scsi_disk_emulate_mode_sense(r, outbuf);
1822         if (buflen < 0) {
1823             goto illegal_request;
1824         }
1825         break;
1826     case READ_TOC:
1827         buflen = scsi_disk_emulate_read_toc(req, outbuf);
1828         if (buflen < 0) {
1829             goto illegal_request;
1830         }
1831         break;
1832     case RESERVE:
1833         if (req->cmd.buf[1] & 1) {
1834             goto illegal_request;
1835         }
1836         break;
1837     case RESERVE_10:
1838         if (req->cmd.buf[1] & 3) {
1839             goto illegal_request;
1840         }
1841         break;
1842     case RELEASE:
1843         if (req->cmd.buf[1] & 1) {
1844             goto illegal_request;
1845         }
1846         break;
1847     case RELEASE_10:
1848         if (req->cmd.buf[1] & 3) {
1849             goto illegal_request;
1850         }
1851         break;
1852     case START_STOP:
1853         if (scsi_disk_emulate_start_stop(r) < 0) {
1854             return 0;
1855         }
1856         break;
1857     case ALLOW_MEDIUM_REMOVAL:
1858         s->tray_locked = req->cmd.buf[4] & 1;
1859         bdrv_lock_medium(s->qdev.conf.bs, req->cmd.buf[4] & 1);
1860         break;
1861     case READ_CAPACITY_10:
1862         /* The normal LEN field for this command is zero.  */
1863         memset(outbuf, 0, 8);
1864         bdrv_get_geometry(s->qdev.conf.bs, &nb_sectors);
1865         if (!nb_sectors) {
1866             scsi_check_condition(r, SENSE_CODE(LUN_NOT_READY));
1867             return 0;
1868         }
1869         if ((req->cmd.buf[8] & 1) == 0 && req->cmd.lba) {
1870             goto illegal_request;
1871         }
1872         nb_sectors /= s->qdev.blocksize / 512;
1873         /* Returned value is the address of the last sector.  */
1874         nb_sectors--;
1875         /* Remember the new size for read/write sanity checking. */
1876         s->qdev.max_lba = nb_sectors;
1877         /* Clip to 2TB, instead of returning capacity modulo 2TB. */
1878         if (nb_sectors > UINT32_MAX) {
1879             nb_sectors = UINT32_MAX;
1880         }
1881         outbuf[0] = (nb_sectors >> 24) & 0xff;
1882         outbuf[1] = (nb_sectors >> 16) & 0xff;
1883         outbuf[2] = (nb_sectors >> 8) & 0xff;
1884         outbuf[3] = nb_sectors & 0xff;
1885         outbuf[4] = 0;
1886         outbuf[5] = 0;
1887         outbuf[6] = s->qdev.blocksize >> 8;
1888         outbuf[7] = 0;
1889         break;
1890     case REQUEST_SENSE:
1891         /* Just return "NO SENSE".  */
1892         buflen = scsi_build_sense(NULL, 0, outbuf, r->buflen,
1893                                   (req->cmd.buf[1] & 1) == 0);
1894         if (buflen < 0) {
1895             goto illegal_request;
1896         }
1897         break;
1898     case MECHANISM_STATUS:
1899         buflen = scsi_emulate_mechanism_status(s, outbuf);
1900         if (buflen < 0) {
1901             goto illegal_request;
1902         }
1903         break;
1904     case GET_CONFIGURATION:
1905         buflen = scsi_get_configuration(s, outbuf);
1906         if (buflen < 0) {
1907             goto illegal_request;
1908         }
1909         break;
1910     case GET_EVENT_STATUS_NOTIFICATION:
1911         buflen = scsi_get_event_status_notification(s, r, outbuf);
1912         if (buflen < 0) {
1913             goto illegal_request;
1914         }
1915         break;
1916     case READ_DISC_INFORMATION:
1917         buflen = scsi_read_disc_information(s, r, outbuf);
1918         if (buflen < 0) {
1919             goto illegal_request;
1920         }
1921         break;
1922     case READ_DVD_STRUCTURE:
1923         buflen = scsi_read_dvd_structure(s, r, outbuf);
1924         if (buflen < 0) {
1925             goto illegal_request;
1926         }
1927         break;
1928     case SERVICE_ACTION_IN_16:
1929         /* Service Action In subcommands. */
1930         if ((req->cmd.buf[1] & 31) == SAI_READ_CAPACITY_16) {
1931             DPRINTF("SAI READ CAPACITY(16)\n");
1932             memset(outbuf, 0, req->cmd.xfer);
1933             bdrv_get_geometry(s->qdev.conf.bs, &nb_sectors);
1934             if (!nb_sectors) {
1935                 scsi_check_condition(r, SENSE_CODE(LUN_NOT_READY));
1936                 return 0;
1937             }
1938             if ((req->cmd.buf[14] & 1) == 0 && req->cmd.lba) {
1939                 goto illegal_request;
1940             }
1941             nb_sectors /= s->qdev.blocksize / 512;
1942             /* Returned value is the address of the last sector.  */
1943             nb_sectors--;
1944             /* Remember the new size for read/write sanity checking. */
1945             s->qdev.max_lba = nb_sectors;
1946             outbuf[0] = (nb_sectors >> 56) & 0xff;
1947             outbuf[1] = (nb_sectors >> 48) & 0xff;
1948             outbuf[2] = (nb_sectors >> 40) & 0xff;
1949             outbuf[3] = (nb_sectors >> 32) & 0xff;
1950             outbuf[4] = (nb_sectors >> 24) & 0xff;
1951             outbuf[5] = (nb_sectors >> 16) & 0xff;
1952             outbuf[6] = (nb_sectors >> 8) & 0xff;
1953             outbuf[7] = nb_sectors & 0xff;
1954             outbuf[8] = 0;
1955             outbuf[9] = 0;
1956             outbuf[10] = s->qdev.blocksize >> 8;
1957             outbuf[11] = 0;
1958             outbuf[12] = 0;
1959             outbuf[13] = get_physical_block_exp(&s->qdev.conf);
1960 
1961             /* set TPE bit if the format supports discard */
1962             if (s->qdev.conf.discard_granularity) {
1963                 outbuf[14] = 0x80;
1964             }
1965 
1966             /* Protection, exponent and lowest lba field left blank. */
1967             break;
1968         }
1969         DPRINTF("Unsupported Service Action In\n");
1970         goto illegal_request;
1971     case SYNCHRONIZE_CACHE:
1972         /* The request is used as the AIO opaque value, so add a ref.  */
1973         scsi_req_ref(&r->req);
1974         bdrv_acct_start(s->qdev.conf.bs, &r->acct, 0, BDRV_ACCT_FLUSH);
1975         r->req.aiocb = bdrv_aio_flush(s->qdev.conf.bs, scsi_aio_complete, r);
1976         return 0;
1977     case SEEK_10:
1978         DPRINTF("Seek(10) (sector %" PRId64 ")\n", r->req.cmd.lba);
1979         if (r->req.cmd.lba > s->qdev.max_lba) {
1980             goto illegal_lba;
1981         }
1982         break;
1983     case MODE_SELECT:
1984         DPRINTF("Mode Select(6) (len %lu)\n", (long)r->req.cmd.xfer);
1985         break;
1986     case MODE_SELECT_10:
1987         DPRINTF("Mode Select(10) (len %lu)\n", (long)r->req.cmd.xfer);
1988         break;
1989     case UNMAP:
1990         DPRINTF("Unmap (len %lu)\n", (long)r->req.cmd.xfer);
1991         break;
1992     case VERIFY_10:
1993     case VERIFY_12:
1994     case VERIFY_16:
1995         DPRINTF("Verify (bytchk %lu)\n", (r->req.buf[1] >> 1) & 3);
1996         if (req->cmd.buf[1] & 6) {
1997             goto illegal_request;
1998         }
1999         break;
2000     case WRITE_SAME_10:
2001     case WRITE_SAME_16:
2002         DPRINTF("WRITE SAME %d (len %lu)\n",
2003                 req->cmd.buf[0] == WRITE_SAME_10 ? 10 : 16,
2004                 (long)r->req.cmd.xfer);
2005         break;
2006     default:
2007         DPRINTF("Unknown SCSI command (%2.2x)\n", buf[0]);
2008         scsi_check_condition(r, SENSE_CODE(INVALID_OPCODE));
2009         return 0;
2010     }
2011     assert(!r->req.aiocb);
2012     r->iov.iov_len = MIN(r->buflen, req->cmd.xfer);
2013     if (r->iov.iov_len == 0) {
2014         scsi_req_complete(&r->req, GOOD);
2015     }
2016     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
2017         assert(r->iov.iov_len == req->cmd.xfer);
2018         return -r->iov.iov_len;
2019     } else {
2020         return r->iov.iov_len;
2021     }
2022 
2023 illegal_request:
2024     if (r->req.status == -1) {
2025         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
2026     }
2027     return 0;
2028 
2029 illegal_lba:
2030     scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
2031     return 0;
2032 }
2033 
2034 /* Execute a scsi command.  Returns the length of the data expected by the
2035    command.  This will be Positive for data transfers from the device
2036    (eg. disk reads), negative for transfers to the device (eg. disk writes),
2037    and zero if the command does not transfer any data.  */
2038 
2039 static int32_t scsi_disk_dma_command(SCSIRequest *req, uint8_t *buf)
2040 {
2041     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
2042     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
2043     uint32_t len;
2044     uint8_t command;
2045 
2046     command = buf[0];
2047 
2048     if (s->tray_open || !bdrv_is_inserted(s->qdev.conf.bs)) {
2049         scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
2050         return 0;
2051     }
2052 
2053     len = scsi_data_cdb_length(r->req.cmd.buf);
2054     switch (command) {
2055     case READ_6:
2056     case READ_10:
2057     case READ_12:
2058     case READ_16:
2059         DPRINTF("Read (sector %" PRId64 ", count %u)\n", r->req.cmd.lba, len);
2060         if (r->req.cmd.buf[1] & 0xe0) {
2061             goto illegal_request;
2062         }
2063         if (!check_lba_range(s, r->req.cmd.lba, len)) {
2064             goto illegal_lba;
2065         }
2066         r->sector = r->req.cmd.lba * (s->qdev.blocksize / 512);
2067         r->sector_count = len * (s->qdev.blocksize / 512);
2068         break;
2069     case WRITE_6:
2070     case WRITE_10:
2071     case WRITE_12:
2072     case WRITE_16:
2073     case WRITE_VERIFY_10:
2074     case WRITE_VERIFY_12:
2075     case WRITE_VERIFY_16:
2076         if (bdrv_is_read_only(s->qdev.conf.bs)) {
2077             scsi_check_condition(r, SENSE_CODE(WRITE_PROTECTED));
2078             return 0;
2079         }
2080         DPRINTF("Write %s(sector %" PRId64 ", count %u)\n",
2081                 (command & 0xe) == 0xe ? "And Verify " : "",
2082                 r->req.cmd.lba, len);
2083         if (r->req.cmd.buf[1] & 0xe0) {
2084             goto illegal_request;
2085         }
2086         if (!check_lba_range(s, r->req.cmd.lba, len)) {
2087             goto illegal_lba;
2088         }
2089         r->sector = r->req.cmd.lba * (s->qdev.blocksize / 512);
2090         r->sector_count = len * (s->qdev.blocksize / 512);
2091         break;
2092     default:
2093         abort();
2094     illegal_request:
2095         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
2096         return 0;
2097     illegal_lba:
2098         scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
2099         return 0;
2100     }
2101     if (r->sector_count == 0) {
2102         scsi_req_complete(&r->req, GOOD);
2103     }
2104     assert(r->iov.iov_len == 0);
2105     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
2106         return -r->sector_count * 512;
2107     } else {
2108         return r->sector_count * 512;
2109     }
2110 }
2111 
2112 static void scsi_disk_reset(DeviceState *dev)
2113 {
2114     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev.qdev, dev);
2115     uint64_t nb_sectors;
2116 
2117     scsi_device_purge_requests(&s->qdev, SENSE_CODE(RESET));
2118 
2119     bdrv_get_geometry(s->qdev.conf.bs, &nb_sectors);
2120     nb_sectors /= s->qdev.blocksize / 512;
2121     if (nb_sectors) {
2122         nb_sectors--;
2123     }
2124     s->qdev.max_lba = nb_sectors;
2125     /* reset tray statuses */
2126     s->tray_locked = 0;
2127     s->tray_open = 0;
2128 }
2129 
2130 static void scsi_destroy(SCSIDevice *dev)
2131 {
2132     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2133 
2134     scsi_device_purge_requests(&s->qdev, SENSE_CODE(NO_SENSE));
2135     blockdev_mark_auto_del(s->qdev.conf.bs);
2136 }
2137 
2138 static void scsi_disk_resize_cb(void *opaque)
2139 {
2140     SCSIDiskState *s = opaque;
2141 
2142     /* SPC lists this sense code as available only for
2143      * direct-access devices.
2144      */
2145     if (s->qdev.type == TYPE_DISK) {
2146         scsi_device_report_change(&s->qdev, SENSE_CODE(CAPACITY_CHANGED));
2147     }
2148 }
2149 
2150 static void scsi_cd_change_media_cb(void *opaque, bool load)
2151 {
2152     SCSIDiskState *s = opaque;
2153 
2154     /*
2155      * When a CD gets changed, we have to report an ejected state and
2156      * then a loaded state to guests so that they detect tray
2157      * open/close and media change events.  Guests that do not use
2158      * GET_EVENT_STATUS_NOTIFICATION to detect such tray open/close
2159      * states rely on this behavior.
2160      *
2161      * media_changed governs the state machine used for unit attention
2162      * report.  media_event is used by GET EVENT STATUS NOTIFICATION.
2163      */
2164     s->media_changed = load;
2165     s->tray_open = !load;
2166     scsi_device_set_ua(&s->qdev, SENSE_CODE(UNIT_ATTENTION_NO_MEDIUM));
2167     s->media_event = true;
2168     s->eject_request = false;
2169 }
2170 
2171 static void scsi_cd_eject_request_cb(void *opaque, bool force)
2172 {
2173     SCSIDiskState *s = opaque;
2174 
2175     s->eject_request = true;
2176     if (force) {
2177         s->tray_locked = false;
2178     }
2179 }
2180 
2181 static bool scsi_cd_is_tray_open(void *opaque)
2182 {
2183     return ((SCSIDiskState *)opaque)->tray_open;
2184 }
2185 
2186 static bool scsi_cd_is_medium_locked(void *opaque)
2187 {
2188     return ((SCSIDiskState *)opaque)->tray_locked;
2189 }
2190 
2191 static const BlockDevOps scsi_disk_removable_block_ops = {
2192     .change_media_cb = scsi_cd_change_media_cb,
2193     .eject_request_cb = scsi_cd_eject_request_cb,
2194     .is_tray_open = scsi_cd_is_tray_open,
2195     .is_medium_locked = scsi_cd_is_medium_locked,
2196 
2197     .resize_cb = scsi_disk_resize_cb,
2198 };
2199 
2200 static const BlockDevOps scsi_disk_block_ops = {
2201     .resize_cb = scsi_disk_resize_cb,
2202 };
2203 
2204 static void scsi_disk_unit_attention_reported(SCSIDevice *dev)
2205 {
2206     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2207     if (s->media_changed) {
2208         s->media_changed = false;
2209         scsi_device_set_ua(&s->qdev, SENSE_CODE(MEDIUM_CHANGED));
2210     }
2211 }
2212 
2213 static int scsi_initfn(SCSIDevice *dev)
2214 {
2215     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2216 
2217     if (!s->qdev.conf.bs) {
2218         error_report("drive property not set");
2219         return -1;
2220     }
2221 
2222     if (!(s->features & (1 << SCSI_DISK_F_REMOVABLE)) &&
2223         !bdrv_is_inserted(s->qdev.conf.bs)) {
2224         error_report("Device needs media, but drive is empty");
2225         return -1;
2226     }
2227 
2228     blkconf_serial(&s->qdev.conf, &s->serial);
2229     if (dev->type == TYPE_DISK
2230         && blkconf_geometry(&dev->conf, NULL, 65535, 255, 255) < 0) {
2231         return -1;
2232     }
2233 
2234     if (s->qdev.conf.discard_granularity == -1) {
2235         s->qdev.conf.discard_granularity =
2236             MAX(s->qdev.conf.logical_block_size, DEFAULT_DISCARD_GRANULARITY);
2237     }
2238 
2239     if (!s->version) {
2240         s->version = g_strdup(qemu_get_version());
2241     }
2242     if (!s->vendor) {
2243         s->vendor = g_strdup("QEMU");
2244     }
2245 
2246     if (bdrv_is_sg(s->qdev.conf.bs)) {
2247         error_report("unwanted /dev/sg*");
2248         return -1;
2249     }
2250 
2251     if ((s->features & (1 << SCSI_DISK_F_REMOVABLE)) &&
2252             !(s->features & (1 << SCSI_DISK_F_NO_REMOVABLE_DEVOPS))) {
2253         bdrv_set_dev_ops(s->qdev.conf.bs, &scsi_disk_removable_block_ops, s);
2254     } else {
2255         bdrv_set_dev_ops(s->qdev.conf.bs, &scsi_disk_block_ops, s);
2256     }
2257     bdrv_set_guest_block_size(s->qdev.conf.bs, s->qdev.blocksize);
2258 
2259     bdrv_iostatus_enable(s->qdev.conf.bs);
2260     add_boot_device_path(s->qdev.conf.bootindex, &dev->qdev, NULL);
2261     return 0;
2262 }
2263 
2264 static int scsi_hd_initfn(SCSIDevice *dev)
2265 {
2266     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2267     s->qdev.blocksize = s->qdev.conf.logical_block_size;
2268     s->qdev.type = TYPE_DISK;
2269     if (!s->product) {
2270         s->product = g_strdup("QEMU HARDDISK");
2271     }
2272     return scsi_initfn(&s->qdev);
2273 }
2274 
2275 static int scsi_cd_initfn(SCSIDevice *dev)
2276 {
2277     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2278     s->qdev.blocksize = 2048;
2279     s->qdev.type = TYPE_ROM;
2280     s->features |= 1 << SCSI_DISK_F_REMOVABLE;
2281     if (!s->product) {
2282         s->product = g_strdup("QEMU CD-ROM");
2283     }
2284     return scsi_initfn(&s->qdev);
2285 }
2286 
2287 static int scsi_disk_initfn(SCSIDevice *dev)
2288 {
2289     DriveInfo *dinfo;
2290 
2291     if (!dev->conf.bs) {
2292         return scsi_initfn(dev);  /* ... and die there */
2293     }
2294 
2295     dinfo = drive_get_by_blockdev(dev->conf.bs);
2296     if (dinfo->media_cd) {
2297         return scsi_cd_initfn(dev);
2298     } else {
2299         return scsi_hd_initfn(dev);
2300     }
2301 }
2302 
2303 static const SCSIReqOps scsi_disk_emulate_reqops = {
2304     .size         = sizeof(SCSIDiskReq),
2305     .free_req     = scsi_free_request,
2306     .send_command = scsi_disk_emulate_command,
2307     .read_data    = scsi_disk_emulate_read_data,
2308     .write_data   = scsi_disk_emulate_write_data,
2309     .cancel_io    = scsi_cancel_io,
2310     .get_buf      = scsi_get_buf,
2311 };
2312 
2313 static const SCSIReqOps scsi_disk_dma_reqops = {
2314     .size         = sizeof(SCSIDiskReq),
2315     .free_req     = scsi_free_request,
2316     .send_command = scsi_disk_dma_command,
2317     .read_data    = scsi_read_data,
2318     .write_data   = scsi_write_data,
2319     .cancel_io    = scsi_cancel_io,
2320     .get_buf      = scsi_get_buf,
2321     .load_request = scsi_disk_load_request,
2322     .save_request = scsi_disk_save_request,
2323 };
2324 
2325 static const SCSIReqOps *const scsi_disk_reqops_dispatch[256] = {
2326     [TEST_UNIT_READY]                 = &scsi_disk_emulate_reqops,
2327     [INQUIRY]                         = &scsi_disk_emulate_reqops,
2328     [MODE_SENSE]                      = &scsi_disk_emulate_reqops,
2329     [MODE_SENSE_10]                   = &scsi_disk_emulate_reqops,
2330     [START_STOP]                      = &scsi_disk_emulate_reqops,
2331     [ALLOW_MEDIUM_REMOVAL]            = &scsi_disk_emulate_reqops,
2332     [READ_CAPACITY_10]                = &scsi_disk_emulate_reqops,
2333     [READ_TOC]                        = &scsi_disk_emulate_reqops,
2334     [READ_DVD_STRUCTURE]              = &scsi_disk_emulate_reqops,
2335     [READ_DISC_INFORMATION]           = &scsi_disk_emulate_reqops,
2336     [GET_CONFIGURATION]               = &scsi_disk_emulate_reqops,
2337     [GET_EVENT_STATUS_NOTIFICATION]   = &scsi_disk_emulate_reqops,
2338     [MECHANISM_STATUS]                = &scsi_disk_emulate_reqops,
2339     [SERVICE_ACTION_IN_16]            = &scsi_disk_emulate_reqops,
2340     [REQUEST_SENSE]                   = &scsi_disk_emulate_reqops,
2341     [SYNCHRONIZE_CACHE]               = &scsi_disk_emulate_reqops,
2342     [SEEK_10]                         = &scsi_disk_emulate_reqops,
2343     [MODE_SELECT]                     = &scsi_disk_emulate_reqops,
2344     [MODE_SELECT_10]                  = &scsi_disk_emulate_reqops,
2345     [UNMAP]                           = &scsi_disk_emulate_reqops,
2346     [WRITE_SAME_10]                   = &scsi_disk_emulate_reqops,
2347     [WRITE_SAME_16]                   = &scsi_disk_emulate_reqops,
2348     [VERIFY_10]                       = &scsi_disk_emulate_reqops,
2349     [VERIFY_12]                       = &scsi_disk_emulate_reqops,
2350     [VERIFY_16]                       = &scsi_disk_emulate_reqops,
2351 
2352     [READ_6]                          = &scsi_disk_dma_reqops,
2353     [READ_10]                         = &scsi_disk_dma_reqops,
2354     [READ_12]                         = &scsi_disk_dma_reqops,
2355     [READ_16]                         = &scsi_disk_dma_reqops,
2356     [WRITE_6]                         = &scsi_disk_dma_reqops,
2357     [WRITE_10]                        = &scsi_disk_dma_reqops,
2358     [WRITE_12]                        = &scsi_disk_dma_reqops,
2359     [WRITE_16]                        = &scsi_disk_dma_reqops,
2360     [WRITE_VERIFY_10]                 = &scsi_disk_dma_reqops,
2361     [WRITE_VERIFY_12]                 = &scsi_disk_dma_reqops,
2362     [WRITE_VERIFY_16]                 = &scsi_disk_dma_reqops,
2363 };
2364 
2365 static SCSIRequest *scsi_new_request(SCSIDevice *d, uint32_t tag, uint32_t lun,
2366                                      uint8_t *buf, void *hba_private)
2367 {
2368     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, d);
2369     SCSIRequest *req;
2370     const SCSIReqOps *ops;
2371     uint8_t command;
2372 
2373     command = buf[0];
2374     ops = scsi_disk_reqops_dispatch[command];
2375     if (!ops) {
2376         ops = &scsi_disk_emulate_reqops;
2377     }
2378     req = scsi_req_alloc(ops, &s->qdev, tag, lun, hba_private);
2379 
2380 #ifdef DEBUG_SCSI
2381     DPRINTF("Command: lun=%d tag=0x%x data=0x%02x", lun, tag, buf[0]);
2382     {
2383         int i;
2384         for (i = 1; i < req->cmd.len; i++) {
2385             printf(" 0x%02x", buf[i]);
2386         }
2387         printf("\n");
2388     }
2389 #endif
2390 
2391     return req;
2392 }
2393 
2394 #ifdef __linux__
2395 static int get_device_type(SCSIDiskState *s)
2396 {
2397     BlockDriverState *bdrv = s->qdev.conf.bs;
2398     uint8_t cmd[16];
2399     uint8_t buf[36];
2400     uint8_t sensebuf[8];
2401     sg_io_hdr_t io_header;
2402     int ret;
2403 
2404     memset(cmd, 0, sizeof(cmd));
2405     memset(buf, 0, sizeof(buf));
2406     cmd[0] = INQUIRY;
2407     cmd[4] = sizeof(buf);
2408 
2409     memset(&io_header, 0, sizeof(io_header));
2410     io_header.interface_id = 'S';
2411     io_header.dxfer_direction = SG_DXFER_FROM_DEV;
2412     io_header.dxfer_len = sizeof(buf);
2413     io_header.dxferp = buf;
2414     io_header.cmdp = cmd;
2415     io_header.cmd_len = sizeof(cmd);
2416     io_header.mx_sb_len = sizeof(sensebuf);
2417     io_header.sbp = sensebuf;
2418     io_header.timeout = 6000; /* XXX */
2419 
2420     ret = bdrv_ioctl(bdrv, SG_IO, &io_header);
2421     if (ret < 0 || io_header.driver_status || io_header.host_status) {
2422         return -1;
2423     }
2424     s->qdev.type = buf[0];
2425     if (buf[1] & 0x80) {
2426         s->features |= 1 << SCSI_DISK_F_REMOVABLE;
2427     }
2428     return 0;
2429 }
2430 
2431 static int scsi_block_initfn(SCSIDevice *dev)
2432 {
2433     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2434     int sg_version;
2435     int rc;
2436 
2437     if (!s->qdev.conf.bs) {
2438         error_report("scsi-block: drive property not set");
2439         return -1;
2440     }
2441 
2442     /* check we are using a driver managing SG_IO (version 3 and after) */
2443     if (bdrv_ioctl(s->qdev.conf.bs, SG_GET_VERSION_NUM, &sg_version) < 0 ||
2444         sg_version < 30000) {
2445         error_report("scsi-block: scsi generic interface too old");
2446         return -1;
2447     }
2448 
2449     /* get device type from INQUIRY data */
2450     rc = get_device_type(s);
2451     if (rc < 0) {
2452         error_report("scsi-block: INQUIRY failed");
2453         return -1;
2454     }
2455 
2456     /* Make a guess for the block size, we'll fix it when the guest sends.
2457      * READ CAPACITY.  If they don't, they likely would assume these sizes
2458      * anyway. (TODO: check in /sys).
2459      */
2460     if (s->qdev.type == TYPE_ROM || s->qdev.type == TYPE_WORM) {
2461         s->qdev.blocksize = 2048;
2462     } else {
2463         s->qdev.blocksize = 512;
2464     }
2465 
2466     /* Makes the scsi-block device not removable by using HMP and QMP eject
2467      * command.
2468      */
2469     s->features |= (1 << SCSI_DISK_F_NO_REMOVABLE_DEVOPS);
2470 
2471     return scsi_initfn(&s->qdev);
2472 }
2473 
2474 static SCSIRequest *scsi_block_new_request(SCSIDevice *d, uint32_t tag,
2475                                            uint32_t lun, uint8_t *buf,
2476                                            void *hba_private)
2477 {
2478     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, d);
2479 
2480     switch (buf[0]) {
2481     case READ_6:
2482     case READ_10:
2483     case READ_12:
2484     case READ_16:
2485     case VERIFY_10:
2486     case VERIFY_12:
2487     case VERIFY_16:
2488     case WRITE_6:
2489     case WRITE_10:
2490     case WRITE_12:
2491     case WRITE_16:
2492     case WRITE_VERIFY_10:
2493     case WRITE_VERIFY_12:
2494     case WRITE_VERIFY_16:
2495         /* If we are not using O_DIRECT, we might read stale data from the
2496 	 * host cache if writes were made using other commands than these
2497 	 * ones (such as WRITE SAME or EXTENDED COPY, etc.).  So, without
2498 	 * O_DIRECT everything must go through SG_IO.
2499          */
2500         if (bdrv_get_flags(s->qdev.conf.bs) & BDRV_O_NOCACHE) {
2501             break;
2502         }
2503 
2504         /* MMC writing cannot be done via pread/pwrite, because it sometimes
2505          * involves writing beyond the maximum LBA or to negative LBA (lead-in).
2506          * And once you do these writes, reading from the block device is
2507          * unreliable, too.  It is even possible that reads deliver random data
2508          * from the host page cache (this is probably a Linux bug).
2509          *
2510          * We might use scsi_disk_dma_reqops as long as no writing commands are
2511          * seen, but performance usually isn't paramount on optical media.  So,
2512          * just make scsi-block operate the same as scsi-generic for them.
2513          */
2514         if (s->qdev.type != TYPE_ROM) {
2515             return scsi_req_alloc(&scsi_disk_dma_reqops, &s->qdev, tag, lun,
2516                                   hba_private);
2517         }
2518     }
2519 
2520     return scsi_req_alloc(&scsi_generic_req_ops, &s->qdev, tag, lun,
2521                           hba_private);
2522 }
2523 #endif
2524 
2525 #define DEFINE_SCSI_DISK_PROPERTIES()                                \
2526     DEFINE_BLOCK_PROPERTIES(SCSIDiskState, qdev.conf),               \
2527     DEFINE_PROP_STRING("ver", SCSIDiskState, version),               \
2528     DEFINE_PROP_STRING("serial", SCSIDiskState, serial),             \
2529     DEFINE_PROP_STRING("vendor", SCSIDiskState, vendor),             \
2530     DEFINE_PROP_STRING("product", SCSIDiskState, product)
2531 
2532 static Property scsi_hd_properties[] = {
2533     DEFINE_SCSI_DISK_PROPERTIES(),
2534     DEFINE_PROP_BIT("removable", SCSIDiskState, features,
2535                     SCSI_DISK_F_REMOVABLE, false),
2536     DEFINE_PROP_BIT("dpofua", SCSIDiskState, features,
2537                     SCSI_DISK_F_DPOFUA, false),
2538     DEFINE_PROP_HEX64("wwn", SCSIDiskState, wwn, 0),
2539     DEFINE_PROP_UINT64("max_unmap_size", SCSIDiskState, max_unmap_size,
2540                        DEFAULT_MAX_UNMAP_SIZE),
2541     DEFINE_BLOCK_CHS_PROPERTIES(SCSIDiskState, qdev.conf),
2542     DEFINE_PROP_END_OF_LIST(),
2543 };
2544 
2545 static const VMStateDescription vmstate_scsi_disk_state = {
2546     .name = "scsi-disk",
2547     .version_id = 1,
2548     .minimum_version_id = 1,
2549     .minimum_version_id_old = 1,
2550     .fields = (VMStateField[]) {
2551         VMSTATE_SCSI_DEVICE(qdev, SCSIDiskState),
2552         VMSTATE_BOOL(media_changed, SCSIDiskState),
2553         VMSTATE_BOOL(media_event, SCSIDiskState),
2554         VMSTATE_BOOL(eject_request, SCSIDiskState),
2555         VMSTATE_BOOL(tray_open, SCSIDiskState),
2556         VMSTATE_BOOL(tray_locked, SCSIDiskState),
2557         VMSTATE_END_OF_LIST()
2558     }
2559 };
2560 
2561 static void scsi_hd_class_initfn(ObjectClass *klass, void *data)
2562 {
2563     DeviceClass *dc = DEVICE_CLASS(klass);
2564     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
2565 
2566     sc->init         = scsi_hd_initfn;
2567     sc->destroy      = scsi_destroy;
2568     sc->alloc_req    = scsi_new_request;
2569     sc->unit_attention_reported = scsi_disk_unit_attention_reported;
2570     dc->fw_name = "disk";
2571     dc->desc = "virtual SCSI disk";
2572     dc->reset = scsi_disk_reset;
2573     dc->props = scsi_hd_properties;
2574     dc->vmsd  = &vmstate_scsi_disk_state;
2575 }
2576 
2577 static const TypeInfo scsi_hd_info = {
2578     .name          = "scsi-hd",
2579     .parent        = TYPE_SCSI_DEVICE,
2580     .instance_size = sizeof(SCSIDiskState),
2581     .class_init    = scsi_hd_class_initfn,
2582 };
2583 
2584 static Property scsi_cd_properties[] = {
2585     DEFINE_SCSI_DISK_PROPERTIES(),
2586     DEFINE_PROP_HEX64("wwn", SCSIDiskState, wwn, 0),
2587     DEFINE_PROP_END_OF_LIST(),
2588 };
2589 
2590 static void scsi_cd_class_initfn(ObjectClass *klass, void *data)
2591 {
2592     DeviceClass *dc = DEVICE_CLASS(klass);
2593     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
2594 
2595     sc->init         = scsi_cd_initfn;
2596     sc->destroy      = scsi_destroy;
2597     sc->alloc_req    = scsi_new_request;
2598     sc->unit_attention_reported = scsi_disk_unit_attention_reported;
2599     dc->fw_name = "disk";
2600     dc->desc = "virtual SCSI CD-ROM";
2601     dc->reset = scsi_disk_reset;
2602     dc->props = scsi_cd_properties;
2603     dc->vmsd  = &vmstate_scsi_disk_state;
2604 }
2605 
2606 static const TypeInfo scsi_cd_info = {
2607     .name          = "scsi-cd",
2608     .parent        = TYPE_SCSI_DEVICE,
2609     .instance_size = sizeof(SCSIDiskState),
2610     .class_init    = scsi_cd_class_initfn,
2611 };
2612 
2613 #ifdef __linux__
2614 static Property scsi_block_properties[] = {
2615     DEFINE_PROP_DRIVE("drive", SCSIDiskState, qdev.conf.bs),
2616     DEFINE_PROP_INT32("bootindex", SCSIDiskState, qdev.conf.bootindex, -1),
2617     DEFINE_PROP_END_OF_LIST(),
2618 };
2619 
2620 static void scsi_block_class_initfn(ObjectClass *klass, void *data)
2621 {
2622     DeviceClass *dc = DEVICE_CLASS(klass);
2623     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
2624 
2625     sc->init         = scsi_block_initfn;
2626     sc->destroy      = scsi_destroy;
2627     sc->alloc_req    = scsi_block_new_request;
2628     dc->fw_name = "disk";
2629     dc->desc = "SCSI block device passthrough";
2630     dc->reset = scsi_disk_reset;
2631     dc->props = scsi_block_properties;
2632     dc->vmsd  = &vmstate_scsi_disk_state;
2633 }
2634 
2635 static const TypeInfo scsi_block_info = {
2636     .name          = "scsi-block",
2637     .parent        = TYPE_SCSI_DEVICE,
2638     .instance_size = sizeof(SCSIDiskState),
2639     .class_init    = scsi_block_class_initfn,
2640 };
2641 #endif
2642 
2643 static Property scsi_disk_properties[] = {
2644     DEFINE_SCSI_DISK_PROPERTIES(),
2645     DEFINE_PROP_BIT("removable", SCSIDiskState, features,
2646                     SCSI_DISK_F_REMOVABLE, false),
2647     DEFINE_PROP_BIT("dpofua", SCSIDiskState, features,
2648                     SCSI_DISK_F_DPOFUA, false),
2649     DEFINE_PROP_HEX64("wwn", SCSIDiskState, wwn, 0),
2650     DEFINE_PROP_UINT64("max_unmap_size", SCSIDiskState, max_unmap_size,
2651                        DEFAULT_MAX_UNMAP_SIZE),
2652     DEFINE_PROP_END_OF_LIST(),
2653 };
2654 
2655 static void scsi_disk_class_initfn(ObjectClass *klass, void *data)
2656 {
2657     DeviceClass *dc = DEVICE_CLASS(klass);
2658     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
2659 
2660     sc->init         = scsi_disk_initfn;
2661     sc->destroy      = scsi_destroy;
2662     sc->alloc_req    = scsi_new_request;
2663     sc->unit_attention_reported = scsi_disk_unit_attention_reported;
2664     dc->fw_name = "disk";
2665     dc->desc = "virtual SCSI disk or CD-ROM (legacy)";
2666     dc->reset = scsi_disk_reset;
2667     dc->props = scsi_disk_properties;
2668     dc->vmsd  = &vmstate_scsi_disk_state;
2669 }
2670 
2671 static const TypeInfo scsi_disk_info = {
2672     .name          = "scsi-disk",
2673     .parent        = TYPE_SCSI_DEVICE,
2674     .instance_size = sizeof(SCSIDiskState),
2675     .class_init    = scsi_disk_class_initfn,
2676 };
2677 
2678 static void scsi_disk_register_types(void)
2679 {
2680     type_register_static(&scsi_hd_info);
2681     type_register_static(&scsi_cd_info);
2682 #ifdef __linux__
2683     type_register_static(&scsi_block_info);
2684 #endif
2685     type_register_static(&scsi_disk_info);
2686 }
2687 
2688 type_init(scsi_disk_register_types)
2689