LXR qemu/hw/scsi/scsi-bus.c

   1#include "qemu/osdep.h"
   2#include "qapi/error.h"
   3#include "qemu/error-report.h"
   4#include "qemu/module.h"
   5#include "qemu/option.h"
   6#include "hw/qdev-properties.h"
   7#include "hw/scsi/scsi.h"
   8#include "migration/qemu-file-types.h"
   9#include "migration/vmstate.h"
  10#include "scsi/constants.h"
  11#include "sysemu/block-backend.h"
  12#include "sysemu/blockdev.h"
  13#include "sysemu/sysemu.h"
  14#include "sysemu/runstate.h"
  15#include "trace.h"
  16#include "sysemu/dma.h"
  17#include "qemu/cutils.h"
  18
  19static char *scsibus_get_dev_path(DeviceState *dev);
  20static char *scsibus_get_fw_dev_path(DeviceState *dev);
  21static void scsi_req_dequeue(SCSIRequest *req);
  22static uint8_t *scsi_target_alloc_buf(SCSIRequest *req, size_t len);
  23static void scsi_target_free_buf(SCSIRequest *req);
  24
  25static int next_scsi_bus;
  26
  27static SCSIDevice *do_scsi_device_find(SCSIBus *bus,
  28                                       int channel, int id, int lun,
  29                                       bool include_unrealized)
  30{
  31    BusChild *kid;
  32    SCSIDevice *retval = NULL;
  33
  34    QTAILQ_FOREACH_RCU(kid, &bus->qbus.children, sibling) {
  35        DeviceState *qdev = kid->child;
  36        SCSIDevice *dev = SCSI_DEVICE(qdev);
  37
  38        if (dev->channel == channel && dev->id == id) {
  39            if (dev->lun == lun) {
  40                retval = dev;
  41                break;
  42            }
  43
  44            /*
  45             * If we don't find exact match (channel/bus/lun),
  46             * we will return the first device which matches channel/bus
  47             */
  48
  49            if (!retval) {
  50                retval = dev;
  51            }
  52        }
  53    }
  54
  55    /*
  56     * This function might run on the IO thread and we might race against
  57     * main thread hot-plugging the device.
  58     * We assume that as soon as .realized is set to true we can let
  59     * the user access the device.
  60     */
  61
  62    if (retval && !include_unrealized &&
  63        !qatomic_load_acquire(&retval->qdev.realized)) {
  64        retval = NULL;
  65    }
  66
  67    return retval;
  68}
  69
  70SCSIDevice *scsi_device_find(SCSIBus *bus, int channel, int id, int lun)
  71{
  72    RCU_READ_LOCK_GUARD();
  73    return do_scsi_device_find(bus, channel, id, lun, false);
  74}
  75
  76SCSIDevice *scsi_device_get(SCSIBus *bus, int channel, int id, int lun)
  77{
  78    SCSIDevice *d;
  79    RCU_READ_LOCK_GUARD();
  80    d = do_scsi_device_find(bus, channel, id, lun, false);
  81    if (d) {
  82        object_ref(d);
  83    }
  84    return d;
  85}
  86
  87static void scsi_device_realize(SCSIDevice *s, Error **errp)
  88{
  89    SCSIDeviceClass *sc = SCSI_DEVICE_GET_CLASS(s);
  90    if (sc->realize) {
  91        sc->realize(s, errp);
  92    }
  93}
  94
  95static void scsi_device_unrealize(SCSIDevice *s)
  96{
  97    SCSIDeviceClass *sc = SCSI_DEVICE_GET_CLASS(s);
  98    if (sc->unrealize) {
  99        sc->unrealize(s);
 100    }
 101}
 102
 103int scsi_bus_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf,
 104                       void *hba_private)
 105{
 106    SCSIBus *bus = DO_UPCAST(SCSIBus, qbus, dev->qdev.parent_bus);
 107    int rc;
 108
 109    assert(cmd->len == 0);
 110    rc = scsi_req_parse_cdb(dev, cmd, buf);
 111    if (bus->info->parse_cdb) {
 112        rc = bus->info->parse_cdb(dev, cmd, buf, hba_private);
 113    }
 114    return rc;
 115}
 116
 117static SCSIRequest *scsi_device_alloc_req(SCSIDevice *s, uint32_t tag, uint32_t lun,
 118                                          uint8_t *buf, void *hba_private)
 119{
 120    SCSIDeviceClass *sc = SCSI_DEVICE_GET_CLASS(s);
 121    if (sc->alloc_req) {
 122        return sc->alloc_req(s, tag, lun, buf, hba_private);
 123    }
 124
 125    return NULL;
 126}
 127
 128void scsi_device_unit_attention_reported(SCSIDevice *s)
 129{
 130    SCSIDeviceClass *sc = SCSI_DEVICE_GET_CLASS(s);
 131    if (sc->unit_attention_reported) {
 132        sc->unit_attention_reported(s);
 133    }
 134}
 135
 136/* Create a scsi bus, and attach devices to it.  */
 137void scsi_bus_init_named(SCSIBus *bus, size_t bus_size, DeviceState *host,
 138                         const SCSIBusInfo *info, const char *bus_name)
 139{
 140    qbus_init(bus, bus_size, TYPE_SCSI_BUS, host, bus_name);
 141    bus->busnr = next_scsi_bus++;
 142    bus->info = info;
 143    qbus_set_bus_hotplug_handler(BUS(bus));
 144}
 145
 146static void scsi_dma_restart_bh(void *opaque)
 147{
 148    SCSIDevice *s = opaque;
 149    SCSIRequest *req, *next;
 150
 151    qemu_bh_delete(s->bh);
 152    s->bh = NULL;
 153
 154    aio_context_acquire(blk_get_aio_context(s->conf.blk));
 155    QTAILQ_FOREACH_SAFE(req, &s->requests, next, next) {
 156        scsi_req_ref(req);
 157        if (req->retry) {
 158            req->retry = false;
 159            switch (req->cmd.mode) {
 160            case SCSI_XFER_FROM_DEV:
 161            case SCSI_XFER_TO_DEV:
 162                scsi_req_continue(req);
 163                break;
 164            case SCSI_XFER_NONE:
 165                scsi_req_dequeue(req);
 166                scsi_req_enqueue(req);
 167                break;
 168            }
 169        }
 170        scsi_req_unref(req);
 171    }
 172    aio_context_release(blk_get_aio_context(s->conf.blk));
 173    /* Drop the reference that was acquired in scsi_dma_restart_cb */
 174    object_unref(OBJECT(s));
 175}
 176
 177void scsi_req_retry(SCSIRequest *req)
 178{
 179    /* No need to save a reference, because scsi_dma_restart_bh just
 180     * looks at the request list.  */
 181    req->retry = true;
 182}
 183
 184static void scsi_dma_restart_cb(void *opaque, bool running, RunState state)
 185{
 186    SCSIDevice *s = opaque;
 187
 188    if (!running) {
 189        return;
 190    }
 191    if (!s->bh) {
 192        AioContext *ctx = blk_get_aio_context(s->conf.blk);
 193        /* The reference is dropped in scsi_dma_restart_bh.*/
 194        object_ref(OBJECT(s));
 195        s->bh = aio_bh_new(ctx, scsi_dma_restart_bh, s);
 196        qemu_bh_schedule(s->bh);
 197    }
 198}
 199
 200static bool scsi_bus_is_address_free(SCSIBus *bus,
 201                                     int channel, int target, int lun,
 202                                     SCSIDevice **p_dev)
 203{
 204    SCSIDevice *d;
 205
 206    RCU_READ_LOCK_GUARD();
 207    d = do_scsi_device_find(bus, channel, target, lun, true);
 208    if (d && d->lun == lun) {
 209        if (p_dev) {
 210            *p_dev = d;
 211        }
 212        return false;
 213    }
 214    if (p_dev) {
 215        *p_dev = NULL;
 216    }
 217    return true;
 218}
 219
 220static bool scsi_bus_check_address(BusState *qbus, DeviceState *qdev, Error **errp)
 221{
 222    SCSIDevice *dev = SCSI_DEVICE(qdev);
 223    SCSIBus *bus = SCSI_BUS(qbus);
 224
 225    if (dev->channel > bus->info->max_channel) {
 226        error_setg(errp, "bad scsi channel id: %d", dev->channel);
 227        return false;
 228    }
 229    if (dev->id != -1 && dev->id > bus->info->max_target) {
 230        error_setg(errp, "bad scsi device id: %d", dev->id);
 231        return false;
 232    }
 233    if (dev->lun != -1 && dev->lun > bus->info->max_lun) {
 234        error_setg(errp, "bad scsi device lun: %d", dev->lun);
 235        return false;
 236    }
 237
 238    if (dev->id != -1 && dev->lun != -1) {
 239        SCSIDevice *d;
 240        if (!scsi_bus_is_address_free(bus, dev->channel, dev->id, dev->lun, &d)) {
 241            error_setg(errp, "lun already used by '%s'", d->qdev.id);
 242            return false;
 243        }
 244    }
 245
 246    return true;
 247}
 248
 249static void scsi_qdev_realize(DeviceState *qdev, Error **errp)
 250{
 251    SCSIDevice *dev = SCSI_DEVICE(qdev);
 252    SCSIBus *bus = DO_UPCAST(SCSIBus, qbus, dev->qdev.parent_bus);
 253    bool is_free;
 254    Error *local_err = NULL;
 255
 256    if (dev->id == -1) {
 257        int id = -1;
 258        if (dev->lun == -1) {
 259            dev->lun = 0;
 260        }
 261        do {
 262            is_free = scsi_bus_is_address_free(bus, dev->channel, ++id, dev->lun, NULL);
 263        } while (!is_free && id < bus->info->max_target);
 264        if (!is_free) {
 265            error_setg(errp, "no free target");
 266            return;
 267        }
 268        dev->id = id;
 269    } else if (dev->lun == -1) {
 270        int lun = -1;
 271        do {
 272            is_free = scsi_bus_is_address_free(bus, dev->channel, dev->id, ++lun, NULL);
 273        } while (!is_free && lun < bus->info->max_lun);
 274        if (!is_free) {
 275            error_setg(errp, "no free lun");
 276            return;
 277        }
 278        dev->lun = lun;
 279    }
 280
 281    QTAILQ_INIT(&dev->requests);
 282    scsi_device_realize(dev, &local_err);
 283    if (local_err) {
 284        error_propagate(errp, local_err);
 285        return;
 286    }
 287    dev->vmsentry = qdev_add_vm_change_state_handler(DEVICE(dev),
 288            scsi_dma_restart_cb, dev);
 289}
 290
 291static void scsi_qdev_unrealize(DeviceState *qdev)
 292{
 293    SCSIDevice *dev = SCSI_DEVICE(qdev);
 294
 295    if (dev->vmsentry) {
 296        qemu_del_vm_change_state_handler(dev->vmsentry);
 297    }
 298
 299    scsi_device_purge_requests(dev, SENSE_CODE(NO_SENSE));
 300
 301    scsi_device_unrealize(dev);
 302
 303    blockdev_mark_auto_del(dev->conf.blk);
 304}
 305
 306/* handle legacy '-drive if=scsi,...' cmd line args */
 307SCSIDevice *scsi_bus_legacy_add_drive(SCSIBus *bus, BlockBackend *blk,
 308                                      int unit, bool removable, int bootindex,
 309                                      bool share_rw,
 310                                      BlockdevOnError rerror,
 311                                      BlockdevOnError werror,
 312                                      const char *serial, Error **errp)
 313{
 314    const char *driver;
 315    char *name;
 316    DeviceState *dev;
 317    DriveInfo *dinfo;
 318
 319    if (blk_is_sg(blk)) {
 320        driver = "scsi-generic";
 321    } else {
 322        dinfo = blk_legacy_dinfo(blk);
 323        if (dinfo && dinfo->media_cd) {
 324            driver = "scsi-cd";
 325        } else {
 326            driver = "scsi-hd";
 327        }
 328    }
 329    dev = qdev_new(driver);
 330    name = g_strdup_printf("legacy[%d]", unit);
 331    object_property_add_child(OBJECT(bus), name, OBJECT(dev));
 332    g_free(name);
 333
 334    qdev_prop_set_uint32(dev, "scsi-id", unit);
 335    if (bootindex >= 0) {
 336        object_property_set_int(OBJECT(dev), "bootindex", bootindex,
 337                                &error_abort);
 338    }
 339    if (object_property_find(OBJECT(dev), "removable")) {
 340        qdev_prop_set_bit(dev, "removable", removable);
 341    }
 342    if (serial && object_property_find(OBJECT(dev), "serial")) {
 343        qdev_prop_set_string(dev, "serial", serial);
 344    }
 345    if (!qdev_prop_set_drive_err(dev, "drive", blk, errp)) {
 346        object_unparent(OBJECT(dev));
 347        return NULL;
 348    }
 349    if (!object_property_set_bool(OBJECT(dev), "share-rw", share_rw, errp)) {
 350        object_unparent(OBJECT(dev));
 351        return NULL;
 352    }
 353
 354    qdev_prop_set_enum(dev, "rerror", rerror);
 355    qdev_prop_set_enum(dev, "werror", werror);
 356
 357    if (!qdev_realize_and_unref(dev, &bus->qbus, errp)) {
 358        object_unparent(OBJECT(dev));
 359        return NULL;
 360    }
 361    return SCSI_DEVICE(dev);
 362}
 363
 364void scsi_bus_legacy_handle_cmdline(SCSIBus *bus)
 365{
 366    Location loc;
 367    DriveInfo *dinfo;
 368    int unit;
 369
 370    loc_push_none(&loc);
 371    for (unit = 0; unit <= bus->info->max_target; unit++) {
 372        dinfo = drive_get(IF_SCSI, bus->busnr, unit);
 373        if (dinfo == NULL) {
 374            continue;
 375        }
 376        qemu_opts_loc_restore(dinfo->opts);
 377        scsi_bus_legacy_add_drive(bus, blk_by_legacy_dinfo(dinfo),
 378                                  unit, false, -1, false,
 379                                  BLOCKDEV_ON_ERROR_AUTO,
 380                                  BLOCKDEV_ON_ERROR_AUTO,
 381                                  NULL, &error_fatal);
 382    }
 383    loc_pop(&loc);
 384}
 385
 386static int32_t scsi_invalid_field(SCSIRequest *req, uint8_t *buf)
 387{
 388    scsi_req_build_sense(req, SENSE_CODE(INVALID_FIELD));
 389    scsi_req_complete(req, CHECK_CONDITION);
 390    return 0;
 391}
 392
 393static const struct SCSIReqOps reqops_invalid_field = {
 394    .size         = sizeof(SCSIRequest),
 395    .send_command = scsi_invalid_field
 396};
 397
 398/* SCSIReqOps implementation for invalid commands.  */
 399
 400static int32_t scsi_invalid_command(SCSIRequest *req, uint8_t *buf)
 401{
 402    scsi_req_build_sense(req, SENSE_CODE(INVALID_OPCODE));
 403    scsi_req_complete(req, CHECK_CONDITION);
 404    return 0;
 405}
 406
 407static const struct SCSIReqOps reqops_invalid_opcode = {
 408    .size         = sizeof(SCSIRequest),
 409    .send_command = scsi_invalid_command
 410};
 411
 412/* SCSIReqOps implementation for unit attention conditions.  */
 413
 414static int32_t scsi_unit_attention(SCSIRequest *req, uint8_t *buf)
 415{
 416    if (req->dev->unit_attention.key == UNIT_ATTENTION) {
 417        scsi_req_build_sense(req, req->dev->unit_attention);
 418    } else if (req->bus->unit_attention.key == UNIT_ATTENTION) {
 419        scsi_req_build_sense(req, req->bus->unit_attention);
 420    }
 421    scsi_req_complete(req, CHECK_CONDITION);
 422    return 0;
 423}
 424
 425static const struct SCSIReqOps reqops_unit_attention = {
 426    .size         = sizeof(SCSIRequest),
 427    .send_command = scsi_unit_attention
 428};
 429
 430/* SCSIReqOps implementation for REPORT LUNS and for commands sent to
 431   an invalid LUN.  */
 432
 433typedef struct SCSITargetReq SCSITargetReq;
 434
 435struct SCSITargetReq {
 436    SCSIRequest req;
 437    int len;
 438    uint8_t *buf;
 439    int buf_len;
 440};
 441
 442static void store_lun(uint8_t *outbuf, int lun)
 443{
 444    if (lun < 256) {
 445        /* Simple logical unit addressing method*/
 446        outbuf[0] = 0;
 447        outbuf[1] = lun;
 448    } else {
 449        /* Flat space addressing method */
 450        outbuf[0] = 0x40 | (lun >> 8);
 451        outbuf[1] = (lun & 255);
 452    }
 453}
 454
 455static bool scsi_target_emulate_report_luns(SCSITargetReq *r)
 456{
 457    BusChild *kid;
 458    int channel, id;
 459    uint8_t tmp[8] = {0};
 460    int len = 0;
 461    GByteArray *buf;
 462
 463    if (r->req.cmd.xfer < 16) {
 464        return false;
 465    }
 466    if (r->req.cmd.buf[2] > 2) {
 467        return false;
 468    }
 469
 470    /* reserve space for 63 LUNs*/
 471    buf = g_byte_array_sized_new(512);
 472
 473    channel = r->req.dev->channel;
 474    id = r->req.dev->id;
 475
 476    /* add size (will be updated later to correct value */
 477    g_byte_array_append(buf, tmp, 8);
 478    len += 8;
 479
 480    /* add LUN0 */
 481    g_byte_array_append(buf, tmp, 8);
 482    len += 8;
 483
 484    WITH_RCU_READ_LOCK_GUARD() {
 485        QTAILQ_FOREACH_RCU(kid, &r->req.bus->qbus.children, sibling) {
 486            DeviceState *qdev = kid->child;
 487            SCSIDevice *dev = SCSI_DEVICE(qdev);
 488
 489            if (dev->channel == channel && dev->id == id && dev->lun != 0) {
 490                store_lun(tmp, dev->lun);
 491                g_byte_array_append(buf, tmp, 8);
 492                len += 8;
 493            }
 494        }
 495    }
 496
 497    r->buf_len = len;
 498    r->buf = g_byte_array_free(buf, FALSE);
 499    r->len = MIN(len, r->req.cmd.xfer & ~7);
 500
 501    /* store the LUN list length */
 502    stl_be_p(&r->buf[0], len - 8);
 503    return true;
 504}
 505
 506static bool scsi_target_emulate_inquiry(SCSITargetReq *r)
 507{
 508    assert(r->req.dev->lun != r->req.lun);
 509
 510    scsi_target_alloc_buf(&r->req, SCSI_INQUIRY_LEN);
 511
 512    if (r->req.cmd.buf[1] & 0x2) {
 513        /* Command support data - optional, not implemented */
 514        return false;
 515    }
 516
 517    if (r->req.cmd.buf[1] & 0x1) {
 518        /* Vital product data */
 519        uint8_t page_code = r->req.cmd.buf[2];
 520        r->buf[r->len++] = page_code ; /* this page */
 521        r->buf[r->len++] = 0x00;
 522
 523        switch (page_code) {
 524        case 0x00: /* Supported page codes, mandatory */
 525        {
 526            int pages;
 527            pages = r->len++;
 528            r->buf[r->len++] = 0x00; /* list of supported pages (this page) */
 529            r->buf[pages] = r->len - pages - 1; /* number of pages */
 530            break;
 531        }
 532        default:
 533            return false;
 534        }
 535        /* done with EVPD */
 536        assert(r->len < r->buf_len);
 537        r->len = MIN(r->req.cmd.xfer, r->len);
 538        return true;
 539    }
 540
 541    /* Standard INQUIRY data */
 542    if (r->req.cmd.buf[2] != 0) {
 543        return false;
 544    }
 545
 546    /* PAGE CODE == 0 */
 547    r->len = MIN(r->req.cmd.xfer, SCSI_INQUIRY_LEN);
 548    memset(r->buf, 0, r->len);
 549    if (r->req.lun != 0) {
 550        r->buf[0] = TYPE_NO_LUN;
 551    } else {
 552        r->buf[0] = TYPE_NOT_PRESENT | TYPE_INACTIVE;
 553        r->buf[2] = 5; /* Version */
 554        r->buf[3] = 2 | 0x10; /* HiSup, response data format */
 555        r->buf[4] = r->len - 5; /* Additional Length = (Len - 1) - 4 */
 556        r->buf[7] = 0x10 | (r->req.bus->info->tcq ? 0x02 : 0); /* Sync, TCQ.  */
 557        memcpy(&r->buf[8], "QEMU    ", 8);
 558        memcpy(&r->buf[16], "QEMU TARGET     ", 16);
 559        pstrcpy((char *) &r->buf[32], 4, qemu_hw_version());
 560    }
 561    return true;
 562}
 563
 564static size_t scsi_sense_len(SCSIRequest *req)
 565{
 566    if (req->dev->type == TYPE_SCANNER)
 567        return SCSI_SENSE_LEN_SCANNER;
 568    else
 569        return SCSI_SENSE_LEN;
 570}
 571
 572static int32_t scsi_target_send_command(SCSIRequest *req, uint8_t *buf)
 573{
 574    SCSITargetReq *r = DO_UPCAST(SCSITargetReq, req, req);
 575    int fixed_sense = (req->cmd.buf[1] & 1) == 0;
 576
 577    if (req->lun != 0 &&
 578        buf[0] != INQUIRY && buf[0] != REQUEST_SENSE) {
 579        scsi_req_build_sense(req, SENSE_CODE(LUN_NOT_SUPPORTED));
 580        scsi_req_complete(req, CHECK_CONDITION);
 581        return 0;
 582    }
 583    switch (buf[0]) {
 584    case REPORT_LUNS:
 585        if (!scsi_target_emulate_report_luns(r)) {
 586            goto illegal_request;
 587        }
 588        break;
 589    case INQUIRY:
 590        if (!scsi_target_emulate_inquiry(r)) {
 591            goto illegal_request;
 592        }
 593        break;
 594    case REQUEST_SENSE:
 595        scsi_target_alloc_buf(&r->req, scsi_sense_len(req));
 596        if (req->lun != 0) {
 597            const struct SCSISense sense = SENSE_CODE(LUN_NOT_SUPPORTED);
 598
 599            r->len = scsi_build_sense_buf(r->buf, req->cmd.xfer,
 600                                          sense, fixed_sense);
 601        } else {
 602            r->len = scsi_device_get_sense(r->req.dev, r->buf,
 603                                           MIN(req->cmd.xfer, r->buf_len),
 604                                           fixed_sense);
 605        }
 606        if (r->req.dev->sense_is_ua) {
 607            scsi_device_unit_attention_reported(req->dev);
 608            r->req.dev->sense_len = 0;
 609            r->req.dev->sense_is_ua = false;
 610        }
 611        break;
 612    case TEST_UNIT_READY:
 613        break;
 614    default:
 615        scsi_req_build_sense(req, SENSE_CODE(INVALID_OPCODE));
 616        scsi_req_complete(req, CHECK_CONDITION);
 617        return 0;
 618    illegal_request:
 619        scsi_req_build_sense(req, SENSE_CODE(INVALID_FIELD));
 620        scsi_req_complete(req, CHECK_CONDITION);
 621        return 0;
 622    }
 623
 624    if (!r->len) {
 625        scsi_req_complete(req, GOOD);
 626    }
 627    return r->len;
 628}
 629
 630static void scsi_target_read_data(SCSIRequest *req)
 631{
 632    SCSITargetReq *r = DO_UPCAST(SCSITargetReq, req, req);
 633    uint32_t n;
 634
 635    n = r->len;
 636    if (n > 0) {
 637        r->len = 0;
 638        scsi_req_data(&r->req, n);
 639    } else {
 640        scsi_req_complete(&r->req, GOOD);
 641    }
 642}
 643
 644static uint8_t *scsi_target_get_buf(SCSIRequest *req)
 645{
 646    SCSITargetReq *r = DO_UPCAST(SCSITargetReq, req, req);
 647
 648    return r->buf;
 649}
 650
 651static uint8_t *scsi_target_alloc_buf(SCSIRequest *req, size_t len)
 652{
 653    SCSITargetReq *r = DO_UPCAST(SCSITargetReq, req, req);
 654
 655    r->buf = g_malloc(len);
 656    r->buf_len = len;
 657
 658    return r->buf;
 659}
 660
 661static void scsi_target_free_buf(SCSIRequest *req)
 662{
 663    SCSITargetReq *r = DO_UPCAST(SCSITargetReq, req, req);
 664
 665    g_free(r->buf);
 666}
 667
 668static const struct SCSIReqOps reqops_target_command = {
 669    .size         = sizeof(SCSITargetReq),
 670    .send_command = scsi_target_send_command,
 671    .read_data    = scsi_target_read_data,
 672    .get_buf      = scsi_target_get_buf,
 673    .free_req     = scsi_target_free_buf,
 674};
 675
 676
 677SCSIRequest *scsi_req_alloc(const SCSIReqOps *reqops, SCSIDevice *d,
 678                            uint32_t tag, uint32_t lun, void *hba_private)
 679{
 680    SCSIRequest *req;
 681    SCSIBus *bus = scsi_bus_from_device(d);
 682    BusState *qbus = BUS(bus);
 683    const int memset_off = offsetof(SCSIRequest, sense)
 684                           + sizeof(req->sense);
 685
 686    req = g_malloc(reqops->size);
 687    memset((uint8_t *)req + memset_off, 0, reqops->size - memset_off);
 688    req->refcount = 1;
 689    req->bus = bus;
 690    req->dev = d;
 691    req->tag = tag;
 692    req->lun = lun;
 693    req->hba_private = hba_private;
 694    req->status = -1;
 695    req->host_status = -1;
 696    req->ops = reqops;
 697    object_ref(OBJECT(d));
 698    object_ref(OBJECT(qbus->parent));
 699    notifier_list_init(&req->cancel_notifiers);
 700    trace_scsi_req_alloc(req->dev->id, req->lun, req->tag);
 701    return req;
 702}
 703
 704SCSIRequest *scsi_req_new(SCSIDevice *d, uint32_t tag, uint32_t lun,
 705                          uint8_t *buf, void *hba_private)
 706{
 707    SCSIBus *bus = DO_UPCAST(SCSIBus, qbus, d->qdev.parent_bus);
 708    const SCSIReqOps *ops;
 709    SCSIDeviceClass *sc = SCSI_DEVICE_GET_CLASS(d);
 710    SCSIRequest *req;
 711    SCSICommand cmd = { .len = 0 };
 712    int ret;
 713
 714    if ((d->unit_attention.key == UNIT_ATTENTION ||
 715         bus->unit_attention.key == UNIT_ATTENTION) &&
 716        (buf[0] != INQUIRY &&
 717         buf[0] != REPORT_LUNS &&
 718         buf[0] != GET_CONFIGURATION &&
 719         buf[0] != GET_EVENT_STATUS_NOTIFICATION &&
 720
 721         /*
 722          * If we already have a pending unit attention condition,
 723          * report this one before triggering another one.
 724          */
 725         !(buf[0] == REQUEST_SENSE && d->sense_is_ua))) {
 726        ops = &reqops_unit_attention;
 727    } else if (lun != d->lun ||
 728               buf[0] == REPORT_LUNS ||
 729               (buf[0] == REQUEST_SENSE && d->sense_len)) {
 730        ops = &reqops_target_command;
 731    } else {
 732        ops = NULL;
 733    }
 734
 735    if (ops != NULL || !sc->parse_cdb) {
 736        ret = scsi_req_parse_cdb(d, &cmd, buf);
 737    } else {
 738        ret = sc->parse_cdb(d, &cmd, buf, hba_private);
 739    }
 740
 741    if (ret != 0) {
 742        trace_scsi_req_parse_bad(d->id, lun, tag, buf[0]);
 743        req = scsi_req_alloc(&reqops_invalid_opcode, d, tag, lun, hba_private);
 744    } else {
 745        assert(cmd.len != 0);
 746        trace_scsi_req_parsed(d->id, lun, tag, buf[0],
 747                              cmd.mode, cmd.xfer);
 748        if (cmd.lba != -1) {
 749            trace_scsi_req_parsed_lba(d->id, lun, tag, buf[0],
 750                                      cmd.lba);
 751        }
 752
 753        if (cmd.xfer > INT32_MAX) {
 754            req = scsi_req_alloc(&reqops_invalid_field, d, tag, lun, hba_private);
 755        } else if (ops) {
 756            req = scsi_req_alloc(ops, d, tag, lun, hba_private);
 757        } else {
 758            req = scsi_device_alloc_req(d, tag, lun, buf, hba_private);
 759        }
 760    }
 761
 762    req->cmd = cmd;
 763    req->resid = req->cmd.xfer;
 764
 765    switch (buf[0]) {
 766    case INQUIRY:
 767        trace_scsi_inquiry(d->id, lun, tag, cmd.buf[1], cmd.buf[2]);
 768        break;
 769    case TEST_UNIT_READY:
 770        trace_scsi_test_unit_ready(d->id, lun, tag);
 771        break;
 772    case REPORT_LUNS:
 773        trace_scsi_report_luns(d->id, lun, tag);
 774        break;
 775    case REQUEST_SENSE:
 776        trace_scsi_request_sense(d->id, lun, tag);
 777        break;
 778    default:
 779        break;
 780    }
 781
 782    return req;
 783}
 784
 785uint8_t *scsi_req_get_buf(SCSIRequest *req)
 786{
 787    return req->ops->get_buf(req);
 788}
 789
 790static void scsi_clear_unit_attention(SCSIRequest *req)
 791{
 792    SCSISense *ua;
 793    if (req->dev->unit_attention.key != UNIT_ATTENTION &&
 794        req->bus->unit_attention.key != UNIT_ATTENTION) {
 795        return;
 796    }
 797
 798    /*
 799     * If an INQUIRY command enters the enabled command state,
 800     * the device server shall [not] clear any unit attention condition;
 801     * See also MMC-6, paragraphs 6.5 and 6.6.2.
 802     */
 803    if (req->cmd.buf[0] == INQUIRY ||
 804        req->cmd.buf[0] == GET_CONFIGURATION ||
 805        req->cmd.buf[0] == GET_EVENT_STATUS_NOTIFICATION) {
 806        return;
 807    }
 808
 809    if (req->dev->unit_attention.key == UNIT_ATTENTION) {
 810        ua = &req->dev->unit_attention;
 811    } else {
 812        ua = &req->bus->unit_attention;
 813    }
 814
 815    /*
 816     * If a REPORT LUNS command enters the enabled command state, [...]
 817     * the device server shall clear any pending unit attention condition
 818     * with an additional sense code of REPORTED LUNS DATA HAS CHANGED.
 819     */
 820    if (req->cmd.buf[0] == REPORT_LUNS &&
 821        !(ua->asc == SENSE_CODE(REPORTED_LUNS_CHANGED).asc &&
 822          ua->ascq == SENSE_CODE(REPORTED_LUNS_CHANGED).ascq)) {
 823        return;
 824    }
 825
 826    *ua = SENSE_CODE(NO_SENSE);
 827}
 828
 829int scsi_req_get_sense(SCSIRequest *req, uint8_t *buf, int len)
 830{
 831    int ret;
 832
 833    assert(len >= 14);
 834    if (!req->sense_len) {
 835        return 0;
 836    }
 837
 838    ret = scsi_convert_sense(req->sense, req->sense_len, buf, len, true);
 839
 840    /*
 841     * FIXME: clearing unit attention conditions upon autosense should be done
 842     * only if the UA_INTLCK_CTRL field in the Control mode page is set to 00b
 843     * (SAM-5, 5.14).
 844     *
 845     * We assume UA_INTLCK_CTRL to be 00b for HBAs that support autosense, and
 846     * 10b for HBAs that do not support it (do not call scsi_req_get_sense).
 847     * Here we handle unit attention clearing for UA_INTLCK_CTRL == 00b.
 848     */
 849    if (req->dev->sense_is_ua) {
 850        scsi_device_unit_attention_reported(req->dev);
 851        req->dev->sense_len = 0;
 852        req->dev->sense_is_ua = false;
 853    }
 854    return ret;
 855}
 856
 857int scsi_device_get_sense(SCSIDevice *dev, uint8_t *buf, int len, bool fixed)
 858{
 859    return scsi_convert_sense(dev->sense, dev->sense_len, buf, len, fixed);
 860}
 861
 862void scsi_req_build_sense(SCSIRequest *req, SCSISense sense)
 863{
 864    trace_scsi_req_build_sense(req->dev->id, req->lun, req->tag,
 865                               sense.key, sense.asc, sense.ascq);
 866    req->sense_len = scsi_build_sense(req->sense, sense);
 867}
 868
 869static void scsi_req_enqueue_internal(SCSIRequest *req)
 870{
 871    assert(!req->enqueued);
 872    scsi_req_ref(req);
 873    if (req->bus->info->get_sg_list) {
 874        req->sg = req->bus->info->get_sg_list(req);
 875    } else {
 876        req->sg = NULL;
 877    }
 878    req->enqueued = true;
 879    QTAILQ_INSERT_TAIL(&req->dev->requests, req, next);
 880}
 881
 882int32_t scsi_req_enqueue(SCSIRequest *req)
 883{
 884    int32_t rc;
 885
 886    assert(!req->retry);
 887    scsi_req_enqueue_internal(req);
 888    scsi_req_ref(req);
 889    rc = req->ops->send_command(req, req->cmd.buf);
 890    scsi_req_unref(req);
 891    return rc;
 892}
 893
 894static void scsi_req_dequeue(SCSIRequest *req)
 895{
 896    trace_scsi_req_dequeue(req->dev->id, req->lun, req->tag);
 897    req->retry = false;
 898    if (req->enqueued) {
 899        QTAILQ_REMOVE(&req->dev->requests, req, next);
 900        req->enqueued = false;
 901        scsi_req_unref(req);
 902    }
 903}
 904
 905static int scsi_get_performance_length(int num_desc, int type, int data_type)
 906{
 907    /* MMC-6, paragraph 6.7.  */
 908    switch (type) {
 909    case 0:
 910        if ((data_type & 3) == 0) {
 911            /* Each descriptor is as in Table 295 - Nominal performance.  */
 912            return 16 * num_desc + 8;
 913        } else {
 914            /* Each descriptor is as in Table 296 - Exceptions.  */
 915            return 6 * num_desc + 8;
 916        }
 917    case 1:
 918    case 4:
 919    case 5:
 920        return 8 * num_desc + 8;
 921    case 2:
 922        return 2048 * num_desc + 8;
 923    case 3:
 924        return 16 * num_desc + 8;
 925    default:
 926        return 8;
 927    }
 928}
 929
 930static int ata_passthrough_xfer_unit(SCSIDevice *dev, uint8_t *buf)
 931{
 932    int byte_block = (buf[2] >> 2) & 0x1;
 933    int type = (buf[2] >> 4) & 0x1;
 934    int xfer_unit;
 935
 936    if (byte_block) {
 937        if (type) {
 938            xfer_unit = dev->blocksize;
 939        } else {
 940            xfer_unit = 512;
 941        }
 942    } else {
 943        xfer_unit = 1;
 944    }
 945
 946    return xfer_unit;
 947}
 948
 949static int ata_passthrough_12_xfer(SCSIDevice *dev, uint8_t *buf)
 950{
 951    int length = buf[2] & 0x3;
 952    int xfer;
 953    int unit = ata_passthrough_xfer_unit(dev, buf);
 954
 955    switch (length) {
 956    case 0:
 957    case 3: /* USB-specific.  */
 958    default:
 959        xfer = 0;
 960        break;
 961    case 1:
 962        xfer = buf[3];
 963        break;
 964    case 2:
 965        xfer = buf[4];
 966        break;
 967    }
 968
 969    return xfer * unit;
 970}
 971
 972static int ata_passthrough_16_xfer(SCSIDevice *dev, uint8_t *buf)
 973{
 974    int extend = buf[1] & 0x1;
 975    int length = buf[2] & 0x3;
 976    int xfer;
 977    int unit = ata_passthrough_xfer_unit(dev, buf);
 978
 979    switch (length) {
 980    case 0:
 981    case 3: /* USB-specific.  */
 982    default:
 983        xfer = 0;
 984        break;
 985    case 1:
 986        xfer = buf[4];
 987        xfer |= (extend ? buf[3] << 8 : 0);
 988        break;
 989    case 2:
 990        xfer = buf[6];
 991        xfer |= (extend ? buf[5] << 8 : 0);
 992        break;
 993    }
 994
 995    return xfer * unit;
 996}
 997
 998static int scsi_req_xfer(SCSICommand *cmd, SCSIDevice *dev, uint8_t *buf)
 999{
1000    cmd->xfer = scsi_cdb_xfer(buf);

1001    switch (buf[0]) {
1002    case TEST_UNIT_READY:
1003    case REWIND:
1004    case START_STOP:
1005    case SET_CAPACITY:
1006    case WRITE_FILEMARKS:
1007    case WRITE_FILEMARKS_16:
1008    case SPACE:
1009    case RESERVE:
1010    case RELEASE:
1011    case ERASE:
1012    case ALLOW_MEDIUM_REMOVAL:
1013    case SEEK_10:
1014    case SYNCHRONIZE_CACHE:
1015    case SYNCHRONIZE_CACHE_16:
1016    case LOCATE_16:
1017    case LOCK_UNLOCK_CACHE:
1018    case SET_CD_SPEED:
1019    case SET_LIMITS:
1020    case WRITE_LONG_10:
1021    case UPDATE_BLOCK:
1022    case RESERVE_TRACK:
1023    case SET_READ_AHEAD:
1024    case PRE_FETCH:
1025    case PRE_FETCH_16:
1026    case ALLOW_OVERWRITE:
1027        cmd->xfer = 0;
1028        break;
1029    case VERIFY_10:
1030    case VERIFY_12:
1031    case VERIFY_16:
1032        if ((buf[1] & 2) == 0) {
1033            cmd->xfer = 0;
1034        } else if ((buf[1] & 4) != 0) {
1035            cmd->xfer = 1;
1036        }
1037        cmd->xfer *= dev->blocksize;
1038        break;
1039    case MODE_SENSE:
1040        break;
1041    case WRITE_SAME_10:
1042    case WRITE_SAME_16:
1043        cmd->xfer = buf[1] & 1 ? 0 : dev->blocksize;
1044        break;
1045    case READ_CAPACITY_10:
1046        cmd->xfer = 8;
1047        break;
1048    case READ_BLOCK_LIMITS:
1049        cmd->xfer = 6;
1050        break;
1051    case SEND_VOLUME_TAG:
1052        /* GPCMD_SET_STREAMING from multimedia commands.  */
1053        if (dev->type == TYPE_ROM) {
1054            cmd->xfer = buf[10] | (buf[9] << 8);
1055        } else {
1056            cmd->xfer = buf[9] | (buf[8] << 8);
1057        }
1058        break;
1059    case WRITE_6:
1060        /* length 0 means 256 blocks */
1061        if (cmd->xfer == 0) {
1062            cmd->xfer = 256;
1063        }
1064        /* fall through */
1065    case WRITE_10:
1066    case WRITE_VERIFY_10:
1067    case WRITE_12:
1068    case WRITE_VERIFY_12:
1069    case WRITE_16:
1070    case WRITE_VERIFY_16:
1071        cmd->xfer *= dev->blocksize;
1072        break;
1073    case READ_6:
1074    case READ_REVERSE:
1075        /* length 0 means 256 blocks */
1076        if (cmd->xfer == 0) {
1077            cmd->xfer = 256;
1078        }
1079        /* fall through */
1080    case READ_10:
1081    case READ_12:
1082    case READ_16:
1083        cmd->xfer *= dev->blocksize;
1084        break;
1085    case FORMAT_UNIT:
1086        /* MMC mandates the parameter list to be 12-bytes long.  Parameters
1087         * for block devices are restricted to the header right now.  */
1088        if (dev->type == TYPE_ROM && (buf[1] & 16)) {
1089            cmd->xfer = 12;
1090        } else {
1091            cmd->xfer = (buf[1] & 16) == 0 ? 0 : (buf[1] & 32 ? 8 : 4);
1092        }
1093        break;
1094    case INQUIRY:
1095    case RECEIVE_DIAGNOSTIC:
1096    case SEND_DIAGNOSTIC:
1097        cmd->xfer = buf[4] | (buf[3] << 8);
1098        break;
1099    case READ_CD:
1100    case READ_BUFFER:
1101    case WRITE_BUFFER:
1102    case SEND_CUE_SHEET:
1103        cmd->xfer = buf[8] | (buf[7] << 8) | (buf[6] << 16);
1104        break;
1105    case PERSISTENT_RESERVE_OUT:
1106        cmd->xfer = ldl_be_p(&buf[5]) & 0xffffffffULL;
1107        break;
1108    case ERASE_12:
1109        if (dev->type == TYPE_ROM) {
1110            /* MMC command GET PERFORMANCE.  */
1111            cmd->xfer = scsi_get_performance_length(buf[9] | (buf[8] << 8),
1112                                                    buf[10], buf[1] & 0x1f);
1113        }
1114        break;
1115    case MECHANISM_STATUS:
1116    case READ_DVD_STRUCTURE:
1117    case SEND_DVD_STRUCTURE:
1118    case MAINTENANCE_OUT:
1119    case MAINTENANCE_IN:
1120        if (dev->type == TYPE_ROM) {
1121            /* GPCMD_REPORT_KEY and GPCMD_SEND_KEY from multi media commands */
1122            cmd->xfer = buf[9] | (buf[8] << 8);
1123        }
1124        break;
1125    case ATA_PASSTHROUGH_12:
1126        if (dev->type == TYPE_ROM) {
1127            /* BLANK command of MMC */
1128            cmd->xfer = 0;
1129        } else {
1130            cmd->xfer = ata_passthrough_12_xfer(dev, buf);
1131        }
1132        break;
1133    case ATA_PASSTHROUGH_16:
1134        cmd->xfer = ata_passthrough_16_xfer(dev, buf);
1135        break;
1136    }
1137    return 0;
1138}
1139
1140static int scsi_req_stream_xfer(SCSICommand *cmd, SCSIDevice *dev, uint8_t *buf)
1141{
1142    switch (buf[0]) {
1143    /* stream commands */
1144    case ERASE_12:
1145    case ERASE_16:
1146        cmd->xfer = 0;
1147        break;
1148    case READ_6:
1149    case READ_REVERSE:
1150    case RECOVER_BUFFERED_DATA:
1151    case WRITE_6:
1152        cmd->xfer = buf[4] | (buf[3] << 8) | (buf[2] << 16);
1153        if (buf[1] & 0x01) { /* fixed */
1154            cmd->xfer *= dev->blocksize;
1155        }
1156        break;
1157    case READ_16:
1158    case READ_REVERSE_16:
1159    case VERIFY_16:
1160    case WRITE_16:
1161        cmd->xfer = buf[14] | (buf[13] << 8) | (buf[12] << 16);
1162        if (buf[1] & 0x01) { /* fixed */
1163            cmd->xfer *= dev->blocksize;
1164        }
1165        break;
1166    case REWIND:
1167    case LOAD_UNLOAD:
1168        cmd->xfer = 0;
1169        break;
1170    case SPACE_16:
1171        cmd->xfer = buf[13] | (buf[12] << 8);
1172        break;
1173    case READ_POSITION:
1174        switch (buf[1] & 0x1f) /* operation code */ {
1175        case SHORT_FORM_BLOCK_ID:
1176        case SHORT_FORM_VENDOR_SPECIFIC:
1177            cmd->xfer = 20;
1178            break;
1179        case LONG_FORM:
1180            cmd->xfer = 32;
1181            break;
1182        case EXTENDED_FORM:
1183            cmd->xfer = buf[8] | (buf[7] << 8);
1184            break;
1185        default:
1186            return -1;
1187        }
1188
1189        break;
1190    case FORMAT_UNIT:
1191        cmd->xfer = buf[4] | (buf[3] << 8);
1192        break;
1193    /* generic commands */
1194    default:
1195        return scsi_req_xfer(cmd, dev, buf);
1196    }
1197    return 0;
1198}
1199
1200static int scsi_req_medium_changer_xfer(SCSICommand *cmd, SCSIDevice *dev, uint8_t *buf)
1201{
1202    switch (buf[0]) {
1203    /* medium changer commands */
1204    case EXCHANGE_MEDIUM:
1205    case INITIALIZE_ELEMENT_STATUS:
1206    case INITIALIZE_ELEMENT_STATUS_WITH_RANGE:
1207    case MOVE_MEDIUM:
1208    case POSITION_TO_ELEMENT:
1209        cmd->xfer = 0;
1210        break;
1211    case READ_ELEMENT_STATUS:
1212        cmd->xfer = buf[9] | (buf[8] << 8) | (buf[7] << 16);
1213        break;
1214
1215    /* generic commands */
1216    default:
1217        return scsi_req_xfer(cmd, dev, buf);
1218    }
1219    return 0;
1220}
1221
1222static int scsi_req_scanner_length(SCSICommand *cmd, SCSIDevice *dev, uint8_t *buf)
1223{
1224    switch (buf[0]) {
1225    /* Scanner commands */
1226    case OBJECT_POSITION:
1227        cmd->xfer = 0;
1228        break;
1229    case SCAN:
1230        cmd->xfer = buf[4];
1231        break;
1232    case READ_10:
1233    case SEND:
1234    case GET_WINDOW:
1235    case SET_WINDOW:
1236        cmd->xfer = buf[8] | (buf[7] << 8) | (buf[6] << 16);
1237        break;
1238    default:
1239        /* GET_DATA_BUFFER_STATUS xfer handled by scsi_req_xfer */
1240        return scsi_req_xfer(cmd, dev, buf);
1241    }
1242
1243    return 0;
1244}
1245
1246static void scsi_cmd_xfer_mode(SCSICommand *cmd)
1247{
1248    if (!cmd->xfer) {
1249        cmd->mode = SCSI_XFER_NONE;
1250        return;
1251    }
1252    switch (cmd->buf[0]) {
1253    case WRITE_6:
1254    case WRITE_10:
1255    case WRITE_VERIFY_10:
1256    case WRITE_12:
1257    case WRITE_VERIFY_12:
1258    case WRITE_16:
1259    case WRITE_VERIFY_16:
1260    case VERIFY_10:
1261    case VERIFY_12:
1262    case VERIFY_16:
1263    case COPY:
1264    case COPY_VERIFY:
1265    case COMPARE:
1266    case CHANGE_DEFINITION:
1267    case LOG_SELECT:
1268    case MODE_SELECT:
1269    case MODE_SELECT_10:
1270    case SEND_DIAGNOSTIC:
1271    case WRITE_BUFFER:
1272    case FORMAT_UNIT:
1273    case REASSIGN_BLOCKS:
1274    case SEARCH_EQUAL:
1275    case SEARCH_HIGH:
1276    case SEARCH_LOW:
1277    case UPDATE_BLOCK:
1278    case WRITE_LONG_10:
1279    case WRITE_SAME_10:
1280    case WRITE_SAME_16:
1281    case UNMAP:
1282    case SEARCH_HIGH_12:
1283    case SEARCH_EQUAL_12:
1284    case SEARCH_LOW_12:
1285    case MEDIUM_SCAN:
1286    case SEND_VOLUME_TAG:
1287    case SEND_CUE_SHEET:
1288    case SEND_DVD_STRUCTURE:
1289    case PERSISTENT_RESERVE_OUT:
1290    case MAINTENANCE_OUT:
1291    case SET_WINDOW:
1292    case SCAN:
1293        /* SCAN conflicts with START_STOP.  START_STOP has cmd->xfer set to 0 for
1294         * non-scanner devices, so we only get here for SCAN and not for START_STOP.
1295         */
1296        cmd->mode = SCSI_XFER_TO_DEV;
1297        break;
1298    case ATA_PASSTHROUGH_12:
1299    case ATA_PASSTHROUGH_16:
1300        /* T_DIR */
1301        cmd->mode = (cmd->buf[2] & 0x8) ?
1302                   SCSI_XFER_FROM_DEV : SCSI_XFER_TO_DEV;
1303        break;
1304    default:
1305        cmd->mode = SCSI_XFER_FROM_DEV;
1306        break;
1307    }
1308}
1309
1310int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf)
1311{
1312    int rc;
1313    int len;
1314
1315    cmd->lba = -1;
1316    len = scsi_cdb_length(buf);
1317    if (len < 0) {
1318        return -1;
1319    }
1320
1321    cmd->len = len;
1322    switch (dev->type) {
1323    case TYPE_TAPE:
1324        rc = scsi_req_stream_xfer(cmd, dev, buf);
1325        break;
1326    case TYPE_MEDIUM_CHANGER:
1327        rc = scsi_req_medium_changer_xfer(cmd, dev, buf);
1328        break;
1329    case TYPE_SCANNER:
1330        rc = scsi_req_scanner_length(cmd, dev, buf);
1331        break;
1332    default:
1333        rc = scsi_req_xfer(cmd, dev, buf);
1334        break;
1335    }
1336
1337    if (rc != 0)
1338        return rc;
1339
1340    memcpy(cmd->buf, buf, cmd->len);
1341    scsi_cmd_xfer_mode(cmd);
1342    cmd->lba = scsi_cmd_lba(cmd);
1343    return 0;
1344}
1345
1346void scsi_device_report_change(SCSIDevice *dev, SCSISense sense)
1347{
1348    SCSIBus *bus = DO_UPCAST(SCSIBus, qbus, dev->qdev.parent_bus);
1349
1350    scsi_device_set_ua(dev, sense);
1351    if (bus->info->change) {
1352        bus->info->change(bus, dev, sense);
1353    }
1354}
1355
1356SCSIRequest *scsi_req_ref(SCSIRequest *req)
1357{
1358    assert(req->refcount > 0);
1359    req->refcount++;
1360    return req;
1361}
1362
1363void scsi_req_unref(SCSIRequest *req)
1364{
1365    assert(req->refcount > 0);
1366    if (--req->refcount == 0) {
1367        BusState *qbus = req->dev->qdev.parent_bus;
1368        SCSIBus *bus = DO_UPCAST(SCSIBus, qbus, qbus);
1369
1370        if (bus->info->free_request && req->hba_private) {
1371            bus->info->free_request(bus, req->hba_private);
1372        }
1373        if (req->ops->free_req) {
1374            req->ops->free_req(req);
1375        }
1376        object_unref(OBJECT(req->dev));
1377        object_unref(OBJECT(qbus->parent));
1378        g_free(req);
1379    }
1380}
1381
1382/* Tell the device that we finished processing this chunk of I/O.  It
1383   will start the next chunk or complete the command.  */
1384void scsi_req_continue(SCSIRequest *req)
1385{
1386    if (req->io_canceled) {
1387        trace_scsi_req_continue_canceled(req->dev->id, req->lun, req->tag);
1388        return;
1389    }
1390    trace_scsi_req_continue(req->dev->id, req->lun, req->tag);
1391    if (req->cmd.mode == SCSI_XFER_TO_DEV) {
1392        req->ops->write_data(req);
1393    } else {
1394        req->ops->read_data(req);
1395    }
1396}
1397
1398/* Called by the devices when data is ready for the HBA.  The HBA should
1399   start a DMA operation to read or fill the device's data buffer.
1400   Once it completes, calling scsi_req_continue will restart I/O.  */
1401void scsi_req_data(SCSIRequest *req, int len)
1402{
1403    uint8_t *buf;
1404    if (req->io_canceled) {
1405        trace_scsi_req_data_canceled(req->dev->id, req->lun, req->tag, len);
1406        return;
1407    }
1408    trace_scsi_req_data(req->dev->id, req->lun, req->tag, len);
1409    assert(req->cmd.mode != SCSI_XFER_NONE);
1410    if (!req->sg) {
1411        req->resid -= len;
1412        req->bus->info->transfer_data(req, len);
1413        return;
1414    }
1415
1416    /* If the device calls scsi_req_data and the HBA specified a
1417     * scatter/gather list, the transfer has to happen in a single
1418     * step.  */
1419    assert(!req->dma_started);
1420    req->dma_started = true;
1421
1422    buf = scsi_req_get_buf(req);
1423    if (req->cmd.mode == SCSI_XFER_FROM_DEV) {
1424        req->resid = dma_buf_read(buf, len, req->sg);
1425    } else {
1426        req->resid = dma_buf_write(buf, len, req->sg);
1427    }
1428    scsi_req_continue(req);
1429}
1430
1431void scsi_req_print(SCSIRequest *req)
1432{
1433    FILE *fp = stderr;
1434    int i;
1435
1436    fprintf(fp, "[%s id=%d] %s",
1437            req->dev->qdev.parent_bus->name,
1438            req->dev->id,
1439            scsi_command_name(req->cmd.buf[0]));
1440    for (i = 1; i < req->cmd.len; i++) {
1441        fprintf(fp, " 0x%02x", req->cmd.buf[i]);
1442    }
1443    switch (req->cmd.mode) {
1444    case SCSI_XFER_NONE:
1445        fprintf(fp, " - none\n");
1446        break;
1447    case SCSI_XFER_FROM_DEV:
1448        fprintf(fp, " - from-dev len=%zd\n", req->cmd.xfer);
1449        break;
1450    case SCSI_XFER_TO_DEV:
1451        fprintf(fp, " - to-dev len=%zd\n", req->cmd.xfer);
1452        break;
1453    default:
1454        fprintf(fp, " - Oops\n");
1455        break;
1456    }
1457}
1458
1459void scsi_req_complete_failed(SCSIRequest *req, int host_status)
1460{
1461    SCSISense sense;
1462    int status;
1463
1464    assert(req->status == -1 && req->host_status == -1);
1465    assert(req->ops != &reqops_unit_attention);
1466
1467    if (!req->bus->info->fail) {
1468        status = scsi_sense_from_host_status(req->host_status, &sense);
1469        if (status == CHECK_CONDITION) {
1470            scsi_req_build_sense(req, sense);
1471        }
1472        scsi_req_complete(req, status);
1473        return;
1474    }
1475
1476    req->host_status = host_status;
1477    scsi_req_ref(req);
1478    scsi_req_dequeue(req);
1479    req->bus->info->fail(req);
1480
1481    /* Cancelled requests might end up being completed instead of cancelled */
1482    notifier_list_notify(&req->cancel_notifiers, req);
1483    scsi_req_unref(req);
1484}
1485
1486void scsi_req_complete(SCSIRequest *req, int status)
1487{
1488    assert(req->status == -1 && req->host_status == -1);
1489    req->status = status;
1490    req->host_status = SCSI_HOST_OK;
1491
1492    assert(req->sense_len <= sizeof(req->sense));
1493    if (status == GOOD) {
1494        req->sense_len = 0;
1495    }
1496
1497    if (req->sense_len) {
1498        memcpy(req->dev->sense, req->sense, req->sense_len);
1499        req->dev->sense_len = req->sense_len;
1500        req->dev->sense_is_ua = (req->ops == &reqops_unit_attention);
1501    } else {
1502        req->dev->sense_len = 0;
1503        req->dev->sense_is_ua = false;
1504    }
1505
1506    /*
1507     * Unit attention state is now stored in the device's sense buffer
1508     * if the HBA didn't do autosense.  Clear the pending unit attention
1509     * flags.
1510     */
1511    scsi_clear_unit_attention(req);
1512
1513    scsi_req_ref(req);
1514    scsi_req_dequeue(req);
1515    req->bus->info->complete(req, req->resid);
1516
1517    /* Cancelled requests might end up being completed instead of cancelled */
1518    notifier_list_notify(&req->cancel_notifiers, req);
1519    scsi_req_unref(req);
1520}
1521
1522/* Called by the devices when the request is canceled. */
1523void scsi_req_cancel_complete(SCSIRequest *req)
1524{
1525    assert(req->io_canceled);
1526    if (req->bus->info->cancel) {
1527        req->bus->info->cancel(req);
1528    }
1529    notifier_list_notify(&req->cancel_notifiers, req);
1530    scsi_req_unref(req);
1531}
1532
1533/* Cancel @req asynchronously. @notifier is added to @req's cancellation
1534 * notifier list, the bus will be notified the requests cancellation is
1535 * completed.
1536 * */
1537void scsi_req_cancel_async(SCSIRequest *req, Notifier *notifier)
1538{
1539    trace_scsi_req_cancel(req->dev->id, req->lun, req->tag);
1540    if (notifier) {
1541        notifier_list_add(&req->cancel_notifiers, notifier);
1542    }
1543    if (req->io_canceled) {
1544        /* A blk_aio_cancel_async is pending; when it finishes,
1545         * scsi_req_cancel_complete will be called and will
1546         * call the notifier we just added.  Just wait for that.
1547         */
1548        assert(req->aiocb);
1549        return;
1550    }
1551    /* Dropped in scsi_req_cancel_complete.  */
1552    scsi_req_ref(req);
1553    scsi_req_dequeue(req);
1554    req->io_canceled = true;
1555    if (req->aiocb) {
1556        blk_aio_cancel_async(req->aiocb);
1557    } else {
1558        scsi_req_cancel_complete(req);
1559    }
1560}
1561
1562void scsi_req_cancel(SCSIRequest *req)
1563{
1564    trace_scsi_req_cancel(req->dev->id, req->lun, req->tag);
1565    if (!req->enqueued) {
1566        return;
1567    }
1568    assert(!req->io_canceled);
1569    /* Dropped in scsi_req_cancel_complete.  */
1570    scsi_req_ref(req);
1571    scsi_req_dequeue(req);
1572    req->io_canceled = true;
1573    if (req->aiocb) {
1574        blk_aio_cancel(req->aiocb);
1575    } else {
1576        scsi_req_cancel_complete(req);
1577    }
1578}
1579
1580static int scsi_ua_precedence(SCSISense sense)
1581{
1582    if (sense.key != UNIT_ATTENTION) {
1583        return INT_MAX;
1584    }
1585    if (sense.asc == 0x29 && sense.ascq == 0x04) {
1586        /* DEVICE INTERNAL RESET goes with POWER ON OCCURRED */
1587        return 1;
1588    } else if (sense.asc == 0x3F && sense.ascq == 0x01) {
1589        /* MICROCODE HAS BEEN CHANGED goes with SCSI BUS RESET OCCURRED */
1590        return 2;
1591    } else if (sense.asc == 0x29 && (sense.ascq == 0x05 || sense.ascq == 0x06)) {
1592        /* These two go with "all others". */
1593        ;
1594    } else if (sense.asc == 0x29 && sense.ascq <= 0x07) {
1595        /* POWER ON, RESET OR BUS DEVICE RESET OCCURRED = 0
1596         * POWER ON OCCURRED = 1
1597         * SCSI BUS RESET OCCURRED = 2
1598         * BUS DEVICE RESET FUNCTION OCCURRED = 3
1599         * I_T NEXUS LOSS OCCURRED = 7
1600         */
1601        return sense.ascq;
1602    } else if (sense.asc == 0x2F && sense.ascq == 0x01) {
1603        /* COMMANDS CLEARED BY POWER LOSS NOTIFICATION  */
1604        return 8;
1605    }
1606    return (sense.asc << 8) | sense.ascq;
1607}
1608
1609void scsi_device_set_ua(SCSIDevice *sdev, SCSISense sense)
1610{
1611    int prec1, prec2;
1612    if (sense.key != UNIT_ATTENTION) {
1613        return;
1614    }
1615    trace_scsi_device_set_ua(sdev->id, sdev->lun, sense.key,
1616                             sense.asc, sense.ascq);
1617
1618    /*
1619     * Override a pre-existing unit attention condition, except for a more
1620     * important reset condition.
1621    */
1622    prec1 = scsi_ua_precedence(sdev->unit_attention);
1623    prec2 = scsi_ua_precedence(sense);
1624    if (prec2 < prec1) {
1625        sdev->unit_attention = sense;
1626    }
1627}
1628
1629void scsi_device_purge_requests(SCSIDevice *sdev, SCSISense sense)
1630{
1631    SCSIRequest *req;
1632
1633    aio_context_acquire(blk_get_aio_context(sdev->conf.blk));
1634    while (!QTAILQ_EMPTY(&sdev->requests)) {
1635        req = QTAILQ_FIRST(&sdev->requests);
1636        scsi_req_cancel_async(req, NULL);
1637    }
1638    blk_drain(sdev->conf.blk);
1639    aio_context_release(blk_get_aio_context(sdev->conf.blk));
1640    scsi_device_set_ua(sdev, sense);
1641}
1642
1643static char *scsibus_get_dev_path(DeviceState *dev)
1644{
1645    SCSIDevice *d = SCSI_DEVICE(dev);
1646    DeviceState *hba = dev->parent_bus->parent;
1647    char *id;
1648    char *path;
1649
1650    id = qdev_get_dev_path(hba);
1651    if (id) {
1652        path = g_strdup_printf("%s/%d:%d:%d", id, d->channel, d->id, d->lun);
1653    } else {
1654        path = g_strdup_printf("%d:%d:%d", d->channel, d->id, d->lun);
1655    }
1656    g_free(id);
1657    return path;
1658}
1659
1660static char *scsibus_get_fw_dev_path(DeviceState *dev)
1661{
1662    SCSIDevice *d = SCSI_DEVICE(dev);
1663    return g_strdup_printf("channel@%x/%s@%x,%x", d->channel,
1664                           qdev_fw_name(dev), d->id, d->lun);
1665}
1666
1667/* SCSI request list.  For simplicity, pv points to the whole device */
1668
1669static int put_scsi_requests(QEMUFile *f, void *pv, size_t size,
1670                             const VMStateField *field, JSONWriter *vmdesc)
1671{
1672    SCSIDevice *s = pv;
1673    SCSIBus *bus = DO_UPCAST(SCSIBus, qbus, s->qdev.parent_bus);
1674    SCSIRequest *req;
1675
1676    QTAILQ_FOREACH(req, &s->requests, next) {
1677        assert(!req->io_canceled);
1678        assert(req->status == -1 && req->host_status == -1);
1679        assert(req->enqueued);
1680
1681        qemu_put_sbyte(f, req->retry ? 1 : 2);
1682        qemu_put_buffer(f, req->cmd.buf, sizeof(req->cmd.buf));
1683        qemu_put_be32s(f, &req->tag);
1684        qemu_put_be32s(f, &req->lun);
1685        if (bus->info->save_request) {
1686            bus->info->save_request(f, req);
1687        }
1688        if (req->ops->save_request) {
1689            req->ops->save_request(f, req);
1690        }
1691    }
1692    qemu_put_sbyte(f, 0);
1693
1694    return 0;
1695}
1696
1697static int get_scsi_requests(QEMUFile *f, void *pv, size_t size,
1698                             const VMStateField *field)
1699{
1700    SCSIDevice *s = pv;
1701    SCSIBus *bus = DO_UPCAST(SCSIBus, qbus, s->qdev.parent_bus);
1702    int8_t sbyte;
1703
1704    while ((sbyte = qemu_get_sbyte(f)) > 0) {
1705        uint8_t buf[SCSI_CMD_BUF_SIZE];
1706        uint32_t tag;
1707        uint32_t lun;
1708        SCSIRequest *req;
1709
1710        qemu_get_buffer(f, buf, sizeof(buf));
1711        qemu_get_be32s(f, &tag);
1712        qemu_get_be32s(f, &lun);
1713        req = scsi_req_new(s, tag, lun, buf, NULL);
1714        req->retry = (sbyte == 1);
1715        if (bus->info->load_request) {
1716            req->hba_private = bus->info->load_request(f, req);
1717        }
1718        if (req->ops->load_request) {
1719            req->ops->load_request(f, req);
1720        }
1721
1722        /* Just restart it later.  */
1723        scsi_req_enqueue_internal(req);
1724
1725        /* At this point, the request will be kept alive by the reference
1726         * added by scsi_req_enqueue_internal, so we can release our reference.
1727         * The HBA of course will add its own reference in the load_request
1728         * callback if it needs to hold on the SCSIRequest.
1729         */
1730        scsi_req_unref(req);
1731    }
1732
1733    return 0;
1734}
1735
1736static const VMStateInfo vmstate_info_scsi_requests = {
1737    .name = "scsi-requests",
1738    .get  = get_scsi_requests,
1739    .put  = put_scsi_requests,
1740};
1741
1742static bool scsi_sense_state_needed(void *opaque)
1743{
1744    SCSIDevice *s = opaque;
1745
1746    return s->sense_len > SCSI_SENSE_BUF_SIZE_OLD;
1747}
1748
1749static const VMStateDescription vmstate_scsi_sense_state = {
1750    .name = "SCSIDevice/sense",
1751    .version_id = 1,
1752    .minimum_version_id = 1,
1753    .needed = scsi_sense_state_needed,
1754    .fields = (VMStateField[]) {
1755        VMSTATE_UINT8_SUB_ARRAY(sense, SCSIDevice,
1756                                SCSI_SENSE_BUF_SIZE_OLD,
1757                                SCSI_SENSE_BUF_SIZE - SCSI_SENSE_BUF_SIZE_OLD),
1758        VMSTATE_END_OF_LIST()
1759    }
1760};
1761
1762const VMStateDescription vmstate_scsi_device = {
1763    .name = "SCSIDevice",
1764    .version_id = 1,
1765    .minimum_version_id = 1,
1766    .fields = (VMStateField[]) {
1767        VMSTATE_UINT8(unit_attention.key, SCSIDevice),
1768        VMSTATE_UINT8(unit_attention.asc, SCSIDevice),
1769        VMSTATE_UINT8(unit_attention.ascq, SCSIDevice),
1770        VMSTATE_BOOL(sense_is_ua, SCSIDevice),
1771        VMSTATE_UINT8_SUB_ARRAY(sense, SCSIDevice, 0, SCSI_SENSE_BUF_SIZE_OLD),
1772        VMSTATE_UINT32(sense_len, SCSIDevice),
1773        {
1774            .name         = "requests",
1775            .version_id   = 0,
1776            .field_exists = NULL,
1777            .size         = 0,   /* ouch */
1778            .info         = &vmstate_info_scsi_requests,
1779            .flags        = VMS_SINGLE,
1780            .offset       = 0,
1781        },
1782        VMSTATE_END_OF_LIST()
1783    },
1784    .subsections = (const VMStateDescription*[]) {
1785        &vmstate_scsi_sense_state,
1786        NULL
1787    }
1788};
1789
1790static Property scsi_props[] = {
1791    DEFINE_PROP_UINT32("channel", SCSIDevice, channel, 0),
1792    DEFINE_PROP_UINT32("scsi-id", SCSIDevice, id, -1),
1793    DEFINE_PROP_UINT32("lun", SCSIDevice, lun, -1),
1794    DEFINE_PROP_END_OF_LIST(),
1795};
1796
1797static void scsi_device_class_init(ObjectClass *klass, void *data)
1798{
1799    DeviceClass *k = DEVICE_CLASS(klass);
1800    set_bit(DEVICE_CATEGORY_STORAGE, k->categories);
1801    k->bus_type  = TYPE_SCSI_BUS;
1802    k->realize   = scsi_qdev_realize;
1803    k->unrealize = scsi_qdev_unrealize;
1804    device_class_set_props(k, scsi_props);
1805}
1806
1807static void scsi_dev_instance_init(Object *obj)
1808{
1809    DeviceState *dev = DEVICE(obj);
1810    SCSIDevice *s = SCSI_DEVICE(dev);
1811
1812    device_add_bootindex_property(obj, &s->conf.bootindex,
1813                                  "bootindex", NULL,
1814                                  &s->qdev);
1815}
1816
1817static const TypeInfo scsi_device_type_info = {
1818    .name = TYPE_SCSI_DEVICE,
1819    .parent = TYPE_DEVICE,
1820    .instance_size = sizeof(SCSIDevice),
1821    .abstract = true,
1822    .class_size = sizeof(SCSIDeviceClass),
1823    .class_init = scsi_device_class_init,
1824    .instance_init = scsi_dev_instance_init,
1825};
1826
1827static void scsi_bus_class_init(ObjectClass *klass, void *data)
1828{
1829    BusClass *k = BUS_CLASS(klass);
1830    HotplugHandlerClass *hc = HOTPLUG_HANDLER_CLASS(klass);
1831
1832    k->get_dev_path = scsibus_get_dev_path;
1833    k->get_fw_dev_path = scsibus_get_fw_dev_path;
1834    k->check_address = scsi_bus_check_address;
1835    hc->unplug = qdev_simple_device_unplug_cb;
1836}
1837
1838static const TypeInfo scsi_bus_info = {
1839    .name = TYPE_SCSI_BUS,
1840    .parent = TYPE_BUS,
1841    .instance_size = sizeof(SCSIBus),
1842    .class_init = scsi_bus_class_init,
1843    .interfaces = (InterfaceInfo[]) {
1844        { TYPE_HOTPLUG_HANDLER },
1845        { }
1846    }
1847};
1848
1849static void scsi_register_types(void)
1850{
1851    type_register_static(&scsi_bus_info);
1852    type_register_static(&scsi_device_type_info);
1853}
1854
1855type_init(scsi_register_types)
1856