xref: /openbmc/qemu/hw/scsi/scsi-disk.c (revision f1f7e4bf)
1 /*
2  * SCSI Device emulation
3  *
4  * Copyright (c) 2006 CodeSourcery.
5  * Based on code by Fabrice Bellard
6  *
7  * Written by Paul Brook
8  * Modifications:
9  *  2009-Dec-12 Artyom Tarasenko : implemented stamdard inquiry for the case
10  *                                 when the allocation length of CDB is smaller
11  *                                 than 36.
12  *  2009-Oct-13 Artyom Tarasenko : implemented the block descriptor in the
13  *                                 MODE SENSE response.
14  *
15  * This code is licensed under the LGPL.
16  *
17  * Note that this file only handles the SCSI architecture model and device
18  * commands.  Emulation of interface/link layer protocols is handled by
19  * the host adapter emulator.
20  */
21 
22 //#define DEBUG_SCSI
23 
24 #ifdef DEBUG_SCSI
25 #define DPRINTF(fmt, ...) \
26 do { printf("scsi-disk: " fmt , ## __VA_ARGS__); } while (0)
27 #else
28 #define DPRINTF(fmt, ...) do {} while(0)
29 #endif
30 
31 #include "qemu-common.h"
32 #include "qemu/error-report.h"
33 #include "hw/scsi/scsi.h"
34 #include "block/scsi.h"
35 #include "sysemu/sysemu.h"
36 #include "sysemu/block-backend.h"
37 #include "sysemu/blockdev.h"
38 #include "hw/block/block.h"
39 #include "sysemu/dma.h"
40 
41 #ifdef __linux
42 #include <scsi/sg.h>
43 #endif
44 
45 #define SCSI_WRITE_SAME_MAX         524288
46 #define SCSI_DMA_BUF_SIZE           131072
47 #define SCSI_MAX_INQUIRY_LEN        256
48 #define SCSI_MAX_MODE_LEN           256
49 
50 #define DEFAULT_DISCARD_GRANULARITY 4096
51 #define DEFAULT_MAX_UNMAP_SIZE      (1 << 30)   /* 1 GB */
52 #define DEFAULT_MAX_IO_SIZE         INT_MAX     /* 2 GB - 1 block */
53 
54 typedef struct SCSIDiskState SCSIDiskState;
55 
56 typedef struct SCSIDiskReq {
57     SCSIRequest req;
58     /* Both sector and sector_count are in terms of qemu 512 byte blocks.  */
59     uint64_t sector;
60     uint32_t sector_count;
61     uint32_t buflen;
62     bool started;
63     struct iovec iov;
64     QEMUIOVector qiov;
65     BlockAcctCookie acct;
66 } SCSIDiskReq;
67 
68 #define SCSI_DISK_F_REMOVABLE             0
69 #define SCSI_DISK_F_DPOFUA                1
70 #define SCSI_DISK_F_NO_REMOVABLE_DEVOPS   2
71 
72 struct SCSIDiskState
73 {
74     SCSIDevice qdev;
75     uint32_t features;
76     bool media_changed;
77     bool media_event;
78     bool eject_request;
79     uint64_t wwn;
80     uint64_t port_wwn;
81     uint16_t port_index;
82     uint64_t max_unmap_size;
83     uint64_t max_io_size;
84     QEMUBH *bh;
85     char *version;
86     char *serial;
87     char *vendor;
88     char *product;
89     bool tray_open;
90     bool tray_locked;
91 };
92 
93 static int scsi_handle_rw_error(SCSIDiskReq *r, int error, bool acct_failed);
94 
95 static void scsi_free_request(SCSIRequest *req)
96 {
97     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
98 
99     qemu_vfree(r->iov.iov_base);
100 }
101 
102 /* Helper function for command completion with sense.  */
103 static void scsi_check_condition(SCSIDiskReq *r, SCSISense sense)
104 {
105     DPRINTF("Command complete tag=0x%x sense=%d/%d/%d\n",
106             r->req.tag, sense.key, sense.asc, sense.ascq);
107     scsi_req_build_sense(&r->req, sense);
108     scsi_req_complete(&r->req, CHECK_CONDITION);
109 }
110 
111 static uint32_t scsi_init_iovec(SCSIDiskReq *r, size_t size)
112 {
113     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
114 
115     if (!r->iov.iov_base) {
116         r->buflen = size;
117         r->iov.iov_base = blk_blockalign(s->qdev.conf.blk, r->buflen);
118     }
119     r->iov.iov_len = MIN(r->sector_count * 512, r->buflen);
120     qemu_iovec_init_external(&r->qiov, &r->iov, 1);
121     return r->qiov.size / 512;
122 }
123 
124 static void scsi_disk_save_request(QEMUFile *f, SCSIRequest *req)
125 {
126     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
127 
128     qemu_put_be64s(f, &r->sector);
129     qemu_put_be32s(f, &r->sector_count);
130     qemu_put_be32s(f, &r->buflen);
131     if (r->buflen) {
132         if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
133             qemu_put_buffer(f, r->iov.iov_base, r->iov.iov_len);
134         } else if (!req->retry) {
135             uint32_t len = r->iov.iov_len;
136             qemu_put_be32s(f, &len);
137             qemu_put_buffer(f, r->iov.iov_base, r->iov.iov_len);
138         }
139     }
140 }
141 
142 static void scsi_disk_load_request(QEMUFile *f, SCSIRequest *req)
143 {
144     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
145 
146     qemu_get_be64s(f, &r->sector);
147     qemu_get_be32s(f, &r->sector_count);
148     qemu_get_be32s(f, &r->buflen);
149     if (r->buflen) {
150         scsi_init_iovec(r, r->buflen);
151         if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
152             qemu_get_buffer(f, r->iov.iov_base, r->iov.iov_len);
153         } else if (!r->req.retry) {
154             uint32_t len;
155             qemu_get_be32s(f, &len);
156             r->iov.iov_len = len;
157             assert(r->iov.iov_len <= r->buflen);
158             qemu_get_buffer(f, r->iov.iov_base, r->iov.iov_len);
159         }
160     }
161 
162     qemu_iovec_init_external(&r->qiov, &r->iov, 1);
163 }
164 
165 static void scsi_aio_complete(void *opaque, int ret)
166 {
167     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
168     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
169 
170     assert(r->req.aiocb != NULL);
171     r->req.aiocb = NULL;
172     if (r->req.io_canceled) {
173         scsi_req_cancel_complete(&r->req);
174         goto done;
175     }
176 
177     if (ret < 0) {
178         if (scsi_handle_rw_error(r, -ret, true)) {
179             goto done;
180         }
181     }
182 
183     block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
184     scsi_req_complete(&r->req, GOOD);
185 
186 done:
187     scsi_req_unref(&r->req);
188 }
189 
190 static bool scsi_is_cmd_fua(SCSICommand *cmd)
191 {
192     switch (cmd->buf[0]) {
193     case READ_10:
194     case READ_12:
195     case READ_16:
196     case WRITE_10:
197     case WRITE_12:
198     case WRITE_16:
199         return (cmd->buf[1] & 8) != 0;
200 
201     case VERIFY_10:
202     case VERIFY_12:
203     case VERIFY_16:
204     case WRITE_VERIFY_10:
205     case WRITE_VERIFY_12:
206     case WRITE_VERIFY_16:
207         return true;
208 
209     case READ_6:
210     case WRITE_6:
211     default:
212         return false;
213     }
214 }
215 
216 static void scsi_write_do_fua(SCSIDiskReq *r)
217 {
218     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
219 
220     assert(r->req.aiocb == NULL);
221 
222     if (r->req.io_canceled) {
223         scsi_req_cancel_complete(&r->req);
224         goto done;
225     }
226 
227     if (scsi_is_cmd_fua(&r->req.cmd)) {
228         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct, 0,
229                          BLOCK_ACCT_FLUSH);
230         r->req.aiocb = blk_aio_flush(s->qdev.conf.blk, scsi_aio_complete, r);
231         return;
232     }
233 
234     scsi_req_complete(&r->req, GOOD);
235 
236 done:
237     scsi_req_unref(&r->req);
238 }
239 
240 static void scsi_dma_complete_noio(SCSIDiskReq *r, int ret)
241 {
242     assert(r->req.aiocb == NULL);
243 
244     if (r->req.io_canceled) {
245         scsi_req_cancel_complete(&r->req);
246         goto done;
247     }
248 
249     if (ret < 0) {
250         if (scsi_handle_rw_error(r, -ret, false)) {
251             goto done;
252         }
253     }
254 
255     r->sector += r->sector_count;
256     r->sector_count = 0;
257     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
258         scsi_write_do_fua(r);
259         return;
260     } else {
261         scsi_req_complete(&r->req, GOOD);
262     }
263 
264 done:
265     scsi_req_unref(&r->req);
266 }
267 
268 static void scsi_dma_complete(void *opaque, int ret)
269 {
270     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
271     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
272 
273     assert(r->req.aiocb != NULL);
274     r->req.aiocb = NULL;
275 
276     if (ret < 0) {
277         block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
278     } else {
279         block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
280     }
281     scsi_dma_complete_noio(r, ret);
282 }
283 
284 static void scsi_read_complete(void * opaque, int ret)
285 {
286     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
287     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
288     int n;
289 
290     assert(r->req.aiocb != NULL);
291     r->req.aiocb = NULL;
292     if (r->req.io_canceled) {
293         scsi_req_cancel_complete(&r->req);
294         goto done;
295     }
296 
297     if (ret < 0) {
298         if (scsi_handle_rw_error(r, -ret, true)) {
299             goto done;
300         }
301     }
302 
303     block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
304     DPRINTF("Data ready tag=0x%x len=%zd\n", r->req.tag, r->qiov.size);
305 
306     n = r->qiov.size / 512;
307     r->sector += n;
308     r->sector_count -= n;
309     scsi_req_data(&r->req, r->qiov.size);
310 
311 done:
312     scsi_req_unref(&r->req);
313 }
314 
315 /* Actually issue a read to the block device.  */
316 static void scsi_do_read(SCSIDiskReq *r, int ret)
317 {
318     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
319     uint32_t n;
320 
321     assert (r->req.aiocb == NULL);
322 
323     if (r->req.io_canceled) {
324         scsi_req_cancel_complete(&r->req);
325         goto done;
326     }
327 
328     if (ret < 0) {
329         if (scsi_handle_rw_error(r, -ret, false)) {
330             goto done;
331         }
332     }
333 
334     /* The request is used as the AIO opaque value, so add a ref.  */
335     scsi_req_ref(&r->req);
336 
337     if (r->req.sg) {
338         dma_acct_start(s->qdev.conf.blk, &r->acct, r->req.sg, BLOCK_ACCT_READ);
339         r->req.resid -= r->req.sg->size;
340         r->req.aiocb = dma_blk_read(s->qdev.conf.blk, r->req.sg, r->sector,
341                                     scsi_dma_complete, r);
342     } else {
343         n = scsi_init_iovec(r, SCSI_DMA_BUF_SIZE);
344         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
345                          n * BDRV_SECTOR_SIZE, BLOCK_ACCT_READ);
346         r->req.aiocb = blk_aio_readv(s->qdev.conf.blk, r->sector, &r->qiov, n,
347                                      scsi_read_complete, r);
348     }
349 
350 done:
351     scsi_req_unref(&r->req);
352 }
353 
354 static void scsi_do_read_cb(void *opaque, int ret)
355 {
356     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
357     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
358 
359     assert (r->req.aiocb != NULL);
360     r->req.aiocb = NULL;
361 
362     if (ret < 0) {
363         block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
364     } else {
365         block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
366     }
367     scsi_do_read(opaque, ret);
368 }
369 
370 /* Read more data from scsi device into buffer.  */
371 static void scsi_read_data(SCSIRequest *req)
372 {
373     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
374     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
375     bool first;
376 
377     DPRINTF("Read sector_count=%d\n", r->sector_count);
378     if (r->sector_count == 0) {
379         /* This also clears the sense buffer for REQUEST SENSE.  */
380         scsi_req_complete(&r->req, GOOD);
381         return;
382     }
383 
384     /* No data transfer may already be in progress */
385     assert(r->req.aiocb == NULL);
386 
387     /* The request is used as the AIO opaque value, so add a ref.  */
388     scsi_req_ref(&r->req);
389     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
390         DPRINTF("Data transfer direction invalid\n");
391         scsi_read_complete(r, -EINVAL);
392         return;
393     }
394 
395     if (s->tray_open) {
396         scsi_read_complete(r, -ENOMEDIUM);
397         return;
398     }
399 
400     first = !r->started;
401     r->started = true;
402     if (first && scsi_is_cmd_fua(&r->req.cmd)) {
403         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct, 0,
404                          BLOCK_ACCT_FLUSH);
405         r->req.aiocb = blk_aio_flush(s->qdev.conf.blk, scsi_do_read_cb, r);
406     } else {
407         scsi_do_read(r, 0);
408     }
409 }
410 
411 /*
412  * scsi_handle_rw_error has two return values.  0 means that the error
413  * must be ignored, 1 means that the error has been processed and the
414  * caller should not do anything else for this request.  Note that
415  * scsi_handle_rw_error always manages its reference counts, independent
416  * of the return value.
417  */
418 static int scsi_handle_rw_error(SCSIDiskReq *r, int error, bool acct_failed)
419 {
420     bool is_read = (r->req.cmd.mode == SCSI_XFER_FROM_DEV);
421     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
422     BlockErrorAction action = blk_get_error_action(s->qdev.conf.blk,
423                                                    is_read, error);
424 
425     if (action == BLOCK_ERROR_ACTION_REPORT) {
426         if (acct_failed) {
427             block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
428         }
429         switch (error) {
430         case ENOMEDIUM:
431             scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
432             break;
433         case ENOMEM:
434             scsi_check_condition(r, SENSE_CODE(TARGET_FAILURE));
435             break;
436         case EINVAL:
437             scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
438             break;
439         case ENOSPC:
440             scsi_check_condition(r, SENSE_CODE(SPACE_ALLOC_FAILED));
441             break;
442         default:
443             scsi_check_condition(r, SENSE_CODE(IO_ERROR));
444             break;
445         }
446     }
447     blk_error_action(s->qdev.conf.blk, action, is_read, error);
448     if (action == BLOCK_ERROR_ACTION_STOP) {
449         scsi_req_retry(&r->req);
450     }
451     return action != BLOCK_ERROR_ACTION_IGNORE;
452 }
453 
454 static void scsi_write_complete_noio(SCSIDiskReq *r, int ret)
455 {
456     uint32_t n;
457 
458     assert (r->req.aiocb == NULL);
459 
460     if (r->req.io_canceled) {
461         scsi_req_cancel_complete(&r->req);
462         goto done;
463     }
464 
465     if (ret < 0) {
466         if (scsi_handle_rw_error(r, -ret, false)) {
467             goto done;
468         }
469     }
470 
471     n = r->qiov.size / 512;
472     r->sector += n;
473     r->sector_count -= n;
474     if (r->sector_count == 0) {
475         scsi_write_do_fua(r);
476         return;
477     } else {
478         scsi_init_iovec(r, SCSI_DMA_BUF_SIZE);
479         DPRINTF("Write complete tag=0x%x more=%zd\n", r->req.tag, r->qiov.size);
480         scsi_req_data(&r->req, r->qiov.size);
481     }
482 
483 done:
484     scsi_req_unref(&r->req);
485 }
486 
487 static void scsi_write_complete(void * opaque, int ret)
488 {
489     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
490     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
491 
492     assert (r->req.aiocb != NULL);
493     r->req.aiocb = NULL;
494 
495     if (ret < 0) {
496         block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
497     } else {
498         block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
499     }
500     scsi_write_complete_noio(r, ret);
501 }
502 
503 static void scsi_write_data(SCSIRequest *req)
504 {
505     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
506     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
507     uint32_t n;
508 
509     /* No data transfer may already be in progress */
510     assert(r->req.aiocb == NULL);
511 
512     /* The request is used as the AIO opaque value, so add a ref.  */
513     scsi_req_ref(&r->req);
514     if (r->req.cmd.mode != SCSI_XFER_TO_DEV) {
515         DPRINTF("Data transfer direction invalid\n");
516         scsi_write_complete_noio(r, -EINVAL);
517         return;
518     }
519 
520     if (!r->req.sg && !r->qiov.size) {
521         /* Called for the first time.  Ask the driver to send us more data.  */
522         r->started = true;
523         scsi_write_complete_noio(r, 0);
524         return;
525     }
526     if (s->tray_open) {
527         scsi_write_complete_noio(r, -ENOMEDIUM);
528         return;
529     }
530 
531     if (r->req.cmd.buf[0] == VERIFY_10 || r->req.cmd.buf[0] == VERIFY_12 ||
532         r->req.cmd.buf[0] == VERIFY_16) {
533         if (r->req.sg) {
534             scsi_dma_complete_noio(r, 0);
535         } else {
536             scsi_write_complete_noio(r, 0);
537         }
538         return;
539     }
540 
541     if (r->req.sg) {
542         dma_acct_start(s->qdev.conf.blk, &r->acct, r->req.sg, BLOCK_ACCT_WRITE);
543         r->req.resid -= r->req.sg->size;
544         r->req.aiocb = dma_blk_write(s->qdev.conf.blk, r->req.sg, r->sector,
545                                      scsi_dma_complete, r);
546     } else {
547         n = r->qiov.size / 512;
548         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
549                          n * BDRV_SECTOR_SIZE, BLOCK_ACCT_WRITE);
550         r->req.aiocb = blk_aio_writev(s->qdev.conf.blk, r->sector, &r->qiov, n,
551                                       scsi_write_complete, r);
552     }
553 }
554 
555 /* Return a pointer to the data buffer.  */
556 static uint8_t *scsi_get_buf(SCSIRequest *req)
557 {
558     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
559 
560     return (uint8_t *)r->iov.iov_base;
561 }
562 
563 static int scsi_disk_emulate_inquiry(SCSIRequest *req, uint8_t *outbuf)
564 {
565     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
566     int buflen = 0;
567     int start;
568 
569     if (req->cmd.buf[1] & 0x1) {
570         /* Vital product data */
571         uint8_t page_code = req->cmd.buf[2];
572 
573         outbuf[buflen++] = s->qdev.type & 0x1f;
574         outbuf[buflen++] = page_code ; // this page
575         outbuf[buflen++] = 0x00;
576         outbuf[buflen++] = 0x00;
577         start = buflen;
578 
579         switch (page_code) {
580         case 0x00: /* Supported page codes, mandatory */
581         {
582             DPRINTF("Inquiry EVPD[Supported pages] "
583                     "buffer size %zd\n", req->cmd.xfer);
584             outbuf[buflen++] = 0x00; // list of supported pages (this page)
585             if (s->serial) {
586                 outbuf[buflen++] = 0x80; // unit serial number
587             }
588             outbuf[buflen++] = 0x83; // device identification
589             if (s->qdev.type == TYPE_DISK) {
590                 outbuf[buflen++] = 0xb0; // block limits
591                 outbuf[buflen++] = 0xb2; // thin provisioning
592             }
593             break;
594         }
595         case 0x80: /* Device serial number, optional */
596         {
597             int l;
598 
599             if (!s->serial) {
600                 DPRINTF("Inquiry (EVPD[Serial number] not supported\n");
601                 return -1;
602             }
603 
604             l = strlen(s->serial);
605             if (l > 20) {
606                 l = 20;
607             }
608 
609             DPRINTF("Inquiry EVPD[Serial number] "
610                     "buffer size %zd\n", req->cmd.xfer);
611             memcpy(outbuf+buflen, s->serial, l);
612             buflen += l;
613             break;
614         }
615 
616         case 0x83: /* Device identification page, mandatory */
617         {
618             const char *str = s->serial ?: blk_name(s->qdev.conf.blk);
619             int max_len = s->serial ? 20 : 255 - 8;
620             int id_len = strlen(str);
621 
622             if (id_len > max_len) {
623                 id_len = max_len;
624             }
625             DPRINTF("Inquiry EVPD[Device identification] "
626                     "buffer size %zd\n", req->cmd.xfer);
627 
628             outbuf[buflen++] = 0x2; // ASCII
629             outbuf[buflen++] = 0;   // not officially assigned
630             outbuf[buflen++] = 0;   // reserved
631             outbuf[buflen++] = id_len; // length of data following
632             memcpy(outbuf+buflen, str, id_len);
633             buflen += id_len;
634 
635             if (s->wwn) {
636                 outbuf[buflen++] = 0x1; // Binary
637                 outbuf[buflen++] = 0x3; // NAA
638                 outbuf[buflen++] = 0;   // reserved
639                 outbuf[buflen++] = 8;
640                 stq_be_p(&outbuf[buflen], s->wwn);
641                 buflen += 8;
642             }
643 
644             if (s->port_wwn) {
645                 outbuf[buflen++] = 0x61; // SAS / Binary
646                 outbuf[buflen++] = 0x93; // PIV / Target port / NAA
647                 outbuf[buflen++] = 0;    // reserved
648                 outbuf[buflen++] = 8;
649                 stq_be_p(&outbuf[buflen], s->port_wwn);
650                 buflen += 8;
651             }
652 
653             if (s->port_index) {
654                 outbuf[buflen++] = 0x61; // SAS / Binary
655                 outbuf[buflen++] = 0x94; // PIV / Target port / relative target port
656                 outbuf[buflen++] = 0;    // reserved
657                 outbuf[buflen++] = 4;
658                 stw_be_p(&outbuf[buflen + 2], s->port_index);
659                 buflen += 4;
660             }
661             break;
662         }
663         case 0xb0: /* block limits */
664         {
665             unsigned int unmap_sectors =
666                     s->qdev.conf.discard_granularity / s->qdev.blocksize;
667             unsigned int min_io_size =
668                     s->qdev.conf.min_io_size / s->qdev.blocksize;
669             unsigned int opt_io_size =
670                     s->qdev.conf.opt_io_size / s->qdev.blocksize;
671             unsigned int max_unmap_sectors =
672                     s->max_unmap_size / s->qdev.blocksize;
673             unsigned int max_io_sectors =
674                     s->max_io_size / s->qdev.blocksize;
675 
676             if (s->qdev.type == TYPE_ROM) {
677                 DPRINTF("Inquiry (EVPD[%02X] not supported for CDROM\n",
678                         page_code);
679                 return -1;
680             }
681             /* required VPD size with unmap support */
682             buflen = 0x40;
683             memset(outbuf + 4, 0, buflen - 4);
684 
685             outbuf[4] = 0x1; /* wsnz */
686 
687             /* optimal transfer length granularity */
688             outbuf[6] = (min_io_size >> 8) & 0xff;
689             outbuf[7] = min_io_size & 0xff;
690 
691             /* maximum transfer length */
692             outbuf[8] = (max_io_sectors >> 24) & 0xff;
693             outbuf[9] = (max_io_sectors >> 16) & 0xff;
694             outbuf[10] = (max_io_sectors >> 8) & 0xff;
695             outbuf[11] = max_io_sectors & 0xff;
696 
697             /* optimal transfer length */
698             outbuf[12] = (opt_io_size >> 24) & 0xff;
699             outbuf[13] = (opt_io_size >> 16) & 0xff;
700             outbuf[14] = (opt_io_size >> 8) & 0xff;
701             outbuf[15] = opt_io_size & 0xff;
702 
703             /* max unmap LBA count, default is 1GB */
704             outbuf[20] = (max_unmap_sectors >> 24) & 0xff;
705             outbuf[21] = (max_unmap_sectors >> 16) & 0xff;
706             outbuf[22] = (max_unmap_sectors >> 8) & 0xff;
707             outbuf[23] = max_unmap_sectors & 0xff;
708 
709             /* max unmap descriptors, 255 fit in 4 kb with an 8-byte header.  */
710             outbuf[24] = 0;
711             outbuf[25] = 0;
712             outbuf[26] = 0;
713             outbuf[27] = 255;
714 
715             /* optimal unmap granularity */
716             outbuf[28] = (unmap_sectors >> 24) & 0xff;
717             outbuf[29] = (unmap_sectors >> 16) & 0xff;
718             outbuf[30] = (unmap_sectors >> 8) & 0xff;
719             outbuf[31] = unmap_sectors & 0xff;
720 
721             /* max write same size */
722             outbuf[36] = 0;
723             outbuf[37] = 0;
724             outbuf[38] = 0;
725             outbuf[39] = 0;
726 
727             outbuf[40] = (max_io_sectors >> 24) & 0xff;
728             outbuf[41] = (max_io_sectors >> 16) & 0xff;
729             outbuf[42] = (max_io_sectors >> 8) & 0xff;
730             outbuf[43] = max_io_sectors & 0xff;
731             break;
732         }
733         case 0xb2: /* thin provisioning */
734         {
735             buflen = 8;
736             outbuf[4] = 0;
737             outbuf[5] = 0xe0; /* unmap & write_same 10/16 all supported */
738             outbuf[6] = s->qdev.conf.discard_granularity ? 2 : 1;
739             outbuf[7] = 0;
740             break;
741         }
742         default:
743             return -1;
744         }
745         /* done with EVPD */
746         assert(buflen - start <= 255);
747         outbuf[start - 1] = buflen - start;
748         return buflen;
749     }
750 
751     /* Standard INQUIRY data */
752     if (req->cmd.buf[2] != 0) {
753         return -1;
754     }
755 
756     /* PAGE CODE == 0 */
757     buflen = req->cmd.xfer;
758     if (buflen > SCSI_MAX_INQUIRY_LEN) {
759         buflen = SCSI_MAX_INQUIRY_LEN;
760     }
761 
762     outbuf[0] = s->qdev.type & 0x1f;
763     outbuf[1] = (s->features & (1 << SCSI_DISK_F_REMOVABLE)) ? 0x80 : 0;
764 
765     strpadcpy((char *) &outbuf[16], 16, s->product, ' ');
766     strpadcpy((char *) &outbuf[8], 8, s->vendor, ' ');
767 
768     memset(&outbuf[32], 0, 4);
769     memcpy(&outbuf[32], s->version, MIN(4, strlen(s->version)));
770     /*
771      * We claim conformance to SPC-3, which is required for guests
772      * to ask for modern features like READ CAPACITY(16) or the
773      * block characteristics VPD page by default.  Not all of SPC-3
774      * is actually implemented, but we're good enough.
775      */
776     outbuf[2] = 5;
777     outbuf[3] = 2 | 0x10; /* Format 2, HiSup */
778 
779     if (buflen > 36) {
780         outbuf[4] = buflen - 5; /* Additional Length = (Len - 1) - 4 */
781     } else {
782         /* If the allocation length of CDB is too small,
783                the additional length is not adjusted */
784         outbuf[4] = 36 - 5;
785     }
786 
787     /* Sync data transfer and TCQ.  */
788     outbuf[7] = 0x10 | (req->bus->info->tcq ? 0x02 : 0);
789     return buflen;
790 }
791 
792 static inline bool media_is_dvd(SCSIDiskState *s)
793 {
794     uint64_t nb_sectors;
795     if (s->qdev.type != TYPE_ROM) {
796         return false;
797     }
798     if (!blk_is_inserted(s->qdev.conf.blk)) {
799         return false;
800     }
801     if (s->tray_open) {
802         return false;
803     }
804     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
805     return nb_sectors > CD_MAX_SECTORS;
806 }
807 
808 static inline bool media_is_cd(SCSIDiskState *s)
809 {
810     uint64_t nb_sectors;
811     if (s->qdev.type != TYPE_ROM) {
812         return false;
813     }
814     if (!blk_is_inserted(s->qdev.conf.blk)) {
815         return false;
816     }
817     if (s->tray_open) {
818         return false;
819     }
820     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
821     return nb_sectors <= CD_MAX_SECTORS;
822 }
823 
824 static int scsi_read_disc_information(SCSIDiskState *s, SCSIDiskReq *r,
825                                       uint8_t *outbuf)
826 {
827     uint8_t type = r->req.cmd.buf[1] & 7;
828 
829     if (s->qdev.type != TYPE_ROM) {
830         return -1;
831     }
832 
833     /* Types 1/2 are only defined for Blu-Ray.  */
834     if (type != 0) {
835         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
836         return -1;
837     }
838 
839     memset(outbuf, 0, 34);
840     outbuf[1] = 32;
841     outbuf[2] = 0xe; /* last session complete, disc finalized */
842     outbuf[3] = 1;   /* first track on disc */
843     outbuf[4] = 1;   /* # of sessions */
844     outbuf[5] = 1;   /* first track of last session */
845     outbuf[6] = 1;   /* last track of last session */
846     outbuf[7] = 0x20; /* unrestricted use */
847     outbuf[8] = 0x00; /* CD-ROM or DVD-ROM */
848     /* 9-10-11: most significant byte corresponding bytes 4-5-6 */
849     /* 12-23: not meaningful for CD-ROM or DVD-ROM */
850     /* 24-31: disc bar code */
851     /* 32: disc application code */
852     /* 33: number of OPC tables */
853 
854     return 34;
855 }
856 
857 static int scsi_read_dvd_structure(SCSIDiskState *s, SCSIDiskReq *r,
858                                    uint8_t *outbuf)
859 {
860     static const int rds_caps_size[5] = {
861         [0] = 2048 + 4,
862         [1] = 4 + 4,
863         [3] = 188 + 4,
864         [4] = 2048 + 4,
865     };
866 
867     uint8_t media = r->req.cmd.buf[1];
868     uint8_t layer = r->req.cmd.buf[6];
869     uint8_t format = r->req.cmd.buf[7];
870     int size = -1;
871 
872     if (s->qdev.type != TYPE_ROM) {
873         return -1;
874     }
875     if (media != 0) {
876         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
877         return -1;
878     }
879 
880     if (format != 0xff) {
881         if (s->tray_open || !blk_is_inserted(s->qdev.conf.blk)) {
882             scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
883             return -1;
884         }
885         if (media_is_cd(s)) {
886             scsi_check_condition(r, SENSE_CODE(INCOMPATIBLE_FORMAT));
887             return -1;
888         }
889         if (format >= ARRAY_SIZE(rds_caps_size)) {
890             return -1;
891         }
892         size = rds_caps_size[format];
893         memset(outbuf, 0, size);
894     }
895 
896     switch (format) {
897     case 0x00: {
898         /* Physical format information */
899         uint64_t nb_sectors;
900         if (layer != 0) {
901             goto fail;
902         }
903         blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
904 
905         outbuf[4] = 1;   /* DVD-ROM, part version 1 */
906         outbuf[5] = 0xf; /* 120mm disc, minimum rate unspecified */
907         outbuf[6] = 1;   /* one layer, read-only (per MMC-2 spec) */
908         outbuf[7] = 0;   /* default densities */
909 
910         stl_be_p(&outbuf[12], (nb_sectors >> 2) - 1); /* end sector */
911         stl_be_p(&outbuf[16], (nb_sectors >> 2) - 1); /* l0 end sector */
912         break;
913     }
914 
915     case 0x01: /* DVD copyright information, all zeros */
916         break;
917 
918     case 0x03: /* BCA information - invalid field for no BCA info */
919         return -1;
920 
921     case 0x04: /* DVD disc manufacturing information, all zeros */
922         break;
923 
924     case 0xff: { /* List capabilities */
925         int i;
926         size = 4;
927         for (i = 0; i < ARRAY_SIZE(rds_caps_size); i++) {
928             if (!rds_caps_size[i]) {
929                 continue;
930             }
931             outbuf[size] = i;
932             outbuf[size + 1] = 0x40; /* Not writable, readable */
933             stw_be_p(&outbuf[size + 2], rds_caps_size[i]);
934             size += 4;
935         }
936         break;
937      }
938 
939     default:
940         return -1;
941     }
942 
943     /* Size of buffer, not including 2 byte size field */
944     stw_be_p(outbuf, size - 2);
945     return size;
946 
947 fail:
948     return -1;
949 }
950 
951 static int scsi_event_status_media(SCSIDiskState *s, uint8_t *outbuf)
952 {
953     uint8_t event_code, media_status;
954 
955     media_status = 0;
956     if (s->tray_open) {
957         media_status = MS_TRAY_OPEN;
958     } else if (blk_is_inserted(s->qdev.conf.blk)) {
959         media_status = MS_MEDIA_PRESENT;
960     }
961 
962     /* Event notification descriptor */
963     event_code = MEC_NO_CHANGE;
964     if (media_status != MS_TRAY_OPEN) {
965         if (s->media_event) {
966             event_code = MEC_NEW_MEDIA;
967             s->media_event = false;
968         } else if (s->eject_request) {
969             event_code = MEC_EJECT_REQUESTED;
970             s->eject_request = false;
971         }
972     }
973 
974     outbuf[0] = event_code;
975     outbuf[1] = media_status;
976 
977     /* These fields are reserved, just clear them. */
978     outbuf[2] = 0;
979     outbuf[3] = 0;
980     return 4;
981 }
982 
983 static int scsi_get_event_status_notification(SCSIDiskState *s, SCSIDiskReq *r,
984                                               uint8_t *outbuf)
985 {
986     int size;
987     uint8_t *buf = r->req.cmd.buf;
988     uint8_t notification_class_request = buf[4];
989     if (s->qdev.type != TYPE_ROM) {
990         return -1;
991     }
992     if ((buf[1] & 1) == 0) {
993         /* asynchronous */
994         return -1;
995     }
996 
997     size = 4;
998     outbuf[0] = outbuf[1] = 0;
999     outbuf[3] = 1 << GESN_MEDIA; /* supported events */
1000     if (notification_class_request & (1 << GESN_MEDIA)) {
1001         outbuf[2] = GESN_MEDIA;
1002         size += scsi_event_status_media(s, &outbuf[size]);
1003     } else {
1004         outbuf[2] = 0x80;
1005     }
1006     stw_be_p(outbuf, size - 4);
1007     return size;
1008 }
1009 
1010 static int scsi_get_configuration(SCSIDiskState *s, uint8_t *outbuf)
1011 {
1012     int current;
1013 
1014     if (s->qdev.type != TYPE_ROM) {
1015         return -1;
1016     }
1017 
1018     if (media_is_dvd(s)) {
1019         current = MMC_PROFILE_DVD_ROM;
1020     } else if (media_is_cd(s)) {
1021         current = MMC_PROFILE_CD_ROM;
1022     } else {
1023         current = MMC_PROFILE_NONE;
1024     }
1025 
1026     memset(outbuf, 0, 40);
1027     stl_be_p(&outbuf[0], 36); /* Bytes after the data length field */
1028     stw_be_p(&outbuf[6], current);
1029     /* outbuf[8] - outbuf[19]: Feature 0 - Profile list */
1030     outbuf[10] = 0x03; /* persistent, current */
1031     outbuf[11] = 8; /* two profiles */
1032     stw_be_p(&outbuf[12], MMC_PROFILE_DVD_ROM);
1033     outbuf[14] = (current == MMC_PROFILE_DVD_ROM);
1034     stw_be_p(&outbuf[16], MMC_PROFILE_CD_ROM);
1035     outbuf[18] = (current == MMC_PROFILE_CD_ROM);
1036     /* outbuf[20] - outbuf[31]: Feature 1 - Core feature */
1037     stw_be_p(&outbuf[20], 1);
1038     outbuf[22] = 0x08 | 0x03; /* version 2, persistent, current */
1039     outbuf[23] = 8;
1040     stl_be_p(&outbuf[24], 1); /* SCSI */
1041     outbuf[28] = 1; /* DBE = 1, mandatory */
1042     /* outbuf[32] - outbuf[39]: Feature 3 - Removable media feature */
1043     stw_be_p(&outbuf[32], 3);
1044     outbuf[34] = 0x08 | 0x03; /* version 2, persistent, current */
1045     outbuf[35] = 4;
1046     outbuf[36] = 0x39; /* tray, load=1, eject=1, unlocked at powerup, lock=1 */
1047     /* TODO: Random readable, CD read, DVD read, drive serial number,
1048        power management */
1049     return 40;
1050 }
1051 
1052 static int scsi_emulate_mechanism_status(SCSIDiskState *s, uint8_t *outbuf)
1053 {
1054     if (s->qdev.type != TYPE_ROM) {
1055         return -1;
1056     }
1057     memset(outbuf, 0, 8);
1058     outbuf[5] = 1; /* CD-ROM */
1059     return 8;
1060 }
1061 
1062 static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf,
1063                            int page_control)
1064 {
1065     static const int mode_sense_valid[0x3f] = {
1066         [MODE_PAGE_HD_GEOMETRY]            = (1 << TYPE_DISK),
1067         [MODE_PAGE_FLEXIBLE_DISK_GEOMETRY] = (1 << TYPE_DISK),
1068         [MODE_PAGE_CACHING]                = (1 << TYPE_DISK) | (1 << TYPE_ROM),
1069         [MODE_PAGE_R_W_ERROR]              = (1 << TYPE_DISK) | (1 << TYPE_ROM),
1070         [MODE_PAGE_AUDIO_CTL]              = (1 << TYPE_ROM),
1071         [MODE_PAGE_CAPABILITIES]           = (1 << TYPE_ROM),
1072     };
1073 
1074     uint8_t *p = *p_outbuf + 2;
1075     int length;
1076 
1077     if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) {
1078         return -1;
1079     }
1080 
1081     /*
1082      * If Changeable Values are requested, a mask denoting those mode parameters
1083      * that are changeable shall be returned. As we currently don't support
1084      * parameter changes via MODE_SELECT all bits are returned set to zero.
1085      * The buffer was already menset to zero by the caller of this function.
1086      *
1087      * The offsets here are off by two compared to the descriptions in the
1088      * SCSI specs, because those include a 2-byte header.  This is unfortunate,
1089      * but it is done so that offsets are consistent within our implementation
1090      * of MODE SENSE and MODE SELECT.  MODE SELECT has to deal with both
1091      * 2-byte and 4-byte headers.
1092      */
1093     switch (page) {
1094     case MODE_PAGE_HD_GEOMETRY:
1095         length = 0x16;
1096         if (page_control == 1) { /* Changeable Values */
1097             break;
1098         }
1099         /* if a geometry hint is available, use it */
1100         p[0] = (s->qdev.conf.cyls >> 16) & 0xff;
1101         p[1] = (s->qdev.conf.cyls >> 8) & 0xff;
1102         p[2] = s->qdev.conf.cyls & 0xff;
1103         p[3] = s->qdev.conf.heads & 0xff;
1104         /* Write precomp start cylinder, disabled */
1105         p[4] = (s->qdev.conf.cyls >> 16) & 0xff;
1106         p[5] = (s->qdev.conf.cyls >> 8) & 0xff;
1107         p[6] = s->qdev.conf.cyls & 0xff;
1108         /* Reduced current start cylinder, disabled */
1109         p[7] = (s->qdev.conf.cyls >> 16) & 0xff;
1110         p[8] = (s->qdev.conf.cyls >> 8) & 0xff;
1111         p[9] = s->qdev.conf.cyls & 0xff;
1112         /* Device step rate [ns], 200ns */
1113         p[10] = 0;
1114         p[11] = 200;
1115         /* Landing zone cylinder */
1116         p[12] = 0xff;
1117         p[13] =  0xff;
1118         p[14] = 0xff;
1119         /* Medium rotation rate [rpm], 5400 rpm */
1120         p[18] = (5400 >> 8) & 0xff;
1121         p[19] = 5400 & 0xff;
1122         break;
1123 
1124     case MODE_PAGE_FLEXIBLE_DISK_GEOMETRY:
1125         length = 0x1e;
1126         if (page_control == 1) { /* Changeable Values */
1127             break;
1128         }
1129         /* Transfer rate [kbit/s], 5Mbit/s */
1130         p[0] = 5000 >> 8;
1131         p[1] = 5000 & 0xff;
1132         /* if a geometry hint is available, use it */
1133         p[2] = s->qdev.conf.heads & 0xff;
1134         p[3] = s->qdev.conf.secs & 0xff;
1135         p[4] = s->qdev.blocksize >> 8;
1136         p[6] = (s->qdev.conf.cyls >> 8) & 0xff;
1137         p[7] = s->qdev.conf.cyls & 0xff;
1138         /* Write precomp start cylinder, disabled */
1139         p[8] = (s->qdev.conf.cyls >> 8) & 0xff;
1140         p[9] = s->qdev.conf.cyls & 0xff;
1141         /* Reduced current start cylinder, disabled */
1142         p[10] = (s->qdev.conf.cyls >> 8) & 0xff;
1143         p[11] = s->qdev.conf.cyls & 0xff;
1144         /* Device step rate [100us], 100us */
1145         p[12] = 0;
1146         p[13] = 1;
1147         /* Device step pulse width [us], 1us */
1148         p[14] = 1;
1149         /* Device head settle delay [100us], 100us */
1150         p[15] = 0;
1151         p[16] = 1;
1152         /* Motor on delay [0.1s], 0.1s */
1153         p[17] = 1;
1154         /* Motor off delay [0.1s], 0.1s */
1155         p[18] = 1;
1156         /* Medium rotation rate [rpm], 5400 rpm */
1157         p[26] = (5400 >> 8) & 0xff;
1158         p[27] = 5400 & 0xff;
1159         break;
1160 
1161     case MODE_PAGE_CACHING:
1162         length = 0x12;
1163         if (page_control == 1 || /* Changeable Values */
1164             blk_enable_write_cache(s->qdev.conf.blk)) {
1165             p[0] = 4; /* WCE */
1166         }
1167         break;
1168 
1169     case MODE_PAGE_R_W_ERROR:
1170         length = 10;
1171         if (page_control == 1) { /* Changeable Values */
1172             break;
1173         }
1174         p[0] = 0x80; /* Automatic Write Reallocation Enabled */
1175         if (s->qdev.type == TYPE_ROM) {
1176             p[1] = 0x20; /* Read Retry Count */
1177         }
1178         break;
1179 
1180     case MODE_PAGE_AUDIO_CTL:
1181         length = 14;
1182         break;
1183 
1184     case MODE_PAGE_CAPABILITIES:
1185         length = 0x14;
1186         if (page_control == 1) { /* Changeable Values */
1187             break;
1188         }
1189 
1190         p[0] = 0x3b; /* CD-R & CD-RW read */
1191         p[1] = 0; /* Writing not supported */
1192         p[2] = 0x7f; /* Audio, composite, digital out,
1193                         mode 2 form 1&2, multi session */
1194         p[3] = 0xff; /* CD DA, DA accurate, RW supported,
1195                         RW corrected, C2 errors, ISRC,
1196                         UPC, Bar code */
1197         p[4] = 0x2d | (s->tray_locked ? 2 : 0);
1198         /* Locking supported, jumper present, eject, tray */
1199         p[5] = 0; /* no volume & mute control, no
1200                      changer */
1201         p[6] = (50 * 176) >> 8; /* 50x read speed */
1202         p[7] = (50 * 176) & 0xff;
1203         p[8] = 2 >> 8; /* Two volume levels */
1204         p[9] = 2 & 0xff;
1205         p[10] = 2048 >> 8; /* 2M buffer */
1206         p[11] = 2048 & 0xff;
1207         p[12] = (16 * 176) >> 8; /* 16x read speed current */
1208         p[13] = (16 * 176) & 0xff;
1209         p[16] = (16 * 176) >> 8; /* 16x write speed */
1210         p[17] = (16 * 176) & 0xff;
1211         p[18] = (16 * 176) >> 8; /* 16x write speed current */
1212         p[19] = (16 * 176) & 0xff;
1213         break;
1214 
1215     default:
1216         return -1;
1217     }
1218 
1219     assert(length < 256);
1220     (*p_outbuf)[0] = page;
1221     (*p_outbuf)[1] = length;
1222     *p_outbuf += length + 2;
1223     return length + 2;
1224 }
1225 
1226 static int scsi_disk_emulate_mode_sense(SCSIDiskReq *r, uint8_t *outbuf)
1227 {
1228     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1229     uint64_t nb_sectors;
1230     bool dbd;
1231     int page, buflen, ret, page_control;
1232     uint8_t *p;
1233     uint8_t dev_specific_param;
1234 
1235     dbd = (r->req.cmd.buf[1] & 0x8) != 0;
1236     page = r->req.cmd.buf[2] & 0x3f;
1237     page_control = (r->req.cmd.buf[2] & 0xc0) >> 6;
1238     DPRINTF("Mode Sense(%d) (page %d, xfer %zd, page_control %d)\n",
1239         (r->req.cmd.buf[0] == MODE_SENSE) ? 6 : 10, page, r->req.cmd.xfer, page_control);
1240     memset(outbuf, 0, r->req.cmd.xfer);
1241     p = outbuf;
1242 
1243     if (s->qdev.type == TYPE_DISK) {
1244         dev_specific_param = s->features & (1 << SCSI_DISK_F_DPOFUA) ? 0x10 : 0;
1245         if (blk_is_read_only(s->qdev.conf.blk)) {
1246             dev_specific_param |= 0x80; /* Readonly.  */
1247         }
1248     } else {
1249         /* MMC prescribes that CD/DVD drives have no block descriptors,
1250          * and defines no device-specific parameter.  */
1251         dev_specific_param = 0x00;
1252         dbd = true;
1253     }
1254 
1255     if (r->req.cmd.buf[0] == MODE_SENSE) {
1256         p[1] = 0; /* Default media type.  */
1257         p[2] = dev_specific_param;
1258         p[3] = 0; /* Block descriptor length.  */
1259         p += 4;
1260     } else { /* MODE_SENSE_10 */
1261         p[2] = 0; /* Default media type.  */
1262         p[3] = dev_specific_param;
1263         p[6] = p[7] = 0; /* Block descriptor length.  */
1264         p += 8;
1265     }
1266 
1267     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
1268     if (!dbd && nb_sectors) {
1269         if (r->req.cmd.buf[0] == MODE_SENSE) {
1270             outbuf[3] = 8; /* Block descriptor length  */
1271         } else { /* MODE_SENSE_10 */
1272             outbuf[7] = 8; /* Block descriptor length  */
1273         }
1274         nb_sectors /= (s->qdev.blocksize / 512);
1275         if (nb_sectors > 0xffffff) {
1276             nb_sectors = 0;
1277         }
1278         p[0] = 0; /* media density code */
1279         p[1] = (nb_sectors >> 16) & 0xff;
1280         p[2] = (nb_sectors >> 8) & 0xff;
1281         p[3] = nb_sectors & 0xff;
1282         p[4] = 0; /* reserved */
1283         p[5] = 0; /* bytes 5-7 are the sector size in bytes */
1284         p[6] = s->qdev.blocksize >> 8;
1285         p[7] = 0;
1286         p += 8;
1287     }
1288 
1289     if (page_control == 3) {
1290         /* Saved Values */
1291         scsi_check_condition(r, SENSE_CODE(SAVING_PARAMS_NOT_SUPPORTED));
1292         return -1;
1293     }
1294 
1295     if (page == 0x3f) {
1296         for (page = 0; page <= 0x3e; page++) {
1297             mode_sense_page(s, page, &p, page_control);
1298         }
1299     } else {
1300         ret = mode_sense_page(s, page, &p, page_control);
1301         if (ret == -1) {
1302             return -1;
1303         }
1304     }
1305 
1306     buflen = p - outbuf;
1307     /*
1308      * The mode data length field specifies the length in bytes of the
1309      * following data that is available to be transferred. The mode data
1310      * length does not include itself.
1311      */
1312     if (r->req.cmd.buf[0] == MODE_SENSE) {
1313         outbuf[0] = buflen - 1;
1314     } else { /* MODE_SENSE_10 */
1315         outbuf[0] = ((buflen - 2) >> 8) & 0xff;
1316         outbuf[1] = (buflen - 2) & 0xff;
1317     }
1318     return buflen;
1319 }
1320 
1321 static int scsi_disk_emulate_read_toc(SCSIRequest *req, uint8_t *outbuf)
1322 {
1323     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1324     int start_track, format, msf, toclen;
1325     uint64_t nb_sectors;
1326 
1327     msf = req->cmd.buf[1] & 2;
1328     format = req->cmd.buf[2] & 0xf;
1329     start_track = req->cmd.buf[6];
1330     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
1331     DPRINTF("Read TOC (track %d format %d msf %d)\n", start_track, format, msf >> 1);
1332     nb_sectors /= s->qdev.blocksize / 512;
1333     switch (format) {
1334     case 0:
1335         toclen = cdrom_read_toc(nb_sectors, outbuf, msf, start_track);
1336         break;
1337     case 1:
1338         /* multi session : only a single session defined */
1339         toclen = 12;
1340         memset(outbuf, 0, 12);
1341         outbuf[1] = 0x0a;
1342         outbuf[2] = 0x01;
1343         outbuf[3] = 0x01;
1344         break;
1345     case 2:
1346         toclen = cdrom_read_toc_raw(nb_sectors, outbuf, msf, start_track);
1347         break;
1348     default:
1349         return -1;
1350     }
1351     return toclen;
1352 }
1353 
1354 static int scsi_disk_emulate_start_stop(SCSIDiskReq *r)
1355 {
1356     SCSIRequest *req = &r->req;
1357     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1358     bool start = req->cmd.buf[4] & 1;
1359     bool loej = req->cmd.buf[4] & 2; /* load on start, eject on !start */
1360     int pwrcnd = req->cmd.buf[4] & 0xf0;
1361 
1362     if (pwrcnd) {
1363         /* eject/load only happens for power condition == 0 */
1364         return 0;
1365     }
1366 
1367     if ((s->features & (1 << SCSI_DISK_F_REMOVABLE)) && loej) {
1368         if (!start && !s->tray_open && s->tray_locked) {
1369             scsi_check_condition(r,
1370                                  blk_is_inserted(s->qdev.conf.blk)
1371                                  ? SENSE_CODE(ILLEGAL_REQ_REMOVAL_PREVENTED)
1372                                  : SENSE_CODE(NOT_READY_REMOVAL_PREVENTED));
1373             return -1;
1374         }
1375 
1376         if (s->tray_open != !start) {
1377             blk_eject(s->qdev.conf.blk, !start);
1378             s->tray_open = !start;
1379         }
1380     }
1381     return 0;
1382 }
1383 
1384 static void scsi_disk_emulate_read_data(SCSIRequest *req)
1385 {
1386     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
1387     int buflen = r->iov.iov_len;
1388 
1389     if (buflen) {
1390         DPRINTF("Read buf_len=%d\n", buflen);
1391         r->iov.iov_len = 0;
1392         r->started = true;
1393         scsi_req_data(&r->req, buflen);
1394         return;
1395     }
1396 
1397     /* This also clears the sense buffer for REQUEST SENSE.  */
1398     scsi_req_complete(&r->req, GOOD);
1399 }
1400 
1401 static int scsi_disk_check_mode_select(SCSIDiskState *s, int page,
1402                                        uint8_t *inbuf, int inlen)
1403 {
1404     uint8_t mode_current[SCSI_MAX_MODE_LEN];
1405     uint8_t mode_changeable[SCSI_MAX_MODE_LEN];
1406     uint8_t *p;
1407     int len, expected_len, changeable_len, i;
1408 
1409     /* The input buffer does not include the page header, so it is
1410      * off by 2 bytes.
1411      */
1412     expected_len = inlen + 2;
1413     if (expected_len > SCSI_MAX_MODE_LEN) {
1414         return -1;
1415     }
1416 
1417     p = mode_current;
1418     memset(mode_current, 0, inlen + 2);
1419     len = mode_sense_page(s, page, &p, 0);
1420     if (len < 0 || len != expected_len) {
1421         return -1;
1422     }
1423 
1424     p = mode_changeable;
1425     memset(mode_changeable, 0, inlen + 2);
1426     changeable_len = mode_sense_page(s, page, &p, 1);
1427     assert(changeable_len == len);
1428 
1429     /* Check that unchangeable bits are the same as what MODE SENSE
1430      * would return.
1431      */
1432     for (i = 2; i < len; i++) {
1433         if (((mode_current[i] ^ inbuf[i - 2]) & ~mode_changeable[i]) != 0) {
1434             return -1;
1435         }
1436     }
1437     return 0;
1438 }
1439 
1440 static void scsi_disk_apply_mode_select(SCSIDiskState *s, int page, uint8_t *p)
1441 {
1442     switch (page) {
1443     case MODE_PAGE_CACHING:
1444         blk_set_enable_write_cache(s->qdev.conf.blk, (p[0] & 4) != 0);
1445         break;
1446 
1447     default:
1448         break;
1449     }
1450 }
1451 
1452 static int mode_select_pages(SCSIDiskReq *r, uint8_t *p, int len, bool change)
1453 {
1454     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1455 
1456     while (len > 0) {
1457         int page, subpage, page_len;
1458 
1459         /* Parse both possible formats for the mode page headers.  */
1460         page = p[0] & 0x3f;
1461         if (p[0] & 0x40) {
1462             if (len < 4) {
1463                 goto invalid_param_len;
1464             }
1465             subpage = p[1];
1466             page_len = lduw_be_p(&p[2]);
1467             p += 4;
1468             len -= 4;
1469         } else {
1470             if (len < 2) {
1471                 goto invalid_param_len;
1472             }
1473             subpage = 0;
1474             page_len = p[1];
1475             p += 2;
1476             len -= 2;
1477         }
1478 
1479         if (subpage) {
1480             goto invalid_param;
1481         }
1482         if (page_len > len) {
1483             goto invalid_param_len;
1484         }
1485 
1486         if (!change) {
1487             if (scsi_disk_check_mode_select(s, page, p, page_len) < 0) {
1488                 goto invalid_param;
1489             }
1490         } else {
1491             scsi_disk_apply_mode_select(s, page, p);
1492         }
1493 
1494         p += page_len;
1495         len -= page_len;
1496     }
1497     return 0;
1498 
1499 invalid_param:
1500     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM));
1501     return -1;
1502 
1503 invalid_param_len:
1504     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM_LEN));
1505     return -1;
1506 }
1507 
1508 static void scsi_disk_emulate_mode_select(SCSIDiskReq *r, uint8_t *inbuf)
1509 {
1510     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1511     uint8_t *p = inbuf;
1512     int cmd = r->req.cmd.buf[0];
1513     int len = r->req.cmd.xfer;
1514     int hdr_len = (cmd == MODE_SELECT ? 4 : 8);
1515     int bd_len;
1516     int pass;
1517 
1518     /* We only support PF=1, SP=0.  */
1519     if ((r->req.cmd.buf[1] & 0x11) != 0x10) {
1520         goto invalid_field;
1521     }
1522 
1523     if (len < hdr_len) {
1524         goto invalid_param_len;
1525     }
1526 
1527     bd_len = (cmd == MODE_SELECT ? p[3] : lduw_be_p(&p[6]));
1528     len -= hdr_len;
1529     p += hdr_len;
1530     if (len < bd_len) {
1531         goto invalid_param_len;
1532     }
1533     if (bd_len != 0 && bd_len != 8) {
1534         goto invalid_param;
1535     }
1536 
1537     len -= bd_len;
1538     p += bd_len;
1539 
1540     /* Ensure no change is made if there is an error!  */
1541     for (pass = 0; pass < 2; pass++) {
1542         if (mode_select_pages(r, p, len, pass == 1) < 0) {
1543             assert(pass == 0);
1544             return;
1545         }
1546     }
1547     if (!blk_enable_write_cache(s->qdev.conf.blk)) {
1548         /* The request is used as the AIO opaque value, so add a ref.  */
1549         scsi_req_ref(&r->req);
1550         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct, 0,
1551                          BLOCK_ACCT_FLUSH);
1552         r->req.aiocb = blk_aio_flush(s->qdev.conf.blk, scsi_aio_complete, r);
1553         return;
1554     }
1555 
1556     scsi_req_complete(&r->req, GOOD);
1557     return;
1558 
1559 invalid_param:
1560     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM));
1561     return;
1562 
1563 invalid_param_len:
1564     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM_LEN));
1565     return;
1566 
1567 invalid_field:
1568     scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1569 }
1570 
1571 static inline bool check_lba_range(SCSIDiskState *s,
1572                                    uint64_t sector_num, uint32_t nb_sectors)
1573 {
1574     /*
1575      * The first line tests that no overflow happens when computing the last
1576      * sector.  The second line tests that the last accessed sector is in
1577      * range.
1578      *
1579      * Careful, the computations should not underflow for nb_sectors == 0,
1580      * and a 0-block read to the first LBA beyond the end of device is
1581      * valid.
1582      */
1583     return (sector_num <= sector_num + nb_sectors &&
1584             sector_num + nb_sectors <= s->qdev.max_lba + 1);
1585 }
1586 
1587 typedef struct UnmapCBData {
1588     SCSIDiskReq *r;
1589     uint8_t *inbuf;
1590     int count;
1591 } UnmapCBData;
1592 
1593 static void scsi_unmap_complete(void *opaque, int ret);
1594 
1595 static void scsi_unmap_complete_noio(UnmapCBData *data, int ret)
1596 {
1597     SCSIDiskReq *r = data->r;
1598     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1599     uint64_t sector_num;
1600     uint32_t nb_sectors;
1601 
1602     assert(r->req.aiocb == NULL);
1603 
1604     if (r->req.io_canceled) {
1605         scsi_req_cancel_complete(&r->req);
1606         goto done;
1607     }
1608 
1609     if (ret < 0) {
1610         if (scsi_handle_rw_error(r, -ret, false)) {
1611             goto done;
1612         }
1613     }
1614 
1615     if (data->count > 0) {
1616         sector_num = ldq_be_p(&data->inbuf[0]);
1617         nb_sectors = ldl_be_p(&data->inbuf[8]) & 0xffffffffULL;
1618         if (!check_lba_range(s, sector_num, nb_sectors)) {
1619             scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
1620             goto done;
1621         }
1622 
1623         r->req.aiocb = blk_aio_discard(s->qdev.conf.blk,
1624                                        sector_num * (s->qdev.blocksize / 512),
1625                                        nb_sectors * (s->qdev.blocksize / 512),
1626                                        scsi_unmap_complete, data);
1627         data->count--;
1628         data->inbuf += 16;
1629         return;
1630     }
1631 
1632     scsi_req_complete(&r->req, GOOD);
1633 
1634 done:
1635     scsi_req_unref(&r->req);
1636     g_free(data);
1637 }
1638 
1639 static void scsi_unmap_complete(void *opaque, int ret)
1640 {
1641     UnmapCBData *data = opaque;
1642     SCSIDiskReq *r = data->r;
1643 
1644     assert(r->req.aiocb != NULL);
1645     r->req.aiocb = NULL;
1646 
1647     scsi_unmap_complete_noio(data, ret);
1648 }
1649 
1650 static void scsi_disk_emulate_unmap(SCSIDiskReq *r, uint8_t *inbuf)
1651 {
1652     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1653     uint8_t *p = inbuf;
1654     int len = r->req.cmd.xfer;
1655     UnmapCBData *data;
1656 
1657     /* Reject ANCHOR=1.  */
1658     if (r->req.cmd.buf[1] & 0x1) {
1659         goto invalid_field;
1660     }
1661 
1662     if (len < 8) {
1663         goto invalid_param_len;
1664     }
1665     if (len < lduw_be_p(&p[0]) + 2) {
1666         goto invalid_param_len;
1667     }
1668     if (len < lduw_be_p(&p[2]) + 8) {
1669         goto invalid_param_len;
1670     }
1671     if (lduw_be_p(&p[2]) & 15) {
1672         goto invalid_param_len;
1673     }
1674 
1675     if (blk_is_read_only(s->qdev.conf.blk)) {
1676         scsi_check_condition(r, SENSE_CODE(WRITE_PROTECTED));
1677         return;
1678     }
1679 
1680     data = g_new0(UnmapCBData, 1);
1681     data->r = r;
1682     data->inbuf = &p[8];
1683     data->count = lduw_be_p(&p[2]) >> 4;
1684 
1685     /* The matching unref is in scsi_unmap_complete, before data is freed.  */
1686     scsi_req_ref(&r->req);
1687     scsi_unmap_complete_noio(data, 0);
1688     return;
1689 
1690 invalid_param_len:
1691     scsi_check_condition(r, SENSE_CODE(INVALID_PARAM_LEN));
1692     return;
1693 
1694 invalid_field:
1695     scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1696 }
1697 
1698 typedef struct WriteSameCBData {
1699     SCSIDiskReq *r;
1700     int64_t sector;
1701     int nb_sectors;
1702     QEMUIOVector qiov;
1703     struct iovec iov;
1704 } WriteSameCBData;
1705 
1706 static void scsi_write_same_complete(void *opaque, int ret)
1707 {
1708     WriteSameCBData *data = opaque;
1709     SCSIDiskReq *r = data->r;
1710     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
1711 
1712     assert(r->req.aiocb != NULL);
1713     r->req.aiocb = NULL;
1714     if (r->req.io_canceled) {
1715         scsi_req_cancel_complete(&r->req);
1716         goto done;
1717     }
1718 
1719     if (ret < 0) {
1720         if (scsi_handle_rw_error(r, -ret, true)) {
1721             goto done;
1722         }
1723     }
1724 
1725     block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
1726 
1727     data->nb_sectors -= data->iov.iov_len / 512;
1728     data->sector += data->iov.iov_len / 512;
1729     data->iov.iov_len = MIN(data->nb_sectors * 512, data->iov.iov_len);
1730     if (data->iov.iov_len) {
1731         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
1732                          data->iov.iov_len, BLOCK_ACCT_WRITE);
1733         /* blk_aio_write doesn't like the qiov size being different from
1734          * nb_sectors, make sure they match.
1735          */
1736         qemu_iovec_init_external(&data->qiov, &data->iov, 1);
1737         r->req.aiocb = blk_aio_writev(s->qdev.conf.blk, data->sector,
1738                                       &data->qiov, data->iov.iov_len / 512,
1739                                       scsi_write_same_complete, data);
1740         return;
1741     }
1742 
1743     scsi_req_complete(&r->req, GOOD);
1744 
1745 done:
1746     scsi_req_unref(&r->req);
1747     qemu_vfree(data->iov.iov_base);
1748     g_free(data);
1749 }
1750 
1751 static void scsi_disk_emulate_write_same(SCSIDiskReq *r, uint8_t *inbuf)
1752 {
1753     SCSIRequest *req = &r->req;
1754     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1755     uint32_t nb_sectors = scsi_data_cdb_xfer(r->req.cmd.buf);
1756     WriteSameCBData *data;
1757     uint8_t *buf;
1758     int i;
1759 
1760     /* Fail if PBDATA=1 or LBDATA=1 or ANCHOR=1.  */
1761     if (nb_sectors == 0 || (req->cmd.buf[1] & 0x16)) {
1762         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1763         return;
1764     }
1765 
1766     if (blk_is_read_only(s->qdev.conf.blk)) {
1767         scsi_check_condition(r, SENSE_CODE(WRITE_PROTECTED));
1768         return;
1769     }
1770     if (!check_lba_range(s, r->req.cmd.lba, nb_sectors)) {
1771         scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
1772         return;
1773     }
1774 
1775     if (buffer_is_zero(inbuf, s->qdev.blocksize)) {
1776         int flags = (req->cmd.buf[1] & 0x8) ? BDRV_REQ_MAY_UNMAP : 0;
1777 
1778         /* The request is used as the AIO opaque value, so add a ref.  */
1779         scsi_req_ref(&r->req);
1780         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
1781                          nb_sectors * s->qdev.blocksize,
1782                         BLOCK_ACCT_WRITE);
1783         r->req.aiocb = blk_aio_write_zeroes(s->qdev.conf.blk,
1784                                 r->req.cmd.lba * (s->qdev.blocksize / 512),
1785                                 nb_sectors * (s->qdev.blocksize / 512),
1786                                 flags, scsi_aio_complete, r);
1787         return;
1788     }
1789 
1790     data = g_new0(WriteSameCBData, 1);
1791     data->r = r;
1792     data->sector = r->req.cmd.lba * (s->qdev.blocksize / 512);
1793     data->nb_sectors = nb_sectors * (s->qdev.blocksize / 512);
1794     data->iov.iov_len = MIN(data->nb_sectors * 512, SCSI_WRITE_SAME_MAX);
1795     data->iov.iov_base = buf = blk_blockalign(s->qdev.conf.blk,
1796                                               data->iov.iov_len);
1797     qemu_iovec_init_external(&data->qiov, &data->iov, 1);
1798 
1799     for (i = 0; i < data->iov.iov_len; i += s->qdev.blocksize) {
1800         memcpy(&buf[i], inbuf, s->qdev.blocksize);
1801     }
1802 
1803     scsi_req_ref(&r->req);
1804     block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct,
1805                      data->iov.iov_len, BLOCK_ACCT_WRITE);
1806     r->req.aiocb = blk_aio_writev(s->qdev.conf.blk, data->sector,
1807                                   &data->qiov, data->iov.iov_len / 512,
1808                                   scsi_write_same_complete, data);
1809 }
1810 
1811 static void scsi_disk_emulate_write_data(SCSIRequest *req)
1812 {
1813     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
1814 
1815     if (r->iov.iov_len) {
1816         int buflen = r->iov.iov_len;
1817         DPRINTF("Write buf_len=%d\n", buflen);
1818         r->iov.iov_len = 0;
1819         scsi_req_data(&r->req, buflen);
1820         return;
1821     }
1822 
1823     switch (req->cmd.buf[0]) {
1824     case MODE_SELECT:
1825     case MODE_SELECT_10:
1826         /* This also clears the sense buffer for REQUEST SENSE.  */
1827         scsi_disk_emulate_mode_select(r, r->iov.iov_base);
1828         break;
1829 
1830     case UNMAP:
1831         scsi_disk_emulate_unmap(r, r->iov.iov_base);
1832         break;
1833 
1834     case VERIFY_10:
1835     case VERIFY_12:
1836     case VERIFY_16:
1837         if (r->req.status == -1) {
1838             scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
1839         }
1840         break;
1841 
1842     case WRITE_SAME_10:
1843     case WRITE_SAME_16:
1844         scsi_disk_emulate_write_same(r, r->iov.iov_base);
1845         break;
1846 
1847     default:
1848         abort();
1849     }
1850 }
1851 
1852 static int32_t scsi_disk_emulate_command(SCSIRequest *req, uint8_t *buf)
1853 {
1854     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
1855     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
1856     uint64_t nb_sectors;
1857     uint8_t *outbuf;
1858     int buflen;
1859 
1860     switch (req->cmd.buf[0]) {
1861     case INQUIRY:
1862     case MODE_SENSE:
1863     case MODE_SENSE_10:
1864     case RESERVE:
1865     case RESERVE_10:
1866     case RELEASE:
1867     case RELEASE_10:
1868     case START_STOP:
1869     case ALLOW_MEDIUM_REMOVAL:
1870     case GET_CONFIGURATION:
1871     case GET_EVENT_STATUS_NOTIFICATION:
1872     case MECHANISM_STATUS:
1873     case REQUEST_SENSE:
1874         break;
1875 
1876     default:
1877         if (s->tray_open || !blk_is_inserted(s->qdev.conf.blk)) {
1878             scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
1879             return 0;
1880         }
1881         break;
1882     }
1883 
1884     /*
1885      * FIXME: we shouldn't return anything bigger than 4k, but the code
1886      * requires the buffer to be as big as req->cmd.xfer in several
1887      * places.  So, do not allow CDBs with a very large ALLOCATION
1888      * LENGTH.  The real fix would be to modify scsi_read_data and
1889      * dma_buf_read, so that they return data beyond the buflen
1890      * as all zeros.
1891      */
1892     if (req->cmd.xfer > 65536) {
1893         goto illegal_request;
1894     }
1895     r->buflen = MAX(4096, req->cmd.xfer);
1896 
1897     if (!r->iov.iov_base) {
1898         r->iov.iov_base = blk_blockalign(s->qdev.conf.blk, r->buflen);
1899     }
1900 
1901     buflen = req->cmd.xfer;
1902     outbuf = r->iov.iov_base;
1903     memset(outbuf, 0, r->buflen);
1904     switch (req->cmd.buf[0]) {
1905     case TEST_UNIT_READY:
1906         assert(!s->tray_open && blk_is_inserted(s->qdev.conf.blk));
1907         break;
1908     case INQUIRY:
1909         buflen = scsi_disk_emulate_inquiry(req, outbuf);
1910         if (buflen < 0) {
1911             goto illegal_request;
1912         }
1913         break;
1914     case MODE_SENSE:
1915     case MODE_SENSE_10:
1916         buflen = scsi_disk_emulate_mode_sense(r, outbuf);
1917         if (buflen < 0) {
1918             goto illegal_request;
1919         }
1920         break;
1921     case READ_TOC:
1922         buflen = scsi_disk_emulate_read_toc(req, outbuf);
1923         if (buflen < 0) {
1924             goto illegal_request;
1925         }
1926         break;
1927     case RESERVE:
1928         if (req->cmd.buf[1] & 1) {
1929             goto illegal_request;
1930         }
1931         break;
1932     case RESERVE_10:
1933         if (req->cmd.buf[1] & 3) {
1934             goto illegal_request;
1935         }
1936         break;
1937     case RELEASE:
1938         if (req->cmd.buf[1] & 1) {
1939             goto illegal_request;
1940         }
1941         break;
1942     case RELEASE_10:
1943         if (req->cmd.buf[1] & 3) {
1944             goto illegal_request;
1945         }
1946         break;
1947     case START_STOP:
1948         if (scsi_disk_emulate_start_stop(r) < 0) {
1949             return 0;
1950         }
1951         break;
1952     case ALLOW_MEDIUM_REMOVAL:
1953         s->tray_locked = req->cmd.buf[4] & 1;
1954         blk_lock_medium(s->qdev.conf.blk, req->cmd.buf[4] & 1);
1955         break;
1956     case READ_CAPACITY_10:
1957         /* The normal LEN field for this command is zero.  */
1958         memset(outbuf, 0, 8);
1959         blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
1960         if (!nb_sectors) {
1961             scsi_check_condition(r, SENSE_CODE(LUN_NOT_READY));
1962             return 0;
1963         }
1964         if ((req->cmd.buf[8] & 1) == 0 && req->cmd.lba) {
1965             goto illegal_request;
1966         }
1967         nb_sectors /= s->qdev.blocksize / 512;
1968         /* Returned value is the address of the last sector.  */
1969         nb_sectors--;
1970         /* Remember the new size for read/write sanity checking. */
1971         s->qdev.max_lba = nb_sectors;
1972         /* Clip to 2TB, instead of returning capacity modulo 2TB. */
1973         if (nb_sectors > UINT32_MAX) {
1974             nb_sectors = UINT32_MAX;
1975         }
1976         outbuf[0] = (nb_sectors >> 24) & 0xff;
1977         outbuf[1] = (nb_sectors >> 16) & 0xff;
1978         outbuf[2] = (nb_sectors >> 8) & 0xff;
1979         outbuf[3] = nb_sectors & 0xff;
1980         outbuf[4] = 0;
1981         outbuf[5] = 0;
1982         outbuf[6] = s->qdev.blocksize >> 8;
1983         outbuf[7] = 0;
1984         break;
1985     case REQUEST_SENSE:
1986         /* Just return "NO SENSE".  */
1987         buflen = scsi_build_sense(NULL, 0, outbuf, r->buflen,
1988                                   (req->cmd.buf[1] & 1) == 0);
1989         if (buflen < 0) {
1990             goto illegal_request;
1991         }
1992         break;
1993     case MECHANISM_STATUS:
1994         buflen = scsi_emulate_mechanism_status(s, outbuf);
1995         if (buflen < 0) {
1996             goto illegal_request;
1997         }
1998         break;
1999     case GET_CONFIGURATION:
2000         buflen = scsi_get_configuration(s, outbuf);
2001         if (buflen < 0) {
2002             goto illegal_request;
2003         }
2004         break;
2005     case GET_EVENT_STATUS_NOTIFICATION:
2006         buflen = scsi_get_event_status_notification(s, r, outbuf);
2007         if (buflen < 0) {
2008             goto illegal_request;
2009         }
2010         break;
2011     case READ_DISC_INFORMATION:
2012         buflen = scsi_read_disc_information(s, r, outbuf);
2013         if (buflen < 0) {
2014             goto illegal_request;
2015         }
2016         break;
2017     case READ_DVD_STRUCTURE:
2018         buflen = scsi_read_dvd_structure(s, r, outbuf);
2019         if (buflen < 0) {
2020             goto illegal_request;
2021         }
2022         break;
2023     case SERVICE_ACTION_IN_16:
2024         /* Service Action In subcommands. */
2025         if ((req->cmd.buf[1] & 31) == SAI_READ_CAPACITY_16) {
2026             DPRINTF("SAI READ CAPACITY(16)\n");
2027             memset(outbuf, 0, req->cmd.xfer);
2028             blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
2029             if (!nb_sectors) {
2030                 scsi_check_condition(r, SENSE_CODE(LUN_NOT_READY));
2031                 return 0;
2032             }
2033             if ((req->cmd.buf[14] & 1) == 0 && req->cmd.lba) {
2034                 goto illegal_request;
2035             }
2036             nb_sectors /= s->qdev.blocksize / 512;
2037             /* Returned value is the address of the last sector.  */
2038             nb_sectors--;
2039             /* Remember the new size for read/write sanity checking. */
2040             s->qdev.max_lba = nb_sectors;
2041             outbuf[0] = (nb_sectors >> 56) & 0xff;
2042             outbuf[1] = (nb_sectors >> 48) & 0xff;
2043             outbuf[2] = (nb_sectors >> 40) & 0xff;
2044             outbuf[3] = (nb_sectors >> 32) & 0xff;
2045             outbuf[4] = (nb_sectors >> 24) & 0xff;
2046             outbuf[5] = (nb_sectors >> 16) & 0xff;
2047             outbuf[6] = (nb_sectors >> 8) & 0xff;
2048             outbuf[7] = nb_sectors & 0xff;
2049             outbuf[8] = 0;
2050             outbuf[9] = 0;
2051             outbuf[10] = s->qdev.blocksize >> 8;
2052             outbuf[11] = 0;
2053             outbuf[12] = 0;
2054             outbuf[13] = get_physical_block_exp(&s->qdev.conf);
2055 
2056             /* set TPE bit if the format supports discard */
2057             if (s->qdev.conf.discard_granularity) {
2058                 outbuf[14] = 0x80;
2059             }
2060 
2061             /* Protection, exponent and lowest lba field left blank. */
2062             break;
2063         }
2064         DPRINTF("Unsupported Service Action In\n");
2065         goto illegal_request;
2066     case SYNCHRONIZE_CACHE:
2067         /* The request is used as the AIO opaque value, so add a ref.  */
2068         scsi_req_ref(&r->req);
2069         block_acct_start(blk_get_stats(s->qdev.conf.blk), &r->acct, 0,
2070                          BLOCK_ACCT_FLUSH);
2071         r->req.aiocb = blk_aio_flush(s->qdev.conf.blk, scsi_aio_complete, r);
2072         return 0;
2073     case SEEK_10:
2074         DPRINTF("Seek(10) (sector %" PRId64 ")\n", r->req.cmd.lba);
2075         if (r->req.cmd.lba > s->qdev.max_lba) {
2076             goto illegal_lba;
2077         }
2078         break;
2079     case MODE_SELECT:
2080         DPRINTF("Mode Select(6) (len %lu)\n", (long)r->req.cmd.xfer);
2081         break;
2082     case MODE_SELECT_10:
2083         DPRINTF("Mode Select(10) (len %lu)\n", (long)r->req.cmd.xfer);
2084         break;
2085     case UNMAP:
2086         DPRINTF("Unmap (len %lu)\n", (long)r->req.cmd.xfer);
2087         break;
2088     case VERIFY_10:
2089     case VERIFY_12:
2090     case VERIFY_16:
2091         DPRINTF("Verify (bytchk %d)\n", (req->cmd.buf[1] >> 1) & 3);
2092         if (req->cmd.buf[1] & 6) {
2093             goto illegal_request;
2094         }
2095         break;
2096     case WRITE_SAME_10:
2097     case WRITE_SAME_16:
2098         DPRINTF("WRITE SAME %d (len %lu)\n",
2099                 req->cmd.buf[0] == WRITE_SAME_10 ? 10 : 16,
2100                 (long)r->req.cmd.xfer);
2101         break;
2102     default:
2103         DPRINTF("Unknown SCSI command (%2.2x=%s)\n", buf[0],
2104                 scsi_command_name(buf[0]));
2105         scsi_check_condition(r, SENSE_CODE(INVALID_OPCODE));
2106         return 0;
2107     }
2108     assert(!r->req.aiocb);
2109     r->iov.iov_len = MIN(r->buflen, req->cmd.xfer);
2110     if (r->iov.iov_len == 0) {
2111         scsi_req_complete(&r->req, GOOD);
2112     }
2113     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
2114         assert(r->iov.iov_len == req->cmd.xfer);
2115         return -r->iov.iov_len;
2116     } else {
2117         return r->iov.iov_len;
2118     }
2119 
2120 illegal_request:
2121     if (r->req.status == -1) {
2122         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
2123     }
2124     return 0;
2125 
2126 illegal_lba:
2127     scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
2128     return 0;
2129 }
2130 
2131 /* Execute a scsi command.  Returns the length of the data expected by the
2132    command.  This will be Positive for data transfers from the device
2133    (eg. disk reads), negative for transfers to the device (eg. disk writes),
2134    and zero if the command does not transfer any data.  */
2135 
2136 static int32_t scsi_disk_dma_command(SCSIRequest *req, uint8_t *buf)
2137 {
2138     SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
2139     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
2140     uint32_t len;
2141     uint8_t command;
2142 
2143     command = buf[0];
2144 
2145     if (s->tray_open || !blk_is_inserted(s->qdev.conf.blk)) {
2146         scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
2147         return 0;
2148     }
2149 
2150     len = scsi_data_cdb_xfer(r->req.cmd.buf);
2151     switch (command) {
2152     case READ_6:
2153     case READ_10:
2154     case READ_12:
2155     case READ_16:
2156         DPRINTF("Read (sector %" PRId64 ", count %u)\n", r->req.cmd.lba, len);
2157         if (r->req.cmd.buf[1] & 0xe0) {
2158             goto illegal_request;
2159         }
2160         if (!check_lba_range(s, r->req.cmd.lba, len)) {
2161             goto illegal_lba;
2162         }
2163         r->sector = r->req.cmd.lba * (s->qdev.blocksize / 512);
2164         r->sector_count = len * (s->qdev.blocksize / 512);
2165         break;
2166     case WRITE_6:
2167     case WRITE_10:
2168     case WRITE_12:
2169     case WRITE_16:
2170     case WRITE_VERIFY_10:
2171     case WRITE_VERIFY_12:
2172     case WRITE_VERIFY_16:
2173         if (blk_is_read_only(s->qdev.conf.blk)) {
2174             scsi_check_condition(r, SENSE_CODE(WRITE_PROTECTED));
2175             return 0;
2176         }
2177         DPRINTF("Write %s(sector %" PRId64 ", count %u)\n",
2178                 (command & 0xe) == 0xe ? "And Verify " : "",
2179                 r->req.cmd.lba, len);
2180         if (r->req.cmd.buf[1] & 0xe0) {
2181             goto illegal_request;
2182         }
2183         if (!check_lba_range(s, r->req.cmd.lba, len)) {
2184             goto illegal_lba;
2185         }
2186         r->sector = r->req.cmd.lba * (s->qdev.blocksize / 512);
2187         r->sector_count = len * (s->qdev.blocksize / 512);
2188         break;
2189     default:
2190         abort();
2191     illegal_request:
2192         scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
2193         return 0;
2194     illegal_lba:
2195         scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
2196         return 0;
2197     }
2198     if (r->sector_count == 0) {
2199         scsi_req_complete(&r->req, GOOD);
2200     }
2201     assert(r->iov.iov_len == 0);
2202     if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
2203         return -r->sector_count * 512;
2204     } else {
2205         return r->sector_count * 512;
2206     }
2207 }
2208 
2209 static void scsi_disk_reset(DeviceState *dev)
2210 {
2211     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev.qdev, dev);
2212     uint64_t nb_sectors;
2213 
2214     scsi_device_purge_requests(&s->qdev, SENSE_CODE(RESET));
2215 
2216     blk_get_geometry(s->qdev.conf.blk, &nb_sectors);
2217     nb_sectors /= s->qdev.blocksize / 512;
2218     if (nb_sectors) {
2219         nb_sectors--;
2220     }
2221     s->qdev.max_lba = nb_sectors;
2222     /* reset tray statuses */
2223     s->tray_locked = 0;
2224     s->tray_open = 0;
2225 }
2226 
2227 static void scsi_disk_resize_cb(void *opaque)
2228 {
2229     SCSIDiskState *s = opaque;
2230 
2231     /* SPC lists this sense code as available only for
2232      * direct-access devices.
2233      */
2234     if (s->qdev.type == TYPE_DISK) {
2235         scsi_device_report_change(&s->qdev, SENSE_CODE(CAPACITY_CHANGED));
2236     }
2237 }
2238 
2239 static void scsi_cd_change_media_cb(void *opaque, bool load)
2240 {
2241     SCSIDiskState *s = opaque;
2242 
2243     /*
2244      * When a CD gets changed, we have to report an ejected state and
2245      * then a loaded state to guests so that they detect tray
2246      * open/close and media change events.  Guests that do not use
2247      * GET_EVENT_STATUS_NOTIFICATION to detect such tray open/close
2248      * states rely on this behavior.
2249      *
2250      * media_changed governs the state machine used for unit attention
2251      * report.  media_event is used by GET EVENT STATUS NOTIFICATION.
2252      */
2253     s->media_changed = load;
2254     s->tray_open = !load;
2255     scsi_device_set_ua(&s->qdev, SENSE_CODE(UNIT_ATTENTION_NO_MEDIUM));
2256     s->media_event = true;
2257     s->eject_request = false;
2258 }
2259 
2260 static void scsi_cd_eject_request_cb(void *opaque, bool force)
2261 {
2262     SCSIDiskState *s = opaque;
2263 
2264     s->eject_request = true;
2265     if (force) {
2266         s->tray_locked = false;
2267     }
2268 }
2269 
2270 static bool scsi_cd_is_tray_open(void *opaque)
2271 {
2272     return ((SCSIDiskState *)opaque)->tray_open;
2273 }
2274 
2275 static bool scsi_cd_is_medium_locked(void *opaque)
2276 {
2277     return ((SCSIDiskState *)opaque)->tray_locked;
2278 }
2279 
2280 static const BlockDevOps scsi_disk_removable_block_ops = {
2281     .change_media_cb = scsi_cd_change_media_cb,
2282     .eject_request_cb = scsi_cd_eject_request_cb,
2283     .is_tray_open = scsi_cd_is_tray_open,
2284     .is_medium_locked = scsi_cd_is_medium_locked,
2285 
2286     .resize_cb = scsi_disk_resize_cb,
2287 };
2288 
2289 static const BlockDevOps scsi_disk_block_ops = {
2290     .resize_cb = scsi_disk_resize_cb,
2291 };
2292 
2293 static void scsi_disk_unit_attention_reported(SCSIDevice *dev)
2294 {
2295     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2296     if (s->media_changed) {
2297         s->media_changed = false;
2298         scsi_device_set_ua(&s->qdev, SENSE_CODE(MEDIUM_CHANGED));
2299     }
2300 }
2301 
2302 static void scsi_realize(SCSIDevice *dev, Error **errp)
2303 {
2304     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2305     Error *err = NULL;
2306 
2307     if (!s->qdev.conf.blk) {
2308         error_setg(errp, "drive property not set");
2309         return;
2310     }
2311 
2312     if (!(s->features & (1 << SCSI_DISK_F_REMOVABLE)) &&
2313         !blk_is_inserted(s->qdev.conf.blk)) {
2314         error_setg(errp, "Device needs media, but drive is empty");
2315         return;
2316     }
2317 
2318     blkconf_serial(&s->qdev.conf, &s->serial);
2319     blkconf_blocksizes(&s->qdev.conf);
2320     if (dev->type == TYPE_DISK) {
2321         blkconf_geometry(&dev->conf, NULL, 65535, 255, 255, &err);
2322         if (err) {
2323             error_propagate(errp, err);
2324             return;
2325         }
2326     }
2327 
2328     if (s->qdev.conf.discard_granularity == -1) {
2329         s->qdev.conf.discard_granularity =
2330             MAX(s->qdev.conf.logical_block_size, DEFAULT_DISCARD_GRANULARITY);
2331     }
2332 
2333     if (!s->version) {
2334         s->version = g_strdup(qemu_hw_version());
2335     }
2336     if (!s->vendor) {
2337         s->vendor = g_strdup("QEMU");
2338     }
2339 
2340     if (blk_is_sg(s->qdev.conf.blk)) {
2341         error_setg(errp, "unwanted /dev/sg*");
2342         return;
2343     }
2344 
2345     if ((s->features & (1 << SCSI_DISK_F_REMOVABLE)) &&
2346             !(s->features & (1 << SCSI_DISK_F_NO_REMOVABLE_DEVOPS))) {
2347         blk_set_dev_ops(s->qdev.conf.blk, &scsi_disk_removable_block_ops, s);
2348     } else {
2349         blk_set_dev_ops(s->qdev.conf.blk, &scsi_disk_block_ops, s);
2350     }
2351     blk_set_guest_block_size(s->qdev.conf.blk, s->qdev.blocksize);
2352 
2353     blk_iostatus_enable(s->qdev.conf.blk);
2354 }
2355 
2356 static void scsi_hd_realize(SCSIDevice *dev, Error **errp)
2357 {
2358     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2359     /* can happen for devices without drive. The error message for missing
2360      * backend will be issued in scsi_realize
2361      */
2362     if (s->qdev.conf.blk) {
2363         blkconf_blocksizes(&s->qdev.conf);
2364     }
2365     s->qdev.blocksize = s->qdev.conf.logical_block_size;
2366     s->qdev.type = TYPE_DISK;
2367     if (!s->product) {
2368         s->product = g_strdup("QEMU HARDDISK");
2369     }
2370     scsi_realize(&s->qdev, errp);
2371 }
2372 
2373 static void scsi_cd_realize(SCSIDevice *dev, Error **errp)
2374 {
2375     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2376     s->qdev.blocksize = 2048;
2377     s->qdev.type = TYPE_ROM;
2378     s->features |= 1 << SCSI_DISK_F_REMOVABLE;
2379     if (!s->product) {
2380         s->product = g_strdup("QEMU CD-ROM");
2381     }
2382     scsi_realize(&s->qdev, errp);
2383 }
2384 
2385 static void scsi_disk_realize(SCSIDevice *dev, Error **errp)
2386 {
2387     DriveInfo *dinfo;
2388     Error *local_err = NULL;
2389 
2390     if (!dev->conf.blk) {
2391         scsi_realize(dev, &local_err);
2392         assert(local_err);
2393         error_propagate(errp, local_err);
2394         return;
2395     }
2396 
2397     dinfo = blk_legacy_dinfo(dev->conf.blk);
2398     if (dinfo && dinfo->media_cd) {
2399         scsi_cd_realize(dev, errp);
2400     } else {
2401         scsi_hd_realize(dev, errp);
2402     }
2403 }
2404 
2405 static const SCSIReqOps scsi_disk_emulate_reqops = {
2406     .size         = sizeof(SCSIDiskReq),
2407     .free_req     = scsi_free_request,
2408     .send_command = scsi_disk_emulate_command,
2409     .read_data    = scsi_disk_emulate_read_data,
2410     .write_data   = scsi_disk_emulate_write_data,
2411     .get_buf      = scsi_get_buf,
2412 };
2413 
2414 static const SCSIReqOps scsi_disk_dma_reqops = {
2415     .size         = sizeof(SCSIDiskReq),
2416     .free_req     = scsi_free_request,
2417     .send_command = scsi_disk_dma_command,
2418     .read_data    = scsi_read_data,
2419     .write_data   = scsi_write_data,
2420     .get_buf      = scsi_get_buf,
2421     .load_request = scsi_disk_load_request,
2422     .save_request = scsi_disk_save_request,
2423 };
2424 
2425 static const SCSIReqOps *const scsi_disk_reqops_dispatch[256] = {
2426     [TEST_UNIT_READY]                 = &scsi_disk_emulate_reqops,
2427     [INQUIRY]                         = &scsi_disk_emulate_reqops,
2428     [MODE_SENSE]                      = &scsi_disk_emulate_reqops,
2429     [MODE_SENSE_10]                   = &scsi_disk_emulate_reqops,
2430     [START_STOP]                      = &scsi_disk_emulate_reqops,
2431     [ALLOW_MEDIUM_REMOVAL]            = &scsi_disk_emulate_reqops,
2432     [READ_CAPACITY_10]                = &scsi_disk_emulate_reqops,
2433     [READ_TOC]                        = &scsi_disk_emulate_reqops,
2434     [READ_DVD_STRUCTURE]              = &scsi_disk_emulate_reqops,
2435     [READ_DISC_INFORMATION]           = &scsi_disk_emulate_reqops,
2436     [GET_CONFIGURATION]               = &scsi_disk_emulate_reqops,
2437     [GET_EVENT_STATUS_NOTIFICATION]   = &scsi_disk_emulate_reqops,
2438     [MECHANISM_STATUS]                = &scsi_disk_emulate_reqops,
2439     [SERVICE_ACTION_IN_16]            = &scsi_disk_emulate_reqops,
2440     [REQUEST_SENSE]                   = &scsi_disk_emulate_reqops,
2441     [SYNCHRONIZE_CACHE]               = &scsi_disk_emulate_reqops,
2442     [SEEK_10]                         = &scsi_disk_emulate_reqops,
2443     [MODE_SELECT]                     = &scsi_disk_emulate_reqops,
2444     [MODE_SELECT_10]                  = &scsi_disk_emulate_reqops,
2445     [UNMAP]                           = &scsi_disk_emulate_reqops,
2446     [WRITE_SAME_10]                   = &scsi_disk_emulate_reqops,
2447     [WRITE_SAME_16]                   = &scsi_disk_emulate_reqops,
2448     [VERIFY_10]                       = &scsi_disk_emulate_reqops,
2449     [VERIFY_12]                       = &scsi_disk_emulate_reqops,
2450     [VERIFY_16]                       = &scsi_disk_emulate_reqops,
2451 
2452     [READ_6]                          = &scsi_disk_dma_reqops,
2453     [READ_10]                         = &scsi_disk_dma_reqops,
2454     [READ_12]                         = &scsi_disk_dma_reqops,
2455     [READ_16]                         = &scsi_disk_dma_reqops,
2456     [WRITE_6]                         = &scsi_disk_dma_reqops,
2457     [WRITE_10]                        = &scsi_disk_dma_reqops,
2458     [WRITE_12]                        = &scsi_disk_dma_reqops,
2459     [WRITE_16]                        = &scsi_disk_dma_reqops,
2460     [WRITE_VERIFY_10]                 = &scsi_disk_dma_reqops,
2461     [WRITE_VERIFY_12]                 = &scsi_disk_dma_reqops,
2462     [WRITE_VERIFY_16]                 = &scsi_disk_dma_reqops,
2463 };
2464 
2465 static SCSIRequest *scsi_new_request(SCSIDevice *d, uint32_t tag, uint32_t lun,
2466                                      uint8_t *buf, void *hba_private)
2467 {
2468     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, d);
2469     SCSIRequest *req;
2470     const SCSIReqOps *ops;
2471     uint8_t command;
2472 
2473     command = buf[0];
2474     ops = scsi_disk_reqops_dispatch[command];
2475     if (!ops) {
2476         ops = &scsi_disk_emulate_reqops;
2477     }
2478     req = scsi_req_alloc(ops, &s->qdev, tag, lun, hba_private);
2479 
2480 #ifdef DEBUG_SCSI
2481     DPRINTF("Command: lun=%d tag=0x%x data=0x%02x", lun, tag, buf[0]);
2482     {
2483         int i;
2484         for (i = 1; i < scsi_cdb_length(buf); i++) {
2485             printf(" 0x%02x", buf[i]);
2486         }
2487         printf("\n");
2488     }
2489 #endif
2490 
2491     return req;
2492 }
2493 
2494 #ifdef __linux__
2495 static int get_device_type(SCSIDiskState *s)
2496 {
2497     uint8_t cmd[16];
2498     uint8_t buf[36];
2499     uint8_t sensebuf[8];
2500     sg_io_hdr_t io_header;
2501     int ret;
2502 
2503     memset(cmd, 0, sizeof(cmd));
2504     memset(buf, 0, sizeof(buf));
2505     cmd[0] = INQUIRY;
2506     cmd[4] = sizeof(buf);
2507 
2508     memset(&io_header, 0, sizeof(io_header));
2509     io_header.interface_id = 'S';
2510     io_header.dxfer_direction = SG_DXFER_FROM_DEV;
2511     io_header.dxfer_len = sizeof(buf);
2512     io_header.dxferp = buf;
2513     io_header.cmdp = cmd;
2514     io_header.cmd_len = sizeof(cmd);
2515     io_header.mx_sb_len = sizeof(sensebuf);
2516     io_header.sbp = sensebuf;
2517     io_header.timeout = 6000; /* XXX */
2518 
2519     ret = blk_ioctl(s->qdev.conf.blk, SG_IO, &io_header);
2520     if (ret < 0 || io_header.driver_status || io_header.host_status) {
2521         return -1;
2522     }
2523     s->qdev.type = buf[0];
2524     if (buf[1] & 0x80) {
2525         s->features |= 1 << SCSI_DISK_F_REMOVABLE;
2526     }
2527     return 0;
2528 }
2529 
2530 static void scsi_block_realize(SCSIDevice *dev, Error **errp)
2531 {
2532     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
2533     int sg_version;
2534     int rc;
2535 
2536     if (!s->qdev.conf.blk) {
2537         error_setg(errp, "drive property not set");
2538         return;
2539     }
2540 
2541     /* check we are using a driver managing SG_IO (version 3 and after) */
2542     rc = blk_ioctl(s->qdev.conf.blk, SG_GET_VERSION_NUM, &sg_version);
2543     if (rc < 0) {
2544         error_setg(errp, "cannot get SG_IO version number: %s.  "
2545                      "Is this a SCSI device?",
2546                      strerror(-rc));
2547         return;
2548     }
2549     if (sg_version < 30000) {
2550         error_setg(errp, "scsi generic interface too old");
2551         return;
2552     }
2553 
2554     /* get device type from INQUIRY data */
2555     rc = get_device_type(s);
2556     if (rc < 0) {
2557         error_setg(errp, "INQUIRY failed");
2558         return;
2559     }
2560 
2561     /* Make a guess for the block size, we'll fix it when the guest sends.
2562      * READ CAPACITY.  If they don't, they likely would assume these sizes
2563      * anyway. (TODO: check in /sys).
2564      */
2565     if (s->qdev.type == TYPE_ROM || s->qdev.type == TYPE_WORM) {
2566         s->qdev.blocksize = 2048;
2567     } else {
2568         s->qdev.blocksize = 512;
2569     }
2570 
2571     /* Makes the scsi-block device not removable by using HMP and QMP eject
2572      * command.
2573      */
2574     s->features |= (1 << SCSI_DISK_F_NO_REMOVABLE_DEVOPS);
2575 
2576     scsi_realize(&s->qdev, errp);
2577 }
2578 
2579 static bool scsi_block_is_passthrough(SCSIDiskState *s, uint8_t *buf)
2580 {
2581     switch (buf[0]) {
2582     case READ_6:
2583     case READ_10:
2584     case READ_12:
2585     case READ_16:
2586     case VERIFY_10:
2587     case VERIFY_12:
2588     case VERIFY_16:
2589     case WRITE_6:
2590     case WRITE_10:
2591     case WRITE_12:
2592     case WRITE_16:
2593     case WRITE_VERIFY_10:
2594     case WRITE_VERIFY_12:
2595     case WRITE_VERIFY_16:
2596         /* If we are not using O_DIRECT, we might read stale data from the
2597          * host cache if writes were made using other commands than these
2598          * ones (such as WRITE SAME or EXTENDED COPY, etc.).  So, without
2599          * O_DIRECT everything must go through SG_IO.
2600          */
2601         if (!(blk_get_flags(s->qdev.conf.blk) & BDRV_O_NOCACHE)) {
2602             break;
2603         }
2604 
2605         /* MMC writing cannot be done via pread/pwrite, because it sometimes
2606          * involves writing beyond the maximum LBA or to negative LBA (lead-in).
2607          * And once you do these writes, reading from the block device is
2608          * unreliable, too.  It is even possible that reads deliver random data
2609          * from the host page cache (this is probably a Linux bug).
2610          *
2611          * We might use scsi_disk_dma_reqops as long as no writing commands are
2612          * seen, but performance usually isn't paramount on optical media.  So,
2613          * just make scsi-block operate the same as scsi-generic for them.
2614          */
2615         if (s->qdev.type != TYPE_ROM) {
2616             return false;
2617         }
2618         break;
2619 
2620     default:
2621         break;
2622     }
2623 
2624     return true;
2625 }
2626 
2627 
2628 static SCSIRequest *scsi_block_new_request(SCSIDevice *d, uint32_t tag,
2629                                            uint32_t lun, uint8_t *buf,
2630                                            void *hba_private)
2631 {
2632     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, d);
2633 
2634     if (scsi_block_is_passthrough(s, buf)) {
2635         return scsi_req_alloc(&scsi_generic_req_ops, &s->qdev, tag, lun,
2636                               hba_private);
2637     } else {
2638         return scsi_req_alloc(&scsi_disk_dma_reqops, &s->qdev, tag, lun,
2639                               hba_private);
2640     }
2641 }
2642 
2643 static int scsi_block_parse_cdb(SCSIDevice *d, SCSICommand *cmd,
2644                                   uint8_t *buf, void *hba_private)
2645 {
2646     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, d);
2647 
2648     if (scsi_block_is_passthrough(s, buf)) {
2649         return scsi_bus_parse_cdb(&s->qdev, cmd, buf, hba_private);
2650     } else {
2651         return scsi_req_parse_cdb(&s->qdev, cmd, buf);
2652     }
2653 }
2654 
2655 #endif
2656 
2657 #define DEFINE_SCSI_DISK_PROPERTIES()                                \
2658     DEFINE_BLOCK_PROPERTIES(SCSIDiskState, qdev.conf),               \
2659     DEFINE_PROP_STRING("ver", SCSIDiskState, version),               \
2660     DEFINE_PROP_STRING("serial", SCSIDiskState, serial),             \
2661     DEFINE_PROP_STRING("vendor", SCSIDiskState, vendor),             \
2662     DEFINE_PROP_STRING("product", SCSIDiskState, product)
2663 
2664 static Property scsi_hd_properties[] = {
2665     DEFINE_SCSI_DISK_PROPERTIES(),
2666     DEFINE_PROP_BIT("removable", SCSIDiskState, features,
2667                     SCSI_DISK_F_REMOVABLE, false),
2668     DEFINE_PROP_BIT("dpofua", SCSIDiskState, features,
2669                     SCSI_DISK_F_DPOFUA, false),
2670     DEFINE_PROP_UINT64("wwn", SCSIDiskState, wwn, 0),
2671     DEFINE_PROP_UINT64("port_wwn", SCSIDiskState, port_wwn, 0),
2672     DEFINE_PROP_UINT16("port_index", SCSIDiskState, port_index, 0),
2673     DEFINE_PROP_UINT64("max_unmap_size", SCSIDiskState, max_unmap_size,
2674                        DEFAULT_MAX_UNMAP_SIZE),
2675     DEFINE_PROP_UINT64("max_io_size", SCSIDiskState, max_io_size,
2676                        DEFAULT_MAX_IO_SIZE),
2677     DEFINE_BLOCK_CHS_PROPERTIES(SCSIDiskState, qdev.conf),
2678     DEFINE_PROP_END_OF_LIST(),
2679 };
2680 
2681 static const VMStateDescription vmstate_scsi_disk_state = {
2682     .name = "scsi-disk",
2683     .version_id = 1,
2684     .minimum_version_id = 1,
2685     .fields = (VMStateField[]) {
2686         VMSTATE_SCSI_DEVICE(qdev, SCSIDiskState),
2687         VMSTATE_BOOL(media_changed, SCSIDiskState),
2688         VMSTATE_BOOL(media_event, SCSIDiskState),
2689         VMSTATE_BOOL(eject_request, SCSIDiskState),
2690         VMSTATE_BOOL(tray_open, SCSIDiskState),
2691         VMSTATE_BOOL(tray_locked, SCSIDiskState),
2692         VMSTATE_END_OF_LIST()
2693     }
2694 };
2695 
2696 static void scsi_hd_class_initfn(ObjectClass *klass, void *data)
2697 {
2698     DeviceClass *dc = DEVICE_CLASS(klass);
2699     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
2700 
2701     sc->realize      = scsi_hd_realize;
2702     sc->alloc_req    = scsi_new_request;
2703     sc->unit_attention_reported = scsi_disk_unit_attention_reported;
2704     dc->fw_name = "disk";
2705     dc->desc = "virtual SCSI disk";
2706     dc->reset = scsi_disk_reset;
2707     dc->props = scsi_hd_properties;
2708     dc->vmsd  = &vmstate_scsi_disk_state;
2709 }
2710 
2711 static const TypeInfo scsi_hd_info = {
2712     .name          = "scsi-hd",
2713     .parent        = TYPE_SCSI_DEVICE,
2714     .instance_size = sizeof(SCSIDiskState),
2715     .class_init    = scsi_hd_class_initfn,
2716 };
2717 
2718 static Property scsi_cd_properties[] = {
2719     DEFINE_SCSI_DISK_PROPERTIES(),
2720     DEFINE_PROP_UINT64("wwn", SCSIDiskState, wwn, 0),
2721     DEFINE_PROP_UINT64("port_wwn", SCSIDiskState, port_wwn, 0),
2722     DEFINE_PROP_UINT16("port_index", SCSIDiskState, port_index, 0),
2723     DEFINE_PROP_UINT64("max_io_size", SCSIDiskState, max_io_size,
2724                        DEFAULT_MAX_IO_SIZE),
2725     DEFINE_PROP_END_OF_LIST(),
2726 };
2727 
2728 static void scsi_cd_class_initfn(ObjectClass *klass, void *data)
2729 {
2730     DeviceClass *dc = DEVICE_CLASS(klass);
2731     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
2732 
2733     sc->realize      = scsi_cd_realize;
2734     sc->alloc_req    = scsi_new_request;
2735     sc->unit_attention_reported = scsi_disk_unit_attention_reported;
2736     dc->fw_name = "disk";
2737     dc->desc = "virtual SCSI CD-ROM";
2738     dc->reset = scsi_disk_reset;
2739     dc->props = scsi_cd_properties;
2740     dc->vmsd  = &vmstate_scsi_disk_state;
2741 }
2742 
2743 static const TypeInfo scsi_cd_info = {
2744     .name          = "scsi-cd",
2745     .parent        = TYPE_SCSI_DEVICE,
2746     .instance_size = sizeof(SCSIDiskState),
2747     .class_init    = scsi_cd_class_initfn,
2748 };
2749 
2750 #ifdef __linux__
2751 static Property scsi_block_properties[] = {
2752     DEFINE_PROP_DRIVE("drive", SCSIDiskState, qdev.conf.blk),
2753     DEFINE_PROP_END_OF_LIST(),
2754 };
2755 
2756 static void scsi_block_class_initfn(ObjectClass *klass, void *data)
2757 {
2758     DeviceClass *dc = DEVICE_CLASS(klass);
2759     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
2760 
2761     sc->realize      = scsi_block_realize;
2762     sc->alloc_req    = scsi_block_new_request;
2763     sc->parse_cdb    = scsi_block_parse_cdb;
2764     dc->fw_name = "disk";
2765     dc->desc = "SCSI block device passthrough";
2766     dc->reset = scsi_disk_reset;
2767     dc->props = scsi_block_properties;
2768     dc->vmsd  = &vmstate_scsi_disk_state;
2769 }
2770 
2771 static const TypeInfo scsi_block_info = {
2772     .name          = "scsi-block",
2773     .parent        = TYPE_SCSI_DEVICE,
2774     .instance_size = sizeof(SCSIDiskState),
2775     .class_init    = scsi_block_class_initfn,
2776 };
2777 #endif
2778 
2779 static Property scsi_disk_properties[] = {
2780     DEFINE_SCSI_DISK_PROPERTIES(),
2781     DEFINE_PROP_BIT("removable", SCSIDiskState, features,
2782                     SCSI_DISK_F_REMOVABLE, false),
2783     DEFINE_PROP_BIT("dpofua", SCSIDiskState, features,
2784                     SCSI_DISK_F_DPOFUA, false),
2785     DEFINE_PROP_UINT64("wwn", SCSIDiskState, wwn, 0),
2786     DEFINE_PROP_UINT64("port_wwn", SCSIDiskState, port_wwn, 0),
2787     DEFINE_PROP_UINT16("port_index", SCSIDiskState, port_index, 0),
2788     DEFINE_PROP_UINT64("max_unmap_size", SCSIDiskState, max_unmap_size,
2789                        DEFAULT_MAX_UNMAP_SIZE),
2790     DEFINE_PROP_UINT64("max_io_size", SCSIDiskState, max_io_size,
2791                        DEFAULT_MAX_IO_SIZE),
2792     DEFINE_PROP_END_OF_LIST(),
2793 };
2794 
2795 static void scsi_disk_class_initfn(ObjectClass *klass, void *data)
2796 {
2797     DeviceClass *dc = DEVICE_CLASS(klass);
2798     SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
2799 
2800     sc->realize      = scsi_disk_realize;
2801     sc->alloc_req    = scsi_new_request;
2802     sc->unit_attention_reported = scsi_disk_unit_attention_reported;
2803     dc->fw_name = "disk";
2804     dc->desc = "virtual SCSI disk or CD-ROM (legacy)";
2805     dc->reset = scsi_disk_reset;
2806     dc->props = scsi_disk_properties;
2807     dc->vmsd  = &vmstate_scsi_disk_state;
2808 }
2809 
2810 static const TypeInfo scsi_disk_info = {
2811     .name          = "scsi-disk",
2812     .parent        = TYPE_SCSI_DEVICE,
2813     .instance_size = sizeof(SCSIDiskState),
2814     .class_init    = scsi_disk_class_initfn,
2815 };
2816 
2817 static void scsi_disk_register_types(void)
2818 {
2819     type_register_static(&scsi_hd_info);
2820     type_register_static(&scsi_cd_info);
2821 #ifdef __linux__
2822     type_register_static(&scsi_block_info);
2823 #endif
2824     type_register_static(&scsi_disk_info);
2825 }
2826 
2827 type_init(scsi_disk_register_types)
2828