scsi: add support for FUA on writes

[qemu.git] / hw / scsi-disk.c
diff --git a/hw/scsi-disk.c b/hw/scsi-disk.c

index af1001de3233979c9769b44a2b08fcfe3f421537..7e6e17dfad7ac7057c9c48cb934e314bc08a2727 100644 (file)
--- a/hw/scsi-disk.c
+++ b/hw/scsi-disk.c
@@ -38,16 +38,15 @@ do { fprintf(stderr, "scsi-disk: " fmt , ## __VA_ARGS__); } while (0)
  #include "sysemu.h"
  #include "blockdev.h"
  #include "block_int.h"
+#include "dma.h"
+
+#ifdef __linux
+#include <scsi/sg.h>
+#endif
  
  #define SCSI_DMA_BUF_SIZE    131072
  #define SCSI_MAX_INQUIRY_LEN 256
  
-#define SCSI_REQ_STATUS_RETRY           0x01
-#define SCSI_REQ_STATUS_RETRY_TYPE_MASK 0x06
-#define SCSI_REQ_STATUS_RETRY_READ      0x00
-#define SCSI_REQ_STATUS_RETRY_WRITE     0x02
-#define SCSI_REQ_STATUS_RETRY_FLUSH     0x04
-
  typedef struct SCSIDiskState SCSIDiskState;
  
  typedef struct SCSIDiskReq {
@@ -58,7 +57,6 @@ typedef struct SCSIDiskReq {
      uint32_t buflen;
      struct iovec iov;
      QEMUIOVector qiov;
-    uint32_t status;
      BlockAcctCookie acct;
  } SCSIDiskReq;
  
@@ -66,9 +64,9 @@ struct SCSIDiskState
  {
      SCSIDevice qdev;
      uint32_t removable;
-    uint64_t max_lba;
      bool media_changed;
      bool media_event;
+    bool eject_request;
      QEMUBH *bh;
      char *version;
      char *serial;
@@ -76,8 +74,7 @@ struct SCSIDiskState
      bool tray_locked;
  };
  
-static int scsi_handle_rw_error(SCSIDiskReq *r, int error, int type);
-static int32_t scsi_send_command(SCSIRequest *req, uint8_t *buf);
+static int scsi_handle_rw_error(SCSIDiskReq *r, int error);
  
  static void scsi_free_request(SCSIRequest *req)
  {
@@ -105,16 +102,21 @@ static void scsi_cancel_io(SCSIRequest *req)
      DPRINTF("Cancel tag=0x%x\n", req->tag);
      if (r->req.aiocb) {
          bdrv_aio_cancel(r->req.aiocb);
+
+        /* This reference was left in by scsi_*_data.  We take ownership of
+         * it the moment scsi_req_cancel is called, independent of whether
+         * bdrv_aio_cancel completes the request or not.  */
+        scsi_req_unref(&r->req);
      }
      r->req.aiocb = NULL;
  }
  
-static uint32_t scsi_init_iovec(SCSIDiskReq *r)
+static uint32_t scsi_init_iovec(SCSIDiskReq *r, size_t size)
  {
      SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
  
      if (!r->iov.iov_base) {
-        r->buflen = SCSI_DMA_BUF_SIZE;
+        r->buflen = size;
          r->iov.iov_base = qemu_blockalign(s->qdev.conf.bs, r->buflen);
      }
      r->iov.iov_len = MIN(r->sector_count * 512, r->buflen);
@@ -122,35 +124,128 @@ static uint32_t scsi_init_iovec(SCSIDiskReq *r)
      return r->qiov.size / 512;
  }
  
-static void scsi_read_complete(void * opaque, int ret)
+static void scsi_disk_save_request(QEMUFile *f, SCSIRequest *req)
+{
+    SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
+
+    qemu_put_be64s(f, &r->sector);
+    qemu_put_be32s(f, &r->sector_count);
+    qemu_put_be32s(f, &r->buflen);
+    if (r->buflen && r->req.cmd.mode == SCSI_XFER_TO_DEV) {
+        qemu_put_buffer(f, r->iov.iov_base, r->iov.iov_len);
+    }
+}
+
+static void scsi_disk_load_request(QEMUFile *f, SCSIRequest *req)
+{
+    SCSIDiskReq *r = DO_UPCAST(SCSIDiskReq, req, req);
+
+    qemu_get_be64s(f, &r->sector);
+    qemu_get_be32s(f, &r->sector_count);
+    qemu_get_be32s(f, &r->buflen);
+    if (r->buflen) {
+        scsi_init_iovec(r, r->buflen);
+        if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
+            qemu_get_buffer(f, r->iov.iov_base, r->iov.iov_len);
+        }
+    }
+
+    qemu_iovec_init_external(&r->qiov, &r->iov, 1);
+}
+
+static void scsi_flush_complete(void * opaque, int ret)
  {
      SCSIDiskReq *r = (SCSIDiskReq *)opaque;
      SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
-    int n;
  
-    if (r->req.aiocb != NULL) {
-        r->req.aiocb = NULL;
-        bdrv_acct_done(s->qdev.conf.bs, &r->acct);
+    bdrv_acct_done(s->qdev.conf.bs, &r->acct);
+
+    if (ret < 0) {
+        if (scsi_handle_rw_error(r, -ret)) {
+            goto done;
+        }
+    }
+
+    scsi_req_complete(&r->req, GOOD);
+
+done:
+    if (!r->req.io_canceled) {
+        scsi_req_unref(&r->req);
      }
+}
+
+static bool scsi_is_cmd_fua(SCSICommand *cmd)
+{
+    switch (cmd->buf[0]) {
+    case READ_10:
+    case READ_12:
+    case READ_16:
+    case WRITE_10:
+    case WRITE_12:
+    case WRITE_16:
+        return (cmd->buf[1] & 8) != 0;
+
+    case WRITE_VERIFY_10:
+    case WRITE_VERIFY_12:
+    case WRITE_VERIFY_16:
+        return true;
+
+    case READ_6:
+    case WRITE_6:
+    default:
+        return false;
+    }
+}
+
+static void scsi_write_do_fua(SCSIDiskReq *r)
+{
+    SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
+
+    if (scsi_is_cmd_fua(&r->req.cmd)) {
+        bdrv_acct_start(s->qdev.conf.bs, &r->acct, 0, BDRV_ACCT_FLUSH);
+        r->req.aiocb = bdrv_aio_flush(s->qdev.conf.bs, scsi_flush_complete, r);
+        return;
+    }
+
+    scsi_req_complete(&r->req, GOOD);
+    if (!r->req.io_canceled) {
+        scsi_req_unref(&r->req);
+    }
+}
+
+static void scsi_dma_complete(void *opaque, int ret)
+{
+    SCSIDiskReq *r = (SCSIDiskReq *)opaque;
+    SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
+
+    bdrv_acct_done(s->qdev.conf.bs, &r->acct);
  
-    if (ret) {
-        if (scsi_handle_rw_error(r, -ret, SCSI_REQ_STATUS_RETRY_READ)) {
-            return;
+    if (ret < 0) {
+        if (scsi_handle_rw_error(r, -ret)) {
+            goto done;
          }
      }
  
-    DPRINTF("Data ready tag=0x%x len=%zd\n", r->req.tag, r->qiov.size);
+    r->sector += r->sector_count;
+    r->sector_count = 0;
+    if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
+        scsi_write_do_fua(r);
+        return;
+    } else {
+        scsi_req_complete(&r->req, GOOD);
+    }
  
-    n = r->qiov.size / 512;
-    r->sector += n;
-    r->sector_count -= n;
-    scsi_req_data(&r->req, r->qiov.size);
+done:
+    if (!r->req.io_canceled) {
+        scsi_req_unref(&r->req);
+    }
  }
  
-static void scsi_flush_complete(void * opaque, int ret)
+static void scsi_read_complete(void * opaque, int ret)
  {
      SCSIDiskReq *r = (SCSIDiskReq *)opaque;
      SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
+    int n;
  
      if (r->req.aiocb != NULL) {
          r->req.aiocb = NULL;
@@ -158,12 +253,22 @@ static void scsi_flush_complete(void * opaque, int ret)
      }
  
      if (ret < 0) {
-        if (scsi_handle_rw_error(r, -ret, SCSI_REQ_STATUS_RETRY_FLUSH)) {
-            return;
+        if (scsi_handle_rw_error(r, -ret)) {
+            goto done;
          }
      }
  
-    scsi_req_complete(&r->req, GOOD);
+    DPRINTF("Data ready tag=0x%x len=%zd\n", r->req.tag, r->qiov.size);
+
+    n = r->qiov.size / 512;
+    r->sector += n;
+    r->sector_count -= n;
+    scsi_req_data(&r->req, r->qiov.size);
+
+done:
+    if (!r->req.io_canceled) {
+        scsi_req_unref(&r->req);
+    }
  }
  
  /* Read more data from scsi device into buffer.  */
@@ -189,6 +294,8 @@ static void scsi_read_data(SCSIRequest *req)
      /* No data transfer may already be in progress */
      assert(r->req.aiocb == NULL);
  
+    /* The request is used as the AIO opaque value, so add a ref.  */
+    scsi_req_ref(&r->req);
      if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
          DPRINTF("Data transfer direction invalid\n");
          scsi_read_complete(r, -EINVAL);
@@ -197,36 +304,47 @@ static void scsi_read_data(SCSIRequest *req)
  
      if (s->tray_open) {
          scsi_read_complete(r, -ENOMEDIUM);
+        return;
      }
-    n = scsi_init_iovec(r);
-    bdrv_acct_start(s->qdev.conf.bs, &r->acct, n * BDRV_SECTOR_SIZE, BDRV_ACCT_READ);
-    r->req.aiocb = bdrv_aio_readv(s->qdev.conf.bs, r->sector, &r->qiov, n,
-                              scsi_read_complete, r);
-    if (r->req.aiocb == NULL) {
-        scsi_read_complete(r, -EIO);
+
+    if (r->req.sg) {
+        dma_acct_start(s->qdev.conf.bs, &r->acct, r->req.sg, BDRV_ACCT_READ);
+        r->req.resid -= r->req.sg->size;
+        r->req.aiocb = dma_bdrv_read(s->qdev.conf.bs, r->req.sg, r->sector,
+                                     scsi_dma_complete, r);
+    } else {
+        n = scsi_init_iovec(r, SCSI_DMA_BUF_SIZE);
+        bdrv_acct_start(s->qdev.conf.bs, &r->acct, n * BDRV_SECTOR_SIZE, BDRV_ACCT_READ);
+        r->req.aiocb = bdrv_aio_readv(s->qdev.conf.bs, r->sector, &r->qiov, n,
+                                      scsi_read_complete, r);
      }
  }
  
-static int scsi_handle_rw_error(SCSIDiskReq *r, int error, int type)
+/*
+ * scsi_handle_rw_error has two return values.  0 means that the error
+ * must be ignored, 1 means that the error has been processed and the
+ * caller should not do anything else for this request.  Note that
+ * scsi_handle_rw_error always manages its reference counts, independent
+ * of the return value.
+ */
+static int scsi_handle_rw_error(SCSIDiskReq *r, int error)
  {
-    int is_read = (type == SCSI_REQ_STATUS_RETRY_READ);
+    int is_read = (r->req.cmd.xfer == SCSI_XFER_FROM_DEV);
      SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
      BlockErrorAction action = bdrv_get_on_error(s->qdev.conf.bs, is_read);
  
      if (action == BLOCK_ERR_IGNORE) {
-        bdrv_mon_event(s->qdev.conf.bs, BDRV_ACTION_IGNORE, is_read);
+        bdrv_emit_qmp_error_event(s->qdev.conf.bs, BDRV_ACTION_IGNORE, is_read);
          return 0;
      }
  
      if ((error == ENOSPC && action == BLOCK_ERR_STOP_ENOSPC)
              || action == BLOCK_ERR_STOP_ANY) {
  
-        type &= SCSI_REQ_STATUS_RETRY_TYPE_MASK;
-        r->status |= SCSI_REQ_STATUS_RETRY | type;
-
-        bdrv_mon_event(s->qdev.conf.bs, BDRV_ACTION_STOP, is_read);
+        bdrv_emit_qmp_error_event(s->qdev.conf.bs, BDRV_ACTION_STOP, is_read);
          vm_stop(RUN_STATE_IO_ERROR);
          bdrv_iostatus_set_err(s->qdev.conf.bs, error);
+        scsi_req_retry(&r->req);
      } else {
          switch (error) {
          case ENOMEDIUM:
@@ -242,7 +360,7 @@ static int scsi_handle_rw_error(SCSIDiskReq *r, int error, int type)
              scsi_check_condition(r, SENSE_CODE(IO_ERROR));
              break;
          }
-        bdrv_mon_event(s->qdev.conf.bs, BDRV_ACTION_REPORT, is_read);
+        bdrv_emit_qmp_error_event(s->qdev.conf.bs, BDRV_ACTION_REPORT, is_read);
      }
      return 1;
  }
@@ -258,9 +376,9 @@ static void scsi_write_complete(void * opaque, int ret)
          bdrv_acct_done(s->qdev.conf.bs, &r->acct);
      }
  
-    if (ret) {
-        if (scsi_handle_rw_error(r, -ret, SCSI_REQ_STATUS_RETRY_WRITE)) {
-            return;
+    if (ret < 0) {
+        if (scsi_handle_rw_error(r, -ret)) {
+            goto done;
          }
      }
  
@@ -268,12 +386,18 @@ static void scsi_write_complete(void * opaque, int ret)
      r->sector += n;
      r->sector_count -= n;
      if (r->sector_count == 0) {
-        scsi_req_complete(&r->req, GOOD);
+        scsi_write_do_fua(r);
+        return;
      } else {
-        scsi_init_iovec(r);
+        scsi_init_iovec(r, SCSI_DMA_BUF_SIZE);
          DPRINTF("Write complete tag=0x%x more=%d\n", r->req.tag, r->qiov.size);
          scsi_req_data(&r->req, r->qiov.size);
      }
+
+done:
+    if (!r->req.io_canceled) {
+        scsi_req_unref(&r->req);
+    }
  }
  
  static void scsi_write_data(SCSIRequest *req)
@@ -285,71 +409,34 @@ static void scsi_write_data(SCSIRequest *req)
      /* No data transfer may already be in progress */
      assert(r->req.aiocb == NULL);
  
+    /* The request is used as the AIO opaque value, so add a ref.  */
+    scsi_req_ref(&r->req);
      if (r->req.cmd.mode != SCSI_XFER_TO_DEV) {
          DPRINTF("Data transfer direction invalid\n");
          scsi_write_complete(r, -EINVAL);
          return;
      }
  
-    n = r->qiov.size / 512;
-    if (n) {
-        if (s->tray_open) {
-            scsi_write_complete(r, -ENOMEDIUM);
-        }
-        bdrv_acct_start(s->qdev.conf.bs, &r->acct, n * BDRV_SECTOR_SIZE, BDRV_ACCT_WRITE);
-        r->req.aiocb = bdrv_aio_writev(s->qdev.conf.bs, r->sector, &r->qiov, n,
-                                       scsi_write_complete, r);
-        if (r->req.aiocb == NULL) {
-            scsi_write_complete(r, -ENOMEM);
-        }
-    } else {
+    if (!r->req.sg && !r->qiov.size) {
          /* Called for the first time.  Ask the driver to send us more data.  */
          scsi_write_complete(r, 0);
+        return;
      }
-}
-
-static void scsi_dma_restart_bh(void *opaque)
-{
-    SCSIDiskState *s = opaque;
-    SCSIRequest *req;
-    SCSIDiskReq *r;
-
-    qemu_bh_delete(s->bh);
-    s->bh = NULL;
-
-    QTAILQ_FOREACH(req, &s->qdev.requests, next) {
-        r = DO_UPCAST(SCSIDiskReq, req, req);
-        if (r->status & SCSI_REQ_STATUS_RETRY) {
-            int status = r->status;
-
-            r->status &=
-                ~(SCSI_REQ_STATUS_RETRY | SCSI_REQ_STATUS_RETRY_TYPE_MASK);
-
-            switch (status & SCSI_REQ_STATUS_RETRY_TYPE_MASK) {
-            case SCSI_REQ_STATUS_RETRY_READ:
-                scsi_read_data(&r->req);
-                break;
-            case SCSI_REQ_STATUS_RETRY_WRITE:
-                scsi_write_data(&r->req);
-                break;
-            case SCSI_REQ_STATUS_RETRY_FLUSH:
-                scsi_send_command(&r->req, r->req.cmd.buf);
-                break;
-            }
-        }
-    }
-}
-
-static void scsi_dma_restart_cb(void *opaque, int running, RunState state)
-{
-    SCSIDiskState *s = opaque;
-
-    if (!running) {
+    if (s->tray_open) {
+        scsi_write_complete(r, -ENOMEDIUM);
          return;
      }
-    if (!s->bh) {
-        s->bh = qemu_bh_new(scsi_dma_restart_bh, s);
-        qemu_bh_schedule(s->bh);
+
+    if (r->req.sg) {
+        dma_acct_start(s->qdev.conf.bs, &r->acct, r->req.sg, BDRV_ACCT_WRITE);
+        r->req.resid -= r->req.sg->size;
+        r->req.aiocb = dma_bdrv_write(s->qdev.conf.bs, r->req.sg, r->sector,
+                                      scsi_dma_complete, r);
+    } else {
+        n = r->qiov.size / 512;
+        bdrv_acct_start(s->qdev.conf.bs, &r->acct, n * BDRV_SECTOR_SIZE, BDRV_ACCT_WRITE);
+        r->req.aiocb = bdrv_aio_writev(s->qdev.conf.bs, r->sector, &r->qiov, n,
+                                       scsi_write_complete, r);
      }
  }
  
@@ -414,9 +501,6 @@ static int scsi_disk_emulate_inquiry(SCSIRequest *req, uint8_t *outbuf)
              }
  
              l = strlen(s->serial);
-            if (l > req->cmd.xfer) {
-                l = req->cmd.xfer;
-            }
              if (l > 20) {
                  l = 20;
              }
@@ -431,8 +515,9 @@ static int scsi_disk_emulate_inquiry(SCSIRequest *req, uint8_t *outbuf)
  
          case 0x83: /* Device identification page, mandatory */
          {
-            int max_len = 255 - 8;
-            int id_len = strlen(bdrv_get_device_name(s->qdev.conf.bs));
+            const char *str = s->serial ?: bdrv_get_device_name(s->qdev.conf.bs);
+            int max_len = s->serial ? 20 : 255 - 8;
+            int id_len = strlen(str);
  
              if (id_len > max_len) {
                  id_len = max_len;
@@ -446,7 +531,7 @@ static int scsi_disk_emulate_inquiry(SCSIRequest *req, uint8_t *outbuf)
              outbuf[buflen++] = 0;   // reserved
              outbuf[buflen++] = id_len; // length of data following
  
-            memcpy(outbuf+buflen, bdrv_get_device_name(s->qdev.conf.bs), id_len);
+            memcpy(outbuf+buflen, str, id_len);
              buflen += id_len;
              break;
          }
@@ -689,9 +774,14 @@ static int scsi_event_status_media(SCSIDiskState *s, uint8_t *outbuf)
  
      /* Event notification descriptor */
      event_code = MEC_NO_CHANGE;
-    if (media_status != MS_TRAY_OPEN && s->media_event) {
-        event_code = MEC_NEW_MEDIA;
-        s->media_event = false;
+    if (media_status != MS_TRAY_OPEN) {
+        if (s->media_event) {
+            event_code = MEC_NEW_MEDIA;
+            s->media_event = false;
+        } else if (s->eject_request) {
+            event_code = MEC_EJECT_REQUESTED;
+            s->eject_request = false;
+        }
      }
  
      outbuf[0] = event_code;
@@ -809,7 +899,7 @@ static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf,
              break;
          }
          /* if a geometry hint is available, use it */
-        bdrv_get_geometry_hint(bdrv, &cylinders, &heads, &secs);
+        bdrv_guess_geometry(bdrv, &cylinders, &heads, &secs);
          p[2] = (cylinders >> 16) & 0xff;
          p[3] = (cylinders >> 8) & 0xff;
          p[4] = cylinders & 0xff;
@@ -843,7 +933,7 @@ static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf,
          p[2] = 5000 >> 8;
          p[3] = 5000 & 0xff;
          /* if a geometry hint is available, use it */
-        bdrv_get_geometry_hint(bdrv, &cylinders, &heads, &secs);
+        bdrv_guess_geometry(bdrv, &cylinders, &heads, &secs);
          p[4] = heads & 0xff;
          p[5] = secs & 0xff;
          p[6] = s->qdev.blocksize >> 8;
@@ -968,8 +1058,9 @@ static int scsi_disk_emulate_mode_sense(SCSIDiskReq *r, uint8_t *outbuf)
          p += 8;
      }
  
+    /* MMC prescribes that CD/DVD drives have no block descriptors.  */
      bdrv_get_geometry(s->qdev.conf.bs, &nb_sectors);
-    if (!dbd && nb_sectors) {
+    if (!dbd && s->qdev.type == TYPE_DISK && nb_sectors) {
          if (r->req.cmd.buf[0] == MODE_SENSE) {
              outbuf[3] = 8; /* Block descriptor length  */
          } else { /* MODE_SENSE_10 */
@@ -1019,9 +1110,6 @@ static int scsi_disk_emulate_mode_sense(SCSIDiskReq *r, uint8_t *outbuf)
          outbuf[0] = ((buflen - 2) >> 8) & 0xff;
          outbuf[1] = (buflen - 2) & 0xff;
      }
-    if (buflen > r->req.cmd.xfer) {
-        buflen = r->req.cmd.xfer;
-    }
      return buflen;
  }
  
@@ -1055,9 +1143,6 @@ static int scsi_disk_emulate_read_toc(SCSIRequest *req, uint8_t *outbuf)
      default:
          return -1;
      }
-    if (toclen > req->cmd.xfer) {
-        toclen = req->cmd.xfer;
-    }
      return toclen;
  }
  
@@ -1076,8 +1161,11 @@ static int scsi_disk_emulate_start_stop(SCSIDiskReq *r)
                                   : SENSE_CODE(NOT_READY_REMOVAL_PREVENTED));
              return -1;
          }
-        bdrv_eject(s->qdev.conf.bs, !start);
-        s->tray_open = !start;
+
+        if (s->tray_open != !start) {
+            bdrv_eject(s->qdev.conf.bs, !start);
+            s->tray_open = !start;
+        }
      }
      return 0;
  }
@@ -1109,9 +1197,7 @@ static int scsi_disk_emulate_command(SCSIDiskReq *r)
      outbuf = r->iov.iov_base;
      switch (req->cmd.buf[0]) {
      case TEST_UNIT_READY:
-        if (s->tray_open || !bdrv_is_inserted(s->qdev.conf.bs)) {
-            goto not_ready;
-        }
+        assert(!s->tray_open && bdrv_is_inserted(s->qdev.conf.bs));
          break;
      case INQUIRY:
          buflen = scsi_disk_emulate_inquiry(req, outbuf);
@@ -1166,7 +1252,8 @@ static int scsi_disk_emulate_command(SCSIDiskReq *r)
          memset(outbuf, 0, 8);
          bdrv_get_geometry(s->qdev.conf.bs, &nb_sectors);
          if (!nb_sectors) {
-            goto not_ready;
+            scsi_check_condition(r, SENSE_CODE(LUN_NOT_READY));
+            return -1;
          }
          if ((req->cmd.buf[8] & 1) == 0 && req->cmd.lba) {
              goto illegal_request;
@@ -1175,7 +1262,7 @@ static int scsi_disk_emulate_command(SCSIDiskReq *r)
          /* Returned value is the address of the last sector.  */
          nb_sectors--;
          /* Remember the new size for read/write sanity checking. */
-        s->max_lba = nb_sectors;
+        s->qdev.max_lba = nb_sectors;
          /* Clip to 2TB, instead of returning capacity modulo 2TB. */
          if (nb_sectors > UINT32_MAX) {
              nb_sectors = UINT32_MAX;
@@ -1190,6 +1277,11 @@ static int scsi_disk_emulate_command(SCSIDiskReq *r)
          outbuf[7] = 0;
          buflen = 8;
          break;
+    case REQUEST_SENSE:
+        /* Just return "NO SENSE".  */
+        buflen = scsi_build_sense(NULL, 0, outbuf, r->buflen,
+                                  (req->cmd.buf[1] & 1) == 0);
+        break;
      case MECHANISM_STATUS:
          buflen = scsi_emulate_mechanism_status(s, outbuf);
          if (buflen < 0) {
@@ -1221,7 +1313,8 @@ static int scsi_disk_emulate_command(SCSIDiskReq *r)
              memset(outbuf, 0, req->cmd.xfer);
              bdrv_get_geometry(s->qdev.conf.bs, &nb_sectors);
              if (!nb_sectors) {
-                goto not_ready;
+                scsi_check_condition(r, SENSE_CODE(LUN_NOT_READY));
+                return -1;
              }
              if ((req->cmd.buf[14] & 1) == 0 && req->cmd.lba) {
                  goto illegal_request;
@@ -1230,7 +1323,7 @@ static int scsi_disk_emulate_command(SCSIDiskReq *r)
              /* Returned value is the address of the last sector.  */
              nb_sectors--;
              /* Remember the new size for read/write sanity checking. */
-            s->max_lba = nb_sectors;
+            s->qdev.max_lba = nb_sectors;
              outbuf[0] = (nb_sectors >> 56) & 0xff;
              outbuf[1] = (nb_sectors >> 48) & 0xff;
              outbuf[2] = (nb_sectors >> 40) & 0xff;
@@ -1263,16 +1356,9 @@ static int scsi_disk_emulate_command(SCSIDiskReq *r)
          scsi_check_condition(r, SENSE_CODE(INVALID_OPCODE));
          return -1;
      }
+    buflen = MIN(buflen, req->cmd.xfer);
      return buflen;
  
-not_ready:
-    if (s->tray_open || !bdrv_is_inserted(s->qdev.conf.bs)) {
-        scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
-    } else {
-        scsi_check_condition(r, SENSE_CODE(LUN_NOT_READY));
-    }
-    return -1;
-
  illegal_request:
      if (r->req.status == -1) {
          scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
@@ -1306,6 +1392,30 @@ static int32_t scsi_send_command(SCSIRequest *req, uint8_t *buf)
      }
  #endif
  
+    switch (command) {
+    case INQUIRY:
+    case MODE_SENSE:
+    case MODE_SENSE_10:
+    case RESERVE:
+    case RESERVE_10:
+    case RELEASE:
+    case RELEASE_10:
+    case START_STOP:
+    case ALLOW_MEDIUM_REMOVAL:
+    case GET_CONFIGURATION:
+    case GET_EVENT_STATUS_NOTIFICATION:
+    case MECHANISM_STATUS:
+    case REQUEST_SENSE:
+        break;
+
+    default:
+        if (s->tray_open || !bdrv_is_inserted(s->qdev.conf.bs)) {
+            scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
+            return 0;
+        }
+        break;
+    }
+
      switch (command) {
      case TEST_UNIT_READY:
      case INQUIRY:
@@ -1324,6 +1434,7 @@ static int32_t scsi_send_command(SCSIRequest *req, uint8_t *buf)
      case GET_EVENT_STATUS_NOTIFICATION:
      case MECHANISM_STATUS:
      case SERVICE_ACTION_IN_16:
+    case REQUEST_SENSE:
      case VERIFY_10:
          rc = scsi_disk_emulate_command(r);
          if (rc < 0) {
@@ -1333,11 +1444,10 @@ static int32_t scsi_send_command(SCSIRequest *req, uint8_t *buf)
          r->iov.iov_len = rc;
          break;
      case SYNCHRONIZE_CACHE:
+        /* The request is used as the AIO opaque value, so add a ref.  */
+        scsi_req_ref(&r->req);
          bdrv_acct_start(s->qdev.conf.bs, &r->acct, 0, BDRV_ACCT_FLUSH);
          r->req.aiocb = bdrv_aio_flush(s->qdev.conf.bs, scsi_flush_complete, r);
-        if (r->req.aiocb == NULL) {
-            scsi_flush_complete(r, -EIO);
-        }
          return 0;
      case READ_6:
      case READ_10:
@@ -1345,7 +1455,7 @@ static int32_t scsi_send_command(SCSIRequest *req, uint8_t *buf)
      case READ_16:
          len = r->req.cmd.xfer / s->qdev.blocksize;
          DPRINTF("Read (sector %" PRId64 ", count %d)\n", r->req.cmd.lba, len);
-        if (r->req.cmd.lba > s->max_lba) {
+        if (r->req.cmd.lba > s->qdev.max_lba) {
              goto illegal_lba;
          }
          r->sector = r->req.cmd.lba * (s->qdev.blocksize / 512);
@@ -1362,7 +1472,7 @@ static int32_t scsi_send_command(SCSIRequest *req, uint8_t *buf)
          DPRINTF("Write %s(sector %" PRId64 ", count %d)\n",
                  (command & 0xe) == 0xe ? "And Verify " : "",
                  r->req.cmd.lba, len);
-        if (r->req.cmd.lba > s->max_lba) {
+        if (r->req.cmd.lba > s->qdev.max_lba) {
              goto illegal_lba;
          }
          r->sector = r->req.cmd.lba * (s->qdev.blocksize / 512);
@@ -1384,11 +1494,9 @@ static int32_t scsi_send_command(SCSIRequest *req, uint8_t *buf)
              goto fail;
          }
          break;
-    case SEEK_6:
      case SEEK_10:
-        DPRINTF("Seek(%d) (sector %" PRId64 ")\n", command == SEEK_6 ? 6 : 10,
-                r->req.cmd.lba);
-        if (r->req.cmd.lba > s->max_lba) {
+        DPRINTF("Seek(10) (sector %" PRId64 ")\n", r->req.cmd.lba);
+        if (r->req.cmd.lba > s->qdev.max_lba) {
              goto illegal_lba;
          }
          break;
@@ -1398,7 +1506,7 @@ static int32_t scsi_send_command(SCSIRequest *req, uint8_t *buf)
          DPRINTF("WRITE SAME(16) (sector %" PRId64 ", count %d)\n",
                  r->req.cmd.lba, len);
  
-        if (r->req.cmd.lba > s->max_lba) {
+        if (r->req.cmd.lba > s->qdev.max_lba) {
              goto illegal_lba;
          }
  
@@ -1418,8 +1526,6 @@ static int32_t scsi_send_command(SCSIRequest *req, uint8_t *buf)
          }
  
          break;
-    case REQUEST_SENSE:
-        abort();
      default:
          DPRINTF("Unknown SCSI command (%2.2x)\n", buf[0]);
          scsi_check_condition(r, SENSE_CODE(INVALID_OPCODE));
@@ -1457,7 +1563,7 @@ static void scsi_disk_reset(DeviceState *dev)
      if (nb_sectors) {
          nb_sectors--;
      }
-    s->max_lba = nb_sectors;
+    s->qdev.max_lba = nb_sectors;
  }
  
  static void scsi_destroy(SCSIDevice *dev)
@@ -1486,6 +1592,17 @@ static void scsi_cd_change_media_cb(void *opaque, bool load)
      s->tray_open = !load;
      s->qdev.unit_attention = SENSE_CODE(UNIT_ATTENTION_NO_MEDIUM);
      s->media_event = true;
+    s->eject_request = false;
+}
+
+static void scsi_cd_eject_request_cb(void *opaque, bool force)
+{
+    SCSIDiskState *s = opaque;
+
+    s->eject_request = true;
+    if (force) {
+        s->tray_locked = false;
+    }
  }
  
  static bool scsi_cd_is_tray_open(void *opaque)
@@ -1500,6 +1617,7 @@ static bool scsi_cd_is_medium_locked(void *opaque)
  
  static const BlockDevOps scsi_cd_block_ops = {
      .change_media_cb = scsi_cd_change_media_cb,
+    .eject_request_cb = scsi_cd_eject_request_cb,
      .is_tray_open = scsi_cd_is_tray_open,
      .is_medium_locked = scsi_cd_is_medium_locked,
  };
@@ -1519,7 +1637,7 @@ static int scsi_initfn(SCSIDevice *dev)
      DriveInfo *dinfo;
  
      if (!s->qdev.conf.bs) {
-        error_report("scsi-disk: drive property not set");
+        error_report("drive property not set");
          return -1;
      }
  
@@ -1541,7 +1659,7 @@ static int scsi_initfn(SCSIDevice *dev)
      }
  
      if (bdrv_is_sg(s->qdev.conf.bs)) {
-        error_report("scsi-disk: unwanted /dev/sg*");
+        error_report("unwanted /dev/sg*");
          return -1;
      }
  
@@ -1550,9 +1668,8 @@ static int scsi_initfn(SCSIDevice *dev)
      }
      bdrv_set_buffer_alignment(s->qdev.conf.bs, s->qdev.blocksize);
  
-    qemu_add_vm_change_state_handler(scsi_dma_restart_cb, s);
      bdrv_iostatus_enable(s->qdev.conf.bs);
-    add_boot_device_path(s->qdev.conf.bootindex, &dev->qdev, ",0");
+    add_boot_device_path(s->qdev.conf.bootindex, &dev->qdev, NULL);
      return 0;
  }
  
@@ -1589,7 +1706,7 @@ static int scsi_disk_initfn(SCSIDevice *dev)
      }
  }
  
-static SCSIReqOps scsi_disk_reqops = {
+static const SCSIReqOps scsi_disk_reqops = {
      .size         = sizeof(SCSIDiskReq),
      .free_req     = scsi_free_request,
      .send_command = scsi_send_command,
@@ -1597,10 +1714,12 @@ static SCSIReqOps scsi_disk_reqops = {
      .write_data   = scsi_write_data,
      .cancel_io    = scsi_cancel_io,
      .get_buf      = scsi_get_buf,
+    .load_request = scsi_disk_load_request,
+    .save_request = scsi_disk_save_request,
  };
  
-static SCSIRequest *scsi_new_request(SCSIDevice *d, uint32_t tag,
-                                     uint32_t lun, void *hba_private)
+static SCSIRequest *scsi_new_request(SCSIDevice *d, uint32_t tag, uint32_t lun,
+                                     uint8_t *buf, void *hba_private)
  {
      SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, d);
      SCSIRequest *req;
@@ -1609,65 +1728,271 @@ static SCSIRequest *scsi_new_request(SCSIDevice *d, uint32_t tag,
      return req;
  }
  
+#ifdef __linux__
+static int get_device_type(SCSIDiskState *s)
+{
+    BlockDriverState *bdrv = s->qdev.conf.bs;
+    uint8_t cmd[16];
+    uint8_t buf[36];
+    uint8_t sensebuf[8];
+    sg_io_hdr_t io_header;
+    int ret;
+
+    memset(cmd, 0, sizeof(cmd));
+    memset(buf, 0, sizeof(buf));
+    cmd[0] = INQUIRY;
+    cmd[4] = sizeof(buf);
+
+    memset(&io_header, 0, sizeof(io_header));
+    io_header.interface_id = 'S';
+    io_header.dxfer_direction = SG_DXFER_FROM_DEV;
+    io_header.dxfer_len = sizeof(buf);
+    io_header.dxferp = buf;
+    io_header.cmdp = cmd;
+    io_header.cmd_len = sizeof(cmd);
+    io_header.mx_sb_len = sizeof(sensebuf);
+    io_header.sbp = sensebuf;
+    io_header.timeout = 6000; /* XXX */
+
+    ret = bdrv_ioctl(bdrv, SG_IO, &io_header);
+    if (ret < 0 || io_header.driver_status || io_header.host_status) {
+        return -1;
+    }
+    s->qdev.type = buf[0];
+    s->removable = (buf[1] & 0x80) != 0;
+    return 0;
+}
+
+static int scsi_block_initfn(SCSIDevice *dev)
+{
+    SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev);
+    int sg_version;
+    int rc;
+
+    if (!s->qdev.conf.bs) {
+        error_report("scsi-block: drive property not set");
+        return -1;
+    }
+
+    /* check we are using a driver managing SG_IO (version 3 and after) */
+    if (bdrv_ioctl(s->qdev.conf.bs, SG_GET_VERSION_NUM, &sg_version) < 0 ||
+        sg_version < 30000) {
+        error_report("scsi-block: scsi generic interface too old");
+        return -1;
+    }
+
+    /* get device type from INQUIRY data */
+    rc = get_device_type(s);
+    if (rc < 0) {
+        error_report("scsi-block: INQUIRY failed");
+        return -1;
+    }
+
+    /* Make a guess for the block size, we'll fix it when the guest sends.
+     * READ CAPACITY.  If they don't, they likely would assume these sizes
+     * anyway. (TODO: check in /sys).
+     */
+    if (s->qdev.type == TYPE_ROM || s->qdev.type == TYPE_WORM) {
+        s->qdev.blocksize = 2048;
+    } else {
+        s->qdev.blocksize = 512;
+    }
+    return scsi_initfn(&s->qdev);
+}
+
+static SCSIRequest *scsi_block_new_request(SCSIDevice *d, uint32_t tag,
+                                           uint32_t lun, uint8_t *buf,
+                                           void *hba_private)
+{
+    SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, d);
+
+    switch (buf[0]) {
+    case READ_6:
+    case READ_10:
+    case READ_12:
+    case READ_16:
+    case WRITE_6:
+    case WRITE_10:
+    case WRITE_12:
+    case WRITE_16:
+    case WRITE_VERIFY_10:
+    case WRITE_VERIFY_12:
+    case WRITE_VERIFY_16:
+        /* If we are not using O_DIRECT, we might read stale data from the
+        * host cache if writes were made using other commands than these
+        * ones (such as WRITE SAME or EXTENDED COPY, etc.).  So, without
+        * O_DIRECT everything must go through SG_IO.
+         */
+        if (!(s->qdev.conf.bs->open_flags & BDRV_O_NOCACHE)) {
+            break;
+        }
+
+        /* MMC writing cannot be done via pread/pwrite, because it sometimes
+         * involves writing beyond the maximum LBA or to negative LBA (lead-in).
+         * And once you do these writes, reading from the block device is
+         * unreliable, too.  It is even possible that reads deliver random data
+         * from the host page cache (this is probably a Linux bug).
+         *
+         * We might use scsi_disk_reqops as long as no writing commands are
+         * seen, but performance usually isn't paramount on optical media.  So,
+         * just make scsi-block operate the same as scsi-generic for them.
+         */
+        if (s->qdev.type == TYPE_ROM) {
+            break;
+       }
+        return scsi_req_alloc(&scsi_disk_reqops, &s->qdev, tag, lun,
+                              hba_private);
+    }
+
+    return scsi_req_alloc(&scsi_generic_req_ops, &s->qdev, tag, lun,
+                          hba_private);
+}
+#endif
+
  #define DEFINE_SCSI_DISK_PROPERTIES()                           \
      DEFINE_BLOCK_PROPERTIES(SCSIDiskState, qdev.conf),          \
      DEFINE_PROP_STRING("ver",  SCSIDiskState, version),         \
      DEFINE_PROP_STRING("serial",  SCSIDiskState, serial)
  
-static SCSIDeviceInfo scsi_disk_info[] = {
-    {
-        .qdev.name    = "scsi-hd",
-        .qdev.fw_name = "disk",
-        .qdev.desc    = "virtual SCSI disk",
-        .qdev.size    = sizeof(SCSIDiskState),
-        .qdev.reset   = scsi_disk_reset,
-        .init         = scsi_hd_initfn,
-        .destroy      = scsi_destroy,
-        .alloc_req    = scsi_new_request,
-        .unit_attention_reported = scsi_disk_unit_attention_reported,
-        .qdev.props   = (Property[]) {
-            DEFINE_SCSI_DISK_PROPERTIES(),
-            DEFINE_PROP_BIT("removable", SCSIDiskState, removable, 0, false),
-            DEFINE_PROP_END_OF_LIST(),
-        }
-    },{
-        .qdev.name    = "scsi-cd",
-        .qdev.fw_name = "disk",
-        .qdev.desc    = "virtual SCSI CD-ROM",
-        .qdev.size    = sizeof(SCSIDiskState),
-        .qdev.reset   = scsi_disk_reset,
-        .init         = scsi_cd_initfn,
-        .destroy      = scsi_destroy,
-        .alloc_req    = scsi_new_request,
-        .unit_attention_reported = scsi_disk_unit_attention_reported,
-        .qdev.props   = (Property[]) {
-            DEFINE_SCSI_DISK_PROPERTIES(),
-            DEFINE_PROP_END_OF_LIST(),
-        },
-    },{
-        .qdev.name    = "scsi-disk", /* legacy -device scsi-disk */
-        .qdev.fw_name = "disk",
-        .qdev.desc    = "virtual SCSI disk or CD-ROM (legacy)",
-        .qdev.size    = sizeof(SCSIDiskState),
-        .qdev.reset   = scsi_disk_reset,
-        .init         = scsi_disk_initfn,
-        .destroy      = scsi_destroy,
-        .alloc_req    = scsi_new_request,
-        .unit_attention_reported = scsi_disk_unit_attention_reported,
-        .qdev.props   = (Property[]) {
-            DEFINE_SCSI_DISK_PROPERTIES(),
-            DEFINE_PROP_BIT("removable", SCSIDiskState, removable, 0, false),
-            DEFINE_PROP_END_OF_LIST(),
-        }
+static Property scsi_hd_properties[] = {
+    DEFINE_SCSI_DISK_PROPERTIES(),
+    DEFINE_PROP_BIT("removable", SCSIDiskState, removable, 0, false),
+    DEFINE_PROP_END_OF_LIST(),
+};
+
+static const VMStateDescription vmstate_scsi_disk_state = {
+    .name = "scsi-disk",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .minimum_version_id_old = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_SCSI_DEVICE(qdev, SCSIDiskState),
+        VMSTATE_BOOL(media_changed, SCSIDiskState),
+        VMSTATE_BOOL(media_event, SCSIDiskState),
+        VMSTATE_BOOL(eject_request, SCSIDiskState),
+        VMSTATE_BOOL(tray_open, SCSIDiskState),
+        VMSTATE_BOOL(tray_locked, SCSIDiskState),
+        VMSTATE_END_OF_LIST()
      }
  };
  
-static void scsi_disk_register_devices(void)
+static void scsi_hd_class_initfn(ObjectClass *klass, void *data)
  {
-    int i;
+    DeviceClass *dc = DEVICE_CLASS(klass);
+    SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
+
+    sc->init         = scsi_hd_initfn;
+    sc->destroy      = scsi_destroy;
+    sc->alloc_req    = scsi_new_request;
+    sc->unit_attention_reported = scsi_disk_unit_attention_reported;
+    dc->fw_name = "disk";
+    dc->desc = "virtual SCSI disk";
+    dc->reset = scsi_disk_reset;
+    dc->props = scsi_hd_properties;
+    dc->vmsd  = &vmstate_scsi_disk_state;
+}
  
-    for (i = 0; i < ARRAY_SIZE(scsi_disk_info); i++) {
-        scsi_qdev_register(&scsi_disk_info[i]);
-    }
+static TypeInfo scsi_hd_info = {
+    .name          = "scsi-hd",
+    .parent        = TYPE_SCSI_DEVICE,
+    .instance_size = sizeof(SCSIDiskState),
+    .class_init    = scsi_hd_class_initfn,
+};
+
+static Property scsi_cd_properties[] = {
+    DEFINE_SCSI_DISK_PROPERTIES(),
+    DEFINE_PROP_END_OF_LIST(),
+};
+
+static void scsi_cd_class_initfn(ObjectClass *klass, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(klass);
+    SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
+
+    sc->init         = scsi_cd_initfn;
+    sc->destroy      = scsi_destroy;
+    sc->alloc_req    = scsi_new_request;
+    sc->unit_attention_reported = scsi_disk_unit_attention_reported;
+    dc->fw_name = "disk";
+    dc->desc = "virtual SCSI CD-ROM";
+    dc->reset = scsi_disk_reset;
+    dc->props = scsi_cd_properties;
+    dc->vmsd  = &vmstate_scsi_disk_state;
  }
-device_init(scsi_disk_register_devices)
+
+static TypeInfo scsi_cd_info = {
+    .name          = "scsi-cd",
+    .parent        = TYPE_SCSI_DEVICE,
+    .instance_size = sizeof(SCSIDiskState),
+    .class_init    = scsi_cd_class_initfn,
+};
+
+#ifdef __linux__
+static Property scsi_block_properties[] = {
+    DEFINE_SCSI_DISK_PROPERTIES(),
+    DEFINE_PROP_END_OF_LIST(),
+};
+
+static void scsi_block_class_initfn(ObjectClass *klass, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(klass);
+    SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
+
+    sc->init         = scsi_block_initfn;
+    sc->destroy      = scsi_destroy;
+    sc->alloc_req    = scsi_block_new_request;
+    dc->fw_name = "disk";
+    dc->desc = "SCSI block device passthrough";
+    dc->reset = scsi_disk_reset;
+    dc->props = scsi_block_properties;
+    dc->vmsd  = &vmstate_scsi_disk_state;
+}
+
+static TypeInfo scsi_block_info = {
+    .name          = "scsi-block",
+    .parent        = TYPE_SCSI_DEVICE,
+    .instance_size = sizeof(SCSIDiskState),
+    .class_init    = scsi_block_class_initfn,
+};
+#endif
+
+static Property scsi_disk_properties[] = {
+    DEFINE_SCSI_DISK_PROPERTIES(),
+    DEFINE_PROP_BIT("removable", SCSIDiskState, removable, 0, false),
+    DEFINE_PROP_END_OF_LIST(),
+};
+
+static void scsi_disk_class_initfn(ObjectClass *klass, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(klass);
+    SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(klass);
+
+    sc->init         = scsi_disk_initfn;
+    sc->destroy      = scsi_destroy;
+    sc->alloc_req    = scsi_new_request;
+    sc->unit_attention_reported = scsi_disk_unit_attention_reported;
+    dc->fw_name = "disk";
+    dc->desc = "virtual SCSI disk or CD-ROM (legacy)";
+    dc->reset = scsi_disk_reset;
+    dc->props = scsi_disk_properties;
+    dc->vmsd  = &vmstate_scsi_disk_state;
+}
+
+static TypeInfo scsi_disk_info = {
+    .name          = "scsi-disk",
+    .parent        = TYPE_SCSI_DEVICE,
+    .instance_size = sizeof(SCSIDiskState),
+    .class_init    = scsi_disk_class_initfn,
+};
+
+static void scsi_disk_register_types(void)
+{
+    type_register_static(&scsi_hd_info);
+    type_register_static(&scsi_cd_info);
+#ifdef __linux__
+    type_register_static(&scsi_block_info);
+#endif
+    type_register_static(&scsi_disk_info);
+}
+
+type_init(scsi_disk_register_types)