LOAD_UNLOAD and START_STOP have same value, so the table
entry is initialized twice. Spotted by Clang compiler.

Remove LOAD_UNLOAD entry since START_STOP entry already
represents both.
Reviewed-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Correct the command names of opcode 0x85 and 0xa1, and calculate
their xfer size from CDB.
Signed-off-by: NCong Meng <mc@linux.vnet.ibm.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Change the sense codes for failures to eject a device that is locked
by PREVENT_ALLOW_MEDIUM_REMOVAL from
the generic MEDIA_LOAD_OR_EJECT_FAILED to the more specific
MEDIUM_REMOVAL_PREVENTED.

The second sense code is more accurate, and is also listed in MMC annex F
for the recommended sense codes for MMC devices while the first sense code is not.
Signed-off-by: NRonnie Sahlberg <ronniesahlberg@gmail.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Linux will not use these, but a very similar mechanism will be used to
report the condition via virtio-scsi events.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

When a device is resized, we will report a unit attention condition
for CAPACITY DATA HAS CHANGED.  However, we should ensure that this
condition does not override a more important unit attention condition.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Add two interfaces hotplug() and hot_unplug() to scsi bus info.
The scsi bus can implement these two interfaces to signal the HBA driver
of guest kernel to add/remove the scsi device in question.
Signed-off-by: NSen Wang <senwang@linux.vnet.ibm.com>
Signed-off-by: NCong Meng <mc@linux.vnet.ibm.com>
[ Fixed braces and indentation - Paolo ]
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Add sense code for DATA_PROTECT/WRITE_PROTECTED and return this error
for any WRITE*/WRITE_VERIFY* calls if the device is readonly=on,
i.e. write-protected
Signed-off-by: NRonnie Sahlberg <ronniesahlberg@gmail.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

This adds the bulk of the parsing code for MODE SELECT, including
breaking out changes to different mode pages, and checking that only
changeable values are modified.

In order to report errors correctly two passes are made through the
parameters; the first only looks for errors, the second actually
applies the changes to the mode page.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Most device models have a simple lifecycle for the hba_private field
and they can free it when a request is completed or cancelled.
However, in some cases it may be simpler to tie the lifetime
of hba_private to that of the included SCSIRequest.  This patch
adds a free_request callback to SCSIBusInfo that lets an HBA
device model do exactly that.

Normally, device models use req->hba_private == NULL to flag requests
that have been completed already.  Device models that use free_request
will still need to track this using a flag.  This is the reason why
"converting" existing HBAs to use free_request adds complexity and
makes little sense.  It is simply an additional convenience that is
provided by the SCSI layer.  USB-attached storage will be the first
user.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

The transfer length depends on the specific service action
code, as defined in the SCSI stream commands spec section 7.7.
Up to now only the extended form was supported.
Signed-off-by: NChristian Hoff <christian.hoff@de.ibm.com>
Signed-off-by: NChristian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

This adds basic support for SCSI media changer commands.
Not all commands are supported as of now, but enough to cover
basic functionality.
Signed-off-by: NChristian Hoff <christian.hoff@de.ibm.com>
Signed-off-by: NChristian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

scsi-generic relies on those values to be correct, so it is important that
those values are initialized properly for all device types.
Reported-by: NChristian Hoff <christian.hoff@de.ibm.com>
Reported-by: NChristian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Change operation code of LOAD_UNLOAD command to 0x1b as described in
section 7.3 of the SCSI Stream Commands spec.
Signed-off-by: NChristian Hoff <christian.hoff@de.ibm.com>
Signed-off-by: NChristian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Fix the edge case where the sense data length is exactly the same
as SCSI_SENSE_BUF_SIZE.
This makes SCSI requests work that use all of the available 95 byte
sense data.
Signed-off-by: NChristian Hoff <christian.hoff@de.ibm.com>
Signed-off-by: NChristian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

QEMU exposes its version to the guest's hardware and in some cases that is wrong
(e.g. Windows prints messages about driver updates when you switch
the QEMU version).
There is a new field now on the struct QEmuMachine, hw_version, which may
contain the version that the specific machine should report. If that field is
set, then that machine will report that version to the guest.
Signed-off-by: NCrístian Viana <vianac@linux.vnet.ibm.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Avoids duplicated error_set().
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
[AF: Also drop error_set() in object_property_del().]
Signed-off-by: NAndreas Färber <afaerber@suse.de>

Can be replaced everywhere with object_property_find().
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NAndreas Färber <afaerber@suse.de>

Make qbus children show up as link<> properties.  There is no stable
addressing for qbus children so we use an unstable naming convention.

This is okay in QOM though because the composition name is expected to
be what's stable.
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NAndreas Färber <afaerber@suse.de>

This is far less interesting than it sounds.  We simply add an Object to each
BusState and then register the types appropriately.  Most of the interesting
refactoring will follow in the next patches.

Since we're changing fundamental type names (BusInfo -> BusClass), it all needs
to convert at once.  Fortunately, not a lot of code is affected.
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
[AF: Made all new bus TypeInfos static const.]
[AF: Made qbus_free() call object_delete(), required {qom,glib}_allocated]
Signed-off-by: NAndreas Färber <afaerber@suse.de>

This makes it easier to remove it from BusInfo.
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
[AF: Drop now unnecessary NULL initialization in scsibus_get_dev_path()]
Signed-off-by: NAndreas Färber <afaerber@suse.de>

In qdev, each bus in practice identified an abstract superclass, but
this was mostly hidden.  In QOM, instead, these abstract classes are
explicit so we can move bus properties there.

All bus property walks are removed, and all device property walks
are changed to look along the class hierarchy instead.

We would have duplicates if class A defines some properties and its
subclass B does not define any, because class_b->props will be
left equal to class_a->props.

The solution here is to reintroduce the class_base_init TypeInfo
callback, that was present in one of the early QOM versions but
removed (on my request...) before committing.

This breaks global bus properties, an obscure feature when used
with the command-line which is actually useful and used when used by
backwards-compatible machine types.  So this patch also adjusts the
global bus properties in hw/pc_piix.c to refer to the abstract class.

Globals and other properties must be modified in the same patch to
avoid complications related to initialization ordering.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NAndreas Färber <afaerber@suse.de>

Simple code movement in order to simplify future refactoring.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NAndreas Färber <afaerber@suse.de>

usb-storage can't handle requests in one go as the data transfer can be
splitted into lots of usb packets.  Because of that there can be
normal in-flight requests at savevm time and we need to handle that.
With other scsi hba's this happens only in case i/o is stopped due to
errors and there are pending requests which need to be restarted
(req->retry = true).

So, first we need to save req->retry and then handle the req->retry =
false case.  Write requests are handled fine already.  For read requests
we have to save the buffer as we will not restart the request (and thus
not refill the buffer) on the target host.

Cc: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Signed-off-by: NJim Meyering <meyering@redhat.com>

The QEMU emulation which is currently used with Raspberry PI images
(qemu-system-arm -M versatilepb ...) accesses memory which was freed.

Valgrind output (extract):

==17857== Invalid write of size 4
==17857==    at 0x24EB06: scsi_req_unref (scsi-bus.c:1273)
==17857==    by 0x24FFAE: scsi_read_complete (scsi-disk.c:277)
==17857==    by 0x152ACC: bdrv_co_em_bh (block.c:3363)
==17857==    by 0x13D49C: qemu_bh_poll (async.c:71)
==17857==    by 0x211A8C: main_loop_wait (main-loop.c:503)
==17857==    by 0x207954: main_loop (vl.c:1555)
==17857==    by 0x20E9C9: main (vl.c:3653)
==17857==  Address 0x1c54383c is 12 bytes inside a block of size 260 free'd
==17857==    at 0x4824B3A: free (vg_replace_malloc.c:366)
==17857==    by 0x20ADFA: free_and_trace (vl.c:2250)
==17857==    by 0x4899FC5: g_free (in /lib/libglib-2.0.so.0.2400.1)
==17857==    by 0x24EB3B: scsi_req_unref (scsi-bus.c:1277)
==17857==    by 0x24F003: scsi_req_complete (scsi-bus.c:1383)
==17857==    by 0x25022A: scsi_read_data (scsi-disk.c:334)
==17857==    by 0x24EB9F: scsi_req_continue (scsi-bus.c:1289)
==17857==    by 0x1C7787: lsi_do_dma (lsi53c895a.c:575)
==17857==    by 0x1C8CDA: lsi_execute_script (lsi53c895a.c:1147)
==17857==    by 0x1C74EA: lsi_resume_script (lsi53c895a.c:510)
==17857==    by 0x1C7ECD: lsi_transfer_data (lsi53c895a.c:746)
==17857==    by 0x24EC90: scsi_req_data (scsi-bus.c:1307)

(There are some more similar messages.)

This patch adds an assertion which also detects those errors:

Calling scsi_req_unref is not allowed when the previous call
of that function has decremented refcount to 0, because in this
case req was freed.
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

The INFORMATION field (bytes 3..6) is never set by QEMU, so the VALID
bit must be 0.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

The requirements on the REQUEST SENSE buffer size are not in my copy of SPC
(SPC-4 r27) and not observed by LIO.  Rip them out.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

The requirements on the INQUIRY buffer size are not in my copy of SPC
(SPC-4 r27) and not observed by LIO.  Rip them out.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

The transfer length for these commands is different from the transfer
length of the corresponding disk commands, so parse it specially.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Interpreting cdb[4] == 0 as a request to transfer 256 blocks is only
needed for READ_6 and WRITE_6.  No other command in that range needs
that special-casing, and the resulting overrun breaks scsi-testsuite's
attempt to use command 2 as a known-invalid command.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

scsi_cmd_xfer_mode() is used to specify the xfer direction for SCSI
commands that come in from the guest.  If the direction is set incorrectly
this will eventually cause QEMU to kernel-panic the guest.

Add UNMAP and ATAPASSTHROUGH as commands that send data to the device.

Without this change, recent kernels will send both UNMAP as well
as ATAPASSTHROUGH commands to any /dev/sg* device, which due to the
incorrect xfer direction very quickly causes the guest kernel to crash.

Example causing a crash without the patch applied:

./x86_64-softmmu/qemu-system-x86_64 -m 1024 -enable-kvm -cdrom linuxmint-12-gnome-dvd-64bit.iso -drive file=/dev/sg4,if=scsi,bus=0,unit=6
Signed-off-by: NRonnie Sahlberg <ronniesahlberg@gmail.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Avoid sending more than 2GB of data, as that can cause overflows
in int32_t variables.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

scsibus_get_dev_path is leaking id if it is not NULL.  Fix it.
Reported-by: NLaszlo Ersek <lersek@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

The conditions for detecting no free target or LUN were wrong.

The LUN loop was followed by an "if" condition that is never
true, because the loop is exited as soon as lun becomes equal
to bus->info->max_lun, and never becomes greater than it.

The target loop had a wrong condition (<= instead of <).  Once
this is fixed, the loop would fail in the same way as the LUN
loop.

The fix is to see whether scsi_device_find returned the device with the
last (channel, target, LUN) pair, and fail if so.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>