xref: /openbmc/qemu/hw/scsi/scsi-disk.c (revision cba42d61)
1 /*
2  * SCSI Device emulation
3  *
4  * Copyright (c) 2006 CodeSourcery.
5  * Based on code by Fabrice Bellard
6  *
7  * Written by Paul Brook
8  * Modifications:
9  *  2009-Dec-12 Artyom Tarasenko : implemented stamdard inquiry for the case
10  *                                 when the allocation length of CDB is smaller
11  *                                 than 36.
12  *  2009-Oct-13 Artyom Tarasenko : implemented the block descriptor in the
13  *                                 MODE SENSE response.
14  *
15  * This code is licensed under the LGPL.
16  *
17  * Note that this file only handles the SCSI architecture model and device
18  * commands.  Emulation of interface/link layer protocols is handled by
19  * the host adapter emulator.
20  */
21 
22 #include "qemu/osdep.h"
23 #include "qemu/units.h"
24 #include "qapi/error.h"
25 #include "qemu/error-report.h"
26 #include "qemu/main-loop.h"
27 #include "qemu/module.h"
28 #include "hw/scsi/scsi.h"
29 #include "migration/qemu-file-types.h"
30 #include "migration/vmstate.h"
31 #include "hw/scsi/emulation.h"
32 #include "scsi/constants.h"
33 #include "sysemu/block-backend.h"
34 #include "sysemu/blockdev.h"
35 #include "hw/block/block.h"
36 #include "hw/qdev-properties.h"
37 #include "hw/qdev-properties-system.h"
38 #include "sysemu/dma.h"
39 #include "sysemu/sysemu.h"
40 #include "qemu/cutils.h"
41 #include "trace.h"
42 #include "qom/object.h"
43 
44 #ifdef __linux
45 #include <scsi/sg.h>
46 #endif
47 
48 #define SCSI_WRITE_SAME_MAX         (512 * KiB)
49 #define SCSI_DMA_BUF_SIZE           (128 * KiB)
50 #define SCSI_MAX_INQUIRY_LEN        256
51 #define SCSI_MAX_MODE_LEN           256
52 
53 #define DEFAULT_DISCARD_GRANULARITY (4 * KiB)
54 #define DEFAULT_MAX_UNMAP_SIZE      (1 * GiB)
55 #define DEFAULT_MAX_IO_SIZE         INT_MAX     /* 2 GB - 1 block */
56 
57 #define TYPE_SCSI_DISK_BASE         "scsi-disk-base"
58 
59 OBJECT_DECLARE_TYPE(SCSIDiskState, SCSIDiskClass, SCSI_DISK_BASE)
60 
61 struct SCSIDiskClass {
62     SCSIDeviceClass parent_class;
63     DMAIOFunc       *dma_readv;
64     DMAIOFunc       *dma_writev;
65     bool            (*need_fua_emulation)(SCSICommand *cmd);
66     void            (*update_sense)(SCSIRequest *r);
67 };
68 
69 typedef struct SCSIDiskReq {
70     SCSIRequest req;
71     /* Both sector and sector_count are in terms of BDRV_SECTOR_SIZE bytes.  */
72     uint64_t sector;
73     uint32_t sector_count;
74     uint32_t buflen;
75     bool started;
76     bool need_fua_emulation;
77     struct iovec iov;
78     QEMUIOVector qiov;
79     BlockAcctCookie acct;
80 } SCSIDiskReq;
81 
82 #define SCSI_DISK_F_REMOVABLE             0
83 #define SCSI_DISK_F_DPOFUA                1
84 #define SCSI_DISK_F_NO_REMOVABLE_DEVOPS   2
85 
86 struct SCSIDiskState {
87     SCSIDevice qdev;
88     uint32_t features;
89     bool media_changed;
90     bool media_event;
91     bool eject_request;
92     uint16_t port_index;
93     uint64_t max_unmap_size;
94     uint64_t max_io_size;
95     QEMUBH *bh;
96     char *version;
97     char *serial;
98     char *vendor;
99     char *product;
100     char *device_id;
101     bool tray_open;
102     bool tray_locked;
103     /*
104      * 0x0000        - rotation rate not reported
105      * 0x0001        - non-rotating medium (SSD)
106      * 0x0002-0x0400 - reserved
107      * 0x0401-0xffe  - rotations per minute
108      * 0xffff        - reserved
109      */
110     uint16_t rotation_rate;
111 };
112 
113 static void scsi_free_request(SCSIRequest *req)
114 {
115     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
116 
117     qemu_vfree(r->iov.iov_base);
118 }
119 
120 /* Helper function for command completion with sense.  */
121 static void scsi_check_condition(SCSIDiskReq *r, SCSISense sense)
122 {
123     trace_scsi_disk_check_condition(r->req.tag, sense.key, sense.asc,
124                                     sense.ascq);
125     scsi_req_build_sense(&r->req, sense);
126     scsi_req_complete(&r->req, CHECK_CONDITION);
127 }
128 
129 static void scsi_init_iovec(SCSIDiskReq *r, size_t size)
130 {
131     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
132 
133     if (!r->iov.iov_base) {
134         r->buflen = size;
135         r->iov.iov_base = blk_blockalign(s->qdev.conf.blk, r->buflen);
136     }
137     r->iov.iov_len = MIN(r->sector_count * BDRV_SECTOR_SIZE, r->buflen);
138     qemu_iovec_init_external(&r->qiov, &r->iov, 1);
139 }
140 
141 static void scsi_disk_save_request(QEMUFile *f, SCSIRequest *req)
142 {
143     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
144 
145     qemu_put_be64s(f, &r->sector);
146     qemu_put_be32s(f, &r->sector_count);
147     qemu_put_be32s(f, &r->buflen);
148     if (r->buflen) {
149         if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
150             qemu_put_buffer(f, r->iov.iov_base, r->iov.iov_len);
151         } else if (!req->retry) {
152             uint32_t len = r->iov.iov_len;
153             qemu_put_be32s(f, &len);
154             qemu_put_buffer(f, r->iov.iov_base, r->iov.iov_len);
155         }
156     }
157 }
158 
159 static void scsi_disk_load_request(QEMUFile *f, SCSIRequest *req)
160 {
161     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
162 
163     qemu_get_be64s(f, &r->sector);
164     qemu_get_be32s(f, &r->sector_count);
165     qemu_get_be32s(f, &r->buflen);
166     if (r->buflen) {
167         scsi_init_iovec(r, r->buflen);
168         if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
169             qemu_get_buffer(f, r->iov.iov_base, r->iov.iov_len);
170         } else if (!r->req.retry) {
171             uint32_t len;
172             qemu_get_be32s(f, &len);
173             r->iov.iov_len = len;
174             assert(r->iov.iov_len <= r->buflen);
175             qemu_get_buffer(f, r->iov.iov_base, r->iov.iov_len);
176         }
177     }
178 
179     qemu_iovec_init_external(&r->qiov, &r->iov, 1);
180 }
181 
182 /*
183  * scsi_handle_rw_error has two return values.  False means that the error
184  * must be ignored, true means that the error has been processed and the
185  * caller should not do anything else for this request.  Note that
186  * scsi_handle_rw_error always manages its reference counts, independent
187  * of the return value.
188  */
189 static bool scsi_handle_rw_error(SCSIDiskReq *r, int ret, bool acct_failed)
190 {
191     bool is_read = (r->req.cmd.mode == SCSI_XFER_FROM_DEV);
192     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
193     SCSIDiskClass *sdc = (SCSIDiskClass *) object_get_class(OBJECT(s));
194     SCSISense sense = SENSE_CODE(NO_SENSE);
195     int error = 0;
196     bool req_has_sense = false;
197     BlockErrorAction action;
198     int status;
199 
200     if (ret < 0) {
201         status = scsi_sense_from_errno(-ret, &sense);
202         error = -ret;
203     } else {
204         /* A passthrough command has completed with nonzero status.  */
205         status = ret;
206         if (status == CHECK_CONDITION) {
207             req_has_sense = true;
208             error = scsi_sense_buf_to_errno(r->req.sense, sizeof(r->req.sense));
209         } else {
210             error = EINVAL;
211         }
212     }
213 
214     /*
215      * Check whether the error has to be handled by the guest or should
216      * rather follow the rerror=/werror= settings.  Guest-handled errors
217      * are usually retried immediately, so do not post them to QMP and
218      * do not account them as failed I/O.
219      */
220     if (req_has_sense &&
221         scsi_sense_buf_is_guest_recoverable(r->req.sense, sizeof(r->req.sense))) {
222         action = BLOCK_ERROR_ACTION_REPORT;
223         acct_failed = false;
224     } else {
225         action = blk_get_error_action(s->qdev.conf.blk, is_read, error);
226         blk_error_action(s->qdev.conf.blk, action, is_read, error);
227     }
228 
229     switch (action) {
230     case BLOCK_ERROR_ACTION_REPORT:
231         if (acct_failed) {
232             block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
233         }
234         if (req_has_sense) {
235             sdc->update_sense(&r->req);
236         } else if (status == CHECK_CONDITION) {
237             scsi_req_build_sense(&r->req, sense);
238         }
239         scsi_req_complete(&r->req, status);
240         return true;
241 
242     case BLOCK_ERROR_ACTION_IGNORE:
243         return false;
244 
245     case BLOCK_ERROR_ACTION_STOP:
246         scsi_req_retry(&r->req);
247         return true;
248 
249     default:
250         g_assert_not_reached();
251     }
252 }
253 
254 static bool scsi_disk_req_check_error(SCSIDiskReq *r, int ret, bool acct_failed)
255 {
256     if (r->req.io_canceled) {
257         scsi_req_cancel_complete(&r->req);
258         return true;
259     }
260 
261     if (ret < 0) {
262         return scsi_handle_rw_error(r, ret, acct_failed);
263     }
264 
265     return false;
266 }
267 
268 static void scsi_aio_complete(void *opaque, int ret)
269 {
270     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
271     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
272 
273     assert(r->req.aiocb != NULL);
274     r->req.aiocb = NULL;
275     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
276     if (scsi_disk_req_check_error(r, ret, true)) {
277         goto done;
278     }
279 
280     block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
281     scsi_req_complete(&r->req, GOOD);
282 
283 done:
284     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
285     scsi_req_unref(&r->req);
286 }
287 
288 static bool scsi_is_cmd_fua(SCSICommand *cmd)
289 {
290     switch (cmd->buf[0]) {
291     case READ_10:
292     case READ_12:
293     case READ_16:
294     case WRITE_10:
295     case WRITE_12:
296     case WRITE_16:
297         return (cmd->buf[1] & 8) != 0;
298 
299     case VERIFY_10:
300     case VERIFY_12:
301     case VERIFY_16:
302     case WRITE_VERIFY_10:
303     case WRITE_VERIFY_12:
304     case WRITE_VERIFY_16:
305         return true;
306 
307     case READ_6:
308     case WRITE_6:
309     default:
310         return false;
311     }
312 }
313 
314 static void scsi_write_do_fua(SCSIDiskReq *r)
315 {
316     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
317 
318     assert(r->req.aiocb == NULL);
319     assert(!r->req.io_canceled);
320 
321     if (r->need_fua_emulation) {
322         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct, 0,
323                          BLOCK_ACCT_FLUSH);
324         r->req.aiocb = blk_aio_flush(s->qdev.conf.blk, scsi_aio_complete, r);
325         return;
326     }
327 
328     scsi_req_complete(&r->req, GOOD);
329     scsi_req_unref(&r->req);
330 }
331 
332 static void scsi_dma_complete_noio(SCSIDiskReq *r, int ret)
333 {
334     assert(r->req.aiocb == NULL);
335     if (scsi_disk_req_check_error(r, ret, false)) {
336         goto done;
337     }
338 
339     r->sector += r->sector_count;
340     r->sector_count = 0;
341     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
342         scsi_write_do_fua(r);
343         return;
344     } else {
345         scsi_req_complete(&r->req, GOOD);
346     }
347 
348 done:
349     scsi_req_unref(&r->req);
350 }
351 
352 static void scsi_dma_complete(void *opaque, int ret)
353 {
354     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
355     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
356 
357     assert(r->req.aiocb != NULL);
358     r->req.aiocb = NULL;
359 
360     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
361     if (ret < 0) {
362         block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
363     } else {
364         block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
365     }
366     scsi_dma_complete_noio(r, ret);
367     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
368 }
369 
370 static void scsi_read_complete_noio(SCSIDiskReq *r, int ret)
371 {
372     uint32_t n;
373 
374     assert(r->req.aiocb == NULL);
375     if (scsi_disk_req_check_error(r, ret, false)) {
376         goto done;
377     }
378 
379     n = r->qiov.size / BDRV_SECTOR_SIZE;
380     r->sector += n;
381     r->sector_count -= n;
382     scsi_req_data(&r->req, r->qiov.size);
383 
384 done:
385     scsi_req_unref(&r->req);
386 }
387 
388 static void scsi_read_complete(void *opaque, int ret)
389 {
390     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
391     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
392 
393     assert(r->req.aiocb != NULL);
394     r->req.aiocb = NULL;
395 
396     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
397     if (ret < 0) {
398         block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
399     } else {
400         block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
401         trace_scsi_disk_read_complete(r->req.tag, r->qiov.size);
402     }
403     scsi_read_complete_noio(r, ret);
404     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
405 }
406 
407 /* Actually issue a read to the block device.  */
408 static void scsi_do_read(SCSIDiskReq *r, int ret)
409 {
410     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
411     SCSIDiskClass *sdc = (SCSIDiskClass *) object_get_class(OBJECT(s));
412 
413     assert (r->req.aiocb == NULL);
414     if (scsi_disk_req_check_error(r, ret, false)) {
415         goto done;
416     }
417 
418     /* The request is used as the AIO opaque value, so add a ref.  */
419     scsi_req_ref(&r->req);
420 
421     if (r->req.sg) {
422         dma_acct_start(s->qdev.conf.blk, &r->acct, r->req.sg, BLOCK_ACCT_READ);
423         r->req.resid -= r->req.sg->size;
424         r->req.aiocb = dma_blk_io(blk_get_aio_context(s->qdev.conf.blk),
425                                   r->req.sg, r->sector << BDRV_SECTOR_BITS,
426                                   BDRV_SECTOR_SIZE,
427                                   sdc->dma_readv, r, scsi_dma_complete, r,
428                                   DMA_DIRECTION_FROM_DEVICE);
429     } else {
430         scsi_init_iovec(r, SCSI_DMA_BUF_SIZE);
431         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
432                          r->qiov.size, BLOCK_ACCT_READ);
433         r->req.aiocb = sdc->dma_readv(r->sector << BDRV_SECTOR_BITS, &r->qiov,
434                                       scsi_read_complete, r, r);
435     }
436 
437 done:
438     scsi_req_unref(&r->req);
439 }
440 
441 static void scsi_do_read_cb(void *opaque, int ret)
442 {
443     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
444     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
445 
446     assert (r->req.aiocb != NULL);
447     r->req.aiocb = NULL;
448 
449     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
450     if (ret < 0) {
451         block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
452     } else {
453         block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
454     }
455     scsi_do_read(opaque, ret);
456     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
457 }
458 
459 /* Read more data from scsi device into buffer.  */
460 static void scsi_read_data(SCSIRequest *req)
461 {
462     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
463     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
464     bool first;
465 
466     trace_scsi_disk_read_data_count(r->sector_count);
467     if (r->sector_count == 0) {
468         /* This also clears the sense buffer for REQUEST SENSE.  */
469         scsi_req_complete(&r->req, GOOD);
470         return;
471     }
472 
473     /* No data transfer may already be in progress */
474     assert(r->req.aiocb == NULL);
475 
476     /* The request is used as the AIO opaque value, so add a ref.  */
477     scsi_req_ref(&r->req);
478     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
479         trace_scsi_disk_read_data_invalid();
480         scsi_read_complete_noio(r, -EINVAL);
481         return;
482     }
483 
484     if (!blk_is_available(req->dev->conf.blk)) {
485         scsi_read_complete_noio(r, -ENOMEDIUM);
486         return;
487     }
488 
489     first = !r->started;
490     r->started = true;
491     if (first && r->need_fua_emulation) {
492         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct, 0,
493                          BLOCK_ACCT_FLUSH);
494         r->req.aiocb = blk_aio_flush(s->qdev.conf.blk, scsi_do_read_cb, r);
495     } else {
496         scsi_do_read(r, 0);
497     }
498 }
499 
500 static void scsi_write_complete_noio(SCSIDiskReq *r, int ret)
501 {
502     uint32_t n;
503 
504     assert (r->req.aiocb == NULL);
505     if (scsi_disk_req_check_error(r, ret, false)) {
506         goto done;
507     }
508 
509     n = r->qiov.size / BDRV_SECTOR_SIZE;
510     r->sector += n;
511     r->sector_count -= n;
512     if (r->sector_count == 0) {
513         scsi_write_do_fua(r);
514         return;
515     } else {
516         scsi_init_iovec(r, SCSI_DMA_BUF_SIZE);
517         trace_scsi_disk_write_complete_noio(r->req.tag, r->qiov.size);
518         scsi_req_data(&r->req, r->qiov.size);
519     }
520 
521 done:
522     scsi_req_unref(&r->req);
523 }
524 
525 static void scsi_write_complete(void * opaque, int ret)
526 {
527     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
528     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
529 
530     assert (r->req.aiocb != NULL);
531     r->req.aiocb = NULL;
532 
533     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
534     if (ret < 0) {
535         block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
536     } else {
537         block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
538     }
539     scsi_write_complete_noio(r, ret);
540     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
541 }
542 
543 static void scsi_write_data(SCSIRequest *req)
544 {
545     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
546     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
547     SCSIDiskClass *sdc = (SCSIDiskClass *) object_get_class(OBJECT(s));
548 
549     /* No data transfer may already be in progress */
550     assert(r->req.aiocb == NULL);
551 
552     /* The request is used as the AIO opaque value, so add a ref.  */
553     scsi_req_ref(&r->req);
554     if (r->req.cmd.mode != SCSI_XFER_TO_DEV) {
555         trace_scsi_disk_write_data_invalid();
556         scsi_write_complete_noio(r, -EINVAL);
557         return;
558     }
559 
560     if (!r->req.sg && !r->qiov.size) {
561         /* Called for the first time.  Ask the driver to send us more data.  */
562         r->started = true;
563         scsi_write_complete_noio(r, 0);
564         return;
565     }
566     if (!blk_is_available(req->dev->conf.blk)) {
567         scsi_write_complete_noio(r, -ENOMEDIUM);
568         return;
569     }
570 
571     if (r->req.cmd.buf[0] == VERIFY_10 || r->req.cmd.buf[0] == VERIFY_12 ||
572         r->req.cmd.buf[0] == VERIFY_16) {
573         if (r->req.sg) {
574             scsi_dma_complete_noio(r, 0);
575         } else {
576             scsi_write_complete_noio(r, 0);
577         }
578         return;
579     }
580 
581     if (r->req.sg) {
582         dma_acct_start(s->qdev.conf.blk, &r->acct, r->req.sg, BLOCK_ACCT_WRITE);
583         r->req.resid -= r->req.sg->size;
584         r->req.aiocb = dma_blk_io(blk_get_aio_context(s->qdev.conf.blk),
585                                   r->req.sg, r->sector << BDRV_SECTOR_BITS,
586                                   BDRV_SECTOR_SIZE,
587                                   sdc->dma_writev, r, scsi_dma_complete, r,
588                                   DMA_DIRECTION_TO_DEVICE);
589     } else {
590         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
591                          r->qiov.size, BLOCK_ACCT_WRITE);
592         r->req.aiocb = sdc->dma_writev(r->sector << BDRV_SECTOR_BITS, &r->qiov,
593                                        scsi_write_complete, r, r);
594     }
595 }
596 
597 /* Return a pointer to the data buffer.  */
598 static uint8_t *scsi_get_buf(SCSIRequest *req)
599 {
600     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
601 
602     return (uint8_t *)r->iov.iov_base;
603 }
604 
605 static int scsi_disk_emulate_vpd_page(SCSIRequest *req, uint8_t *outbuf)
606 {
607     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
608     uint8_t page_code = req->cmd.buf[2];
609     int start, buflen = 0;
610 
611     outbuf[buflen++] = s->qdev.type & 0x1f;
612     outbuf[buflen++] = page_code;
613     outbuf[buflen++] = 0x00;
614     outbuf[buflen++] = 0x00;
615     start = buflen;
616 
617     switch (page_code) {
618     case 0x00: /* Supported page codes, mandatory */
619     {
620         trace_scsi_disk_emulate_vpd_page_00(req->cmd.xfer);
621         outbuf[buflen++] = 0x00; /* list of supported pages (this page) */
622         if (s->serial) {
623             outbuf[buflen++] = 0x80; /* unit serial number */
624         }
625         outbuf[buflen++] = 0x83; /* device identification */
626         if (s->qdev.type == TYPE_DISK) {
627             outbuf[buflen++] = 0xb0; /* block limits */
628             outbuf[buflen++] = 0xb1; /* block device characteristics */
629             outbuf[buflen++] = 0xb2; /* thin provisioning */
630         }
631         break;
632     }
633     case 0x80: /* Device serial number, optional */
634     {
635         int l;
636 
637         if (!s->serial) {
638             trace_scsi_disk_emulate_vpd_page_80_not_supported();
639             return -1;
640         }
641 
642         l = strlen(s->serial);
643         if (l > 36) {
644             l = 36;
645         }
646 
647         trace_scsi_disk_emulate_vpd_page_80(req->cmd.xfer);
648         memcpy(outbuf + buflen, s->serial, l);
649         buflen += l;
650         break;
651     }
652 
653     case 0x83: /* Device identification page, mandatory */
654     {
655         int id_len = s->device_id ? MIN(strlen(s->device_id), 255 - 8) : 0;
656 
657         trace_scsi_disk_emulate_vpd_page_83(req->cmd.xfer);
658 
659         if (id_len) {
660             outbuf[buflen++] = 0x2; /* ASCII */
661             outbuf[buflen++] = 0;   /* not officially assigned */
662             outbuf[buflen++] = 0;   /* reserved */
663             outbuf[buflen++] = id_len; /* length of data following */
664             memcpy(outbuf + buflen, s->device_id, id_len);
665             buflen += id_len;
666         }
667 
668         if (s->qdev.wwn) {
669             outbuf[buflen++] = 0x1; /* Binary */
670             outbuf[buflen++] = 0x3; /* NAA */
671             outbuf[buflen++] = 0;   /* reserved */
672             outbuf[buflen++] = 8;
673             stq_be_p(&outbuf[buflen], s->qdev.wwn);
674             buflen += 8;
675         }
676 
677         if (s->qdev.port_wwn) {
678             outbuf[buflen++] = 0x61; /* SAS / Binary */
679             outbuf[buflen++] = 0x93; /* PIV / Target port / NAA */
680             outbuf[buflen++] = 0;    /* reserved */
681             outbuf[buflen++] = 8;
682             stq_be_p(&outbuf[buflen], s->qdev.port_wwn);
683             buflen += 8;
684         }
685 
686         if (s->port_index) {
687             outbuf[buflen++] = 0x61; /* SAS / Binary */
688 
689             /* PIV/Target port/relative target port */
690             outbuf[buflen++] = 0x94;
691 
692             outbuf[buflen++] = 0;    /* reserved */
693             outbuf[buflen++] = 4;
694             stw_be_p(&outbuf[buflen + 2], s->port_index);
695             buflen += 4;
696         }
697         break;
698     }
699     case 0xb0: /* block limits */
700     {
701         SCSIBlockLimits bl = {};
702 
703         if (s->qdev.type == TYPE_ROM) {
704             trace_scsi_disk_emulate_vpd_page_b0_not_supported();
705             return -1;
706         }
707         bl.wsnz = 1;
708         bl.unmap_sectors =
709             s->qdev.conf.discard_granularity / s->qdev.blocksize;
710         bl.min_io_size =
711             s->qdev.conf.min_io_size / s->qdev.blocksize;
712         bl.opt_io_size =
713             s->qdev.conf.opt_io_size / s->qdev.blocksize;
714         bl.max_unmap_sectors =
715             s->max_unmap_size / s->qdev.blocksize;
716         bl.max_io_sectors =
717             s->max_io_size / s->qdev.blocksize;
718         /* 255 descriptors fit in 4 KiB with an 8-byte header */
719         bl.max_unmap_descr = 255;
720 
721         if (s->qdev.type == TYPE_DISK) {
722             int max_transfer_blk = blk_get_max_transfer(s->qdev.conf.blk);
723             int max_io_sectors_blk =
724                 max_transfer_blk / s->qdev.blocksize;
725 
726             bl.max_io_sectors =
727                 MIN_NON_ZERO(max_io_sectors_blk, bl.max_io_sectors);
728         }
729         buflen += scsi_emulate_block_limits(outbuf + buflen, &bl);
730         break;
731     }
732     case 0xb1: /* block device characteristics */
733     {
734         buflen = 0x40;
735         outbuf[4] = (s->rotation_rate >> 8) & 0xff;
736         outbuf[5] = s->rotation_rate & 0xff;
737         outbuf[6] = 0; /* PRODUCT TYPE */
738         outbuf[7] = 0; /* WABEREQ | WACEREQ | NOMINAL FORM FACTOR */
739         outbuf[8] = 0; /* VBULS */
740         break;
741     }
742     case 0xb2: /* thin provisioning */
743     {
744         buflen = 8;
745         outbuf[4] = 0;
746         outbuf[5] = 0xe0; /* unmap & write_same 10/16 all supported */
747         outbuf[6] = s->qdev.conf.discard_granularity ? 2 : 1;
748         outbuf[7] = 0;
749         break;
750     }
751     default:
752         return -1;
753     }
754     /* done with EVPD */
755     assert(buflen - start <= 255);
756     outbuf[start - 1] = buflen - start;
757     return buflen;
758 }
759 
760 static int scsi_disk_emulate_inquiry(SCSIRequest *req, uint8_t *outbuf)
761 {
762     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
763     int buflen = 0;
764 
765     if (req->cmd.buf[1] & 0x1) {
766         /* Vital product data */
767         return scsi_disk_emulate_vpd_page(req, outbuf);
768     }
769 
770     /* Standard INQUIRY data */
771     if (req->cmd.buf[2] != 0) {
772         return -1;
773     }
774 
775     /* PAGE CODE == 0 */
776     buflen = req->cmd.xfer;
777     if (buflen > SCSI_MAX_INQUIRY_LEN) {
778         buflen = SCSI_MAX_INQUIRY_LEN;
779     }
780 
781     outbuf[0] = s->qdev.type & 0x1f;
782     outbuf[1] = (s->features & (1 << SCSI_DISK_F_REMOVABLE)) ? 0x80 : 0;
783 
784     strpadcpy((char *) &outbuf[16], 16, s->product, ' ');
785     strpadcpy((char *) &outbuf[8], 8, s->vendor, ' ');
786 
787     memset(&outbuf[32], 0, 4);
788     memcpy(&outbuf[32], s->version, MIN(4, strlen(s->version)));
789     /*
790      * We claim conformance to SPC-3, which is required for guests
791      * to ask for modern features like READ CAPACITY(16) or the
792      * block characteristics VPD page by default.  Not all of SPC-3
793      * is actually implemented, but we're good enough.
794      */
795     outbuf[2] = s->qdev.default_scsi_version;
796     outbuf[3] = 2 | 0x10; /* Format 2, HiSup */
797 
798     if (buflen > 36) {
799         outbuf[4] = buflen - 5; /* Additional Length = (Len - 1) - 4 */
800     } else {
801         /* If the allocation length of CDB is too small,
802                the additional length is not adjusted */
803         outbuf[4] = 36 - 5;
804     }
805 
806     /* Sync data transfer and TCQ.  */
807     outbuf[7] = 0x10 | (req->bus->info->tcq ? 0x02 : 0);
808     return buflen;
809 }
810 
811 static inline bool media_is_dvd(SCSIDiskState *s)
812 {
813     uint64_t nb_sectors;
814     if (s->qdev.type != TYPE_ROM) {
815         return false;
816     }
817     if (!blk_is_available(s->qdev.conf.blk)) {
818         return false;
819     }
820     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
821     return nb_sectors > CD_MAX_SECTORS;
822 }
823 
824 static inline bool media_is_cd(SCSIDiskState *s)
825 {
826     uint64_t nb_sectors;
827     if (s->qdev.type != TYPE_ROM) {
828         return false;
829     }
830     if (!blk_is_available(s->qdev.conf.blk)) {
831         return false;
832     }
833     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
834     return nb_sectors <= CD_MAX_SECTORS;
835 }
836 
837 static int scsi_read_disc_information(SCSIDiskState *s, SCSIDiskReq *r,
838                                       uint8_t *outbuf)
839 {
840     uint8_t type = r->req.cmd.buf[1] & 7;
841 
842     if (s->qdev.type != TYPE_ROM) {
843         return -1;
844     }
845 
846     /* Types 1/2 are only defined for Blu-Ray.  */
847     if (type != 0) {
848         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
849         return -1;
850     }
851 
852     memset(outbuf, 0, 34);
853     outbuf[1] = 32;
854     outbuf[2] = 0xe; /* last session complete, disc finalized */
855     outbuf[3] = 1;   /* first track on disc */
856     outbuf[4] = 1;   /* # of sessions */
857     outbuf[5] = 1;   /* first track of last session */
858     outbuf[6] = 1;   /* last track of last session */
859     outbuf[7] = 0x20; /* unrestricted use */
860     outbuf[8] = 0x00; /* CD-ROM or DVD-ROM */
861     /* 9-10-11: most significant byte corresponding bytes 4-5-6 */
862     /* 12-23: not meaningful for CD-ROM or DVD-ROM */
863     /* 24-31: disc bar code */
864     /* 32: disc application code */
865     /* 33: number of OPC tables */
866 
867     return 34;
868 }
869 
870 static int scsi_read_dvd_structure(SCSIDiskState *s, SCSIDiskReq *r,
871                                    uint8_t *outbuf)
872 {
873     static const int rds_caps_size[5] = {
874         [0] = 2048 + 4,
875         [1] = 4 + 4,
876         [3] = 188 + 4,
877         [4] = 2048 + 4,
878     };
879 
880     uint8_t media = r->req.cmd.buf[1];
881     uint8_t layer = r->req.cmd.buf[6];
882     uint8_t format = r->req.cmd.buf[7];
883     int size = -1;
884 
885     if (s->qdev.type != TYPE_ROM) {
886         return -1;
887     }
888     if (media != 0) {
889         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
890         return -1;
891     }
892 
893     if (format != 0xff) {
894         if (!blk_is_available(s->qdev.conf.blk)) {
895             scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
896             return -1;
897         }
898         if (media_is_cd(s)) {
899             scsi_check_condition(r, SENSE_CODE(INCOMPATIBLE_FORMAT));
900             return -1;
901         }
902         if (format >= ARRAY_SIZE(rds_caps_size)) {
903             return -1;
904         }
905         size = rds_caps_size[format];
906         memset(outbuf, 0, size);
907     }
908 
909     switch (format) {
910     case 0x00: {
911         /* Physical format information */
912         uint64_t nb_sectors;
913         if (layer != 0) {
914             goto fail;
915         }
916         blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
917 
918         outbuf[4] = 1;   /* DVD-ROM, part version 1 */
919         outbuf[5] = 0xf; /* 120mm disc, minimum rate unspecified */
920         outbuf[6] = 1;   /* one layer, read-only (per MMC-2 spec) */
921         outbuf[7] = 0;   /* default densities */
922 
923         stl_be_p(&outbuf[12], (nb_sectors >> 2) - 1); /* end sector */
924         stl_be_p(&outbuf[16], (nb_sectors >> 2) - 1); /* l0 end sector */
925         break;
926     }
927 
928     case 0x01: /* DVD copyright information, all zeros */
929         break;
930 
931     case 0x03: /* BCA information - invalid field for no BCA info */
932         return -1;
933 
934     case 0x04: /* DVD disc manufacturing information, all zeros */
935         break;
936 
937     case 0xff: { /* List capabilities */
938         int i;
939         size = 4;
940         for (i = 0; i < ARRAY_SIZE(rds_caps_size); i++) {
941             if (!rds_caps_size[i]) {
942                 continue;
943             }
944             outbuf[size] = i;
945             outbuf[size + 1] = 0x40; /* Not writable, readable */
946             stw_be_p(&outbuf[size + 2], rds_caps_size[i]);
947             size += 4;
948         }
949         break;
950      }
951 
952     default:
953         return -1;
954     }
955 
956     /* Size of buffer, not including 2 byte size field */
957     stw_be_p(outbuf, size - 2);
958     return size;
959 
960 fail:
961     return -1;
962 }
963 
964 static int scsi_event_status_media(SCSIDiskState *s, uint8_t *outbuf)
965 {
966     uint8_t event_code, media_status;
967 
968     media_status = 0;
969     if (s->tray_open) {
970         media_status = MS_TRAY_OPEN;
971     } else if (blk_is_inserted(s->qdev.conf.blk)) {
972         media_status = MS_MEDIA_PRESENT;
973     }
974 
975     /* Event notification descriptor */
976     event_code = MEC_NO_CHANGE;
977     if (media_status != MS_TRAY_OPEN) {
978         if (s->media_event) {
979             event_code = MEC_NEW_MEDIA;
980             s->media_event = false;
981         } else if (s->eject_request) {
982             event_code = MEC_EJECT_REQUESTED;
983             s->eject_request = false;
984         }
985     }
986 
987     outbuf[0] = event_code;
988     outbuf[1] = media_status;
989 
990     /* These fields are reserved, just clear them. */
991     outbuf[2] = 0;
992     outbuf[3] = 0;
993     return 4;
994 }
995 
996 static int scsi_get_event_status_notification(SCSIDiskState *s, SCSIDiskReq *r,
997                                               uint8_t *outbuf)
998 {
999     int size;
1000     uint8_t *buf = r->req.cmd.buf;
1001     uint8_t notification_class_request = buf[4];
1002     if (s->qdev.type != TYPE_ROM) {
1003         return -1;
1004     }
1005     if ((buf[1] & 1) == 0) {
1006         /* asynchronous */
1007         return -1;
1008     }
1009 
1010     size = 4;
1011     outbuf[0] = outbuf[1] = 0;
1012     outbuf[3] = 1 << GESN_MEDIA; /* supported events */
1013     if (notification_class_request & (1 << GESN_MEDIA)) {
1014         outbuf[2] = GESN_MEDIA;
1015         size += scsi_event_status_media(s, &outbuf[size]);
1016     } else {
1017         outbuf[2] = 0x80;
1018     }
1019     stw_be_p(outbuf, size - 4);
1020     return size;
1021 }
1022 
1023 static int scsi_get_configuration(SCSIDiskState *s, uint8_t *outbuf)
1024 {
1025     int current;
1026 
1027     if (s->qdev.type != TYPE_ROM) {
1028         return -1;
1029     }
1030 
1031     if (media_is_dvd(s)) {
1032         current = MMC_PROFILE_DVD_ROM;
1033     } else if (media_is_cd(s)) {
1034         current = MMC_PROFILE_CD_ROM;
1035     } else {
1036         current = MMC_PROFILE_NONE;
1037     }
1038 
1039     memset(outbuf, 0, 40);
1040     stl_be_p(&outbuf[0], 36); /* Bytes after the data length field */
1041     stw_be_p(&outbuf[6], current);
1042     /* outbuf[8] - outbuf[19]: Feature 0 - Profile list */
1043     outbuf[10] = 0x03; /* persistent, current */
1044     outbuf[11] = 8; /* two profiles */
1045     stw_be_p(&outbuf[12], MMC_PROFILE_DVD_ROM);
1046     outbuf[14] = (current == MMC_PROFILE_DVD_ROM);
1047     stw_be_p(&outbuf[16], MMC_PROFILE_CD_ROM);
1048     outbuf[18] = (current == MMC_PROFILE_CD_ROM);
1049     /* outbuf[20] - outbuf[31]: Feature 1 - Core feature */
1050     stw_be_p(&outbuf[20], 1);
1051     outbuf[22] = 0x08 | 0x03; /* version 2, persistent, current */
1052     outbuf[23] = 8;
1053     stl_be_p(&outbuf[24], 1); /* SCSI */
1054     outbuf[28] = 1; /* DBE = 1, mandatory */
1055     /* outbuf[32] - outbuf[39]: Feature 3 - Removable media feature */
1056     stw_be_p(&outbuf[32], 3);
1057     outbuf[34] = 0x08 | 0x03; /* version 2, persistent, current */
1058     outbuf[35] = 4;
1059     outbuf[36] = 0x39; /* tray, load=1, eject=1, unlocked at powerup, lock=1 */
1060     /* TODO: Random readable, CD read, DVD read, drive serial number,
1061        power management */
1062     return 40;
1063 }
1064 
1065 static int scsi_emulate_mechanism_status(SCSIDiskState *s, uint8_t *outbuf)
1066 {
1067     if (s->qdev.type != TYPE_ROM) {
1068         return -1;
1069     }
1070     memset(outbuf, 0, 8);
1071     outbuf[5] = 1; /* CD-ROM */
1072     return 8;
1073 }
1074 
1075 static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf,
1076                            int page_control)
1077 {
1078     static const int mode_sense_valid[0x3f] = {
1079         [MODE_PAGE_HD_GEOMETRY]            = (1 << TYPE_DISK),
1080         [MODE_PAGE_FLEXIBLE_DISK_GEOMETRY] = (1 << TYPE_DISK),
1081         [MODE_PAGE_CACHING]                = (1 << TYPE_DISK) | (1 << TYPE_ROM),
1082         [MODE_PAGE_R_W_ERROR]              = (1 << TYPE_DISK) | (1 << TYPE_ROM),
1083         [MODE_PAGE_AUDIO_CTL]              = (1 << TYPE_ROM),
1084         [MODE_PAGE_CAPABILITIES]           = (1 << TYPE_ROM),
1085     };
1086 
1087     uint8_t *p = *p_outbuf + 2;
1088     int length;
1089 
1090     if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) {
1091         return -1;
1092     }
1093 
1094     /*
1095      * If Changeable Values are requested, a mask denoting those mode parameters
1096      * that are changeable shall be returned. As we currently don't support
1097      * parameter changes via MODE_SELECT all bits are returned set to zero.
1098      * The buffer was already menset to zero by the caller of this function.
1099      *
1100      * The offsets here are off by two compared to the descriptions in the
1101      * SCSI specs, because those include a 2-byte header.  This is unfortunate,
1102      * but it is done so that offsets are consistent within our implementation
1103      * of MODE SENSE and MODE SELECT.  MODE SELECT has to deal with both
1104      * 2-byte and 4-byte headers.
1105      */
1106     switch (page) {
1107     case MODE_PAGE_HD_GEOMETRY:
1108         length = 0x16;
1109         if (page_control == 1) { /* Changeable Values */
1110             break;
1111         }
1112         /* if a geometry hint is available, use it */
1113         p[0] = (s->qdev.conf.cyls >> 16) & 0xff;
1114         p[1] = (s->qdev.conf.cyls >> 8) & 0xff;
1115         p[2] = s->qdev.conf.cyls & 0xff;
1116         p[3] = s->qdev.conf.heads & 0xff;
1117         /* Write precomp start cylinder, disabled */
1118         p[4] = (s->qdev.conf.cyls >> 16) & 0xff;
1119         p[5] = (s->qdev.conf.cyls >> 8) & 0xff;
1120         p[6] = s->qdev.conf.cyls & 0xff;
1121         /* Reduced current start cylinder, disabled */
1122         p[7] = (s->qdev.conf.cyls >> 16) & 0xff;
1123         p[8] = (s->qdev.conf.cyls >> 8) & 0xff;
1124         p[9] = s->qdev.conf.cyls & 0xff;
1125         /* Device step rate [ns], 200ns */
1126         p[10] = 0;
1127         p[11] = 200;
1128         /* Landing zone cylinder */
1129         p[12] = 0xff;
1130         p[13] =  0xff;
1131         p[14] = 0xff;
1132         /* Medium rotation rate [rpm], 5400 rpm */
1133         p[18] = (5400 >> 8) & 0xff;
1134         p[19] = 5400 & 0xff;
1135         break;
1136 
1137     case MODE_PAGE_FLEXIBLE_DISK_GEOMETRY:
1138         length = 0x1e;
1139         if (page_control == 1) { /* Changeable Values */
1140             break;
1141         }
1142         /* Transfer rate [kbit/s], 5Mbit/s */
1143         p[0] = 5000 >> 8;
1144         p[1] = 5000 & 0xff;
1145         /* if a geometry hint is available, use it */
1146         p[2] = s->qdev.conf.heads & 0xff;
1147         p[3] = s->qdev.conf.secs & 0xff;
1148         p[4] = s->qdev.blocksize >> 8;
1149         p[6] = (s->qdev.conf.cyls >> 8) & 0xff;
1150         p[7] = s->qdev.conf.cyls & 0xff;
1151         /* Write precomp start cylinder, disabled */
1152         p[8] = (s->qdev.conf.cyls >> 8) & 0xff;
1153         p[9] = s->qdev.conf.cyls & 0xff;
1154         /* Reduced current start cylinder, disabled */
1155         p[10] = (s->qdev.conf.cyls >> 8) & 0xff;
1156         p[11] = s->qdev.conf.cyls & 0xff;
1157         /* Device step rate [100us], 100us */
1158         p[12] = 0;
1159         p[13] = 1;
1160         /* Device step pulse width [us], 1us */
1161         p[14] = 1;
1162         /* Device head settle delay [100us], 100us */
1163         p[15] = 0;
1164         p[16] = 1;
1165         /* Motor on delay [0.1s], 0.1s */
1166         p[17] = 1;
1167         /* Motor off delay [0.1s], 0.1s */
1168         p[18] = 1;
1169         /* Medium rotation rate [rpm], 5400 rpm */
1170         p[26] = (5400 >> 8) & 0xff;
1171         p[27] = 5400 & 0xff;
1172         break;
1173 
1174     case MODE_PAGE_CACHING:
1175         length = 0x12;
1176         if (page_control == 1 || /* Changeable Values */
1177             blk_enable_write_cache(s->qdev.conf.blk)) {
1178             p[0] = 4; /* WCE */
1179         }
1180         break;
1181 
1182     case MODE_PAGE_R_W_ERROR:
1183         length = 10;
1184         if (page_control == 1) { /* Changeable Values */
1185             break;
1186         }
1187         p[0] = 0x80; /* Automatic Write Reallocation Enabled */
1188         if (s->qdev.type == TYPE_ROM) {
1189             p[1] = 0x20; /* Read Retry Count */
1190         }
1191         break;
1192 
1193     case MODE_PAGE_AUDIO_CTL:
1194         length = 14;
1195         break;
1196 
1197     case MODE_PAGE_CAPABILITIES:
1198         length = 0x14;
1199         if (page_control == 1) { /* Changeable Values */
1200             break;
1201         }
1202 
1203         p[0] = 0x3b; /* CD-R & CD-RW read */
1204         p[1] = 0; /* Writing not supported */
1205         p[2] = 0x7f; /* Audio, composite, digital out,
1206                         mode 2 form 1&2, multi session */
1207         p[3] = 0xff; /* CD DA, DA accurate, RW supported,
1208                         RW corrected, C2 errors, ISRC,
1209                         UPC, Bar code */
1210         p[4] = 0x2d | (s->tray_locked ? 2 : 0);
1211         /* Locking supported, jumper present, eject, tray */
1212         p[5] = 0; /* no volume & mute control, no
1213                      changer */
1214         p[6] = (50 * 176) >> 8; /* 50x read speed */
1215         p[7] = (50 * 176) & 0xff;
1216         p[8] = 2 >> 8; /* Two volume levels */
1217         p[9] = 2 & 0xff;
1218         p[10] = 2048 >> 8; /* 2M buffer */
1219         p[11] = 2048 & 0xff;
1220         p[12] = (16 * 176) >> 8; /* 16x read speed current */
1221         p[13] = (16 * 176) & 0xff;
1222         p[16] = (16 * 176) >> 8; /* 16x write speed */
1223         p[17] = (16 * 176) & 0xff;
1224         p[18] = (16 * 176) >> 8; /* 16x write speed current */
1225         p[19] = (16 * 176) & 0xff;
1226         break;
1227 
1228     default:
1229         return -1;
1230     }
1231 
1232     assert(length < 256);
1233     (*p_outbuf)[0] = page;
1234     (*p_outbuf)[1] = length;
1235     *p_outbuf += length + 2;
1236     return length + 2;
1237 }
1238 
1239 static int scsi_disk_emulate_mode_sense(SCSIDiskReq *r, uint8_t *outbuf)
1240 {
1241     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1242     uint64_t nb_sectors;
1243     bool dbd;
1244     int page, buflen, ret, page_control;
1245     uint8_t *p;
1246     uint8_t dev_specific_param;
1247 
1248     dbd = (r->req.cmd.buf[1] & 0x8) != 0;
1249     page = r->req.cmd.buf[2] & 0x3f;
1250     page_control = (r->req.cmd.buf[2] & 0xc0) >> 6;
1251 
1252     trace_scsi_disk_emulate_mode_sense((r->req.cmd.buf[0] == MODE_SENSE) ? 6 :
1253                                        10, page, r->req.cmd.xfer, page_control);
1254     memset(outbuf, 0, r->req.cmd.xfer);
1255     p = outbuf;
1256 
1257     if (s->qdev.type == TYPE_DISK) {
1258         dev_specific_param = s->features & (1 << SCSI_DISK_F_DPOFUA) ? 0x10 : 0;
1259         if (!blk_is_writable(s->qdev.conf.blk)) {
1260             dev_specific_param |= 0x80; /* Readonly.  */
1261         }
1262     } else {
1263         /* MMC prescribes that CD/DVD drives have no block descriptors,
1264          * and defines no device-specific parameter.  */
1265         dev_specific_param = 0x00;
1266         dbd = true;
1267     }
1268 
1269     if (r->req.cmd.buf[0] == MODE_SENSE) {
1270         p[1] = 0; /* Default media type.  */
1271         p[2] = dev_specific_param;
1272         p[3] = 0; /* Block descriptor length.  */
1273         p += 4;
1274     } else { /* MODE_SENSE_10 */
1275         p[2] = 0; /* Default media type.  */
1276         p[3] = dev_specific_param;
1277         p[6] = p[7] = 0; /* Block descriptor length.  */
1278         p += 8;
1279     }
1280 
1281     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
1282     if (!dbd && nb_sectors) {
1283         if (r->req.cmd.buf[0] == MODE_SENSE) {
1284             outbuf[3] = 8; /* Block descriptor length  */
1285         } else { /* MODE_SENSE_10 */
1286             outbuf[7] = 8; /* Block descriptor length  */
1287         }
1288         nb_sectors /= (s->qdev.blocksize / BDRV_SECTOR_SIZE);
1289         if (nb_sectors > 0xffffff) {
1290             nb_sectors = 0;
1291         }
1292         p[0] = 0; /* media density code */
1293         p[1] = (nb_sectors >> 16) & 0xff;
1294         p[2] = (nb_sectors >> 8) & 0xff;
1295         p[3] = nb_sectors & 0xff;
1296         p[4] = 0; /* reserved */
1297         p[5] = 0; /* bytes 5-7 are the sector size in bytes */
1298         p[6] = s->qdev.blocksize >> 8;
1299         p[7] = 0;
1300         p += 8;
1301     }
1302 
1303     if (page_control == 3) {
1304         /* Saved Values */
1305         scsi_check_condition(r, SENSE_CODE(SAVING_PARAMS_NOT_SUPPORTED));
1306         return -1;
1307     }
1308 
1309     if (page == 0x3f) {
1310         for (page = 0; page <= 0x3e; page++) {
1311             mode_sense_page(s, page, &p, page_control);
1312         }
1313     } else {
1314         ret = mode_sense_page(s, page, &p, page_control);
1315         if (ret == -1) {
1316             return -1;
1317         }
1318     }
1319 
1320     buflen = p - outbuf;
1321     /*
1322      * The mode data length field specifies the length in bytes of the
1323      * following data that is available to be transferred. The mode data
1324      * length does not include itself.
1325      */
1326     if (r->req.cmd.buf[0] == MODE_SENSE) {
1327         outbuf[0] = buflen - 1;
1328     } else { /* MODE_SENSE_10 */
1329         outbuf[0] = ((buflen - 2) >> 8) & 0xff;
1330         outbuf[1] = (buflen - 2) & 0xff;
1331     }
1332     return buflen;
1333 }
1334 
1335 static int scsi_disk_emulate_read_toc(SCSIRequest *req, uint8_t *outbuf)
1336 {
1337     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1338     int start_track, format, msf, toclen;
1339     uint64_t nb_sectors;
1340 
1341     msf = req->cmd.buf[1] & 2;
1342     format = req->cmd.buf[2] & 0xf;
1343     start_track = req->cmd.buf[6];
1344     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
1345     trace_scsi_disk_emulate_read_toc(start_track, format, msf >> 1);
1346     nb_sectors /= s->qdev.blocksize / BDRV_SECTOR_SIZE;
1347     switch (format) {
1348     case 0:
1349         toclen = cdrom_read_toc(nb_sectors, outbuf, msf, start_track);
1350         break;
1351     case 1:
1352         /* multi session : only a single session defined */
1353         toclen = 12;
1354         memset(outbuf, 0, 12);
1355         outbuf[1] = 0x0a;
1356         outbuf[2] = 0x01;
1357         outbuf[3] = 0x01;
1358         break;
1359     case 2:
1360         toclen = cdrom_read_toc_raw(nb_sectors, outbuf, msf, start_track);
1361         break;
1362     default:
1363         return -1;
1364     }
1365     return toclen;
1366 }
1367 
1368 static int scsi_disk_emulate_start_stop(SCSIDiskReq *r)
1369 {
1370     SCSIRequest *req = &r->req;
1371     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1372     bool start = req->cmd.buf[4] & 1;
1373     bool loej = req->cmd.buf[4] & 2; /* load on start, eject on !start */
1374     int pwrcnd = req->cmd.buf[4] & 0xf0;
1375 
1376     if (pwrcnd) {
1377         /* eject/load only happens for power condition == 0 */
1378         return 0;
1379     }
1380 
1381     if ((s->features & (1 << SCSI_DISK_F_REMOVABLE)) && loej) {
1382         if (!start && !s->tray_open && s->tray_locked) {
1383             scsi_check_condition(r,
1384                                  blk_is_inserted(s->qdev.conf.blk)
1385                                  ? SENSE_CODE(ILLEGAL_REQ_REMOVAL_PREVENTED)
1386                                  : SENSE_CODE(NOT_READY_REMOVAL_PREVENTED));
1387             return -1;
1388         }
1389 
1390         if (s->tray_open != !start) {
1391             blk_eject(s->qdev.conf.blk, !start);
1392             s->tray_open = !start;
1393         }
1394     }
1395     return 0;
1396 }
1397 
1398 static void scsi_disk_emulate_read_data(SCSIRequest *req)
1399 {
1400     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
1401     int buflen = r->iov.iov_len;
1402 
1403     if (buflen) {
1404         trace_scsi_disk_emulate_read_data(buflen);
1405         r->iov.iov_len = 0;
1406         r->started = true;
1407         scsi_req_data(&r->req, buflen);
1408         return;
1409     }
1410 
1411     /* This also clears the sense buffer for REQUEST SENSE.  */
1412     scsi_req_complete(&r->req, GOOD);
1413 }
1414 
1415 static int scsi_disk_check_mode_select(SCSIDiskState *s, int page,
1416                                        uint8_t *inbuf, int inlen)
1417 {
1418     uint8_t mode_current[SCSI_MAX_MODE_LEN];
1419     uint8_t mode_changeable[SCSI_MAX_MODE_LEN];
1420     uint8_t *p;
1421     int len, expected_len, changeable_len, i;
1422 
1423     /* The input buffer does not include the page header, so it is
1424      * off by 2 bytes.
1425      */
1426     expected_len = inlen + 2;
1427     if (expected_len > SCSI_MAX_MODE_LEN) {
1428         return -1;
1429     }
1430 
1431     p = mode_current;
1432     memset(mode_current, 0, inlen + 2);
1433     len = mode_sense_page(s, page, &p, 0);
1434     if (len < 0 || len != expected_len) {
1435         return -1;
1436     }
1437 
1438     p = mode_changeable;
1439     memset(mode_changeable, 0, inlen + 2);
1440     changeable_len = mode_sense_page(s, page, &p, 1);
1441     assert(changeable_len == len);
1442 
1443     /* Check that unchangeable bits are the same as what MODE SENSE
1444      * would return.
1445      */
1446     for (i = 2; i < len; i++) {
1447         if (((mode_current[i] ^ inbuf[i - 2]) & ~mode_changeable[i]) != 0) {
1448             return -1;
1449         }
1450     }
1451     return 0;
1452 }
1453 
1454 static void scsi_disk_apply_mode_select(SCSIDiskState *s, int page, uint8_t *p)
1455 {
1456     switch (page) {
1457     case MODE_PAGE_CACHING:
1458         blk_set_enable_write_cache(s->qdev.conf.blk, (p[0] & 4) != 0);
1459         break;
1460 
1461     default:
1462         break;
1463     }
1464 }
1465 
1466 static int mode_select_pages(SCSIDiskReq *r, uint8_t *p, int len, bool change)
1467 {
1468     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1469 
1470     while (len > 0) {
1471         int page, subpage, page_len;
1472 
1473         /* Parse both possible formats for the mode page headers.  */
1474         page = p[0] & 0x3f;
1475         if (p[0] & 0x40) {
1476             if (len < 4) {
1477                 goto invalid_param_len;
1478             }
1479             subpage = p[1];
1480             page_len = lduw_be_p(&p[2]);
1481             p += 4;
1482             len -= 4;
1483         } else {
1484             if (len < 2) {
1485                 goto invalid_param_len;
1486             }
1487             subpage = 0;
1488             page_len = p[1];
1489             p += 2;
1490             len -= 2;
1491         }
1492 
1493         if (subpage) {
1494             goto invalid_param;
1495         }
1496         if (page_len > len) {
1497             goto invalid_param_len;
1498         }
1499 
1500         if (!change) {
1501             if (scsi_disk_check_mode_select(s, page, p, page_len) < 0) {
1502                 goto invalid_param;
1503             }
1504         } else {
1505             scsi_disk_apply_mode_select(s, page, p);
1506         }
1507 
1508         p += page_len;
1509         len -= page_len;
1510     }
1511     return 0;
1512 
1513 invalid_param:
1514     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM));
1515     return -1;
1516 
1517 invalid_param_len:
1518     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM_LEN));
1519     return -1;
1520 }
1521 
1522 static void scsi_disk_emulate_mode_select(SCSIDiskReq *r, uint8_t *inbuf)
1523 {
1524     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1525     uint8_t *p = inbuf;
1526     int cmd = r->req.cmd.buf[0];
1527     int len = r->req.cmd.xfer;
1528     int hdr_len = (cmd == MODE_SELECT ? 4 : 8);
1529     int bd_len;
1530     int pass;
1531 
1532     /* We only support PF=1, SP=0.  */
1533     if ((r->req.cmd.buf[1] & 0x11) != 0x10) {
1534         goto invalid_field;
1535     }
1536 
1537     if (len < hdr_len) {
1538         goto invalid_param_len;
1539     }
1540 
1541     bd_len = (cmd == MODE_SELECT ? p[3] : lduw_be_p(&p[6]));
1542     len -= hdr_len;
1543     p += hdr_len;
1544     if (len < bd_len) {
1545         goto invalid_param_len;
1546     }
1547     if (bd_len != 0 && bd_len != 8) {
1548         goto invalid_param;
1549     }
1550 
1551     len -= bd_len;
1552     p += bd_len;
1553 
1554     /* Ensure no change is made if there is an error!  */
1555     for (pass = 0; pass < 2; pass++) {
1556         if (mode_select_pages(r, p, len, pass == 1) < 0) {
1557             assert(pass == 0);
1558             return;
1559         }
1560     }
1561     if (!blk_enable_write_cache(s->qdev.conf.blk)) {
1562         /* The request is used as the AIO opaque value, so add a ref.  */
1563         scsi_req_ref(&r->req);
1564         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct, 0,
1565                          BLOCK_ACCT_FLUSH);
1566         r->req.aiocb = blk_aio_flush(s->qdev.conf.blk, scsi_aio_complete, r);
1567         return;
1568     }
1569 
1570     scsi_req_complete(&r->req, GOOD);
1571     return;
1572 
1573 invalid_param:
1574     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM));
1575     return;
1576 
1577 invalid_param_len:
1578     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM_LEN));
1579     return;
1580 
1581 invalid_field:
1582     scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1583 }
1584 
1585 static inline bool check_lba_range(SCSIDiskState *s,
1586                                    uint64_t sector_num, uint32_t nb_sectors)
1587 {
1588     /*
1589      * The first line tests that no overflow happens when computing the last
1590      * sector.  The second line tests that the last accessed sector is in
1591      * range.
1592      *
1593      * Careful, the computations should not underflow for nb_sectors == 0,
1594      * and a 0-block read to the first LBA beyond the end of device is
1595      * valid.
1596      */
1597     return (sector_num <= sector_num + nb_sectors &&
1598             sector_num + nb_sectors <= s->qdev.max_lba + 1);
1599 }
1600 
1601 typedef struct UnmapCBData {
1602     SCSIDiskReq *r;
1603     uint8_t *inbuf;
1604     int count;
1605 } UnmapCBData;
1606 
1607 static void scsi_unmap_complete(void *opaque, int ret);
1608 
1609 static void scsi_unmap_complete_noio(UnmapCBData *data, int ret)
1610 {
1611     SCSIDiskReq *r = data->r;
1612     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1613 
1614     assert(r->req.aiocb == NULL);
1615 
1616     if (data->count > 0) {
1617         r->sector = ldq_be_p(&data->inbuf[0])
1618             * (s->qdev.blocksize / BDRV_SECTOR_SIZE);
1619         r->sector_count = (ldl_be_p(&data->inbuf[8]) & 0xffffffffULL)
1620             * (s->qdev.blocksize / BDRV_SECTOR_SIZE);
1621         if (!check_lba_range(s, r->sector, r->sector_count)) {
1622             block_acct_invalid(blk_get_stats(s->qdev.conf.blk),
1623                                BLOCK_ACCT_UNMAP);
1624             scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
1625             goto done;
1626         }
1627 
1628         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
1629                          r->sector_count * BDRV_SECTOR_SIZE,
1630                          BLOCK_ACCT_UNMAP);
1631 
1632         r->req.aiocb = blk_aio_pdiscard(s->qdev.conf.blk,
1633                                         r->sector * BDRV_SECTOR_SIZE,
1634                                         r->sector_count * BDRV_SECTOR_SIZE,
1635                                         scsi_unmap_complete, data);
1636         data->count--;
1637         data->inbuf += 16;
1638         return;
1639     }
1640 
1641     scsi_req_complete(&r->req, GOOD);
1642 
1643 done:
1644     scsi_req_unref(&r->req);
1645     g_free(data);
1646 }
1647 
1648 static void scsi_unmap_complete(void *opaque, int ret)
1649 {
1650     UnmapCBData *data = opaque;
1651     SCSIDiskReq *r = data->r;
1652     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1653 
1654     assert(r->req.aiocb != NULL);
1655     r->req.aiocb = NULL;
1656 
1657     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
1658     if (scsi_disk_req_check_error(r, ret, true)) {
1659         scsi_req_unref(&r->req);
1660         g_free(data);
1661     } else {
1662         block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
1663         scsi_unmap_complete_noio(data, ret);
1664     }
1665     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
1666 }
1667 
1668 static void scsi_disk_emulate_unmap(SCSIDiskReq *r, uint8_t *inbuf)
1669 {
1670     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1671     uint8_t *p = inbuf;
1672     int len = r->req.cmd.xfer;
1673     UnmapCBData *data;
1674 
1675     /* Reject ANCHOR=1.  */
1676     if (r->req.cmd.buf[1] & 0x1) {
1677         goto invalid_field;
1678     }
1679 
1680     if (len < 8) {
1681         goto invalid_param_len;
1682     }
1683     if (len < lduw_be_p(&p[0]) + 2) {
1684         goto invalid_param_len;
1685     }
1686     if (len < lduw_be_p(&p[2]) + 8) {
1687         goto invalid_param_len;
1688     }
1689     if (lduw_be_p(&p[2]) & 15) {
1690         goto invalid_param_len;
1691     }
1692 
1693     if (!blk_is_writable(s->qdev.conf.blk)) {
1694         block_acct_invalid(blk_get_stats(s->qdev.conf.blk), BLOCK_ACCT_UNMAP);
1695         scsi_check_condition(r, SENSE_CODE(WRITE_PROTECTED));
1696         return;
1697     }
1698 
1699     data = g_new0(UnmapCBData, 1);
1700     data->r = r;
1701     data->inbuf = &p[8];
1702     data->count = lduw_be_p(&p[2]) >> 4;
1703 
1704     /* The matching unref is in scsi_unmap_complete, before data is freed.  */
1705     scsi_req_ref(&r->req);
1706     scsi_unmap_complete_noio(data, 0);
1707     return;
1708 
1709 invalid_param_len:
1710     block_acct_invalid(blk_get_stats(s->qdev.conf.blk), BLOCK_ACCT_UNMAP);
1711     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM_LEN));
1712     return;
1713 
1714 invalid_field:
1715     block_acct_invalid(blk_get_stats(s->qdev.conf.blk), BLOCK_ACCT_UNMAP);
1716     scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1717 }
1718 
1719 typedef struct WriteSameCBData {
1720     SCSIDiskReq *r;
1721     int64_t sector;
1722     int nb_sectors;
1723     QEMUIOVector qiov;
1724     struct iovec iov;
1725 } WriteSameCBData;
1726 
1727 static void scsi_write_same_complete(void *opaque, int ret)
1728 {
1729     WriteSameCBData *data = opaque;
1730     SCSIDiskReq *r = data->r;
1731     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1732 
1733     assert(r->req.aiocb != NULL);
1734     r->req.aiocb = NULL;
1735     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
1736     if (scsi_disk_req_check_error(r, ret, true)) {
1737         goto done;
1738     }
1739 
1740     block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
1741 
1742     data->nb_sectors -= data->iov.iov_len / BDRV_SECTOR_SIZE;
1743     data->sector += data->iov.iov_len / BDRV_SECTOR_SIZE;
1744     data->iov.iov_len = MIN(data->nb_sectors * BDRV_SECTOR_SIZE,
1745                             data->iov.iov_len);
1746     if (data->iov.iov_len) {
1747         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
1748                          data->iov.iov_len, BLOCK_ACCT_WRITE);
1749         /* Reinitialize qiov, to handle unaligned WRITE SAME request
1750          * where final qiov may need smaller size */
1751         qemu_iovec_init_external(&data->qiov, &data->iov, 1);
1752         r->req.aiocb = blk_aio_pwritev(s->qdev.conf.blk,
1753                                        data->sector << BDRV_SECTOR_BITS,
1754                                        &data->qiov, 0,
1755                                        scsi_write_same_complete, data);
1756         aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
1757         return;
1758     }
1759 
1760     scsi_req_complete(&r->req, GOOD);
1761 
1762 done:
1763     scsi_req_unref(&r->req);
1764     qemu_vfree(data->iov.iov_base);
1765     g_free(data);
1766     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
1767 }
1768 
1769 static void scsi_disk_emulate_write_same(SCSIDiskReq *r, uint8_t *inbuf)
1770 {
1771     SCSIRequest *req = &r->req;
1772     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1773     uint32_t nb_sectors = scsi_data_cdb_xfer(r->req.cmd.buf);
1774     WriteSameCBData *data;
1775     uint8_t *buf;
1776     int i;
1777 
1778     /* Fail if PBDATA=1 or LBDATA=1 or ANCHOR=1.  */
1779     if (nb_sectors == 0 || (req->cmd.buf[1] & 0x16)) {
1780         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1781         return;
1782     }
1783 
1784     if (!blk_is_writable(s->qdev.conf.blk)) {
1785         scsi_check_condition(r, SENSE_CODE(WRITE_PROTECTED));
1786         return;
1787     }
1788     if (!check_lba_range(s, r->req.cmd.lba, nb_sectors)) {
1789         scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
1790         return;
1791     }
1792 
1793     if ((req->cmd.buf[1] & 0x1) || buffer_is_zero(inbuf, s->qdev.blocksize)) {
1794         int flags = (req->cmd.buf[1] & 0x8) ? BDRV_REQ_MAY_UNMAP : 0;
1795 
1796         /* The request is used as the AIO opaque value, so add a ref.  */
1797         scsi_req_ref(&r->req);
1798         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
1799                          nb_sectors * s->qdev.blocksize,
1800                         BLOCK_ACCT_WRITE);
1801         r->req.aiocb = blk_aio_pwrite_zeroes(s->qdev.conf.blk,
1802                                 r->req.cmd.lba * s->qdev.blocksize,
1803                                 nb_sectors * s->qdev.blocksize,
1804                                 flags, scsi_aio_complete, r);
1805         return;
1806     }
1807 
1808     data = g_new0(WriteSameCBData, 1);
1809     data->r = r;
1810     data->sector = r->req.cmd.lba * (s->qdev.blocksize / BDRV_SECTOR_SIZE);
1811     data->nb_sectors = nb_sectors * (s->qdev.blocksize / BDRV_SECTOR_SIZE);
1812     data->iov.iov_len = MIN(data->nb_sectors * BDRV_SECTOR_SIZE,
1813                             SCSI_WRITE_SAME_MAX);
1814     data->iov.iov_base = buf = blk_blockalign(s->qdev.conf.blk,
1815                                               data->iov.iov_len);
1816     qemu_iovec_init_external(&data->qiov, &data->iov, 1);
1817 
1818     for (i = 0; i < data->iov.iov_len; i += s->qdev.blocksize) {
1819         memcpy(&buf[i], inbuf, s->qdev.blocksize);
1820     }
1821 
1822     scsi_req_ref(&r->req);
1823     block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
1824                      data->iov.iov_len, BLOCK_ACCT_WRITE);
1825     r->req.aiocb = blk_aio_pwritev(s->qdev.conf.blk,
1826                                    data->sector << BDRV_SECTOR_BITS,
1827                                    &data->qiov, 0,
1828                                    scsi_write_same_complete, data);
1829 }
1830 
1831 static void scsi_disk_emulate_write_data(SCSIRequest *req)
1832 {
1833     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
1834 
1835     if (r->iov.iov_len) {
1836         int buflen = r->iov.iov_len;
1837         trace_scsi_disk_emulate_write_data(buflen);
1838         r->iov.iov_len = 0;
1839         scsi_req_data(&r->req, buflen);
1840         return;
1841     }
1842 
1843     switch (req->cmd.buf[0]) {
1844     case MODE_SELECT:
1845     case MODE_SELECT_10:
1846         /* This also clears the sense buffer for REQUEST SENSE.  */
1847         scsi_disk_emulate_mode_select(r, r->iov.iov_base);
1848         break;
1849 
1850     case UNMAP:
1851         scsi_disk_emulate_unmap(r, r->iov.iov_base);
1852         break;
1853 
1854     case VERIFY_10:
1855     case VERIFY_12:
1856     case VERIFY_16:
1857         if (r->req.status == -1) {
1858             scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1859         }
1860         break;
1861 
1862     case WRITE_SAME_10:
1863     case WRITE_SAME_16:
1864         scsi_disk_emulate_write_same(r, r->iov.iov_base);
1865         break;
1866 
1867     default:
1868         abort();
1869     }
1870 }
1871 
1872 static int32_t scsi_disk_emulate_command(SCSIRequest *req, uint8_t *buf)
1873 {
1874     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
1875     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1876     uint64_t nb_sectors;
1877     uint8_t *outbuf;
1878     int buflen;
1879 
1880     switch (req->cmd.buf[0]) {
1881     case INQUIRY:
1882     case MODE_SENSE:
1883     case MODE_SENSE_10:
1884     case RESERVE:
1885     case RESERVE_10:
1886     case RELEASE:
1887     case RELEASE_10:
1888     case START_STOP:
1889     case ALLOW_MEDIUM_REMOVAL:
1890     case GET_CONFIGURATION:
1891     case GET_EVENT_STATUS_NOTIFICATION:
1892     case MECHANISM_STATUS:
1893     case REQUEST_SENSE:
1894         break;
1895 
1896     default:
1897         if (!blk_is_available(s->qdev.conf.blk)) {
1898             scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
1899             return 0;
1900         }
1901         break;
1902     }
1903 
1904     /*
1905      * FIXME: we shouldn't return anything bigger than 4k, but the code
1906      * requires the buffer to be as big as req->cmd.xfer in several
1907      * places.  So, do not allow CDBs with a very large ALLOCATION
1908      * LENGTH.  The real fix would be to modify scsi_read_data and
1909      * dma_buf_read, so that they return data beyond the buflen
1910      * as all zeros.
1911      */
1912     if (req->cmd.xfer > 65536) {
1913         goto illegal_request;
1914     }
1915     r->buflen = MAX(4096, req->cmd.xfer);
1916 
1917     if (!r->iov.iov_base) {
1918         r->iov.iov_base = blk_blockalign(s->qdev.conf.blk, r->buflen);
1919     }
1920 
1921     outbuf = r->iov.iov_base;
1922     memset(outbuf, 0, r->buflen);
1923     switch (req->cmd.buf[0]) {
1924     case TEST_UNIT_READY:
1925         assert(blk_is_available(s->qdev.conf.blk));
1926         break;
1927     case INQUIRY:
1928         buflen = scsi_disk_emulate_inquiry(req, outbuf);
1929         if (buflen < 0) {
1930             goto illegal_request;
1931         }
1932         break;
1933     case MODE_SENSE:
1934     case MODE_SENSE_10:
1935         buflen = scsi_disk_emulate_mode_sense(r, outbuf);
1936         if (buflen < 0) {
1937             goto illegal_request;
1938         }
1939         break;
1940     case READ_TOC:
1941         buflen = scsi_disk_emulate_read_toc(req, outbuf);
1942         if (buflen < 0) {
1943             goto illegal_request;
1944         }
1945         break;
1946     case RESERVE:
1947         if (req->cmd.buf[1] & 1) {
1948             goto illegal_request;
1949         }
1950         break;
1951     case RESERVE_10:
1952         if (req->cmd.buf[1] & 3) {
1953             goto illegal_request;
1954         }
1955         break;
1956     case RELEASE:
1957         if (req->cmd.buf[1] & 1) {
1958             goto illegal_request;
1959         }
1960         break;
1961     case RELEASE_10:
1962         if (req->cmd.buf[1] & 3) {
1963             goto illegal_request;
1964         }
1965         break;
1966     case START_STOP:
1967         if (scsi_disk_emulate_start_stop(r) < 0) {
1968             return 0;
1969         }
1970         break;
1971     case ALLOW_MEDIUM_REMOVAL:
1972         s->tray_locked = req->cmd.buf[4] & 1;
1973         blk_lock_medium(s->qdev.conf.blk, req->cmd.buf[4] & 1);
1974         break;
1975     case READ_CAPACITY_10:
1976         /* The normal LEN field for this command is zero.  */
1977         memset(outbuf, 0, 8);
1978         blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
1979         if (!nb_sectors) {
1980             scsi_check_condition(r, SENSE_CODE(LUN_NOT_READY));
1981             return 0;
1982         }
1983         if ((req->cmd.buf[8] & 1) == 0 && req->cmd.lba) {
1984             goto illegal_request;
1985         }
1986         nb_sectors /= s->qdev.blocksize / BDRV_SECTOR_SIZE;
1987         /* Returned value is the address of the last sector.  */
1988         nb_sectors--;
1989         /* Remember the new size for read/write sanity checking. */
1990         s->qdev.max_lba = nb_sectors;
1991         /* Clip to 2TB, instead of returning capacity modulo 2TB. */
1992         if (nb_sectors > UINT32_MAX) {
1993             nb_sectors = UINT32_MAX;
1994         }
1995         outbuf[0] = (nb_sectors >> 24) & 0xff;
1996         outbuf[1] = (nb_sectors >> 16) & 0xff;
1997         outbuf[2] = (nb_sectors >> 8) & 0xff;
1998         outbuf[3] = nb_sectors & 0xff;
1999         outbuf[4] = 0;
2000         outbuf[5] = 0;
2001         outbuf[6] = s->qdev.blocksize >> 8;
2002         outbuf[7] = 0;
2003         break;
2004     case REQUEST_SENSE:
2005         /* Just return "NO SENSE".  */
2006         buflen = scsi_convert_sense(NULL, 0, outbuf, r->buflen,
2007                                     (req->cmd.buf[1] & 1) == 0);
2008         if (buflen < 0) {
2009             goto illegal_request;
2010         }
2011         break;
2012     case MECHANISM_STATUS:
2013         buflen = scsi_emulate_mechanism_status(s, outbuf);
2014         if (buflen < 0) {
2015             goto illegal_request;
2016         }
2017         break;
2018     case GET_CONFIGURATION:
2019         buflen = scsi_get_configuration(s, outbuf);
2020         if (buflen < 0) {
2021             goto illegal_request;
2022         }
2023         break;
2024     case GET_EVENT_STATUS_NOTIFICATION:
2025         buflen = scsi_get_event_status_notification(s, r, outbuf);
2026         if (buflen < 0) {
2027             goto illegal_request;
2028         }
2029         break;
2030     case READ_DISC_INFORMATION:
2031         buflen = scsi_read_disc_information(s, r, outbuf);
2032         if (buflen < 0) {
2033             goto illegal_request;
2034         }
2035         break;
2036     case READ_DVD_STRUCTURE:
2037         buflen = scsi_read_dvd_structure(s, r, outbuf);
2038         if (buflen < 0) {
2039             goto illegal_request;
2040         }
2041         break;
2042     case SERVICE_ACTION_IN_16:
2043         /* Service Action In subcommands. */
2044         if ((req->cmd.buf[1] & 31) == SAI_READ_CAPACITY_16) {
2045             trace_scsi_disk_emulate_command_SAI_16();
2046             memset(outbuf, 0, req->cmd.xfer);
2047             blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
2048             if (!nb_sectors) {
2049                 scsi_check_condition(r, SENSE_CODE(LUN_NOT_READY));
2050                 return 0;
2051             }
2052             if ((req->cmd.buf[14] & 1) == 0 && req->cmd.lba) {
2053                 goto illegal_request;
2054             }
2055             nb_sectors /= s->qdev.blocksize / BDRV_SECTOR_SIZE;
2056             /* Returned value is the address of the last sector.  */
2057             nb_sectors--;
2058             /* Remember the new size for read/write sanity checking. */
2059             s->qdev.max_lba = nb_sectors;
2060             outbuf[0] = (nb_sectors >> 56) & 0xff;
2061             outbuf[1] = (nb_sectors >> 48) & 0xff;
2062             outbuf[2] = (nb_sectors >> 40) & 0xff;
2063             outbuf[3] = (nb_sectors >> 32) & 0xff;
2064             outbuf[4] = (nb_sectors >> 24) & 0xff;
2065             outbuf[5] = (nb_sectors >> 16) & 0xff;
2066             outbuf[6] = (nb_sectors >> 8) & 0xff;
2067             outbuf[7] = nb_sectors & 0xff;
2068             outbuf[8] = 0;
2069             outbuf[9] = 0;
2070             outbuf[10] = s->qdev.blocksize >> 8;
2071             outbuf[11] = 0;
2072             outbuf[12] = 0;
2073             outbuf[13] = get_physical_block_exp(&s->qdev.conf);
2074 
2075             /* set TPE bit if the format supports discard */
2076             if (s->qdev.conf.discard_granularity) {
2077                 outbuf[14] = 0x80;
2078             }
2079 
2080             /* Protection, exponent and lowest lba field left blank. */
2081             break;
2082         }
2083         trace_scsi_disk_emulate_command_SAI_unsupported();
2084         goto illegal_request;
2085     case SYNCHRONIZE_CACHE:
2086         /* The request is used as the AIO opaque value, so add a ref.  */
2087         scsi_req_ref(&r->req);
2088         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct, 0,
2089                          BLOCK_ACCT_FLUSH);
2090         r->req.aiocb = blk_aio_flush(s->qdev.conf.blk, scsi_aio_complete, r);
2091         return 0;
2092     case SEEK_10:
2093         trace_scsi_disk_emulate_command_SEEK_10(r->req.cmd.lba);
2094         if (r->req.cmd.lba > s->qdev.max_lba) {
2095             goto illegal_lba;
2096         }
2097         break;
2098     case MODE_SELECT:
2099         trace_scsi_disk_emulate_command_MODE_SELECT(r->req.cmd.xfer);
2100         break;
2101     case MODE_SELECT_10:
2102         trace_scsi_disk_emulate_command_MODE_SELECT_10(r->req.cmd.xfer);
2103         break;
2104     case UNMAP:
2105         trace_scsi_disk_emulate_command_UNMAP(r->req.cmd.xfer);
2106         break;
2107     case VERIFY_10:
2108     case VERIFY_12:
2109     case VERIFY_16:
2110         trace_scsi_disk_emulate_command_VERIFY((req->cmd.buf[1] >> 1) & 3);
2111         if (req->cmd.buf[1] & 6) {
2112             goto illegal_request;
2113         }
2114         break;
2115     case WRITE_SAME_10:
2116     case WRITE_SAME_16:
2117         trace_scsi_disk_emulate_command_WRITE_SAME(
2118                 req->cmd.buf[0] == WRITE_SAME_10 ? 10 : 16, r->req.cmd.xfer);
2119         break;
2120     default:
2121         trace_scsi_disk_emulate_command_UNKNOWN(buf[0],
2122                                                 scsi_command_name(buf[0]));
2123         scsi_check_condition(r, SENSE_CODE(INVALID_OPCODE));
2124         return 0;
2125     }
2126     assert(!r->req.aiocb);
2127     r->iov.iov_len = MIN(r->buflen, req->cmd.xfer);
2128     if (r->iov.iov_len == 0) {
2129         scsi_req_complete(&r->req, GOOD);
2130     }
2131     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
2132         assert(r->iov.iov_len == req->cmd.xfer);
2133         return -r->iov.iov_len;
2134     } else {
2135         return r->iov.iov_len;
2136     }
2137 
2138 illegal_request:
2139     if (r->req.status == -1) {
2140         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
2141     }
2142     return 0;
2143 
2144 illegal_lba:
2145     scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
2146     return 0;
2147 }
2148 
2149 /* Execute a scsi command.  Returns the length of the data expected by the
2150    command.  This will be Positive for data transfers from the device
2151    (eg. disk reads), negative for transfers to the device (eg. disk writes),
2152    and zero if the command does not transfer any data.  */
2153 
2154 static int32_t scsi_disk_dma_command(SCSIRequest *req, uint8_t *buf)
2155 {
2156     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
2157     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
2158     SCSIDiskClass *sdc = (SCSIDiskClass *) object_get_class(OBJECT(s));
2159     uint32_t len;
2160     uint8_t command;
2161 
2162     command = buf[0];
2163 
2164     if (!blk_is_available(s->qdev.conf.blk)) {
2165         scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
2166         return 0;
2167     }
2168 
2169     len = scsi_data_cdb_xfer(r->req.cmd.buf);
2170     switch (command) {
2171     case READ_6:
2172     case READ_10:
2173     case READ_12:
2174     case READ_16:
2175         trace_scsi_disk_dma_command_READ(r->req.cmd.lba, len);
2176         /* Protection information is not supported.  For SCSI versions 2 and
2177          * older (as determined by snooping the guest's INQUIRY commands),
2178          * there is no RD/WR/VRPROTECT, so skip this check in these versions.
2179          */
2180         if (s->qdev.scsi_version > 2 && (r->req.cmd.buf[1] & 0xe0)) {
2181             goto illegal_request;
2182         }
2183         if (!check_lba_range(s, r->req.cmd.lba, len)) {
2184             goto illegal_lba;
2185         }
2186         r->sector = r->req.cmd.lba * (s->qdev.blocksize / BDRV_SECTOR_SIZE);
2187         r->sector_count = len * (s->qdev.blocksize / BDRV_SECTOR_SIZE);
2188         break;
2189     case WRITE_6:
2190     case WRITE_10:
2191     case WRITE_12:
2192     case WRITE_16:
2193     case WRITE_VERIFY_10:
2194     case WRITE_VERIFY_12:
2195     case WRITE_VERIFY_16:
2196         if (!blk_is_writable(s->qdev.conf.blk)) {
2197             scsi_check_condition(r, SENSE_CODE(WRITE_PROTECTED));
2198             return 0;
2199         }
2200         trace_scsi_disk_dma_command_WRITE(
2201                 (command & 0xe) == 0xe ? "And Verify " : "",
2202                 r->req.cmd.lba, len);
2203         /* fall through */
2204     case VERIFY_10:
2205     case VERIFY_12:
2206     case VERIFY_16:
2207         /* We get here only for BYTCHK == 0x01 and only for scsi-block.
2208          * As far as DMA is concerned, we can treat it the same as a write;
2209          * scsi_block_do_sgio will send VERIFY commands.
2210          */
2211         if (s->qdev.scsi_version > 2 && (r->req.cmd.buf[1] & 0xe0)) {
2212             goto illegal_request;
2213         }
2214         if (!check_lba_range(s, r->req.cmd.lba, len)) {
2215             goto illegal_lba;
2216         }
2217         r->sector = r->req.cmd.lba * (s->qdev.blocksize / BDRV_SECTOR_SIZE);
2218         r->sector_count = len * (s->qdev.blocksize / BDRV_SECTOR_SIZE);
2219         break;
2220     default:
2221         abort();
2222     illegal_request:
2223         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
2224         return 0;
2225     illegal_lba:
2226         scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
2227         return 0;
2228     }
2229     r->need_fua_emulation = sdc->need_fua_emulation(&r->req.cmd);
2230     if (r->sector_count == 0) {
2231         scsi_req_complete(&r->req, GOOD);
2232     }
2233     assert(r->iov.iov_len == 0);
2234     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
2235         return -r->sector_count * BDRV_SECTOR_SIZE;
2236     } else {
2237         return r->sector_count * BDRV_SECTOR_SIZE;
2238     }
2239 }
2240 
2241 static void scsi_disk_reset(DeviceState *dev)
2242 {
2243     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev.qdev, dev);
2244     uint64_t nb_sectors;
2245 
2246     scsi_device_purge_requests(&s->qdev, SENSE_CODE(RESET));
2247 
2248     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
2249     nb_sectors /= s->qdev.blocksize / BDRV_SECTOR_SIZE;
2250     if (nb_sectors) {
2251         nb_sectors--;
2252     }
2253     s->qdev.max_lba = nb_sectors;
2254     /* reset tray statuses */
2255     s->tray_locked = 0;
2256     s->tray_open = 0;
2257 
2258     s->qdev.scsi_version = s->qdev.default_scsi_version;
2259 }
2260 
2261 static void scsi_disk_resize_cb(void *opaque)
2262 {
2263     SCSIDiskState *s = opaque;
2264 
2265     /* SPC lists this sense code as available only for
2266      * direct-access devices.
2267      */
2268     if (s->qdev.type == TYPE_DISK) {
2269         scsi_device_report_change(&s->qdev, SENSE_CODE(CAPACITY_CHANGED));
2270     }
2271 }
2272 
2273 static void scsi_cd_change_media_cb(void *opaque, bool load, Error **errp)
2274 {
2275     SCSIDiskState *s = opaque;
2276 
2277     /*
2278      * When a CD gets changed, we have to report an ejected state and
2279      * then a loaded state to guests so that they detect tray
2280      * open/close and media change events.  Guests that do not use
2281      * GET_EVENT_STATUS_NOTIFICATION to detect such tray open/close
2282      * states rely on this behavior.
2283      *
2284      * media_changed governs the state machine used for unit attention
2285      * report.  media_event is used by GET EVENT STATUS NOTIFICATION.
2286      */
2287     s->media_changed = load;
2288     s->tray_open = !load;
2289     scsi_device_set_ua(&s->qdev, SENSE_CODE(UNIT_ATTENTION_NO_MEDIUM));
2290     s->media_event = true;
2291     s->eject_request = false;
2292 }
2293 
2294 static void scsi_cd_eject_request_cb(void *opaque, bool force)
2295 {
2296     SCSIDiskState *s = opaque;
2297 
2298     s->eject_request = true;
2299     if (force) {
2300         s->tray_locked = false;
2301     }
2302 }
2303 
2304 static bool scsi_cd_is_tray_open(void *opaque)
2305 {
2306     return ((SCSIDiskState *)opaque)->tray_open;
2307 }
2308 
2309 static bool scsi_cd_is_medium_locked(void *opaque)
2310 {
2311     return ((SCSIDiskState *)opaque)->tray_locked;
2312 }
2313 
2314 static const BlockDevOps scsi_disk_removable_block_ops = {
2315     .change_media_cb = scsi_cd_change_media_cb,
2316     .eject_request_cb = scsi_cd_eject_request_cb,
2317     .is_tray_open = scsi_cd_is_tray_open,
2318     .is_medium_locked = scsi_cd_is_medium_locked,
2319 
2320     .resize_cb = scsi_disk_resize_cb,
2321 };
2322 
2323 static const BlockDevOps scsi_disk_block_ops = {
2324     .resize_cb = scsi_disk_resize_cb,
2325 };
2326 
2327 static void scsi_disk_unit_attention_reported(SCSIDevice *dev)
2328 {
2329     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2330     if (s->media_changed) {
2331         s->media_changed = false;
2332         scsi_device_set_ua(&s->qdev, SENSE_CODE(MEDIUM_CHANGED));
2333     }
2334 }
2335 
2336 static void scsi_realize(SCSIDevice *dev, Error **errp)
2337 {
2338     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2339     bool read_only;
2340 
2341     if (!s->qdev.conf.blk) {
2342         error_setg(errp, "drive property not set");
2343         return;
2344     }
2345 
2346     if (!(s->features & (1 << SCSI_DISK_F_REMOVABLE)) &&
2347         !blk_is_inserted(s->qdev.conf.blk)) {
2348         error_setg(errp, "Device needs media, but drive is empty");
2349         return;
2350     }
2351 
2352     if (!blkconf_blocksizes(&s->qdev.conf, errp)) {
2353         return;
2354     }
2355 
2356     if (blk_get_aio_context(s->qdev.conf.blk) != qemu_get_aio_context() &&
2357         !s->qdev.hba_supports_iothread)
2358     {
2359         error_setg(errp, "HBA does not support iothreads");
2360         return;
2361     }
2362 
2363     if (dev->type == TYPE_DISK) {
2364         if (!blkconf_geometry(&dev->conf, NULL, 65535, 255, 255, errp)) {
2365             return;
2366         }
2367     }
2368 
2369     read_only = !blk_supports_write_perm(s->qdev.conf.blk);
2370     if (dev->type == TYPE_ROM) {
2371         read_only = true;
2372     }
2373 
2374     if (!blkconf_apply_backend_options(&dev->conf, read_only,
2375                                        dev->type == TYPE_DISK, errp)) {
2376         return;
2377     }
2378 
2379     if (s->qdev.conf.discard_granularity == -1) {
2380         s->qdev.conf.discard_granularity =
2381             MAX(s->qdev.conf.logical_block_size, DEFAULT_DISCARD_GRANULARITY);
2382     }
2383 
2384     if (!s->version) {
2385         s->version = g_strdup(qemu_hw_version());
2386     }
2387     if (!s->vendor) {
2388         s->vendor = g_strdup("QEMU");
2389     }
2390     if (!s->device_id) {
2391         if (s->serial) {
2392             s->device_id = g_strdup_printf("%.20s", s->serial);
2393         } else {
2394             const char *str = blk_name(s->qdev.conf.blk);
2395             if (str && *str) {
2396                 s->device_id = g_strdup(str);
2397             }
2398         }
2399     }
2400 
2401     if (blk_is_sg(s->qdev.conf.blk)) {
2402         error_setg(errp, "unwanted /dev/sg*");
2403         return;
2404     }
2405 
2406     if ((s->features & (1 << SCSI_DISK_F_REMOVABLE)) &&
2407             !(s->features & (1 << SCSI_DISK_F_NO_REMOVABLE_DEVOPS))) {
2408         blk_set_dev_ops(s->qdev.conf.blk, &scsi_disk_removable_block_ops, s);
2409     } else {
2410         blk_set_dev_ops(s->qdev.conf.blk, &scsi_disk_block_ops, s);
2411     }
2412     blk_set_guest_block_size(s->qdev.conf.blk, s->qdev.blocksize);
2413 
2414     blk_iostatus_enable(s->qdev.conf.blk);
2415 
2416     add_boot_device_lchs(&dev->qdev, NULL,
2417                          dev->conf.lcyls,
2418                          dev->conf.lheads,
2419                          dev->conf.lsecs);
2420 }
2421 
2422 static void scsi_unrealize(SCSIDevice *dev)
2423 {
2424     del_boot_device_lchs(&dev->qdev, NULL);
2425 }
2426 
2427 static void scsi_hd_realize(SCSIDevice *dev, Error **errp)
2428 {
2429     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2430     AioContext *ctx = NULL;
2431     /* can happen for devices without drive. The error message for missing
2432      * backend will be issued in scsi_realize
2433      */
2434     if (s->qdev.conf.blk) {
2435         ctx = blk_get_aio_context(s->qdev.conf.blk);
2436         aio_context_acquire(ctx);
2437         if (!blkconf_blocksizes(&s->qdev.conf, errp)) {
2438             goto out;
2439         }
2440     }
2441     s->qdev.blocksize = s->qdev.conf.logical_block_size;
2442     s->qdev.type = TYPE_DISK;
2443     if (!s->product) {
2444         s->product = g_strdup("QEMU HARDDISK");
2445     }
2446     scsi_realize(&s->qdev, errp);
2447 out:
2448     if (ctx) {
2449         aio_context_release(ctx);
2450     }
2451 }
2452 
2453 static void scsi_cd_realize(SCSIDevice *dev, Error **errp)
2454 {
2455     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2456     AioContext *ctx;
2457     int ret;
2458 
2459     if (!dev->conf.blk) {
2460         /* Anonymous BlockBackend for an empty drive. As we put it into
2461          * dev->conf, qdev takes care of detaching on unplug. */
2462         dev->conf.blk = blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL);
2463         ret = blk_attach_dev(dev->conf.blk, &dev->qdev);
2464         assert(ret == 0);
2465     }
2466 
2467     ctx = blk_get_aio_context(dev->conf.blk);
2468     aio_context_acquire(ctx);
2469     s->qdev.blocksize = 2048;
2470     s->qdev.type = TYPE_ROM;
2471     s->features |= 1 << SCSI_DISK_F_REMOVABLE;
2472     if (!s->product) {
2473         s->product = g_strdup("QEMU CD-ROM");
2474     }
2475     scsi_realize(&s->qdev, errp);
2476     aio_context_release(ctx);
2477 }
2478 
2479 static void scsi_disk_realize(SCSIDevice *dev, Error **errp)
2480 {
2481     DriveInfo *dinfo;
2482     Error *local_err = NULL;
2483 
2484     warn_report("'scsi-disk' is deprecated, "
2485                 "please use 'scsi-hd' or 'scsi-cd' instead");
2486 
2487     if (!dev->conf.blk) {
2488         scsi_realize(dev, &local_err);
2489         assert(local_err);
2490         error_propagate(errp, local_err);
2491         return;
2492     }
2493 
2494     dinfo = blk_legacy_dinfo(dev->conf.blk);
2495     if (dinfo && dinfo->media_cd) {
2496         scsi_cd_realize(dev, errp);
2497     } else {
2498         scsi_hd_realize(dev, errp);
2499     }
2500 }
2501 
2502 static const SCSIReqOps scsi_disk_emulate_reqops = {
2503     .size         = sizeof(SCSIDiskReq),
2504     .free_req     = scsi_free_request,
2505     .send_command = scsi_disk_emulate_command,
2506     .read_data    = scsi_disk_emulate_read_data,
2507     .write_data   = scsi_disk_emulate_write_data,
2508     .get_buf      = scsi_get_buf,
2509 };
2510 
2511 static const SCSIReqOps scsi_disk_dma_reqops = {
2512     .size         = sizeof(SCSIDiskReq),
2513     .free_req     = scsi_free_request,
2514     .send_command = scsi_disk_dma_command,
2515     .read_data    = scsi_read_data,
2516     .write_data   = scsi_write_data,
2517     .get_buf      = scsi_get_buf,
2518     .load_request = scsi_disk_load_request,
2519     .save_request = scsi_disk_save_request,
2520 };
2521 
2522 static const SCSIReqOps *const scsi_disk_reqops_dispatch[256] = {
2523     [TEST_UNIT_READY]                 = &scsi_disk_emulate_reqops,
2524     [INQUIRY]                         = &scsi_disk_emulate_reqops,
2525     [MODE_SENSE]                      = &scsi_disk_emulate_reqops,
2526     [MODE_SENSE_10]                   = &scsi_disk_emulate_reqops,
2527     [START_STOP]                      = &scsi_disk_emulate_reqops,
2528     [ALLOW_MEDIUM_REMOVAL]            = &scsi_disk_emulate_reqops,
2529     [READ_CAPACITY_10]                = &scsi_disk_emulate_reqops,
2530     [READ_TOC]                        = &scsi_disk_emulate_reqops,
2531     [READ_DVD_STRUCTURE]              = &scsi_disk_emulate_reqops,
2532     [READ_DISC_INFORMATION]           = &scsi_disk_emulate_reqops,
2533     [GET_CONFIGURATION]               = &scsi_disk_emulate_reqops,
2534     [GET_EVENT_STATUS_NOTIFICATION]   = &scsi_disk_emulate_reqops,
2535     [MECHANISM_STATUS]                = &scsi_disk_emulate_reqops,
2536     [SERVICE_ACTION_IN_16]            = &scsi_disk_emulate_reqops,
2537     [REQUEST_SENSE]                   = &scsi_disk_emulate_reqops,
2538     [SYNCHRONIZE_CACHE]               = &scsi_disk_emulate_reqops,
2539     [SEEK_10]                         = &scsi_disk_emulate_reqops,
2540     [MODE_SELECT]                     = &scsi_disk_emulate_reqops,
2541     [MODE_SELECT_10]                  = &scsi_disk_emulate_reqops,
2542     [UNMAP]                           = &scsi_disk_emulate_reqops,
2543     [WRITE_SAME_10]                   = &scsi_disk_emulate_reqops,
2544     [WRITE_SAME_16]                   = &scsi_disk_emulate_reqops,
2545     [VERIFY_10]                       = &scsi_disk_emulate_reqops,
2546     [VERIFY_12]                       = &scsi_disk_emulate_reqops,
2547     [VERIFY_16]                       = &scsi_disk_emulate_reqops,
2548 
2549     [READ_6]                          = &scsi_disk_dma_reqops,
2550     [READ_10]                         = &scsi_disk_dma_reqops,
2551     [READ_12]                         = &scsi_disk_dma_reqops,
2552     [READ_16]                         = &scsi_disk_dma_reqops,
2553     [WRITE_6]                         = &scsi_disk_dma_reqops,
2554     [WRITE_10]                        = &scsi_disk_dma_reqops,
2555     [WRITE_12]                        = &scsi_disk_dma_reqops,
2556     [WRITE_16]                        = &scsi_disk_dma_reqops,
2557     [WRITE_VERIFY_10]                 = &scsi_disk_dma_reqops,
2558     [WRITE_VERIFY_12]                 = &scsi_disk_dma_reqops,
2559     [WRITE_VERIFY_16]                 = &scsi_disk_dma_reqops,
2560 };
2561 
2562 static void scsi_disk_new_request_dump(uint32_t lun, uint32_t tag, uint8_t *buf)
2563 {
2564     int i;
2565     int len = scsi_cdb_length(buf);
2566     char *line_buffer, *p;
2567 
2568     line_buffer = g_malloc(len * 5 + 1);
2569 
2570     for (i = 0, p = line_buffer; i < len; i++) {
2571         p += sprintf(p, " 0x%02x", buf[i]);
2572     }
2573     trace_scsi_disk_new_request(lun, tag, line_buffer);
2574 
2575     g_free(line_buffer);
2576 }
2577 
2578 static SCSIRequest *scsi_new_request(SCSIDevice *d, uint32_t tag, uint32_t lun,
2579                                      uint8_t *buf, void *hba_private)
2580 {
2581     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, d);
2582     SCSIRequest *req;
2583     const SCSIReqOps *ops;
2584     uint8_t command;
2585 
2586     command = buf[0];
2587     ops = scsi_disk_reqops_dispatch[command];
2588     if (!ops) {
2589         ops = &scsi_disk_emulate_reqops;
2590     }
2591     req = scsi_req_alloc(ops, &s->qdev, tag, lun, hba_private);
2592 
2593     if (trace_event_get_state_backends(TRACE_SCSI_DISK_NEW_REQUEST)) {
2594         scsi_disk_new_request_dump(lun, tag, buf);
2595     }
2596 
2597     return req;
2598 }
2599 
2600 #ifdef __linux__
2601 static int get_device_type(SCSIDiskState *s)
2602 {
2603     uint8_t cmd[16];
2604     uint8_t buf[36];
2605     int ret;
2606 
2607     memset(cmd, 0, sizeof(cmd));
2608     memset(buf, 0, sizeof(buf));
2609     cmd[0] = INQUIRY;
2610     cmd[4] = sizeof(buf);
2611 
2612     ret = scsi_SG_IO_FROM_DEV(s->qdev.conf.blk, cmd, sizeof(cmd),
2613                               buf, sizeof(buf), s->qdev.io_timeout);
2614     if (ret < 0) {
2615         return -1;
2616     }
2617     s->qdev.type = buf[0];
2618     if (buf[1] & 0x80) {
2619         s->features |= 1 << SCSI_DISK_F_REMOVABLE;
2620     }
2621     return 0;
2622 }
2623 
2624 static void scsi_block_realize(SCSIDevice *dev, Error **errp)
2625 {
2626     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2627     AioContext *ctx;
2628     int sg_version;
2629     int rc;
2630 
2631     if (!s->qdev.conf.blk) {
2632         error_setg(errp, "drive property not set");
2633         return;
2634     }
2635 
2636     if (s->rotation_rate) {
2637         error_report_once("rotation_rate is specified for scsi-block but is "
2638                           "not implemented. This option is deprecated and will "
2639                           "be removed in a future version");
2640     }
2641 
2642     ctx = blk_get_aio_context(s->qdev.conf.blk);
2643     aio_context_acquire(ctx);
2644 
2645     /* check we are using a driver managing SG_IO (version 3 and after) */
2646     rc = blk_ioctl(s->qdev.conf.blk, SG_GET_VERSION_NUM, &sg_version);
2647     if (rc < 0) {
2648         error_setg_errno(errp, -rc, "cannot get SG_IO version number");
2649         if (rc != -EPERM) {
2650             error_append_hint(errp, "Is this a SCSI device?\n");
2651         }
2652         goto out;
2653     }
2654     if (sg_version < 30000) {
2655         error_setg(errp, "scsi generic interface too old");
2656         goto out;
2657     }
2658 
2659     /* get device type from INQUIRY data */
2660     rc = get_device_type(s);
2661     if (rc < 0) {
2662         error_setg(errp, "INQUIRY failed");
2663         goto out;
2664     }
2665 
2666     /* Make a guess for the block size, we'll fix it when the guest sends.
2667      * READ CAPACITY.  If they don't, they likely would assume these sizes
2668      * anyway. (TODO: check in /sys).
2669      */
2670     if (s->qdev.type == TYPE_ROM || s->qdev.type == TYPE_WORM) {
2671         s->qdev.blocksize = 2048;
2672     } else {
2673         s->qdev.blocksize = 512;
2674     }
2675 
2676     /* Makes the scsi-block device not removable by using HMP and QMP eject
2677      * command.
2678      */
2679     s->features |= (1 << SCSI_DISK_F_NO_REMOVABLE_DEVOPS);
2680 
2681     scsi_realize(&s->qdev, errp);
2682     scsi_generic_read_device_inquiry(&s->qdev);
2683 
2684 out:
2685     aio_context_release(ctx);
2686 }
2687 
2688 typedef struct SCSIBlockReq {
2689     SCSIDiskReq req;
2690     sg_io_hdr_t io_header;
2691 
2692     /* Selected bytes of the original CDB, copied into our own CDB.  */
2693     uint8_t cmd, cdb1, group_number;
2694 
2695     /* CDB passed to SG_IO.  */
2696     uint8_t cdb[16];
2697     BlockCompletionFunc *cb;
2698     void *cb_opaque;
2699 } SCSIBlockReq;
2700 
2701 static void scsi_block_sgio_complete(void *opaque, int ret)
2702 {
2703     SCSIBlockReq *req = (SCSIBlockReq *)opaque;
2704     SCSIDiskReq *r = &req->req;
2705     SCSIDevice *s = r->req.dev;
2706     sg_io_hdr_t *io_hdr = &req->io_header;
2707 
2708     if (ret == 0) {
2709         if (io_hdr->host_status != SCSI_HOST_OK) {
2710             scsi_req_complete_failed(&r->req, io_hdr->host_status);
2711             scsi_req_unref(&r->req);
2712             return;
2713         }
2714 
2715         if (io_hdr->driver_status & SG_ERR_DRIVER_TIMEOUT) {
2716             ret = BUSY;
2717         } else {
2718             ret = io_hdr->status;
2719         }
2720 
2721         if (ret > 0) {
2722             aio_context_acquire(blk_get_aio_context(s->conf.blk));
2723             if (scsi_handle_rw_error(r, ret, true)) {
2724                 aio_context_release(blk_get_aio_context(s->conf.blk));
2725                 scsi_req_unref(&r->req);
2726                 return;
2727             }
2728             aio_context_release(blk_get_aio_context(s->conf.blk));
2729 
2730             /* Ignore error.  */
2731             ret = 0;
2732         }
2733     }
2734 
2735     req->cb(req->cb_opaque, ret);
2736 }
2737 
2738 static BlockAIOCB *scsi_block_do_sgio(SCSIBlockReq *req,
2739                                       int64_t offset, QEMUIOVector *iov,
2740                                       int direction,
2741                                       BlockCompletionFunc *cb, void *opaque)
2742 {
2743     sg_io_hdr_t *io_header = &req->io_header;
2744     SCSIDiskReq *r = &req->req;
2745     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
2746     int nb_logical_blocks;
2747     uint64_t lba;
2748     BlockAIOCB *aiocb;
2749 
2750     /* This is not supported yet.  It can only happen if the guest does
2751      * reads and writes that are not aligned to one logical sectors
2752      * _and_ cover multiple MemoryRegions.
2753      */
2754     assert(offset % s->qdev.blocksize == 0);
2755     assert(iov->size % s->qdev.blocksize == 0);
2756 
2757     io_header->interface_id = 'S';
2758 
2759     /* The data transfer comes from the QEMUIOVector.  */
2760     io_header->dxfer_direction = direction;
2761     io_header->dxfer_len = iov->size;
2762     io_header->dxferp = (void *)iov->iov;
2763     io_header->iovec_count = iov->niov;
2764     assert(io_header->iovec_count == iov->niov); /* no overflow! */
2765 
2766     /* Build a new CDB with the LBA and length patched in, in case
2767      * DMA helpers split the transfer in multiple segments.  Do not
2768      * build a CDB smaller than what the guest wanted, and only build
2769      * a larger one if strictly necessary.
2770      */
2771     io_header->cmdp = req->cdb;
2772     lba = offset / s->qdev.blocksize;
2773     nb_logical_blocks = io_header->dxfer_len / s->qdev.blocksize;
2774 
2775     if ((req->cmd >> 5) == 0 && lba <= 0x1ffff) {
2776         /* 6-byte CDB */
2777         stl_be_p(&req->cdb[0], lba | (req->cmd << 24));
2778         req->cdb[4] = nb_logical_blocks;
2779         req->cdb[5] = 0;
2780         io_header->cmd_len = 6;
2781     } else if ((req->cmd >> 5) <= 1 && lba <= 0xffffffffULL) {
2782         /* 10-byte CDB */
2783         req->cdb[0] = (req->cmd & 0x1f) | 0x20;
2784         req->cdb[1] = req->cdb1;
2785         stl_be_p(&req->cdb[2], lba);
2786         req->cdb[6] = req->group_number;
2787         stw_be_p(&req->cdb[7], nb_logical_blocks);
2788         req->cdb[9] = 0;
2789         io_header->cmd_len = 10;
2790     } else if ((req->cmd >> 5) != 4 && lba <= 0xffffffffULL) {
2791         /* 12-byte CDB */
2792         req->cdb[0] = (req->cmd & 0x1f) | 0xA0;
2793         req->cdb[1] = req->cdb1;
2794         stl_be_p(&req->cdb[2], lba);
2795         stl_be_p(&req->cdb[6], nb_logical_blocks);
2796         req->cdb[10] = req->group_number;
2797         req->cdb[11] = 0;
2798         io_header->cmd_len = 12;
2799     } else {
2800         /* 16-byte CDB */
2801         req->cdb[0] = (req->cmd & 0x1f) | 0x80;
2802         req->cdb[1] = req->cdb1;
2803         stq_be_p(&req->cdb[2], lba);
2804         stl_be_p(&req->cdb[10], nb_logical_blocks);
2805         req->cdb[14] = req->group_number;
2806         req->cdb[15] = 0;
2807         io_header->cmd_len = 16;
2808     }
2809 
2810     /* The rest is as in scsi-generic.c.  */
2811     io_header->mx_sb_len = sizeof(r->req.sense);
2812     io_header->sbp = r->req.sense;
2813     io_header->timeout = s->qdev.io_timeout * 1000;
2814     io_header->usr_ptr = r;
2815     io_header->flags |= SG_FLAG_DIRECT_IO;
2816     req->cb = cb;
2817     req->cb_opaque = opaque;
2818     trace_scsi_disk_aio_sgio_command(r->req.tag, req->cdb[0], lba,
2819                                      nb_logical_blocks, io_header->timeout);
2820     aiocb = blk_aio_ioctl(s->qdev.conf.blk, SG_IO, io_header, scsi_block_sgio_complete, req);
2821     assert(aiocb != NULL);
2822     return aiocb;
2823 }
2824 
2825 static bool scsi_block_no_fua(SCSICommand *cmd)
2826 {
2827     return false;
2828 }
2829 
2830 static BlockAIOCB *scsi_block_dma_readv(int64_t offset,
2831                                         QEMUIOVector *iov,
2832                                         BlockCompletionFunc *cb, void *cb_opaque,
2833                                         void *opaque)
2834 {
2835     SCSIBlockReq *r = opaque;
2836     return scsi_block_do_sgio(r, offset, iov,
2837                               SG_DXFER_FROM_DEV, cb, cb_opaque);
2838 }
2839 
2840 static BlockAIOCB *scsi_block_dma_writev(int64_t offset,
2841                                          QEMUIOVector *iov,
2842                                          BlockCompletionFunc *cb, void *cb_opaque,
2843                                          void *opaque)
2844 {
2845     SCSIBlockReq *r = opaque;
2846     return scsi_block_do_sgio(r, offset, iov,
2847                               SG_DXFER_TO_DEV, cb, cb_opaque);
2848 }
2849 
2850 static bool scsi_block_is_passthrough(SCSIDiskState *s, uint8_t *buf)
2851 {
2852     switch (buf[0]) {
2853     case VERIFY_10:
2854     case VERIFY_12:
2855     case VERIFY_16:
2856         /* Check if BYTCHK == 0x01 (data-out buffer contains data
2857          * for the number of logical blocks specified in the length
2858          * field).  For other modes, do not use scatter/gather operation.
2859          */
2860         if ((buf[1] & 6) == 2) {
2861             return false;
2862         }
2863         break;
2864 
2865     case READ_6:
2866     case READ_10:
2867     case READ_12:
2868     case READ_16:
2869     case WRITE_6:
2870     case WRITE_10:
2871     case WRITE_12:
2872     case WRITE_16:
2873     case WRITE_VERIFY_10:
2874     case WRITE_VERIFY_12:
2875     case WRITE_VERIFY_16:
2876         /* MMC writing cannot be done via DMA helpers, because it sometimes
2877          * involves writing beyond the maximum LBA or to negative LBA (lead-in).
2878          * We might use scsi_block_dma_reqops as long as no writing commands are
2879          * seen, but performance usually isn't paramount on optical media.  So,
2880          * just make scsi-block operate the same as scsi-generic for them.
2881          */
2882         if (s->qdev.type != TYPE_ROM) {
2883             return false;
2884         }
2885         break;
2886 
2887     default:
2888         break;
2889     }
2890 
2891     return true;
2892 }
2893 
2894 
2895 static int32_t scsi_block_dma_command(SCSIRequest *req, uint8_t *buf)
2896 {
2897     SCSIBlockReq *r = (SCSIBlockReq *)req;
2898     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
2899 
2900     r->cmd = req->cmd.buf[0];
2901     switch (r->cmd >> 5) {
2902     case 0:
2903         /* 6-byte CDB.  */
2904         r->cdb1 = r->group_number = 0;
2905         break;
2906     case 1:
2907         /* 10-byte CDB.  */
2908         r->cdb1 = req->cmd.buf[1];
2909         r->group_number = req->cmd.buf[6];
2910         break;
2911     case 4:
2912         /* 12-byte CDB.  */
2913         r->cdb1 = req->cmd.buf[1];
2914         r->group_number = req->cmd.buf[10];
2915         break;
2916     case 5:
2917         /* 16-byte CDB.  */
2918         r->cdb1 = req->cmd.buf[1];
2919         r->group_number = req->cmd.buf[14];
2920         break;
2921     default:
2922         abort();
2923     }
2924 
2925     /* Protection information is not supported.  For SCSI versions 2 and
2926      * older (as determined by snooping the guest's INQUIRY commands),
2927      * there is no RD/WR/VRPROTECT, so skip this check in these versions.
2928      */
2929     if (s->qdev.scsi_version > 2 && (req->cmd.buf[1] & 0xe0)) {
2930         scsi_check_condition(&r->req, SENSE_CODE(INVALID_FIELD));
2931         return 0;
2932     }
2933 
2934     return scsi_disk_dma_command(req, buf);
2935 }
2936 
2937 static const SCSIReqOps scsi_block_dma_reqops = {
2938     .size         = sizeof(SCSIBlockReq),
2939     .free_req     = scsi_free_request,
2940     .send_command = scsi_block_dma_command,
2941     .read_data    = scsi_read_data,
2942     .write_data   = scsi_write_data,
2943     .get_buf      = scsi_get_buf,
2944     .load_request = scsi_disk_load_request,
2945     .save_request = scsi_disk_save_request,
2946 };
2947 
2948 static SCSIRequest *scsi_block_new_request(SCSIDevice *d, uint32_t tag,
2949                                            uint32_t lun, uint8_t *buf,
2950                                            void *hba_private)
2951 {
2952     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, d);
2953 
2954     if (scsi_block_is_passthrough(s, buf)) {
2955         return scsi_req_alloc(&scsi_generic_req_ops, &s->qdev, tag, lun,
2956                               hba_private);
2957     } else {
2958         return scsi_req_alloc(&scsi_block_dma_reqops, &s->qdev, tag, lun,
2959                               hba_private);
2960     }
2961 }
2962 
2963 static int scsi_block_parse_cdb(SCSIDevice *d, SCSICommand *cmd,
2964                                   uint8_t *buf, void *hba_private)
2965 {
2966     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, d);
2967 
2968     if (scsi_block_is_passthrough(s, buf)) {
2969         return scsi_bus_parse_cdb(&s->qdev, cmd, buf, hba_private);
2970     } else {
2971         return scsi_req_parse_cdb(&s->qdev, cmd, buf);
2972     }
2973 }
2974 
2975 static void scsi_block_update_sense(SCSIRequest *req)
2976 {
2977     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
2978     SCSIBlockReq *br = DO_UPCAST(SCSIBlockReq, req, r);
2979     r->req.sense_len = MIN(br->io_header.sb_len_wr, sizeof(r->req.sense));
2980 }
2981 #endif
2982 
2983 static
2984 BlockAIOCB *scsi_dma_readv(int64_t offset, QEMUIOVector *iov,
2985                            BlockCompletionFunc *cb, void *cb_opaque,
2986                            void *opaque)
2987 {
2988     SCSIDiskReq *r = opaque;
2989     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
2990     return blk_aio_preadv(s->qdev.conf.blk, offset, iov, 0, cb, cb_opaque);
2991 }
2992 
2993 static
2994 BlockAIOCB *scsi_dma_writev(int64_t offset, QEMUIOVector *iov,
2995                             BlockCompletionFunc *cb, void *cb_opaque,
2996                             void *opaque)
2997 {
2998     SCSIDiskReq *r = opaque;
2999     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
3000     return blk_aio_pwritev(s->qdev.conf.blk, offset, iov, 0, cb, cb_opaque);
3001 }
3002 
3003 static void scsi_disk_base_class_initfn(ObjectClass *klass, void *data)
3004 {
3005     DeviceClass *dc = DEVICE_CLASS(klass);
3006     SCSIDiskClass *sdc = SCSI_DISK_BASE_CLASS(klass);
3007 
3008     dc->fw_name = "disk";
3009     dc->reset = scsi_disk_reset;
3010     sdc->dma_readv = scsi_dma_readv;
3011     sdc->dma_writev = scsi_dma_writev;
3012     sdc->need_fua_emulation = scsi_is_cmd_fua;
3013 }
3014 
3015 static const TypeInfo scsi_disk_base_info = {
3016     .name          = TYPE_SCSI_DISK_BASE,
3017     .parent        = TYPE_SCSI_DEVICE,
3018     .class_init    = scsi_disk_base_class_initfn,
3019     .instance_size = sizeof(SCSIDiskState),
3020     .class_size    = sizeof(SCSIDiskClass),
3021     .abstract      = true,
3022 };
3023 
3024 #define DEFINE_SCSI_DISK_PROPERTIES()                                   \
3025     DEFINE_PROP_DRIVE_IOTHREAD("drive", SCSIDiskState, qdev.conf.blk),  \
3026     DEFINE_BLOCK_PROPERTIES_BASE(SCSIDiskState, qdev.conf),             \
3027     DEFINE_BLOCK_ERROR_PROPERTIES(SCSIDiskState, qdev.conf),            \
3028     DEFINE_PROP_STRING("ver", SCSIDiskState, version),                  \
3029     DEFINE_PROP_STRING("serial", SCSIDiskState, serial),                \
3030     DEFINE_PROP_STRING("vendor", SCSIDiskState, vendor),                \
3031     DEFINE_PROP_STRING("product", SCSIDiskState, product),              \
3032     DEFINE_PROP_STRING("device_id", SCSIDiskState, device_id)
3033 
3034 
3035 static Property scsi_hd_properties[] = {
3036     DEFINE_SCSI_DISK_PROPERTIES(),
3037     DEFINE_PROP_BIT("removable", SCSIDiskState, features,
3038                     SCSI_DISK_F_REMOVABLE, false),
3039     DEFINE_PROP_BIT("dpofua", SCSIDiskState, features,
3040                     SCSI_DISK_F_DPOFUA, false),
3041     DEFINE_PROP_UINT64("wwn", SCSIDiskState, qdev.wwn, 0),
3042     DEFINE_PROP_UINT64("port_wwn", SCSIDiskState, qdev.port_wwn, 0),
3043     DEFINE_PROP_UINT16("port_index", SCSIDiskState, port_index, 0),
3044     DEFINE_PROP_UINT64("max_unmap_size", SCSIDiskState, max_unmap_size,
3045                        DEFAULT_MAX_UNMAP_SIZE),
3046     DEFINE_PROP_UINT64("max_io_size", SCSIDiskState, max_io_size,
3047                        DEFAULT_MAX_IO_SIZE),
3048     DEFINE_PROP_UINT16("rotation_rate", SCSIDiskState, rotation_rate, 0),
3049     DEFINE_PROP_INT32("scsi_version", SCSIDiskState, qdev.default_scsi_version,
3050                       5),
3051     DEFINE_BLOCK_CHS_PROPERTIES(SCSIDiskState, qdev.conf),
3052     DEFINE_PROP_END_OF_LIST(),
3053 };
3054 
3055 static const VMStateDescription vmstate_scsi_disk_state = {
3056     .name = "scsi-disk",
3057     .version_id = 1,
3058     .minimum_version_id = 1,
3059     .fields = (VMStateField[]) {
3060         VMSTATE_SCSI_DEVICE(qdev, SCSIDiskState),
3061         VMSTATE_BOOL(media_changed, SCSIDiskState),
3062         VMSTATE_BOOL(media_event, SCSIDiskState),
3063         VMSTATE_BOOL(eject_request, SCSIDiskState),
3064         VMSTATE_BOOL(tray_open, SCSIDiskState),
3065         VMSTATE_BOOL(tray_locked, SCSIDiskState),
3066         VMSTATE_END_OF_LIST()
3067     }
3068 };
3069 
3070 static void scsi_hd_class_initfn(ObjectClass *klass, void *data)
3071 {
3072     DeviceClass *dc = DEVICE_CLASS(klass);
3073     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
3074 
3075     sc->realize      = scsi_hd_realize;
3076     sc->unrealize    = scsi_unrealize;
3077     sc->alloc_req    = scsi_new_request;
3078     sc->unit_attention_reported = scsi_disk_unit_attention_reported;
3079     dc->desc = "virtual SCSI disk";
3080     device_class_set_props(dc, scsi_hd_properties);
3081     dc->vmsd  = &vmstate_scsi_disk_state;
3082 }
3083 
3084 static const TypeInfo scsi_hd_info = {
3085     .name          = "scsi-hd",
3086     .parent        = TYPE_SCSI_DISK_BASE,
3087     .class_init    = scsi_hd_class_initfn,
3088 };
3089 
3090 static Property scsi_cd_properties[] = {
3091     DEFINE_SCSI_DISK_PROPERTIES(),
3092     DEFINE_PROP_UINT64("wwn", SCSIDiskState, qdev.wwn, 0),
3093     DEFINE_PROP_UINT64("port_wwn", SCSIDiskState, qdev.port_wwn, 0),
3094     DEFINE_PROP_UINT16("port_index", SCSIDiskState, port_index, 0),
3095     DEFINE_PROP_UINT64("max_io_size", SCSIDiskState, max_io_size,
3096                        DEFAULT_MAX_IO_SIZE),
3097     DEFINE_PROP_INT32("scsi_version", SCSIDiskState, qdev.default_scsi_version,
3098                       5),
3099     DEFINE_PROP_END_OF_LIST(),
3100 };
3101 
3102 static void scsi_cd_class_initfn(ObjectClass *klass, void *data)
3103 {
3104     DeviceClass *dc = DEVICE_CLASS(klass);
3105     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
3106 
3107     sc->realize      = scsi_cd_realize;
3108     sc->alloc_req    = scsi_new_request;
3109     sc->unit_attention_reported = scsi_disk_unit_attention_reported;
3110     dc->desc = "virtual SCSI CD-ROM";
3111     device_class_set_props(dc, scsi_cd_properties);
3112     dc->vmsd  = &vmstate_scsi_disk_state;
3113 }
3114 
3115 static const TypeInfo scsi_cd_info = {
3116     .name          = "scsi-cd",
3117     .parent        = TYPE_SCSI_DISK_BASE,
3118     .class_init    = scsi_cd_class_initfn,
3119 };
3120 
3121 #ifdef __linux__
3122 static Property scsi_block_properties[] = {
3123     DEFINE_BLOCK_ERROR_PROPERTIES(SCSIDiskState, qdev.conf),
3124     DEFINE_PROP_DRIVE("drive", SCSIDiskState, qdev.conf.blk),
3125     DEFINE_PROP_BOOL("share-rw", SCSIDiskState, qdev.conf.share_rw, false),
3126     DEFINE_PROP_UINT16("rotation_rate", SCSIDiskState, rotation_rate, 0),
3127     DEFINE_PROP_UINT64("max_unmap_size", SCSIDiskState, max_unmap_size,
3128                        DEFAULT_MAX_UNMAP_SIZE),
3129     DEFINE_PROP_UINT64("max_io_size", SCSIDiskState, max_io_size,
3130                        DEFAULT_MAX_IO_SIZE),
3131     DEFINE_PROP_INT32("scsi_version", SCSIDiskState, qdev.default_scsi_version,
3132                       -1),
3133     DEFINE_PROP_UINT32("io_timeout", SCSIDiskState, qdev.io_timeout,
3134                        DEFAULT_IO_TIMEOUT),
3135     DEFINE_PROP_END_OF_LIST(),
3136 };
3137 
3138 static void scsi_block_class_initfn(ObjectClass *klass, void *data)
3139 {
3140     DeviceClass *dc = DEVICE_CLASS(klass);
3141     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
3142     SCSIDiskClass *sdc = SCSI_DISK_BASE_CLASS(klass);
3143 
3144     sc->realize      = scsi_block_realize;
3145     sc->alloc_req    = scsi_block_new_request;
3146     sc->parse_cdb    = scsi_block_parse_cdb;
3147     sdc->dma_readv   = scsi_block_dma_readv;
3148     sdc->dma_writev  = scsi_block_dma_writev;
3149     sdc->update_sense = scsi_block_update_sense;
3150     sdc->need_fua_emulation = scsi_block_no_fua;
3151     dc->desc = "SCSI block device passthrough";
3152     device_class_set_props(dc, scsi_block_properties);
3153     dc->vmsd  = &vmstate_scsi_disk_state;
3154 }
3155 
3156 static const TypeInfo scsi_block_info = {
3157     .name          = "scsi-block",
3158     .parent        = TYPE_SCSI_DISK_BASE,
3159     .class_init    = scsi_block_class_initfn,
3160 };
3161 #endif
3162 
3163 static Property scsi_disk_properties[] = {
3164     DEFINE_SCSI_DISK_PROPERTIES(),
3165     DEFINE_PROP_BIT("removable", SCSIDiskState, features,
3166                     SCSI_DISK_F_REMOVABLE, false),
3167     DEFINE_PROP_BIT("dpofua", SCSIDiskState, features,
3168                     SCSI_DISK_F_DPOFUA, false),
3169     DEFINE_PROP_UINT64("wwn", SCSIDiskState, qdev.wwn, 0),
3170     DEFINE_PROP_UINT64("port_wwn", SCSIDiskState, qdev.port_wwn, 0),
3171     DEFINE_PROP_UINT16("port_index", SCSIDiskState, port_index, 0),
3172     DEFINE_PROP_UINT64("max_unmap_size", SCSIDiskState, max_unmap_size,
3173                        DEFAULT_MAX_UNMAP_SIZE),
3174     DEFINE_PROP_UINT64("max_io_size", SCSIDiskState, max_io_size,
3175                        DEFAULT_MAX_IO_SIZE),
3176     DEFINE_PROP_INT32("scsi_version", SCSIDiskState, qdev.default_scsi_version,
3177                       5),
3178     DEFINE_PROP_END_OF_LIST(),
3179 };
3180 
3181 static void scsi_disk_class_initfn(ObjectClass *klass, void *data)
3182 {
3183     DeviceClass *dc = DEVICE_CLASS(klass);
3184     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
3185 
3186     sc->realize      = scsi_disk_realize;
3187     sc->alloc_req    = scsi_new_request;
3188     sc->unit_attention_reported = scsi_disk_unit_attention_reported;
3189     dc->fw_name = "disk";
3190     dc->desc = "virtual SCSI disk or CD-ROM (legacy)";
3191     dc->reset = scsi_disk_reset;
3192     device_class_set_props(dc, scsi_disk_properties);
3193     dc->vmsd  = &vmstate_scsi_disk_state;
3194 }
3195 
3196 static const TypeInfo scsi_disk_info = {
3197     .name          = "scsi-disk",
3198     .parent        = TYPE_SCSI_DISK_BASE,
3199     .class_init    = scsi_disk_class_initfn,
3200 };
3201 
3202 static void scsi_disk_register_types(void)
3203 {
3204     type_register_static(&scsi_disk_base_info);
3205     type_register_static(&scsi_hd_info);
3206     type_register_static(&scsi_cd_info);
3207 #ifdef __linux__
3208     type_register_static(&scsi_block_info);
3209 #endif
3210     type_register_static(&scsi_disk_info);
3211 }
3212 
3213 type_init(scsi_disk_register_types)
3214