Home | History | Annotate | Download | only in hw
      1 /*
      2  * SCSI Device emulation
      3  *
      4  * Copyright (c) 2006 CodeSourcery.
      5  * Based on code by Fabrice Bellard
      6  *
      7  * Written by Paul Brook
      8  *
      9  * This code is licenced under the LGPL.
     10  *
     11  * Note that this file only handles the SCSI architecture model and device
     12  * commands.  Emulation of interface/link layer protocols is handled by
     13  * the host adapter emulator.
     14  */
     15 
     16 #include <qemu-common.h>
     17 #include <sysemu.h>
     18 #include "blockdev.h"
     19 //#define DEBUG_SCSI
     20 
     21 #ifdef DEBUG_SCSI
     22 #define DPRINTF(fmt, ...) \
     23 do { printf("scsi-disk: " fmt , ## __VA_ARGS__); } while (0)
     24 #else
     25 #define DPRINTF(fmt, ...) do {} while(0)
     26 #endif
     27 
     28 #define BADF(fmt, ...) \
     29 do { fprintf(stderr, "scsi-disk: " fmt , ## __VA_ARGS__); } while (0)
     30 
     31 #include "qemu-common.h"
     32 #include "block.h"
     33 #include "scsi-disk.h"
     34 
     35 #define SENSE_NO_SENSE        0
     36 #define SENSE_NOT_READY       2
     37 #define SENSE_HARDWARE_ERROR  4
     38 #define SENSE_ILLEGAL_REQUEST 5
     39 
     40 #define STATUS_GOOD            0
     41 #define STATUS_CHECK_CONDITION 2
     42 
     43 #define SCSI_DMA_BUF_SIZE    131072
     44 #define SCSI_MAX_INQUIRY_LEN 256
     45 
     46 #define SCSI_REQ_STATUS_RETRY 0x01
     47 
     48 typedef struct SCSIRequest {
     49     SCSIDeviceState *dev;
     50     uint32_t tag;
     51     /* ??? We should probably keep track of whether the data transfer is
     52        a read or a write.  Currently we rely on the host getting it right.  */
     53     /* Both sector and sector_count are in terms of qemu 512 byte blocks.  */
     54     uint64_t sector;
     55     uint32_t sector_count;
     56     struct iovec iov;
     57     QEMUIOVector qiov;
     58     BlockDriverAIOCB *aiocb;
     59     struct SCSIRequest *next;
     60     uint32_t status;
     61 } SCSIRequest;
     62 
     63 struct SCSIDeviceState
     64 {
     65     BlockDriverState *bdrv;
     66     SCSIRequest *requests;
     67     /* The qemu block layer uses a fixed 512 byte sector size.
     68        This is the number of 512 byte blocks in a single scsi sector.  */
     69     int cluster_size;
     70     uint64_t max_lba;
     71     int sense;
     72     int tcq;
     73     /* Completion functions may be called from either scsi_{read,write}_data
     74        or from the AIO completion routines.  */
     75     scsi_completionfn completion;
     76     void *opaque;
     77     char drive_serial_str[21];
     78 };
     79 
     80 /* Global pool of SCSIRequest structures.  */
     81 static SCSIRequest *free_requests = NULL;
     82 
     83 static SCSIRequest *scsi_new_request(SCSIDeviceState *s, uint32_t tag)
     84 {
     85     SCSIRequest *r;
     86 
     87     if (free_requests) {
     88         r = free_requests;
     89         free_requests = r->next;
     90     } else {
     91         r = qemu_malloc(sizeof(SCSIRequest));
     92         r->iov.iov_base = qemu_memalign(512, SCSI_DMA_BUF_SIZE);
     93     }
     94     r->dev = s;
     95     r->tag = tag;
     96     r->sector_count = 0;
     97     r->iov.iov_len = 0;
     98     r->aiocb = NULL;
     99     r->status = 0;
    100 
    101     r->next = s->requests;
    102     s->requests = r;
    103     return r;
    104 }
    105 
    106 static void scsi_remove_request(SCSIRequest *r)
    107 {
    108     SCSIRequest *last;
    109     SCSIDeviceState *s = r->dev;
    110 
    111     if (s->requests == r) {
    112         s->requests = r->next;
    113     } else {
    114         last = s->requests;
    115         while (last && last->next != r)
    116             last = last->next;
    117         if (last) {
    118             last->next = r->next;
    119         } else {
    120             BADF("Orphaned request\n");
    121         }
    122     }
    123     r->next = free_requests;
    124     free_requests = r;
    125 }
    126 
    127 static SCSIRequest *scsi_find_request(SCSIDeviceState *s, uint32_t tag)
    128 {
    129     SCSIRequest *r;
    130 
    131     r = s->requests;
    132     while (r && r->tag != tag)
    133         r = r->next;
    134 
    135     return r;
    136 }
    137 
    138 /* Helper function for command completion.  */
    139 static void scsi_command_complete(SCSIRequest *r, int status, int sense)
    140 {
    141     SCSIDeviceState *s = r->dev;
    142     uint32_t tag;
    143     DPRINTF("Command complete tag=0x%x status=%d sense=%d\n", r->tag, status, sense);
    144     s->sense = sense;
    145     tag = r->tag;
    146     scsi_remove_request(r);
    147     s->completion(s->opaque, SCSI_REASON_DONE, tag, status);
    148 }
    149 
    150 /* Cancel a pending data transfer.  */
    151 static void scsi_cancel_io(SCSIDevice *d, uint32_t tag)
    152 {
    153     SCSIDeviceState *s = d->state;
    154     SCSIRequest *r;
    155     DPRINTF("Cancel tag=0x%x\n", tag);
    156     r = scsi_find_request(s, tag);
    157     if (r) {
    158         if (r->aiocb)
    159             bdrv_aio_cancel(r->aiocb);
    160         r->aiocb = NULL;
    161         scsi_remove_request(r);
    162     }
    163 }
    164 
    165 static void scsi_read_complete(void * opaque, int ret)
    166 {
    167     SCSIRequest *r = (SCSIRequest *)opaque;
    168     SCSIDeviceState *s = r->dev;
    169 
    170     if (ret) {
    171         DPRINTF("IO error\n");
    172         s->completion(s->opaque, SCSI_REASON_DATA, r->tag, 0);
    173         scsi_command_complete(r, STATUS_CHECK_CONDITION, SENSE_NO_SENSE);
    174         return;
    175     }
    176     DPRINTF("Data ready tag=0x%x len=%d\n", r->tag, r->iov.iov_len);
    177 
    178     s->completion(s->opaque, SCSI_REASON_DATA, r->tag, r->iov.iov_len);
    179 }
    180 
    181 /* Read more data from scsi device into buffer.  */
    182 static void scsi_read_data(SCSIDevice *d, uint32_t tag)
    183 {
    184     SCSIDeviceState *s = d->state;
    185     SCSIRequest *r;
    186     uint32_t n;
    187 
    188     r = scsi_find_request(s, tag);
    189     if (!r) {
    190         BADF("Bad read tag 0x%x\n", tag);
    191         /* ??? This is the wrong error.  */
    192         scsi_command_complete(r, STATUS_CHECK_CONDITION, SENSE_HARDWARE_ERROR);
    193         return;
    194     }
    195     if (r->sector_count == (uint32_t)-1) {
    196         DPRINTF("Read buf_len=%d\n", r->iov.iov_len);
    197         r->sector_count = 0;
    198         s->completion(s->opaque, SCSI_REASON_DATA, r->tag, r->iov.iov_len);
    199         return;
    200     }
    201     DPRINTF("Read sector_count=%d\n", r->sector_count);
    202     if (r->sector_count == 0) {
    203         scsi_command_complete(r, STATUS_GOOD, SENSE_NO_SENSE);
    204         return;
    205     }
    206 
    207     n = r->sector_count;
    208     if (n > SCSI_DMA_BUF_SIZE / 512)
    209         n = SCSI_DMA_BUF_SIZE / 512;
    210 
    211     r->iov.iov_len = n * 512;
    212     qemu_iovec_init_external(&r->qiov, &r->iov, 1);
    213     r->aiocb = bdrv_aio_readv(s->bdrv, r->sector, &r->qiov, n,
    214                               scsi_read_complete, r);
    215     if (r->aiocb == NULL)
    216         scsi_command_complete(r, STATUS_CHECK_CONDITION, SENSE_HARDWARE_ERROR);
    217     r->sector += n;
    218     r->sector_count -= n;
    219 }
    220 
    221 static int scsi_handle_write_error(SCSIRequest *r, int error)
    222 {
    223     BlockErrorAction action = bdrv_get_on_error(r->dev->bdrv, 0);
    224 
    225     if (action == BLOCK_ERR_IGNORE)
    226         return 0;
    227 
    228     if ((error == ENOSPC && action == BLOCK_ERR_STOP_ENOSPC)
    229             || action == BLOCK_ERR_STOP_ANY) {
    230         r->status |= SCSI_REQ_STATUS_RETRY;
    231         vm_stop(0);
    232     } else {
    233         scsi_command_complete(r, STATUS_CHECK_CONDITION,
    234                 SENSE_HARDWARE_ERROR);
    235     }
    236 
    237     return 1;
    238 }
    239 
    240 static void scsi_write_complete(void * opaque, int ret)
    241 {
    242     SCSIRequest *r = (SCSIRequest *)opaque;
    243     SCSIDeviceState *s = r->dev;
    244     uint32_t len;
    245     uint32_t n;
    246 
    247     r->aiocb = NULL;
    248 
    249     if (ret) {
    250         if (scsi_handle_write_error(r, -ret))
    251             return;
    252     }
    253 
    254     n = r->iov.iov_len / 512;
    255     r->sector += n;
    256     r->sector_count -= n;
    257     if (r->sector_count == 0) {
    258         scsi_command_complete(r, STATUS_GOOD, SENSE_NO_SENSE);
    259     } else {
    260         len = r->sector_count * 512;
    261         if (len > SCSI_DMA_BUF_SIZE) {
    262             len = SCSI_DMA_BUF_SIZE;
    263         }
    264         r->iov.iov_len = len;
    265         DPRINTF("Write complete tag=0x%x more=%d\n", r->tag, len);
    266         s->completion(s->opaque, SCSI_REASON_DATA, r->tag, len);
    267     }
    268 }
    269 
    270 static void scsi_write_request(SCSIRequest *r)
    271 {
    272     SCSIDeviceState *s = r->dev;
    273     uint32_t n;
    274 
    275     n = r->iov.iov_len / 512;
    276     if (n) {
    277         qemu_iovec_init_external(&r->qiov, &r->iov, 1);
    278         r->aiocb = bdrv_aio_writev(s->bdrv, r->sector, &r->qiov, n,
    279                                    scsi_write_complete, r);
    280         if (r->aiocb == NULL)
    281             scsi_command_complete(r, STATUS_CHECK_CONDITION,
    282                                   SENSE_HARDWARE_ERROR);
    283     } else {
    284         /* Invoke completion routine to fetch data from host.  */
    285         scsi_write_complete(r, 0);
    286     }
    287 }
    288 
    289 /* Write data to a scsi device.  Returns nonzero on failure.
    290    The transfer may complete asynchronously.  */
    291 static int scsi_write_data(SCSIDevice *d, uint32_t tag)
    292 {
    293     SCSIDeviceState *s = d->state;
    294     SCSIRequest *r;
    295 
    296     DPRINTF("Write data tag=0x%x\n", tag);
    297     r = scsi_find_request(s, tag);
    298     if (!r) {
    299         BADF("Bad write tag 0x%x\n", tag);
    300         scsi_command_complete(r, STATUS_CHECK_CONDITION, SENSE_HARDWARE_ERROR);
    301         return 1;
    302     }
    303 
    304     if (r->aiocb)
    305         BADF("Data transfer already in progress\n");
    306 
    307     scsi_write_request(r);
    308 
    309     return 0;
    310 }
    311 
    312 static void scsi_dma_restart_cb(void *opaque, int running, int reason)
    313 {
    314     SCSIDeviceState *s = opaque;
    315     SCSIRequest *r = s->requests;
    316     if (!running)
    317         return;
    318 
    319     while (r) {
    320         if (r->status & SCSI_REQ_STATUS_RETRY) {
    321             r->status &= ~SCSI_REQ_STATUS_RETRY;
    322             scsi_write_request(r);
    323         }
    324         r = r->next;
    325     }
    326 }
    327 
    328 /* Return a pointer to the data buffer.  */
    329 static uint8_t *scsi_get_buf(SCSIDevice *d, uint32_t tag)
    330 {
    331     SCSIDeviceState *s = d->state;
    332     SCSIRequest *r;
    333 
    334     r = scsi_find_request(s, tag);
    335     if (!r) {
    336         BADF("Bad buffer tag 0x%x\n", tag);
    337         return NULL;
    338     }
    339     return (uint8_t *)r->iov.iov_base;
    340 }
    341 
    342 /* Execute a scsi command.  Returns the length of the data expected by the
    343    command.  This will be Positive for data transfers from the device
    344    (eg. disk reads), negative for transfers to the device (eg. disk writes),
    345    and zero if the command does not transfer any data.  */
    346 
    347 static int32_t scsi_send_command(SCSIDevice *d, uint32_t tag,
    348                                  uint8_t *buf, int lun)
    349 {
    350     SCSIDeviceState *s = d->state;
    351     uint64_t nb_sectors;
    352     uint64_t lba;
    353     uint32_t len;
    354     int cmdlen;
    355     int is_write;
    356     uint8_t command;
    357     uint8_t *outbuf;
    358     SCSIRequest *r;
    359 
    360     command = buf[0];
    361     r = scsi_find_request(s, tag);
    362     if (r) {
    363         BADF("Tag 0x%x already in use\n", tag);
    364         scsi_cancel_io(d, tag);
    365     }
    366     /* ??? Tags are not unique for different luns.  We only implement a
    367        single lun, so this should not matter.  */
    368     r = scsi_new_request(s, tag);
    369     outbuf = (uint8_t *)r->iov.iov_base;
    370     is_write = 0;
    371     DPRINTF("Command: lun=%d tag=0x%x data=0x%02x", lun, tag, buf[0]);
    372     switch (command >> 5) {
    373     case 0:
    374         lba = (uint64_t) buf[3] | ((uint64_t) buf[2] << 8) |
    375               (((uint64_t) buf[1] & 0x1f) << 16);
    376         len = buf[4];
    377         cmdlen = 6;
    378         break;
    379     case 1:
    380     case 2:
    381         lba = (uint64_t) buf[5] | ((uint64_t) buf[4] << 8) |
    382               ((uint64_t) buf[3] << 16) | ((uint64_t) buf[2] << 24);
    383         len = buf[8] | (buf[7] << 8);
    384         cmdlen = 10;
    385         break;
    386     case 4:
    387         lba = (uint64_t) buf[9] | ((uint64_t) buf[8] << 8) |
    388               ((uint64_t) buf[7] << 16) | ((uint64_t) buf[6] << 24) |
    389               ((uint64_t) buf[5] << 32) | ((uint64_t) buf[4] << 40) |
    390               ((uint64_t) buf[3] << 48) | ((uint64_t) buf[2] << 56);
    391         len = buf[13] | (buf[12] << 8) | (buf[11] << 16) | (buf[10] << 24);
    392         cmdlen = 16;
    393         break;
    394     case 5:
    395         lba = (uint64_t) buf[5] | ((uint64_t) buf[4] << 8) |
    396               ((uint64_t) buf[3] << 16) | ((uint64_t) buf[2] << 24);
    397         len = buf[9] | (buf[8] << 8) | (buf[7] << 16) | (buf[6] << 24);
    398         cmdlen = 12;
    399         break;
    400     default:
    401         BADF("Unsupported command length, command %x\n", command);
    402         goto fail;
    403     }
    404 #ifdef DEBUG_SCSI
    405     {
    406         int i;
    407         for (i = 1; i < cmdlen; i++) {
    408             printf(" 0x%02x", buf[i]);
    409         }
    410         printf("\n");
    411     }
    412 #endif
    413     if (lun || buf[1] >> 5) {
    414         /* Only LUN 0 supported.  */
    415         DPRINTF("Unimplemented LUN %d\n", lun ? lun : buf[1] >> 5);
    416         if (command != 0x03 && command != 0x12) /* REQUEST SENSE and INQUIRY */
    417             goto fail;
    418     }
    419     switch (command) {
    420     case 0x0:
    421 	DPRINTF("Test Unit Ready\n");
    422         if (!bdrv_is_inserted(s->bdrv))
    423             goto notready;
    424 	break;
    425     case 0x03:
    426         DPRINTF("Request Sense (len %d)\n", len);
    427         if (len < 4)
    428             goto fail;
    429         memset(outbuf, 0, 4);
    430         r->iov.iov_len = 4;
    431         if (s->sense == SENSE_NOT_READY && len >= 18) {
    432             memset(outbuf, 0, 18);
    433             r->iov.iov_len = 18;
    434             outbuf[7] = 10;
    435             /* asc 0x3a, ascq 0: Medium not present */
    436             outbuf[12] = 0x3a;
    437             outbuf[13] = 0;
    438         }
    439         outbuf[0] = 0xf0;
    440         outbuf[1] = 0;
    441         outbuf[2] = s->sense;
    442         break;
    443     case 0x12:
    444         DPRINTF("Inquiry (len %d)\n", len);
    445         if (buf[1] & 0x2) {
    446             /* Command support data - optional, not implemented */
    447             BADF("optional INQUIRY command support request not implemented\n");
    448             goto fail;
    449         }
    450         else if (buf[1] & 0x1) {
    451             /* Vital product data */
    452             uint8_t page_code = buf[2];
    453             if (len < 4) {
    454                 BADF("Error: Inquiry (EVPD[%02X]) buffer size %d is "
    455                      "less than 4\n", page_code, len);
    456                 goto fail;
    457             }
    458 
    459             switch (page_code) {
    460                 case 0x00:
    461                     {
    462                         /* Supported page codes, mandatory */
    463                         DPRINTF("Inquiry EVPD[Supported pages] "
    464                                 "buffer size %d\n", len);
    465 
    466                         r->iov.iov_len = 0;
    467 
    468                         if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) {
    469                             outbuf[r->iov.iov_len++] = 5;
    470                         } else {
    471                             outbuf[r->iov.iov_len++] = 0;
    472                         }
    473 
    474                         outbuf[r->iov.iov_len++] = 0x00; // this page
    475                         outbuf[r->iov.iov_len++] = 0x00;
    476                         outbuf[r->iov.iov_len++] = 3;    // number of pages
    477                         outbuf[r->iov.iov_len++] = 0x00; // list of supported pages (this page)
    478                         outbuf[r->iov.iov_len++] = 0x80; // unit serial number
    479                         outbuf[r->iov.iov_len++] = 0x83; // device identification
    480                     }
    481                     break;
    482                 case 0x80:
    483                     {
    484                         int l;
    485 
    486                         /* Device serial number, optional */
    487                         if (len < 4) {
    488                             BADF("Error: EVPD[Serial number] Inquiry buffer "
    489                                  "size %d too small, %d needed\n", len, 4);
    490                             goto fail;
    491                         }
    492 
    493                         DPRINTF("Inquiry EVPD[Serial number] buffer size %d\n", len);
    494                         l = MIN(len, strlen(s->drive_serial_str));
    495 
    496                         r->iov.iov_len = 0;
    497 
    498                         /* Supported page codes */
    499                         if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) {
    500                             outbuf[r->iov.iov_len++] = 5;
    501                         } else {
    502                             outbuf[r->iov.iov_len++] = 0;
    503                         }
    504 
    505                         outbuf[r->iov.iov_len++] = 0x80; // this page
    506                         outbuf[r->iov.iov_len++] = 0x00;
    507                         outbuf[r->iov.iov_len++] = l;
    508                         memcpy(&outbuf[r->iov.iov_len], s->drive_serial_str, l);
    509                         r->iov.iov_len += l;
    510                     }
    511 
    512                     break;
    513                 case 0x83:
    514                     {
    515                         /* Device identification page, mandatory */
    516                         int max_len = 255 - 8;
    517                         int id_len = strlen(bdrv_get_device_name(s->bdrv));
    518                         if (id_len > max_len)
    519                             id_len = max_len;
    520 
    521                         DPRINTF("Inquiry EVPD[Device identification] "
    522                                 "buffer size %d\n", len);
    523                         r->iov.iov_len = 0;
    524                         if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) {
    525                             outbuf[r->iov.iov_len++] = 5;
    526                         } else {
    527                             outbuf[r->iov.iov_len++] = 0;
    528                         }
    529 
    530                         outbuf[r->iov.iov_len++] = 0x83; // this page
    531                         outbuf[r->iov.iov_len++] = 0x00;
    532                         outbuf[r->iov.iov_len++] = 3 + id_len;
    533 
    534                         outbuf[r->iov.iov_len++] = 0x2; // ASCII
    535                         outbuf[r->iov.iov_len++] = 0;   // not officially assigned
    536                         outbuf[r->iov.iov_len++] = 0;   // reserved
    537                         outbuf[r->iov.iov_len++] = id_len; // length of data following
    538 
    539                         memcpy(&outbuf[r->iov.iov_len],
    540                                bdrv_get_device_name(s->bdrv), id_len);
    541                         r->iov.iov_len += id_len;
    542                     }
    543                     break;
    544                 default:
    545                     BADF("Error: unsupported Inquiry (EVPD[%02X]) "
    546                          "buffer size %d\n", page_code, len);
    547                     goto fail;
    548             }
    549             /* done with EVPD */
    550             break;
    551         }
    552         else {
    553             /* Standard INQUIRY data */
    554             if (buf[2] != 0) {
    555                 BADF("Error: Inquiry (STANDARD) page or code "
    556                      "is non-zero [%02X]\n", buf[2]);
    557                 goto fail;
    558             }
    559 
    560             /* PAGE CODE == 0 */
    561             if (len < 5) {
    562                 BADF("Error: Inquiry (STANDARD) buffer size %d "
    563                      "is less than 5\n", len);
    564                 goto fail;
    565             }
    566 
    567             if (len < 36) {
    568                 BADF("Error: Inquiry (STANDARD) buffer size %d "
    569                      "is less than 36 (TODO: only 5 required)\n", len);
    570             }
    571         }
    572 
    573         if(len > SCSI_MAX_INQUIRY_LEN)
    574             len = SCSI_MAX_INQUIRY_LEN;
    575 
    576         memset(outbuf, 0, len);
    577 
    578         if (lun || buf[1] >> 5) {
    579             outbuf[0] = 0x7f;	/* LUN not supported */
    580 	} else if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) {
    581 	    outbuf[0] = 5;
    582             outbuf[1] = 0x80;
    583 	    memcpy(&outbuf[16], "QEMU CD-ROM    ", 16);
    584 	} else {
    585 	    outbuf[0] = 0;
    586 	    memcpy(&outbuf[16], "QEMU HARDDISK  ", 16);
    587 	}
    588 	memcpy(&outbuf[8], "QEMU   ", 8);
    589         memcpy(&outbuf[32], QEMU_VERSION, 4);
    590         /* Identify device as SCSI-3 rev 1.
    591            Some later commands are also implemented. */
    592 	outbuf[2] = 3;
    593 	outbuf[3] = 2; /* Format 2 */
    594 	outbuf[4] = len - 5; /* Additional Length = (Len - 1) - 4 */
    595         /* Sync data transfer and TCQ.  */
    596         outbuf[7] = 0x10 | (s->tcq ? 0x02 : 0);
    597 	r->iov.iov_len = len;
    598 	break;
    599     case 0x16:
    600         DPRINTF("Reserve(6)\n");
    601         if (buf[1] & 1)
    602             goto fail;
    603         break;
    604     case 0x17:
    605         DPRINTF("Release(6)\n");
    606         if (buf[1] & 1)
    607             goto fail;
    608         break;
    609     case 0x1a:
    610     case 0x5a:
    611         {
    612             uint8_t *p;
    613             int page;
    614 
    615             page = buf[2] & 0x3f;
    616             DPRINTF("Mode Sense (page %d, len %d)\n", page, len);
    617             p = outbuf;
    618             memset(p, 0, 4);
    619             outbuf[1] = 0; /* Default media type.  */
    620             outbuf[3] = 0; /* Block descriptor length.  */
    621             if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) {
    622                 outbuf[2] = 0x80; /* Readonly.  */
    623             }
    624             p += 4;
    625             if (page == 4) {
    626                 int cylinders, heads, secs;
    627 
    628                 /* Rigid disk device geometry page. */
    629                 p[0] = 4;
    630                 p[1] = 0x16;
    631                 /* if a geometry hint is available, use it */
    632                 bdrv_get_geometry_hint(s->bdrv, &cylinders, &heads, &secs);
    633                 p[2] = (cylinders >> 16) & 0xff;
    634                 p[3] = (cylinders >> 8) & 0xff;
    635                 p[4] = cylinders & 0xff;
    636                 p[5] = heads & 0xff;
    637                 /* Write precomp start cylinder, disabled */
    638                 p[6] = (cylinders >> 16) & 0xff;
    639                 p[7] = (cylinders >> 8) & 0xff;
    640                 p[8] = cylinders & 0xff;
    641                 /* Reduced current start cylinder, disabled */
    642                 p[9] = (cylinders >> 16) & 0xff;
    643                 p[10] = (cylinders >> 8) & 0xff;
    644                 p[11] = cylinders & 0xff;
    645                 /* Device step rate [ns], 200ns */
    646                 p[12] = 0;
    647                 p[13] = 200;
    648                 /* Landing zone cylinder */
    649                 p[14] = 0xff;
    650                 p[15] =  0xff;
    651                 p[16] = 0xff;
    652                 /* Medium rotation rate [rpm], 5400 rpm */
    653                 p[20] = (5400 >> 8) & 0xff;
    654                 p[21] = 5400 & 0xff;
    655                 p += 0x16;
    656             } else if (page == 5) {
    657                 int cylinders, heads, secs;
    658 
    659                 /* Flexible disk device geometry page. */
    660                 p[0] = 5;
    661                 p[1] = 0x1e;
    662                 /* Transfer rate [kbit/s], 5Mbit/s */
    663                 p[2] = 5000 >> 8;
    664                 p[3] = 5000 & 0xff;
    665                 /* if a geometry hint is available, use it */
    666                 bdrv_get_geometry_hint(s->bdrv, &cylinders, &heads, &secs);
    667                 p[4] = heads & 0xff;
    668                 p[5] = secs & 0xff;
    669                 p[6] = s->cluster_size * 2;
    670                 p[8] = (cylinders >> 8) & 0xff;
    671                 p[9] = cylinders & 0xff;
    672                 /* Write precomp start cylinder, disabled */
    673                 p[10] = (cylinders >> 8) & 0xff;
    674                 p[11] = cylinders & 0xff;
    675                 /* Reduced current start cylinder, disabled */
    676                 p[12] = (cylinders >> 8) & 0xff;
    677                 p[13] = cylinders & 0xff;
    678                 /* Device step rate [100us], 100us */
    679                 p[14] = 0;
    680                 p[15] = 1;
    681                 /* Device step pulse width [us], 1us */
    682                 p[16] = 1;
    683                 /* Device head settle delay [100us], 100us */
    684                 p[17] = 0;
    685                 p[18] = 1;
    686                 /* Motor on delay [0.1s], 0.1s */
    687                 p[19] = 1;
    688                 /* Motor off delay [0.1s], 0.1s */
    689                 p[20] = 1;
    690                 /* Medium rotation rate [rpm], 5400 rpm */
    691                 p[28] = (5400 >> 8) & 0xff;
    692                 p[29] = 5400 & 0xff;
    693                 p += 0x1e;
    694             } else if ((page == 8 || page == 0x3f)) {
    695                 /* Caching page.  */
    696                 memset(p,0,20);
    697                 p[0] = 8;
    698                 p[1] = 0x12;
    699                 p[2] = 4; /* WCE */
    700                 p += 20;
    701             }
    702             if ((page == 0x3f || page == 0x2a)
    703                     && (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM)) {
    704                 /* CD Capabilities and Mechanical Status page. */
    705                 p[0] = 0x2a;
    706                 p[1] = 0x14;
    707                 p[2] = 3; // CD-R & CD-RW read
    708                 p[3] = 0; // Writing not supported
    709                 p[4] = 0x7f; /* Audio, composite, digital out,
    710                                          mode 2 form 1&2, multi session */
    711                 p[5] = 0xff; /* CD DA, DA accurate, RW supported,
    712                                          RW corrected, C2 errors, ISRC,
    713                                          UPC, Bar code */
    714                 p[6] = 0x2d | (bdrv_is_locked(s->bdrv)? 2 : 0);
    715                 /* Locking supported, jumper present, eject, tray */
    716                 p[7] = 0; /* no volume & mute control, no
    717                                       changer */
    718                 p[8] = (50 * 176) >> 8; // 50x read speed
    719                 p[9] = (50 * 176) & 0xff;
    720                 p[10] = 0 >> 8; // No volume
    721                 p[11] = 0 & 0xff;
    722                 p[12] = 2048 >> 8; // 2M buffer
    723                 p[13] = 2048 & 0xff;
    724                 p[14] = (16 * 176) >> 8; // 16x read speed current
    725                 p[15] = (16 * 176) & 0xff;
    726                 p[18] = (16 * 176) >> 8; // 16x write speed
    727                 p[19] = (16 * 176) & 0xff;
    728                 p[20] = (16 * 176) >> 8; // 16x write speed current
    729                 p[21] = (16 * 176) & 0xff;
    730                 p += 22;
    731             }
    732             r->iov.iov_len = p - outbuf;
    733             outbuf[0] = r->iov.iov_len - 4;
    734             if (r->iov.iov_len > len)
    735                 r->iov.iov_len = len;
    736         }
    737         break;
    738     case 0x1b:
    739         DPRINTF("Start Stop Unit\n");
    740         if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM &&
    741             (buf[4] & 2))
    742             /* load/eject medium */
    743             bdrv_eject(s->bdrv, !(buf[4] & 1));
    744 	break;
    745     case 0x1e:
    746         DPRINTF("Prevent Allow Medium Removal (prevent = %d)\n", buf[4] & 3);
    747         bdrv_set_locked(s->bdrv, buf[4] & 1);
    748 	break;
    749     case 0x25:
    750 	DPRINTF("Read Capacity\n");
    751         /* The normal LEN field for this command is zero.  */
    752 	memset(outbuf, 0, 8);
    753 	bdrv_get_geometry(s->bdrv, &nb_sectors);
    754         nb_sectors /= s->cluster_size;
    755         /* Returned value is the address of the last sector.  */
    756         if (nb_sectors) {
    757             nb_sectors--;
    758             /* Remember the new size for read/write sanity checking. */
    759             s->max_lba = nb_sectors;
    760             /* Clip to 2TB, instead of returning capacity modulo 2TB. */
    761             if (nb_sectors > UINT32_MAX)
    762                 nb_sectors = UINT32_MAX;
    763             outbuf[0] = (nb_sectors >> 24) & 0xff;
    764             outbuf[1] = (nb_sectors >> 16) & 0xff;
    765             outbuf[2] = (nb_sectors >> 8) & 0xff;
    766             outbuf[3] = nb_sectors & 0xff;
    767             outbuf[4] = 0;
    768             outbuf[5] = 0;
    769             outbuf[6] = s->cluster_size * 2;
    770             outbuf[7] = 0;
    771             r->iov.iov_len = 8;
    772         } else {
    773         notready:
    774             scsi_command_complete(r, STATUS_CHECK_CONDITION, SENSE_NOT_READY);
    775             return 0;
    776         }
    777 	break;
    778     case 0x08:
    779     case 0x28:
    780     case 0x88:
    781         DPRINTF("Read (sector %lld, count %d)\n", lba, len);
    782         if (lba > s->max_lba)
    783             goto illegal_lba;
    784         r->sector = lba * s->cluster_size;
    785         r->sector_count = len * s->cluster_size;
    786         break;
    787     case 0x0a:
    788     case 0x2a:
    789     case 0x8a:
    790         DPRINTF("Write (sector %lld, count %d)\n", lba, len);
    791         if (lba > s->max_lba)
    792             goto illegal_lba;
    793         r->sector = lba * s->cluster_size;
    794         r->sector_count = len * s->cluster_size;
    795         is_write = 1;
    796         break;
    797     case 0x35:
    798         DPRINTF("Synchronise cache (sector %d, count %d)\n", lba, len);
    799         bdrv_flush(s->bdrv);
    800         break;
    801     case 0x43:
    802         {
    803             int start_track, format, msf, toclen;
    804 
    805             msf = buf[1] & 2;
    806             format = buf[2] & 0xf;
    807             start_track = buf[6];
    808             bdrv_get_geometry(s->bdrv, &nb_sectors);
    809             DPRINTF("Read TOC (track %d format %d msf %d)\n", start_track, format, msf >> 1);
    810             nb_sectors /= s->cluster_size;
    811             switch(format) {
    812             case 0:
    813                 toclen = cdrom_read_toc(nb_sectors, outbuf, msf, start_track);
    814                 break;
    815             case 1:
    816                 /* multi session : only a single session defined */
    817                 toclen = 12;
    818                 memset(outbuf, 0, 12);
    819                 outbuf[1] = 0x0a;
    820                 outbuf[2] = 0x01;
    821                 outbuf[3] = 0x01;
    822                 break;
    823             case 2:
    824                 toclen = cdrom_read_toc_raw(nb_sectors, outbuf, msf, start_track);
    825                 break;
    826             default:
    827                 goto error_cmd;
    828             }
    829             if (toclen > 0) {
    830                 if (len > toclen)
    831                   len = toclen;
    832                 r->iov.iov_len = len;
    833                 break;
    834             }
    835         error_cmd:
    836             DPRINTF("Read TOC error\n");
    837             goto fail;
    838         }
    839     case 0x46:
    840         DPRINTF("Get Configuration (rt %d, maxlen %d)\n", buf[1] & 3, len);
    841         memset(outbuf, 0, 8);
    842         /* ??? This should probably return much more information.  For now
    843            just return the basic header indicating the CD-ROM profile.  */
    844         outbuf[7] = 8; // CD-ROM
    845         r->iov.iov_len = 8;
    846         break;
    847     case 0x56:
    848         DPRINTF("Reserve(10)\n");
    849         if (buf[1] & 3)
    850             goto fail;
    851         break;
    852     case 0x57:
    853         DPRINTF("Release(10)\n");
    854         if (buf[1] & 3)
    855             goto fail;
    856         break;
    857     case 0x9e:
    858         /* Service Action In subcommands. */
    859         if ((buf[1] & 31) == 0x10) {
    860             DPRINTF("SAI READ CAPACITY(16)\n");
    861             memset(outbuf, 0, len);
    862             bdrv_get_geometry(s->bdrv, &nb_sectors);
    863             nb_sectors /= s->cluster_size;
    864             /* Returned value is the address of the last sector.  */
    865             if (nb_sectors) {
    866                 nb_sectors--;
    867                 /* Remember the new size for read/write sanity checking. */
    868                 s->max_lba = nb_sectors;
    869                 outbuf[0] = (nb_sectors >> 56) & 0xff;
    870                 outbuf[1] = (nb_sectors >> 48) & 0xff;
    871                 outbuf[2] = (nb_sectors >> 40) & 0xff;
    872                 outbuf[3] = (nb_sectors >> 32) & 0xff;
    873                 outbuf[4] = (nb_sectors >> 24) & 0xff;
    874                 outbuf[5] = (nb_sectors >> 16) & 0xff;
    875                 outbuf[6] = (nb_sectors >> 8) & 0xff;
    876                 outbuf[7] = nb_sectors & 0xff;
    877                 outbuf[8] = 0;
    878                 outbuf[9] = 0;
    879                 outbuf[10] = s->cluster_size * 2;
    880                 outbuf[11] = 0;
    881                 /* Protection, exponent and lowest lba field left blank. */
    882                 r->iov.iov_len = len;
    883             } else {
    884                 scsi_command_complete(r, STATUS_CHECK_CONDITION, SENSE_NOT_READY);
    885                 return 0;
    886             }
    887             break;
    888         }
    889         DPRINTF("Unsupported Service Action In\n");
    890         goto fail;
    891     case 0xa0:
    892         DPRINTF("Report LUNs (len %d)\n", len);
    893         if (len < 16)
    894             goto fail;
    895         memset(outbuf, 0, 16);
    896         outbuf[3] = 8;
    897         r->iov.iov_len = 16;
    898         break;
    899     case 0x2f:
    900         DPRINTF("Verify (sector %d, count %d)\n", lba, len);
    901         break;
    902     default:
    903 	DPRINTF("Unknown SCSI command (%2.2x)\n", buf[0]);
    904     fail:
    905         scsi_command_complete(r, STATUS_CHECK_CONDITION, SENSE_ILLEGAL_REQUEST);
    906 	return 0;
    907     illegal_lba:
    908         scsi_command_complete(r, STATUS_CHECK_CONDITION, SENSE_HARDWARE_ERROR);
    909         return 0;
    910     }
    911     if (r->sector_count == 0 && r->iov.iov_len == 0) {
    912         scsi_command_complete(r, STATUS_GOOD, SENSE_NO_SENSE);
    913     }
    914     len = r->sector_count * 512 + r->iov.iov_len;
    915     if (is_write) {
    916         return -len;
    917     } else {
    918         if (!r->sector_count)
    919             r->sector_count = -1;
    920         return len;
    921     }
    922 }
    923 
    924 static void scsi_destroy(SCSIDevice *d)
    925 {
    926     qemu_free(d->state);
    927     qemu_free(d);
    928 }
    929 
    930 SCSIDevice *scsi_disk_init(BlockDriverState *bdrv, int tcq,
    931                            scsi_completionfn completion, void *opaque)
    932 {
    933     SCSIDevice *d;
    934     SCSIDeviceState *s;
    935     uint64_t nb_sectors;
    936 
    937     s = (SCSIDeviceState *)qemu_mallocz(sizeof(SCSIDeviceState));
    938     s->bdrv = bdrv;
    939     s->tcq = tcq;
    940     s->completion = completion;
    941     s->opaque = opaque;
    942     if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) {
    943         s->cluster_size = 4;
    944     } else {
    945         s->cluster_size = 1;
    946     }
    947     bdrv_get_geometry(s->bdrv, &nb_sectors);
    948     nb_sectors /= s->cluster_size;
    949     if (nb_sectors)
    950         nb_sectors--;
    951     s->max_lba = nb_sectors;
    952 #if 0
    953     strncpy(s->drive_serial_str, drive_get_serial(s->bdrv),
    954             sizeof(s->drive_serial_str));
    955     if (strlen(s->drive_serial_str) == 0)
    956 #endif
    957         pstrcpy(s->drive_serial_str, sizeof(s->drive_serial_str), "0");
    958     qemu_add_vm_change_state_handler(scsi_dma_restart_cb, s);
    959     d = (SCSIDevice *)qemu_mallocz(sizeof(SCSIDevice));
    960     d->state = s;
    961     d->destroy = scsi_destroy;
    962     d->send_command = scsi_send_command;
    963     d->read_data = scsi_read_data;
    964     d->write_data = scsi_write_data;
    965     d->cancel_io = scsi_cancel_io;
    966     d->get_buf = scsi_get_buf;
    967 
    968     return d;
    969 }
    970