search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix 32-bit overflow in parallels image support
[qemu-kvm/fedora.git] / hw / scsi-disk.c
blob5b825c9f79129ed94e9accc588f39b9e4e209b55
1 /*
2 * SCSI Device emulation
3 *
4 * Copyright (c) 2006 CodeSourcery.
5 * Based on code by Fabrice Bellard
6 *
7 * Written by Paul Brook
8 *
9 * This code is licenced under the LGPL.
10 *
11 * Note that this file only handles the SCSI architecture model and device
12 * commands. Emulation of interface/link layer protocols is handled by
13 * the host adapter emulator.
14 */
15
16 #include <qemu-common.h>
17 #include <sysemu.h>
18 //#define DEBUG_SCSI
19
20 #ifdef DEBUG_SCSI
21 #define DPRINTF(fmt, ...) \
22 do { printf("scsi-disk: " fmt , ## __VA_ARGS__); } while (0)
23 #else
24 #define DPRINTF(fmt, ...) do {} while(0)
25 #endif
26
27 #define BADF(fmt, ...) \
28 do { fprintf(stderr, "scsi-disk: " fmt , ## __VA_ARGS__); } while (0)
29
30 #include "qemu-common.h"
31 #include "block.h"
32 #include "scsi-disk.h"
33
34 #define SENSE_NO_SENSE 0
35 #define SENSE_NOT_READY 2
36 #define SENSE_HARDWARE_ERROR 4
37 #define SENSE_ILLEGAL_REQUEST 5
38
39 #define STATUS_GOOD 0
40 #define STATUS_CHECK_CONDITION 2
41
42 #define SCSI_DMA_BUF_SIZE 131072
43 #define SCSI_MAX_INQUIRY_LEN 256
44
45 #define SCSI_REQ_STATUS_RETRY 0x01
46
47 typedef struct SCSIRequest {
48 SCSIDeviceState *dev;
49 uint32_t tag;
50 /* ??? We should probably keep track of whether the data transfer is
51 a read or a write. Currently we rely on the host getting it right. */
52 /* Both sector and sector_count are in terms of qemu 512 byte blocks. */
53 uint64_t sector;
54 uint32_t sector_count;
55 struct iovec iov;
56 QEMUIOVector qiov;
57 BlockDriverAIOCB *aiocb;
58 struct SCSIRequest *next;
59 uint32_t status;
60 } SCSIRequest;
61
62 struct SCSIDeviceState
63 {
64 BlockDriverState *bdrv;
65 SCSIRequest *requests;
66 /* The qemu block layer uses a fixed 512 byte sector size.
67 This is the number of 512 byte blocks in a single scsi sector. */
68 int cluster_size;
69 uint64_t max_lba;
70 int sense;
71 int tcq;
72 /* Completion functions may be called from either scsi_{read,write}_data
73 or from the AIO completion routines. */
74 scsi_completionfn completion;
75 void *opaque;
76 char drive_serial_str[21];
77 QEMUBH *bh;
78 };
79
80 /* Global pool of SCSIRequest structures. */
81 static SCSIRequest *free_requests = NULL;
82
83 static SCSIRequest *scsi_new_request(SCSIDeviceState *s, uint32_t tag)
84 {
85 SCSIRequest *r;
86
87 if (free_requests) {
88 r = free_requests;
89 free_requests = r->next;
90 } else {
91 r = qemu_malloc(sizeof(SCSIRequest));
92 r->iov.iov_base = qemu_memalign(512, SCSI_DMA_BUF_SIZE);
93 }
94 r->dev = s;
95 r->tag = tag;
96 r->sector_count = 0;
97 r->iov.iov_len = 0;
98 r->aiocb = NULL;
99 r->status = 0;
100
101 r->next = s->requests;
102 s->requests = r;
103 return r;
104 }
105
106 static void scsi_remove_request(SCSIRequest *r)
107 {
108 SCSIRequest *last;
109 SCSIDeviceState *s = r->dev;
110
111 if (s->requests == r) {
112 s->requests = r->next;
113 } else {
114 last = s->requests;
115 while (last && last->next != r)
116 last = last->next;
117 if (last) {
118 last->next = r->next;
119 } else {
120 BADF("Orphaned request\n");
121 }
122 }
123 r->next = free_requests;
124 free_requests = r;
125 }
126
127 static SCSIRequest *scsi_find_request(SCSIDeviceState *s, uint32_t tag)
128 {
129 SCSIRequest *r;
130
131 r = s->requests;
132 while (r && r->tag != tag)
133 r = r->next;
134
135 return r;
136 }
137
138 /* Helper function for command completion. */
139 static void scsi_command_complete(SCSIRequest *r, int status, int sense)
140 {
141 SCSIDeviceState *s = r->dev;
142 uint32_t tag;
143 DPRINTF("Command complete tag=0x%x status=%d sense=%d\n", r->tag, status, sense);
144 s->sense = sense;
145 tag = r->tag;
146 scsi_remove_request(r);
147 s->completion(s->opaque, SCSI_REASON_DONE, tag, status);
148 }
149
150 /* Cancel a pending data transfer. */
151 static void scsi_cancel_io(SCSIDevice *d, uint32_t tag)
152 {
153 SCSIDeviceState *s = d->state;
154 SCSIRequest *r;
155 DPRINTF("Cancel tag=0x%x\n", tag);
156 r = scsi_find_request(s, tag);
157 if (r) {
158 if (r->aiocb)
159 bdrv_aio_cancel(r->aiocb);
160 r->aiocb = NULL;
161 scsi_remove_request(r);
162 }
163 }
164
165 static void scsi_read_complete(void * opaque, int ret)
166 {
167 SCSIRequest *r = (SCSIRequest *)opaque;
168 SCSIDeviceState *s = r->dev;
169
170 if (ret) {
171 DPRINTF("IO error\n");
172 s->completion(s->opaque, SCSI_REASON_DATA, r->tag, 0);
173 scsi_command_complete(r, STATUS_CHECK_CONDITION, SENSE_NO_SENSE);
174 return;
175 }
176 DPRINTF("Data ready tag=0x%x len=%" PRId64 "\n", r->tag, r->iov.iov_len);
177
178 s->completion(s->opaque, SCSI_REASON_DATA, r->tag, r->iov.iov_len);
179 }
180
181 /* Read more data from scsi device into buffer. */
182 static void scsi_read_data(SCSIDevice *d, uint32_t tag)
183 {
184 SCSIDeviceState *s = d->state;
185 SCSIRequest *r;
186 uint32_t n;
187
188 r = scsi_find_request(s, tag);
189 if (!r) {
190 BADF("Bad read tag 0x%x\n", tag);
191 /* ??? This is the wrong error. */
192 scsi_command_complete(r, STATUS_CHECK_CONDITION, SENSE_HARDWARE_ERROR);
193 return;
194 }
195 if (r->sector_count == (uint32_t)-1) {
196 DPRINTF("Read buf_len=%" PRId64 "\n", r->iov.iov_len);
197 r->sector_count = 0;
198 s->completion(s->opaque, SCSI_REASON_DATA, r->tag, r->iov.iov_len);
199 return;
200 }
201 DPRINTF("Read sector_count=%d\n", r->sector_count);
202 if (r->sector_count == 0) {
203 scsi_command_complete(r, STATUS_GOOD, SENSE_NO_SENSE);
204 return;
205 }
206
207 n = r->sector_count;
208 if (n > SCSI_DMA_BUF_SIZE / 512)
209 n = SCSI_DMA_BUF_SIZE / 512;
210
211 r->iov.iov_len = n * 512;
212 qemu_iovec_init_external(&r->qiov, &r->iov, 1);
213 r->aiocb = bdrv_aio_readv(s->bdrv, r->sector, &r->qiov, n,
214 scsi_read_complete, r);
215 if (r->aiocb == NULL)
216 scsi_command_complete(r, STATUS_CHECK_CONDITION, SENSE_HARDWARE_ERROR);
217 r->sector += n;
218 r->sector_count -= n;
219 }
220
221 static int scsi_handle_write_error(SCSIRequest *r, int error)
222 {
223 BlockInterfaceErrorAction action = drive_get_onerror(r->dev->bdrv);
224
225 if (action == BLOCK_ERR_IGNORE)
226 return 0;
227
228 if ((error == ENOSPC && action == BLOCK_ERR_STOP_ENOSPC)
229 || action == BLOCK_ERR_STOP_ANY) {
230 r->status |= SCSI_REQ_STATUS_RETRY;
231 vm_stop(0);
232 } else {
233 scsi_command_complete(r, STATUS_CHECK_CONDITION,
234 SENSE_HARDWARE_ERROR);
235 }
236
237 return 1;
238 }
239
240 static void scsi_write_complete(void * opaque, int ret)
241 {
242 SCSIRequest *r = (SCSIRequest *)opaque;
243 SCSIDeviceState *s = r->dev;
244 uint32_t len;
245 uint32_t n;
246
247 r->aiocb = NULL;
248
249 if (ret) {
250 if (scsi_handle_write_error(r, -ret))
251 return;
252 }
253
254 n = r->iov.iov_len / 512;
255 r->sector += n;
256 r->sector_count -= n;
257 if (r->sector_count == 0) {
258 scsi_command_complete(r, STATUS_GOOD, SENSE_NO_SENSE);
259 } else {
260 len = r->sector_count * 512;
261 if (len > SCSI_DMA_BUF_SIZE) {
262 len = SCSI_DMA_BUF_SIZE;
263 }
264 r->iov.iov_len = len;
265 DPRINTF("Write complete tag=0x%x more=%d\n", r->tag, len);
266 s->completion(s->opaque, SCSI_REASON_DATA, r->tag, len);
267 }
268 }
269
270 static void scsi_write_request(SCSIRequest *r)
271 {
272 SCSIDeviceState *s = r->dev;
273 uint32_t n;
274
275 n = r->iov.iov_len / 512;
276 if (n) {
277 qemu_iovec_init_external(&r->qiov, &r->iov, 1);
278 r->aiocb = bdrv_aio_writev(s->bdrv, r->sector, &r->qiov, n,
279 scsi_write_complete, r);
280 if (r->aiocb == NULL)
281 scsi_command_complete(r, STATUS_CHECK_CONDITION,
282 SENSE_HARDWARE_ERROR);
283 } else {
284 /* Invoke completion routine to fetch data from host. */
285 scsi_write_complete(r, 0);
286 }
287 }
288
289 /* Write data to a scsi device. Returns nonzero on failure.
290 The transfer may complete asynchronously. */
291 static int scsi_write_data(SCSIDevice *d, uint32_t tag)
292 {
293 SCSIDeviceState *s = d->state;
294 SCSIRequest *r;
295
296 DPRINTF("Write data tag=0x%x\n", tag);
297 r = scsi_find_request(s, tag);
298 if (!r) {
299 BADF("Bad write tag 0x%x\n", tag);
300 scsi_command_complete(r, STATUS_CHECK_CONDITION, SENSE_HARDWARE_ERROR);
301 return 1;
302 }
303
304 if (r->aiocb)
305 BADF("Data transfer already in progress\n");
306
307 scsi_write_request(r);
308
309 return 0;
310 }
311
312 static void scsi_dma_restart_bh(void *opaque)
313 {
314 SCSIDeviceState *s = opaque;
315 SCSIRequest *r = s->requests;
316
317 qemu_bh_delete(s->bh);
318 s->bh = NULL;
319
320 while (r) {
321 if (r->status & SCSI_REQ_STATUS_RETRY) {
322 r->status &= ~SCSI_REQ_STATUS_RETRY;
323 scsi_write_request(r);
324 }
325 r = r->next;
326 }
327 }
328
329 static void scsi_dma_restart_cb(void *opaque, int running, int reason)
330 {
331 SCSIDeviceState *s = opaque;
332
333 if (!running)
334 return;
335
336 if (!s->bh) {
337 s->bh = qemu_bh_new(scsi_dma_restart_bh, s);
338 qemu_bh_schedule(s->bh);
339 }
340 }
341
342 /* Return a pointer to the data buffer. */
343 static uint8_t *scsi_get_buf(SCSIDevice *d, uint32_t tag)
344 {
345 SCSIDeviceState *s = d->state;
346 SCSIRequest *r;
347
348 r = scsi_find_request(s, tag);
349 if (!r) {
350 BADF("Bad buffer tag 0x%x\n", tag);
351 return NULL;
352 }
353 return (uint8_t *)r->iov.iov_base;
354 }
355
356 /* Execute a scsi command. Returns the length of the data expected by the
357 command. This will be Positive for data transfers from the device
358 (eg. disk reads), negative for transfers to the device (eg. disk writes),
359 and zero if the command does not transfer any data. */
360
361 static int32_t scsi_send_command(SCSIDevice *d, uint32_t tag,
362 uint8_t *buf, int lun)
363 {
364 SCSIDeviceState *s = d->state;
365 uint64_t nb_sectors;
366 uint64_t lba;
367 uint32_t len;
368 int cmdlen;
369 int is_write;
370 uint8_t command;
371 uint8_t *outbuf;
372 SCSIRequest *r;
373
374 command = buf[0];
375 r = scsi_find_request(s, tag);
376 if (r) {
377 BADF("Tag 0x%x already in use\n", tag);
378 scsi_cancel_io(d, tag);
379 }
380 /* ??? Tags are not unique for different luns. We only implement a
381 single lun, so this should not matter. */
382 r = scsi_new_request(s, tag);
383 outbuf = (uint8_t *)r->iov.iov_base;
384 is_write = 0;
385 DPRINTF("Command: lun=%d tag=0x%x data=0x%02x", lun, tag, buf[0]);
386 switch (command >> 5) {
387 case 0:
388 lba = (uint64_t) buf[3] | ((uint64_t) buf[2] << 8) |
389 (((uint64_t) buf[1] & 0x1f) << 16);
390 len = buf[4];
391 cmdlen = 6;
392 break;
393 case 1:
394 case 2:
395 lba = (uint64_t) buf[5] | ((uint64_t) buf[4] << 8) |
396 ((uint64_t) buf[3] << 16) | ((uint64_t) buf[2] << 24);
397 len = buf[8] | (buf[7] << 8);
398 cmdlen = 10;
399 break;
400 case 4:
401 lba = (uint64_t) buf[9] | ((uint64_t) buf[8] << 8) |
402 ((uint64_t) buf[7] << 16) | ((uint64_t) buf[6] << 24) |
403 ((uint64_t) buf[5] << 32) | ((uint64_t) buf[4] << 40) |
404 ((uint64_t) buf[3] << 48) | ((uint64_t) buf[2] << 56);
405 len = buf[13] | (buf[12] << 8) | (buf[11] << 16) | (buf[10] << 24);
406 cmdlen = 16;
407 break;
408 case 5:
409 lba = (uint64_t) buf[5] | ((uint64_t) buf[4] << 8) |
410 ((uint64_t) buf[3] << 16) | ((uint64_t) buf[2] << 24);
411 len = buf[9] | (buf[8] << 8) | (buf[7] << 16) | (buf[6] << 24);
412 cmdlen = 12;
413 break;
414 default:
415 BADF("Unsupported command length, command %x\n", command);
416 goto fail;
417 }
418 #ifdef DEBUG_SCSI
419 {
420 int i;
421 for (i = 1; i < cmdlen; i++) {
422 printf(" 0x%02x", buf[i]);
423 }
424 printf("\n");
425 }
426 #endif
427 if (lun || buf[1] >> 5) {
428 /* Only LUN 0 supported. */
429 DPRINTF("Unimplemented LUN %d\n", lun ? lun : buf[1] >> 5);
430 if (command != 0x03 && command != 0x12) /* REQUEST SENSE and INQUIRY */
431 goto fail;
432 }
433 switch (command) {
434 case 0x0:
435 DPRINTF("Test Unit Ready\n");
436 if (!bdrv_is_inserted(s->bdrv))
437 goto notready;
438 break;
439 case 0x03:
440 DPRINTF("Request Sense (len %d)\n", len);
441 if (len < 4)
442 goto fail;
443 memset(outbuf, 0, 4);
444 r->iov.iov_len = 4;
445 if (s->sense == SENSE_NOT_READY && len >= 18) {
446 memset(outbuf, 0, 18);
447 r->iov.iov_len = 18;
448 outbuf[7] = 10;
449 /* asc 0x3a, ascq 0: Medium not present */
450 outbuf[12] = 0x3a;
451 outbuf[13] = 0;
452 }
453 outbuf[0] = 0xf0;
454 outbuf[1] = 0;
455 outbuf[2] = s->sense;
456 break;
457 case 0x12:
458 DPRINTF("Inquiry (len %d)\n", len);
459 if (buf[1] & 0x2) {
460 /* Command support data - optional, not implemented */
461 BADF("optional INQUIRY command support request not implemented\n");
462 goto fail;
463 }
464 else if (buf[1] & 0x1) {
465 /* Vital product data */
466 uint8_t page_code = buf[2];
467 if (len < 4) {
468 BADF("Error: Inquiry (EVPD[%02X]) buffer size %d is "
469 "less than 4\n", page_code, len);
470 goto fail;
471 }
472
473 switch (page_code) {
474 case 0x00:
475 {
476 /* Supported page codes, mandatory */
477 DPRINTF("Inquiry EVPD[Supported pages] "
478 "buffer size %d\n", len);
479
480 r->iov.iov_len = 0;
481
482 if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) {
483 outbuf[r->iov.iov_len++] = 5;
484 } else {
485 outbuf[r->iov.iov_len++] = 0;
486 }
487
488 outbuf[r->iov.iov_len++] = 0x00; // this page
489 outbuf[r->iov.iov_len++] = 0x00;
490 outbuf[r->iov.iov_len++] = 3; // number of pages
491 outbuf[r->iov.iov_len++] = 0x00; // list of supported pages (this page)
492 outbuf[r->iov.iov_len++] = 0x80; // unit serial number
493 outbuf[r->iov.iov_len++] = 0x83; // device identification
494 }
495 break;
496 case 0x80:
497 {
498 int l;
499
500 /* Device serial number, optional */
501 if (len < 4) {
502 BADF("Error: EVPD[Serial number] Inquiry buffer "
503 "size %d too small, %d needed\n", len, 4);
504 goto fail;
505 }
506
507 DPRINTF("Inquiry EVPD[Serial number] buffer size %d\n", len);
508 l = MIN(len, strlen(s->drive_serial_str));
509
510 r->iov.iov_len = 0;
511
512 /* Supported page codes */
513 if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) {
514 outbuf[r->iov.iov_len++] = 5;
515 } else {
516 outbuf[r->iov.iov_len++] = 0;
517 }
518
519 outbuf[r->iov.iov_len++] = 0x80; // this page
520 outbuf[r->iov.iov_len++] = 0x00;
521 outbuf[r->iov.iov_len++] = l;
522 memcpy(&outbuf[r->iov.iov_len], s->drive_serial_str, l);
523 r->iov.iov_len += l;
524 }
525
526 break;
527 case 0x83:
528 {
529 /* Device identification page, mandatory */
530 int max_len = 255 - 8;
531 int id_len = strlen(bdrv_get_device_name(s->bdrv));
532 if (id_len > max_len)
533 id_len = max_len;
534
535 DPRINTF("Inquiry EVPD[Device identification] "
536 "buffer size %d\n", len);
537 r->iov.iov_len = 0;
538 if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) {
539 outbuf[r->iov.iov_len++] = 5;
540 } else {
541 outbuf[r->iov.iov_len++] = 0;
542 }
543
544 outbuf[r->iov.iov_len++] = 0x83; // this page
545 outbuf[r->iov.iov_len++] = 0x00;
546 outbuf[r->iov.iov_len++] = 3 + id_len;
547
548 outbuf[r->iov.iov_len++] = 0x2; // ASCII
549 outbuf[r->iov.iov_len++] = 0; // not officially assigned
550 outbuf[r->iov.iov_len++] = 0; // reserved
551 outbuf[r->iov.iov_len++] = id_len; // length of data following
552
553 memcpy(&outbuf[r->iov.iov_len],
554 bdrv_get_device_name(s->bdrv), id_len);
555 r->iov.iov_len += id_len;
556 }
557 break;
558 default:
559 BADF("Error: unsupported Inquiry (EVPD[%02X]) "
560 "buffer size %d\n", page_code, len);
561 goto fail;
562 }
563 /* done with EVPD */
564 break;
565 }
566 else {
567 /* Standard INQUIRY data */
568 if (buf[2] != 0) {
569 BADF("Error: Inquiry (STANDARD) page or code "
570 "is non-zero [%02X]\n", buf[2]);
571 goto fail;
572 }
573
574 /* PAGE CODE == 0 */
575 if (len < 5) {
576 BADF("Error: Inquiry (STANDARD) buffer size %d "
577 "is less than 5\n", len);
578 goto fail;
579 }
580
581 if (len < 36) {
582 BADF("Error: Inquiry (STANDARD) buffer size %d "
583 "is less than 36 (TODO: only 5 required)\n", len);
584 }
585 }
586
587 if(len > SCSI_MAX_INQUIRY_LEN)
588 len = SCSI_MAX_INQUIRY_LEN;
589
590 memset(outbuf, 0, len);
591
592 if (lun || buf[1] >> 5) {
593 outbuf[0] = 0x7f; /* LUN not supported */
594 } else if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) {
595 outbuf[0] = 5;
596 outbuf[1] = 0x80;
597 memcpy(&outbuf[16], "QEMU CD-ROM ", 16);
598 } else {
599 outbuf[0] = 0;
600 memcpy(&outbuf[16], "QEMU HARDDISK ", 16);
601 }
602 memcpy(&outbuf[8], "QEMU ", 8);
603 memcpy(&outbuf[32], QEMU_VERSION, 4);
604 /* Identify device as SCSI-3 rev 1.
605 Some later commands are also implemented. */
606 outbuf[2] = 3;
607 outbuf[3] = 2; /* Format 2 */
608 outbuf[4] = len - 5; /* Additional Length = (Len - 1) - 4 */
609 /* Sync data transfer and TCQ. */
610 outbuf[7] = 0x10 | (s->tcq ? 0x02 : 0);
611 r->iov.iov_len = len;
612 break;
613 case 0x16:
614 DPRINTF("Reserve(6)\n");
615 if (buf[1] & 1)
616 goto fail;
617 break;
618 case 0x17:
619 DPRINTF("Release(6)\n");
620 if (buf[1] & 1)
621 goto fail;
622 break;
623 case 0x1a:
624 case 0x5a:
625 {
626 uint8_t *p;
627 int page;
628
629 page = buf[2] & 0x3f;
630 DPRINTF("Mode Sense (page %d, len %d)\n", page, len);
631 p = outbuf;
632 memset(p, 0, 4);
633 outbuf[1] = 0; /* Default media type. */
634 outbuf[3] = 0; /* Block descriptor length. */
635 if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) {
636 outbuf[2] = 0x80; /* Readonly. */
637 }
638 p += 4;
639 if (page == 4) {
640 int cylinders, heads, secs;
641
642 /* Rigid disk device geometry page. */
643 p[0] = 4;
644 p[1] = 0x16;
645 /* if a geometry hint is available, use it */
646 bdrv_get_geometry_hint(s->bdrv, &cylinders, &heads, &secs);
647 p[2] = (cylinders >> 16) & 0xff;
648 p[3] = (cylinders >> 8) & 0xff;
649 p[4] = cylinders & 0xff;
650 p[5] = heads & 0xff;
651 /* Write precomp start cylinder, disabled */
652 p[6] = (cylinders >> 16) & 0xff;
653 p[7] = (cylinders >> 8) & 0xff;
654 p[8] = cylinders & 0xff;
655 /* Reduced current start cylinder, disabled */
656 p[9] = (cylinders >> 16) & 0xff;
657 p[10] = (cylinders >> 8) & 0xff;
658 p[11] = cylinders & 0xff;
659 /* Device step rate [ns], 200ns */
660 p[12] = 0;
661 p[13] = 200;
662 /* Landing zone cylinder */
663 p[14] = 0xff;
664 p[15] = 0xff;
665 p[16] = 0xff;
666 /* Medium rotation rate [rpm], 5400 rpm */
667 p[20] = (5400 >> 8) & 0xff;
668 p[21] = 5400 & 0xff;
669 p += 0x16;
670 } else if (page == 5) {
671 int cylinders, heads, secs;
672
673 /* Flexible disk device geometry page. */
674 p[0] = 5;
675 p[1] = 0x1e;
676 /* Transfer rate [kbit/s], 5Mbit/s */
677 p[2] = 5000 >> 8;
678 p[3] = 5000 & 0xff;
679 /* if a geometry hint is available, use it */
680 bdrv_get_geometry_hint(s->bdrv, &cylinders, &heads, &secs);
681 p[4] = heads & 0xff;
682 p[5] = secs & 0xff;
683 p[6] = s->cluster_size * 2;
684 p[8] = (cylinders >> 8) & 0xff;
685 p[9] = cylinders & 0xff;
686 /* Write precomp start cylinder, disabled */
687 p[10] = (cylinders >> 8) & 0xff;
688 p[11] = cylinders & 0xff;
689 /* Reduced current start cylinder, disabled */
690 p[12] = (cylinders >> 8) & 0xff;
691 p[13] = cylinders & 0xff;
692 /* Device step rate [100us], 100us */
693 p[14] = 0;
694 p[15] = 1;
695 /* Device step pulse width [us], 1us */
696 p[16] = 1;
697 /* Device head settle delay [100us], 100us */
698 p[17] = 0;
699 p[18] = 1;
700 /* Motor on delay [0.1s], 0.1s */
701 p[19] = 1;
702 /* Motor off delay [0.1s], 0.1s */
703 p[20] = 1;
704 /* Medium rotation rate [rpm], 5400 rpm */
705 p[28] = (5400 >> 8) & 0xff;
706 p[29] = 5400 & 0xff;
707 p += 0x1e;
708 } else if ((page == 8 || page == 0x3f)) {
709 /* Caching page. */
710 memset(p,0,20);
711 p[0] = 8;
712 p[1] = 0x12;
713 p[2] = 4; /* WCE */
714 p += 20;
715 }
716 if ((page == 0x3f || page == 0x2a)
717 && (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM)) {
718 /* CD Capabilities and Mechanical Status page. */
719 p[0] = 0x2a;
720 p[1] = 0x14;
721 p[2] = 3; // CD-R & CD-RW read
722 p[3] = 0; // Writing not supported
723 p[4] = 0x7f; /* Audio, composite, digital out,
724 mode 2 form 1&2, multi session */
725 p[5] = 0xff; /* CD DA, DA accurate, RW supported,
726 RW corrected, C2 errors, ISRC,
727 UPC, Bar code */
728 p[6] = 0x2d | (bdrv_is_locked(s->bdrv)? 2 : 0);
729 /* Locking supported, jumper present, eject, tray */
730 p[7] = 0; /* no volume & mute control, no
731 changer */
732 p[8] = (50 * 176) >> 8; // 50x read speed
733 p[9] = (50 * 176) & 0xff;
734 p[10] = 0 >> 8; // No volume
735 p[11] = 0 & 0xff;
736 p[12] = 2048 >> 8; // 2M buffer
737 p[13] = 2048 & 0xff;
738 p[14] = (16 * 176) >> 8; // 16x read speed current
739 p[15] = (16 * 176) & 0xff;
740 p[18] = (16 * 176) >> 8; // 16x write speed
741 p[19] = (16 * 176) & 0xff;
742 p[20] = (16 * 176) >> 8; // 16x write speed current
743 p[21] = (16 * 176) & 0xff;
744 p += 22;
745 }
746 r->iov.iov_len = p - outbuf;
747 outbuf[0] = r->iov.iov_len - 4;
748 if (r->iov.iov_len > len)
749 r->iov.iov_len = len;
750 }
751 break;
752 case 0x1b:
753 DPRINTF("Start Stop Unit\n");
754 if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM &&
755 (buf[4] & 2))
756 /* load/eject medium */
757 bdrv_eject(s->bdrv, !(buf[4] & 1));
758 break;
759 case 0x1e:
760 DPRINTF("Prevent Allow Medium Removal (prevent = %d)\n", buf[4] & 3);
761 bdrv_set_locked(s->bdrv, buf[4] & 1);
762 break;
763 case 0x25:
764 DPRINTF("Read Capacity\n");
765 /* The normal LEN field for this command is zero. */
766 memset(outbuf, 0, 8);
767 bdrv_get_geometry(s->bdrv, &nb_sectors);
768 nb_sectors /= s->cluster_size;
769 /* Returned value is the address of the last sector. */
770 if (nb_sectors) {
771 nb_sectors--;
772 /* Remember the new size for read/write sanity checking. */
773 s->max_lba = nb_sectors;
774 /* Clip to 2TB, instead of returning capacity modulo 2TB. */
775 if (nb_sectors > UINT32_MAX)
776 nb_sectors = UINT32_MAX;
777 outbuf[0] = (nb_sectors >> 24) & 0xff;
778 outbuf[1] = (nb_sectors >> 16) & 0xff;
779 outbuf[2] = (nb_sectors >> 8) & 0xff;
780 outbuf[3] = nb_sectors & 0xff;
781 outbuf[4] = 0;
782 outbuf[5] = 0;
783 outbuf[6] = s->cluster_size * 2;
784 outbuf[7] = 0;
785 r->iov.iov_len = 8;
786 } else {
787 notready:
788 scsi_command_complete(r, STATUS_CHECK_CONDITION, SENSE_NOT_READY);
789 return 0;
790 }
791 break;
792 case 0x08:
793 case 0x28:
794 case 0x88:
795 DPRINTF("Read (sector %" PRId64 ", count %d)\n", lba, len);
796 if (lba > s->max_lba)
797 goto illegal_lba;
798 r->sector = lba * s->cluster_size;
799 r->sector_count = len * s->cluster_size;
800 break;
801 case 0x0a:
802 case 0x2a:
803 case 0x8a:
804 DPRINTF("Write (sector %" PRId64 ", count %d)\n", lba, len);
805 if (lba > s->max_lba)
806 goto illegal_lba;
807 r->sector = lba * s->cluster_size;
808 r->sector_count = len * s->cluster_size;
809 is_write = 1;
810 break;
811 case 0x35:
812 DPRINTF("Synchronise cache (sector %" PRId64 ", count %d)\n", lba, len);
813 bdrv_flush(s->bdrv);
814 break;
815 case 0x43:
816 {
817 int start_track, format, msf, toclen;
818
819 msf = buf[1] & 2;
820 format = buf[2] & 0xf;
821 start_track = buf[6];
822 bdrv_get_geometry(s->bdrv, &nb_sectors);
823 DPRINTF("Read TOC (track %d format %d msf %d)\n", start_track, format, msf >> 1);
824 nb_sectors /= s->cluster_size;
825 switch(format) {
826 case 0:
827 toclen = cdrom_read_toc(nb_sectors, outbuf, msf, start_track);
828 break;
829 case 1:
830 /* multi session : only a single session defined */
831 toclen = 12;
832 memset(outbuf, 0, 12);
833 outbuf[1] = 0x0a;
834 outbuf[2] = 0x01;
835 outbuf[3] = 0x01;
836 break;
837 case 2:
838 toclen = cdrom_read_toc_raw(nb_sectors, outbuf, msf, start_track);
839 break;
840 default:
841 goto error_cmd;
842 }
843 if (toclen > 0) {
844 if (len > toclen)
845 len = toclen;
846 r->iov.iov_len = len;
847 break;
848 }
849 error_cmd:
850 DPRINTF("Read TOC error\n");
851 goto fail;
852 }
853 case 0x46:
854 DPRINTF("Get Configuration (rt %d, maxlen %d)\n", buf[1] & 3, len);
855 memset(outbuf, 0, 8);
856 /* ??? This should probably return much more information. For now
857 just return the basic header indicating the CD-ROM profile. */
858 outbuf[7] = 8; // CD-ROM
859 r->iov.iov_len = 8;
860 break;
861 case 0x56:
862 DPRINTF("Reserve(10)\n");
863 if (buf[1] & 3)
864 goto fail;
865 break;
866 case 0x57:
867 DPRINTF("Release(10)\n");
868 if (buf[1] & 3)
869 goto fail;
870 break;
871 case 0x9e:
872 /* Service Action In subcommands. */
873 if ((buf[1] & 31) == 0x10) {
874 DPRINTF("SAI READ CAPACITY(16)\n");
875 memset(outbuf, 0, len);
876 bdrv_get_geometry(s->bdrv, &nb_sectors);
877 nb_sectors /= s->cluster_size;
878 /* Returned value is the address of the last sector. */
879 if (nb_sectors) {
880 nb_sectors--;
881 /* Remember the new size for read/write sanity checking. */
882 s->max_lba = nb_sectors;
883 outbuf[0] = (nb_sectors >> 56) & 0xff;
884 outbuf[1] = (nb_sectors >> 48) & 0xff;
885 outbuf[2] = (nb_sectors >> 40) & 0xff;
886 outbuf[3] = (nb_sectors >> 32) & 0xff;
887 outbuf[4] = (nb_sectors >> 24) & 0xff;
888 outbuf[5] = (nb_sectors >> 16) & 0xff;
889 outbuf[6] = (nb_sectors >> 8) & 0xff;
890 outbuf[7] = nb_sectors & 0xff;
891 outbuf[8] = 0;
892 outbuf[9] = 0;
893 outbuf[10] = s->cluster_size * 2;
894 outbuf[11] = 0;
895 /* Protection, exponent and lowest lba field left blank. */
896 r->iov.iov_len = len;
897 } else {
898 scsi_command_complete(r, STATUS_CHECK_CONDITION, SENSE_NOT_READY);
899 return 0;
900 }
901 break;
902 }
903 DPRINTF("Unsupported Service Action In\n");
904 goto fail;
905 case 0xa0:
906 DPRINTF("Report LUNs (len %d)\n", len);
907 if (len < 16)
908 goto fail;
909 memset(outbuf, 0, 16);
910 outbuf[3] = 8;
911 r->iov.iov_len = 16;
912 break;
913 case 0x2f:
914 DPRINTF("Verify (sector %" PRId64 ", count %d)\n", lba, len);
915 break;
916 default:
917 DPRINTF("Unknown SCSI command (%2.2x)\n", buf[0]);
918 fail:
919 scsi_command_complete(r, STATUS_CHECK_CONDITION, SENSE_ILLEGAL_REQUEST);
920 return 0;
921 illegal_lba:
922 scsi_command_complete(r, STATUS_CHECK_CONDITION, SENSE_HARDWARE_ERROR);
923 return 0;
924 }
925 if (r->sector_count == 0 && r->iov.iov_len == 0) {
926 scsi_command_complete(r, STATUS_GOOD, SENSE_NO_SENSE);
927 }
928 len = r->sector_count * 512 + r->iov.iov_len;
929 if (is_write) {
930 return -len;
931 } else {
932 if (!r->sector_count)
933 r->sector_count = -1;
934 return len;
935 }
936 }
937
938 static void scsi_destroy(SCSIDevice *d)
939 {
940 qemu_free(d->state);
941 qemu_free(d);
942 }
943
944 SCSIDevice *scsi_disk_init(BlockDriverState *bdrv, int tcq,
945 scsi_completionfn completion, void *opaque)
946 {
947 SCSIDevice *d;
948 SCSIDeviceState *s;
949 uint64_t nb_sectors;
950
951 s = (SCSIDeviceState *)qemu_mallocz(sizeof(SCSIDeviceState));
952 s->bdrv = bdrv;
953 s->tcq = tcq;
954 s->completion = completion;
955 s->opaque = opaque;
956 if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) {
957 s->cluster_size = 4;
958 } else {
959 s->cluster_size = 1;
960 }
961 bdrv_get_geometry(s->bdrv, &nb_sectors);
962 nb_sectors /= s->cluster_size;
963 if (nb_sectors)
964 nb_sectors--;
965 s->max_lba = nb_sectors;
966 strncpy(s->drive_serial_str, drive_get_serial(s->bdrv),
967 sizeof(s->drive_serial_str));
968 if (strlen(s->drive_serial_str) == 0)
969 pstrcpy(s->drive_serial_str, sizeof(s->drive_serial_str), "0");
970 qemu_add_vm_change_state_handler(scsi_dma_restart_cb, s);
971 d = (SCSIDevice *)qemu_mallocz(sizeof(SCSIDevice));
972 d->state = s;
973 d->destroy = scsi_destroy;
974 d->send_command = scsi_send_command;
975 d->read_data = scsi_read_data;
976 d->write_data = scsi_write_data;
977 d->cancel_io = scsi_cancel_io;
978 d->get_buf = scsi_get_buf;
979
980 return d;
981 }
Patches shipped by Fedora