2 * SCSI Device emulation
4 * Copyright (c) 2006 CodeSourcery.
5 * Based on code by Fabrice Bellard
7 * Written by Paul Brook
9 * This code is licenced under the LGPL.
11 * Note that this file only handles the SCSI architecture model and device
12 * commands. Emultion of interface/link layer protocols is handled by
13 * the host adapter emulation.
19 #define DPRINTF(fmt, args...) \
20 do { printf("scsi-disk: " fmt , ##args); } while (0)
22 #define DPRINTF(fmt, args...) do {} while(0)
25 #define BADF(fmt, args...) \
26 do { fprintf(stderr, "scsi-disk: " fmt , ##args); } while (0)
28 #include "qemu-common.h"
30 #include "scsi-disk.h"
32 #define SENSE_NO_SENSE 0
33 #define SENSE_NOT_READY 2
34 #define SENSE_HARDWARE_ERROR 4
35 #define SENSE_ILLEGAL_REQUEST 5
37 #define SCSI_DMA_BUF_SIZE 65536
39 typedef struct SCSIRequest {
42 /* ??? We should probably keep track of whether the data trasfer is
43 a read or a write. Currently we rely on the host getting it right. */
44 /* Both sector and sector_count are in terms of qemu 512 byte blocks. */
47 /* The amounnt of data in the buffer. */
49 uint8_t dma_buf[SCSI_DMA_BUF_SIZE];
50 BlockDriverAIOCB *aiocb;
51 struct SCSIRequest *next;
54 struct SCSIDeviceState
56 BlockDriverState *bdrv;
57 SCSIRequest *requests;
58 /* The qemu block layer uses a fixed 512 byte sector size.
59 This is the number of 512 byte blocks in a single scsi sector. */
63 /* Completion functions may be called from either scsi_{read,write}_data
64 or from the AIO completion routines. */
65 scsi_completionfn completion;
69 /* Global pool of SCSIRequest structures. */
70 static SCSIRequest *free_requests = NULL;
72 static SCSIRequest *scsi_new_request(SCSIDeviceState *s, uint32_t tag)
78 free_requests = r->next;
80 r = qemu_malloc(sizeof(SCSIRequest));
88 r->next = s->requests;
93 static void scsi_remove_request(SCSIRequest *r)
96 SCSIDeviceState *s = r->dev;
98 if (s->requests == r) {
99 s->requests = r->next;
102 while (last && last->next != r)
105 last->next = r->next;
107 BADF("Orphaned request\n");
110 r->next = free_requests;
114 static SCSIRequest *scsi_find_request(SCSIDeviceState *s, uint32_t tag)
119 while (r && r->tag != tag)
125 /* Helper function for command completion. */
126 static void scsi_command_complete(SCSIRequest *r, int sense)
128 SCSIDeviceState *s = r->dev;
130 DPRINTF("Command complete tag=0x%x sense=%d\n", r->tag, sense);
133 scsi_remove_request(r);
134 s->completion(s->opaque, SCSI_REASON_DONE, tag, sense);
137 /* Cancel a pending data transfer. */
138 static void scsi_cancel_io(SCSIDevice *d, uint32_t tag)
140 SCSIDeviceState *s = d->state;
142 DPRINTF("Cancel tag=0x%x\n", tag);
143 r = scsi_find_request(s, tag);
146 bdrv_aio_cancel(r->aiocb);
148 scsi_remove_request(r);
152 static void scsi_read_complete(void * opaque, int ret)
154 SCSIRequest *r = (SCSIRequest *)opaque;
155 SCSIDeviceState *s = r->dev;
158 DPRINTF("IO error\n");
159 scsi_command_complete(r, SENSE_HARDWARE_ERROR);
162 DPRINTF("Data ready tag=0x%x len=%d\n", r->tag, r->buf_len);
164 s->completion(s->opaque, SCSI_REASON_DATA, r->tag, r->buf_len);
167 /* Read more data from scsi device into buffer. */
168 static void scsi_read_data(SCSIDevice *d, uint32_t tag)
170 SCSIDeviceState *s = d->state;
174 r = scsi_find_request(s, tag);
176 BADF("Bad read tag 0x%x\n", tag);
177 /* ??? This is the wrong error. */
178 scsi_command_complete(r, SENSE_HARDWARE_ERROR);
181 if (r->sector_count == (uint32_t)-1) {
182 DPRINTF("Read buf_len=%d\n", r->buf_len);
184 s->completion(s->opaque, SCSI_REASON_DATA, r->tag, r->buf_len);
187 DPRINTF("Read sector_count=%d\n", r->sector_count);
188 if (r->sector_count == 0) {
189 scsi_command_complete(r, SENSE_NO_SENSE);
194 if (n > SCSI_DMA_BUF_SIZE / 512)
195 n = SCSI_DMA_BUF_SIZE / 512;
197 r->buf_len = n * 512;
198 r->aiocb = bdrv_aio_read(s->bdrv, r->sector, r->dma_buf, n,
199 scsi_read_complete, r);
200 if (r->aiocb == NULL)
201 scsi_command_complete(r, SENSE_HARDWARE_ERROR);
203 r->sector_count -= n;
206 static void scsi_write_complete(void * opaque, int ret)
208 SCSIRequest *r = (SCSIRequest *)opaque;
209 SCSIDeviceState *s = r->dev;
213 fprintf(stderr, "scsi-disc: IO write error\n");
218 if (r->sector_count == 0) {
219 scsi_command_complete(r, SENSE_NO_SENSE);
221 len = r->sector_count * 512;
222 if (len > SCSI_DMA_BUF_SIZE) {
223 len = SCSI_DMA_BUF_SIZE;
226 DPRINTF("Write complete tag=0x%x more=%d\n", r->tag, len);
227 s->completion(s->opaque, SCSI_REASON_DATA, r->tag, len);
231 /* Write data to a scsi device. Returns nonzero on failure.
232 The transfer may complete asynchronously. */
233 static int scsi_write_data(SCSIDevice *d, uint32_t tag)
235 SCSIDeviceState *s = d->state;
239 DPRINTF("Write data tag=0x%x\n", tag);
240 r = scsi_find_request(s, tag);
242 BADF("Bad write tag 0x%x\n", tag);
243 scsi_command_complete(r, SENSE_HARDWARE_ERROR);
247 BADF("Data transfer already in progress\n");
248 n = r->buf_len / 512;
250 r->aiocb = bdrv_aio_write(s->bdrv, r->sector, r->dma_buf, n,
251 scsi_write_complete, r);
252 if (r->aiocb == NULL)
253 scsi_command_complete(r, SENSE_HARDWARE_ERROR);
255 r->sector_count -= n;
257 /* Invoke completion routine to fetch data from host. */
258 scsi_write_complete(r, 0);
264 /* Return a pointer to the data buffer. */
265 static uint8_t *scsi_get_buf(SCSIDevice *d, uint32_t tag)
267 SCSIDeviceState *s = d->state;
270 r = scsi_find_request(s, tag);
272 BADF("Bad buffer tag 0x%x\n", tag);
278 /* Execute a scsi command. Returns the length of the data expected by the
279 command. This will be Positive for data transfers from the device
280 (eg. disk reads), negative for transfers to the device (eg. disk writes),
281 and zero if the command does not transfer any data. */
283 static int32_t scsi_send_command(SCSIDevice *d, uint32_t tag,
284 uint8_t *buf, int lun)
286 SCSIDeviceState *s = d->state;
297 r = scsi_find_request(s, tag);
299 BADF("Tag 0x%x already in use\n", tag);
300 scsi_cancel_io(d, tag);
302 /* ??? Tags are not unique for different luns. We only implement a
303 single lun, so this should not matter. */
304 r = scsi_new_request(s, tag);
307 DPRINTF("Command: lun=%d tag=0x%x data=0x%02x", lun, tag, buf[0]);
308 switch (command >> 5) {
310 lba = buf[3] | (buf[2] << 8) | ((buf[1] & 0x1f) << 16);
316 lba = buf[5] | (buf[4] << 8) | (buf[3] << 16) | (buf[2] << 24);
317 len = buf[8] | (buf[7] << 8);
321 lba = buf[5] | (buf[4] << 8) | (buf[3] << 16) | (buf[2] << 24);
322 len = buf[13] | (buf[12] << 8) | (buf[11] << 16) | (buf[10] << 24);
326 lba = buf[5] | (buf[4] << 8) | (buf[3] << 16) | (buf[2] << 24);
327 len = buf[9] | (buf[8] << 8) | (buf[7] << 16) | (buf[6] << 24);
331 BADF("Unsupported command length, command %x\n", command);
337 for (i = 1; i < cmdlen; i++) {
338 printf(" 0x%02x", buf[i]);
343 if (lun || buf[1] >> 5) {
344 /* Only LUN 0 supported. */
345 DPRINTF("Unimplemented LUN %d\n", lun ? lun : buf[1] >> 5);
350 DPRINTF("Test Unit Ready\n");
353 DPRINTF("Request Sense (len %d)\n", len);
356 memset(outbuf, 0, 4);
359 outbuf[2] = s->sense;
363 DPRINTF("Inquiry (len %d)\n", len);
365 BADF("Inquiry buffer too small (%d)\n", len);
367 memset(outbuf, 0, 36);
368 if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) {
371 memcpy(&outbuf[16], "QEMU CD-ROM ", 16);
374 memcpy(&outbuf[16], "QEMU HARDDISK ", 16);
376 memcpy(&outbuf[8], "QEMU ", 8);
377 memcpy(&outbuf[32], QEMU_VERSION, 4);
378 /* Identify device as SCSI-3 rev 1.
379 Some later commands are also implemented. */
381 outbuf[3] = 2; /* Format 2 */
383 /* Sync data transfer and TCQ. */
384 outbuf[7] = 0x10 | (s->tcq ? 0x02 : 0);
388 DPRINTF("Reserve(6)\n");
393 DPRINTF("Release(6)\n");
403 page = buf[2] & 0x3f;
404 DPRINTF("Mode Sense (page %d, len %d)\n", page, len);
407 outbuf[1] = 0; /* Default media type. */
408 outbuf[3] = 0; /* Block descriptor length. */
409 if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) {
410 outbuf[2] = 0x80; /* Readonly. */
413 if ((page == 8 || page == 0x3f)) {
421 if ((page == 0x3f || page == 0x2a)
422 && (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM)) {
423 /* CD Capabilities and Mechanical Status page. */
426 p[2] = 3; // CD-R & CD-RW read
427 p[3] = 0; // Writing not supported
428 p[4] = 0x7f; /* Audio, composite, digital out,
429 mode 2 form 1&2, multi session */
430 p[5] = 0xff; /* CD DA, DA accurate, RW supported,
431 RW corrected, C2 errors, ISRC,
433 p[6] = 0x2d | (bdrv_is_locked(s->bdrv)? 2 : 0);
434 /* Locking supported, jumper present, eject, tray */
435 p[7] = 0; /* no volume & mute control, no
437 p[8] = (50 * 176) >> 8; // 50x read speed
438 p[9] = (50 * 176) & 0xff;
439 p[10] = 0 >> 8; // No volume
441 p[12] = 2048 >> 8; // 2M buffer
443 p[14] = (16 * 176) >> 8; // 16x read speed current
444 p[15] = (16 * 176) & 0xff;
445 p[18] = (16 * 176) >> 8; // 16x write speed
446 p[19] = (16 * 176) & 0xff;
447 p[20] = (16 * 176) >> 8; // 16x write speed current
448 p[21] = (16 * 176) & 0xff;
451 r->buf_len = p - outbuf;
452 outbuf[0] = r->buf_len - 4;
453 if (r->buf_len > len)
458 DPRINTF("Start Stop Unit\n");
461 DPRINTF("Prevent Allow Medium Removal (prevent = %d)\n", buf[4] & 3);
462 bdrv_set_locked(s->bdrv, buf[4] & 1);
465 DPRINTF("Read Capacity\n");
466 /* The normal LEN field for this command is zero. */
467 memset(outbuf, 0, 8);
468 bdrv_get_geometry(s->bdrv, &nb_sectors);
469 /* Returned value is the address of the last sector. */
472 outbuf[0] = (nb_sectors >> 24) & 0xff;
473 outbuf[1] = (nb_sectors >> 16) & 0xff;
474 outbuf[2] = (nb_sectors >> 8) & 0xff;
475 outbuf[3] = nb_sectors & 0xff;
478 outbuf[6] = s->cluster_size * 2;
482 scsi_command_complete(r, SENSE_NOT_READY);
488 DPRINTF("Read (sector %d, count %d)\n", lba, len);
489 r->sector = lba * s->cluster_size;
490 r->sector_count = len * s->cluster_size;
494 DPRINTF("Write (sector %d, count %d)\n", lba, len);
495 r->sector = lba * s->cluster_size;
496 r->sector_count = len * s->cluster_size;
500 DPRINTF("Synchronise cache (sector %d, count %d)\n", lba, len);
505 int start_track, format, msf, toclen;
508 format = buf[2] & 0xf;
509 start_track = buf[6];
510 bdrv_get_geometry(s->bdrv, &nb_sectors);
511 DPRINTF("Read TOC (track %d format %d msf %d)\n", start_track, format, msf >> 1);
514 toclen = cdrom_read_toc(nb_sectors, outbuf, msf, start_track);
517 /* multi session : only a single session defined */
519 memset(outbuf, 0, 12);
525 toclen = cdrom_read_toc_raw(nb_sectors, outbuf, msf, start_track);
537 DPRINTF("Read TOC error\n");
541 DPRINTF("Get Configuration (rt %d, maxlen %d)\n", buf[1] & 3, len);
542 memset(outbuf, 0, 8);
543 /* ??? This shoud probably return much more information. For now
544 just return the basic header indicating the CD-ROM profile. */
545 outbuf[7] = 8; // CD-ROM
549 DPRINTF("Reserve(10)\n");
554 DPRINTF("Release(10)\n");
559 DPRINTF("Report LUNs (len %d)\n", len);
562 memset(outbuf, 0, 16);
567 DPRINTF("Unknown SCSI command (%2.2x)\n", buf[0]);
569 scsi_command_complete(r, SENSE_ILLEGAL_REQUEST);
572 if (r->sector_count == 0 && r->buf_len == 0) {
573 scsi_command_complete(r, SENSE_NO_SENSE);
575 len = r->sector_count * 512 + r->buf_len;
579 if (!r->sector_count)
580 r->sector_count = -1;
585 static void scsi_destroy(SCSIDevice *d)
591 SCSIDevice *scsi_disk_init(BlockDriverState *bdrv, int tcq,
592 scsi_completionfn completion, void *opaque)
597 s = (SCSIDeviceState *)qemu_mallocz(sizeof(SCSIDeviceState));
600 s->completion = completion;
602 if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) {
608 d = (SCSIDevice *)qemu_mallocz(sizeof(SCSIDevice));
610 d->destroy = scsi_destroy;
611 d->send_command = scsi_send_command;
612 d->read_data = scsi_read_data;
613 d->write_data = scsi_write_data;
614 d->cancel_io = scsi_cancel_io;
615 d->get_buf = scsi_get_buf;
projects / qemu / blob