2 * SCSI Device emulation
4 * Copyright (c) 2006 CodeSourcery.
5 * Based on code by Fabrice Bellard
7 * Written by Paul Brook
9 * This code is licenced under the LGPL.
11 * Note that this file only handles the SCSI architecture model and device
12 * commands. Emulation of interface/link layer protocols is handled by
13 * the host adapter emulator.
19 #define DPRINTF(fmt, args...) \
20 do { printf("scsi-disk: " fmt , ##args); } while (0)
22 #define DPRINTF(fmt, args...) do {} while(0)
25 #define BADF(fmt, args...) \
26 do { fprintf(stderr, "scsi-disk: " fmt , ##args); } while (0)
28 #include "qemu-common.h"
30 #include "scsi-disk.h"
32 #define SENSE_NO_SENSE 0
33 #define SENSE_NOT_READY 2
34 #define SENSE_HARDWARE_ERROR 4
35 #define SENSE_ILLEGAL_REQUEST 5
37 #define SCSI_DMA_BUF_SIZE 65536
39 typedef struct SCSIRequest {
42 /* ??? We should probably keep track of whether the data trasfer is
43 a read or a write. Currently we rely on the host getting it right. */
44 /* Both sector and sector_count are in terms of qemu 512 byte blocks. */
47 /* The amounnt of data in the buffer. */
50 BlockDriverAIOCB *aiocb;
51 struct SCSIRequest *next;
54 struct SCSIDeviceState
56 BlockDriverState *bdrv;
57 SCSIRequest *requests;
58 /* The qemu block layer uses a fixed 512 byte sector size.
59 This is the number of 512 byte blocks in a single scsi sector. */
63 /* Completion functions may be called from either scsi_{read,write}_data
64 or from the AIO completion routines. */
65 scsi_completionfn completion;
69 /* Global pool of SCSIRequest structures. */
70 static SCSIRequest *free_requests = NULL;
72 static SCSIRequest *scsi_new_request(SCSIDeviceState *s, uint32_t tag)
78 free_requests = r->next;
80 r = qemu_malloc(sizeof(SCSIRequest));
81 r->dma_buf = qemu_memalign(512, SCSI_DMA_BUF_SIZE);
89 r->next = s->requests;
94 static void scsi_remove_request(SCSIRequest *r)
97 SCSIDeviceState *s = r->dev;
99 if (s->requests == r) {
100 s->requests = r->next;
103 while (last && last->next != r)
106 last->next = r->next;
108 BADF("Orphaned request\n");
111 r->next = free_requests;
115 static SCSIRequest *scsi_find_request(SCSIDeviceState *s, uint32_t tag)
120 while (r && r->tag != tag)
126 /* Helper function for command completion. */
127 static void scsi_command_complete(SCSIRequest *r, int sense)
129 SCSIDeviceState *s = r->dev;
131 DPRINTF("Command complete tag=0x%x sense=%d\n", r->tag, sense);
134 scsi_remove_request(r);
135 s->completion(s->opaque, SCSI_REASON_DONE, tag, sense);
138 /* Cancel a pending data transfer. */
139 static void scsi_cancel_io(SCSIDevice *d, uint32_t tag)
141 SCSIDeviceState *s = d->state;
143 DPRINTF("Cancel tag=0x%x\n", tag);
144 r = scsi_find_request(s, tag);
147 bdrv_aio_cancel(r->aiocb);
149 scsi_remove_request(r);
153 static void scsi_read_complete(void * opaque, int ret)
155 SCSIRequest *r = (SCSIRequest *)opaque;
156 SCSIDeviceState *s = r->dev;
159 DPRINTF("IO error\n");
160 scsi_command_complete(r, SENSE_HARDWARE_ERROR);
163 DPRINTF("Data ready tag=0x%x len=%d\n", r->tag, r->buf_len);
165 s->completion(s->opaque, SCSI_REASON_DATA, r->tag, r->buf_len);
168 /* Read more data from scsi device into buffer. */
169 static void scsi_read_data(SCSIDevice *d, uint32_t tag)
171 SCSIDeviceState *s = d->state;
175 r = scsi_find_request(s, tag);
177 BADF("Bad read tag 0x%x\n", tag);
178 /* ??? This is the wrong error. */
179 scsi_command_complete(r, SENSE_HARDWARE_ERROR);
182 if (r->sector_count == (uint32_t)-1) {
183 DPRINTF("Read buf_len=%d\n", r->buf_len);
185 s->completion(s->opaque, SCSI_REASON_DATA, r->tag, r->buf_len);
188 DPRINTF("Read sector_count=%d\n", r->sector_count);
189 if (r->sector_count == 0) {
190 scsi_command_complete(r, SENSE_NO_SENSE);
195 if (n > SCSI_DMA_BUF_SIZE / 512)
196 n = SCSI_DMA_BUF_SIZE / 512;
198 r->buf_len = n * 512;
199 r->aiocb = bdrv_aio_read(s->bdrv, r->sector, r->dma_buf, n,
200 scsi_read_complete, r);
201 if (r->aiocb == NULL)
202 scsi_command_complete(r, SENSE_HARDWARE_ERROR);
204 r->sector_count -= n;
207 static void scsi_write_complete(void * opaque, int ret)
209 SCSIRequest *r = (SCSIRequest *)opaque;
210 SCSIDeviceState *s = r->dev;
214 fprintf(stderr, "scsi-disc: IO write error\n");
219 if (r->sector_count == 0) {
220 scsi_command_complete(r, SENSE_NO_SENSE);
222 len = r->sector_count * 512;
223 if (len > SCSI_DMA_BUF_SIZE) {
224 len = SCSI_DMA_BUF_SIZE;
227 DPRINTF("Write complete tag=0x%x more=%d\n", r->tag, len);
228 s->completion(s->opaque, SCSI_REASON_DATA, r->tag, len);
232 /* Write data to a scsi device. Returns nonzero on failure.
233 The transfer may complete asynchronously. */
234 static int scsi_write_data(SCSIDevice *d, uint32_t tag)
236 SCSIDeviceState *s = d->state;
240 DPRINTF("Write data tag=0x%x\n", tag);
241 r = scsi_find_request(s, tag);
243 BADF("Bad write tag 0x%x\n", tag);
244 scsi_command_complete(r, SENSE_HARDWARE_ERROR);
248 BADF("Data transfer already in progress\n");
249 n = r->buf_len / 512;
251 r->aiocb = bdrv_aio_write(s->bdrv, r->sector, r->dma_buf, n,
252 scsi_write_complete, r);
253 if (r->aiocb == NULL)
254 scsi_command_complete(r, SENSE_HARDWARE_ERROR);
256 r->sector_count -= n;
258 /* Invoke completion routine to fetch data from host. */
259 scsi_write_complete(r, 0);
265 /* Return a pointer to the data buffer. */
266 static uint8_t *scsi_get_buf(SCSIDevice *d, uint32_t tag)
268 SCSIDeviceState *s = d->state;
271 r = scsi_find_request(s, tag);
273 BADF("Bad buffer tag 0x%x\n", tag);
279 /* Execute a scsi command. Returns the length of the data expected by the
280 command. This will be Positive for data transfers from the device
281 (eg. disk reads), negative for transfers to the device (eg. disk writes),
282 and zero if the command does not transfer any data. */
284 static int32_t scsi_send_command(SCSIDevice *d, uint32_t tag,
285 uint8_t *buf, int lun)
287 SCSIDeviceState *s = d->state;
298 r = scsi_find_request(s, tag);
300 BADF("Tag 0x%x already in use\n", tag);
301 scsi_cancel_io(d, tag);
303 /* ??? Tags are not unique for different luns. We only implement a
304 single lun, so this should not matter. */
305 r = scsi_new_request(s, tag);
308 DPRINTF("Command: lun=%d tag=0x%x data=0x%02x", lun, tag, buf[0]);
309 switch (command >> 5) {
311 lba = buf[3] | (buf[2] << 8) | ((buf[1] & 0x1f) << 16);
317 lba = buf[5] | (buf[4] << 8) | (buf[3] << 16) | (buf[2] << 24);
318 len = buf[8] | (buf[7] << 8);
322 lba = buf[5] | (buf[4] << 8) | (buf[3] << 16) | (buf[2] << 24);
323 len = buf[13] | (buf[12] << 8) | (buf[11] << 16) | (buf[10] << 24);
327 lba = buf[5] | (buf[4] << 8) | (buf[3] << 16) | (buf[2] << 24);
328 len = buf[9] | (buf[8] << 8) | (buf[7] << 16) | (buf[6] << 24);
332 BADF("Unsupported command length, command %x\n", command);
338 for (i = 1; i < cmdlen; i++) {
339 printf(" 0x%02x", buf[i]);
344 if (lun || buf[1] >> 5) {
345 /* Only LUN 0 supported. */
346 DPRINTF("Unimplemented LUN %d\n", lun ? lun : buf[1] >> 5);
351 DPRINTF("Test Unit Ready\n");
354 DPRINTF("Request Sense (len %d)\n", len);
357 memset(outbuf, 0, 4);
360 outbuf[2] = s->sense;
364 DPRINTF("Inquiry (len %d)\n", len);
366 /* Command support data - optional, not implemented */
367 BADF("optional INQUIRY command support request not implemented\n");
370 else if (buf[1] & 0x1) {
371 /* Vital product data */
372 uint8_t page_code = buf[2];
374 BADF("Error: Inquiry (EVPD[%02X]) buffer size %d is "
375 "less than 4\n", page_code, len);
382 /* Supported page codes, mandatory */
383 DPRINTF("Inquiry EVPD[Supported pages] "
384 "buffer size %d\n", len);
388 if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) {
389 outbuf[r->buf_len++] = 5;
391 outbuf[r->buf_len++] = 0;
394 outbuf[r->buf_len++] = 0x00; // this page
395 outbuf[r->buf_len++] = 0x00;
396 outbuf[r->buf_len++] = 3; // number of pages
397 outbuf[r->buf_len++] = 0x00; // list of supported pages (this page)
398 outbuf[r->buf_len++] = 0x80; // unit serial number
399 outbuf[r->buf_len++] = 0x83; // device identification
404 /* Device serial number, optional */
406 BADF("Error: EVPD[Serial number] Inquiry buffer "
407 "size %d too small, %d needed\n", len, 4);
411 DPRINTF("Inquiry EVPD[Serial number] buffer size %d\n", len);
415 /* Supported page codes */
416 if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) {
417 outbuf[r->buf_len++] = 5;
419 outbuf[r->buf_len++] = 0;
422 outbuf[r->buf_len++] = 0x80; // this page
423 outbuf[r->buf_len++] = 0x00;
424 outbuf[r->buf_len++] = 0x01; // 1 byte data follow
426 outbuf[r->buf_len++] = '0'; // 1 byte data follow
432 /* Device identification page, mandatory */
433 int max_len = 255 - 8;
434 int id_len = strlen(bdrv_get_device_name(s->bdrv));
435 if (id_len > max_len)
438 DPRINTF("Inquiry EVPD[Device identification] "
439 "buffer size %d\n", len);
441 if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) {
442 outbuf[r->buf_len++] = 5;
444 outbuf[r->buf_len++] = 0;
447 outbuf[r->buf_len++] = 0x83; // this page
448 outbuf[r->buf_len++] = 0x00;
449 outbuf[r->buf_len++] = 3 + id_len;
451 outbuf[r->buf_len++] = 0x2; // ASCII
452 outbuf[r->buf_len++] = 0; // not officially assigned
453 outbuf[r->buf_len++] = 0; // reserved
454 outbuf[r->buf_len++] = id_len; // length of data following
456 memcpy(&outbuf[r->buf_len],
457 bdrv_get_device_name(s->bdrv), id_len);
458 r->buf_len += id_len;
462 BADF("Error: unsupported Inquiry (EVPD[%02X]) "
463 "buffer size %d\n", page_code, len);
470 /* Standard INQUIRY data */
472 BADF("Error: Inquiry (STANDARD) page or code "
473 "is non-zero [%02X]\n", buf[2]);
479 BADF("Error: Inquiry (STANDARD) buffer size %d "
480 "is less than 5\n", len);
485 BADF("Error: Inquiry (STANDARD) buffer size %d "
486 "is less than 36 (TODO: only 5 required)\n", len);
489 memset(outbuf, 0, 36);
490 if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) {
493 memcpy(&outbuf[16], "QEMU CD-ROM ", 16);
496 memcpy(&outbuf[16], "QEMU HARDDISK ", 16);
498 memcpy(&outbuf[8], "QEMU ", 8);
499 memcpy(&outbuf[32], QEMU_VERSION, 4);
500 /* Identify device as SCSI-3 rev 1.
501 Some later commands are also implemented. */
503 outbuf[3] = 2; /* Format 2 */
505 /* Sync data transfer and TCQ. */
506 outbuf[7] = 0x10 | (s->tcq ? 0x02 : 0);
510 DPRINTF("Reserve(6)\n");
515 DPRINTF("Release(6)\n");
525 page = buf[2] & 0x3f;
526 DPRINTF("Mode Sense (page %d, len %d)\n", page, len);
529 outbuf[1] = 0; /* Default media type. */
530 outbuf[3] = 0; /* Block descriptor length. */
531 if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) {
532 outbuf[2] = 0x80; /* Readonly. */
535 if ((page == 8 || page == 0x3f)) {
543 if ((page == 0x3f || page == 0x2a)
544 && (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM)) {
545 /* CD Capabilities and Mechanical Status page. */
548 p[2] = 3; // CD-R & CD-RW read
549 p[3] = 0; // Writing not supported
550 p[4] = 0x7f; /* Audio, composite, digital out,
551 mode 2 form 1&2, multi session */
552 p[5] = 0xff; /* CD DA, DA accurate, RW supported,
553 RW corrected, C2 errors, ISRC,
555 p[6] = 0x2d | (bdrv_is_locked(s->bdrv)? 2 : 0);
556 /* Locking supported, jumper present, eject, tray */
557 p[7] = 0; /* no volume & mute control, no
559 p[8] = (50 * 176) >> 8; // 50x read speed
560 p[9] = (50 * 176) & 0xff;
561 p[10] = 0 >> 8; // No volume
563 p[12] = 2048 >> 8; // 2M buffer
565 p[14] = (16 * 176) >> 8; // 16x read speed current
566 p[15] = (16 * 176) & 0xff;
567 p[18] = (16 * 176) >> 8; // 16x write speed
568 p[19] = (16 * 176) & 0xff;
569 p[20] = (16 * 176) >> 8; // 16x write speed current
570 p[21] = (16 * 176) & 0xff;
573 r->buf_len = p - outbuf;
574 outbuf[0] = r->buf_len - 4;
575 if (r->buf_len > len)
580 DPRINTF("Start Stop Unit\n");
583 DPRINTF("Prevent Allow Medium Removal (prevent = %d)\n", buf[4] & 3);
584 bdrv_set_locked(s->bdrv, buf[4] & 1);
587 DPRINTF("Read Capacity\n");
588 /* The normal LEN field for this command is zero. */
589 memset(outbuf, 0, 8);
590 bdrv_get_geometry(s->bdrv, &nb_sectors);
591 /* Returned value is the address of the last sector. */
594 outbuf[0] = (nb_sectors >> 24) & 0xff;
595 outbuf[1] = (nb_sectors >> 16) & 0xff;
596 outbuf[2] = (nb_sectors >> 8) & 0xff;
597 outbuf[3] = nb_sectors & 0xff;
600 outbuf[6] = s->cluster_size * 2;
604 scsi_command_complete(r, SENSE_NOT_READY);
610 DPRINTF("Read (sector %d, count %d)\n", lba, len);
611 r->sector = lba * s->cluster_size;
612 r->sector_count = len * s->cluster_size;
616 DPRINTF("Write (sector %d, count %d)\n", lba, len);
617 r->sector = lba * s->cluster_size;
618 r->sector_count = len * s->cluster_size;
622 DPRINTF("Synchronise cache (sector %d, count %d)\n", lba, len);
627 int start_track, format, msf, toclen;
630 format = buf[2] & 0xf;
631 start_track = buf[6];
632 bdrv_get_geometry(s->bdrv, &nb_sectors);
633 DPRINTF("Read TOC (track %d format %d msf %d)\n", start_track, format, msf >> 1);
636 toclen = cdrom_read_toc(nb_sectors, outbuf, msf, start_track);
639 /* multi session : only a single session defined */
641 memset(outbuf, 0, 12);
647 toclen = cdrom_read_toc_raw(nb_sectors, outbuf, msf, start_track);
659 DPRINTF("Read TOC error\n");
663 DPRINTF("Get Configuration (rt %d, maxlen %d)\n", buf[1] & 3, len);
664 memset(outbuf, 0, 8);
665 /* ??? This shoud probably return much more information. For now
666 just return the basic header indicating the CD-ROM profile. */
667 outbuf[7] = 8; // CD-ROM
671 DPRINTF("Reserve(10)\n");
676 DPRINTF("Release(10)\n");
681 DPRINTF("Report LUNs (len %d)\n", len);
684 memset(outbuf, 0, 16);
689 DPRINTF("Unknown SCSI command (%2.2x)\n", buf[0]);
691 scsi_command_complete(r, SENSE_ILLEGAL_REQUEST);
694 if (r->sector_count == 0 && r->buf_len == 0) {
695 scsi_command_complete(r, SENSE_NO_SENSE);
697 len = r->sector_count * 512 + r->buf_len;
701 if (!r->sector_count)
702 r->sector_count = -1;
707 static void scsi_destroy(SCSIDevice *d)
713 SCSIDevice *scsi_disk_init(BlockDriverState *bdrv, int tcq,
714 scsi_completionfn completion, void *opaque)
719 s = (SCSIDeviceState *)qemu_mallocz(sizeof(SCSIDeviceState));
722 s->completion = completion;
724 if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) {
730 d = (SCSIDevice *)qemu_mallocz(sizeof(SCSIDevice));
732 d->destroy = scsi_destroy;
733 d->send_command = scsi_send_command;
734 d->read_data = scsi_read_data;
735 d->write_data = scsi_write_data;
736 d->cancel_io = scsi_cancel_io;
737 d->get_buf = scsi_get_buf;
projects / qemu / blob