search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
fix signed/unsigned overflows in SCSI disk (Rik van Riel)
[qemu.git] / hw / scsi-disk.c
blob89b44c31b7a6b2f76e9e5653ee21666263e3ab97
1 /*
2 * SCSI Device emulation
3 *
4 * Copyright (c) 2006 CodeSourcery.
5 * Based on code by Fabrice Bellard
6 *
7 * Written by Paul Brook
8 *
9 * This code is licenced under the LGPL.
10 *
11 * Note that this file only handles the SCSI architecture model and device
12 * commands. Emulation of interface/link layer protocols is handled by
13 * the host adapter emulator.
14 */
15
16 #include <qemu-common.h>
17 #include <sysemu.h>
18 //#define DEBUG_SCSI
19
20 #ifdef DEBUG_SCSI
21 #define DPRINTF(fmt, args...) \
22 do { printf("scsi-disk: " fmt , ##args); } while (0)
23 #else
24 #define DPRINTF(fmt, args...) do {} while(0)
25 #endif
26
27 #define BADF(fmt, args...) \
28 do { fprintf(stderr, "scsi-disk: " fmt , ##args); } while (0)
29
30 #include "qemu-common.h"
31 #include "block.h"
32 #include "scsi-disk.h"
33
34 #define SENSE_NO_SENSE 0
35 #define SENSE_NOT_READY 2
36 #define SENSE_HARDWARE_ERROR 4
37 #define SENSE_ILLEGAL_REQUEST 5
38
39 #define STATUS_GOOD 0
40 #define STATUS_CHECK_CONDITION 2
41
42 #define SCSI_DMA_BUF_SIZE 131072
43 #define SCSI_MAX_INQUIRY_LEN 256
44
45 #define SCSI_REQ_STATUS_RETRY 0x01
46
47 typedef struct SCSIRequest {
48 SCSIDeviceState *dev;
49 uint32_t tag;
50 /* ??? We should probably keep track of whether the data transfer is
51 a read or a write. Currently we rely on the host getting it right. */
52 /* Both sector and sector_count are in terms of qemu 512 byte blocks. */
53 uint64_t sector;
54 uint32_t sector_count;
55 /* The amounnt of data in the buffer. */
56 int buf_len;
57 uint8_t *dma_buf;
58 BlockDriverAIOCB *aiocb;
59 struct SCSIRequest *next;
60 uint32_t status;
61 } SCSIRequest;
62
63 struct SCSIDeviceState
64 {
65 BlockDriverState *bdrv;
66 SCSIRequest *requests;
67 /* The qemu block layer uses a fixed 512 byte sector size.
68 This is the number of 512 byte blocks in a single scsi sector. */
69 int cluster_size;
70 int sense;
71 int tcq;
72 /* Completion functions may be called from either scsi_{read,write}_data
73 or from the AIO completion routines. */
74 scsi_completionfn completion;
75 void *opaque;
76 char drive_serial_str[21];
77 };
78
79 /* Global pool of SCSIRequest structures. */
80 static SCSIRequest *free_requests = NULL;
81
82 static SCSIRequest *scsi_new_request(SCSIDeviceState *s, uint32_t tag)
83 {
84 SCSIRequest *r;
85
86 if (free_requests) {
87 r = free_requests;
88 free_requests = r->next;
89 } else {
90 r = qemu_malloc(sizeof(SCSIRequest));
91 r->dma_buf = qemu_memalign(512, SCSI_DMA_BUF_SIZE);
92 }
93 r->dev = s;
94 r->tag = tag;
95 r->sector_count = 0;
96 r->buf_len = 0;
97 r->aiocb = NULL;
98 r->status = 0;
99
100 r->next = s->requests;
101 s->requests = r;
102 return r;
103 }
104
105 static void scsi_remove_request(SCSIRequest *r)
106 {
107 SCSIRequest *last;
108 SCSIDeviceState *s = r->dev;
109
110 if (s->requests == r) {
111 s->requests = r->next;
112 } else {
113 last = s->requests;
114 while (last && last->next != r)
115 last = last->next;
116 if (last) {
117 last->next = r->next;
118 } else {
119 BADF("Orphaned request\n");
120 }
121 }
122 r->next = free_requests;
123 free_requests = r;
124 }
125
126 static SCSIRequest *scsi_find_request(SCSIDeviceState *s, uint32_t tag)
127 {
128 SCSIRequest *r;
129
130 r = s->requests;
131 while (r && r->tag != tag)
132 r = r->next;
133
134 return r;
135 }
136
137 /* Helper function for command completion. */
138 static void scsi_command_complete(SCSIRequest *r, int status, int sense)
139 {
140 SCSIDeviceState *s = r->dev;
141 uint32_t tag;
142 DPRINTF("Command complete tag=0x%x status=%d sense=%d\n", r->tag, status, sense);
143 s->sense = sense;
144 tag = r->tag;
145 scsi_remove_request(r);
146 s->completion(s->opaque, SCSI_REASON_DONE, tag, status);
147 }
148
149 /* Cancel a pending data transfer. */
150 static void scsi_cancel_io(SCSIDevice *d, uint32_t tag)
151 {
152 SCSIDeviceState *s = d->state;
153 SCSIRequest *r;
154 DPRINTF("Cancel tag=0x%x\n", tag);
155 r = scsi_find_request(s, tag);
156 if (r) {
157 if (r->aiocb)
158 bdrv_aio_cancel(r->aiocb);
159 r->aiocb = NULL;
160 scsi_remove_request(r);
161 }
162 }
163
164 static void scsi_read_complete(void * opaque, int ret)
165 {
166 SCSIRequest *r = (SCSIRequest *)opaque;
167 SCSIDeviceState *s = r->dev;
168
169 if (ret) {
170 DPRINTF("IO error\n");
171 s->completion(s->opaque, SCSI_REASON_DATA, r->tag, 0);
172 scsi_command_complete(r, STATUS_CHECK_CONDITION, SENSE_NO_SENSE);
173 return;
174 }
175 DPRINTF("Data ready tag=0x%x len=%d\n", r->tag, r->buf_len);
176
177 s->completion(s->opaque, SCSI_REASON_DATA, r->tag, r->buf_len);
178 }
179
180 /* Read more data from scsi device into buffer. */
181 static void scsi_read_data(SCSIDevice *d, uint32_t tag)
182 {
183 SCSIDeviceState *s = d->state;
184 SCSIRequest *r;
185 uint32_t n;
186
187 r = scsi_find_request(s, tag);
188 if (!r) {
189 BADF("Bad read tag 0x%x\n", tag);
190 /* ??? This is the wrong error. */
191 scsi_command_complete(r, STATUS_CHECK_CONDITION, SENSE_HARDWARE_ERROR);
192 return;
193 }
194 if (r->sector_count == (uint32_t)-1) {
195 DPRINTF("Read buf_len=%d\n", r->buf_len);
196 r->sector_count = 0;
197 s->completion(s->opaque, SCSI_REASON_DATA, r->tag, r->buf_len);
198 return;
199 }
200 DPRINTF("Read sector_count=%d\n", r->sector_count);
201 if (r->sector_count == 0) {
202 scsi_command_complete(r, STATUS_GOOD, SENSE_NO_SENSE);
203 return;
204 }
205
206 n = r->sector_count;
207 if (n > SCSI_DMA_BUF_SIZE / 512)
208 n = SCSI_DMA_BUF_SIZE / 512;
209
210 r->buf_len = n * 512;
211 r->aiocb = bdrv_aio_read(s->bdrv, r->sector, r->dma_buf, n,
212 scsi_read_complete, r);
213 if (r->aiocb == NULL)
214 scsi_command_complete(r, STATUS_CHECK_CONDITION, SENSE_HARDWARE_ERROR);
215 r->sector += n;
216 r->sector_count -= n;
217 }
218
219 static int scsi_handle_write_error(SCSIRequest *r, int error)
220 {
221 BlockInterfaceErrorAction action = drive_get_onerror(r->dev->bdrv);
222
223 if (action == BLOCK_ERR_IGNORE)
224 return 0;
225
226 if ((error == ENOSPC && action == BLOCK_ERR_STOP_ENOSPC)
227 || action == BLOCK_ERR_STOP_ANY) {
228 r->status |= SCSI_REQ_STATUS_RETRY;
229 vm_stop(0);
230 } else {
231 scsi_command_complete(r, STATUS_CHECK_CONDITION,
232 SENSE_HARDWARE_ERROR);
233 }
234
235 return 1;
236 }
237
238 static void scsi_write_complete(void * opaque, int ret)
239 {
240 SCSIRequest *r = (SCSIRequest *)opaque;
241 SCSIDeviceState *s = r->dev;
242 uint32_t len;
243 uint32_t n;
244
245 r->aiocb = NULL;
246
247 if (ret) {
248 if (scsi_handle_write_error(r, -ret))
249 return;
250 }
251
252 n = r->buf_len / 512;
253 r->sector += n;
254 r->sector_count -= n;
255 if (r->sector_count == 0) {
256 scsi_command_complete(r, STATUS_GOOD, SENSE_NO_SENSE);
257 } else {
258 len = r->sector_count * 512;
259 if (len > SCSI_DMA_BUF_SIZE) {
260 len = SCSI_DMA_BUF_SIZE;
261 }
262 r->buf_len = len;
263 DPRINTF("Write complete tag=0x%x more=%d\n", r->tag, len);
264 s->completion(s->opaque, SCSI_REASON_DATA, r->tag, len);
265 }
266 }
267
268 static void scsi_write_request(SCSIRequest *r)
269 {
270 SCSIDeviceState *s = r->dev;
271 uint32_t n;
272
273 n = r->buf_len / 512;
274 if (n) {
275 r->aiocb = bdrv_aio_write(s->bdrv, r->sector, r->dma_buf, n,
276 scsi_write_complete, r);
277 if (r->aiocb == NULL)
278 scsi_command_complete(r, STATUS_CHECK_CONDITION,
279 SENSE_HARDWARE_ERROR);
280 } else {
281 /* Invoke completion routine to fetch data from host. */
282 scsi_write_complete(r, 0);
283 }
284 }
285
286 /* Write data to a scsi device. Returns nonzero on failure.
287 The transfer may complete asynchronously. */
288 static int scsi_write_data(SCSIDevice *d, uint32_t tag)
289 {
290 SCSIDeviceState *s = d->state;
291 SCSIRequest *r;
292
293 DPRINTF("Write data tag=0x%x\n", tag);
294 r = scsi_find_request(s, tag);
295 if (!r) {
296 BADF("Bad write tag 0x%x\n", tag);
297 scsi_command_complete(r, STATUS_CHECK_CONDITION, SENSE_HARDWARE_ERROR);
298 return 1;
299 }
300
301 if (r->aiocb)
302 BADF("Data transfer already in progress\n");
303
304 scsi_write_request(r);
305
306 return 0;
307 }
308
309 static void scsi_dma_restart_cb(void *opaque, int running, int reason)
310 {
311 SCSIDeviceState *s = opaque;
312 SCSIRequest *r = s->requests;
313 if (!running)
314 return;
315
316 while (r) {
317 if (r->status & SCSI_REQ_STATUS_RETRY) {
318 r->status &= ~SCSI_REQ_STATUS_RETRY;
319 scsi_write_request(r);
320 }
321 r = r->next;
322 }
323 }
324
325 /* Return a pointer to the data buffer. */
326 static uint8_t *scsi_get_buf(SCSIDevice *d, uint32_t tag)
327 {
328 SCSIDeviceState *s = d->state;
329 SCSIRequest *r;
330
331 r = scsi_find_request(s, tag);
332 if (!r) {
333 BADF("Bad buffer tag 0x%x\n", tag);
334 return NULL;
335 }
336 return r->dma_buf;
337 }
338
339 /* Execute a scsi command. Returns the length of the data expected by the
340 command. This will be Positive for data transfers from the device
341 (eg. disk reads), negative for transfers to the device (eg. disk writes),
342 and zero if the command does not transfer any data. */
343
344 static int32_t scsi_send_command(SCSIDevice *d, uint32_t tag,
345 uint8_t *buf, int lun)
346 {
347 SCSIDeviceState *s = d->state;
348 uint64_t nb_sectors;
349 uint32_t lba;
350 uint32_t len;
351 int cmdlen;
352 int is_write;
353 uint8_t command;
354 uint8_t *outbuf;
355 SCSIRequest *r;
356
357 command = buf[0];
358 r = scsi_find_request(s, tag);
359 if (r) {
360 BADF("Tag 0x%x already in use\n", tag);
361 scsi_cancel_io(d, tag);
362 }
363 /* ??? Tags are not unique for different luns. We only implement a
364 single lun, so this should not matter. */
365 r = scsi_new_request(s, tag);
366 outbuf = r->dma_buf;
367 is_write = 0;
368 DPRINTF("Command: lun=%d tag=0x%x data=0x%02x", lun, tag, buf[0]);
369 switch (command >> 5) {
370 case 0:
371 lba = buf[3] | (buf[2] << 8) | ((buf[1] & 0x1f) << 16);
372 len = buf[4];
373 cmdlen = 6;
374 break;
375 case 1:
376 case 2:
377 lba = buf[5] | (buf[4] << 8) | (buf[3] << 16) | (buf[2] << 24);
378 len = buf[8] | (buf[7] << 8);
379 cmdlen = 10;
380 break;
381 case 4:
382 lba = buf[5] | (buf[4] << 8) | (buf[3] << 16) | (buf[2] << 24);
383 len = buf[13] | (buf[12] << 8) | (buf[11] << 16) | (buf[10] << 24);
384 cmdlen = 16;
385 break;
386 case 5:
387 lba = buf[5] | (buf[4] << 8) | (buf[3] << 16) | (buf[2] << 24);
388 len = buf[9] | (buf[8] << 8) | (buf[7] << 16) | (buf[6] << 24);
389 cmdlen = 12;
390 break;
391 default:
392 BADF("Unsupported command length, command %x\n", command);
393 goto fail;
394 }
395 #ifdef DEBUG_SCSI
396 {
397 int i;
398 for (i = 1; i < cmdlen; i++) {
399 printf(" 0x%02x", buf[i]);
400 }
401 printf("\n");
402 }
403 #endif
404 if (lun || buf[1] >> 5) {
405 /* Only LUN 0 supported. */
406 DPRINTF("Unimplemented LUN %d\n", lun ? lun : buf[1] >> 5);
407 if (command != 0x03 && command != 0x12) /* REQUEST SENSE and INQUIRY */
408 goto fail;
409 }
410 switch (command) {
411 case 0x0:
412 DPRINTF("Test Unit Ready\n");
413 break;
414 case 0x03:
415 DPRINTF("Request Sense (len %d)\n", len);
416 if (len < 4)
417 goto fail;
418 memset(outbuf, 0, 4);
419 outbuf[0] = 0xf0;
420 outbuf[1] = 0;
421 outbuf[2] = s->sense;
422 r->buf_len = 4;
423 break;
424 case 0x12:
425 DPRINTF("Inquiry (len %d)\n", len);
426 if (buf[1] & 0x2) {
427 /* Command support data - optional, not implemented */
428 BADF("optional INQUIRY command support request not implemented\n");
429 goto fail;
430 }
431 else if (buf[1] & 0x1) {
432 /* Vital product data */
433 uint8_t page_code = buf[2];
434 if (len < 4) {
435 BADF("Error: Inquiry (EVPD[%02X]) buffer size %d is "
436 "less than 4\n", page_code, len);
437 goto fail;
438 }
439
440 switch (page_code) {
441 case 0x00:
442 {
443 /* Supported page codes, mandatory */
444 DPRINTF("Inquiry EVPD[Supported pages] "
445 "buffer size %d\n", len);
446
447 r->buf_len = 0;
448
449 if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) {
450 outbuf[r->buf_len++] = 5;
451 } else {
452 outbuf[r->buf_len++] = 0;
453 }
454
455 outbuf[r->buf_len++] = 0x00; // this page
456 outbuf[r->buf_len++] = 0x00;
457 outbuf[r->buf_len++] = 3; // number of pages
458 outbuf[r->buf_len++] = 0x00; // list of supported pages (this page)
459 outbuf[r->buf_len++] = 0x80; // unit serial number
460 outbuf[r->buf_len++] = 0x83; // device identification
461 }
462 break;
463 case 0x80:
464 {
465 int l;
466
467 /* Device serial number, optional */
468 if (len < 4) {
469 BADF("Error: EVPD[Serial number] Inquiry buffer "
470 "size %d too small, %d needed\n", len, 4);
471 goto fail;
472 }
473
474 DPRINTF("Inquiry EVPD[Serial number] buffer size %d\n", len);
475 l = MIN(len, strlen(s->drive_serial_str));
476
477 r->buf_len = 0;
478
479 /* Supported page codes */
480 if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) {
481 outbuf[r->buf_len++] = 5;
482 } else {
483 outbuf[r->buf_len++] = 0;
484 }
485
486 outbuf[r->buf_len++] = 0x80; // this page
487 outbuf[r->buf_len++] = 0x00;
488 outbuf[r->buf_len++] = l;
489 memcpy(&outbuf[r->buf_len], s->drive_serial_str, l);
490 r->buf_len += l;
491 }
492
493 break;
494 case 0x83:
495 {
496 /* Device identification page, mandatory */
497 int max_len = 255 - 8;
498 int id_len = strlen(bdrv_get_device_name(s->bdrv));
499 if (id_len > max_len)
500 id_len = max_len;
501
502 DPRINTF("Inquiry EVPD[Device identification] "
503 "buffer size %d\n", len);
504 r->buf_len = 0;
505 if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) {
506 outbuf[r->buf_len++] = 5;
507 } else {
508 outbuf[r->buf_len++] = 0;
509 }
510
511 outbuf[r->buf_len++] = 0x83; // this page
512 outbuf[r->buf_len++] = 0x00;
513 outbuf[r->buf_len++] = 3 + id_len;
514
515 outbuf[r->buf_len++] = 0x2; // ASCII
516 outbuf[r->buf_len++] = 0; // not officially assigned
517 outbuf[r->buf_len++] = 0; // reserved
518 outbuf[r->buf_len++] = id_len; // length of data following
519
520 memcpy(&outbuf[r->buf_len],
521 bdrv_get_device_name(s->bdrv), id_len);
522 r->buf_len += id_len;
523 }
524 break;
525 default:
526 BADF("Error: unsupported Inquiry (EVPD[%02X]) "
527 "buffer size %d\n", page_code, len);
528 goto fail;
529 }
530 /* done with EVPD */
531 break;
532 }
533 else {
534 /* Standard INQUIRY data */
535 if (buf[2] != 0) {
536 BADF("Error: Inquiry (STANDARD) page or code "
537 "is non-zero [%02X]\n", buf[2]);
538 goto fail;
539 }
540
541 /* PAGE CODE == 0 */
542 if (len < 5) {
543 BADF("Error: Inquiry (STANDARD) buffer size %d "
544 "is less than 5\n", len);
545 goto fail;
546 }
547
548 if (len < 36) {
549 BADF("Error: Inquiry (STANDARD) buffer size %d "
550 "is less than 36 (TODO: only 5 required)\n", len);
551 }
552 }
553
554 if(len > SCSI_MAX_INQUIRY_LEN)
555 len = SCSI_MAX_INQUIRY_LEN;
556
557 memset(outbuf, 0, len);
558
559 if (lun || buf[1] >> 5) {
560 outbuf[0] = 0x7f; /* LUN not supported */
561 } else if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) {
562 outbuf[0] = 5;
563 outbuf[1] = 0x80;
564 memcpy(&outbuf[16], "QEMU CD-ROM ", 16);
565 } else {
566 outbuf[0] = 0;
567 memcpy(&outbuf[16], "QEMU HARDDISK ", 16);
568 }
569 memcpy(&outbuf[8], "QEMU ", 8);
570 memcpy(&outbuf[32], QEMU_VERSION, 4);
571 /* Identify device as SCSI-3 rev 1.
572 Some later commands are also implemented. */
573 outbuf[2] = 3;
574 outbuf[3] = 2; /* Format 2 */
575 outbuf[4] = len - 5; /* Additional Length = (Len - 1) - 4 */
576 /* Sync data transfer and TCQ. */
577 outbuf[7] = 0x10 | (s->tcq ? 0x02 : 0);
578 r->buf_len = len;
579 break;
580 case 0x16:
581 DPRINTF("Reserve(6)\n");
582 if (buf[1] & 1)
583 goto fail;
584 break;
585 case 0x17:
586 DPRINTF("Release(6)\n");
587 if (buf[1] & 1)
588 goto fail;
589 break;
590 case 0x1a:
591 case 0x5a:
592 {
593 uint8_t *p;
594 int page;
595
596 page = buf[2] & 0x3f;
597 DPRINTF("Mode Sense (page %d, len %d)\n", page, len);
598 p = outbuf;
599 memset(p, 0, 4);
600 outbuf[1] = 0; /* Default media type. */
601 outbuf[3] = 0; /* Block descriptor length. */
602 if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) {
603 outbuf[2] = 0x80; /* Readonly. */
604 }
605 p += 4;
606 if (page == 4) {
607 int cylinders, heads, secs;
608
609 /* Rigid disk device geometry page. */
610 p[0] = 4;
611 p[1] = 0x16;
612 /* if a geometry hint is available, use it */
613 bdrv_get_geometry_hint(s->bdrv, &cylinders, &heads, &secs);
614 p[2] = (cylinders >> 16) & 0xff;
615 p[3] = (cylinders >> 8) & 0xff;
616 p[4] = cylinders & 0xff;
617 p[5] = heads & 0xff;
618 /* Write precomp start cylinder, disabled */
619 p[6] = (cylinders >> 16) & 0xff;
620 p[7] = (cylinders >> 8) & 0xff;
621 p[8] = cylinders & 0xff;
622 /* Reduced current start cylinder, disabled */
623 p[9] = (cylinders >> 16) & 0xff;
624 p[10] = (cylinders >> 8) & 0xff;
625 p[11] = cylinders & 0xff;
626 /* Device step rate [ns], 200ns */
627 p[12] = 0;
628 p[13] = 200;
629 /* Landing zone cylinder */
630 p[14] = 0xff;
631 p[15] = 0xff;
632 p[16] = 0xff;
633 /* Medium rotation rate [rpm], 5400 rpm */
634 p[20] = (5400 >> 8) & 0xff;
635 p[21] = 5400 & 0xff;
636 p += 0x16;
637 } else if (page == 5) {
638 int cylinders, heads, secs;
639
640 /* Flexible disk device geometry page. */
641 p[0] = 5;
642 p[1] = 0x1e;
643 /* Transfer rate [kbit/s], 5Mbit/s */
644 p[2] = 5000 >> 8;
645 p[3] = 5000 & 0xff;
646 /* if a geometry hint is available, use it */
647 bdrv_get_geometry_hint(s->bdrv, &cylinders, &heads, &secs);
648 p[4] = heads & 0xff;
649 p[5] = secs & 0xff;
650 p[6] = s->cluster_size * 2;
651 p[8] = (cylinders >> 8) & 0xff;
652 p[9] = cylinders & 0xff;
653 /* Write precomp start cylinder, disabled */
654 p[10] = (cylinders >> 8) & 0xff;
655 p[11] = cylinders & 0xff;
656 /* Reduced current start cylinder, disabled */
657 p[12] = (cylinders >> 8) & 0xff;
658 p[13] = cylinders & 0xff;
659 /* Device step rate [100us], 100us */
660 p[14] = 0;
661 p[15] = 1;
662 /* Device step pulse width [us], 1us */
663 p[16] = 1;
664 /* Device head settle delay [100us], 100us */
665 p[17] = 0;
666 p[18] = 1;
667 /* Motor on delay [0.1s], 0.1s */
668 p[19] = 1;
669 /* Motor off delay [0.1s], 0.1s */
670 p[20] = 1;
671 /* Medium rotation rate [rpm], 5400 rpm */
672 p[28] = (5400 >> 8) & 0xff;
673 p[29] = 5400 & 0xff;
674 p += 0x1e;
675 } else if ((page == 8 || page == 0x3f)) {
676 /* Caching page. */
677 memset(p,0,20);
678 p[0] = 8;
679 p[1] = 0x12;
680 p[2] = 4; /* WCE */
681 p += 20;
682 }
683 if ((page == 0x3f || page == 0x2a)
684 && (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM)) {
685 /* CD Capabilities and Mechanical Status page. */
686 p[0] = 0x2a;
687 p[1] = 0x14;
688 p[2] = 3; // CD-R & CD-RW read
689 p[3] = 0; // Writing not supported
690 p[4] = 0x7f; /* Audio, composite, digital out,
691 mode 2 form 1&2, multi session */
692 p[5] = 0xff; /* CD DA, DA accurate, RW supported,
693 RW corrected, C2 errors, ISRC,
694 UPC, Bar code */
695 p[6] = 0x2d | (bdrv_is_locked(s->bdrv)? 2 : 0);
696 /* Locking supported, jumper present, eject, tray */
697 p[7] = 0; /* no volume & mute control, no
698 changer */
699 p[8] = (50 * 176) >> 8; // 50x read speed
700 p[9] = (50 * 176) & 0xff;
701 p[10] = 0 >> 8; // No volume
702 p[11] = 0 & 0xff;
703 p[12] = 2048 >> 8; // 2M buffer
704 p[13] = 2048 & 0xff;
705 p[14] = (16 * 176) >> 8; // 16x read speed current
706 p[15] = (16 * 176) & 0xff;
707 p[18] = (16 * 176) >> 8; // 16x write speed
708 p[19] = (16 * 176) & 0xff;
709 p[20] = (16 * 176) >> 8; // 16x write speed current
710 p[21] = (16 * 176) & 0xff;
711 p += 22;
712 }
713 r->buf_len = p - outbuf;
714 outbuf[0] = r->buf_len - 4;
715 if (r->buf_len > len)
716 r->buf_len = len;
717 }
718 break;
719 case 0x1b:
720 DPRINTF("Start Stop Unit\n");
721 break;
722 case 0x1e:
723 DPRINTF("Prevent Allow Medium Removal (prevent = %d)\n", buf[4] & 3);
724 bdrv_set_locked(s->bdrv, buf[4] & 1);
725 break;
726 case 0x25:
727 DPRINTF("Read Capacity\n");
728 /* The normal LEN field for this command is zero. */
729 memset(outbuf, 0, 8);
730 bdrv_get_geometry(s->bdrv, &nb_sectors);
731 /* Returned value is the address of the last sector. */
732 if (nb_sectors) {
733 nb_sectors--;
734 /* Clip to 2TB, instead of returning capacity modulo 2TB. */
735 if (nb_sectors > UINT32_MAX)
736 nb_sectors = UINT32_MAX;
737 outbuf[0] = (nb_sectors >> 24) & 0xff;
738 outbuf[1] = (nb_sectors >> 16) & 0xff;
739 outbuf[2] = (nb_sectors >> 8) & 0xff;
740 outbuf[3] = nb_sectors & 0xff;
741 outbuf[4] = 0;
742 outbuf[5] = 0;
743 outbuf[6] = s->cluster_size * 2;
744 outbuf[7] = 0;
745 r->buf_len = 8;
746 } else {
747 scsi_command_complete(r, STATUS_CHECK_CONDITION, SENSE_NOT_READY);
748 return 0;
749 }
750 break;
751 case 0x08:
752 case 0x28:
753 DPRINTF("Read (sector %d, count %d)\n", lba, len);
754 r->sector = lba * s->cluster_size;
755 r->sector_count = len * s->cluster_size;
756 break;
757 case 0x0a:
758 case 0x2a:
759 DPRINTF("Write (sector %d, count %d)\n", lba, len);
760 r->sector = lba * s->cluster_size;
761 r->sector_count = len * s->cluster_size;
762 is_write = 1;
763 break;
764 case 0x35:
765 DPRINTF("Synchronise cache (sector %d, count %d)\n", lba, len);
766 bdrv_flush(s->bdrv);
767 break;
768 case 0x43:
769 {
770 int start_track, format, msf, toclen;
771
772 msf = buf[1] & 2;
773 format = buf[2] & 0xf;
774 start_track = buf[6];
775 bdrv_get_geometry(s->bdrv, &nb_sectors);
776 DPRINTF("Read TOC (track %d format %d msf %d)\n", start_track, format, msf >> 1);
777 switch(format) {
778 case 0:
779 toclen = cdrom_read_toc(nb_sectors, outbuf, msf, start_track);
780 break;
781 case 1:
782 /* multi session : only a single session defined */
783 toclen = 12;
784 memset(outbuf, 0, 12);
785 outbuf[1] = 0x0a;
786 outbuf[2] = 0x01;
787 outbuf[3] = 0x01;
788 break;
789 case 2:
790 toclen = cdrom_read_toc_raw(nb_sectors, outbuf, msf, start_track);
791 break;
792 default:
793 goto error_cmd;
794 }
795 if (toclen > 0) {
796 if (len > toclen)
797 len = toclen;
798 r->buf_len = len;
799 break;
800 }
801 error_cmd:
802 DPRINTF("Read TOC error\n");
803 goto fail;
804 }
805 case 0x46:
806 DPRINTF("Get Configuration (rt %d, maxlen %d)\n", buf[1] & 3, len);
807 memset(outbuf, 0, 8);
808 /* ??? This should probably return much more information. For now
809 just return the basic header indicating the CD-ROM profile. */
810 outbuf[7] = 8; // CD-ROM
811 r->buf_len = 8;
812 break;
813 case 0x56:
814 DPRINTF("Reserve(10)\n");
815 if (buf[1] & 3)
816 goto fail;
817 break;
818 case 0x57:
819 DPRINTF("Release(10)\n");
820 if (buf[1] & 3)
821 goto fail;
822 break;
823 case 0xa0:
824 DPRINTF("Report LUNs (len %d)\n", len);
825 if (len < 16)
826 goto fail;
827 memset(outbuf, 0, 16);
828 outbuf[3] = 8;
829 r->buf_len = 16;
830 break;
831 case 0x2f:
832 DPRINTF("Verify (sector %d, count %d)\n", lba, len);
833 break;
834 default:
835 DPRINTF("Unknown SCSI command (%2.2x)\n", buf[0]);
836 fail:
837 scsi_command_complete(r, STATUS_CHECK_CONDITION, SENSE_ILLEGAL_REQUEST);
838 return 0;
839 }
840 if (r->sector_count == 0 && r->buf_len == 0) {
841 scsi_command_complete(r, STATUS_GOOD, SENSE_NO_SENSE);
842 }
843 len = r->sector_count * 512 + r->buf_len;
844 if (is_write) {
845 return -len;
846 } else {
847 if (!r->sector_count)
848 r->sector_count = -1;
849 return len;
850 }
851 }
852
853 static void scsi_destroy(SCSIDevice *d)
854 {
855 qemu_free(d->state);
856 qemu_free(d);
857 }
858
859 SCSIDevice *scsi_disk_init(BlockDriverState *bdrv, int tcq,
860 scsi_completionfn completion, void *opaque)
861 {
862 SCSIDevice *d;
863 SCSIDeviceState *s;
864
865 s = (SCSIDeviceState *)qemu_mallocz(sizeof(SCSIDeviceState));
866 s->bdrv = bdrv;
867 s->tcq = tcq;
868 s->completion = completion;
869 s->opaque = opaque;
870 if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) {
871 s->cluster_size = 4;
872 } else {
873 s->cluster_size = 1;
874 }
875 strncpy(s->drive_serial_str, drive_get_serial(s->bdrv),
876 sizeof(s->drive_serial_str));
877 if (strlen(s->drive_serial_str) == 0)
878 pstrcpy(s->drive_serial_str, sizeof(s->drive_serial_str), "0");
879 qemu_add_vm_change_state_handler(scsi_dma_restart_cb, s);
880 d = (SCSIDevice *)qemu_mallocz(sizeof(SCSIDevice));
881 d->state = s;
882 d->destroy = scsi_destroy;
883 d->send_command = scsi_send_command;
884 d->read_data = scsi_read_data;
885 d->write_data = scsi_write_data;
886 d->cancel_io = scsi_cancel_io;
887 d->get_buf = scsi_get_buf;
888
889 return d;
890 }
QEmu