xref: /openbmc/qemu/hw/scsi/virtio-scsi.c (revision 28004fb7)
1 /*
2  * Virtio SCSI HBA
3  *
4  * Copyright IBM, Corp. 2010
5  * Copyright Red Hat, Inc. 2011
6  *
7  * Authors:
8  *   Stefan Hajnoczi    <stefanha@linux.vnet.ibm.com>
9  *   Paolo Bonzini      <pbonzini@redhat.com>
10  *
11  * This work is licensed under the terms of the GNU GPL, version 2 or later.
12  * See the COPYING file in the top-level directory.
13  *
14  */
15 
16 #include "qemu/osdep.h"
17 #include "qapi/error.h"
18 #include "standard-headers/linux/virtio_ids.h"
19 #include "hw/virtio/virtio-scsi.h"
20 #include "migration/qemu-file-types.h"
21 #include "qemu/defer-call.h"
22 #include "qemu/error-report.h"
23 #include "qemu/iov.h"
24 #include "qemu/module.h"
25 #include "sysemu/block-backend.h"
26 #include "sysemu/dma.h"
27 #include "hw/qdev-properties.h"
28 #include "hw/scsi/scsi.h"
29 #include "scsi/constants.h"
30 #include "hw/virtio/virtio-bus.h"
31 #include "hw/virtio/virtio-access.h"
32 #include "trace.h"
33 
34 typedef struct VirtIOSCSIReq {
35     /*
36      * Note:
37      * - fields up to resp_iov are initialized by virtio_scsi_init_req;
38      * - fields starting at vring are zeroed by virtio_scsi_init_req.
39      */
40     VirtQueueElement elem;
41 
42     VirtIOSCSI *dev;
43     VirtQueue *vq;
44     QEMUSGList qsgl;
45     QEMUIOVector resp_iov;
46 
47     /* Used for two-stage request submission and TMFs deferred to BH */
48     QTAILQ_ENTRY(VirtIOSCSIReq) next;
49 
50     /* Used for cancellation of request during TMFs */
51     int remaining;
52 
53     SCSIRequest *sreq;
54     size_t resp_size;
55     enum SCSIXferMode mode;
56     union {
57         VirtIOSCSICmdResp     cmd;
58         VirtIOSCSICtrlTMFResp tmf;
59         VirtIOSCSICtrlANResp  an;
60         VirtIOSCSIEvent       event;
61     } resp;
62     union {
63         VirtIOSCSICmdReq      cmd;
64         VirtIOSCSICtrlTMFReq  tmf;
65         VirtIOSCSICtrlANReq   an;
66     } req;
67 } VirtIOSCSIReq;
68 
69 static inline int virtio_scsi_get_lun(uint8_t *lun)
70 {
71     return ((lun[2] << 8) | lun[3]) & 0x3FFF;
72 }
73 
74 static inline SCSIDevice *virtio_scsi_device_get(VirtIOSCSI *s, uint8_t *lun)
75 {
76     if (lun[0] != 1) {
77         return NULL;
78     }
79     if (lun[2] != 0 && !(lun[2] >= 0x40 && lun[2] < 0x80)) {
80         return NULL;
81     }
82     return scsi_device_get(&s->bus, 0, lun[1], virtio_scsi_get_lun(lun));
83 }
84 
85 static void virtio_scsi_init_req(VirtIOSCSI *s, VirtQueue *vq, VirtIOSCSIReq *req)
86 {
87     VirtIODevice *vdev = VIRTIO_DEVICE(s);
88     const size_t zero_skip =
89         offsetof(VirtIOSCSIReq, resp_iov) + sizeof(req->resp_iov);
90 
91     req->vq = vq;
92     req->dev = s;
93     qemu_sglist_init(&req->qsgl, DEVICE(s), 8, vdev->dma_as);
94     qemu_iovec_init(&req->resp_iov, 1);
95     memset((uint8_t *)req + zero_skip, 0, sizeof(*req) - zero_skip);
96 }
97 
98 static void virtio_scsi_free_req(VirtIOSCSIReq *req)
99 {
100     qemu_iovec_destroy(&req->resp_iov);
101     qemu_sglist_destroy(&req->qsgl);
102     g_free(req);
103 }
104 
105 static void virtio_scsi_complete_req(VirtIOSCSIReq *req)
106 {
107     VirtIOSCSI *s = req->dev;
108     VirtQueue *vq = req->vq;
109     VirtIODevice *vdev = VIRTIO_DEVICE(s);
110 
111     qemu_iovec_from_buf(&req->resp_iov, 0, &req->resp, req->resp_size);
112     virtqueue_push(vq, &req->elem, req->qsgl.size + req->resp_iov.size);
113     if (s->dataplane_started && !s->dataplane_fenced) {
114         virtio_notify_irqfd(vdev, vq);
115     } else {
116         virtio_notify(vdev, vq);
117     }
118 
119     if (req->sreq) {
120         req->sreq->hba_private = NULL;
121         scsi_req_unref(req->sreq);
122     }
123     virtio_scsi_free_req(req);
124 }
125 
126 static void virtio_scsi_complete_req_bh(void *opaque)
127 {
128     VirtIOSCSIReq *req = opaque;
129 
130     virtio_scsi_complete_req(req);
131 }
132 
133 /*
134  * Called from virtio_scsi_do_one_tmf_bh() in main loop thread. The main loop
135  * thread cannot touch the virtqueue since that could race with an IOThread.
136  */
137 static void virtio_scsi_complete_req_from_main_loop(VirtIOSCSIReq *req)
138 {
139     VirtIOSCSI *s = req->dev;
140 
141     if (!s->ctx || s->ctx == qemu_get_aio_context()) {
142         /* No need to schedule a BH when there is no IOThread */
143         virtio_scsi_complete_req(req);
144     } else {
145         /* Run request completion in the IOThread */
146         aio_wait_bh_oneshot(s->ctx, virtio_scsi_complete_req_bh, req);
147     }
148 }
149 
150 static void virtio_scsi_bad_req(VirtIOSCSIReq *req)
151 {
152     virtio_error(VIRTIO_DEVICE(req->dev), "wrong size for virtio-scsi headers");
153     virtqueue_detach_element(req->vq, &req->elem, 0);
154     virtio_scsi_free_req(req);
155 }
156 
157 static size_t qemu_sgl_concat(VirtIOSCSIReq *req, struct iovec *iov,
158                               hwaddr *addr, int num, size_t skip)
159 {
160     QEMUSGList *qsgl = &req->qsgl;
161     size_t copied = 0;
162 
163     while (num) {
164         if (skip >= iov->iov_len) {
165             skip -= iov->iov_len;
166         } else {
167             qemu_sglist_add(qsgl, *addr + skip, iov->iov_len - skip);
168             copied += iov->iov_len - skip;
169             skip = 0;
170         }
171         iov++;
172         addr++;
173         num--;
174     }
175 
176     assert(skip == 0);
177     return copied;
178 }
179 
180 static int virtio_scsi_parse_req(VirtIOSCSIReq *req,
181                                  unsigned req_size, unsigned resp_size)
182 {
183     VirtIODevice *vdev = (VirtIODevice *) req->dev;
184     size_t in_size, out_size;
185 
186     if (iov_to_buf(req->elem.out_sg, req->elem.out_num, 0,
187                    &req->req, req_size) < req_size) {
188         return -EINVAL;
189     }
190 
191     if (qemu_iovec_concat_iov(&req->resp_iov,
192                               req->elem.in_sg, req->elem.in_num, 0,
193                               resp_size) < resp_size) {
194         return -EINVAL;
195     }
196 
197     req->resp_size = resp_size;
198 
199     /* Old BIOSes left some padding by mistake after the req_size/resp_size.
200      * As a workaround, always consider the first buffer as the virtio-scsi
201      * request/response, making the payload start at the second element
202      * of the iovec.
203      *
204      * The actual length of the response header, stored in req->resp_size,
205      * does not change.
206      *
207      * TODO: always disable this workaround for virtio 1.0 devices.
208      */
209     if (!virtio_vdev_has_feature(vdev, VIRTIO_F_ANY_LAYOUT)) {
210         if (req->elem.out_num) {
211             req_size = req->elem.out_sg[0].iov_len;
212         }
213         if (req->elem.in_num) {
214             resp_size = req->elem.in_sg[0].iov_len;
215         }
216     }
217 
218     out_size = qemu_sgl_concat(req, req->elem.out_sg,
219                                &req->elem.out_addr[0], req->elem.out_num,
220                                req_size);
221     in_size = qemu_sgl_concat(req, req->elem.in_sg,
222                               &req->elem.in_addr[0], req->elem.in_num,
223                               resp_size);
224 
225     if (out_size && in_size) {
226         return -ENOTSUP;
227     }
228 
229     if (out_size) {
230         req->mode = SCSI_XFER_TO_DEV;
231     } else if (in_size) {
232         req->mode = SCSI_XFER_FROM_DEV;
233     }
234 
235     return 0;
236 }
237 
238 static VirtIOSCSIReq *virtio_scsi_pop_req(VirtIOSCSI *s, VirtQueue *vq)
239 {
240     VirtIOSCSICommon *vs = (VirtIOSCSICommon *)s;
241     VirtIOSCSIReq *req;
242 
243     req = virtqueue_pop(vq, sizeof(VirtIOSCSIReq) + vs->cdb_size);
244     if (!req) {
245         return NULL;
246     }
247     virtio_scsi_init_req(s, vq, req);
248     return req;
249 }
250 
251 static void virtio_scsi_save_request(QEMUFile *f, SCSIRequest *sreq)
252 {
253     VirtIOSCSIReq *req = sreq->hba_private;
254     VirtIOSCSICommon *vs = VIRTIO_SCSI_COMMON(req->dev);
255     VirtIODevice *vdev = VIRTIO_DEVICE(req->dev);
256     uint32_t n = virtio_get_queue_index(req->vq) - VIRTIO_SCSI_VQ_NUM_FIXED;
257 
258     assert(n < vs->conf.num_queues);
259     qemu_put_be32s(f, &n);
260     qemu_put_virtqueue_element(vdev, f, &req->elem);
261 }
262 
263 static void *virtio_scsi_load_request(QEMUFile *f, SCSIRequest *sreq)
264 {
265     SCSIBus *bus = sreq->bus;
266     VirtIOSCSI *s = container_of(bus, VirtIOSCSI, bus);
267     VirtIOSCSICommon *vs = VIRTIO_SCSI_COMMON(s);
268     VirtIODevice *vdev = VIRTIO_DEVICE(s);
269     VirtIOSCSIReq *req;
270     uint32_t n;
271 
272     qemu_get_be32s(f, &n);
273     assert(n < vs->conf.num_queues);
274     req = qemu_get_virtqueue_element(vdev, f,
275                                      sizeof(VirtIOSCSIReq) + vs->cdb_size);
276     virtio_scsi_init_req(s, vs->cmd_vqs[n], req);
277 
278     if (virtio_scsi_parse_req(req, sizeof(VirtIOSCSICmdReq) + vs->cdb_size,
279                               sizeof(VirtIOSCSICmdResp) + vs->sense_size) < 0) {
280         error_report("invalid SCSI request migration data");
281         exit(1);
282     }
283 
284     scsi_req_ref(sreq);
285     req->sreq = sreq;
286     if (req->sreq->cmd.mode != SCSI_XFER_NONE) {
287         assert(req->sreq->cmd.mode == req->mode);
288     }
289     return req;
290 }
291 
292 typedef struct {
293     Notifier        notifier;
294     VirtIOSCSIReq  *tmf_req;
295 } VirtIOSCSICancelNotifier;
296 
297 static void virtio_scsi_cancel_notify(Notifier *notifier, void *data)
298 {
299     VirtIOSCSICancelNotifier *n = container_of(notifier,
300                                                VirtIOSCSICancelNotifier,
301                                                notifier);
302 
303     if (--n->tmf_req->remaining == 0) {
304         VirtIOSCSIReq *req = n->tmf_req;
305 
306         trace_virtio_scsi_tmf_resp(virtio_scsi_get_lun(req->req.tmf.lun),
307                                    req->req.tmf.tag, req->resp.tmf.response);
308         virtio_scsi_complete_req(req);
309     }
310     g_free(n);
311 }
312 
313 static inline void virtio_scsi_ctx_check(VirtIOSCSI *s, SCSIDevice *d)
314 {
315     if (s->dataplane_started && d && blk_is_available(d->conf.blk)) {
316         assert(blk_get_aio_context(d->conf.blk) == s->ctx);
317     }
318 }
319 
320 static void virtio_scsi_do_one_tmf_bh(VirtIOSCSIReq *req)
321 {
322     VirtIOSCSI *s = req->dev;
323     SCSIDevice *d = virtio_scsi_device_get(s, req->req.tmf.lun);
324     BusChild *kid;
325     int target;
326 
327     switch (req->req.tmf.subtype) {
328     case VIRTIO_SCSI_T_TMF_LOGICAL_UNIT_RESET:
329         if (!d) {
330             req->resp.tmf.response = VIRTIO_SCSI_S_BAD_TARGET;
331             goto out;
332         }
333         if (d->lun != virtio_scsi_get_lun(req->req.tmf.lun)) {
334             req->resp.tmf.response = VIRTIO_SCSI_S_INCORRECT_LUN;
335             goto out;
336         }
337         qatomic_inc(&s->resetting);
338         device_cold_reset(&d->qdev);
339         qatomic_dec(&s->resetting);
340         break;
341 
342     case VIRTIO_SCSI_T_TMF_I_T_NEXUS_RESET:
343         target = req->req.tmf.lun[1];
344         qatomic_inc(&s->resetting);
345 
346         rcu_read_lock();
347         QTAILQ_FOREACH_RCU(kid, &s->bus.qbus.children, sibling) {
348             SCSIDevice *d1 = SCSI_DEVICE(kid->child);
349             if (d1->channel == 0 && d1->id == target) {
350                 device_cold_reset(&d1->qdev);
351             }
352         }
353         rcu_read_unlock();
354 
355         qatomic_dec(&s->resetting);
356         break;
357 
358     default:
359         g_assert_not_reached();
360         break;
361     }
362 
363 out:
364     object_unref(OBJECT(d));
365     virtio_scsi_complete_req_from_main_loop(req);
366 }
367 
368 /* Some TMFs must be processed from the main loop thread */
369 static void virtio_scsi_do_tmf_bh(void *opaque)
370 {
371     VirtIOSCSI *s = opaque;
372     QTAILQ_HEAD(, VirtIOSCSIReq) reqs = QTAILQ_HEAD_INITIALIZER(reqs);
373     VirtIOSCSIReq *req;
374     VirtIOSCSIReq *tmp;
375 
376     GLOBAL_STATE_CODE();
377 
378     WITH_QEMU_LOCK_GUARD(&s->tmf_bh_lock) {
379         QTAILQ_FOREACH_SAFE(req, &s->tmf_bh_list, next, tmp) {
380             QTAILQ_REMOVE(&s->tmf_bh_list, req, next);
381             QTAILQ_INSERT_TAIL(&reqs, req, next);
382         }
383 
384         qemu_bh_delete(s->tmf_bh);
385         s->tmf_bh = NULL;
386     }
387 
388     QTAILQ_FOREACH_SAFE(req, &reqs, next, tmp) {
389         QTAILQ_REMOVE(&reqs, req, next);
390         virtio_scsi_do_one_tmf_bh(req);
391     }
392 }
393 
394 static void virtio_scsi_reset_tmf_bh(VirtIOSCSI *s)
395 {
396     VirtIOSCSIReq *req;
397     VirtIOSCSIReq *tmp;
398 
399     GLOBAL_STATE_CODE();
400 
401     /* Called after ioeventfd has been stopped, so tmf_bh_lock is not needed */
402     if (s->tmf_bh) {
403         qemu_bh_delete(s->tmf_bh);
404         s->tmf_bh = NULL;
405     }
406 
407     QTAILQ_FOREACH_SAFE(req, &s->tmf_bh_list, next, tmp) {
408         QTAILQ_REMOVE(&s->tmf_bh_list, req, next);
409 
410         /* SAM-6 6.3.2 Hard reset */
411         req->resp.tmf.response = VIRTIO_SCSI_S_TARGET_FAILURE;
412         virtio_scsi_complete_req(req);
413     }
414 }
415 
416 static void virtio_scsi_defer_tmf_to_bh(VirtIOSCSIReq *req)
417 {
418     VirtIOSCSI *s = req->dev;
419 
420     WITH_QEMU_LOCK_GUARD(&s->tmf_bh_lock) {
421         QTAILQ_INSERT_TAIL(&s->tmf_bh_list, req, next);
422 
423         if (!s->tmf_bh) {
424             s->tmf_bh = qemu_bh_new(virtio_scsi_do_tmf_bh, s);
425             qemu_bh_schedule(s->tmf_bh);
426         }
427     }
428 }
429 
430 /* Return 0 if the request is ready to be completed and return to guest;
431  * -EINPROGRESS if the request is submitted and will be completed later, in the
432  *  case of async cancellation. */
433 static int virtio_scsi_do_tmf(VirtIOSCSI *s, VirtIOSCSIReq *req)
434 {
435     SCSIDevice *d = virtio_scsi_device_get(s, req->req.tmf.lun);
436     SCSIRequest *r, *next;
437     int ret = 0;
438 
439     virtio_scsi_ctx_check(s, d);
440     /* Here VIRTIO_SCSI_S_OK means "FUNCTION COMPLETE".  */
441     req->resp.tmf.response = VIRTIO_SCSI_S_OK;
442 
443     /*
444      * req->req.tmf has the QEMU_PACKED attribute. Don't use virtio_tswap32s()
445      * to avoid compiler errors.
446      */
447     req->req.tmf.subtype =
448         virtio_tswap32(VIRTIO_DEVICE(s), req->req.tmf.subtype);
449 
450     trace_virtio_scsi_tmf_req(virtio_scsi_get_lun(req->req.tmf.lun),
451                               req->req.tmf.tag, req->req.tmf.subtype);
452 
453     switch (req->req.tmf.subtype) {
454     case VIRTIO_SCSI_T_TMF_ABORT_TASK:
455     case VIRTIO_SCSI_T_TMF_QUERY_TASK:
456         if (!d) {
457             goto fail;
458         }
459         if (d->lun != virtio_scsi_get_lun(req->req.tmf.lun)) {
460             goto incorrect_lun;
461         }
462         QTAILQ_FOREACH_SAFE(r, &d->requests, next, next) {
463             VirtIOSCSIReq *cmd_req = r->hba_private;
464             if (cmd_req && cmd_req->req.cmd.tag == req->req.tmf.tag) {
465                 break;
466             }
467         }
468         if (r) {
469             /*
470              * Assert that the request has not been completed yet, we
471              * check for it in the loop above.
472              */
473             assert(r->hba_private);
474             if (req->req.tmf.subtype == VIRTIO_SCSI_T_TMF_QUERY_TASK) {
475                 /* "If the specified command is present in the task set, then
476                  * return a service response set to FUNCTION SUCCEEDED".
477                  */
478                 req->resp.tmf.response = VIRTIO_SCSI_S_FUNCTION_SUCCEEDED;
479             } else {
480                 VirtIOSCSICancelNotifier *notifier;
481 
482                 req->remaining = 1;
483                 notifier = g_new(VirtIOSCSICancelNotifier, 1);
484                 notifier->tmf_req = req;
485                 notifier->notifier.notify = virtio_scsi_cancel_notify;
486                 scsi_req_cancel_async(r, &notifier->notifier);
487                 ret = -EINPROGRESS;
488             }
489         }
490         break;
491 
492     case VIRTIO_SCSI_T_TMF_LOGICAL_UNIT_RESET:
493     case VIRTIO_SCSI_T_TMF_I_T_NEXUS_RESET:
494         virtio_scsi_defer_tmf_to_bh(req);
495         ret = -EINPROGRESS;
496         break;
497 
498     case VIRTIO_SCSI_T_TMF_ABORT_TASK_SET:
499     case VIRTIO_SCSI_T_TMF_CLEAR_TASK_SET:
500     case VIRTIO_SCSI_T_TMF_QUERY_TASK_SET:
501         if (!d) {
502             goto fail;
503         }
504         if (d->lun != virtio_scsi_get_lun(req->req.tmf.lun)) {
505             goto incorrect_lun;
506         }
507 
508         /* Add 1 to "remaining" until virtio_scsi_do_tmf returns.
509          * This way, if the bus starts calling back to the notifiers
510          * even before we finish the loop, virtio_scsi_cancel_notify
511          * will not complete the TMF too early.
512          */
513         req->remaining = 1;
514         QTAILQ_FOREACH_SAFE(r, &d->requests, next, next) {
515             if (r->hba_private) {
516                 if (req->req.tmf.subtype == VIRTIO_SCSI_T_TMF_QUERY_TASK_SET) {
517                     /* "If there is any command present in the task set, then
518                      * return a service response set to FUNCTION SUCCEEDED".
519                      */
520                     req->resp.tmf.response = VIRTIO_SCSI_S_FUNCTION_SUCCEEDED;
521                     break;
522                 } else {
523                     VirtIOSCSICancelNotifier *notifier;
524 
525                     req->remaining++;
526                     notifier = g_new(VirtIOSCSICancelNotifier, 1);
527                     notifier->notifier.notify = virtio_scsi_cancel_notify;
528                     notifier->tmf_req = req;
529                     scsi_req_cancel_async(r, &notifier->notifier);
530                 }
531             }
532         }
533         if (--req->remaining > 0) {
534             ret = -EINPROGRESS;
535         }
536         break;
537 
538     case VIRTIO_SCSI_T_TMF_CLEAR_ACA:
539     default:
540         req->resp.tmf.response = VIRTIO_SCSI_S_FUNCTION_REJECTED;
541         break;
542     }
543 
544     object_unref(OBJECT(d));
545     return ret;
546 
547 incorrect_lun:
548     req->resp.tmf.response = VIRTIO_SCSI_S_INCORRECT_LUN;
549     object_unref(OBJECT(d));
550     return ret;
551 
552 fail:
553     req->resp.tmf.response = VIRTIO_SCSI_S_BAD_TARGET;
554     object_unref(OBJECT(d));
555     return ret;
556 }
557 
558 static void virtio_scsi_handle_ctrl_req(VirtIOSCSI *s, VirtIOSCSIReq *req)
559 {
560     VirtIODevice *vdev = (VirtIODevice *)s;
561     uint32_t type;
562     int r = 0;
563 
564     if (iov_to_buf(req->elem.out_sg, req->elem.out_num, 0,
565                 &type, sizeof(type)) < sizeof(type)) {
566         virtio_scsi_bad_req(req);
567         return;
568     }
569 
570     virtio_tswap32s(vdev, &type);
571     if (type == VIRTIO_SCSI_T_TMF) {
572         if (virtio_scsi_parse_req(req, sizeof(VirtIOSCSICtrlTMFReq),
573                     sizeof(VirtIOSCSICtrlTMFResp)) < 0) {
574             virtio_scsi_bad_req(req);
575             return;
576         } else {
577             r = virtio_scsi_do_tmf(s, req);
578         }
579 
580     } else if (type == VIRTIO_SCSI_T_AN_QUERY ||
581                type == VIRTIO_SCSI_T_AN_SUBSCRIBE) {
582         if (virtio_scsi_parse_req(req, sizeof(VirtIOSCSICtrlANReq),
583                     sizeof(VirtIOSCSICtrlANResp)) < 0) {
584             virtio_scsi_bad_req(req);
585             return;
586         } else {
587             req->req.an.event_requested =
588                 virtio_tswap32(VIRTIO_DEVICE(s), req->req.an.event_requested);
589             trace_virtio_scsi_an_req(virtio_scsi_get_lun(req->req.an.lun),
590                                      req->req.an.event_requested);
591             req->resp.an.event_actual = 0;
592             req->resp.an.response = VIRTIO_SCSI_S_OK;
593         }
594     }
595     if (r == 0) {
596         if (type == VIRTIO_SCSI_T_TMF)
597             trace_virtio_scsi_tmf_resp(virtio_scsi_get_lun(req->req.tmf.lun),
598                                        req->req.tmf.tag,
599                                        req->resp.tmf.response);
600         else if (type == VIRTIO_SCSI_T_AN_QUERY ||
601                  type == VIRTIO_SCSI_T_AN_SUBSCRIBE)
602             trace_virtio_scsi_an_resp(virtio_scsi_get_lun(req->req.an.lun),
603                                       req->resp.an.response);
604         virtio_scsi_complete_req(req);
605     } else {
606         assert(r == -EINPROGRESS);
607     }
608 }
609 
610 static void virtio_scsi_handle_ctrl_vq(VirtIOSCSI *s, VirtQueue *vq)
611 {
612     VirtIOSCSIReq *req;
613 
614     while ((req = virtio_scsi_pop_req(s, vq))) {
615         virtio_scsi_handle_ctrl_req(s, req);
616     }
617 }
618 
619 /*
620  * If dataplane is configured but not yet started, do so now and return true on
621  * success.
622  *
623  * Dataplane is started by the core virtio code but virtqueue handler functions
624  * can also be invoked when a guest kicks before DRIVER_OK, so this helper
625  * function helps us deal with manually starting ioeventfd in that case.
626  */
627 static bool virtio_scsi_defer_to_dataplane(VirtIOSCSI *s)
628 {
629     if (!s->ctx || s->dataplane_started) {
630         return false;
631     }
632 
633     virtio_device_start_ioeventfd(&s->parent_obj.parent_obj);
634     return !s->dataplane_fenced;
635 }
636 
637 static void virtio_scsi_handle_ctrl(VirtIODevice *vdev, VirtQueue *vq)
638 {
639     VirtIOSCSI *s = (VirtIOSCSI *)vdev;
640 
641     if (virtio_scsi_defer_to_dataplane(s)) {
642         return;
643     }
644 
645     virtio_scsi_handle_ctrl_vq(s, vq);
646 }
647 
648 static void virtio_scsi_complete_cmd_req(VirtIOSCSIReq *req)
649 {
650     trace_virtio_scsi_cmd_resp(virtio_scsi_get_lun(req->req.cmd.lun),
651                                req->req.cmd.tag,
652                                req->resp.cmd.response,
653                                req->resp.cmd.status);
654     /* Sense data is not in req->resp and is copied separately
655      * in virtio_scsi_command_complete.
656      */
657     req->resp_size = sizeof(VirtIOSCSICmdResp);
658     virtio_scsi_complete_req(req);
659 }
660 
661 static void virtio_scsi_command_failed(SCSIRequest *r)
662 {
663     VirtIOSCSIReq *req = r->hba_private;
664 
665     if (r->io_canceled) {
666         return;
667     }
668 
669     req->resp.cmd.status = GOOD;
670     switch (r->host_status) {
671     case SCSI_HOST_NO_LUN:
672         req->resp.cmd.response = VIRTIO_SCSI_S_INCORRECT_LUN;
673         break;
674     case SCSI_HOST_BUSY:
675         req->resp.cmd.response = VIRTIO_SCSI_S_BUSY;
676         break;
677     case SCSI_HOST_TIME_OUT:
678     case SCSI_HOST_ABORTED:
679         req->resp.cmd.response = VIRTIO_SCSI_S_ABORTED;
680         break;
681     case SCSI_HOST_BAD_RESPONSE:
682         req->resp.cmd.response = VIRTIO_SCSI_S_BAD_TARGET;
683         break;
684     case SCSI_HOST_RESET:
685         req->resp.cmd.response = VIRTIO_SCSI_S_RESET;
686         break;
687     case SCSI_HOST_TRANSPORT_DISRUPTED:
688         req->resp.cmd.response = VIRTIO_SCSI_S_TRANSPORT_FAILURE;
689         break;
690     case SCSI_HOST_TARGET_FAILURE:
691         req->resp.cmd.response = VIRTIO_SCSI_S_TARGET_FAILURE;
692         break;
693     case SCSI_HOST_RESERVATION_ERROR:
694         req->resp.cmd.response = VIRTIO_SCSI_S_NEXUS_FAILURE;
695         break;
696     case SCSI_HOST_ALLOCATION_FAILURE:
697     case SCSI_HOST_MEDIUM_ERROR:
698     case SCSI_HOST_ERROR:
699     default:
700         req->resp.cmd.response = VIRTIO_SCSI_S_FAILURE;
701         break;
702     }
703     virtio_scsi_complete_cmd_req(req);
704 }
705 
706 static void virtio_scsi_command_complete(SCSIRequest *r, size_t resid)
707 {
708     VirtIOSCSIReq *req = r->hba_private;
709     uint8_t sense[SCSI_SENSE_BUF_SIZE];
710     uint32_t sense_len;
711     VirtIODevice *vdev = VIRTIO_DEVICE(req->dev);
712 
713     if (r->io_canceled) {
714         return;
715     }
716 
717     req->resp.cmd.response = VIRTIO_SCSI_S_OK;
718     req->resp.cmd.status = r->status;
719     if (req->resp.cmd.status == GOOD) {
720         req->resp.cmd.resid = virtio_tswap32(vdev, resid);
721     } else {
722         req->resp.cmd.resid = 0;
723         sense_len = scsi_req_get_sense(r, sense, sizeof(sense));
724         sense_len = MIN(sense_len, req->resp_iov.size - sizeof(req->resp.cmd));
725         qemu_iovec_from_buf(&req->resp_iov, sizeof(req->resp.cmd),
726                             sense, sense_len);
727         req->resp.cmd.sense_len = virtio_tswap32(vdev, sense_len);
728     }
729     virtio_scsi_complete_cmd_req(req);
730 }
731 
732 static int virtio_scsi_parse_cdb(SCSIDevice *dev, SCSICommand *cmd,
733                                  uint8_t *buf, size_t buf_len,
734                                  void *hba_private)
735 {
736     VirtIOSCSIReq *req = hba_private;
737 
738     if (cmd->len == 0) {
739         cmd->len = MIN(VIRTIO_SCSI_CDB_DEFAULT_SIZE, SCSI_CMD_BUF_SIZE);
740         memcpy(cmd->buf, buf, cmd->len);
741     }
742 
743     /* Extract the direction and mode directly from the request, for
744      * host device passthrough.
745      */
746     cmd->xfer = req->qsgl.size;
747     cmd->mode = req->mode;
748     return 0;
749 }
750 
751 static QEMUSGList *virtio_scsi_get_sg_list(SCSIRequest *r)
752 {
753     VirtIOSCSIReq *req = r->hba_private;
754 
755     return &req->qsgl;
756 }
757 
758 static void virtio_scsi_request_cancelled(SCSIRequest *r)
759 {
760     VirtIOSCSIReq *req = r->hba_private;
761 
762     if (!req) {
763         return;
764     }
765     if (qatomic_read(&req->dev->resetting)) {
766         req->resp.cmd.response = VIRTIO_SCSI_S_RESET;
767     } else {
768         req->resp.cmd.response = VIRTIO_SCSI_S_ABORTED;
769     }
770     virtio_scsi_complete_cmd_req(req);
771 }
772 
773 static void virtio_scsi_fail_cmd_req(VirtIOSCSIReq *req)
774 {
775     req->resp.cmd.response = VIRTIO_SCSI_S_FAILURE;
776     virtio_scsi_complete_cmd_req(req);
777 }
778 
779 static int virtio_scsi_handle_cmd_req_prepare(VirtIOSCSI *s, VirtIOSCSIReq *req)
780 {
781     VirtIOSCSICommon *vs = VIRTIO_SCSI_COMMON(s);
782     SCSIDevice *d;
783     int rc;
784 
785     rc = virtio_scsi_parse_req(req, sizeof(VirtIOSCSICmdReq) + vs->cdb_size,
786                                sizeof(VirtIOSCSICmdResp) + vs->sense_size);
787     if (rc < 0) {
788         if (rc == -ENOTSUP) {
789             virtio_scsi_fail_cmd_req(req);
790             return -ENOTSUP;
791         } else {
792             virtio_scsi_bad_req(req);
793             return -EINVAL;
794         }
795     }
796     trace_virtio_scsi_cmd_req(virtio_scsi_get_lun(req->req.cmd.lun),
797                               req->req.cmd.tag, req->req.cmd.cdb[0]);
798 
799     d = virtio_scsi_device_get(s, req->req.cmd.lun);
800     if (!d) {
801         req->resp.cmd.response = VIRTIO_SCSI_S_BAD_TARGET;
802         virtio_scsi_complete_cmd_req(req);
803         return -ENOENT;
804     }
805     virtio_scsi_ctx_check(s, d);
806     req->sreq = scsi_req_new(d, req->req.cmd.tag,
807                              virtio_scsi_get_lun(req->req.cmd.lun),
808                              req->req.cmd.cdb, vs->cdb_size, req);
809 
810     if (req->sreq->cmd.mode != SCSI_XFER_NONE
811         && (req->sreq->cmd.mode != req->mode ||
812             req->sreq->cmd.xfer > req->qsgl.size)) {
813         req->resp.cmd.response = VIRTIO_SCSI_S_OVERRUN;
814         virtio_scsi_complete_cmd_req(req);
815         object_unref(OBJECT(d));
816         return -ENOBUFS;
817     }
818     scsi_req_ref(req->sreq);
819     defer_call_begin();
820     object_unref(OBJECT(d));
821     return 0;
822 }
823 
824 static void virtio_scsi_handle_cmd_req_submit(VirtIOSCSI *s, VirtIOSCSIReq *req)
825 {
826     SCSIRequest *sreq = req->sreq;
827     if (scsi_req_enqueue(sreq)) {
828         scsi_req_continue(sreq);
829     }
830     defer_call_end();
831     scsi_req_unref(sreq);
832 }
833 
834 static void virtio_scsi_handle_cmd_vq(VirtIOSCSI *s, VirtQueue *vq)
835 {
836     VirtIOSCSIReq *req, *next;
837     int ret = 0;
838     bool suppress_notifications = virtio_queue_get_notification(vq);
839 
840     QTAILQ_HEAD(, VirtIOSCSIReq) reqs = QTAILQ_HEAD_INITIALIZER(reqs);
841 
842     do {
843         if (suppress_notifications) {
844             virtio_queue_set_notification(vq, 0);
845         }
846 
847         while ((req = virtio_scsi_pop_req(s, vq))) {
848             ret = virtio_scsi_handle_cmd_req_prepare(s, req);
849             if (!ret) {
850                 QTAILQ_INSERT_TAIL(&reqs, req, next);
851             } else if (ret == -EINVAL) {
852                 /* The device is broken and shouldn't process any request */
853                 while (!QTAILQ_EMPTY(&reqs)) {
854                     req = QTAILQ_FIRST(&reqs);
855                     QTAILQ_REMOVE(&reqs, req, next);
856                     defer_call_end();
857                     scsi_req_unref(req->sreq);
858                     virtqueue_detach_element(req->vq, &req->elem, 0);
859                     virtio_scsi_free_req(req);
860                 }
861             }
862         }
863 
864         if (suppress_notifications) {
865             virtio_queue_set_notification(vq, 1);
866         }
867     } while (ret != -EINVAL && !virtio_queue_empty(vq));
868 
869     QTAILQ_FOREACH_SAFE(req, &reqs, next, next) {
870         virtio_scsi_handle_cmd_req_submit(s, req);
871     }
872 }
873 
874 static void virtio_scsi_handle_cmd(VirtIODevice *vdev, VirtQueue *vq)
875 {
876     /* use non-QOM casts in the data path */
877     VirtIOSCSI *s = (VirtIOSCSI *)vdev;
878 
879     if (virtio_scsi_defer_to_dataplane(s)) {
880         return;
881     }
882 
883     virtio_scsi_handle_cmd_vq(s, vq);
884 }
885 
886 static void virtio_scsi_get_config(VirtIODevice *vdev,
887                                    uint8_t *config)
888 {
889     VirtIOSCSIConfig *scsiconf = (VirtIOSCSIConfig *)config;
890     VirtIOSCSICommon *s = VIRTIO_SCSI_COMMON(vdev);
891 
892     virtio_stl_p(vdev, &scsiconf->num_queues, s->conf.num_queues);
893     virtio_stl_p(vdev, &scsiconf->seg_max,
894                  s->conf.seg_max_adjust ? s->conf.virtqueue_size - 2 : 128 - 2);
895     virtio_stl_p(vdev, &scsiconf->max_sectors, s->conf.max_sectors);
896     virtio_stl_p(vdev, &scsiconf->cmd_per_lun, s->conf.cmd_per_lun);
897     virtio_stl_p(vdev, &scsiconf->event_info_size, sizeof(VirtIOSCSIEvent));
898     virtio_stl_p(vdev, &scsiconf->sense_size, s->sense_size);
899     virtio_stl_p(vdev, &scsiconf->cdb_size, s->cdb_size);
900     virtio_stw_p(vdev, &scsiconf->max_channel, VIRTIO_SCSI_MAX_CHANNEL);
901     virtio_stw_p(vdev, &scsiconf->max_target, VIRTIO_SCSI_MAX_TARGET);
902     virtio_stl_p(vdev, &scsiconf->max_lun, VIRTIO_SCSI_MAX_LUN);
903 }
904 
905 static void virtio_scsi_set_config(VirtIODevice *vdev,
906                                    const uint8_t *config)
907 {
908     VirtIOSCSIConfig *scsiconf = (VirtIOSCSIConfig *)config;
909     VirtIOSCSICommon *vs = VIRTIO_SCSI_COMMON(vdev);
910 
911     if ((uint32_t) virtio_ldl_p(vdev, &scsiconf->sense_size) >= 65536 ||
912         (uint32_t) virtio_ldl_p(vdev, &scsiconf->cdb_size) >= 256) {
913         virtio_error(vdev,
914                      "bad data written to virtio-scsi configuration space");
915         return;
916     }
917 
918     vs->sense_size = virtio_ldl_p(vdev, &scsiconf->sense_size);
919     vs->cdb_size = virtio_ldl_p(vdev, &scsiconf->cdb_size);
920 }
921 
922 static uint64_t virtio_scsi_get_features(VirtIODevice *vdev,
923                                          uint64_t requested_features,
924                                          Error **errp)
925 {
926     VirtIOSCSI *s = VIRTIO_SCSI(vdev);
927 
928     /* Firstly sync all virtio-scsi possible supported features */
929     requested_features |= s->host_features;
930     return requested_features;
931 }
932 
933 static void virtio_scsi_reset(VirtIODevice *vdev)
934 {
935     VirtIOSCSI *s = VIRTIO_SCSI(vdev);
936     VirtIOSCSICommon *vs = VIRTIO_SCSI_COMMON(vdev);
937 
938     assert(!s->dataplane_started);
939 
940     virtio_scsi_reset_tmf_bh(s);
941 
942     qatomic_inc(&s->resetting);
943     bus_cold_reset(BUS(&s->bus));
944     qatomic_dec(&s->resetting);
945 
946     vs->sense_size = VIRTIO_SCSI_SENSE_DEFAULT_SIZE;
947     vs->cdb_size = VIRTIO_SCSI_CDB_DEFAULT_SIZE;
948     s->events_dropped = false;
949 }
950 
951 typedef struct {
952     uint32_t event;
953     uint32_t reason;
954     union {
955         /* Used by messages specific to a device */
956         struct {
957             uint32_t id;
958             uint32_t lun;
959         } address;
960     };
961 } VirtIOSCSIEventInfo;
962 
963 static void virtio_scsi_push_event(VirtIOSCSI *s,
964                                    const VirtIOSCSIEventInfo *info)
965 {
966     VirtIOSCSICommon *vs = VIRTIO_SCSI_COMMON(s);
967     VirtIOSCSIReq *req;
968     VirtIOSCSIEvent *evt;
969     VirtIODevice *vdev = VIRTIO_DEVICE(s);
970     uint32_t event = info->event;
971     uint32_t reason = info->reason;
972 
973     if (!(vdev->status & VIRTIO_CONFIG_S_DRIVER_OK)) {
974         return;
975     }
976 
977     req = virtio_scsi_pop_req(s, vs->event_vq);
978     if (!req) {
979         s->events_dropped = true;
980         return;
981     }
982 
983     if (s->events_dropped) {
984         event |= VIRTIO_SCSI_T_EVENTS_MISSED;
985         s->events_dropped = false;
986     }
987 
988     if (virtio_scsi_parse_req(req, 0, sizeof(VirtIOSCSIEvent))) {
989         virtio_scsi_bad_req(req);
990         return;
991     }
992 
993     evt = &req->resp.event;
994     memset(evt, 0, sizeof(VirtIOSCSIEvent));
995     evt->event = virtio_tswap32(vdev, event);
996     evt->reason = virtio_tswap32(vdev, reason);
997     if (event != VIRTIO_SCSI_T_EVENTS_MISSED) {
998         evt->lun[0] = 1;
999         evt->lun[1] = info->address.id;
1000 
1001         /* Linux wants us to keep the same encoding we use for REPORT LUNS.  */
1002         if (info->address.lun >= 256) {
1003             evt->lun[2] = (info->address.lun >> 8) | 0x40;
1004         }
1005         evt->lun[3] = info->address.lun & 0xFF;
1006     }
1007     trace_virtio_scsi_event(virtio_scsi_get_lun(evt->lun), event, reason);
1008 
1009     virtio_scsi_complete_req(req);
1010 }
1011 
1012 static void virtio_scsi_handle_event_vq(VirtIOSCSI *s, VirtQueue *vq)
1013 {
1014     if (s->events_dropped) {
1015         VirtIOSCSIEventInfo info = {
1016             .event = VIRTIO_SCSI_T_NO_EVENT,
1017         };
1018         virtio_scsi_push_event(s, &info);
1019     }
1020 }
1021 
1022 static void virtio_scsi_handle_event(VirtIODevice *vdev, VirtQueue *vq)
1023 {
1024     VirtIOSCSI *s = VIRTIO_SCSI(vdev);
1025 
1026     if (virtio_scsi_defer_to_dataplane(s)) {
1027         return;
1028     }
1029 
1030     virtio_scsi_handle_event_vq(s, vq);
1031 }
1032 
1033 static void virtio_scsi_change(SCSIBus *bus, SCSIDevice *dev, SCSISense sense)
1034 {
1035     VirtIOSCSI *s = container_of(bus, VirtIOSCSI, bus);
1036     VirtIODevice *vdev = VIRTIO_DEVICE(s);
1037 
1038     if (virtio_vdev_has_feature(vdev, VIRTIO_SCSI_F_CHANGE) &&
1039         dev->type != TYPE_ROM) {
1040         VirtIOSCSIEventInfo info = {
1041             .event   = VIRTIO_SCSI_T_PARAM_CHANGE,
1042             .reason  = sense.asc | (sense.ascq << 8),
1043             .address = {
1044                 .id  = dev->id,
1045                 .lun = dev->lun,
1046             },
1047         };
1048 
1049         virtio_scsi_push_event(s, &info);
1050     }
1051 }
1052 
1053 static void virtio_scsi_pre_hotplug(HotplugHandler *hotplug_dev,
1054                                     DeviceState *dev, Error **errp)
1055 {
1056     SCSIDevice *sd = SCSI_DEVICE(dev);
1057     sd->hba_supports_iothread = true;
1058 }
1059 
1060 static void virtio_scsi_hotplug(HotplugHandler *hotplug_dev, DeviceState *dev,
1061                                 Error **errp)
1062 {
1063     VirtIODevice *vdev = VIRTIO_DEVICE(hotplug_dev);
1064     VirtIOSCSI *s = VIRTIO_SCSI(vdev);
1065     SCSIDevice *sd = SCSI_DEVICE(dev);
1066     int ret;
1067 
1068     if (s->ctx && !s->dataplane_fenced) {
1069         if (blk_op_is_blocked(sd->conf.blk, BLOCK_OP_TYPE_DATAPLANE, errp)) {
1070             return;
1071         }
1072         ret = blk_set_aio_context(sd->conf.blk, s->ctx, errp);
1073         if (ret < 0) {
1074             return;
1075         }
1076     }
1077 
1078     if (virtio_vdev_has_feature(vdev, VIRTIO_SCSI_F_HOTPLUG)) {
1079         VirtIOSCSIEventInfo info = {
1080             .event   = VIRTIO_SCSI_T_TRANSPORT_RESET,
1081             .reason  = VIRTIO_SCSI_EVT_RESET_RESCAN,
1082             .address = {
1083                 .id  = sd->id,
1084                 .lun = sd->lun,
1085             },
1086         };
1087 
1088         virtio_scsi_push_event(s, &info);
1089         scsi_bus_set_ua(&s->bus, SENSE_CODE(REPORTED_LUNS_CHANGED));
1090     }
1091 }
1092 
1093 static void virtio_scsi_hotunplug(HotplugHandler *hotplug_dev, DeviceState *dev,
1094                                   Error **errp)
1095 {
1096     VirtIODevice *vdev = VIRTIO_DEVICE(hotplug_dev);
1097     VirtIOSCSI *s = VIRTIO_SCSI(vdev);
1098     SCSIDevice *sd = SCSI_DEVICE(dev);
1099     VirtIOSCSIEventInfo info = {
1100         .event   = VIRTIO_SCSI_T_TRANSPORT_RESET,
1101         .reason  = VIRTIO_SCSI_EVT_RESET_REMOVED,
1102         .address = {
1103             .id  = sd->id,
1104             .lun = sd->lun,
1105         },
1106     };
1107 
1108     qdev_simple_device_unplug_cb(hotplug_dev, dev, errp);
1109 
1110     if (s->ctx) {
1111         /* If other users keep the BlockBackend in the iothread, that's ok */
1112         blk_set_aio_context(sd->conf.blk, qemu_get_aio_context(), NULL);
1113     }
1114 
1115     if (virtio_vdev_has_feature(vdev, VIRTIO_SCSI_F_HOTPLUG)) {
1116         virtio_scsi_push_event(s, &info);
1117         scsi_bus_set_ua(&s->bus, SENSE_CODE(REPORTED_LUNS_CHANGED));
1118     }
1119 }
1120 
1121 /* Suspend virtqueue ioeventfd processing during drain */
1122 static void virtio_scsi_drained_begin(SCSIBus *bus)
1123 {
1124     VirtIOSCSI *s = container_of(bus, VirtIOSCSI, bus);
1125     VirtIODevice *vdev = VIRTIO_DEVICE(s);
1126     uint32_t total_queues = VIRTIO_SCSI_VQ_NUM_FIXED +
1127                             s->parent_obj.conf.num_queues;
1128 
1129     /*
1130      * Drain is called when stopping dataplane but the host notifier has
1131      * already been detached. Detaching multiple times is a no-op if nothing
1132      * else is using the monitoring same file descriptor, but avoid it just in
1133      * case.
1134      *
1135      * Also, don't detach if dataplane has not even been started yet because
1136      * the host notifier isn't attached.
1137      */
1138     if (s->dataplane_stopping || !s->dataplane_started) {
1139         return;
1140     }
1141 
1142     for (uint32_t i = 0; i < total_queues; i++) {
1143         VirtQueue *vq = virtio_get_queue(vdev, i);
1144         virtio_queue_aio_detach_host_notifier(vq, s->ctx);
1145     }
1146 }
1147 
1148 /* Resume virtqueue ioeventfd processing after drain */
1149 static void virtio_scsi_drained_end(SCSIBus *bus)
1150 {
1151     VirtIOSCSI *s = container_of(bus, VirtIOSCSI, bus);
1152     VirtIODevice *vdev = VIRTIO_DEVICE(s);
1153     uint32_t total_queues = VIRTIO_SCSI_VQ_NUM_FIXED +
1154                             s->parent_obj.conf.num_queues;
1155 
1156     /*
1157      * Drain is called when stopping dataplane. Keep the host notifier detached
1158      * so it's not left dangling after dataplane is stopped.
1159      *
1160      * Also, don't attach if dataplane has not even been started yet. We're not
1161      * ready.
1162      */
1163     if (s->dataplane_stopping || !s->dataplane_started) {
1164         return;
1165     }
1166 
1167     for (uint32_t i = 0; i < total_queues; i++) {
1168         VirtQueue *vq = virtio_get_queue(vdev, i);
1169         virtio_queue_aio_attach_host_notifier(vq, s->ctx);
1170     }
1171 }
1172 
1173 static struct SCSIBusInfo virtio_scsi_scsi_info = {
1174     .tcq = true,
1175     .max_channel = VIRTIO_SCSI_MAX_CHANNEL,
1176     .max_target = VIRTIO_SCSI_MAX_TARGET,
1177     .max_lun = VIRTIO_SCSI_MAX_LUN,
1178 
1179     .complete = virtio_scsi_command_complete,
1180     .fail = virtio_scsi_command_failed,
1181     .cancel = virtio_scsi_request_cancelled,
1182     .change = virtio_scsi_change,
1183     .parse_cdb = virtio_scsi_parse_cdb,
1184     .get_sg_list = virtio_scsi_get_sg_list,
1185     .save_request = virtio_scsi_save_request,
1186     .load_request = virtio_scsi_load_request,
1187     .drained_begin = virtio_scsi_drained_begin,
1188     .drained_end = virtio_scsi_drained_end,
1189 };
1190 
1191 void virtio_scsi_common_realize(DeviceState *dev,
1192                                 VirtIOHandleOutput ctrl,
1193                                 VirtIOHandleOutput evt,
1194                                 VirtIOHandleOutput cmd,
1195                                 Error **errp)
1196 {
1197     VirtIODevice *vdev = VIRTIO_DEVICE(dev);
1198     VirtIOSCSICommon *s = VIRTIO_SCSI_COMMON(dev);
1199     int i;
1200 
1201     virtio_init(vdev, VIRTIO_ID_SCSI, sizeof(VirtIOSCSIConfig));
1202 
1203     if (s->conf.num_queues == VIRTIO_SCSI_AUTO_NUM_QUEUES) {
1204         s->conf.num_queues = 1;
1205     }
1206     if (s->conf.num_queues == 0 ||
1207             s->conf.num_queues > VIRTIO_QUEUE_MAX - VIRTIO_SCSI_VQ_NUM_FIXED) {
1208         error_setg(errp, "Invalid number of queues (= %" PRIu32 "), "
1209                          "must be a positive integer less than %d.",
1210                    s->conf.num_queues,
1211                    VIRTIO_QUEUE_MAX - VIRTIO_SCSI_VQ_NUM_FIXED);
1212         virtio_cleanup(vdev);
1213         return;
1214     }
1215     if (s->conf.virtqueue_size <= 2) {
1216         error_setg(errp, "invalid virtqueue_size property (= %" PRIu32 "), "
1217                    "must be > 2", s->conf.virtqueue_size);
1218         return;
1219     }
1220     s->cmd_vqs = g_new0(VirtQueue *, s->conf.num_queues);
1221     s->sense_size = VIRTIO_SCSI_SENSE_DEFAULT_SIZE;
1222     s->cdb_size = VIRTIO_SCSI_CDB_DEFAULT_SIZE;
1223 
1224     s->ctrl_vq = virtio_add_queue(vdev, s->conf.virtqueue_size, ctrl);
1225     s->event_vq = virtio_add_queue(vdev, s->conf.virtqueue_size, evt);
1226     for (i = 0; i < s->conf.num_queues; i++) {
1227         s->cmd_vqs[i] = virtio_add_queue(vdev, s->conf.virtqueue_size, cmd);
1228     }
1229 }
1230 
1231 static void virtio_scsi_device_realize(DeviceState *dev, Error **errp)
1232 {
1233     VirtIODevice *vdev = VIRTIO_DEVICE(dev);
1234     VirtIOSCSI *s = VIRTIO_SCSI(dev);
1235     Error *err = NULL;
1236 
1237     QTAILQ_INIT(&s->tmf_bh_list);
1238     qemu_mutex_init(&s->tmf_bh_lock);
1239 
1240     virtio_scsi_common_realize(dev,
1241                                virtio_scsi_handle_ctrl,
1242                                virtio_scsi_handle_event,
1243                                virtio_scsi_handle_cmd,
1244                                &err);
1245     if (err != NULL) {
1246         error_propagate(errp, err);
1247         return;
1248     }
1249 
1250     scsi_bus_init_named(&s->bus, sizeof(s->bus), dev,
1251                        &virtio_scsi_scsi_info, vdev->bus_name);
1252     /* override default SCSI bus hotplug-handler, with virtio-scsi's one */
1253     qbus_set_hotplug_handler(BUS(&s->bus), OBJECT(dev));
1254 
1255     virtio_scsi_dataplane_setup(s, errp);
1256 }
1257 
1258 void virtio_scsi_common_unrealize(DeviceState *dev)
1259 {
1260     VirtIODevice *vdev = VIRTIO_DEVICE(dev);
1261     VirtIOSCSICommon *vs = VIRTIO_SCSI_COMMON(dev);
1262     int i;
1263 
1264     virtio_delete_queue(vs->ctrl_vq);
1265     virtio_delete_queue(vs->event_vq);
1266     for (i = 0; i < vs->conf.num_queues; i++) {
1267         virtio_delete_queue(vs->cmd_vqs[i]);
1268     }
1269     g_free(vs->cmd_vqs);
1270     virtio_cleanup(vdev);
1271 }
1272 
1273 static void virtio_scsi_device_unrealize(DeviceState *dev)
1274 {
1275     VirtIOSCSI *s = VIRTIO_SCSI(dev);
1276 
1277     virtio_scsi_reset_tmf_bh(s);
1278 
1279     qbus_set_hotplug_handler(BUS(&s->bus), NULL);
1280     virtio_scsi_common_unrealize(dev);
1281     qemu_mutex_destroy(&s->tmf_bh_lock);
1282 }
1283 
1284 static Property virtio_scsi_properties[] = {
1285     DEFINE_PROP_UINT32("num_queues", VirtIOSCSI, parent_obj.conf.num_queues,
1286                        VIRTIO_SCSI_AUTO_NUM_QUEUES),
1287     DEFINE_PROP_UINT32("virtqueue_size", VirtIOSCSI,
1288                                          parent_obj.conf.virtqueue_size, 256),
1289     DEFINE_PROP_BOOL("seg_max_adjust", VirtIOSCSI,
1290                       parent_obj.conf.seg_max_adjust, true),
1291     DEFINE_PROP_UINT32("max_sectors", VirtIOSCSI, parent_obj.conf.max_sectors,
1292                                                   0xFFFF),
1293     DEFINE_PROP_UINT32("cmd_per_lun", VirtIOSCSI, parent_obj.conf.cmd_per_lun,
1294                                                   128),
1295     DEFINE_PROP_BIT("hotplug", VirtIOSCSI, host_features,
1296                                            VIRTIO_SCSI_F_HOTPLUG, true),
1297     DEFINE_PROP_BIT("param_change", VirtIOSCSI, host_features,
1298                                                 VIRTIO_SCSI_F_CHANGE, true),
1299     DEFINE_PROP_LINK("iothread", VirtIOSCSI, parent_obj.conf.iothread,
1300                      TYPE_IOTHREAD, IOThread *),
1301     DEFINE_PROP_END_OF_LIST(),
1302 };
1303 
1304 static const VMStateDescription vmstate_virtio_scsi = {
1305     .name = "virtio-scsi",
1306     .minimum_version_id = 1,
1307     .version_id = 1,
1308     .fields = (const VMStateField[]) {
1309         VMSTATE_VIRTIO_DEVICE,
1310         VMSTATE_END_OF_LIST()
1311     },
1312 };
1313 
1314 static void virtio_scsi_common_class_init(ObjectClass *klass, void *data)
1315 {
1316     VirtioDeviceClass *vdc = VIRTIO_DEVICE_CLASS(klass);
1317     DeviceClass *dc = DEVICE_CLASS(klass);
1318 
1319     vdc->get_config = virtio_scsi_get_config;
1320     set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
1321 }
1322 
1323 static void virtio_scsi_class_init(ObjectClass *klass, void *data)
1324 {
1325     DeviceClass *dc = DEVICE_CLASS(klass);
1326     VirtioDeviceClass *vdc = VIRTIO_DEVICE_CLASS(klass);
1327     HotplugHandlerClass *hc = HOTPLUG_HANDLER_CLASS(klass);
1328 
1329     device_class_set_props(dc, virtio_scsi_properties);
1330     dc->vmsd = &vmstate_virtio_scsi;
1331     set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
1332     vdc->realize = virtio_scsi_device_realize;
1333     vdc->unrealize = virtio_scsi_device_unrealize;
1334     vdc->set_config = virtio_scsi_set_config;
1335     vdc->get_features = virtio_scsi_get_features;
1336     vdc->reset = virtio_scsi_reset;
1337     vdc->start_ioeventfd = virtio_scsi_dataplane_start;
1338     vdc->stop_ioeventfd = virtio_scsi_dataplane_stop;
1339     hc->pre_plug = virtio_scsi_pre_hotplug;
1340     hc->plug = virtio_scsi_hotplug;
1341     hc->unplug = virtio_scsi_hotunplug;
1342 }
1343 
1344 static const TypeInfo virtio_scsi_common_info = {
1345     .name = TYPE_VIRTIO_SCSI_COMMON,
1346     .parent = TYPE_VIRTIO_DEVICE,
1347     .instance_size = sizeof(VirtIOSCSICommon),
1348     .abstract = true,
1349     .class_init = virtio_scsi_common_class_init,
1350 };
1351 
1352 static const TypeInfo virtio_scsi_info = {
1353     .name = TYPE_VIRTIO_SCSI,
1354     .parent = TYPE_VIRTIO_SCSI_COMMON,
1355     .instance_size = sizeof(VirtIOSCSI),
1356     .class_init = virtio_scsi_class_init,
1357     .interfaces = (InterfaceInfo[]) {
1358         { TYPE_HOTPLUG_HANDLER },
1359         { }
1360     }
1361 };
1362 
1363 static void virtio_register_types(void)
1364 {
1365     type_register_static(&virtio_scsi_common_info);
1366     type_register_static(&virtio_scsi_info);
1367 }
1368 
1369 type_init(virtio_register_types)
1370