2 * SCSI Device emulation
4 * Copyright (c) 2006 CodeSourcery.
5 * Based on code by Fabrice Bellard
7 * Written by Paul Brook
9 * This code is licenced under the LGPL.
11 * Note that this file only handles the SCSI architecture model and device
12 * commands. Emulation of interface/link layer protocols is handled by
13 * the host adapter emulator.
19 #define DPRINTF(fmt, args...) \
20 do { printf("scsi-disk: " fmt , ##args); } while (0)
22 #define DPRINTF(fmt, args...) do {} while(0)
25 #define BADF(fmt, args...) \
26 do { fprintf(stderr, "scsi-disk: " fmt , ##args); } while (0)
28 #include "qemu-common.h"
30 #include "scsi-disk.h"
32 #define SENSE_NO_SENSE 0
33 #define SENSE_NOT_READY 2
34 #define SENSE_HARDWARE_ERROR 4
35 #define SENSE_ILLEGAL_REQUEST 5
37 #define SCSI_DMA_BUF_SIZE 65536
39 typedef struct SCSIRequest {
42 /* ??? We should probably keep track of whether the data trasfer is
43 a read or a write. Currently we rely on the host getting it right. */
44 /* Both sector and sector_count are in terms of qemu 512 byte blocks. */
47 /* The amounnt of data in the buffer. */
50 BlockDriverAIOCB *aiocb;
51 struct SCSIRequest *next;
54 struct SCSIDeviceState
56 BlockDriverState *bdrv;
57 SCSIRequest *requests;
58 /* The qemu block layer uses a fixed 512 byte sector size.
59 This is the number of 512 byte blocks in a single scsi sector. */
63 /* Completion functions may be called from either scsi_{read,write}_data
64 or from the AIO completion routines. */
65 scsi_completionfn completion;
69 /* Global pool of SCSIRequest structures. */
70 static SCSIRequest *free_requests = NULL;
72 static SCSIRequest *scsi_new_request(SCSIDeviceState *s, uint32_t tag)
78 free_requests = r->next;
80 r = qemu_malloc(sizeof(SCSIRequest));
81 r->dma_buf = qemu_memalign(512, SCSI_DMA_BUF_SIZE);
89 r->next = s->requests;
94 static void scsi_remove_request(SCSIRequest *r)
97 SCSIDeviceState *s = r->dev;
99 if (s->requests == r) {
100 s->requests = r->next;
103 while (last && last->next != r)
106 last->next = r->next;
108 BADF("Orphaned request\n");
111 r->next = free_requests;
115 static SCSIRequest *scsi_find_request(SCSIDeviceState *s, uint32_t tag)
120 while (r && r->tag != tag)
126 /* Helper function for command completion. */
127 static void scsi_command_complete(SCSIRequest *r, int sense)
129 SCSIDeviceState *s = r->dev;
131 DPRINTF("Command complete tag=0x%x sense=%d\n", r->tag, sense);
134 scsi_remove_request(r);
135 s->completion(s->opaque, SCSI_REASON_DONE, tag, sense);
138 /* Cancel a pending data transfer. */
139 static void scsi_cancel_io(SCSIDevice *d, uint32_t tag)
141 SCSIDeviceState *s = d->state;
143 DPRINTF("Cancel tag=0x%x\n", tag);
144 r = scsi_find_request(s, tag);
147 bdrv_aio_cancel(r->aiocb);
149 scsi_remove_request(r);
153 static void scsi_read_complete(void * opaque, int ret)
155 SCSIRequest *r = (SCSIRequest *)opaque;
156 SCSIDeviceState *s = r->dev;
159 DPRINTF("IO error\n");
160 scsi_command_complete(r, SENSE_HARDWARE_ERROR);
163 DPRINTF("Data ready tag=0x%x len=%d\n", r->tag, r->buf_len);
165 s->completion(s->opaque, SCSI_REASON_DATA, r->tag, r->buf_len);
168 /* Read more data from scsi device into buffer. */
169 static void scsi_read_data(SCSIDevice *d, uint32_t tag)
171 SCSIDeviceState *s = d->state;
175 r = scsi_find_request(s, tag);
177 BADF("Bad read tag 0x%x\n", tag);
178 /* ??? This is the wrong error. */
179 scsi_command_complete(r, SENSE_HARDWARE_ERROR);
182 if (r->sector_count == (uint32_t)-1) {
183 DPRINTF("Read buf_len=%d\n", r->buf_len);
185 s->completion(s->opaque, SCSI_REASON_DATA, r->tag, r->buf_len);
188 DPRINTF("Read sector_count=%d\n", r->sector_count);
189 if (r->sector_count == 0) {
190 scsi_command_complete(r, SENSE_NO_SENSE);
195 if (n > SCSI_DMA_BUF_SIZE / 512)
196 n = SCSI_DMA_BUF_SIZE / 512;
198 r->buf_len = n * 512;
199 r->aiocb = bdrv_aio_read(s->bdrv, r->sector, r->dma_buf, n,
200 scsi_read_complete, r);
201 if (r->aiocb == NULL)
202 scsi_command_complete(r, SENSE_HARDWARE_ERROR);
204 r->sector_count -= n;
207 static void scsi_write_complete(void * opaque, int ret)
209 SCSIRequest *r = (SCSIRequest *)opaque;
210 SCSIDeviceState *s = r->dev;
214 fprintf(stderr, "scsi-disc: IO write error\n");
219 if (r->sector_count == 0) {
220 scsi_command_complete(r, SENSE_NO_SENSE);
222 len = r->sector_count * 512;
223 if (len > SCSI_DMA_BUF_SIZE) {
224 len = SCSI_DMA_BUF_SIZE;
227 DPRINTF("Write complete tag=0x%x more=%d\n", r->tag, len);
228 s->completion(s->opaque, SCSI_REASON_DATA, r->tag, len);
232 /* Write data to a scsi device. Returns nonzero on failure.
233 The transfer may complete asynchronously. */
234 static int scsi_write_data(SCSIDevice *d, uint32_t tag)
236 SCSIDeviceState *s = d->state;
240 DPRINTF("Write data tag=0x%x\n", tag);
241 r = scsi_find_request(s, tag);
243 BADF("Bad write tag 0x%x\n", tag);
244 scsi_command_complete(r, SENSE_HARDWARE_ERROR);
248 BADF("Data transfer already in progress\n");
249 n = r->buf_len / 512;
251 r->aiocb = bdrv_aio_write(s->bdrv, r->sector, r->dma_buf, n,
252 scsi_write_complete, r);
253 if (r->aiocb == NULL)
254 scsi_command_complete(r, SENSE_HARDWARE_ERROR);
256 r->sector_count -= n;
258 /* Invoke completion routine to fetch data from host. */
259 scsi_write_complete(r, 0);
265 /* Return a pointer to the data buffer. */
266 static uint8_t *scsi_get_buf(SCSIDevice *d, uint32_t tag)
268 SCSIDeviceState *s = d->state;
271 r = scsi_find_request(s, tag);
273 BADF("Bad buffer tag 0x%x\n", tag);
279 /* Execute a scsi command. Returns the length of the data expected by the
280 command. This will be Positive for data transfers from the device
281 (eg. disk reads), negative for transfers to the device (eg. disk writes),
282 and zero if the command does not transfer any data. */
284 static int32_t scsi_send_command(SCSIDevice *d, uint32_t tag,
285 uint8_t *buf, int lun)
287 SCSIDeviceState *s = d->state;
298 r = scsi_find_request(s, tag);
300 BADF("Tag 0x%x already in use\n", tag);
301 scsi_cancel_io(d, tag);
303 /* ??? Tags are not unique for different luns. We only implement a
304 single lun, so this should not matter. */
305 r = scsi_new_request(s, tag);
308 DPRINTF("Command: lun=%d tag=0x%x data=0x%02x", lun, tag, buf[0]);
309 switch (command >> 5) {
311 lba = buf[3] | (buf[2] << 8) | ((buf[1] & 0x1f) << 16);
317 lba = buf[5] | (buf[4] << 8) | (buf[3] << 16) | (buf[2] << 24);
318 len = buf[8] | (buf[7] << 8);
322 lba = buf[5] | (buf[4] << 8) | (buf[3] << 16) | (buf[2] << 24);
323 len = buf[13] | (buf[12] << 8) | (buf[11] << 16) | (buf[10] << 24);
327 lba = buf[5] | (buf[4] << 8) | (buf[3] << 16) | (buf[2] << 24);
328 len = buf[9] | (buf[8] << 8) | (buf[7] << 16) | (buf[6] << 24);
332 BADF("Unsupported command length, command %x\n", command);
338 for (i = 1; i < cmdlen; i++) {
339 printf(" 0x%02x", buf[i]);
344 if (lun || buf[1] >> 5) {
345 /* Only LUN 0 supported. */
346 DPRINTF("Unimplemented LUN %d\n", lun ? lun : buf[1] >> 5);
351 DPRINTF("Test Unit Ready\n");
354 DPRINTF("Request Sense (len %d)\n", len);
357 memset(outbuf, 0, 4);
360 outbuf[2] = s->sense;
364 DPRINTF("Inquiry (len %d)\n", len);
366 /* Command support data - optional, not implemented */
367 BADF("optional INQUIRY command support request not implemented\n");
370 else if (buf[1] & 0x1) {
371 /* Vital product data */
372 uint8_t page_code = buf[2];
374 BADF("Error: Inquiry (EVPD[%02X]) buffer size %d is "
375 "less than 4\n", page_code, len);
382 /* Supported page codes, mandatory */
383 DPRINTF("Inquiry EVPD[Supported pages] "
384 "buffer size %d\n", len);
388 if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) {
389 outbuf[r->buf_len++] = 5;
391 outbuf[r->buf_len++] = 0;
394 outbuf[r->buf_len++] = 0x00; // this page
395 outbuf[r->buf_len++] = 0x00;
396 outbuf[r->buf_len++] = 3; // number of pages
397 outbuf[r->buf_len++] = 0x00; // list of supported pages (this page)
398 outbuf[r->buf_len++] = 0x80; // unit serial number
399 outbuf[r->buf_len++] = 0x83; // device identification
404 /* Device serial number, optional */
406 BADF("Error: EVPD[Serial number] Inquiry buffer "
407 "size %d too small, %d needed\n", len, 4);
411 DPRINTF("Inquiry EVPD[Serial number] buffer size %d\n", len);
415 /* Supported page codes */
416 if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) {
417 outbuf[r->buf_len++] = 5;
419 outbuf[r->buf_len++] = 0;
422 outbuf[r->buf_len++] = 0x80; // this page
423 outbuf[r->buf_len++] = 0x00;
424 outbuf[r->buf_len++] = 0x01; // 1 byte data follow
426 outbuf[r->buf_len++] = '0'; // 1 byte data follow
432 /* Device identification page, mandatory */
433 int max_len = 255 - 8;
434 int id_len = strlen(bdrv_get_device_name(s->bdrv));
435 if (id_len > max_len)
438 DPRINTF("Inquiry EVPD[Device identification] "
439 "buffer size %d\n", len);
441 if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) {
442 outbuf[r->buf_len++] = 5;
444 outbuf[r->buf_len++] = 0;
447 outbuf[r->buf_len++] = 0x83; // this page
448 outbuf[r->buf_len++] = 0x00;
449 outbuf[r->buf_len++] = 3 + id_len;
451 outbuf[r->buf_len++] = 0x2; // ASCII
452 outbuf[r->buf_len++] = 0; // not officially assigned
453 outbuf[r->buf_len++] = 0; // reserved
454 outbuf[r->buf_len++] = id_len; // length of data following
456 memcpy(&outbuf[r->buf_len],
457 bdrv_get_device_name(s->bdrv), id_len);
458 r->buf_len += id_len;
462 BADF("Error: unsupported Inquiry (EVPD[%02X]) "
463 "buffer size %d\n", page_code, len);
470 /* Standard INQUIRY data */
472 BADF("Error: Inquiry (STANDARD) page or code "
473 "is non-zero [%02X]\n", buf[2]);
479 BADF("Error: Inquiry (STANDARD) buffer size %d "
480 "is less than 5\n", len);
485 BADF("Error: Inquiry (STANDARD) buffer size %d "
486 "is less than 36 (TODO: only 5 required)\n", len);
489 memset(outbuf, 0, 36);
490 if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) {
493 memcpy(&outbuf[16], "QEMU CD-ROM ", 16);
496 memcpy(&outbuf[16], "QEMU HARDDISK ", 16);
498 memcpy(&outbuf[8], "QEMU ", 8);
499 memcpy(&outbuf[32], QEMU_VERSION, 4);
500 /* Identify device as SCSI-3 rev 1.
501 Some later commands are also implemented. */
503 outbuf[3] = 2; /* Format 2 */
505 /* Sync data transfer and TCQ. */
506 outbuf[7] = 0x10 | (s->tcq ? 0x02 : 0);
510 DPRINTF("Reserve(6)\n");
515 DPRINTF("Release(6)\n");
525 page = buf[2] & 0x3f;
526 DPRINTF("Mode Sense (page %d, len %d)\n", page, len);
529 outbuf[1] = 0; /* Default media type. */
530 outbuf[3] = 0; /* Block descriptor length. */
531 if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) {
532 outbuf[2] = 0x80; /* Readonly. */
536 int cylinders, heads, secs;
538 /* Rigid disk device geometry page. */
541 /* if a geometry hint is available, use it */
542 bdrv_get_geometry_hint(s->bdrv, &cylinders, &heads, &secs);
543 p[2] = (cylinders >> 16) & 0xff;
544 p[3] = (cylinders >> 8) & 0xff;
545 p[4] = cylinders & 0xff;
547 /* Write precomp start cylinder, disabled */
548 p[6] = (cylinders >> 16) & 0xff;
549 p[7] = (cylinders >> 8) & 0xff;
550 p[8] = cylinders & 0xff;
551 /* Reduced current start cylinder, disabled */
552 p[9] = (cylinders >> 16) & 0xff;
553 p[10] = (cylinders >> 8) & 0xff;
554 p[11] = cylinders & 0xff;
555 /* Device step rate [ns], 200ns */
558 /* Landing zone cylinder */
562 /* Medium rotation rate [rpm], 5400 rpm */
563 p[20] = (5400 >> 8) & 0xff;
566 } else if (page == 5) {
567 int cylinders, heads, secs;
569 /* Flexible disk device geometry page. */
572 /* Transfer rate [kbit/s], 5Mbit/s */
575 /* if a geometry hint is available, use it */
576 bdrv_get_geometry_hint(s->bdrv, &cylinders, &heads, &secs);
579 p[6] = s->cluster_size * 2;
580 p[8] = (cylinders >> 8) & 0xff;
581 p[9] = cylinders & 0xff;
582 /* Write precomp start cylinder, disabled */
583 p[10] = (cylinders >> 8) & 0xff;
584 p[11] = cylinders & 0xff;
585 /* Reduced current start cylinder, disabled */
586 p[12] = (cylinders >> 8) & 0xff;
587 p[13] = cylinders & 0xff;
588 /* Device step rate [100us], 100us */
591 /* Device step pulse width [us], 1us */
593 /* Device head settle delay [100us], 100us */
596 /* Motor on delay [0.1s], 0.1s */
598 /* Motor off delay [0.1s], 0.1s */
600 /* Medium rotation rate [rpm], 5400 rpm */
601 p[28] = (5400 >> 8) & 0xff;
604 } else if ((page == 8 || page == 0x3f)) {
612 if ((page == 0x3f || page == 0x2a)
613 && (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM)) {
614 /* CD Capabilities and Mechanical Status page. */
617 p[2] = 3; // CD-R & CD-RW read
618 p[3] = 0; // Writing not supported
619 p[4] = 0x7f; /* Audio, composite, digital out,
620 mode 2 form 1&2, multi session */
621 p[5] = 0xff; /* CD DA, DA accurate, RW supported,
622 RW corrected, C2 errors, ISRC,
624 p[6] = 0x2d | (bdrv_is_locked(s->bdrv)? 2 : 0);
625 /* Locking supported, jumper present, eject, tray */
626 p[7] = 0; /* no volume & mute control, no
628 p[8] = (50 * 176) >> 8; // 50x read speed
629 p[9] = (50 * 176) & 0xff;
630 p[10] = 0 >> 8; // No volume
632 p[12] = 2048 >> 8; // 2M buffer
634 p[14] = (16 * 176) >> 8; // 16x read speed current
635 p[15] = (16 * 176) & 0xff;
636 p[18] = (16 * 176) >> 8; // 16x write speed
637 p[19] = (16 * 176) & 0xff;
638 p[20] = (16 * 176) >> 8; // 16x write speed current
639 p[21] = (16 * 176) & 0xff;
642 r->buf_len = p - outbuf;
643 outbuf[0] = r->buf_len - 4;
644 if (r->buf_len > len)
649 DPRINTF("Start Stop Unit\n");
652 DPRINTF("Prevent Allow Medium Removal (prevent = %d)\n", buf[4] & 3);
653 bdrv_set_locked(s->bdrv, buf[4] & 1);
656 DPRINTF("Read Capacity\n");
657 /* The normal LEN field for this command is zero. */
658 memset(outbuf, 0, 8);
659 bdrv_get_geometry(s->bdrv, &nb_sectors);
660 /* Returned value is the address of the last sector. */
663 outbuf[0] = (nb_sectors >> 24) & 0xff;
664 outbuf[1] = (nb_sectors >> 16) & 0xff;
665 outbuf[2] = (nb_sectors >> 8) & 0xff;
666 outbuf[3] = nb_sectors & 0xff;
669 outbuf[6] = s->cluster_size * 2;
673 scsi_command_complete(r, SENSE_NOT_READY);
679 DPRINTF("Read (sector %d, count %d)\n", lba, len);
680 r->sector = lba * s->cluster_size;
681 r->sector_count = len * s->cluster_size;
685 DPRINTF("Write (sector %d, count %d)\n", lba, len);
686 r->sector = lba * s->cluster_size;
687 r->sector_count = len * s->cluster_size;
691 DPRINTF("Synchronise cache (sector %d, count %d)\n", lba, len);
696 int start_track, format, msf, toclen;
699 format = buf[2] & 0xf;
700 start_track = buf[6];
701 bdrv_get_geometry(s->bdrv, &nb_sectors);
702 DPRINTF("Read TOC (track %d format %d msf %d)\n", start_track, format, msf >> 1);
705 toclen = cdrom_read_toc(nb_sectors, outbuf, msf, start_track);
708 /* multi session : only a single session defined */
710 memset(outbuf, 0, 12);
716 toclen = cdrom_read_toc_raw(nb_sectors, outbuf, msf, start_track);
728 DPRINTF("Read TOC error\n");
732 DPRINTF("Get Configuration (rt %d, maxlen %d)\n", buf[1] & 3, len);
733 memset(outbuf, 0, 8);
734 /* ??? This should probably return much more information. For now
735 just return the basic header indicating the CD-ROM profile. */
736 outbuf[7] = 8; // CD-ROM
740 DPRINTF("Reserve(10)\n");
745 DPRINTF("Release(10)\n");
750 DPRINTF("Report LUNs (len %d)\n", len);
753 memset(outbuf, 0, 16);
758 DPRINTF("Unknown SCSI command (%2.2x)\n", buf[0]);
760 scsi_command_complete(r, SENSE_ILLEGAL_REQUEST);
763 if (r->sector_count == 0 && r->buf_len == 0) {
764 scsi_command_complete(r, SENSE_NO_SENSE);
766 len = r->sector_count * 512 + r->buf_len;
770 if (!r->sector_count)
771 r->sector_count = -1;
776 static void scsi_destroy(SCSIDevice *d)
782 SCSIDevice *scsi_disk_init(BlockDriverState *bdrv, int tcq,
783 scsi_completionfn completion, void *opaque)
788 s = (SCSIDeviceState *)qemu_mallocz(sizeof(SCSIDeviceState));
791 s->completion = completion;
793 if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) {
799 d = (SCSIDevice *)qemu_mallocz(sizeof(SCSIDevice));
801 d->destroy = scsi_destroy;
802 d->send_command = scsi_send_command;
803 d->read_data = scsi_read_data;
804 d->write_data = scsi_write_data;
805 d->cancel_io = scsi_cancel_io;
806 d->get_buf = scsi_get_buf;
projects / qemu / blob