2 * SCSI Device emulation
4 * Copyright (c) 2006 CodeSourcery.
5 * Based on code by Fabrice Bellard
7 * Written by Paul Brook
9 * This code is licenced under the LGPL.
11 * Note that this file only handles the SCSI architecture model and device
12 * commands. Emultion of interface/link layer protocols is handled by
13 * the host adapter emulation.
19 #define DPRINTF(fmt, args...) \
20 do { printf("scsi-disk: " fmt , ##args); } while (0)
22 #define DPRINTF(fmt, args...) do {} while(0)
25 #define BADF(fmt, args...) \
26 do { fprintf(stderr, "scsi-disk: " fmt , ##args); } while (0)
28 #include "qemu-common.h"
30 #include "scsi-disk.h"
32 #define SENSE_NO_SENSE 0
33 #define SENSE_NOT_READY 2
34 #define SENSE_HARDWARE_ERROR 4
35 #define SENSE_ILLEGAL_REQUEST 5
37 #define SCSI_DMA_BUF_SIZE 65536
39 typedef struct SCSIRequest {
42 /* ??? We should probably keep track of whether the data trasfer is
43 a read or a write. Currently we rely on the host getting it right. */
44 /* Both sector and sector_count are in terms of qemu 512 byte blocks. */
47 /* The amounnt of data in the buffer. */
50 BlockDriverAIOCB *aiocb;
51 struct SCSIRequest *next;
54 struct SCSIDeviceState
56 BlockDriverState *bdrv;
57 SCSIRequest *requests;
58 /* The qemu block layer uses a fixed 512 byte sector size.
59 This is the number of 512 byte blocks in a single scsi sector. */
63 /* Completion functions may be called from either scsi_{read,write}_data
64 or from the AIO completion routines. */
65 scsi_completionfn completion;
69 /* Global pool of SCSIRequest structures. */
70 static SCSIRequest *free_requests = NULL;
72 static SCSIRequest *scsi_new_request(SCSIDeviceState *s, uint32_t tag)
78 free_requests = r->next;
80 r = qemu_malloc(sizeof(SCSIRequest));
81 r->dma_buf = qemu_memalign(512, SCSI_DMA_BUF_SIZE);
89 r->next = s->requests;
94 static void scsi_remove_request(SCSIRequest *r)
97 SCSIDeviceState *s = r->dev;
99 if (s->requests == r) {
100 s->requests = r->next;
103 while (last && last->next != r)
106 last->next = r->next;
108 BADF("Orphaned request\n");
111 r->next = free_requests;
115 static SCSIRequest *scsi_find_request(SCSIDeviceState *s, uint32_t tag)
120 while (r && r->tag != tag)
126 /* Helper function for command completion. */
127 static void scsi_command_complete(SCSIRequest *r, int sense)
129 SCSIDeviceState *s = r->dev;
131 DPRINTF("Command complete tag=0x%x sense=%d\n", r->tag, sense);
134 scsi_remove_request(r);
135 s->completion(s->opaque, SCSI_REASON_DONE, tag, sense);
138 /* Cancel a pending data transfer. */
139 static void scsi_cancel_io(SCSIDevice *d, uint32_t tag)
141 SCSIDeviceState *s = d->state;
143 DPRINTF("Cancel tag=0x%x\n", tag);
144 r = scsi_find_request(s, tag);
147 bdrv_aio_cancel(r->aiocb);
149 scsi_remove_request(r);
153 static void scsi_read_complete(void * opaque, int ret)
155 SCSIRequest *r = (SCSIRequest *)opaque;
156 SCSIDeviceState *s = r->dev;
159 DPRINTF("IO error\n");
160 scsi_command_complete(r, SENSE_HARDWARE_ERROR);
163 DPRINTF("Data ready tag=0x%x len=%d\n", r->tag, r->buf_len);
165 s->completion(s->opaque, SCSI_REASON_DATA, r->tag, r->buf_len);
168 /* Read more data from scsi device into buffer. */
169 static void scsi_read_data(SCSIDevice *d, uint32_t tag)
171 SCSIDeviceState *s = d->state;
175 r = scsi_find_request(s, tag);
177 BADF("Bad read tag 0x%x\n", tag);
178 /* ??? This is the wrong error. */
179 scsi_command_complete(r, SENSE_HARDWARE_ERROR);
182 if (r->sector_count == (uint32_t)-1) {
183 DPRINTF("Read buf_len=%d\n", r->buf_len);
185 s->completion(s->opaque, SCSI_REASON_DATA, r->tag, r->buf_len);
188 DPRINTF("Read sector_count=%d\n", r->sector_count);
189 if (r->sector_count == 0) {
190 scsi_command_complete(r, SENSE_NO_SENSE);
195 if (n > SCSI_DMA_BUF_SIZE / 512)
196 n = SCSI_DMA_BUF_SIZE / 512;
198 r->buf_len = n * 512;
199 r->aiocb = bdrv_aio_read(s->bdrv, r->sector, r->dma_buf, n,
200 scsi_read_complete, r);
201 if (r->aiocb == NULL)
202 scsi_command_complete(r, SENSE_HARDWARE_ERROR);
204 r->sector_count -= n;
207 static void scsi_write_complete(void * opaque, int ret)
209 SCSIRequest *r = (SCSIRequest *)opaque;
210 SCSIDeviceState *s = r->dev;
214 fprintf(stderr, "scsi-disc: IO write error\n");
219 if (r->sector_count == 0) {
220 scsi_command_complete(r, SENSE_NO_SENSE);
222 len = r->sector_count * 512;
223 if (len > SCSI_DMA_BUF_SIZE) {
224 len = SCSI_DMA_BUF_SIZE;
227 DPRINTF("Write complete tag=0x%x more=%d\n", r->tag, len);
228 s->completion(s->opaque, SCSI_REASON_DATA, r->tag, len);
232 /* Write data to a scsi device. Returns nonzero on failure.
233 The transfer may complete asynchronously. */
234 static int scsi_write_data(SCSIDevice *d, uint32_t tag)
236 SCSIDeviceState *s = d->state;
240 DPRINTF("Write data tag=0x%x\n", tag);
241 r = scsi_find_request(s, tag);
243 BADF("Bad write tag 0x%x\n", tag);
244 scsi_command_complete(r, SENSE_HARDWARE_ERROR);
248 BADF("Data transfer already in progress\n");
249 n = r->buf_len / 512;
251 r->aiocb = bdrv_aio_write(s->bdrv, r->sector, r->dma_buf, n,
252 scsi_write_complete, r);
253 if (r->aiocb == NULL)
254 scsi_command_complete(r, SENSE_HARDWARE_ERROR);
256 r->sector_count -= n;
258 /* Invoke completion routine to fetch data from host. */
259 scsi_write_complete(r, 0);
265 /* Return a pointer to the data buffer. */
266 static uint8_t *scsi_get_buf(SCSIDevice *d, uint32_t tag)
268 SCSIDeviceState *s = d->state;
271 r = scsi_find_request(s, tag);
273 BADF("Bad buffer tag 0x%x\n", tag);
279 /* Execute a scsi command. Returns the length of the data expected by the
280 command. This will be Positive for data transfers from the device
281 (eg. disk reads), negative for transfers to the device (eg. disk writes),
282 and zero if the command does not transfer any data. */
284 static int32_t scsi_send_command(SCSIDevice *d, uint32_t tag,
285 uint8_t *buf, int lun)
287 SCSIDeviceState *s = d->state;
298 r = scsi_find_request(s, tag);
300 BADF("Tag 0x%x already in use\n", tag);
301 scsi_cancel_io(d, tag);
303 /* ??? Tags are not unique for different luns. We only implement a
304 single lun, so this should not matter. */
305 r = scsi_new_request(s, tag);
308 DPRINTF("Command: lun=%d tag=0x%x data=0x%02x", lun, tag, buf[0]);
309 switch (command >> 5) {
311 lba = buf[3] | (buf[2] << 8) | ((buf[1] & 0x1f) << 16);
317 lba = buf[5] | (buf[4] << 8) | (buf[3] << 16) | (buf[2] << 24);
318 len = buf[8] | (buf[7] << 8);
322 lba = buf[5] | (buf[4] << 8) | (buf[3] << 16) | (buf[2] << 24);
323 len = buf[13] | (buf[12] << 8) | (buf[11] << 16) | (buf[10] << 24);
327 lba = buf[5] | (buf[4] << 8) | (buf[3] << 16) | (buf[2] << 24);
328 len = buf[9] | (buf[8] << 8) | (buf[7] << 16) | (buf[6] << 24);
332 BADF("Unsupported command length, command %x\n", command);
338 for (i = 1; i < cmdlen; i++) {
339 printf(" 0x%02x", buf[i]);
344 if (lun || buf[1] >> 5) {
345 /* Only LUN 0 supported. */
346 DPRINTF("Unimplemented LUN %d\n", lun ? lun : buf[1] >> 5);
351 DPRINTF("Test Unit Ready\n");
354 DPRINTF("Request Sense (len %d)\n", len);
357 memset(outbuf, 0, 4);
360 outbuf[2] = s->sense;
364 DPRINTF("Inquiry (len %d)\n", len);
366 BADF("Inquiry buffer too small (%d)\n", len);
368 memset(outbuf, 0, 36);
369 if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) {
372 memcpy(&outbuf[16], "QEMU CD-ROM ", 16);
375 memcpy(&outbuf[16], "QEMU HARDDISK ", 16);
377 memcpy(&outbuf[8], "QEMU ", 8);
378 memcpy(&outbuf[32], QEMU_VERSION, 4);
379 /* Identify device as SCSI-3 rev 1.
380 Some later commands are also implemented. */
382 outbuf[3] = 2; /* Format 2 */
384 /* Sync data transfer and TCQ. */
385 outbuf[7] = 0x10 | (s->tcq ? 0x02 : 0);
389 DPRINTF("Reserve(6)\n");
394 DPRINTF("Release(6)\n");
404 page = buf[2] & 0x3f;
405 DPRINTF("Mode Sense (page %d, len %d)\n", page, len);
408 outbuf[1] = 0; /* Default media type. */
409 outbuf[3] = 0; /* Block descriptor length. */
410 if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) {
411 outbuf[2] = 0x80; /* Readonly. */
414 if ((page == 8 || page == 0x3f)) {
422 if ((page == 0x3f || page == 0x2a)
423 && (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM)) {
424 /* CD Capabilities and Mechanical Status page. */
427 p[2] = 3; // CD-R & CD-RW read
428 p[3] = 0; // Writing not supported
429 p[4] = 0x7f; /* Audio, composite, digital out,
430 mode 2 form 1&2, multi session */
431 p[5] = 0xff; /* CD DA, DA accurate, RW supported,
432 RW corrected, C2 errors, ISRC,
434 p[6] = 0x2d | (bdrv_is_locked(s->bdrv)? 2 : 0);
435 /* Locking supported, jumper present, eject, tray */
436 p[7] = 0; /* no volume & mute control, no
438 p[8] = (50 * 176) >> 8; // 50x read speed
439 p[9] = (50 * 176) & 0xff;
440 p[10] = 0 >> 8; // No volume
442 p[12] = 2048 >> 8; // 2M buffer
444 p[14] = (16 * 176) >> 8; // 16x read speed current
445 p[15] = (16 * 176) & 0xff;
446 p[18] = (16 * 176) >> 8; // 16x write speed
447 p[19] = (16 * 176) & 0xff;
448 p[20] = (16 * 176) >> 8; // 16x write speed current
449 p[21] = (16 * 176) & 0xff;
452 r->buf_len = p - outbuf;
453 outbuf[0] = r->buf_len - 4;
454 if (r->buf_len > len)
459 DPRINTF("Start Stop Unit\n");
462 DPRINTF("Prevent Allow Medium Removal (prevent = %d)\n", buf[4] & 3);
463 bdrv_set_locked(s->bdrv, buf[4] & 1);
466 DPRINTF("Read Capacity\n");
467 /* The normal LEN field for this command is zero. */
468 memset(outbuf, 0, 8);
469 bdrv_get_geometry(s->bdrv, &nb_sectors);
470 /* Returned value is the address of the last sector. */
473 outbuf[0] = (nb_sectors >> 24) & 0xff;
474 outbuf[1] = (nb_sectors >> 16) & 0xff;
475 outbuf[2] = (nb_sectors >> 8) & 0xff;
476 outbuf[3] = nb_sectors & 0xff;
479 outbuf[6] = s->cluster_size * 2;
483 scsi_command_complete(r, SENSE_NOT_READY);
489 DPRINTF("Read (sector %d, count %d)\n", lba, len);
490 r->sector = lba * s->cluster_size;
491 r->sector_count = len * s->cluster_size;
495 DPRINTF("Write (sector %d, count %d)\n", lba, len);
496 r->sector = lba * s->cluster_size;
497 r->sector_count = len * s->cluster_size;
501 DPRINTF("Synchronise cache (sector %d, count %d)\n", lba, len);
506 int start_track, format, msf, toclen;
509 format = buf[2] & 0xf;
510 start_track = buf[6];
511 bdrv_get_geometry(s->bdrv, &nb_sectors);
512 DPRINTF("Read TOC (track %d format %d msf %d)\n", start_track, format, msf >> 1);
515 toclen = cdrom_read_toc(nb_sectors, outbuf, msf, start_track);
518 /* multi session : only a single session defined */
520 memset(outbuf, 0, 12);
526 toclen = cdrom_read_toc_raw(nb_sectors, outbuf, msf, start_track);
538 DPRINTF("Read TOC error\n");
542 DPRINTF("Get Configuration (rt %d, maxlen %d)\n", buf[1] & 3, len);
543 memset(outbuf, 0, 8);
544 /* ??? This shoud probably return much more information. For now
545 just return the basic header indicating the CD-ROM profile. */
546 outbuf[7] = 8; // CD-ROM
550 DPRINTF("Reserve(10)\n");
555 DPRINTF("Release(10)\n");
560 DPRINTF("Report LUNs (len %d)\n", len);
563 memset(outbuf, 0, 16);
568 DPRINTF("Unknown SCSI command (%2.2x)\n", buf[0]);
570 scsi_command_complete(r, SENSE_ILLEGAL_REQUEST);
573 if (r->sector_count == 0 && r->buf_len == 0) {
574 scsi_command_complete(r, SENSE_NO_SENSE);
576 len = r->sector_count * 512 + r->buf_len;
580 if (!r->sector_count)
581 r->sector_count = -1;
586 static void scsi_destroy(SCSIDevice *d)
592 SCSIDevice *scsi_disk_init(BlockDriverState *bdrv, int tcq,
593 scsi_completionfn completion, void *opaque)
598 s = (SCSIDeviceState *)qemu_mallocz(sizeof(SCSIDeviceState));
601 s->completion = completion;
603 if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) {
609 d = (SCSIDevice *)qemu_mallocz(sizeof(SCSIDevice));
611 d->destroy = scsi_destroy;
612 d->send_command = scsi_send_command;
613 d->read_data = scsi_read_data;
614 d->write_data = scsi_write_data;
615 d->cancel_io = scsi_cancel_io;
616 d->get_buf = scsi_get_buf;
projects / qemu / blob