1 /* 2 * SCSI Device emulation 3 * 4 * Copyright (c) 2006 CodeSourcery. 5 * Based on code by Fabrice Bellard 6 * 7 * Written by Paul Brook 8 * 9 * This code is licenced under the LGPL. 10 * 11 * Note that this file only handles the SCSI architecture model and device 12 * commands. Emulation of interface/link layer protocols is handled by 13 * the host adapter emulator. 14 */ 15 16 #include <qemu-common.h> 17 #include <sysemu.h> 18 //#define DEBUG_SCSI 19 20 #ifdef DEBUG_SCSI 21 #define DPRINTF(fmt, ...) \ 22 do { printf("scsi-disk: " fmt , ## __VA_ARGS__); } while (0) 23 #else 24 #define DPRINTF(fmt, ...) do {} while(0) 25 #endif 26 27 #define BADF(fmt, ...) \ 28 do { fprintf(stderr, "scsi-disk: " fmt , ## __VA_ARGS__); } while (0) 29 30 #include "qemu-common.h" 31 #include "block.h" 32 #include "scsi-disk.h" 33 34 #define SENSE_NO_SENSE 0 35 #define SENSE_NOT_READY 2 36 #define SENSE_HARDWARE_ERROR 4 37 #define SENSE_ILLEGAL_REQUEST 5 38 39 #define STATUS_GOOD 0 40 #define STATUS_CHECK_CONDITION 2 41 42 #define SCSI_DMA_BUF_SIZE 131072 43 #define SCSI_MAX_INQUIRY_LEN 256 44 45 #define SCSI_REQ_STATUS_RETRY 0x01 46 47 typedef struct SCSIRequest { 48 SCSIDeviceState *dev; 49 uint32_t tag; 50 /* ??? We should probably keep track of whether the data transfer is 51 a read or a write. Currently we rely on the host getting it right. */ 52 /* Both sector and sector_count are in terms of qemu 512 byte blocks. */ 53 uint64_t sector; 54 uint32_t sector_count; 55 struct iovec iov; 56 QEMUIOVector qiov; 57 BlockDriverAIOCB *aiocb; 58 struct SCSIRequest *next; 59 uint32_t status; 60 } SCSIRequest; 61 62 struct SCSIDeviceState 63 { 64 BlockDriverState *bdrv; 65 SCSIRequest *requests; 66 /* The qemu block layer uses a fixed 512 byte sector size. 67 This is the number of 512 byte blocks in a single scsi sector. */ 68 int cluster_size; 69 uint64_t max_lba; 70 int sense; 71 int tcq; 72 /* Completion functions may be called from either scsi_{read,write}_data 73 or from the AIO completion routines. */ 74 scsi_completionfn completion; 75 void *opaque; 76 char drive_serial_str[21]; 77 }; 78 79 /* Global pool of SCSIRequest structures. */ 80 static SCSIRequest *free_requests = NULL; 81 82 static SCSIRequest *scsi_new_request(SCSIDeviceState *s, uint32_t tag) 83 { 84 SCSIRequest *r; 85 86 if (free_requests) { 87 r = free_requests; 88 free_requests = r->next; 89 } else { 90 r = qemu_malloc(sizeof(SCSIRequest)); 91 r->iov.iov_base = qemu_memalign(512, SCSI_DMA_BUF_SIZE); 92 } 93 r->dev = s; 94 r->tag = tag; 95 r->sector_count = 0; 96 r->iov.iov_len = 0; 97 r->aiocb = NULL; 98 r->status = 0; 99 100 r->next = s->requests; 101 s->requests = r; 102 return r; 103 } 104 105 static void scsi_remove_request(SCSIRequest *r) 106 { 107 SCSIRequest *last; 108 SCSIDeviceState *s = r->dev; 109 110 if (s->requests == r) { 111 s->requests = r->next; 112 } else { 113 last = s->requests; 114 while (last && last->next != r) 115 last = last->next; 116 if (last) { 117 last->next = r->next; 118 } else { 119 BADF("Orphaned request\n"); 120 } 121 } 122 r->next = free_requests; 123 free_requests = r; 124 } 125 126 static SCSIRequest *scsi_find_request(SCSIDeviceState *s, uint32_t tag) 127 { 128 SCSIRequest *r; 129 130 r = s->requests; 131 while (r && r->tag != tag) 132 r = r->next; 133 134 return r; 135 } 136 137 /* Helper function for command completion. */ 138 static void scsi_command_complete(SCSIRequest *r, int status, int sense) 139 { 140 SCSIDeviceState *s = r->dev; 141 uint32_t tag; 142 DPRINTF("Command complete tag=0x%x status=%d sense=%d\n", r->tag, status, sense); 143 s->sense = sense; 144 tag = r->tag; 145 scsi_remove_request(r); 146 s->completion(s->opaque, SCSI_REASON_DONE, tag, status); 147 } 148 149 /* Cancel a pending data transfer. */ 150 static void scsi_cancel_io(SCSIDevice *d, uint32_t tag) 151 { 152 SCSIDeviceState *s = d->state; 153 SCSIRequest *r; 154 DPRINTF("Cancel tag=0x%x\n", tag); 155 r = scsi_find_request(s, tag); 156 if (r) { 157 if (r->aiocb) 158 bdrv_aio_cancel(r->aiocb); 159 r->aiocb = NULL; 160 scsi_remove_request(r); 161 } 162 } 163 164 static void scsi_read_complete(void * opaque, int ret) 165 { 166 SCSIRequest *r = (SCSIRequest *)opaque; 167 SCSIDeviceState *s = r->dev; 168 169 if (ret) { 170 DPRINTF("IO error\n"); 171 s->completion(s->opaque, SCSI_REASON_DATA, r->tag, 0); 172 scsi_command_complete(r, STATUS_CHECK_CONDITION, SENSE_NO_SENSE); 173 return; 174 } 175 DPRINTF("Data ready tag=0x%x len=%d\n", r->tag, r->iov.iov_len); 176 177 s->completion(s->opaque, SCSI_REASON_DATA, r->tag, r->iov.iov_len); 178 } 179 180 /* Read more data from scsi device into buffer. */ 181 static void scsi_read_data(SCSIDevice *d, uint32_t tag) 182 { 183 SCSIDeviceState *s = d->state; 184 SCSIRequest *r; 185 uint32_t n; 186 187 r = scsi_find_request(s, tag); 188 if (!r) { 189 BADF("Bad read tag 0x%x\n", tag); 190 /* ??? This is the wrong error. */ 191 scsi_command_complete(r, STATUS_CHECK_CONDITION, SENSE_HARDWARE_ERROR); 192 return; 193 } 194 if (r->sector_count == (uint32_t)-1) { 195 DPRINTF("Read buf_len=%d\n", r->iov.iov_len); 196 r->sector_count = 0; 197 s->completion(s->opaque, SCSI_REASON_DATA, r->tag, r->iov.iov_len); 198 return; 199 } 200 DPRINTF("Read sector_count=%d\n", r->sector_count); 201 if (r->sector_count == 0) { 202 scsi_command_complete(r, STATUS_GOOD, SENSE_NO_SENSE); 203 return; 204 } 205 206 n = r->sector_count; 207 if (n > SCSI_DMA_BUF_SIZE / 512) 208 n = SCSI_DMA_BUF_SIZE / 512; 209 210 r->iov.iov_len = n * 512; 211 qemu_iovec_init_external(&r->qiov, &r->iov, 1); 212 r->aiocb = bdrv_aio_readv(s->bdrv, r->sector, &r->qiov, n, 213 scsi_read_complete, r); 214 if (r->aiocb == NULL) 215 scsi_command_complete(r, STATUS_CHECK_CONDITION, SENSE_HARDWARE_ERROR); 216 r->sector += n; 217 r->sector_count -= n; 218 } 219 220 static int scsi_handle_write_error(SCSIRequest *r, int error) 221 { 222 BlockInterfaceErrorAction action = drive_get_onerror(r->dev->bdrv); 223 224 if (action == BLOCK_ERR_IGNORE) 225 return 0; 226 227 if ((error == ENOSPC && action == BLOCK_ERR_STOP_ENOSPC) 228 || action == BLOCK_ERR_STOP_ANY) { 229 r->status |= SCSI_REQ_STATUS_RETRY; 230 vm_stop(0); 231 } else { 232 scsi_command_complete(r, STATUS_CHECK_CONDITION, 233 SENSE_HARDWARE_ERROR); 234 } 235 236 return 1; 237 } 238 239 static void scsi_write_complete(void * opaque, int ret) 240 { 241 SCSIRequest *r = (SCSIRequest *)opaque; 242 SCSIDeviceState *s = r->dev; 243 uint32_t len; 244 uint32_t n; 245 246 r->aiocb = NULL; 247 248 if (ret) { 249 if (scsi_handle_write_error(r, -ret)) 250 return; 251 } 252 253 n = r->iov.iov_len / 512; 254 r->sector += n; 255 r->sector_count -= n; 256 if (r->sector_count == 0) { 257 scsi_command_complete(r, STATUS_GOOD, SENSE_NO_SENSE); 258 } else { 259 len = r->sector_count * 512; 260 if (len > SCSI_DMA_BUF_SIZE) { 261 len = SCSI_DMA_BUF_SIZE; 262 } 263 r->iov.iov_len = len; 264 DPRINTF("Write complete tag=0x%x more=%d\n", r->tag, len); 265 s->completion(s->opaque, SCSI_REASON_DATA, r->tag, len); 266 } 267 } 268 269 static void scsi_write_request(SCSIRequest *r) 270 { 271 SCSIDeviceState *s = r->dev; 272 uint32_t n; 273 274 n = r->iov.iov_len / 512; 275 if (n) { 276 qemu_iovec_init_external(&r->qiov, &r->iov, 1); 277 r->aiocb = bdrv_aio_writev(s->bdrv, r->sector, &r->qiov, n, 278 scsi_write_complete, r); 279 if (r->aiocb == NULL) 280 scsi_command_complete(r, STATUS_CHECK_CONDITION, 281 SENSE_HARDWARE_ERROR); 282 } else { 283 /* Invoke completion routine to fetch data from host. */ 284 scsi_write_complete(r, 0); 285 } 286 } 287 288 /* Write data to a scsi device. Returns nonzero on failure. 289 The transfer may complete asynchronously. */ 290 static int scsi_write_data(SCSIDevice *d, uint32_t tag) 291 { 292 SCSIDeviceState *s = d->state; 293 SCSIRequest *r; 294 295 DPRINTF("Write data tag=0x%x\n", tag); 296 r = scsi_find_request(s, tag); 297 if (!r) { 298 BADF("Bad write tag 0x%x\n", tag); 299 scsi_command_complete(r, STATUS_CHECK_CONDITION, SENSE_HARDWARE_ERROR); 300 return 1; 301 } 302 303 if (r->aiocb) 304 BADF("Data transfer already in progress\n"); 305 306 scsi_write_request(r); 307 308 return 0; 309 } 310 311 static void scsi_dma_restart_cb(void *opaque, int running, int reason) 312 { 313 SCSIDeviceState *s = opaque; 314 SCSIRequest *r = s->requests; 315 if (!running) 316 return; 317 318 while (r) { 319 if (r->status & SCSI_REQ_STATUS_RETRY) { 320 r->status &= ~SCSI_REQ_STATUS_RETRY; 321 scsi_write_request(r); 322 } 323 r = r->next; 324 } 325 } 326 327 /* Return a pointer to the data buffer. */ 328 static uint8_t *scsi_get_buf(SCSIDevice *d, uint32_t tag) 329 { 330 SCSIDeviceState *s = d->state; 331 SCSIRequest *r; 332 333 r = scsi_find_request(s, tag); 334 if (!r) { 335 BADF("Bad buffer tag 0x%x\n", tag); 336 return NULL; 337 } 338 return (uint8_t *)r->iov.iov_base; 339 } 340 341 /* Execute a scsi command. Returns the length of the data expected by the 342 command. This will be Positive for data transfers from the device 343 (eg. disk reads), negative for transfers to the device (eg. disk writes), 344 and zero if the command does not transfer any data. */ 345 346 static int32_t scsi_send_command(SCSIDevice *d, uint32_t tag, 347 uint8_t *buf, int lun) 348 { 349 SCSIDeviceState *s = d->state; 350 uint64_t nb_sectors; 351 uint64_t lba; 352 uint32_t len; 353 int cmdlen; 354 int is_write; 355 uint8_t command; 356 uint8_t *outbuf; 357 SCSIRequest *r; 358 359 command = buf[0]; 360 r = scsi_find_request(s, tag); 361 if (r) { 362 BADF("Tag 0x%x already in use\n", tag); 363 scsi_cancel_io(d, tag); 364 } 365 /* ??? Tags are not unique for different luns. We only implement a 366 single lun, so this should not matter. */ 367 r = scsi_new_request(s, tag); 368 outbuf = (uint8_t *)r->iov.iov_base; 369 is_write = 0; 370 DPRINTF("Command: lun=%d tag=0x%x data=0x%02x", lun, tag, buf[0]); 371 switch (command >> 5) { 372 case 0: 373 lba = (uint64_t) buf[3] | ((uint64_t) buf[2] << 8) | 374 (((uint64_t) buf[1] & 0x1f) << 16); 375 len = buf[4]; 376 cmdlen = 6; 377 break; 378 case 1: 379 case 2: 380 lba = (uint64_t) buf[5] | ((uint64_t) buf[4] << 8) | 381 ((uint64_t) buf[3] << 16) | ((uint64_t) buf[2] << 24); 382 len = buf[8] | (buf[7] << 8); 383 cmdlen = 10; 384 break; 385 case 4: 386 lba = (uint64_t) buf[9] | ((uint64_t) buf[8] << 8) | 387 ((uint64_t) buf[7] << 16) | ((uint64_t) buf[6] << 24) | 388 ((uint64_t) buf[5] << 32) | ((uint64_t) buf[4] << 40) | 389 ((uint64_t) buf[3] << 48) | ((uint64_t) buf[2] << 56); 390 len = buf[13] | (buf[12] << 8) | (buf[11] << 16) | (buf[10] << 24); 391 cmdlen = 16; 392 break; 393 case 5: 394 lba = (uint64_t) buf[5] | ((uint64_t) buf[4] << 8) | 395 ((uint64_t) buf[3] << 16) | ((uint64_t) buf[2] << 24); 396 len = buf[9] | (buf[8] << 8) | (buf[7] << 16) | (buf[6] << 24); 397 cmdlen = 12; 398 break; 399 default: 400 BADF("Unsupported command length, command %x\n", command); 401 goto fail; 402 } 403 #ifdef DEBUG_SCSI 404 { 405 int i; 406 for (i = 1; i < cmdlen; i++) { 407 printf(" 0x%02x", buf[i]); 408 } 409 printf("\n"); 410 } 411 #endif 412 if (lun || buf[1] >> 5) { 413 /* Only LUN 0 supported. */ 414 DPRINTF("Unimplemented LUN %d\n", lun ? lun : buf[1] >> 5); 415 if (command != 0x03 && command != 0x12) /* REQUEST SENSE and INQUIRY */ 416 goto fail; 417 } 418 switch (command) { 419 case 0x0: 420 DPRINTF("Test Unit Ready\n"); 421 if (!bdrv_is_inserted(s->bdrv)) 422 goto notready; 423 break; 424 case 0x03: 425 DPRINTF("Request Sense (len %d)\n", len); 426 if (len < 4) 427 goto fail; 428 memset(outbuf, 0, 4); 429 r->iov.iov_len = 4; 430 if (s->sense == SENSE_NOT_READY && len >= 18) { 431 memset(outbuf, 0, 18); 432 r->iov.iov_len = 18; 433 outbuf[7] = 10; 434 /* asc 0x3a, ascq 0: Medium not present */ 435 outbuf[12] = 0x3a; 436 outbuf[13] = 0; 437 } 438 outbuf[0] = 0xf0; 439 outbuf[1] = 0; 440 outbuf[2] = s->sense; 441 break; 442 case 0x12: 443 DPRINTF("Inquiry (len %d)\n", len); 444 if (buf[1] & 0x2) { 445 /* Command support data - optional, not implemented */ 446 BADF("optional INQUIRY command support request not implemented\n"); 447 goto fail; 448 } 449 else if (buf[1] & 0x1) { 450 /* Vital product data */ 451 uint8_t page_code = buf[2]; 452 if (len < 4) { 453 BADF("Error: Inquiry (EVPD[%02X]) buffer size %d is " 454 "less than 4\n", page_code, len); 455 goto fail; 456 } 457 458 switch (page_code) { 459 case 0x00: 460 { 461 /* Supported page codes, mandatory */ 462 DPRINTF("Inquiry EVPD[Supported pages] " 463 "buffer size %d\n", len); 464 465 r->iov.iov_len = 0; 466 467 if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) { 468 outbuf[r->iov.iov_len++] = 5; 469 } else { 470 outbuf[r->iov.iov_len++] = 0; 471 } 472 473 outbuf[r->iov.iov_len++] = 0x00; // this page 474 outbuf[r->iov.iov_len++] = 0x00; 475 outbuf[r->iov.iov_len++] = 3; // number of pages 476 outbuf[r->iov.iov_len++] = 0x00; // list of supported pages (this page) 477 outbuf[r->iov.iov_len++] = 0x80; // unit serial number 478 outbuf[r->iov.iov_len++] = 0x83; // device identification 479 } 480 break; 481 case 0x80: 482 { 483 int l; 484 485 /* Device serial number, optional */ 486 if (len < 4) { 487 BADF("Error: EVPD[Serial number] Inquiry buffer " 488 "size %d too small, %d needed\n", len, 4); 489 goto fail; 490 } 491 492 DPRINTF("Inquiry EVPD[Serial number] buffer size %d\n", len); 493 l = MIN(len, strlen(s->drive_serial_str)); 494 495 r->iov.iov_len = 0; 496 497 /* Supported page codes */ 498 if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) { 499 outbuf[r->iov.iov_len++] = 5; 500 } else { 501 outbuf[r->iov.iov_len++] = 0; 502 } 503 504 outbuf[r->iov.iov_len++] = 0x80; // this page 505 outbuf[r->iov.iov_len++] = 0x00; 506 outbuf[r->iov.iov_len++] = l; 507 memcpy(&outbuf[r->iov.iov_len], s->drive_serial_str, l); 508 r->iov.iov_len += l; 509 } 510 511 break; 512 case 0x83: 513 { 514 /* Device identification page, mandatory */ 515 int max_len = 255 - 8; 516 int id_len = strlen(bdrv_get_device_name(s->bdrv)); 517 if (id_len > max_len) 518 id_len = max_len; 519 520 DPRINTF("Inquiry EVPD[Device identification] " 521 "buffer size %d\n", len); 522 r->iov.iov_len = 0; 523 if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) { 524 outbuf[r->iov.iov_len++] = 5; 525 } else { 526 outbuf[r->iov.iov_len++] = 0; 527 } 528 529 outbuf[r->iov.iov_len++] = 0x83; // this page 530 outbuf[r->iov.iov_len++] = 0x00; 531 outbuf[r->iov.iov_len++] = 3 + id_len; 532 533 outbuf[r->iov.iov_len++] = 0x2; // ASCII 534 outbuf[r->iov.iov_len++] = 0; // not officially assigned 535 outbuf[r->iov.iov_len++] = 0; // reserved 536 outbuf[r->iov.iov_len++] = id_len; // length of data following 537 538 memcpy(&outbuf[r->iov.iov_len], 539 bdrv_get_device_name(s->bdrv), id_len); 540 r->iov.iov_len += id_len; 541 } 542 break; 543 default: 544 BADF("Error: unsupported Inquiry (EVPD[%02X]) " 545 "buffer size %d\n", page_code, len); 546 goto fail; 547 } 548 /* done with EVPD */ 549 break; 550 } 551 else { 552 /* Standard INQUIRY data */ 553 if (buf[2] != 0) { 554 BADF("Error: Inquiry (STANDARD) page or code " 555 "is non-zero [%02X]\n", buf[2]); 556 goto fail; 557 } 558 559 /* PAGE CODE == 0 */ 560 if (len < 5) { 561 BADF("Error: Inquiry (STANDARD) buffer size %d " 562 "is less than 5\n", len); 563 goto fail; 564 } 565 566 if (len < 36) { 567 BADF("Error: Inquiry (STANDARD) buffer size %d " 568 "is less than 36 (TODO: only 5 required)\n", len); 569 } 570 } 571 572 if(len > SCSI_MAX_INQUIRY_LEN) 573 len = SCSI_MAX_INQUIRY_LEN; 574 575 memset(outbuf, 0, len); 576 577 if (lun || buf[1] >> 5) { 578 outbuf[0] = 0x7f; /* LUN not supported */ 579 } else if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) { 580 outbuf[0] = 5; 581 outbuf[1] = 0x80; 582 memcpy(&outbuf[16], "QEMU CD-ROM ", 16); 583 } else { 584 outbuf[0] = 0; 585 memcpy(&outbuf[16], "QEMU HARDDISK ", 16); 586 } 587 memcpy(&outbuf[8], "QEMU ", 8); 588 memcpy(&outbuf[32], QEMU_VERSION, 4); 589 /* Identify device as SCSI-3 rev 1. 590 Some later commands are also implemented. */ 591 outbuf[2] = 3; 592 outbuf[3] = 2; /* Format 2 */ 593 outbuf[4] = len - 5; /* Additional Length = (Len - 1) - 4 */ 594 /* Sync data transfer and TCQ. */ 595 outbuf[7] = 0x10 | (s->tcq ? 0x02 : 0); 596 r->iov.iov_len = len; 597 break; 598 case 0x16: 599 DPRINTF("Reserve(6)\n"); 600 if (buf[1] & 1) 601 goto fail; 602 break; 603 case 0x17: 604 DPRINTF("Release(6)\n"); 605 if (buf[1] & 1) 606 goto fail; 607 break; 608 case 0x1a: 609 case 0x5a: 610 { 611 uint8_t *p; 612 int page; 613 614 page = buf[2] & 0x3f; 615 DPRINTF("Mode Sense (page %d, len %d)\n", page, len); 616 p = outbuf; 617 memset(p, 0, 4); 618 outbuf[1] = 0; /* Default media type. */ 619 outbuf[3] = 0; /* Block descriptor length. */ 620 if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) { 621 outbuf[2] = 0x80; /* Readonly. */ 622 } 623 p += 4; 624 if (page == 4) { 625 int cylinders, heads, secs; 626 627 /* Rigid disk device geometry page. */ 628 p[0] = 4; 629 p[1] = 0x16; 630 /* if a geometry hint is available, use it */ 631 bdrv_get_geometry_hint(s->bdrv, &cylinders, &heads, &secs); 632 p[2] = (cylinders >> 16) & 0xff; 633 p[3] = (cylinders >> 8) & 0xff; 634 p[4] = cylinders & 0xff; 635 p[5] = heads & 0xff; 636 /* Write precomp start cylinder, disabled */ 637 p[6] = (cylinders >> 16) & 0xff; 638 p[7] = (cylinders >> 8) & 0xff; 639 p[8] = cylinders & 0xff; 640 /* Reduced current start cylinder, disabled */ 641 p[9] = (cylinders >> 16) & 0xff; 642 p[10] = (cylinders >> 8) & 0xff; 643 p[11] = cylinders & 0xff; 644 /* Device step rate [ns], 200ns */ 645 p[12] = 0; 646 p[13] = 200; 647 /* Landing zone cylinder */ 648 p[14] = 0xff; 649 p[15] = 0xff; 650 p[16] = 0xff; 651 /* Medium rotation rate [rpm], 5400 rpm */ 652 p[20] = (5400 >> 8) & 0xff; 653 p[21] = 5400 & 0xff; 654 p += 0x16; 655 } else if (page == 5) { 656 int cylinders, heads, secs; 657 658 /* Flexible disk device geometry page. */ 659 p[0] = 5; 660 p[1] = 0x1e; 661 /* Transfer rate [kbit/s], 5Mbit/s */ 662 p[2] = 5000 >> 8; 663 p[3] = 5000 & 0xff; 664 /* if a geometry hint is available, use it */ 665 bdrv_get_geometry_hint(s->bdrv, &cylinders, &heads, &secs); 666 p[4] = heads & 0xff; 667 p[5] = secs & 0xff; 668 p[6] = s->cluster_size * 2; 669 p[8] = (cylinders >> 8) & 0xff; 670 p[9] = cylinders & 0xff; 671 /* Write precomp start cylinder, disabled */ 672 p[10] = (cylinders >> 8) & 0xff; 673 p[11] = cylinders & 0xff; 674 /* Reduced current start cylinder, disabled */ 675 p[12] = (cylinders >> 8) & 0xff; 676 p[13] = cylinders & 0xff; 677 /* Device step rate [100us], 100us */ 678 p[14] = 0; 679 p[15] = 1; 680 /* Device step pulse width [us], 1us */ 681 p[16] = 1; 682 /* Device head settle delay [100us], 100us */ 683 p[17] = 0; 684 p[18] = 1; 685 /* Motor on delay [0.1s], 0.1s */ 686 p[19] = 1; 687 /* Motor off delay [0.1s], 0.1s */ 688 p[20] = 1; 689 /* Medium rotation rate [rpm], 5400 rpm */ 690 p[28] = (5400 >> 8) & 0xff; 691 p[29] = 5400 & 0xff; 692 p += 0x1e; 693 } else if ((page == 8 || page == 0x3f)) { 694 /* Caching page. */ 695 memset(p,0,20); 696 p[0] = 8; 697 p[1] = 0x12; 698 p[2] = 4; /* WCE */ 699 p += 20; 700 } 701 if ((page == 0x3f || page == 0x2a) 702 && (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM)) { 703 /* CD Capabilities and Mechanical Status page. */ 704 p[0] = 0x2a; 705 p[1] = 0x14; 706 p[2] = 3; // CD-R & CD-RW read 707 p[3] = 0; // Writing not supported 708 p[4] = 0x7f; /* Audio, composite, digital out, 709 mode 2 form 1&2, multi session */ 710 p[5] = 0xff; /* CD DA, DA accurate, RW supported, 711 RW corrected, C2 errors, ISRC, 712 UPC, Bar code */ 713 p[6] = 0x2d | (bdrv_is_locked(s->bdrv)? 2 : 0); 714 /* Locking supported, jumper present, eject, tray */ 715 p[7] = 0; /* no volume & mute control, no 716 changer */ 717 p[8] = (50 * 176) >> 8; // 50x read speed 718 p[9] = (50 * 176) & 0xff; 719 p[10] = 0 >> 8; // No volume 720 p[11] = 0 & 0xff; 721 p[12] = 2048 >> 8; // 2M buffer 722 p[13] = 2048 & 0xff; 723 p[14] = (16 * 176) >> 8; // 16x read speed current 724 p[15] = (16 * 176) & 0xff; 725 p[18] = (16 * 176) >> 8; // 16x write speed 726 p[19] = (16 * 176) & 0xff; 727 p[20] = (16 * 176) >> 8; // 16x write speed current 728 p[21] = (16 * 176) & 0xff; 729 p += 22; 730 } 731 r->iov.iov_len = p - outbuf; 732 outbuf[0] = r->iov.iov_len - 4; 733 if (r->iov.iov_len > len) 734 r->iov.iov_len = len; 735 } 736 break; 737 case 0x1b: 738 DPRINTF("Start Stop Unit\n"); 739 if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM && 740 (buf[4] & 2)) 741 /* load/eject medium */ 742 bdrv_eject(s->bdrv, !(buf[4] & 1)); 743 break; 744 case 0x1e: 745 DPRINTF("Prevent Allow Medium Removal (prevent = %d)\n", buf[4] & 3); 746 bdrv_set_locked(s->bdrv, buf[4] & 1); 747 break; 748 case 0x25: 749 DPRINTF("Read Capacity\n"); 750 /* The normal LEN field for this command is zero. */ 751 memset(outbuf, 0, 8); 752 bdrv_get_geometry(s->bdrv, &nb_sectors); 753 nb_sectors /= s->cluster_size; 754 /* Returned value is the address of the last sector. */ 755 if (nb_sectors) { 756 nb_sectors--; 757 /* Remember the new size for read/write sanity checking. */ 758 s->max_lba = nb_sectors; 759 /* Clip to 2TB, instead of returning capacity modulo 2TB. */ 760 if (nb_sectors > UINT32_MAX) 761 nb_sectors = UINT32_MAX; 762 outbuf[0] = (nb_sectors >> 24) & 0xff; 763 outbuf[1] = (nb_sectors >> 16) & 0xff; 764 outbuf[2] = (nb_sectors >> 8) & 0xff; 765 outbuf[3] = nb_sectors & 0xff; 766 outbuf[4] = 0; 767 outbuf[5] = 0; 768 outbuf[6] = s->cluster_size * 2; 769 outbuf[7] = 0; 770 r->iov.iov_len = 8; 771 } else { 772 notready: 773 scsi_command_complete(r, STATUS_CHECK_CONDITION, SENSE_NOT_READY); 774 return 0; 775 } 776 break; 777 case 0x08: 778 case 0x28: 779 case 0x88: 780 DPRINTF("Read (sector %lld, count %d)\n", lba, len); 781 if (lba > s->max_lba) 782 goto illegal_lba; 783 r->sector = lba * s->cluster_size; 784 r->sector_count = len * s->cluster_size; 785 break; 786 case 0x0a: 787 case 0x2a: 788 case 0x8a: 789 DPRINTF("Write (sector %lld, count %d)\n", lba, len); 790 if (lba > s->max_lba) 791 goto illegal_lba; 792 r->sector = lba * s->cluster_size; 793 r->sector_count = len * s->cluster_size; 794 is_write = 1; 795 break; 796 case 0x35: 797 DPRINTF("Synchronise cache (sector %d, count %d)\n", lba, len); 798 bdrv_flush(s->bdrv); 799 break; 800 case 0x43: 801 { 802 int start_track, format, msf, toclen; 803 804 msf = buf[1] & 2; 805 format = buf[2] & 0xf; 806 start_track = buf[6]; 807 bdrv_get_geometry(s->bdrv, &nb_sectors); 808 DPRINTF("Read TOC (track %d format %d msf %d)\n", start_track, format, msf >> 1); 809 nb_sectors /= s->cluster_size; 810 switch(format) { 811 case 0: 812 toclen = cdrom_read_toc(nb_sectors, outbuf, msf, start_track); 813 break; 814 case 1: 815 /* multi session : only a single session defined */ 816 toclen = 12; 817 memset(outbuf, 0, 12); 818 outbuf[1] = 0x0a; 819 outbuf[2] = 0x01; 820 outbuf[3] = 0x01; 821 break; 822 case 2: 823 toclen = cdrom_read_toc_raw(nb_sectors, outbuf, msf, start_track); 824 break; 825 default: 826 goto error_cmd; 827 } 828 if (toclen > 0) { 829 if (len > toclen) 830 len = toclen; 831 r->iov.iov_len = len; 832 break; 833 } 834 error_cmd: 835 DPRINTF("Read TOC error\n"); 836 goto fail; 837 } 838 case 0x46: 839 DPRINTF("Get Configuration (rt %d, maxlen %d)\n", buf[1] & 3, len); 840 memset(outbuf, 0, 8); 841 /* ??? This should probably return much more information. For now 842 just return the basic header indicating the CD-ROM profile. */ 843 outbuf[7] = 8; // CD-ROM 844 r->iov.iov_len = 8; 845 break; 846 case 0x56: 847 DPRINTF("Reserve(10)\n"); 848 if (buf[1] & 3) 849 goto fail; 850 break; 851 case 0x57: 852 DPRINTF("Release(10)\n"); 853 if (buf[1] & 3) 854 goto fail; 855 break; 856 case 0x9e: 857 /* Service Action In subcommands. */ 858 if ((buf[1] & 31) == 0x10) { 859 DPRINTF("SAI READ CAPACITY(16)\n"); 860 memset(outbuf, 0, len); 861 bdrv_get_geometry(s->bdrv, &nb_sectors); 862 nb_sectors /= s->cluster_size; 863 /* Returned value is the address of the last sector. */ 864 if (nb_sectors) { 865 nb_sectors--; 866 /* Remember the new size for read/write sanity checking. */ 867 s->max_lba = nb_sectors; 868 outbuf[0] = (nb_sectors >> 56) & 0xff; 869 outbuf[1] = (nb_sectors >> 48) & 0xff; 870 outbuf[2] = (nb_sectors >> 40) & 0xff; 871 outbuf[3] = (nb_sectors >> 32) & 0xff; 872 outbuf[4] = (nb_sectors >> 24) & 0xff; 873 outbuf[5] = (nb_sectors >> 16) & 0xff; 874 outbuf[6] = (nb_sectors >> 8) & 0xff; 875 outbuf[7] = nb_sectors & 0xff; 876 outbuf[8] = 0; 877 outbuf[9] = 0; 878 outbuf[10] = s->cluster_size * 2; 879 outbuf[11] = 0; 880 /* Protection, exponent and lowest lba field left blank. */ 881 r->iov.iov_len = len; 882 } else { 883 scsi_command_complete(r, STATUS_CHECK_CONDITION, SENSE_NOT_READY); 884 return 0; 885 } 886 break; 887 } 888 DPRINTF("Unsupported Service Action In\n"); 889 goto fail; 890 case 0xa0: 891 DPRINTF("Report LUNs (len %d)\n", len); 892 if (len < 16) 893 goto fail; 894 memset(outbuf, 0, 16); 895 outbuf[3] = 8; 896 r->iov.iov_len = 16; 897 break; 898 case 0x2f: 899 DPRINTF("Verify (sector %d, count %d)\n", lba, len); 900 break; 901 default: 902 DPRINTF("Unknown SCSI command (%2.2x)\n", buf[0]); 903 fail: 904 scsi_command_complete(r, STATUS_CHECK_CONDITION, SENSE_ILLEGAL_REQUEST); 905 return 0; 906 illegal_lba: 907 scsi_command_complete(r, STATUS_CHECK_CONDITION, SENSE_HARDWARE_ERROR); 908 return 0; 909 } 910 if (r->sector_count == 0 && r->iov.iov_len == 0) { 911 scsi_command_complete(r, STATUS_GOOD, SENSE_NO_SENSE); 912 } 913 len = r->sector_count * 512 + r->iov.iov_len; 914 if (is_write) { 915 return -len; 916 } else { 917 if (!r->sector_count) 918 r->sector_count = -1; 919 return len; 920 } 921 } 922 923 static void scsi_destroy(SCSIDevice *d) 924 { 925 qemu_free(d->state); 926 qemu_free(d); 927 } 928 929 SCSIDevice *scsi_disk_init(BlockDriverState *bdrv, int tcq, 930 scsi_completionfn completion, void *opaque) 931 { 932 SCSIDevice *d; 933 SCSIDeviceState *s; 934 uint64_t nb_sectors; 935 936 s = (SCSIDeviceState *)qemu_mallocz(sizeof(SCSIDeviceState)); 937 s->bdrv = bdrv; 938 s->tcq = tcq; 939 s->completion = completion; 940 s->opaque = opaque; 941 if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) { 942 s->cluster_size = 4; 943 } else { 944 s->cluster_size = 1; 945 } 946 bdrv_get_geometry(s->bdrv, &nb_sectors); 947 nb_sectors /= s->cluster_size; 948 if (nb_sectors) 949 nb_sectors--; 950 s->max_lba = nb_sectors; 951 strncpy(s->drive_serial_str, drive_get_serial(s->bdrv), 952 sizeof(s->drive_serial_str)); 953 if (strlen(s->drive_serial_str) == 0) 954 pstrcpy(s->drive_serial_str, sizeof(s->drive_serial_str), "0"); 955 qemu_add_vm_change_state_handler(scsi_dma_restart_cb, s); 956 d = (SCSIDevice *)qemu_mallocz(sizeof(SCSIDevice)); 957 d->state = s; 958 d->destroy = scsi_destroy; 959 d->send_command = scsi_send_command; 960 d->read_data = scsi_read_data; 961 d->write_data = scsi_write_data; 962 d->cancel_io = scsi_cancel_io; 963 d->get_buf = scsi_get_buf; 964 965 return d; 966 } 967
