xref: /openbmc/qemu/hw/scsi/scsi-disk.c (revision e3ae2bbf)
1 /*
2  * SCSI Device emulation
3  *
4  * Copyright (c) 2006 CodeSourcery.
5  * Based on code by Fabrice Bellard
6  *
7  * Written by Paul Brook
8  * Modifications:
9  *  2009-Dec-12 Artyom Tarasenko : implemented stamdard inquiry for the case
10  *                                 when the allocation length of CDB is smaller
11  *                                 than 36.
12  *  2009-Oct-13 Artyom Tarasenko : implemented the block descriptor in the
13  *                                 MODE SENSE response.
14  *
15  * This code is licensed under the LGPL.
16  *
17  * Note that this file only handles the SCSI architecture model and device
18  * commands.  Emulation of interface/link layer protocols is handled by
19  * the host adapter emulator.
20  */
21 
22 #include "qemu/osdep.h"
23 #include "qemu/units.h"
24 #include "qapi/error.h"
25 #include "qemu/error-report.h"
26 #include "qemu/main-loop.h"
27 #include "qemu/module.h"
28 #include "hw/scsi/scsi.h"
29 #include "migration/qemu-file-types.h"
30 #include "migration/vmstate.h"
31 #include "hw/scsi/emulation.h"
32 #include "scsi/constants.h"
33 #include "sysemu/block-backend.h"
34 #include "sysemu/blockdev.h"
35 #include "hw/block/block.h"
36 #include "hw/qdev-properties.h"
37 #include "hw/qdev-properties-system.h"
38 #include "sysemu/dma.h"
39 #include "sysemu/sysemu.h"
40 #include "qemu/cutils.h"
41 #include "trace.h"
42 #include "qom/object.h"
43 
44 #ifdef __linux
45 #include <scsi/sg.h>
46 #endif
47 
48 #define SCSI_WRITE_SAME_MAX         (512 * KiB)
49 #define SCSI_DMA_BUF_SIZE           (128 * KiB)
50 #define SCSI_MAX_INQUIRY_LEN        256
51 #define SCSI_MAX_MODE_LEN           256
52 
53 #define DEFAULT_DISCARD_GRANULARITY (4 * KiB)
54 #define DEFAULT_MAX_UNMAP_SIZE      (1 * GiB)
55 #define DEFAULT_MAX_IO_SIZE         INT_MAX     /* 2 GB - 1 block */
56 
57 #define TYPE_SCSI_DISK_BASE         "scsi-disk-base"
58 
59 OBJECT_DECLARE_TYPE(SCSIDiskState, SCSIDiskClass, SCSI_DISK_BASE)
60 
61 struct SCSIDiskClass {
62     SCSIDeviceClass parent_class;
63     DMAIOFunc       *dma_readv;
64     DMAIOFunc       *dma_writev;
65     bool            (*need_fua_emulation)(SCSICommand *cmd);
66     void            (*update_sense)(SCSIRequest *r);
67 };
68 
69 typedef struct SCSIDiskReq {
70     SCSIRequest req;
71     /* Both sector and sector_count are in terms of BDRV_SECTOR_SIZE bytes.  */
72     uint64_t sector;
73     uint32_t sector_count;
74     uint32_t buflen;
75     bool started;
76     bool need_fua_emulation;
77     struct iovec iov;
78     QEMUIOVector qiov;
79     BlockAcctCookie acct;
80 } SCSIDiskReq;
81 
82 #define SCSI_DISK_F_REMOVABLE             0
83 #define SCSI_DISK_F_DPOFUA                1
84 #define SCSI_DISK_F_NO_REMOVABLE_DEVOPS   2
85 
86 struct SCSIDiskState {
87     SCSIDevice qdev;
88     uint32_t features;
89     bool media_changed;
90     bool media_event;
91     bool eject_request;
92     uint16_t port_index;
93     uint64_t max_unmap_size;
94     uint64_t max_io_size;
95     QEMUBH *bh;
96     char *version;
97     char *serial;
98     char *vendor;
99     char *product;
100     char *device_id;
101     bool tray_open;
102     bool tray_locked;
103     /*
104      * 0x0000        - rotation rate not reported
105      * 0x0001        - non-rotating medium (SSD)
106      * 0x0002-0x0400 - reserved
107      * 0x0401-0xffe  - rotations per minute
108      * 0xffff        - reserved
109      */
110     uint16_t rotation_rate;
111 };
112 
113 static void scsi_free_request(SCSIRequest *req)
114 {
115     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
116 
117     qemu_vfree(r->iov.iov_base);
118 }
119 
120 /* Helper function for command completion with sense.  */
121 static void scsi_check_condition(SCSIDiskReq *r, SCSISense sense)
122 {
123     trace_scsi_disk_check_condition(r->req.tag, sense.key, sense.asc,
124                                     sense.ascq);
125     scsi_req_build_sense(&r->req, sense);
126     scsi_req_complete(&r->req, CHECK_CONDITION);
127 }
128 
129 static void scsi_init_iovec(SCSIDiskReq *r, size_t size)
130 {
131     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
132 
133     if (!r->iov.iov_base) {
134         r->buflen = size;
135         r->iov.iov_base = blk_blockalign(s->qdev.conf.blk, r->buflen);
136     }
137     r->iov.iov_len = MIN(r->sector_count * BDRV_SECTOR_SIZE, r->buflen);
138     qemu_iovec_init_external(&r->qiov, &r->iov, 1);
139 }
140 
141 static void scsi_disk_save_request(QEMUFile *f, SCSIRequest *req)
142 {
143     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
144 
145     qemu_put_be64s(f, &r->sector);
146     qemu_put_be32s(f, &r->sector_count);
147     qemu_put_be32s(f, &r->buflen);
148     if (r->buflen) {
149         if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
150             qemu_put_buffer(f, r->iov.iov_base, r->iov.iov_len);
151         } else if (!req->retry) {
152             uint32_t len = r->iov.iov_len;
153             qemu_put_be32s(f, &len);
154             qemu_put_buffer(f, r->iov.iov_base, r->iov.iov_len);
155         }
156     }
157 }
158 
159 static void scsi_disk_load_request(QEMUFile *f, SCSIRequest *req)
160 {
161     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
162 
163     qemu_get_be64s(f, &r->sector);
164     qemu_get_be32s(f, &r->sector_count);
165     qemu_get_be32s(f, &r->buflen);
166     if (r->buflen) {
167         scsi_init_iovec(r, r->buflen);
168         if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
169             qemu_get_buffer(f, r->iov.iov_base, r->iov.iov_len);
170         } else if (!r->req.retry) {
171             uint32_t len;
172             qemu_get_be32s(f, &len);
173             r->iov.iov_len = len;
174             assert(r->iov.iov_len <= r->buflen);
175             qemu_get_buffer(f, r->iov.iov_base, r->iov.iov_len);
176         }
177     }
178 
179     qemu_iovec_init_external(&r->qiov, &r->iov, 1);
180 }
181 
182 /*
183  * scsi_handle_rw_error has two return values.  False means that the error
184  * must be ignored, true means that the error has been processed and the
185  * caller should not do anything else for this request.  Note that
186  * scsi_handle_rw_error always manages its reference counts, independent
187  * of the return value.
188  */
189 static bool scsi_handle_rw_error(SCSIDiskReq *r, int ret, bool acct_failed)
190 {
191     bool is_read = (r->req.cmd.mode == SCSI_XFER_FROM_DEV);
192     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
193     SCSIDiskClass *sdc = (SCSIDiskClass *) object_get_class(OBJECT(s));
194     SCSISense sense = SENSE_CODE(NO_SENSE);
195     int error = 0;
196     bool req_has_sense = false;
197     BlockErrorAction action;
198     int status;
199 
200     if (ret < 0) {
201         status = scsi_sense_from_errno(-ret, &sense);
202         error = -ret;
203     } else {
204         /* A passthrough command has completed with nonzero status.  */
205         status = ret;
206         if (status == CHECK_CONDITION) {
207             req_has_sense = true;
208             error = scsi_sense_buf_to_errno(r->req.sense, sizeof(r->req.sense));
209         } else {
210             error = EINVAL;
211         }
212     }
213 
214     /*
215      * Check whether the error has to be handled by the guest or should
216      * rather follow the rerror=/werror= settings.  Guest-handled errors
217      * are usually retried immediately, so do not post them to QMP and
218      * do not account them as failed I/O.
219      */
220     if (req_has_sense &&
221         scsi_sense_buf_is_guest_recoverable(r->req.sense, sizeof(r->req.sense))) {
222         action = BLOCK_ERROR_ACTION_REPORT;
223         acct_failed = false;
224     } else {
225         action = blk_get_error_action(s->qdev.conf.blk, is_read, error);
226         blk_error_action(s->qdev.conf.blk, action, is_read, error);
227     }
228 
229     switch (action) {
230     case BLOCK_ERROR_ACTION_REPORT:
231         if (acct_failed) {
232             block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
233         }
234         if (req_has_sense) {
235             sdc->update_sense(&r->req);
236         } else if (status == CHECK_CONDITION) {
237             scsi_req_build_sense(&r->req, sense);
238         }
239         scsi_req_complete(&r->req, status);
240         return true;
241 
242     case BLOCK_ERROR_ACTION_IGNORE:
243         return false;
244 
245     case BLOCK_ERROR_ACTION_STOP:
246         scsi_req_retry(&r->req);
247         return true;
248 
249     default:
250         g_assert_not_reached();
251     }
252 }
253 
254 static bool scsi_disk_req_check_error(SCSIDiskReq *r, int ret, bool acct_failed)
255 {
256     if (r->req.io_canceled) {
257         scsi_req_cancel_complete(&r->req);
258         return true;
259     }
260 
261     if (ret < 0) {
262         return scsi_handle_rw_error(r, ret, acct_failed);
263     }
264 
265     return false;
266 }
267 
268 static void scsi_aio_complete(void *opaque, int ret)
269 {
270     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
271     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
272 
273     assert(r->req.aiocb != NULL);
274     r->req.aiocb = NULL;
275     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
276     if (scsi_disk_req_check_error(r, ret, true)) {
277         goto done;
278     }
279 
280     block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
281     scsi_req_complete(&r->req, GOOD);
282 
283 done:
284     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
285     scsi_req_unref(&r->req);
286 }
287 
288 static bool scsi_is_cmd_fua(SCSICommand *cmd)
289 {
290     switch (cmd->buf[0]) {
291     case READ_10:
292     case READ_12:
293     case READ_16:
294     case WRITE_10:
295     case WRITE_12:
296     case WRITE_16:
297         return (cmd->buf[1] & 8) != 0;
298 
299     case VERIFY_10:
300     case VERIFY_12:
301     case VERIFY_16:
302     case WRITE_VERIFY_10:
303     case WRITE_VERIFY_12:
304     case WRITE_VERIFY_16:
305         return true;
306 
307     case READ_6:
308     case WRITE_6:
309     default:
310         return false;
311     }
312 }
313 
314 static void scsi_write_do_fua(SCSIDiskReq *r)
315 {
316     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
317 
318     assert(r->req.aiocb == NULL);
319     assert(!r->req.io_canceled);
320 
321     if (r->need_fua_emulation) {
322         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct, 0,
323                          BLOCK_ACCT_FLUSH);
324         r->req.aiocb = blk_aio_flush(s->qdev.conf.blk, scsi_aio_complete, r);
325         return;
326     }
327 
328     scsi_req_complete(&r->req, GOOD);
329     scsi_req_unref(&r->req);
330 }
331 
332 static void scsi_dma_complete_noio(SCSIDiskReq *r, int ret)
333 {
334     assert(r->req.aiocb == NULL);
335     if (scsi_disk_req_check_error(r, ret, false)) {
336         goto done;
337     }
338 
339     r->sector += r->sector_count;
340     r->sector_count = 0;
341     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
342         scsi_write_do_fua(r);
343         return;
344     } else {
345         scsi_req_complete(&r->req, GOOD);
346     }
347 
348 done:
349     scsi_req_unref(&r->req);
350 }
351 
352 static void scsi_dma_complete(void *opaque, int ret)
353 {
354     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
355     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
356 
357     assert(r->req.aiocb != NULL);
358     r->req.aiocb = NULL;
359 
360     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
361     if (ret < 0) {
362         block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
363     } else {
364         block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
365     }
366     scsi_dma_complete_noio(r, ret);
367     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
368 }
369 
370 static void scsi_read_complete_noio(SCSIDiskReq *r, int ret)
371 {
372     uint32_t n;
373 
374     assert(r->req.aiocb == NULL);
375     if (scsi_disk_req_check_error(r, ret, false)) {
376         goto done;
377     }
378 
379     n = r->qiov.size / BDRV_SECTOR_SIZE;
380     r->sector += n;
381     r->sector_count -= n;
382     scsi_req_data(&r->req, r->qiov.size);
383 
384 done:
385     scsi_req_unref(&r->req);
386 }
387 
388 static void scsi_read_complete(void *opaque, int ret)
389 {
390     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
391     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
392 
393     assert(r->req.aiocb != NULL);
394     r->req.aiocb = NULL;
395 
396     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
397     if (ret < 0) {
398         block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
399     } else {
400         block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
401         trace_scsi_disk_read_complete(r->req.tag, r->qiov.size);
402     }
403     scsi_read_complete_noio(r, ret);
404     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
405 }
406 
407 /* Actually issue a read to the block device.  */
408 static void scsi_do_read(SCSIDiskReq *r, int ret)
409 {
410     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
411     SCSIDiskClass *sdc = (SCSIDiskClass *) object_get_class(OBJECT(s));
412 
413     assert (r->req.aiocb == NULL);
414     if (scsi_disk_req_check_error(r, ret, false)) {
415         goto done;
416     }
417 
418     /* The request is used as the AIO opaque value, so add a ref.  */
419     scsi_req_ref(&r->req);
420 
421     if (r->req.sg) {
422         dma_acct_start(s->qdev.conf.blk, &r->acct, r->req.sg, BLOCK_ACCT_READ);
423         r->req.resid -= r->req.sg->size;
424         r->req.aiocb = dma_blk_io(blk_get_aio_context(s->qdev.conf.blk),
425                                   r->req.sg, r->sector << BDRV_SECTOR_BITS,
426                                   BDRV_SECTOR_SIZE,
427                                   sdc->dma_readv, r, scsi_dma_complete, r,
428                                   DMA_DIRECTION_FROM_DEVICE);
429     } else {
430         scsi_init_iovec(r, SCSI_DMA_BUF_SIZE);
431         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
432                          r->qiov.size, BLOCK_ACCT_READ);
433         r->req.aiocb = sdc->dma_readv(r->sector << BDRV_SECTOR_BITS, &r->qiov,
434                                       scsi_read_complete, r, r);
435     }
436 
437 done:
438     scsi_req_unref(&r->req);
439 }
440 
441 static void scsi_do_read_cb(void *opaque, int ret)
442 {
443     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
444     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
445 
446     assert (r->req.aiocb != NULL);
447     r->req.aiocb = NULL;
448 
449     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
450     if (ret < 0) {
451         block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
452     } else {
453         block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
454     }
455     scsi_do_read(opaque, ret);
456     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
457 }
458 
459 /* Read more data from scsi device into buffer.  */
460 static void scsi_read_data(SCSIRequest *req)
461 {
462     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
463     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
464     bool first;
465 
466     trace_scsi_disk_read_data_count(r->sector_count);
467     if (r->sector_count == 0) {
468         /* This also clears the sense buffer for REQUEST SENSE.  */
469         scsi_req_complete(&r->req, GOOD);
470         return;
471     }
472 
473     /* No data transfer may already be in progress */
474     assert(r->req.aiocb == NULL);
475 
476     /* The request is used as the AIO opaque value, so add a ref.  */
477     scsi_req_ref(&r->req);
478     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
479         trace_scsi_disk_read_data_invalid();
480         scsi_read_complete_noio(r, -EINVAL);
481         return;
482     }
483 
484     if (!blk_is_available(req->dev->conf.blk)) {
485         scsi_read_complete_noio(r, -ENOMEDIUM);
486         return;
487     }
488 
489     first = !r->started;
490     r->started = true;
491     if (first && r->need_fua_emulation) {
492         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct, 0,
493                          BLOCK_ACCT_FLUSH);
494         r->req.aiocb = blk_aio_flush(s->qdev.conf.blk, scsi_do_read_cb, r);
495     } else {
496         scsi_do_read(r, 0);
497     }
498 }
499 
500 static void scsi_write_complete_noio(SCSIDiskReq *r, int ret)
501 {
502     uint32_t n;
503 
504     assert (r->req.aiocb == NULL);
505     if (scsi_disk_req_check_error(r, ret, false)) {
506         goto done;
507     }
508 
509     n = r->qiov.size / BDRV_SECTOR_SIZE;
510     r->sector += n;
511     r->sector_count -= n;
512     if (r->sector_count == 0) {
513         scsi_write_do_fua(r);
514         return;
515     } else {
516         scsi_init_iovec(r, SCSI_DMA_BUF_SIZE);
517         trace_scsi_disk_write_complete_noio(r->req.tag, r->qiov.size);
518         scsi_req_data(&r->req, r->qiov.size);
519     }
520 
521 done:
522     scsi_req_unref(&r->req);
523 }
524 
525 static void scsi_write_complete(void * opaque, int ret)
526 {
527     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
528     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
529 
530     assert (r->req.aiocb != NULL);
531     r->req.aiocb = NULL;
532 
533     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
534     if (ret < 0) {
535         block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
536     } else {
537         block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
538     }
539     scsi_write_complete_noio(r, ret);
540     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
541 }
542 
543 static void scsi_write_data(SCSIRequest *req)
544 {
545     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
546     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
547     SCSIDiskClass *sdc = (SCSIDiskClass *) object_get_class(OBJECT(s));
548 
549     /* No data transfer may already be in progress */
550     assert(r->req.aiocb == NULL);
551 
552     /* The request is used as the AIO opaque value, so add a ref.  */
553     scsi_req_ref(&r->req);
554     if (r->req.cmd.mode != SCSI_XFER_TO_DEV) {
555         trace_scsi_disk_write_data_invalid();
556         scsi_write_complete_noio(r, -EINVAL);
557         return;
558     }
559 
560     if (!r->req.sg && !r->qiov.size) {
561         /* Called for the first time.  Ask the driver to send us more data.  */
562         r->started = true;
563         scsi_write_complete_noio(r, 0);
564         return;
565     }
566     if (!blk_is_available(req->dev->conf.blk)) {
567         scsi_write_complete_noio(r, -ENOMEDIUM);
568         return;
569     }
570 
571     if (r->req.cmd.buf[0] == VERIFY_10 || r->req.cmd.buf[0] == VERIFY_12 ||
572         r->req.cmd.buf[0] == VERIFY_16) {
573         if (r->req.sg) {
574             scsi_dma_complete_noio(r, 0);
575         } else {
576             scsi_write_complete_noio(r, 0);
577         }
578         return;
579     }
580 
581     if (r->req.sg) {
582         dma_acct_start(s->qdev.conf.blk, &r->acct, r->req.sg, BLOCK_ACCT_WRITE);
583         r->req.resid -= r->req.sg->size;
584         r->req.aiocb = dma_blk_io(blk_get_aio_context(s->qdev.conf.blk),
585                                   r->req.sg, r->sector << BDRV_SECTOR_BITS,
586                                   BDRV_SECTOR_SIZE,
587                                   sdc->dma_writev, r, scsi_dma_complete, r,
588                                   DMA_DIRECTION_TO_DEVICE);
589     } else {
590         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
591                          r->qiov.size, BLOCK_ACCT_WRITE);
592         r->req.aiocb = sdc->dma_writev(r->sector << BDRV_SECTOR_BITS, &r->qiov,
593                                        scsi_write_complete, r, r);
594     }
595 }
596 
597 /* Return a pointer to the data buffer.  */
598 static uint8_t *scsi_get_buf(SCSIRequest *req)
599 {
600     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
601 
602     return (uint8_t *)r->iov.iov_base;
603 }
604 
605 static int scsi_disk_emulate_vpd_page(SCSIRequest *req, uint8_t *outbuf)
606 {
607     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
608     uint8_t page_code = req->cmd.buf[2];
609     int start, buflen = 0;
610 
611     outbuf[buflen++] = s->qdev.type & 0x1f;
612     outbuf[buflen++] = page_code;
613     outbuf[buflen++] = 0x00;
614     outbuf[buflen++] = 0x00;
615     start = buflen;
616 
617     switch (page_code) {
618     case 0x00: /* Supported page codes, mandatory */
619     {
620         trace_scsi_disk_emulate_vpd_page_00(req->cmd.xfer);
621         outbuf[buflen++] = 0x00; /* list of supported pages (this page) */
622         if (s->serial) {
623             outbuf[buflen++] = 0x80; /* unit serial number */
624         }
625         outbuf[buflen++] = 0x83; /* device identification */
626         if (s->qdev.type == TYPE_DISK) {
627             outbuf[buflen++] = 0xb0; /* block limits */
628             outbuf[buflen++] = 0xb1; /* block device characteristics */
629             outbuf[buflen++] = 0xb2; /* thin provisioning */
630         }
631         break;
632     }
633     case 0x80: /* Device serial number, optional */
634     {
635         int l;
636 
637         if (!s->serial) {
638             trace_scsi_disk_emulate_vpd_page_80_not_supported();
639             return -1;
640         }
641 
642         l = strlen(s->serial);
643         if (l > 36) {
644             l = 36;
645         }
646 
647         trace_scsi_disk_emulate_vpd_page_80(req->cmd.xfer);
648         memcpy(outbuf + buflen, s->serial, l);
649         buflen += l;
650         break;
651     }
652 
653     case 0x83: /* Device identification page, mandatory */
654     {
655         int id_len = s->device_id ? MIN(strlen(s->device_id), 255 - 8) : 0;
656 
657         trace_scsi_disk_emulate_vpd_page_83(req->cmd.xfer);
658 
659         if (id_len) {
660             outbuf[buflen++] = 0x2; /* ASCII */
661             outbuf[buflen++] = 0;   /* not officially assigned */
662             outbuf[buflen++] = 0;   /* reserved */
663             outbuf[buflen++] = id_len; /* length of data following */
664             memcpy(outbuf + buflen, s->device_id, id_len);
665             buflen += id_len;
666         }
667 
668         if (s->qdev.wwn) {
669             outbuf[buflen++] = 0x1; /* Binary */
670             outbuf[buflen++] = 0x3; /* NAA */
671             outbuf[buflen++] = 0;   /* reserved */
672             outbuf[buflen++] = 8;
673             stq_be_p(&outbuf[buflen], s->qdev.wwn);
674             buflen += 8;
675         }
676 
677         if (s->qdev.port_wwn) {
678             outbuf[buflen++] = 0x61; /* SAS / Binary */
679             outbuf[buflen++] = 0x93; /* PIV / Target port / NAA */
680             outbuf[buflen++] = 0;    /* reserved */
681             outbuf[buflen++] = 8;
682             stq_be_p(&outbuf[buflen], s->qdev.port_wwn);
683             buflen += 8;
684         }
685 
686         if (s->port_index) {
687             outbuf[buflen++] = 0x61; /* SAS / Binary */
688 
689             /* PIV/Target port/relative target port */
690             outbuf[buflen++] = 0x94;
691 
692             outbuf[buflen++] = 0;    /* reserved */
693             outbuf[buflen++] = 4;
694             stw_be_p(&outbuf[buflen + 2], s->port_index);
695             buflen += 4;
696         }
697         break;
698     }
699     case 0xb0: /* block limits */
700     {
701         SCSIBlockLimits bl = {};
702 
703         if (s->qdev.type == TYPE_ROM) {
704             trace_scsi_disk_emulate_vpd_page_b0_not_supported();
705             return -1;
706         }
707         bl.wsnz = 1;
708         bl.unmap_sectors =
709             s->qdev.conf.discard_granularity / s->qdev.blocksize;
710         bl.min_io_size =
711             s->qdev.conf.min_io_size / s->qdev.blocksize;
712         bl.opt_io_size =
713             s->qdev.conf.opt_io_size / s->qdev.blocksize;
714         bl.max_unmap_sectors =
715             s->max_unmap_size / s->qdev.blocksize;
716         bl.max_io_sectors =
717             s->max_io_size / s->qdev.blocksize;
718         /* 255 descriptors fit in 4 KiB with an 8-byte header */
719         bl.max_unmap_descr = 255;
720 
721         if (s->qdev.type == TYPE_DISK) {
722             int max_transfer_blk = blk_get_max_transfer(s->qdev.conf.blk);
723             int max_io_sectors_blk =
724                 max_transfer_blk / s->qdev.blocksize;
725 
726             bl.max_io_sectors =
727                 MIN_NON_ZERO(max_io_sectors_blk, bl.max_io_sectors);
728         }
729         buflen += scsi_emulate_block_limits(outbuf + buflen, &bl);
730         break;
731     }
732     case 0xb1: /* block device characteristics */
733     {
734         buflen = 0x40;
735         outbuf[4] = (s->rotation_rate >> 8) & 0xff;
736         outbuf[5] = s->rotation_rate & 0xff;
737         outbuf[6] = 0; /* PRODUCT TYPE */
738         outbuf[7] = 0; /* WABEREQ | WACEREQ | NOMINAL FORM FACTOR */
739         outbuf[8] = 0; /* VBULS */
740         break;
741     }
742     case 0xb2: /* thin provisioning */
743     {
744         buflen = 8;
745         outbuf[4] = 0;
746         outbuf[5] = 0xe0; /* unmap & write_same 10/16 all supported */
747         outbuf[6] = s->qdev.conf.discard_granularity ? 2 : 1;
748         outbuf[7] = 0;
749         break;
750     }
751     default:
752         return -1;
753     }
754     /* done with EVPD */
755     assert(buflen - start <= 255);
756     outbuf[start - 1] = buflen - start;
757     return buflen;
758 }
759 
760 static int scsi_disk_emulate_inquiry(SCSIRequest *req, uint8_t *outbuf)
761 {
762     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
763     int buflen = 0;
764 
765     if (req->cmd.buf[1] & 0x1) {
766         /* Vital product data */
767         return scsi_disk_emulate_vpd_page(req, outbuf);
768     }
769 
770     /* Standard INQUIRY data */
771     if (req->cmd.buf[2] != 0) {
772         return -1;
773     }
774 
775     /* PAGE CODE == 0 */
776     buflen = req->cmd.xfer;
777     if (buflen > SCSI_MAX_INQUIRY_LEN) {
778         buflen = SCSI_MAX_INQUIRY_LEN;
779     }
780 
781     outbuf[0] = s->qdev.type & 0x1f;
782     outbuf[1] = (s->features & (1 << SCSI_DISK_F_REMOVABLE)) ? 0x80 : 0;
783 
784     strpadcpy((char *) &outbuf[16], 16, s->product, ' ');
785     strpadcpy((char *) &outbuf[8], 8, s->vendor, ' ');
786 
787     memset(&outbuf[32], 0, 4);
788     memcpy(&outbuf[32], s->version, MIN(4, strlen(s->version)));
789     /*
790      * We claim conformance to SPC-3, which is required for guests
791      * to ask for modern features like READ CAPACITY(16) or the
792      * block characteristics VPD page by default.  Not all of SPC-3
793      * is actually implemented, but we're good enough.
794      */
795     outbuf[2] = s->qdev.default_scsi_version;
796     outbuf[3] = 2 | 0x10; /* Format 2, HiSup */
797 
798     if (buflen > 36) {
799         outbuf[4] = buflen - 5; /* Additional Length = (Len - 1) - 4 */
800     } else {
801         /* If the allocation length of CDB is too small,
802                the additional length is not adjusted */
803         outbuf[4] = 36 - 5;
804     }
805 
806     /* Sync data transfer and TCQ.  */
807     outbuf[7] = 0x10 | (req->bus->info->tcq ? 0x02 : 0);
808     return buflen;
809 }
810 
811 static inline bool media_is_dvd(SCSIDiskState *s)
812 {
813     uint64_t nb_sectors;
814     if (s->qdev.type != TYPE_ROM) {
815         return false;
816     }
817     if (!blk_is_available(s->qdev.conf.blk)) {
818         return false;
819     }
820     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
821     return nb_sectors > CD_MAX_SECTORS;
822 }
823 
824 static inline bool media_is_cd(SCSIDiskState *s)
825 {
826     uint64_t nb_sectors;
827     if (s->qdev.type != TYPE_ROM) {
828         return false;
829     }
830     if (!blk_is_available(s->qdev.conf.blk)) {
831         return false;
832     }
833     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
834     return nb_sectors <= CD_MAX_SECTORS;
835 }
836 
837 static int scsi_read_disc_information(SCSIDiskState *s, SCSIDiskReq *r,
838                                       uint8_t *outbuf)
839 {
840     uint8_t type = r->req.cmd.buf[1] & 7;
841 
842     if (s->qdev.type != TYPE_ROM) {
843         return -1;
844     }
845 
846     /* Types 1/2 are only defined for Blu-Ray.  */
847     if (type != 0) {
848         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
849         return -1;
850     }
851 
852     memset(outbuf, 0, 34);
853     outbuf[1] = 32;
854     outbuf[2] = 0xe; /* last session complete, disc finalized */
855     outbuf[3] = 1;   /* first track on disc */
856     outbuf[4] = 1;   /* # of sessions */
857     outbuf[5] = 1;   /* first track of last session */
858     outbuf[6] = 1;   /* last track of last session */
859     outbuf[7] = 0x20; /* unrestricted use */
860     outbuf[8] = 0x00; /* CD-ROM or DVD-ROM */
861     /* 9-10-11: most significant byte corresponding bytes 4-5-6 */
862     /* 12-23: not meaningful for CD-ROM or DVD-ROM */
863     /* 24-31: disc bar code */
864     /* 32: disc application code */
865     /* 33: number of OPC tables */
866 
867     return 34;
868 }
869 
870 static int scsi_read_dvd_structure(SCSIDiskState *s, SCSIDiskReq *r,
871                                    uint8_t *outbuf)
872 {
873     static const int rds_caps_size[5] = {
874         [0] = 2048 + 4,
875         [1] = 4 + 4,
876         [3] = 188 + 4,
877         [4] = 2048 + 4,
878     };
879 
880     uint8_t media = r->req.cmd.buf[1];
881     uint8_t layer = r->req.cmd.buf[6];
882     uint8_t format = r->req.cmd.buf[7];
883     int size = -1;
884 
885     if (s->qdev.type != TYPE_ROM) {
886         return -1;
887     }
888     if (media != 0) {
889         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
890         return -1;
891     }
892 
893     if (format != 0xff) {
894         if (!blk_is_available(s->qdev.conf.blk)) {
895             scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
896             return -1;
897         }
898         if (media_is_cd(s)) {
899             scsi_check_condition(r, SENSE_CODE(INCOMPATIBLE_FORMAT));
900             return -1;
901         }
902         if (format >= ARRAY_SIZE(rds_caps_size)) {
903             return -1;
904         }
905         size = rds_caps_size[format];
906         memset(outbuf, 0, size);
907     }
908 
909     switch (format) {
910     case 0x00: {
911         /* Physical format information */
912         uint64_t nb_sectors;
913         if (layer != 0) {
914             goto fail;
915         }
916         blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
917 
918         outbuf[4] = 1;   /* DVD-ROM, part version 1 */
919         outbuf[5] = 0xf; /* 120mm disc, minimum rate unspecified */
920         outbuf[6] = 1;   /* one layer, read-only (per MMC-2 spec) */
921         outbuf[7] = 0;   /* default densities */
922 
923         stl_be_p(&outbuf[12], (nb_sectors >> 2) - 1); /* end sector */
924         stl_be_p(&outbuf[16], (nb_sectors >> 2) - 1); /* l0 end sector */
925         break;
926     }
927 
928     case 0x01: /* DVD copyright information, all zeros */
929         break;
930 
931     case 0x03: /* BCA information - invalid field for no BCA info */
932         return -1;
933 
934     case 0x04: /* DVD disc manufacturing information, all zeros */
935         break;
936 
937     case 0xff: { /* List capabilities */
938         int i;
939         size = 4;
940         for (i = 0; i < ARRAY_SIZE(rds_caps_size); i++) {
941             if (!rds_caps_size[i]) {
942                 continue;
943             }
944             outbuf[size] = i;
945             outbuf[size + 1] = 0x40; /* Not writable, readable */
946             stw_be_p(&outbuf[size + 2], rds_caps_size[i]);
947             size += 4;
948         }
949         break;
950      }
951 
952     default:
953         return -1;
954     }
955 
956     /* Size of buffer, not including 2 byte size field */
957     stw_be_p(outbuf, size - 2);
958     return size;
959 
960 fail:
961     return -1;
962 }
963 
964 static int scsi_event_status_media(SCSIDiskState *s, uint8_t *outbuf)
965 {
966     uint8_t event_code, media_status;
967 
968     media_status = 0;
969     if (s->tray_open) {
970         media_status = MS_TRAY_OPEN;
971     } else if (blk_is_inserted(s->qdev.conf.blk)) {
972         media_status = MS_MEDIA_PRESENT;
973     }
974 
975     /* Event notification descriptor */
976     event_code = MEC_NO_CHANGE;
977     if (media_status != MS_TRAY_OPEN) {
978         if (s->media_event) {
979             event_code = MEC_NEW_MEDIA;
980             s->media_event = false;
981         } else if (s->eject_request) {
982             event_code = MEC_EJECT_REQUESTED;
983             s->eject_request = false;
984         }
985     }
986 
987     outbuf[0] = event_code;
988     outbuf[1] = media_status;
989 
990     /* These fields are reserved, just clear them. */
991     outbuf[2] = 0;
992     outbuf[3] = 0;
993     return 4;
994 }
995 
996 static int scsi_get_event_status_notification(SCSIDiskState *s, SCSIDiskReq *r,
997                                               uint8_t *outbuf)
998 {
999     int size;
1000     uint8_t *buf = r->req.cmd.buf;
1001     uint8_t notification_class_request = buf[4];
1002     if (s->qdev.type != TYPE_ROM) {
1003         return -1;
1004     }
1005     if ((buf[1] & 1) == 0) {
1006         /* asynchronous */
1007         return -1;
1008     }
1009 
1010     size = 4;
1011     outbuf[0] = outbuf[1] = 0;
1012     outbuf[3] = 1 << GESN_MEDIA; /* supported events */
1013     if (notification_class_request & (1 << GESN_MEDIA)) {
1014         outbuf[2] = GESN_MEDIA;
1015         size += scsi_event_status_media(s, &outbuf[size]);
1016     } else {
1017         outbuf[2] = 0x80;
1018     }
1019     stw_be_p(outbuf, size - 4);
1020     return size;
1021 }
1022 
1023 static int scsi_get_configuration(SCSIDiskState *s, uint8_t *outbuf)
1024 {
1025     int current;
1026 
1027     if (s->qdev.type != TYPE_ROM) {
1028         return -1;
1029     }
1030 
1031     if (media_is_dvd(s)) {
1032         current = MMC_PROFILE_DVD_ROM;
1033     } else if (media_is_cd(s)) {
1034         current = MMC_PROFILE_CD_ROM;
1035     } else {
1036         current = MMC_PROFILE_NONE;
1037     }
1038 
1039     memset(outbuf, 0, 40);
1040     stl_be_p(&outbuf[0], 36); /* Bytes after the data length field */
1041     stw_be_p(&outbuf[6], current);
1042     /* outbuf[8] - outbuf[19]: Feature 0 - Profile list */
1043     outbuf[10] = 0x03; /* persistent, current */
1044     outbuf[11] = 8; /* two profiles */
1045     stw_be_p(&outbuf[12], MMC_PROFILE_DVD_ROM);
1046     outbuf[14] = (current == MMC_PROFILE_DVD_ROM);
1047     stw_be_p(&outbuf[16], MMC_PROFILE_CD_ROM);
1048     outbuf[18] = (current == MMC_PROFILE_CD_ROM);
1049     /* outbuf[20] - outbuf[31]: Feature 1 - Core feature */
1050     stw_be_p(&outbuf[20], 1);
1051     outbuf[22] = 0x08 | 0x03; /* version 2, persistent, current */
1052     outbuf[23] = 8;
1053     stl_be_p(&outbuf[24], 1); /* SCSI */
1054     outbuf[28] = 1; /* DBE = 1, mandatory */
1055     /* outbuf[32] - outbuf[39]: Feature 3 - Removable media feature */
1056     stw_be_p(&outbuf[32], 3);
1057     outbuf[34] = 0x08 | 0x03; /* version 2, persistent, current */
1058     outbuf[35] = 4;
1059     outbuf[36] = 0x39; /* tray, load=1, eject=1, unlocked at powerup, lock=1 */
1060     /* TODO: Random readable, CD read, DVD read, drive serial number,
1061        power management */
1062     return 40;
1063 }
1064 
1065 static int scsi_emulate_mechanism_status(SCSIDiskState *s, uint8_t *outbuf)
1066 {
1067     if (s->qdev.type != TYPE_ROM) {
1068         return -1;
1069     }
1070     memset(outbuf, 0, 8);
1071     outbuf[5] = 1; /* CD-ROM */
1072     return 8;
1073 }
1074 
1075 static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf,
1076                            int page_control)
1077 {
1078     static const int mode_sense_valid[0x3f] = {
1079         [MODE_PAGE_HD_GEOMETRY]            = (1 << TYPE_DISK),
1080         [MODE_PAGE_FLEXIBLE_DISK_GEOMETRY] = (1 << TYPE_DISK),
1081         [MODE_PAGE_CACHING]                = (1 << TYPE_DISK) | (1 << TYPE_ROM),
1082         [MODE_PAGE_R_W_ERROR]              = (1 << TYPE_DISK) | (1 << TYPE_ROM),
1083         [MODE_PAGE_AUDIO_CTL]              = (1 << TYPE_ROM),
1084         [MODE_PAGE_CAPABILITIES]           = (1 << TYPE_ROM),
1085     };
1086 
1087     uint8_t *p = *p_outbuf + 2;
1088     int length;
1089 
1090     assert(page < ARRAY_SIZE(mode_sense_valid));
1091     if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) {
1092         return -1;
1093     }
1094 
1095     /*
1096      * If Changeable Values are requested, a mask denoting those mode parameters
1097      * that are changeable shall be returned. As we currently don't support
1098      * parameter changes via MODE_SELECT all bits are returned set to zero.
1099      * The buffer was already menset to zero by the caller of this function.
1100      *
1101      * The offsets here are off by two compared to the descriptions in the
1102      * SCSI specs, because those include a 2-byte header.  This is unfortunate,
1103      * but it is done so that offsets are consistent within our implementation
1104      * of MODE SENSE and MODE SELECT.  MODE SELECT has to deal with both
1105      * 2-byte and 4-byte headers.
1106      */
1107     switch (page) {
1108     case MODE_PAGE_HD_GEOMETRY:
1109         length = 0x16;
1110         if (page_control == 1) { /* Changeable Values */
1111             break;
1112         }
1113         /* if a geometry hint is available, use it */
1114         p[0] = (s->qdev.conf.cyls >> 16) & 0xff;
1115         p[1] = (s->qdev.conf.cyls >> 8) & 0xff;
1116         p[2] = s->qdev.conf.cyls & 0xff;
1117         p[3] = s->qdev.conf.heads & 0xff;
1118         /* Write precomp start cylinder, disabled */
1119         p[4] = (s->qdev.conf.cyls >> 16) & 0xff;
1120         p[5] = (s->qdev.conf.cyls >> 8) & 0xff;
1121         p[6] = s->qdev.conf.cyls & 0xff;
1122         /* Reduced current start cylinder, disabled */
1123         p[7] = (s->qdev.conf.cyls >> 16) & 0xff;
1124         p[8] = (s->qdev.conf.cyls >> 8) & 0xff;
1125         p[9] = s->qdev.conf.cyls & 0xff;
1126         /* Device step rate [ns], 200ns */
1127         p[10] = 0;
1128         p[11] = 200;
1129         /* Landing zone cylinder */
1130         p[12] = 0xff;
1131         p[13] =  0xff;
1132         p[14] = 0xff;
1133         /* Medium rotation rate [rpm], 5400 rpm */
1134         p[18] = (5400 >> 8) & 0xff;
1135         p[19] = 5400 & 0xff;
1136         break;
1137 
1138     case MODE_PAGE_FLEXIBLE_DISK_GEOMETRY:
1139         length = 0x1e;
1140         if (page_control == 1) { /* Changeable Values */
1141             break;
1142         }
1143         /* Transfer rate [kbit/s], 5Mbit/s */
1144         p[0] = 5000 >> 8;
1145         p[1] = 5000 & 0xff;
1146         /* if a geometry hint is available, use it */
1147         p[2] = s->qdev.conf.heads & 0xff;
1148         p[3] = s->qdev.conf.secs & 0xff;
1149         p[4] = s->qdev.blocksize >> 8;
1150         p[6] = (s->qdev.conf.cyls >> 8) & 0xff;
1151         p[7] = s->qdev.conf.cyls & 0xff;
1152         /* Write precomp start cylinder, disabled */
1153         p[8] = (s->qdev.conf.cyls >> 8) & 0xff;
1154         p[9] = s->qdev.conf.cyls & 0xff;
1155         /* Reduced current start cylinder, disabled */
1156         p[10] = (s->qdev.conf.cyls >> 8) & 0xff;
1157         p[11] = s->qdev.conf.cyls & 0xff;
1158         /* Device step rate [100us], 100us */
1159         p[12] = 0;
1160         p[13] = 1;
1161         /* Device step pulse width [us], 1us */
1162         p[14] = 1;
1163         /* Device head settle delay [100us], 100us */
1164         p[15] = 0;
1165         p[16] = 1;
1166         /* Motor on delay [0.1s], 0.1s */
1167         p[17] = 1;
1168         /* Motor off delay [0.1s], 0.1s */
1169         p[18] = 1;
1170         /* Medium rotation rate [rpm], 5400 rpm */
1171         p[26] = (5400 >> 8) & 0xff;
1172         p[27] = 5400 & 0xff;
1173         break;
1174 
1175     case MODE_PAGE_CACHING:
1176         length = 0x12;
1177         if (page_control == 1 || /* Changeable Values */
1178             blk_enable_write_cache(s->qdev.conf.blk)) {
1179             p[0] = 4; /* WCE */
1180         }
1181         break;
1182 
1183     case MODE_PAGE_R_W_ERROR:
1184         length = 10;
1185         if (page_control == 1) { /* Changeable Values */
1186             break;
1187         }
1188         p[0] = 0x80; /* Automatic Write Reallocation Enabled */
1189         if (s->qdev.type == TYPE_ROM) {
1190             p[1] = 0x20; /* Read Retry Count */
1191         }
1192         break;
1193 
1194     case MODE_PAGE_AUDIO_CTL:
1195         length = 14;
1196         break;
1197 
1198     case MODE_PAGE_CAPABILITIES:
1199         length = 0x14;
1200         if (page_control == 1) { /* Changeable Values */
1201             break;
1202         }
1203 
1204         p[0] = 0x3b; /* CD-R & CD-RW read */
1205         p[1] = 0; /* Writing not supported */
1206         p[2] = 0x7f; /* Audio, composite, digital out,
1207                         mode 2 form 1&2, multi session */
1208         p[3] = 0xff; /* CD DA, DA accurate, RW supported,
1209                         RW corrected, C2 errors, ISRC,
1210                         UPC, Bar code */
1211         p[4] = 0x2d | (s->tray_locked ? 2 : 0);
1212         /* Locking supported, jumper present, eject, tray */
1213         p[5] = 0; /* no volume & mute control, no
1214                      changer */
1215         p[6] = (50 * 176) >> 8; /* 50x read speed */
1216         p[7] = (50 * 176) & 0xff;
1217         p[8] = 2 >> 8; /* Two volume levels */
1218         p[9] = 2 & 0xff;
1219         p[10] = 2048 >> 8; /* 2M buffer */
1220         p[11] = 2048 & 0xff;
1221         p[12] = (16 * 176) >> 8; /* 16x read speed current */
1222         p[13] = (16 * 176) & 0xff;
1223         p[16] = (16 * 176) >> 8; /* 16x write speed */
1224         p[17] = (16 * 176) & 0xff;
1225         p[18] = (16 * 176) >> 8; /* 16x write speed current */
1226         p[19] = (16 * 176) & 0xff;
1227         break;
1228 
1229     default:
1230         return -1;
1231     }
1232 
1233     assert(length < 256);
1234     (*p_outbuf)[0] = page;
1235     (*p_outbuf)[1] = length;
1236     *p_outbuf += length + 2;
1237     return length + 2;
1238 }
1239 
1240 static int scsi_disk_emulate_mode_sense(SCSIDiskReq *r, uint8_t *outbuf)
1241 {
1242     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1243     uint64_t nb_sectors;
1244     bool dbd;
1245     int page, buflen, ret, page_control;
1246     uint8_t *p;
1247     uint8_t dev_specific_param;
1248 
1249     dbd = (r->req.cmd.buf[1] & 0x8) != 0;
1250     page = r->req.cmd.buf[2] & 0x3f;
1251     page_control = (r->req.cmd.buf[2] & 0xc0) >> 6;
1252 
1253     trace_scsi_disk_emulate_mode_sense((r->req.cmd.buf[0] == MODE_SENSE) ? 6 :
1254                                        10, page, r->req.cmd.xfer, page_control);
1255     memset(outbuf, 0, r->req.cmd.xfer);
1256     p = outbuf;
1257 
1258     if (s->qdev.type == TYPE_DISK) {
1259         dev_specific_param = s->features & (1 << SCSI_DISK_F_DPOFUA) ? 0x10 : 0;
1260         if (!blk_is_writable(s->qdev.conf.blk)) {
1261             dev_specific_param |= 0x80; /* Readonly.  */
1262         }
1263     } else {
1264         /* MMC prescribes that CD/DVD drives have no block descriptors,
1265          * and defines no device-specific parameter.  */
1266         dev_specific_param = 0x00;
1267         dbd = true;
1268     }
1269 
1270     if (r->req.cmd.buf[0] == MODE_SENSE) {
1271         p[1] = 0; /* Default media type.  */
1272         p[2] = dev_specific_param;
1273         p[3] = 0; /* Block descriptor length.  */
1274         p += 4;
1275     } else { /* MODE_SENSE_10 */
1276         p[2] = 0; /* Default media type.  */
1277         p[3] = dev_specific_param;
1278         p[6] = p[7] = 0; /* Block descriptor length.  */
1279         p += 8;
1280     }
1281 
1282     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
1283     if (!dbd && nb_sectors) {
1284         if (r->req.cmd.buf[0] == MODE_SENSE) {
1285             outbuf[3] = 8; /* Block descriptor length  */
1286         } else { /* MODE_SENSE_10 */
1287             outbuf[7] = 8; /* Block descriptor length  */
1288         }
1289         nb_sectors /= (s->qdev.blocksize / BDRV_SECTOR_SIZE);
1290         if (nb_sectors > 0xffffff) {
1291             nb_sectors = 0;
1292         }
1293         p[0] = 0; /* media density code */
1294         p[1] = (nb_sectors >> 16) & 0xff;
1295         p[2] = (nb_sectors >> 8) & 0xff;
1296         p[3] = nb_sectors & 0xff;
1297         p[4] = 0; /* reserved */
1298         p[5] = 0; /* bytes 5-7 are the sector size in bytes */
1299         p[6] = s->qdev.blocksize >> 8;
1300         p[7] = 0;
1301         p += 8;
1302     }
1303 
1304     if (page_control == 3) {
1305         /* Saved Values */
1306         scsi_check_condition(r, SENSE_CODE(SAVING_PARAMS_NOT_SUPPORTED));
1307         return -1;
1308     }
1309 
1310     if (page == 0x3f) {
1311         for (page = 0; page <= 0x3e; page++) {
1312             mode_sense_page(s, page, &p, page_control);
1313         }
1314     } else {
1315         ret = mode_sense_page(s, page, &p, page_control);
1316         if (ret == -1) {
1317             return -1;
1318         }
1319     }
1320 
1321     buflen = p - outbuf;
1322     /*
1323      * The mode data length field specifies the length in bytes of the
1324      * following data that is available to be transferred. The mode data
1325      * length does not include itself.
1326      */
1327     if (r->req.cmd.buf[0] == MODE_SENSE) {
1328         outbuf[0] = buflen - 1;
1329     } else { /* MODE_SENSE_10 */
1330         outbuf[0] = ((buflen - 2) >> 8) & 0xff;
1331         outbuf[1] = (buflen - 2) & 0xff;
1332     }
1333     return buflen;
1334 }
1335 
1336 static int scsi_disk_emulate_read_toc(SCSIRequest *req, uint8_t *outbuf)
1337 {
1338     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1339     int start_track, format, msf, toclen;
1340     uint64_t nb_sectors;
1341 
1342     msf = req->cmd.buf[1] & 2;
1343     format = req->cmd.buf[2] & 0xf;
1344     start_track = req->cmd.buf[6];
1345     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
1346     trace_scsi_disk_emulate_read_toc(start_track, format, msf >> 1);
1347     nb_sectors /= s->qdev.blocksize / BDRV_SECTOR_SIZE;
1348     switch (format) {
1349     case 0:
1350         toclen = cdrom_read_toc(nb_sectors, outbuf, msf, start_track);
1351         break;
1352     case 1:
1353         /* multi session : only a single session defined */
1354         toclen = 12;
1355         memset(outbuf, 0, 12);
1356         outbuf[1] = 0x0a;
1357         outbuf[2] = 0x01;
1358         outbuf[3] = 0x01;
1359         break;
1360     case 2:
1361         toclen = cdrom_read_toc_raw(nb_sectors, outbuf, msf, start_track);
1362         break;
1363     default:
1364         return -1;
1365     }
1366     return toclen;
1367 }
1368 
1369 static int scsi_disk_emulate_start_stop(SCSIDiskReq *r)
1370 {
1371     SCSIRequest *req = &r->req;
1372     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1373     bool start = req->cmd.buf[4] & 1;
1374     bool loej = req->cmd.buf[4] & 2; /* load on start, eject on !start */
1375     int pwrcnd = req->cmd.buf[4] & 0xf0;
1376 
1377     if (pwrcnd) {
1378         /* eject/load only happens for power condition == 0 */
1379         return 0;
1380     }
1381 
1382     if ((s->features & (1 << SCSI_DISK_F_REMOVABLE)) && loej) {
1383         if (!start && !s->tray_open && s->tray_locked) {
1384             scsi_check_condition(r,
1385                                  blk_is_inserted(s->qdev.conf.blk)
1386                                  ? SENSE_CODE(ILLEGAL_REQ_REMOVAL_PREVENTED)
1387                                  : SENSE_CODE(NOT_READY_REMOVAL_PREVENTED));
1388             return -1;
1389         }
1390 
1391         if (s->tray_open != !start) {
1392             blk_eject(s->qdev.conf.blk, !start);
1393             s->tray_open = !start;
1394         }
1395     }
1396     return 0;
1397 }
1398 
1399 static void scsi_disk_emulate_read_data(SCSIRequest *req)
1400 {
1401     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
1402     int buflen = r->iov.iov_len;
1403 
1404     if (buflen) {
1405         trace_scsi_disk_emulate_read_data(buflen);
1406         r->iov.iov_len = 0;
1407         r->started = true;
1408         scsi_req_data(&r->req, buflen);
1409         return;
1410     }
1411 
1412     /* This also clears the sense buffer for REQUEST SENSE.  */
1413     scsi_req_complete(&r->req, GOOD);
1414 }
1415 
1416 static int scsi_disk_check_mode_select(SCSIDiskState *s, int page,
1417                                        uint8_t *inbuf, int inlen)
1418 {
1419     uint8_t mode_current[SCSI_MAX_MODE_LEN];
1420     uint8_t mode_changeable[SCSI_MAX_MODE_LEN];
1421     uint8_t *p;
1422     int len, expected_len, changeable_len, i;
1423 
1424     /* The input buffer does not include the page header, so it is
1425      * off by 2 bytes.
1426      */
1427     expected_len = inlen + 2;
1428     if (expected_len > SCSI_MAX_MODE_LEN) {
1429         return -1;
1430     }
1431 
1432     /* MODE_PAGE_ALLS is only valid for MODE SENSE commands */
1433     if (page == MODE_PAGE_ALLS) {
1434         return -1;
1435     }
1436 
1437     p = mode_current;
1438     memset(mode_current, 0, inlen + 2);
1439     len = mode_sense_page(s, page, &p, 0);
1440     if (len < 0 || len != expected_len) {
1441         return -1;
1442     }
1443 
1444     p = mode_changeable;
1445     memset(mode_changeable, 0, inlen + 2);
1446     changeable_len = mode_sense_page(s, page, &p, 1);
1447     assert(changeable_len == len);
1448 
1449     /* Check that unchangeable bits are the same as what MODE SENSE
1450      * would return.
1451      */
1452     for (i = 2; i < len; i++) {
1453         if (((mode_current[i] ^ inbuf[i - 2]) & ~mode_changeable[i]) != 0) {
1454             return -1;
1455         }
1456     }
1457     return 0;
1458 }
1459 
1460 static void scsi_disk_apply_mode_select(SCSIDiskState *s, int page, uint8_t *p)
1461 {
1462     switch (page) {
1463     case MODE_PAGE_CACHING:
1464         blk_set_enable_write_cache(s->qdev.conf.blk, (p[0] & 4) != 0);
1465         break;
1466 
1467     default:
1468         break;
1469     }
1470 }
1471 
1472 static int mode_select_pages(SCSIDiskReq *r, uint8_t *p, int len, bool change)
1473 {
1474     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1475 
1476     while (len > 0) {
1477         int page, subpage, page_len;
1478 
1479         /* Parse both possible formats for the mode page headers.  */
1480         page = p[0] & 0x3f;
1481         if (p[0] & 0x40) {
1482             if (len < 4) {
1483                 goto invalid_param_len;
1484             }
1485             subpage = p[1];
1486             page_len = lduw_be_p(&p[2]);
1487             p += 4;
1488             len -= 4;
1489         } else {
1490             if (len < 2) {
1491                 goto invalid_param_len;
1492             }
1493             subpage = 0;
1494             page_len = p[1];
1495             p += 2;
1496             len -= 2;
1497         }
1498 
1499         if (subpage) {
1500             goto invalid_param;
1501         }
1502         if (page_len > len) {
1503             goto invalid_param_len;
1504         }
1505 
1506         if (!change) {
1507             if (scsi_disk_check_mode_select(s, page, p, page_len) < 0) {
1508                 goto invalid_param;
1509             }
1510         } else {
1511             scsi_disk_apply_mode_select(s, page, p);
1512         }
1513 
1514         p += page_len;
1515         len -= page_len;
1516     }
1517     return 0;
1518 
1519 invalid_param:
1520     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM));
1521     return -1;
1522 
1523 invalid_param_len:
1524     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM_LEN));
1525     return -1;
1526 }
1527 
1528 static void scsi_disk_emulate_mode_select(SCSIDiskReq *r, uint8_t *inbuf)
1529 {
1530     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1531     uint8_t *p = inbuf;
1532     int cmd = r->req.cmd.buf[0];
1533     int len = r->req.cmd.xfer;
1534     int hdr_len = (cmd == MODE_SELECT ? 4 : 8);
1535     int bd_len;
1536     int pass;
1537 
1538     /* We only support PF=1, SP=0.  */
1539     if ((r->req.cmd.buf[1] & 0x11) != 0x10) {
1540         goto invalid_field;
1541     }
1542 
1543     if (len < hdr_len) {
1544         goto invalid_param_len;
1545     }
1546 
1547     bd_len = (cmd == MODE_SELECT ? p[3] : lduw_be_p(&p[6]));
1548     len -= hdr_len;
1549     p += hdr_len;
1550     if (len < bd_len) {
1551         goto invalid_param_len;
1552     }
1553     if (bd_len != 0 && bd_len != 8) {
1554         goto invalid_param;
1555     }
1556 
1557     len -= bd_len;
1558     p += bd_len;
1559 
1560     /* Ensure no change is made if there is an error!  */
1561     for (pass = 0; pass < 2; pass++) {
1562         if (mode_select_pages(r, p, len, pass == 1) < 0) {
1563             assert(pass == 0);
1564             return;
1565         }
1566     }
1567     if (!blk_enable_write_cache(s->qdev.conf.blk)) {
1568         /* The request is used as the AIO opaque value, so add a ref.  */
1569         scsi_req_ref(&r->req);
1570         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct, 0,
1571                          BLOCK_ACCT_FLUSH);
1572         r->req.aiocb = blk_aio_flush(s->qdev.conf.blk, scsi_aio_complete, r);
1573         return;
1574     }
1575 
1576     scsi_req_complete(&r->req, GOOD);
1577     return;
1578 
1579 invalid_param:
1580     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM));
1581     return;
1582 
1583 invalid_param_len:
1584     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM_LEN));
1585     return;
1586 
1587 invalid_field:
1588     scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1589 }
1590 
1591 /* sector_num and nb_sectors expected to be in qdev blocksize */
1592 static inline bool check_lba_range(SCSIDiskState *s,
1593                                    uint64_t sector_num, uint32_t nb_sectors)
1594 {
1595     /*
1596      * The first line tests that no overflow happens when computing the last
1597      * sector.  The second line tests that the last accessed sector is in
1598      * range.
1599      *
1600      * Careful, the computations should not underflow for nb_sectors == 0,
1601      * and a 0-block read to the first LBA beyond the end of device is
1602      * valid.
1603      */
1604     return (sector_num <= sector_num + nb_sectors &&
1605             sector_num + nb_sectors <= s->qdev.max_lba + 1);
1606 }
1607 
1608 typedef struct UnmapCBData {
1609     SCSIDiskReq *r;
1610     uint8_t *inbuf;
1611     int count;
1612 } UnmapCBData;
1613 
1614 static void scsi_unmap_complete(void *opaque, int ret);
1615 
1616 static void scsi_unmap_complete_noio(UnmapCBData *data, int ret)
1617 {
1618     SCSIDiskReq *r = data->r;
1619     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1620 
1621     assert(r->req.aiocb == NULL);
1622 
1623     if (data->count > 0) {
1624         uint64_t sector_num = ldq_be_p(&data->inbuf[0]);
1625         uint32_t nb_sectors = ldl_be_p(&data->inbuf[8]) & 0xffffffffULL;
1626         r->sector = sector_num * (s->qdev.blocksize / BDRV_SECTOR_SIZE);
1627         r->sector_count = nb_sectors * (s->qdev.blocksize / BDRV_SECTOR_SIZE);
1628 
1629         if (!check_lba_range(s, sector_num, nb_sectors)) {
1630             block_acct_invalid(blk_get_stats(s->qdev.conf.blk),
1631                                BLOCK_ACCT_UNMAP);
1632             scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
1633             goto done;
1634         }
1635 
1636         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
1637                          r->sector_count * BDRV_SECTOR_SIZE,
1638                          BLOCK_ACCT_UNMAP);
1639 
1640         r->req.aiocb = blk_aio_pdiscard(s->qdev.conf.blk,
1641                                         r->sector * BDRV_SECTOR_SIZE,
1642                                         r->sector_count * BDRV_SECTOR_SIZE,
1643                                         scsi_unmap_complete, data);
1644         data->count--;
1645         data->inbuf += 16;
1646         return;
1647     }
1648 
1649     scsi_req_complete(&r->req, GOOD);
1650 
1651 done:
1652     scsi_req_unref(&r->req);
1653     g_free(data);
1654 }
1655 
1656 static void scsi_unmap_complete(void *opaque, int ret)
1657 {
1658     UnmapCBData *data = opaque;
1659     SCSIDiskReq *r = data->r;
1660     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1661 
1662     assert(r->req.aiocb != NULL);
1663     r->req.aiocb = NULL;
1664 
1665     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
1666     if (scsi_disk_req_check_error(r, ret, true)) {
1667         scsi_req_unref(&r->req);
1668         g_free(data);
1669     } else {
1670         block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
1671         scsi_unmap_complete_noio(data, ret);
1672     }
1673     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
1674 }
1675 
1676 static void scsi_disk_emulate_unmap(SCSIDiskReq *r, uint8_t *inbuf)
1677 {
1678     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1679     uint8_t *p = inbuf;
1680     int len = r->req.cmd.xfer;
1681     UnmapCBData *data;
1682 
1683     /* Reject ANCHOR=1.  */
1684     if (r->req.cmd.buf[1] & 0x1) {
1685         goto invalid_field;
1686     }
1687 
1688     if (len < 8) {
1689         goto invalid_param_len;
1690     }
1691     if (len < lduw_be_p(&p[0]) + 2) {
1692         goto invalid_param_len;
1693     }
1694     if (len < lduw_be_p(&p[2]) + 8) {
1695         goto invalid_param_len;
1696     }
1697     if (lduw_be_p(&p[2]) & 15) {
1698         goto invalid_param_len;
1699     }
1700 
1701     if (!blk_is_writable(s->qdev.conf.blk)) {
1702         block_acct_invalid(blk_get_stats(s->qdev.conf.blk), BLOCK_ACCT_UNMAP);
1703         scsi_check_condition(r, SENSE_CODE(WRITE_PROTECTED));
1704         return;
1705     }
1706 
1707     data = g_new0(UnmapCBData, 1);
1708     data->r = r;
1709     data->inbuf = &p[8];
1710     data->count = lduw_be_p(&p[2]) >> 4;
1711 
1712     /* The matching unref is in scsi_unmap_complete, before data is freed.  */
1713     scsi_req_ref(&r->req);
1714     scsi_unmap_complete_noio(data, 0);
1715     return;
1716 
1717 invalid_param_len:
1718     block_acct_invalid(blk_get_stats(s->qdev.conf.blk), BLOCK_ACCT_UNMAP);
1719     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM_LEN));
1720     return;
1721 
1722 invalid_field:
1723     block_acct_invalid(blk_get_stats(s->qdev.conf.blk), BLOCK_ACCT_UNMAP);
1724     scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1725 }
1726 
1727 typedef struct WriteSameCBData {
1728     SCSIDiskReq *r;
1729     int64_t sector;
1730     int nb_sectors;
1731     QEMUIOVector qiov;
1732     struct iovec iov;
1733 } WriteSameCBData;
1734 
1735 static void scsi_write_same_complete(void *opaque, int ret)
1736 {
1737     WriteSameCBData *data = opaque;
1738     SCSIDiskReq *r = data->r;
1739     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1740 
1741     assert(r->req.aiocb != NULL);
1742     r->req.aiocb = NULL;
1743     aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
1744     if (scsi_disk_req_check_error(r, ret, true)) {
1745         goto done;
1746     }
1747 
1748     block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
1749 
1750     data->nb_sectors -= data->iov.iov_len / BDRV_SECTOR_SIZE;
1751     data->sector += data->iov.iov_len / BDRV_SECTOR_SIZE;
1752     data->iov.iov_len = MIN(data->nb_sectors * BDRV_SECTOR_SIZE,
1753                             data->iov.iov_len);
1754     if (data->iov.iov_len) {
1755         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
1756                          data->iov.iov_len, BLOCK_ACCT_WRITE);
1757         /* Reinitialize qiov, to handle unaligned WRITE SAME request
1758          * where final qiov may need smaller size */
1759         qemu_iovec_init_external(&data->qiov, &data->iov, 1);
1760         r->req.aiocb = blk_aio_pwritev(s->qdev.conf.blk,
1761                                        data->sector << BDRV_SECTOR_BITS,
1762                                        &data->qiov, 0,
1763                                        scsi_write_same_complete, data);
1764         aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
1765         return;
1766     }
1767 
1768     scsi_req_complete(&r->req, GOOD);
1769 
1770 done:
1771     scsi_req_unref(&r->req);
1772     qemu_vfree(data->iov.iov_base);
1773     g_free(data);
1774     aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
1775 }
1776 
1777 static void scsi_disk_emulate_write_same(SCSIDiskReq *r, uint8_t *inbuf)
1778 {
1779     SCSIRequest *req = &r->req;
1780     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1781     uint32_t nb_sectors = scsi_data_cdb_xfer(r->req.cmd.buf);
1782     WriteSameCBData *data;
1783     uint8_t *buf;
1784     int i;
1785 
1786     /* Fail if PBDATA=1 or LBDATA=1 or ANCHOR=1.  */
1787     if (nb_sectors == 0 || (req->cmd.buf[1] & 0x16)) {
1788         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1789         return;
1790     }
1791 
1792     if (!blk_is_writable(s->qdev.conf.blk)) {
1793         scsi_check_condition(r, SENSE_CODE(WRITE_PROTECTED));
1794         return;
1795     }
1796     if (!check_lba_range(s, r->req.cmd.lba, nb_sectors)) {
1797         scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
1798         return;
1799     }
1800 
1801     if ((req->cmd.buf[1] & 0x1) || buffer_is_zero(inbuf, s->qdev.blocksize)) {
1802         int flags = (req->cmd.buf[1] & 0x8) ? BDRV_REQ_MAY_UNMAP : 0;
1803 
1804         /* The request is used as the AIO opaque value, so add a ref.  */
1805         scsi_req_ref(&r->req);
1806         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
1807                          nb_sectors * s->qdev.blocksize,
1808                         BLOCK_ACCT_WRITE);
1809         r->req.aiocb = blk_aio_pwrite_zeroes(s->qdev.conf.blk,
1810                                 r->req.cmd.lba * s->qdev.blocksize,
1811                                 nb_sectors * s->qdev.blocksize,
1812                                 flags, scsi_aio_complete, r);
1813         return;
1814     }
1815 
1816     data = g_new0(WriteSameCBData, 1);
1817     data->r = r;
1818     data->sector = r->req.cmd.lba * (s->qdev.blocksize / BDRV_SECTOR_SIZE);
1819     data->nb_sectors = nb_sectors * (s->qdev.blocksize / BDRV_SECTOR_SIZE);
1820     data->iov.iov_len = MIN(data->nb_sectors * BDRV_SECTOR_SIZE,
1821                             SCSI_WRITE_SAME_MAX);
1822     data->iov.iov_base = buf = blk_blockalign(s->qdev.conf.blk,
1823                                               data->iov.iov_len);
1824     qemu_iovec_init_external(&data->qiov, &data->iov, 1);
1825 
1826     for (i = 0; i < data->iov.iov_len; i += s->qdev.blocksize) {
1827         memcpy(&buf[i], inbuf, s->qdev.blocksize);
1828     }
1829 
1830     scsi_req_ref(&r->req);
1831     block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
1832                      data->iov.iov_len, BLOCK_ACCT_WRITE);
1833     r->req.aiocb = blk_aio_pwritev(s->qdev.conf.blk,
1834                                    data->sector << BDRV_SECTOR_BITS,
1835                                    &data->qiov, 0,
1836                                    scsi_write_same_complete, data);
1837 }
1838 
1839 static void scsi_disk_emulate_write_data(SCSIRequest *req)
1840 {
1841     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
1842 
1843     if (r->iov.iov_len) {
1844         int buflen = r->iov.iov_len;
1845         trace_scsi_disk_emulate_write_data(buflen);
1846         r->iov.iov_len = 0;
1847         scsi_req_data(&r->req, buflen);
1848         return;
1849     }
1850 
1851     switch (req->cmd.buf[0]) {
1852     case MODE_SELECT:
1853     case MODE_SELECT_10:
1854         /* This also clears the sense buffer for REQUEST SENSE.  */
1855         scsi_disk_emulate_mode_select(r, r->iov.iov_base);
1856         break;
1857 
1858     case UNMAP:
1859         scsi_disk_emulate_unmap(r, r->iov.iov_base);
1860         break;
1861 
1862     case VERIFY_10:
1863     case VERIFY_12:
1864     case VERIFY_16:
1865         if (r->req.status == -1) {
1866             scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1867         }
1868         break;
1869 
1870     case WRITE_SAME_10:
1871     case WRITE_SAME_16:
1872         scsi_disk_emulate_write_same(r, r->iov.iov_base);
1873         break;
1874 
1875     default:
1876         abort();
1877     }
1878 }
1879 
1880 static int32_t scsi_disk_emulate_command(SCSIRequest *req, uint8_t *buf)
1881 {
1882     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
1883     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1884     uint64_t nb_sectors;
1885     uint8_t *outbuf;
1886     int buflen;
1887 
1888     switch (req->cmd.buf[0]) {
1889     case INQUIRY:
1890     case MODE_SENSE:
1891     case MODE_SENSE_10:
1892     case RESERVE:
1893     case RESERVE_10:
1894     case RELEASE:
1895     case RELEASE_10:
1896     case START_STOP:
1897     case ALLOW_MEDIUM_REMOVAL:
1898     case GET_CONFIGURATION:
1899     case GET_EVENT_STATUS_NOTIFICATION:
1900     case MECHANISM_STATUS:
1901     case REQUEST_SENSE:
1902         break;
1903 
1904     default:
1905         if (!blk_is_available(s->qdev.conf.blk)) {
1906             scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
1907             return 0;
1908         }
1909         break;
1910     }
1911 
1912     /*
1913      * FIXME: we shouldn't return anything bigger than 4k, but the code
1914      * requires the buffer to be as big as req->cmd.xfer in several
1915      * places.  So, do not allow CDBs with a very large ALLOCATION
1916      * LENGTH.  The real fix would be to modify scsi_read_data and
1917      * dma_buf_read, so that they return data beyond the buflen
1918      * as all zeros.
1919      */
1920     if (req->cmd.xfer > 65536) {
1921         goto illegal_request;
1922     }
1923     r->buflen = MAX(4096, req->cmd.xfer);
1924 
1925     if (!r->iov.iov_base) {
1926         r->iov.iov_base = blk_blockalign(s->qdev.conf.blk, r->buflen);
1927     }
1928 
1929     outbuf = r->iov.iov_base;
1930     memset(outbuf, 0, r->buflen);
1931     switch (req->cmd.buf[0]) {
1932     case TEST_UNIT_READY:
1933         assert(blk_is_available(s->qdev.conf.blk));
1934         break;
1935     case INQUIRY:
1936         buflen = scsi_disk_emulate_inquiry(req, outbuf);
1937         if (buflen < 0) {
1938             goto illegal_request;
1939         }
1940         break;
1941     case MODE_SENSE:
1942     case MODE_SENSE_10:
1943         buflen = scsi_disk_emulate_mode_sense(r, outbuf);
1944         if (buflen < 0) {
1945             goto illegal_request;
1946         }
1947         break;
1948     case READ_TOC:
1949         buflen = scsi_disk_emulate_read_toc(req, outbuf);
1950         if (buflen < 0) {
1951             goto illegal_request;
1952         }
1953         break;
1954     case RESERVE:
1955         if (req->cmd.buf[1] & 1) {
1956             goto illegal_request;
1957         }
1958         break;
1959     case RESERVE_10:
1960         if (req->cmd.buf[1] & 3) {
1961             goto illegal_request;
1962         }
1963         break;
1964     case RELEASE:
1965         if (req->cmd.buf[1] & 1) {
1966             goto illegal_request;
1967         }
1968         break;
1969     case RELEASE_10:
1970         if (req->cmd.buf[1] & 3) {
1971             goto illegal_request;
1972         }
1973         break;
1974     case START_STOP:
1975         if (scsi_disk_emulate_start_stop(r) < 0) {
1976             return 0;
1977         }
1978         break;
1979     case ALLOW_MEDIUM_REMOVAL:
1980         s->tray_locked = req->cmd.buf[4] & 1;
1981         blk_lock_medium(s->qdev.conf.blk, req->cmd.buf[4] & 1);
1982         break;
1983     case READ_CAPACITY_10:
1984         /* The normal LEN field for this command is zero.  */
1985         memset(outbuf, 0, 8);
1986         blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
1987         if (!nb_sectors) {
1988             scsi_check_condition(r, SENSE_CODE(LUN_NOT_READY));
1989             return 0;
1990         }
1991         if ((req->cmd.buf[8] & 1) == 0 && req->cmd.lba) {
1992             goto illegal_request;
1993         }
1994         nb_sectors /= s->qdev.blocksize / BDRV_SECTOR_SIZE;
1995         /* Returned value is the address of the last sector.  */
1996         nb_sectors--;
1997         /* Remember the new size for read/write sanity checking. */
1998         s->qdev.max_lba = nb_sectors;
1999         /* Clip to 2TB, instead of returning capacity modulo 2TB. */
2000         if (nb_sectors > UINT32_MAX) {
2001             nb_sectors = UINT32_MAX;
2002         }
2003         outbuf[0] = (nb_sectors >> 24) & 0xff;
2004         outbuf[1] = (nb_sectors >> 16) & 0xff;
2005         outbuf[2] = (nb_sectors >> 8) & 0xff;
2006         outbuf[3] = nb_sectors & 0xff;
2007         outbuf[4] = 0;
2008         outbuf[5] = 0;
2009         outbuf[6] = s->qdev.blocksize >> 8;
2010         outbuf[7] = 0;
2011         break;
2012     case REQUEST_SENSE:
2013         /* Just return "NO SENSE".  */
2014         buflen = scsi_convert_sense(NULL, 0, outbuf, r->buflen,
2015                                     (req->cmd.buf[1] & 1) == 0);
2016         if (buflen < 0) {
2017             goto illegal_request;
2018         }
2019         break;
2020     case MECHANISM_STATUS:
2021         buflen = scsi_emulate_mechanism_status(s, outbuf);
2022         if (buflen < 0) {
2023             goto illegal_request;
2024         }
2025         break;
2026     case GET_CONFIGURATION:
2027         buflen = scsi_get_configuration(s, outbuf);
2028         if (buflen < 0) {
2029             goto illegal_request;
2030         }
2031         break;
2032     case GET_EVENT_STATUS_NOTIFICATION:
2033         buflen = scsi_get_event_status_notification(s, r, outbuf);
2034         if (buflen < 0) {
2035             goto illegal_request;
2036         }
2037         break;
2038     case READ_DISC_INFORMATION:
2039         buflen = scsi_read_disc_information(s, r, outbuf);
2040         if (buflen < 0) {
2041             goto illegal_request;
2042         }
2043         break;
2044     case READ_DVD_STRUCTURE:
2045         buflen = scsi_read_dvd_structure(s, r, outbuf);
2046         if (buflen < 0) {
2047             goto illegal_request;
2048         }
2049         break;
2050     case SERVICE_ACTION_IN_16:
2051         /* Service Action In subcommands. */
2052         if ((req->cmd.buf[1] & 31) == SAI_READ_CAPACITY_16) {
2053             trace_scsi_disk_emulate_command_SAI_16();
2054             memset(outbuf, 0, req->cmd.xfer);
2055             blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
2056             if (!nb_sectors) {
2057                 scsi_check_condition(r, SENSE_CODE(LUN_NOT_READY));
2058                 return 0;
2059             }
2060             if ((req->cmd.buf[14] & 1) == 0 && req->cmd.lba) {
2061                 goto illegal_request;
2062             }
2063             nb_sectors /= s->qdev.blocksize / BDRV_SECTOR_SIZE;
2064             /* Returned value is the address of the last sector.  */
2065             nb_sectors--;
2066             /* Remember the new size for read/write sanity checking. */
2067             s->qdev.max_lba = nb_sectors;
2068             outbuf[0] = (nb_sectors >> 56) & 0xff;
2069             outbuf[1] = (nb_sectors >> 48) & 0xff;
2070             outbuf[2] = (nb_sectors >> 40) & 0xff;
2071             outbuf[3] = (nb_sectors >> 32) & 0xff;
2072             outbuf[4] = (nb_sectors >> 24) & 0xff;
2073             outbuf[5] = (nb_sectors >> 16) & 0xff;
2074             outbuf[6] = (nb_sectors >> 8) & 0xff;
2075             outbuf[7] = nb_sectors & 0xff;
2076             outbuf[8] = 0;
2077             outbuf[9] = 0;
2078             outbuf[10] = s->qdev.blocksize >> 8;
2079             outbuf[11] = 0;
2080             outbuf[12] = 0;
2081             outbuf[13] = get_physical_block_exp(&s->qdev.conf);
2082 
2083             /* set TPE bit if the format supports discard */
2084             if (s->qdev.conf.discard_granularity) {
2085                 outbuf[14] = 0x80;
2086             }
2087 
2088             /* Protection, exponent and lowest lba field left blank. */
2089             break;
2090         }
2091         trace_scsi_disk_emulate_command_SAI_unsupported();
2092         goto illegal_request;
2093     case SYNCHRONIZE_CACHE:
2094         /* The request is used as the AIO opaque value, so add a ref.  */
2095         scsi_req_ref(&r->req);
2096         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct, 0,
2097                          BLOCK_ACCT_FLUSH);
2098         r->req.aiocb = blk_aio_flush(s->qdev.conf.blk, scsi_aio_complete, r);
2099         return 0;
2100     case SEEK_10:
2101         trace_scsi_disk_emulate_command_SEEK_10(r->req.cmd.lba);
2102         if (r->req.cmd.lba > s->qdev.max_lba) {
2103             goto illegal_lba;
2104         }
2105         break;
2106     case MODE_SELECT:
2107         trace_scsi_disk_emulate_command_MODE_SELECT(r->req.cmd.xfer);
2108         break;
2109     case MODE_SELECT_10:
2110         trace_scsi_disk_emulate_command_MODE_SELECT_10(r->req.cmd.xfer);
2111         break;
2112     case UNMAP:
2113         trace_scsi_disk_emulate_command_UNMAP(r->req.cmd.xfer);
2114         break;
2115     case VERIFY_10:
2116     case VERIFY_12:
2117     case VERIFY_16:
2118         trace_scsi_disk_emulate_command_VERIFY((req->cmd.buf[1] >> 1) & 3);
2119         if (req->cmd.buf[1] & 6) {
2120             goto illegal_request;
2121         }
2122         break;
2123     case WRITE_SAME_10:
2124     case WRITE_SAME_16:
2125         trace_scsi_disk_emulate_command_WRITE_SAME(
2126                 req->cmd.buf[0] == WRITE_SAME_10 ? 10 : 16, r->req.cmd.xfer);
2127         break;
2128     default:
2129         trace_scsi_disk_emulate_command_UNKNOWN(buf[0],
2130                                                 scsi_command_name(buf[0]));
2131         scsi_check_condition(r, SENSE_CODE(INVALID_OPCODE));
2132         return 0;
2133     }
2134     assert(!r->req.aiocb);
2135     r->iov.iov_len = MIN(r->buflen, req->cmd.xfer);
2136     if (r->iov.iov_len == 0) {
2137         scsi_req_complete(&r->req, GOOD);
2138     }
2139     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
2140         assert(r->iov.iov_len == req->cmd.xfer);
2141         return -r->iov.iov_len;
2142     } else {
2143         return r->iov.iov_len;
2144     }
2145 
2146 illegal_request:
2147     if (r->req.status == -1) {
2148         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
2149     }
2150     return 0;
2151 
2152 illegal_lba:
2153     scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
2154     return 0;
2155 }
2156 
2157 /* Execute a scsi command.  Returns the length of the data expected by the
2158    command.  This will be Positive for data transfers from the device
2159    (eg. disk reads), negative for transfers to the device (eg. disk writes),
2160    and zero if the command does not transfer any data.  */
2161 
2162 static int32_t scsi_disk_dma_command(SCSIRequest *req, uint8_t *buf)
2163 {
2164     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
2165     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
2166     SCSIDiskClass *sdc = (SCSIDiskClass *) object_get_class(OBJECT(s));
2167     uint32_t len;
2168     uint8_t command;
2169 
2170     command = buf[0];
2171 
2172     if (!blk_is_available(s->qdev.conf.blk)) {
2173         scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
2174         return 0;
2175     }
2176 
2177     len = scsi_data_cdb_xfer(r->req.cmd.buf);
2178     switch (command) {
2179     case READ_6:
2180     case READ_10:
2181     case READ_12:
2182     case READ_16:
2183         trace_scsi_disk_dma_command_READ(r->req.cmd.lba, len);
2184         /* Protection information is not supported.  For SCSI versions 2 and
2185          * older (as determined by snooping the guest's INQUIRY commands),
2186          * there is no RD/WR/VRPROTECT, so skip this check in these versions.
2187          */
2188         if (s->qdev.scsi_version > 2 && (r->req.cmd.buf[1] & 0xe0)) {
2189             goto illegal_request;
2190         }
2191         if (!check_lba_range(s, r->req.cmd.lba, len)) {
2192             goto illegal_lba;
2193         }
2194         r->sector = r->req.cmd.lba * (s->qdev.blocksize / BDRV_SECTOR_SIZE);
2195         r->sector_count = len * (s->qdev.blocksize / BDRV_SECTOR_SIZE);
2196         break;
2197     case WRITE_6:
2198     case WRITE_10:
2199     case WRITE_12:
2200     case WRITE_16:
2201     case WRITE_VERIFY_10:
2202     case WRITE_VERIFY_12:
2203     case WRITE_VERIFY_16:
2204         if (!blk_is_writable(s->qdev.conf.blk)) {
2205             scsi_check_condition(r, SENSE_CODE(WRITE_PROTECTED));
2206             return 0;
2207         }
2208         trace_scsi_disk_dma_command_WRITE(
2209                 (command & 0xe) == 0xe ? "And Verify " : "",
2210                 r->req.cmd.lba, len);
2211         /* fall through */
2212     case VERIFY_10:
2213     case VERIFY_12:
2214     case VERIFY_16:
2215         /* We get here only for BYTCHK == 0x01 and only for scsi-block.
2216          * As far as DMA is concerned, we can treat it the same as a write;
2217          * scsi_block_do_sgio will send VERIFY commands.
2218          */
2219         if (s->qdev.scsi_version > 2 && (r->req.cmd.buf[1] & 0xe0)) {
2220             goto illegal_request;
2221         }
2222         if (!check_lba_range(s, r->req.cmd.lba, len)) {
2223             goto illegal_lba;
2224         }
2225         r->sector = r->req.cmd.lba * (s->qdev.blocksize / BDRV_SECTOR_SIZE);
2226         r->sector_count = len * (s->qdev.blocksize / BDRV_SECTOR_SIZE);
2227         break;
2228     default:
2229         abort();
2230     illegal_request:
2231         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
2232         return 0;
2233     illegal_lba:
2234         scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
2235         return 0;
2236     }
2237     r->need_fua_emulation = sdc->need_fua_emulation(&r->req.cmd);
2238     if (r->sector_count == 0) {
2239         scsi_req_complete(&r->req, GOOD);
2240     }
2241     assert(r->iov.iov_len == 0);
2242     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
2243         return -r->sector_count * BDRV_SECTOR_SIZE;
2244     } else {
2245         return r->sector_count * BDRV_SECTOR_SIZE;
2246     }
2247 }
2248 
2249 static void scsi_disk_reset(DeviceState *dev)
2250 {
2251     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev.qdev, dev);
2252     uint64_t nb_sectors;
2253 
2254     scsi_device_purge_requests(&s->qdev, SENSE_CODE(RESET));
2255 
2256     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
2257     nb_sectors /= s->qdev.blocksize / BDRV_SECTOR_SIZE;
2258     if (nb_sectors) {
2259         nb_sectors--;
2260     }
2261     s->qdev.max_lba = nb_sectors;
2262     /* reset tray statuses */
2263     s->tray_locked = 0;
2264     s->tray_open = 0;
2265 
2266     s->qdev.scsi_version = s->qdev.default_scsi_version;
2267 }
2268 
2269 static void scsi_disk_resize_cb(void *opaque)
2270 {
2271     SCSIDiskState *s = opaque;
2272 
2273     /* SPC lists this sense code as available only for
2274      * direct-access devices.
2275      */
2276     if (s->qdev.type == TYPE_DISK) {
2277         scsi_device_report_change(&s->qdev, SENSE_CODE(CAPACITY_CHANGED));
2278     }
2279 }
2280 
2281 static void scsi_cd_change_media_cb(void *opaque, bool load, Error **errp)
2282 {
2283     SCSIDiskState *s = opaque;
2284 
2285     /*
2286      * When a CD gets changed, we have to report an ejected state and
2287      * then a loaded state to guests so that they detect tray
2288      * open/close and media change events.  Guests that do not use
2289      * GET_EVENT_STATUS_NOTIFICATION to detect such tray open/close
2290      * states rely on this behavior.
2291      *
2292      * media_changed governs the state machine used for unit attention
2293      * report.  media_event is used by GET EVENT STATUS NOTIFICATION.
2294      */
2295     s->media_changed = load;
2296     s->tray_open = !load;
2297     scsi_device_set_ua(&s->qdev, SENSE_CODE(UNIT_ATTENTION_NO_MEDIUM));
2298     s->media_event = true;
2299     s->eject_request = false;
2300 }
2301 
2302 static void scsi_cd_eject_request_cb(void *opaque, bool force)
2303 {
2304     SCSIDiskState *s = opaque;
2305 
2306     s->eject_request = true;
2307     if (force) {
2308         s->tray_locked = false;
2309     }
2310 }
2311 
2312 static bool scsi_cd_is_tray_open(void *opaque)
2313 {
2314     return ((SCSIDiskState *)opaque)->tray_open;
2315 }
2316 
2317 static bool scsi_cd_is_medium_locked(void *opaque)
2318 {
2319     return ((SCSIDiskState *)opaque)->tray_locked;
2320 }
2321 
2322 static const BlockDevOps scsi_disk_removable_block_ops = {
2323     .change_media_cb = scsi_cd_change_media_cb,
2324     .eject_request_cb = scsi_cd_eject_request_cb,
2325     .is_tray_open = scsi_cd_is_tray_open,
2326     .is_medium_locked = scsi_cd_is_medium_locked,
2327 
2328     .resize_cb = scsi_disk_resize_cb,
2329 };
2330 
2331 static const BlockDevOps scsi_disk_block_ops = {
2332     .resize_cb = scsi_disk_resize_cb,
2333 };
2334 
2335 static void scsi_disk_unit_attention_reported(SCSIDevice *dev)
2336 {
2337     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2338     if (s->media_changed) {
2339         s->media_changed = false;
2340         scsi_device_set_ua(&s->qdev, SENSE_CODE(MEDIUM_CHANGED));
2341     }
2342 }
2343 
2344 static void scsi_realize(SCSIDevice *dev, Error **errp)
2345 {
2346     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2347     bool read_only;
2348 
2349     if (!s->qdev.conf.blk) {
2350         error_setg(errp, "drive property not set");
2351         return;
2352     }
2353 
2354     if (!(s->features & (1 << SCSI_DISK_F_REMOVABLE)) &&
2355         !blk_is_inserted(s->qdev.conf.blk)) {
2356         error_setg(errp, "Device needs media, but drive is empty");
2357         return;
2358     }
2359 
2360     if (!blkconf_blocksizes(&s->qdev.conf, errp)) {
2361         return;
2362     }
2363 
2364     if (blk_get_aio_context(s->qdev.conf.blk) != qemu_get_aio_context() &&
2365         !s->qdev.hba_supports_iothread)
2366     {
2367         error_setg(errp, "HBA does not support iothreads");
2368         return;
2369     }
2370 
2371     if (dev->type == TYPE_DISK) {
2372         if (!blkconf_geometry(&dev->conf, NULL, 65535, 255, 255, errp)) {
2373             return;
2374         }
2375     }
2376 
2377     read_only = !blk_supports_write_perm(s->qdev.conf.blk);
2378     if (dev->type == TYPE_ROM) {
2379         read_only = true;
2380     }
2381 
2382     if (!blkconf_apply_backend_options(&dev->conf, read_only,
2383                                        dev->type == TYPE_DISK, errp)) {
2384         return;
2385     }
2386 
2387     if (s->qdev.conf.discard_granularity == -1) {
2388         s->qdev.conf.discard_granularity =
2389             MAX(s->qdev.conf.logical_block_size, DEFAULT_DISCARD_GRANULARITY);
2390     }
2391 
2392     if (!s->version) {
2393         s->version = g_strdup(qemu_hw_version());
2394     }
2395     if (!s->vendor) {
2396         s->vendor = g_strdup("QEMU");
2397     }
2398     if (!s->device_id) {
2399         if (s->serial) {
2400             s->device_id = g_strdup_printf("%.20s", s->serial);
2401         } else {
2402             const char *str = blk_name(s->qdev.conf.blk);
2403             if (str && *str) {
2404                 s->device_id = g_strdup(str);
2405             }
2406         }
2407     }
2408 
2409     if (blk_is_sg(s->qdev.conf.blk)) {
2410         error_setg(errp, "unwanted /dev/sg*");
2411         return;
2412     }
2413 
2414     if ((s->features & (1 << SCSI_DISK_F_REMOVABLE)) &&
2415             !(s->features & (1 << SCSI_DISK_F_NO_REMOVABLE_DEVOPS))) {
2416         blk_set_dev_ops(s->qdev.conf.blk, &scsi_disk_removable_block_ops, s);
2417     } else {
2418         blk_set_dev_ops(s->qdev.conf.blk, &scsi_disk_block_ops, s);
2419     }
2420     blk_set_guest_block_size(s->qdev.conf.blk, s->qdev.blocksize);
2421 
2422     blk_iostatus_enable(s->qdev.conf.blk);
2423 
2424     add_boot_device_lchs(&dev->qdev, NULL,
2425                          dev->conf.lcyls,
2426                          dev->conf.lheads,
2427                          dev->conf.lsecs);
2428 }
2429 
2430 static void scsi_unrealize(SCSIDevice *dev)
2431 {
2432     del_boot_device_lchs(&dev->qdev, NULL);
2433 }
2434 
2435 static void scsi_hd_realize(SCSIDevice *dev, Error **errp)
2436 {
2437     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2438     AioContext *ctx = NULL;
2439     /* can happen for devices without drive. The error message for missing
2440      * backend will be issued in scsi_realize
2441      */
2442     if (s->qdev.conf.blk) {
2443         ctx = blk_get_aio_context(s->qdev.conf.blk);
2444         aio_context_acquire(ctx);
2445         if (!blkconf_blocksizes(&s->qdev.conf, errp)) {
2446             goto out;
2447         }
2448     }
2449     s->qdev.blocksize = s->qdev.conf.logical_block_size;
2450     s->qdev.type = TYPE_DISK;
2451     if (!s->product) {
2452         s->product = g_strdup("QEMU HARDDISK");
2453     }
2454     scsi_realize(&s->qdev, errp);
2455 out:
2456     if (ctx) {
2457         aio_context_release(ctx);
2458     }
2459 }
2460 
2461 static void scsi_cd_realize(SCSIDevice *dev, Error **errp)
2462 {
2463     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2464     AioContext *ctx;
2465     int ret;
2466 
2467     if (!dev->conf.blk) {
2468         /* Anonymous BlockBackend for an empty drive. As we put it into
2469          * dev->conf, qdev takes care of detaching on unplug. */
2470         dev->conf.blk = blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL);
2471         ret = blk_attach_dev(dev->conf.blk, &dev->qdev);
2472         assert(ret == 0);
2473     }
2474 
2475     ctx = blk_get_aio_context(dev->conf.blk);
2476     aio_context_acquire(ctx);
2477     s->qdev.blocksize = 2048;
2478     s->qdev.type = TYPE_ROM;
2479     s->features |= 1 << SCSI_DISK_F_REMOVABLE;
2480     if (!s->product) {
2481         s->product = g_strdup("QEMU CD-ROM");
2482     }
2483     scsi_realize(&s->qdev, errp);
2484     aio_context_release(ctx);
2485 }
2486 
2487 
2488 static const SCSIReqOps scsi_disk_emulate_reqops = {
2489     .size         = sizeof(SCSIDiskReq),
2490     .free_req     = scsi_free_request,
2491     .send_command = scsi_disk_emulate_command,
2492     .read_data    = scsi_disk_emulate_read_data,
2493     .write_data   = scsi_disk_emulate_write_data,
2494     .get_buf      = scsi_get_buf,
2495 };
2496 
2497 static const SCSIReqOps scsi_disk_dma_reqops = {
2498     .size         = sizeof(SCSIDiskReq),
2499     .free_req     = scsi_free_request,
2500     .send_command = scsi_disk_dma_command,
2501     .read_data    = scsi_read_data,
2502     .write_data   = scsi_write_data,
2503     .get_buf      = scsi_get_buf,
2504     .load_request = scsi_disk_load_request,
2505     .save_request = scsi_disk_save_request,
2506 };
2507 
2508 static const SCSIReqOps *const scsi_disk_reqops_dispatch[256] = {
2509     [TEST_UNIT_READY]                 = &scsi_disk_emulate_reqops,
2510     [INQUIRY]                         = &scsi_disk_emulate_reqops,
2511     [MODE_SENSE]                      = &scsi_disk_emulate_reqops,
2512     [MODE_SENSE_10]                   = &scsi_disk_emulate_reqops,
2513     [START_STOP]                      = &scsi_disk_emulate_reqops,
2514     [ALLOW_MEDIUM_REMOVAL]            = &scsi_disk_emulate_reqops,
2515     [READ_CAPACITY_10]                = &scsi_disk_emulate_reqops,
2516     [READ_TOC]                        = &scsi_disk_emulate_reqops,
2517     [READ_DVD_STRUCTURE]              = &scsi_disk_emulate_reqops,
2518     [READ_DISC_INFORMATION]           = &scsi_disk_emulate_reqops,
2519     [GET_CONFIGURATION]               = &scsi_disk_emulate_reqops,
2520     [GET_EVENT_STATUS_NOTIFICATION]   = &scsi_disk_emulate_reqops,
2521     [MECHANISM_STATUS]                = &scsi_disk_emulate_reqops,
2522     [SERVICE_ACTION_IN_16]            = &scsi_disk_emulate_reqops,
2523     [REQUEST_SENSE]                   = &scsi_disk_emulate_reqops,
2524     [SYNCHRONIZE_CACHE]               = &scsi_disk_emulate_reqops,
2525     [SEEK_10]                         = &scsi_disk_emulate_reqops,
2526     [MODE_SELECT]                     = &scsi_disk_emulate_reqops,
2527     [MODE_SELECT_10]                  = &scsi_disk_emulate_reqops,
2528     [UNMAP]                           = &scsi_disk_emulate_reqops,
2529     [WRITE_SAME_10]                   = &scsi_disk_emulate_reqops,
2530     [WRITE_SAME_16]                   = &scsi_disk_emulate_reqops,
2531     [VERIFY_10]                       = &scsi_disk_emulate_reqops,
2532     [VERIFY_12]                       = &scsi_disk_emulate_reqops,
2533     [VERIFY_16]                       = &scsi_disk_emulate_reqops,
2534 
2535     [READ_6]                          = &scsi_disk_dma_reqops,
2536     [READ_10]                         = &scsi_disk_dma_reqops,
2537     [READ_12]                         = &scsi_disk_dma_reqops,
2538     [READ_16]                         = &scsi_disk_dma_reqops,
2539     [WRITE_6]                         = &scsi_disk_dma_reqops,
2540     [WRITE_10]                        = &scsi_disk_dma_reqops,
2541     [WRITE_12]                        = &scsi_disk_dma_reqops,
2542     [WRITE_16]                        = &scsi_disk_dma_reqops,
2543     [WRITE_VERIFY_10]                 = &scsi_disk_dma_reqops,
2544     [WRITE_VERIFY_12]                 = &scsi_disk_dma_reqops,
2545     [WRITE_VERIFY_16]                 = &scsi_disk_dma_reqops,
2546 };
2547 
2548 static void scsi_disk_new_request_dump(uint32_t lun, uint32_t tag, uint8_t *buf)
2549 {
2550     int i;
2551     int len = scsi_cdb_length(buf);
2552     char *line_buffer, *p;
2553 
2554     assert(len > 0 && len <= 16);
2555     line_buffer = g_malloc(len * 5 + 1);
2556 
2557     for (i = 0, p = line_buffer; i < len; i++) {
2558         p += sprintf(p, " 0x%02x", buf[i]);
2559     }
2560     trace_scsi_disk_new_request(lun, tag, line_buffer);
2561 
2562     g_free(line_buffer);
2563 }
2564 
2565 static SCSIRequest *scsi_new_request(SCSIDevice *d, uint32_t tag, uint32_t lun,
2566                                      uint8_t *buf, void *hba_private)
2567 {
2568     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, d);
2569     SCSIRequest *req;
2570     const SCSIReqOps *ops;
2571     uint8_t command;
2572 
2573     command = buf[0];
2574     ops = scsi_disk_reqops_dispatch[command];
2575     if (!ops) {
2576         ops = &scsi_disk_emulate_reqops;
2577     }
2578     req = scsi_req_alloc(ops, &s->qdev, tag, lun, hba_private);
2579 
2580     if (trace_event_get_state_backends(TRACE_SCSI_DISK_NEW_REQUEST)) {
2581         scsi_disk_new_request_dump(lun, tag, buf);
2582     }
2583 
2584     return req;
2585 }
2586 
2587 #ifdef __linux__
2588 static int get_device_type(SCSIDiskState *s)
2589 {
2590     uint8_t cmd[16];
2591     uint8_t buf[36];
2592     int ret;
2593 
2594     memset(cmd, 0, sizeof(cmd));
2595     memset(buf, 0, sizeof(buf));
2596     cmd[0] = INQUIRY;
2597     cmd[4] = sizeof(buf);
2598 
2599     ret = scsi_SG_IO_FROM_DEV(s->qdev.conf.blk, cmd, sizeof(cmd),
2600                               buf, sizeof(buf), s->qdev.io_timeout);
2601     if (ret < 0) {
2602         return -1;
2603     }
2604     s->qdev.type = buf[0];
2605     if (buf[1] & 0x80) {
2606         s->features |= 1 << SCSI_DISK_F_REMOVABLE;
2607     }
2608     return 0;
2609 }
2610 
2611 static void scsi_block_realize(SCSIDevice *dev, Error **errp)
2612 {
2613     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2614     AioContext *ctx;
2615     int sg_version;
2616     int rc;
2617 
2618     if (!s->qdev.conf.blk) {
2619         error_setg(errp, "drive property not set");
2620         return;
2621     }
2622 
2623     if (s->rotation_rate) {
2624         error_report_once("rotation_rate is specified for scsi-block but is "
2625                           "not implemented. This option is deprecated and will "
2626                           "be removed in a future version");
2627     }
2628 
2629     ctx = blk_get_aio_context(s->qdev.conf.blk);
2630     aio_context_acquire(ctx);
2631 
2632     /* check we are using a driver managing SG_IO (version 3 and after) */
2633     rc = blk_ioctl(s->qdev.conf.blk, SG_GET_VERSION_NUM, &sg_version);
2634     if (rc < 0) {
2635         error_setg_errno(errp, -rc, "cannot get SG_IO version number");
2636         if (rc != -EPERM) {
2637             error_append_hint(errp, "Is this a SCSI device?\n");
2638         }
2639         goto out;
2640     }
2641     if (sg_version < 30000) {
2642         error_setg(errp, "scsi generic interface too old");
2643         goto out;
2644     }
2645 
2646     /* get device type from INQUIRY data */
2647     rc = get_device_type(s);
2648     if (rc < 0) {
2649         error_setg(errp, "INQUIRY failed");
2650         goto out;
2651     }
2652 
2653     /* Make a guess for the block size, we'll fix it when the guest sends.
2654      * READ CAPACITY.  If they don't, they likely would assume these sizes
2655      * anyway. (TODO: check in /sys).
2656      */
2657     if (s->qdev.type == TYPE_ROM || s->qdev.type == TYPE_WORM) {
2658         s->qdev.blocksize = 2048;
2659     } else {
2660         s->qdev.blocksize = 512;
2661     }
2662 
2663     /* Makes the scsi-block device not removable by using HMP and QMP eject
2664      * command.
2665      */
2666     s->features |= (1 << SCSI_DISK_F_NO_REMOVABLE_DEVOPS);
2667 
2668     scsi_realize(&s->qdev, errp);
2669     scsi_generic_read_device_inquiry(&s->qdev);
2670 
2671 out:
2672     aio_context_release(ctx);
2673 }
2674 
2675 typedef struct SCSIBlockReq {
2676     SCSIDiskReq req;
2677     sg_io_hdr_t io_header;
2678 
2679     /* Selected bytes of the original CDB, copied into our own CDB.  */
2680     uint8_t cmd, cdb1, group_number;
2681 
2682     /* CDB passed to SG_IO.  */
2683     uint8_t cdb[16];
2684     BlockCompletionFunc *cb;
2685     void *cb_opaque;
2686 } SCSIBlockReq;
2687 
2688 static void scsi_block_sgio_complete(void *opaque, int ret)
2689 {
2690     SCSIBlockReq *req = (SCSIBlockReq *)opaque;
2691     SCSIDiskReq *r = &req->req;
2692     SCSIDevice *s = r->req.dev;
2693     sg_io_hdr_t *io_hdr = &req->io_header;
2694 
2695     if (ret == 0) {
2696         if (io_hdr->host_status != SCSI_HOST_OK) {
2697             scsi_req_complete_failed(&r->req, io_hdr->host_status);
2698             scsi_req_unref(&r->req);
2699             return;
2700         }
2701 
2702         if (io_hdr->driver_status & SG_ERR_DRIVER_TIMEOUT) {
2703             ret = BUSY;
2704         } else {
2705             ret = io_hdr->status;
2706         }
2707 
2708         if (ret > 0) {
2709             aio_context_acquire(blk_get_aio_context(s->conf.blk));
2710             if (scsi_handle_rw_error(r, ret, true)) {
2711                 aio_context_release(blk_get_aio_context(s->conf.blk));
2712                 scsi_req_unref(&r->req);
2713                 return;
2714             }
2715             aio_context_release(blk_get_aio_context(s->conf.blk));
2716 
2717             /* Ignore error.  */
2718             ret = 0;
2719         }
2720     }
2721 
2722     req->cb(req->cb_opaque, ret);
2723 }
2724 
2725 static BlockAIOCB *scsi_block_do_sgio(SCSIBlockReq *req,
2726                                       int64_t offset, QEMUIOVector *iov,
2727                                       int direction,
2728                                       BlockCompletionFunc *cb, void *opaque)
2729 {
2730     sg_io_hdr_t *io_header = &req->io_header;
2731     SCSIDiskReq *r = &req->req;
2732     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
2733     int nb_logical_blocks;
2734     uint64_t lba;
2735     BlockAIOCB *aiocb;
2736 
2737     /* This is not supported yet.  It can only happen if the guest does
2738      * reads and writes that are not aligned to one logical sectors
2739      * _and_ cover multiple MemoryRegions.
2740      */
2741     assert(offset % s->qdev.blocksize == 0);
2742     assert(iov->size % s->qdev.blocksize == 0);
2743 
2744     io_header->interface_id = 'S';
2745 
2746     /* The data transfer comes from the QEMUIOVector.  */
2747     io_header->dxfer_direction = direction;
2748     io_header->dxfer_len = iov->size;
2749     io_header->dxferp = (void *)iov->iov;
2750     io_header->iovec_count = iov->niov;
2751     assert(io_header->iovec_count == iov->niov); /* no overflow! */
2752 
2753     /* Build a new CDB with the LBA and length patched in, in case
2754      * DMA helpers split the transfer in multiple segments.  Do not
2755      * build a CDB smaller than what the guest wanted, and only build
2756      * a larger one if strictly necessary.
2757      */
2758     io_header->cmdp = req->cdb;
2759     lba = offset / s->qdev.blocksize;
2760     nb_logical_blocks = io_header->dxfer_len / s->qdev.blocksize;
2761 
2762     if ((req->cmd >> 5) == 0 && lba <= 0x1ffff) {
2763         /* 6-byte CDB */
2764         stl_be_p(&req->cdb[0], lba | (req->cmd << 24));
2765         req->cdb[4] = nb_logical_blocks;
2766         req->cdb[5] = 0;
2767         io_header->cmd_len = 6;
2768     } else if ((req->cmd >> 5) <= 1 && lba <= 0xffffffffULL) {
2769         /* 10-byte CDB */
2770         req->cdb[0] = (req->cmd & 0x1f) | 0x20;
2771         req->cdb[1] = req->cdb1;
2772         stl_be_p(&req->cdb[2], lba);
2773         req->cdb[6] = req->group_number;
2774         stw_be_p(&req->cdb[7], nb_logical_blocks);
2775         req->cdb[9] = 0;
2776         io_header->cmd_len = 10;
2777     } else if ((req->cmd >> 5) != 4 && lba <= 0xffffffffULL) {
2778         /* 12-byte CDB */
2779         req->cdb[0] = (req->cmd & 0x1f) | 0xA0;
2780         req->cdb[1] = req->cdb1;
2781         stl_be_p(&req->cdb[2], lba);
2782         stl_be_p(&req->cdb[6], nb_logical_blocks);
2783         req->cdb[10] = req->group_number;
2784         req->cdb[11] = 0;
2785         io_header->cmd_len = 12;
2786     } else {
2787         /* 16-byte CDB */
2788         req->cdb[0] = (req->cmd & 0x1f) | 0x80;
2789         req->cdb[1] = req->cdb1;
2790         stq_be_p(&req->cdb[2], lba);
2791         stl_be_p(&req->cdb[10], nb_logical_blocks);
2792         req->cdb[14] = req->group_number;
2793         req->cdb[15] = 0;
2794         io_header->cmd_len = 16;
2795     }
2796 
2797     /* The rest is as in scsi-generic.c.  */
2798     io_header->mx_sb_len = sizeof(r->req.sense);
2799     io_header->sbp = r->req.sense;
2800     io_header->timeout = s->qdev.io_timeout * 1000;
2801     io_header->usr_ptr = r;
2802     io_header->flags |= SG_FLAG_DIRECT_IO;
2803     req->cb = cb;
2804     req->cb_opaque = opaque;
2805     trace_scsi_disk_aio_sgio_command(r->req.tag, req->cdb[0], lba,
2806                                      nb_logical_blocks, io_header->timeout);
2807     aiocb = blk_aio_ioctl(s->qdev.conf.blk, SG_IO, io_header, scsi_block_sgio_complete, req);
2808     assert(aiocb != NULL);
2809     return aiocb;
2810 }
2811 
2812 static bool scsi_block_no_fua(SCSICommand *cmd)
2813 {
2814     return false;
2815 }
2816 
2817 static BlockAIOCB *scsi_block_dma_readv(int64_t offset,
2818                                         QEMUIOVector *iov,
2819                                         BlockCompletionFunc *cb, void *cb_opaque,
2820                                         void *opaque)
2821 {
2822     SCSIBlockReq *r = opaque;
2823     return scsi_block_do_sgio(r, offset, iov,
2824                               SG_DXFER_FROM_DEV, cb, cb_opaque);
2825 }
2826 
2827 static BlockAIOCB *scsi_block_dma_writev(int64_t offset,
2828                                          QEMUIOVector *iov,
2829                                          BlockCompletionFunc *cb, void *cb_opaque,
2830                                          void *opaque)
2831 {
2832     SCSIBlockReq *r = opaque;
2833     return scsi_block_do_sgio(r, offset, iov,
2834                               SG_DXFER_TO_DEV, cb, cb_opaque);
2835 }
2836 
2837 static bool scsi_block_is_passthrough(SCSIDiskState *s, uint8_t *buf)
2838 {
2839     switch (buf[0]) {
2840     case VERIFY_10:
2841     case VERIFY_12:
2842     case VERIFY_16:
2843         /* Check if BYTCHK == 0x01 (data-out buffer contains data
2844          * for the number of logical blocks specified in the length
2845          * field).  For other modes, do not use scatter/gather operation.
2846          */
2847         if ((buf[1] & 6) == 2) {
2848             return false;
2849         }
2850         break;
2851 
2852     case READ_6:
2853     case READ_10:
2854     case READ_12:
2855     case READ_16:
2856     case WRITE_6:
2857     case WRITE_10:
2858     case WRITE_12:
2859     case WRITE_16:
2860     case WRITE_VERIFY_10:
2861     case WRITE_VERIFY_12:
2862     case WRITE_VERIFY_16:
2863         /* MMC writing cannot be done via DMA helpers, because it sometimes
2864          * involves writing beyond the maximum LBA or to negative LBA (lead-in).
2865          * We might use scsi_block_dma_reqops as long as no writing commands are
2866          * seen, but performance usually isn't paramount on optical media.  So,
2867          * just make scsi-block operate the same as scsi-generic for them.
2868          */
2869         if (s->qdev.type != TYPE_ROM) {
2870             return false;
2871         }
2872         break;
2873 
2874     default:
2875         break;
2876     }
2877 
2878     return true;
2879 }
2880 
2881 
2882 static int32_t scsi_block_dma_command(SCSIRequest *req, uint8_t *buf)
2883 {
2884     SCSIBlockReq *r = (SCSIBlockReq *)req;
2885     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
2886 
2887     r->cmd = req->cmd.buf[0];
2888     switch (r->cmd >> 5) {
2889     case 0:
2890         /* 6-byte CDB.  */
2891         r->cdb1 = r->group_number = 0;
2892         break;
2893     case 1:
2894         /* 10-byte CDB.  */
2895         r->cdb1 = req->cmd.buf[1];
2896         r->group_number = req->cmd.buf[6];
2897         break;
2898     case 4:
2899         /* 12-byte CDB.  */
2900         r->cdb1 = req->cmd.buf[1];
2901         r->group_number = req->cmd.buf[10];
2902         break;
2903     case 5:
2904         /* 16-byte CDB.  */
2905         r->cdb1 = req->cmd.buf[1];
2906         r->group_number = req->cmd.buf[14];
2907         break;
2908     default:
2909         abort();
2910     }
2911 
2912     /* Protection information is not supported.  For SCSI versions 2 and
2913      * older (as determined by snooping the guest's INQUIRY commands),
2914      * there is no RD/WR/VRPROTECT, so skip this check in these versions.
2915      */
2916     if (s->qdev.scsi_version > 2 && (req->cmd.buf[1] & 0xe0)) {
2917         scsi_check_condition(&r->req, SENSE_CODE(INVALID_FIELD));
2918         return 0;
2919     }
2920 
2921     return scsi_disk_dma_command(req, buf);
2922 }
2923 
2924 static const SCSIReqOps scsi_block_dma_reqops = {
2925     .size         = sizeof(SCSIBlockReq),
2926     .free_req     = scsi_free_request,
2927     .send_command = scsi_block_dma_command,
2928     .read_data    = scsi_read_data,
2929     .write_data   = scsi_write_data,
2930     .get_buf      = scsi_get_buf,
2931     .load_request = scsi_disk_load_request,
2932     .save_request = scsi_disk_save_request,
2933 };
2934 
2935 static SCSIRequest *scsi_block_new_request(SCSIDevice *d, uint32_t tag,
2936                                            uint32_t lun, uint8_t *buf,
2937                                            void *hba_private)
2938 {
2939     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, d);
2940 
2941     if (scsi_block_is_passthrough(s, buf)) {
2942         return scsi_req_alloc(&scsi_generic_req_ops, &s->qdev, tag, lun,
2943                               hba_private);
2944     } else {
2945         return scsi_req_alloc(&scsi_block_dma_reqops, &s->qdev, tag, lun,
2946                               hba_private);
2947     }
2948 }
2949 
2950 static int scsi_block_parse_cdb(SCSIDevice *d, SCSICommand *cmd,
2951                                   uint8_t *buf, void *hba_private)
2952 {
2953     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, d);
2954 
2955     if (scsi_block_is_passthrough(s, buf)) {
2956         return scsi_bus_parse_cdb(&s->qdev, cmd, buf, hba_private);
2957     } else {
2958         return scsi_req_parse_cdb(&s->qdev, cmd, buf);
2959     }
2960 }
2961 
2962 static void scsi_block_update_sense(SCSIRequest *req)
2963 {
2964     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
2965     SCSIBlockReq *br = DO_UPCAST(SCSIBlockReq, req, r);
2966     r->req.sense_len = MIN(br->io_header.sb_len_wr, sizeof(r->req.sense));
2967 }
2968 #endif
2969 
2970 static
2971 BlockAIOCB *scsi_dma_readv(int64_t offset, QEMUIOVector *iov,
2972                            BlockCompletionFunc *cb, void *cb_opaque,
2973                            void *opaque)
2974 {
2975     SCSIDiskReq *r = opaque;
2976     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
2977     return blk_aio_preadv(s->qdev.conf.blk, offset, iov, 0, cb, cb_opaque);
2978 }
2979 
2980 static
2981 BlockAIOCB *scsi_dma_writev(int64_t offset, QEMUIOVector *iov,
2982                             BlockCompletionFunc *cb, void *cb_opaque,
2983                             void *opaque)
2984 {
2985     SCSIDiskReq *r = opaque;
2986     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
2987     return blk_aio_pwritev(s->qdev.conf.blk, offset, iov, 0, cb, cb_opaque);
2988 }
2989 
2990 static void scsi_disk_base_class_initfn(ObjectClass *klass, void *data)
2991 {
2992     DeviceClass *dc = DEVICE_CLASS(klass);
2993     SCSIDiskClass *sdc = SCSI_DISK_BASE_CLASS(klass);
2994 
2995     dc->fw_name = "disk";
2996     dc->reset = scsi_disk_reset;
2997     sdc->dma_readv = scsi_dma_readv;
2998     sdc->dma_writev = scsi_dma_writev;
2999     sdc->need_fua_emulation = scsi_is_cmd_fua;
3000 }
3001 
3002 static const TypeInfo scsi_disk_base_info = {
3003     .name          = TYPE_SCSI_DISK_BASE,
3004     .parent        = TYPE_SCSI_DEVICE,
3005     .class_init    = scsi_disk_base_class_initfn,
3006     .instance_size = sizeof(SCSIDiskState),
3007     .class_size    = sizeof(SCSIDiskClass),
3008     .abstract      = true,
3009 };
3010 
3011 #define DEFINE_SCSI_DISK_PROPERTIES()                                   \
3012     DEFINE_PROP_DRIVE_IOTHREAD("drive", SCSIDiskState, qdev.conf.blk),  \
3013     DEFINE_BLOCK_PROPERTIES_BASE(SCSIDiskState, qdev.conf),             \
3014     DEFINE_BLOCK_ERROR_PROPERTIES(SCSIDiskState, qdev.conf),            \
3015     DEFINE_PROP_STRING("ver", SCSIDiskState, version),                  \
3016     DEFINE_PROP_STRING("serial", SCSIDiskState, serial),                \
3017     DEFINE_PROP_STRING("vendor", SCSIDiskState, vendor),                \
3018     DEFINE_PROP_STRING("product", SCSIDiskState, product),              \
3019     DEFINE_PROP_STRING("device_id", SCSIDiskState, device_id)
3020 
3021 
3022 static Property scsi_hd_properties[] = {
3023     DEFINE_SCSI_DISK_PROPERTIES(),
3024     DEFINE_PROP_BIT("removable", SCSIDiskState, features,
3025                     SCSI_DISK_F_REMOVABLE, false),
3026     DEFINE_PROP_BIT("dpofua", SCSIDiskState, features,
3027                     SCSI_DISK_F_DPOFUA, false),
3028     DEFINE_PROP_UINT64("wwn", SCSIDiskState, qdev.wwn, 0),
3029     DEFINE_PROP_UINT64("port_wwn", SCSIDiskState, qdev.port_wwn, 0),
3030     DEFINE_PROP_UINT16("port_index", SCSIDiskState, port_index, 0),
3031     DEFINE_PROP_UINT64("max_unmap_size", SCSIDiskState, max_unmap_size,
3032                        DEFAULT_MAX_UNMAP_SIZE),
3033     DEFINE_PROP_UINT64("max_io_size", SCSIDiskState, max_io_size,
3034                        DEFAULT_MAX_IO_SIZE),
3035     DEFINE_PROP_UINT16("rotation_rate", SCSIDiskState, rotation_rate, 0),
3036     DEFINE_PROP_INT32("scsi_version", SCSIDiskState, qdev.default_scsi_version,
3037                       5),
3038     DEFINE_BLOCK_CHS_PROPERTIES(SCSIDiskState, qdev.conf),
3039     DEFINE_PROP_END_OF_LIST(),
3040 };
3041 
3042 static const VMStateDescription vmstate_scsi_disk_state = {
3043     .name = "scsi-disk",
3044     .version_id = 1,
3045     .minimum_version_id = 1,
3046     .fields = (VMStateField[]) {
3047         VMSTATE_SCSI_DEVICE(qdev, SCSIDiskState),
3048         VMSTATE_BOOL(media_changed, SCSIDiskState),
3049         VMSTATE_BOOL(media_event, SCSIDiskState),
3050         VMSTATE_BOOL(eject_request, SCSIDiskState),
3051         VMSTATE_BOOL(tray_open, SCSIDiskState),
3052         VMSTATE_BOOL(tray_locked, SCSIDiskState),
3053         VMSTATE_END_OF_LIST()
3054     }
3055 };
3056 
3057 static void scsi_hd_class_initfn(ObjectClass *klass, void *data)
3058 {
3059     DeviceClass *dc = DEVICE_CLASS(klass);
3060     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
3061 
3062     sc->realize      = scsi_hd_realize;
3063     sc->unrealize    = scsi_unrealize;
3064     sc->alloc_req    = scsi_new_request;
3065     sc->unit_attention_reported = scsi_disk_unit_attention_reported;
3066     dc->desc = "virtual SCSI disk";
3067     device_class_set_props(dc, scsi_hd_properties);
3068     dc->vmsd  = &vmstate_scsi_disk_state;
3069 }
3070 
3071 static const TypeInfo scsi_hd_info = {
3072     .name          = "scsi-hd",
3073     .parent        = TYPE_SCSI_DISK_BASE,
3074     .class_init    = scsi_hd_class_initfn,
3075 };
3076 
3077 static Property scsi_cd_properties[] = {
3078     DEFINE_SCSI_DISK_PROPERTIES(),
3079     DEFINE_PROP_UINT64("wwn", SCSIDiskState, qdev.wwn, 0),
3080     DEFINE_PROP_UINT64("port_wwn", SCSIDiskState, qdev.port_wwn, 0),
3081     DEFINE_PROP_UINT16("port_index", SCSIDiskState, port_index, 0),
3082     DEFINE_PROP_UINT64("max_io_size", SCSIDiskState, max_io_size,
3083                        DEFAULT_MAX_IO_SIZE),
3084     DEFINE_PROP_INT32("scsi_version", SCSIDiskState, qdev.default_scsi_version,
3085                       5),
3086     DEFINE_PROP_END_OF_LIST(),
3087 };
3088 
3089 static void scsi_cd_class_initfn(ObjectClass *klass, void *data)
3090 {
3091     DeviceClass *dc = DEVICE_CLASS(klass);
3092     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
3093 
3094     sc->realize      = scsi_cd_realize;
3095     sc->alloc_req    = scsi_new_request;
3096     sc->unit_attention_reported = scsi_disk_unit_attention_reported;
3097     dc->desc = "virtual SCSI CD-ROM";
3098     device_class_set_props(dc, scsi_cd_properties);
3099     dc->vmsd  = &vmstate_scsi_disk_state;
3100 }
3101 
3102 static const TypeInfo scsi_cd_info = {
3103     .name          = "scsi-cd",
3104     .parent        = TYPE_SCSI_DISK_BASE,
3105     .class_init    = scsi_cd_class_initfn,
3106 };
3107 
3108 #ifdef __linux__
3109 static Property scsi_block_properties[] = {
3110     DEFINE_BLOCK_ERROR_PROPERTIES(SCSIDiskState, qdev.conf),
3111     DEFINE_PROP_DRIVE("drive", SCSIDiskState, qdev.conf.blk),
3112     DEFINE_PROP_BOOL("share-rw", SCSIDiskState, qdev.conf.share_rw, false),
3113     DEFINE_PROP_UINT16("rotation_rate", SCSIDiskState, rotation_rate, 0),
3114     DEFINE_PROP_UINT64("max_unmap_size", SCSIDiskState, max_unmap_size,
3115                        DEFAULT_MAX_UNMAP_SIZE),
3116     DEFINE_PROP_UINT64("max_io_size", SCSIDiskState, max_io_size,
3117                        DEFAULT_MAX_IO_SIZE),
3118     DEFINE_PROP_INT32("scsi_version", SCSIDiskState, qdev.default_scsi_version,
3119                       -1),
3120     DEFINE_PROP_UINT32("io_timeout", SCSIDiskState, qdev.io_timeout,
3121                        DEFAULT_IO_TIMEOUT),
3122     DEFINE_PROP_END_OF_LIST(),
3123 };
3124 
3125 static void scsi_block_class_initfn(ObjectClass *klass, void *data)
3126 {
3127     DeviceClass *dc = DEVICE_CLASS(klass);
3128     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
3129     SCSIDiskClass *sdc = SCSI_DISK_BASE_CLASS(klass);
3130 
3131     sc->realize      = scsi_block_realize;
3132     sc->alloc_req    = scsi_block_new_request;
3133     sc->parse_cdb    = scsi_block_parse_cdb;
3134     sdc->dma_readv   = scsi_block_dma_readv;
3135     sdc->dma_writev  = scsi_block_dma_writev;
3136     sdc->update_sense = scsi_block_update_sense;
3137     sdc->need_fua_emulation = scsi_block_no_fua;
3138     dc->desc = "SCSI block device passthrough";
3139     device_class_set_props(dc, scsi_block_properties);
3140     dc->vmsd  = &vmstate_scsi_disk_state;
3141 }
3142 
3143 static const TypeInfo scsi_block_info = {
3144     .name          = "scsi-block",
3145     .parent        = TYPE_SCSI_DISK_BASE,
3146     .class_init    = scsi_block_class_initfn,
3147 };
3148 #endif
3149 
3150 static void scsi_disk_register_types(void)
3151 {
3152     type_register_static(&scsi_disk_base_info);
3153     type_register_static(&scsi_hd_info);
3154     type_register_static(&scsi_cd_info);
3155 #ifdef __linux__
3156     type_register_static(&scsi_block_info);
3157 #endif
3158 }
3159 
3160 type_init(scsi_disk_register_types)
3161