Series comparison

-[PULL v2 00/28] Block patches
+[PULL v2 0/8] Block patches
-The following changes since commit ac793156f650ae2d77834932d72224175ee69086:
+The following changes since commit 813bac3d8d70d85cb7835f7945eb9eed84c2d8d0:
-  Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20201020-1' into staging (2020-10-20 21:11:35 +0100)
+  Merge tag '2023q3-bsd-user-pull-request' of https://gitlab.com/bsdimp/qemu into staging (2023-08-29 08:58:00 -0400)
 are available in the Git repository at:
   https://gitlab.com/stefanha/qemu.git tags/block-pull-request
-for you to fetch changes up to 32a3fd65e7e3551337fd26bfc0e2f899d70c028c:
+for you to fetch changes up to 3f5f2285bfcdd855508a55da7875fb92de1a6ed0:
-  iotests: add commit top->base cases to 274 (2020-10-22 09:55:39 +0100)
+  tests/qemu-iotests/197: add testcase for CoR with subclusters (2023-08-29 13:19:56 -0400)
 ----------------------------------------------------------------
 Pull request
 v2:
- * Fix format string issues on 32-bit hosts [Peter]
+- Fix authorship information lost by the mailing list for Andrey Drobyshev
  * Fix qemu-nbd.c CONFIG_POSIX ifdef issue [Eric]
  * Fix missing eventfd.h header on macOS [Peter]
  * Drop unreliable vhost-user-blk test (will send a new patch when ready) [Peter]
 This pull request contains the vhost-user-blk server by Coiby Xu along with my
 additions, block/nvme.c alignment and hardware error statistics by Philippe
 Mathieu-Daudé, and bdrv_co_block_status_above() fixes by Vladimir
 Sementsov-Ogievskiy.
 ----------------------------------------------------------------
-Coiby Xu (6):
+Andrey Drobyshev (3):
-  libvhost-user: Allow vu_message_read to be replaced
+  block: add subcluster_size field to BlockDriverInfo
-  libvhost-user: remove watch for kick_fd when de-initialize vu-dev
+  block/io: align requests to subcluster_size
-  util/vhost-user-server: generic vhost user server
+  tests/qemu-iotests/197: add testcase for CoR with subclusters
   block: move logical block size check function to a common utility
     function
   block/export: vhost-user block device backend server
   MAINTAINERS: Add vhost-user block device backend server maintainer
-Philippe Mathieu-Daudé (1):
+Fabiano Rosas (1):
-  block/nvme: Add driver statistics for access alignment and hw errors
+  block-migration: Ensure we don't crash during migration cleanup
-Stefan Hajnoczi (16):
+Jeuk Kim (4):
-  util/vhost-user-server: s/fileds/fields/ typo fix
+  hw/ufs: Initial commit for emulated Universal-Flash-Storage
-  util/vhost-user-server: drop unnecessary QOM cast
+  hw/ufs: Support for Query Transfer Requests
-  util/vhost-user-server: drop unnecessary watch deletion
+  hw/ufs: Support for UFS logical unit
-  block/export: consolidate request structs into VuBlockReq
+  tests/qtest: Introduce tests for UFS
   util/vhost-user-server: drop unused DevicePanicNotifier
   util/vhost-user-server: fix memory leak in vu_message_read()
   util/vhost-user-server: check EOF when reading payload
   util/vhost-user-server: rework vu_client_trip() coroutine lifecycle
   block/export: report flush errors
   block/export: convert vhost-user-blk server to block export API
   util/vhost-user-server: move header to include/
   util/vhost-user-server: use static library in meson.build
   qemu-storage-daemon: avoid compiling blockdev_ss twice
   block: move block exports to libblockdev
   block/export: add iothread and fixed-iothread options
   block/export: add vhost-user-blk multi-queue support
-Vladimir Sementsov-Ogievskiy (5):
+ MAINTAINERS                  |    7 +
-  block/io: fix bdrv_co_block_status_above
+ docs/specs/pci-ids.rst       |    2 +
-  block/io: bdrv_common_block_status_above: support include_base
+ meson.build                  |    1 +
-  block/io: bdrv_common_block_status_above: support bs == base
+ hw/ufs/trace.h               |    1 +
-  block/io: fix bdrv_is_allocated_above
+ hw/ufs/ufs.h                 |  131 +++
-  iotests: add commit top->base cases to 274
+ include/block/block-common.h |    5 +
+ include/block/block-io.h     |    8 +-
- MAINTAINERS                                |   9 +
+ include/block/ufs.h          | 1090 +++++++++++++++++++++++++
- qapi/block-core.json                       |  24 +-
+ include/hw/pci/pci.h         |    1 +
- qapi/block-export.json                     |  36 +-
+ include/hw/pci/pci_ids.h     |    1 +
- block/coroutines.h                         |   2 +
+ include/scsi/constants.h     |    1 +
- block/export/vhost-user-blk-server.h       |  19 +
+ block.c                      |    7 +
- contrib/libvhost-user/libvhost-user.h      |  21 +
+ block/io.c                   |   50 +-
- include/qemu/vhost-user-server.h           |  65 +++
+ block/mirror.c               |    8 +-
- util/block-helpers.h                       |  19 +
+ block/qcow2.c                |    1 +
- block/export/export.c                      |  37 +-
+ hw/ufs/lu.c                  | 1445 ++++++++++++++++++++++++++++++++
- block/export/vhost-user-blk-server.c       | 431 ++++++++++++++++++++
+ hw/ufs/ufs.c                 | 1494 ++++++++++++++++++++++++++++++++++
- block/io.c                                 | 132 +++---
+ migration/block.c            |   11 +-
- block/nvme.c                               |  27 ++
+ tests/qtest/ufs-test.c       |  584 +++++++++++++
- block/qcow2.c                              |  16 +-
+ hw/Kconfig                   |    1 +
- contrib/libvhost-user/libvhost-user-glib.c |   2 +-
+ hw/meson.build               |    1 +
- contrib/libvhost-user/libvhost-user.c      |  15 +-
+ hw/ufs/Kconfig               |    4 +
- hw/core/qdev-properties-system.c           |  31 +-
+ hw/ufs/meson.build           |    1 +
- nbd/server.c                               |   2 -
+ hw/ufs/trace-events          |   58 ++
- qemu-nbd.c                                 |  21 +-
+ tests/qemu-iotests/197       |   29 +
- softmmu/vl.c                               |   4 +
+ tests/qemu-iotests/197.out   |   24 +
- stubs/blk-exp-close-all.c                  |   7 +
+ tests/qtest/meson.build      |    1 +
- tests/vhost-user-bridge.c                  |   2 +
+files changed, 4932 insertions(+), 35 deletions(-)
- tools/virtiofsd/fuse_virtio.c              |   4 +-
+ create mode 100644 hw/ufs/trace.h
- util/block-helpers.c                       |  46 +++
+ create mode 100644 hw/ufs/ufs.h
- util/vhost-user-server.c                   | 446 +++++++++++++++++++++
+ create mode 100644 include/block/ufs.h
- block/export/meson.build                   |   3 +-
+ create mode 100644 hw/ufs/lu.c
- contrib/libvhost-user/meson.build          |   1 +
+ create mode 100644 hw/ufs/ufs.c
- meson.build                                |  22 +-
+ create mode 100644 tests/qtest/ufs-test.c
- nbd/meson.build                            |   2 +
+ create mode 100644 hw/ufs/Kconfig
- storage-daemon/meson.build                 |   3 +-
+ create mode 100644 hw/ufs/meson.build
- stubs/meson.build                          |   1 +
+ create mode 100644 hw/ufs/trace-events
  tests/qemu-iotests/274                     |  20 +
  tests/qemu-iotests/274.out                 |  68 ++++
  util/meson.build                           |   4 +
 files changed, 1420 insertions(+), 122 deletions(-)
  create mode 100644 block/export/vhost-user-blk-server.h
  create mode 100644 include/qemu/vhost-user-server.h
  create mode 100644 util/block-helpers.h
  create mode 100644 block/export/vhost-user-blk-server.c
  create mode 100644 stubs/blk-exp-close-all.c
  create mode 100644 util/block-helpers.c
  create mode 100644 util/vhost-user-server.c
 --
-.26.2
+.41.0

-[PULL v2 01/28] block/nvme: Add driver statistics for access alignment and hw errors
+Deleted patch
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
-Keep statistics of some hardware errors, and number of
-aligned/unaligned I/O accesses.
-QMP example booting a full RHEL 8.3 aarch64 guest:
-{ "execute": "query-blockstats" }
-{
-    "return": [
-        {
-            "device": "",
-            "node-name": "drive0",
-            "stats": {
-                "flush_total_time_ns": 6026948,
-                "wr_highest_offset": 3383991230464,
-                "wr_total_time_ns": 807450995,
-                "failed_wr_operations": 0,
-                "failed_rd_operations": 0,
-                "wr_merged": 3,
-                "wr_bytes": 50133504,
-                "failed_unmap_operations": 0,
-                "failed_flush_operations": 0,
-                "account_invalid": false,
-                "rd_total_time_ns": 1846979900,
-                "flush_operations": 130,
-                "wr_operations": 659,
-                "rd_merged": 1192,
-                "rd_bytes": 218244096,
-                "account_failed": false,
-                "idle_time_ns": 2678641497,
-                "rd_operations": 7406,
-            },
-            "driver-specific": {
-                "driver": "nvme",
-                "completion-errors": 0,
-                "unaligned-accesses": 2959,
-                "aligned-accesses": 4477
-            },
-            "qdev": "/machine/peripheral-anon/device[0]/virtio-backend"
-        }
-    ]
-}
-Suggested-by: Stefan Hajnoczi <stefanha@gmail.com>
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Acked-by: Markus Armbruster <armbru@redhat.com>
-Message-id: 20201001162939.1567915-1-philmd@redhat.com
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- qapi/block-core.json | 24 +++++++++++++++++++++++-
- block/nvme.c         | 27 +++++++++++++++++++++++++++
-files changed, 50 insertions(+), 1 deletion(-)
-diff --git a/qapi/block-core.json b/qapi/block-core.json
-index XXXXXXX..XXXXXXX 100644
---- a/qapi/block-core.json
-+++ b/qapi/block-core.json
-@@ -XXX,XX +XXX,XX @@
-       'discard-nb-failed': 'uint64',
-       'discard-bytes-ok': 'uint64' } }
-+##
-+# @BlockStatsSpecificNvme:
-+#
-+# NVMe driver statistics
-+#
-+# @completion-errors: The number of completion errors.
-+#
-+# @aligned-accesses: The number of aligned accesses performed by
-+#                    the driver.
-+#
-+# @unaligned-accesses: The number of unaligned accesses performed by
-+#                      the driver.
-+#
-+# Since: 5.2
-+##
-+{ 'struct': 'BlockStatsSpecificNvme',
-+  'data': {
-+      'completion-errors': 'uint64',
-+      'aligned-accesses': 'uint64',
-+      'unaligned-accesses': 'uint64' } }
-+
- ##
- # @BlockStatsSpecific:
- #
-@@ -XXX,XX +XXX,XX @@
-   'discriminator': 'driver',
-   'data': {
-       'file': 'BlockStatsSpecificFile',
--      'host_device': 'BlockStatsSpecificFile' } }
-+      'host_device': 'BlockStatsSpecificFile',
-+      'nvme': 'BlockStatsSpecificNvme' } }
- ##
- # @BlockStats:
-diff --git a/block/nvme.c b/block/nvme.c
-index XXXXXXX..XXXXXXX 100644
---- a/block/nvme.c
-+++ b/block/nvme.c
-@@ -XXX,XX +XXX,XX @@ struct BDRVNVMeState {
-     /* PCI address (required for nvme_refresh_filename()) */
-     char *device;
-+
-+    struct {
-+        uint64_t completion_errors;
-+        uint64_t aligned_accesses;
-+        uint64_t unaligned_accesses;
-+    } stats;
- };
- #define NVME_BLOCK_OPT_DEVICE "device"
-@@ -XXX,XX +XXX,XX @@ static bool nvme_process_completion(NVMeQueuePair *q)
-             break;
-         }
-         ret = nvme_translate_error(c);
-+        if (ret) {
-+            s->stats.completion_errors++;
-+        }
-         q->cq.head = (q->cq.head + 1) % NVME_QUEUE_SIZE;
-         if (!q->cq.head) {
-             q->cq_phase = !q->cq_phase;
-@@ -XXX,XX +XXX,XX @@ static int nvme_co_prw(BlockDriverState *bs, uint64_t offset, uint64_t bytes,
-     assert(QEMU_IS_ALIGNED(bytes, s->page_size));
-     assert(bytes <= s->max_transfer);
-     if (nvme_qiov_aligned(bs, qiov)) {
-+        s->stats.aligned_accesses++;
-         return nvme_co_prw_aligned(bs, offset, bytes, qiov, is_write, flags);
-     }
-+    s->stats.unaligned_accesses++;
-     trace_nvme_prw_buffered(s, offset, bytes, qiov->niov, is_write);
-     buf = qemu_try_memalign(s->page_size, bytes);
-@@ -XXX,XX +XXX,XX @@ static void nvme_unregister_buf(BlockDriverState *bs, void *host)
-     qemu_vfio_dma_unmap(s->vfio, host);
- }
-+static BlockStatsSpecific *nvme_get_specific_stats(BlockDriverState *bs)
-+{
-+    BlockStatsSpecific *stats = g_new(BlockStatsSpecific, 1);
-+    BDRVNVMeState *s = bs->opaque;
-+
-+    stats->driver = BLOCKDEV_DRIVER_NVME;
-+    stats->u.nvme = (BlockStatsSpecificNvme) {
-+        .completion_errors = s->stats.completion_errors,
-+        .aligned_accesses = s->stats.aligned_accesses,
-+        .unaligned_accesses = s->stats.unaligned_accesses,
-+    };
-+
-+    return stats;
-+}
-+
- static const char *const nvme_strong_runtime_opts[] = {
-     NVME_BLOCK_OPT_DEVICE,
-     NVME_BLOCK_OPT_NAMESPACE,
-@@ -XXX,XX +XXX,XX @@ static BlockDriver bdrv_nvme = {
-     .bdrv_refresh_filename    = nvme_refresh_filename,
-     .bdrv_refresh_limits      = nvme_refresh_limits,
-     .strong_runtime_opts      = nvme_strong_runtime_opts,
-+    .bdrv_get_specific_stats  = nvme_get_specific_stats,
-     .bdrv_detach_aio_context  = nvme_detach_aio_context,
-     .bdrv_attach_aio_context  = nvme_attach_aio_context,
---
-.26.2

-[PULL v2 02/28] libvhost-user: Allow vu_message_read to be replaced
+Deleted patch
-From: Coiby Xu <coiby.xu@gmail.com>
-Allow vu_message_read to be replaced by one which will make use of the
-QIOChannel functions. Thus reading vhost-user message won't stall the
-guest. For slave channel, we still use the default vu_message_read.
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Signed-off-by: Coiby Xu <coiby.xu@gmail.com>
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Message-id: 20200918080912.321299-2-coiby.xu@gmail.com
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- contrib/libvhost-user/libvhost-user.h      | 21 +++++++++++++++++++++
- contrib/libvhost-user/libvhost-user-glib.c |  2 +-
- contrib/libvhost-user/libvhost-user.c      | 14 +++++++-------
- tests/vhost-user-bridge.c                  |  2 ++
- tools/virtiofsd/fuse_virtio.c              |  4 ++--
-files changed, 33 insertions(+), 10 deletions(-)
-diff --git a/contrib/libvhost-user/libvhost-user.h b/contrib/libvhost-user/libvhost-user.h
-index XXXXXXX..XXXXXXX 100644
---- a/contrib/libvhost-user/libvhost-user.h
-+++ b/contrib/libvhost-user/libvhost-user.h
-@@ -XXX,XX +XXX,XX @@
-  */
- #define VHOST_USER_MAX_RAM_SLOTS 32
-+#define VHOST_USER_HDR_SIZE offsetof(VhostUserMsg, payload.u64)
-+
- typedef enum VhostSetConfigType {
-     VHOST_SET_CONFIG_TYPE_MASTER = 0,
-     VHOST_SET_CONFIG_TYPE_MIGRATION = 1,
-@@ -XXX,XX +XXX,XX @@ typedef uint64_t (*vu_get_features_cb) (VuDev *dev);
- typedef void (*vu_set_features_cb) (VuDev *dev, uint64_t features);
- typedef int (*vu_process_msg_cb) (VuDev *dev, VhostUserMsg *vmsg,
-                                   int *do_reply);
-+typedef bool (*vu_read_msg_cb) (VuDev *dev, int sock, VhostUserMsg *vmsg);
- typedef void (*vu_queue_set_started_cb) (VuDev *dev, int qidx, bool started);
- typedef bool (*vu_queue_is_processed_in_order_cb) (VuDev *dev, int qidx);
- typedef int (*vu_get_config_cb) (VuDev *dev, uint8_t *config, uint32_t len);
-@@ -XXX,XX +XXX,XX @@ struct VuDev {
-     bool broken;
-     uint16_t max_queues;
-+    /* @read_msg: custom method to read vhost-user message
-+     *
-+     * Read data from vhost_user socket fd and fill up
-+     * the passed VhostUserMsg *vmsg struct.
-+     *
-+     * If reading fails, it should close the received set of file
-+     * descriptors as socket message's auxiliary data.
-+     *
-+     * For the details, please refer to vu_message_read in libvhost-user.c
-+     * which will be used by default if not custom method is provided when
-+     * calling vu_init
-+     *
-+     * Returns: true if vhost-user message successfully received,
-+     *          otherwise return false.
-+     *
-+     */
-+    vu_read_msg_cb read_msg;
-     /* @set_watch: add or update the given fd to the watch set,
-      * call cb when condition is met */
-     vu_set_watch_cb set_watch;
-@@ -XXX,XX +XXX,XX @@ bool vu_init(VuDev *dev,
-              uint16_t max_queues,
-              int socket,
-              vu_panic_cb panic,
-+             vu_read_msg_cb read_msg,
-              vu_set_watch_cb set_watch,
-              vu_remove_watch_cb remove_watch,
-              const VuDevIface *iface);
-diff --git a/contrib/libvhost-user/libvhost-user-glib.c b/contrib/libvhost-user/libvhost-user-glib.c
-index XXXXXXX..XXXXXXX 100644
---- a/contrib/libvhost-user/libvhost-user-glib.c
-+++ b/contrib/libvhost-user/libvhost-user-glib.c
-@@ -XXX,XX +XXX,XX @@ vug_init(VugDev *dev, uint16_t max_queues, int socket,
-     g_assert(dev);
-     g_assert(iface);
--    if (!vu_init(&dev->parent, max_queues, socket, panic, set_watch,
-+    if (!vu_init(&dev->parent, max_queues, socket, panic, NULL, set_watch,
-                  remove_watch, iface)) {
-         return false;
-     }
-diff --git a/contrib/libvhost-user/libvhost-user.c b/contrib/libvhost-user/libvhost-user.c
-index XXXXXXX..XXXXXXX 100644
---- a/contrib/libvhost-user/libvhost-user.c
-+++ b/contrib/libvhost-user/libvhost-user.c
-@@ -XXX,XX +XXX,XX @@
- /* The version of inflight buffer */
- #define INFLIGHT_VERSION 1
--#define VHOST_USER_HDR_SIZE offsetof(VhostUserMsg, payload.u64)
--
- /* The version of the protocol we support */
- #define VHOST_USER_VERSION 1
- #define LIBVHOST_USER_DEBUG 0
-@@ -XXX,XX +XXX,XX @@ have_userfault(void)
- }
- static bool
--vu_message_read(VuDev *dev, int conn_fd, VhostUserMsg *vmsg)
-+vu_message_read_default(VuDev *dev, int conn_fd, VhostUserMsg *vmsg)
- {
-     char control[CMSG_SPACE(VHOST_MEMORY_BASELINE_NREGIONS * sizeof(int))] = {};
-     struct iovec iov = {
-@@ -XXX,XX +XXX,XX @@ vu_process_message_reply(VuDev *dev, const VhostUserMsg *vmsg)
-         goto out;
-     }
--    if (!vu_message_read(dev, dev->slave_fd, &msg_reply)) {
-+    if (!vu_message_read_default(dev, dev->slave_fd, &msg_reply)) {
-         goto out;
-     }
-@@ -XXX,XX +XXX,XX @@ vu_set_mem_table_exec_postcopy(VuDev *dev, VhostUserMsg *vmsg)
-     /* Wait for QEMU to confirm that it's registered the handler for the
-      * faults.
-      */
--    if (!vu_message_read(dev, dev->sock, vmsg) ||
-+    if (!dev->read_msg(dev, dev->sock, vmsg) ||
-         vmsg->size != sizeof(vmsg->payload.u64) ||
-         vmsg->payload.u64 != 0) {
-         vu_panic(dev, "failed to receive valid ack for postcopy set-mem-table");
-@@ -XXX,XX +XXX,XX @@ vu_dispatch(VuDev *dev)
-     int reply_requested;
-     bool need_reply, success = false;
--    if (!vu_message_read(dev, dev->sock, &vmsg)) {
-+    if (!dev->read_msg(dev, dev->sock, &vmsg)) {
-         goto end;
-     }
-@@ -XXX,XX +XXX,XX @@ vu_init(VuDev *dev,
-         uint16_t max_queues,
-         int socket,
-         vu_panic_cb panic,
-+        vu_read_msg_cb read_msg,
-         vu_set_watch_cb set_watch,
-         vu_remove_watch_cb remove_watch,
-         const VuDevIface *iface)
-@@ -XXX,XX +XXX,XX @@ vu_init(VuDev *dev,
-     dev->sock = socket;
-     dev->panic = panic;
-+    dev->read_msg = read_msg ? read_msg : vu_message_read_default;
-     dev->set_watch = set_watch;
-     dev->remove_watch = remove_watch;
-     dev->iface = iface;
-@@ -XXX,XX +XXX,XX @@ static void _vu_queue_notify(VuDev *dev, VuVirtq *vq, bool sync)
-         vu_message_write(dev, dev->slave_fd, &vmsg);
-         if (ack) {
--            vu_message_read(dev, dev->slave_fd, &vmsg);
-+            vu_message_read_default(dev, dev->slave_fd, &vmsg);
-         }
-         return;
-     }
-diff --git a/tests/vhost-user-bridge.c b/tests/vhost-user-bridge.c
-index XXXXXXX..XXXXXXX 100644
---- a/tests/vhost-user-bridge.c
-+++ b/tests/vhost-user-bridge.c
-@@ -XXX,XX +XXX,XX @@ vubr_accept_cb(int sock, void *ctx)
-                  VHOST_USER_BRIDGE_MAX_QUEUES,
-                  conn_fd,
-                  vubr_panic,
-+                 NULL,
-                  vubr_set_watch,
-                  vubr_remove_watch,
-                  &vuiface)) {
-@@ -XXX,XX +XXX,XX @@ vubr_new(const char *path, bool client)
-                      VHOST_USER_BRIDGE_MAX_QUEUES,
-                      dev->sock,
-                      vubr_panic,
-+                     NULL,
-                      vubr_set_watch,
-                      vubr_remove_watch,
-                      &vuiface)) {
-diff --git a/tools/virtiofsd/fuse_virtio.c b/tools/virtiofsd/fuse_virtio.c
-index XXXXXXX..XXXXXXX 100644
---- a/tools/virtiofsd/fuse_virtio.c
-+++ b/tools/virtiofsd/fuse_virtio.c
-@@ -XXX,XX +XXX,XX @@ int virtio_session_mount(struct fuse_session *se)
-     se->vu_socketfd = data_sock;
-     se->virtio_dev->se = se;
-     pthread_rwlock_init(&se->virtio_dev->vu_dispatch_rwlock, NULL);
--    vu_init(&se->virtio_dev->dev, 2, se->vu_socketfd, fv_panic, fv_set_watch,
--            fv_remove_watch, &fv_iface);
-+    vu_init(&se->virtio_dev->dev, 2, se->vu_socketfd, fv_panic, NULL,
-+            fv_set_watch, fv_remove_watch, &fv_iface);
-     return 0;
- }
---
-.26.2

-[PULL v2 03/28] libvhost-user: remove watch for kick_fd when de-initialize vu-dev
+Deleted patch
-From: Coiby Xu <coiby.xu@gmail.com>
-When the client is running in gdb and quit command is run in gdb,
-QEMU will still dispatch the event which will cause segment fault in
-the callback function.
-Signed-off-by: Coiby Xu <coiby.xu@gmail.com>
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-id: 20200918080912.321299-3-coiby.xu@gmail.com
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- contrib/libvhost-user/libvhost-user.c | 1 +
-file changed, 1 insertion(+)
-diff --git a/contrib/libvhost-user/libvhost-user.c b/contrib/libvhost-user/libvhost-user.c
-index XXXXXXX..XXXXXXX 100644
---- a/contrib/libvhost-user/libvhost-user.c
-+++ b/contrib/libvhost-user/libvhost-user.c
-@@ -XXX,XX +XXX,XX @@ vu_deinit(VuDev *dev)
-         }
-         if (vq->kick_fd != -1) {
-+            dev->remove_watch(dev, vq->kick_fd);
-             close(vq->kick_fd);
-             vq->kick_fd = -1;
-         }
---
-.26.2

-[PULL v2 06/28] block/export: vhost-user block device backend server
+[PULL v2 1/8] hw/ufs: Initial commit for emulated Universal-Flash-Storage
-From: Coiby Xu <coiby.xu@gmail.com>
+From: Jeuk Kim <jeuk20.kim@gmail.com>
-By making use of libvhost-user, block device drive can be shared to
+Universal Flash Storage (UFS) is a high-performance mass storage device
-the connected vhost-user client. Only one client can connect to the
+with a serial interface. It is primarily used as a high-performance
-server one time.
+data storage device for embedded applications.
-Since vhost-user-server needs a block drive to be created first, delay
+This commit contains code for UFS device to be recognized
-the creation of this object.
+as a UFS PCI device.
 Patches to handle UFS logical unit and Transfer Request will follow.
-Suggested-by: Kevin Wolf <kwolf@redhat.com>
+Signed-off-by: Jeuk Kim <jeuk20.kim@samsung.com>
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 Signed-off-by: Coiby Xu <coiby.xu@gmail.com>
 Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-id: 9f3db32fe1c708090a6bb764d456973b5abef55f.1691062912.git.jeuk20.kim@samsung.com
 Message-id: 20200918080912.321299-6-coiby.xu@gmail.com
 [Shorten "vhost_user_blk_server" string to "vhost_user_blk" to avoid the
 following compiler warning:
 ../block/export/vhost-user-blk-server.c:178:50: error: ‘%s’ directive output truncated writing 21 bytes into a region of size 20 [-Werror=format-truncation=]
 and fix "Invalid size %ld ..." ssize_t format string arguments for
 -bit hosts.
 --Stefan]
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
- block/export/vhost-user-blk-server.h |  36 ++
+ MAINTAINERS              |    6 +
- block/export/vhost-user-blk-server.c | 661 +++++++++++++++++++++++++++
+ docs/specs/pci-ids.rst   |    2 +
- softmmu/vl.c                         |   4 +
+ meson.build              |    1 +
- block/meson.build                    |   1 +
+ hw/ufs/trace.h           |    1 +
-files changed, 702 insertions(+)
+ hw/ufs/ufs.h             |   42 ++
- create mode 100644 block/export/vhost-user-blk-server.h
+ include/block/ufs.h      | 1090 ++++++++++++++++++++++++++++++++++++++
- create mode 100644 block/export/vhost-user-blk-server.c
+ include/hw/pci/pci.h     |    1 +
  include/hw/pci/pci_ids.h |    1 +
  hw/ufs/ufs.c             |  278 ++++++++++
  hw/Kconfig               |    1 +
  hw/meson.build           |    1 +
  hw/ufs/Kconfig           |    4 +
  hw/ufs/meson.build       |    1 +
  hw/ufs/trace-events      |   32 ++
 files changed, 1461 insertions(+)
  create mode 100644 hw/ufs/trace.h
  create mode 100644 hw/ufs/ufs.h
  create mode 100644 include/block/ufs.h
  create mode 100644 hw/ufs/ufs.c
  create mode 100644 hw/ufs/Kconfig
  create mode 100644 hw/ufs/meson.build
  create mode 100644 hw/ufs/trace-events
-diff --git a/block/export/vhost-user-blk-server.h b/block/export/vhost-user-blk-server.h
+diff --git a/MAINTAINERS b/MAINTAINERS
 index XXXXXXX..XXXXXXX 100644
 --- a/MAINTAINERS
 +++ b/MAINTAINERS
@@ -XXX,XX +XXX,XX @@ F: tests/qtest/nvme-test.c
  F: docs/system/devices/nvme.rst
  T: git git://git.infradead.org/qemu-nvme.git nvme-next
 +ufs
 +M: Jeuk Kim <jeuk20.kim@samsung.com>
 +S: Supported
 +F: hw/ufs/*
 +F: include/block/ufs.h
 +
  megasas
  M: Hannes Reinecke <hare@suse.com>
  L: qemu-block@nongnu.org
 diff --git a/docs/specs/pci-ids.rst b/docs/specs/pci-ids.rst
 index XXXXXXX..XXXXXXX 100644
 --- a/docs/specs/pci-ids.rst
 +++ b/docs/specs/pci-ids.rst
@@ -XXX,XX +XXX,XX @@ PCI devices (other than virtio):
    PCI PVPanic device (``-device pvpanic-pci``)
 b36:0012
    PCI ACPI ERST device (``-device acpi-erst``)
 +1b36:0013
 +  PCI UFS device (``-device ufs``)
  All these devices are documented in :doc:`index`.
 diff --git a/meson.build b/meson.build
 index XXXXXXX..XXXXXXX 100644
 --- a/meson.build
 +++ b/meson.build
@@ -XXX,XX +XXX,XX @@ if have_system
      'hw/ssi',
      'hw/timer',
      'hw/tpm',
 +    'hw/ufs',
      'hw/usb',
      'hw/vfio',
      'hw/virtio',
 diff --git a/hw/ufs/trace.h b/hw/ufs/trace.h
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
-+++ b/block/export/vhost-user-blk-server.h
++++ b/hw/ufs/trace.h
-@@ -XXX,XX +XXX,XX @@
+@@ -0,0 +1 @@
-+/*
++#include "trace/trace-hw_ufs.h"
-+ * Sharing QEMU block devices via vhost-user protocal
+diff --git a/hw/ufs/ufs.h b/hw/ufs/ufs.h
 + *
 + * Copyright (c) Coiby Xu <coiby.xu@gmail.com>.
 + * Copyright (c) 2020 Red Hat, Inc.
 + *
 + * This work is licensed under the terms of the GNU GPL, version 2 or
 + * later.  See the COPYING file in the top-level directory.
 + */
 +
 +#ifndef VHOST_USER_BLK_SERVER_H
 +#define VHOST_USER_BLK_SERVER_H
 +#include "util/vhost-user-server.h"
 +
 +typedef struct VuBlockDev VuBlockDev;
 +#define TYPE_VHOST_USER_BLK_SERVER "vhost-user-blk-server"
 +#define VHOST_USER_BLK_SERVER(obj) \
 +   OBJECT_CHECK(VuBlockDev, obj, TYPE_VHOST_USER_BLK_SERVER)
 +
 +/* vhost user block device */
 +struct VuBlockDev {
 +    Object parent_obj;
 +    char *node_name;
 +    SocketAddress *addr;
 +    AioContext *ctx;
 +    VuServer vu_server;
 +    bool running;
 +    uint32_t blk_size;
 +    BlockBackend *backend;
 +    QIOChannelSocket *sioc;
 +    QTAILQ_ENTRY(VuBlockDev) next;
 +    struct virtio_blk_config blkcfg;
 +    bool writable;
 +};
 +
 +#endif /* VHOST_USER_BLK_SERVER_H */
 diff --git a/block/export/vhost-user-blk-server.c b/block/export/vhost-user-blk-server.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
-+++ b/block/export/vhost-user-blk-server.c
++++ b/hw/ufs/ufs.h
 @@ -XXX,XX +XXX,XX @@
 +/*
-+ * Sharing QEMU block devices via vhost-user protocal
++ * QEMU UFS
 + *
-+ * Parts of the code based on nbd/server.c.
++ * Copyright (c) 2023 Samsung Electronics Co., Ltd. All rights reserved.
 + *
-+ * Copyright (c) Coiby Xu <coiby.xu@gmail.com>.
++ * Written by Jeuk Kim <jeuk20.kim@samsung.com>
 + * Copyright (c) 2020 Red Hat, Inc.
 + *
-+ * This work is licensed under the terms of the GNU GPL, version 2 or
++ * SPDX-License-Identifier: GPL-2.0-or-later
-+ * later.  See the COPYING file in the top-level directory.
++ */
-+ */
++
 +#ifndef HW_UFS_UFS_H
 +#define HW_UFS_UFS_H
 +
 +#include "hw/pci/pci_device.h"
 +#include "hw/scsi/scsi.h"
 +#include "block/ufs.h"
 +
 +#define UFS_MAX_LUS 32
 +#define UFS_BLOCK_SIZE 4096
 +
 +typedef struct UfsParams {
 +    char *serial;
 +    uint8_t nutrs; /* Number of UTP Transfer Request Slots */
 +    uint8_t nutmrs; /* Number of UTP Task Management Request Slots */
 +} UfsParams;
 +
 +typedef struct UfsHc {
 +    PCIDevice parent_obj;
 +    MemoryRegion iomem;
 +    UfsReg reg;
 +    UfsParams params;
 +    uint32_t reg_size;
 +
 +    qemu_irq irq;
 +    QEMUBH *doorbell_bh;
 +    QEMUBH *complete_bh;
 +} UfsHc;
 +
 +#define TYPE_UFS "ufs"
 +#define UFS(obj) OBJECT_CHECK(UfsHc, (obj), TYPE_UFS)
 +
 +#endif /* HW_UFS_UFS_H */
 diff --git a/include/block/ufs.h b/include/block/ufs.h
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/include/block/ufs.h
@@ -XXX,XX +XXX,XX @@
 +/* SPDX-License-Identifier: GPL-2.0-or-later */
 +
 +#ifndef BLOCK_UFS_H
 +#define BLOCK_UFS_H
 +
 +#include "hw/registerfields.h"
 +
 +typedef struct QEMU_PACKED UfsReg {
 +    uint32_t cap;
 +    uint32_t rsvd0;
 +    uint32_t ver;
 +    uint32_t rsvd1;
 +    uint32_t hcpid;
 +    uint32_t hcmid;
 +    uint32_t ahit;
 +    uint32_t rsvd2;
 +    uint32_t is;
 +    uint32_t ie;
 +    uint32_t rsvd3[2];
 +    uint32_t hcs;
 +    uint32_t hce;
 +    uint32_t uecpa;
 +    uint32_t uecdl;
 +    uint32_t uecn;
 +    uint32_t uect;
 +    uint32_t uecdme;
 +    uint32_t utriacr;
 +    uint32_t utrlba;
 +    uint32_t utrlbau;
 +    uint32_t utrldbr;
 +    uint32_t utrlclr;
 +    uint32_t utrlrsr;
 +    uint32_t utrlcnr;
 +    uint32_t rsvd4[2];
 +    uint32_t utmrlba;
 +    uint32_t utmrlbau;
 +    uint32_t utmrldbr;
 +    uint32_t utmrlclr;
 +    uint32_t utmrlrsr;
 +    uint32_t rsvd5[3];
 +    uint32_t uiccmd;
 +    uint32_t ucmdarg1;
 +    uint32_t ucmdarg2;
 +    uint32_t ucmdarg3;
 +    uint32_t rsvd6[4];
 +    uint32_t rsvd7[4];
 +    uint32_t rsvd8[16];
 +    uint32_t ccap;
 +} UfsReg;
 +
 +REG32(CAP, offsetof(UfsReg, cap))
 +    FIELD(CAP, NUTRS, 0, 5)
 +    FIELD(CAP, RTT, 8, 8)
 +    FIELD(CAP, NUTMRS, 16, 3)
 +    FIELD(CAP, AUTOH8, 23, 1)
 +    FIELD(CAP, 64AS, 24, 1)
 +    FIELD(CAP, OODDS, 25, 1)
 +    FIELD(CAP, UICDMETMS, 26, 1)
 +    FIELD(CAP, CS, 28, 1)
 +REG32(VER, offsetof(UfsReg, ver))
 +REG32(HCPID, offsetof(UfsReg, hcpid))
 +REG32(HCMID, offsetof(UfsReg, hcmid))
 +REG32(AHIT, offsetof(UfsReg, ahit))
 +REG32(IS, offsetof(UfsReg, is))
 +    FIELD(IS, UTRCS, 0, 1)
 +    FIELD(IS, UDEPRI, 1, 1)
 +    FIELD(IS, UE, 2, 1)
 +    FIELD(IS, UTMS, 3, 1)
 +    FIELD(IS, UPMS, 4, 1)
 +    FIELD(IS, UHXS, 5, 1)
 +    FIELD(IS, UHES, 6, 1)
 +    FIELD(IS, ULLS, 7, 1)
 +    FIELD(IS, ULSS, 8, 1)
 +    FIELD(IS, UTMRCS, 9, 1)
 +    FIELD(IS, UCCS, 10, 1)
 +    FIELD(IS, DFES, 11, 1)
 +    FIELD(IS, UTPES, 12, 1)
 +    FIELD(IS, HCFES, 16, 1)
 +    FIELD(IS, SBFES, 17, 1)
 +    FIELD(IS, CEFES, 18, 1)
 +REG32(IE, offsetof(UfsReg, ie))
 +    FIELD(IE, UTRCE, 0, 1)
 +    FIELD(IE, UDEPRIE, 1, 1)
 +    FIELD(IE, UEE, 2, 1)
 +    FIELD(IE, UTMSE, 3, 1)
 +    FIELD(IE, UPMSE, 4, 1)
 +    FIELD(IE, UHXSE, 5, 1)
 +    FIELD(IE, UHESE, 6, 1)
 +    FIELD(IE, ULLSE, 7, 1)
 +    FIELD(IE, ULSSE, 8, 1)
 +    FIELD(IE, UTMRCE, 9, 1)
 +    FIELD(IE, UCCE, 10, 1)
 +    FIELD(IE, DFEE, 11, 1)
 +    FIELD(IE, UTPEE, 12, 1)
 +    FIELD(IE, HCFEE, 16, 1)
 +    FIELD(IE, SBFEE, 17, 1)
 +    FIELD(IE, CEFEE, 18, 1)
 +REG32(HCS, offsetof(UfsReg, hcs))
 +    FIELD(HCS, DP, 0, 1)
 +    FIELD(HCS, UTRLRDY, 1, 1)
 +    FIELD(HCS, UTMRLRDY, 2, 1)
 +    FIELD(HCS, UCRDY, 3, 1)
 +    FIELD(HCS, UPMCRS, 8, 3)
 +REG32(HCE, offsetof(UfsReg, hce))
 +    FIELD(HCE, HCE, 0, 1)
 +    FIELD(HCE, CGE, 1, 1)
 +REG32(UECPA, offsetof(UfsReg, uecpa))
 +REG32(UECDL, offsetof(UfsReg, uecdl))
 +REG32(UECN, offsetof(UfsReg, uecn))
 +REG32(UECT, offsetof(UfsReg, uect))
 +REG32(UECDME, offsetof(UfsReg, uecdme))
 +REG32(UTRIACR, offsetof(UfsReg, utriacr))
 +REG32(UTRLBA, offsetof(UfsReg, utrlba))
 +    FIELD(UTRLBA, UTRLBA, 9, 22)
 +REG32(UTRLBAU, offsetof(UfsReg, utrlbau))
 +REG32(UTRLDBR, offsetof(UfsReg, utrldbr))
 +REG32(UTRLCLR, offsetof(UfsReg, utrlclr))
 +REG32(UTRLRSR, offsetof(UfsReg, utrlrsr))
 +REG32(UTRLCNR, offsetof(UfsReg, utrlcnr))
 +REG32(UTMRLBA, offsetof(UfsReg, utmrlba))
 +    FIELD(UTMRLBA, UTMRLBA, 9, 22)
 +REG32(UTMRLBAU, offsetof(UfsReg, utmrlbau))
 +REG32(UTMRLDBR, offsetof(UfsReg, utmrldbr))
 +REG32(UTMRLCLR, offsetof(UfsReg, utmrlclr))
 +REG32(UTMRLRSR, offsetof(UfsReg, utmrlrsr))
 +REG32(UICCMD, offsetof(UfsReg, uiccmd))
 +REG32(UCMDARG1, offsetof(UfsReg, ucmdarg1))
 +REG32(UCMDARG2, offsetof(UfsReg, ucmdarg2))
 +REG32(UCMDARG3, offsetof(UfsReg, ucmdarg3))
 +REG32(CCAP, offsetof(UfsReg, ccap))
 +
 +#define UFS_INTR_MASK                                    \
 +    ((1 << R_IS_CEFES_SHIFT) | (1 << R_IS_SBFES_SHIFT) | \
 +     (1 << R_IS_HCFES_SHIFT) | (1 << R_IS_UTPES_SHIFT) | \
 +     (1 << R_IS_DFES_SHIFT) | (1 << R_IS_UCCS_SHIFT) |   \
 +     (1 << R_IS_UTMRCS_SHIFT) | (1 << R_IS_ULSS_SHIFT) | \
 +     (1 << R_IS_ULLS_SHIFT) | (1 << R_IS_UHES_SHIFT) |   \
 +     (1 << R_IS_UHXS_SHIFT) | (1 << R_IS_UPMS_SHIFT) |   \
 +     (1 << R_IS_UTMS_SHIFT) | (1 << R_IS_UE_SHIFT) |     \
 +     (1 << R_IS_UDEPRI_SHIFT) | (1 << R_IS_UTRCS_SHIFT))
 +
 +#define UFS_UPIU_HEADER_TRANSACTION_TYPE_SHIFT 24
 +#define UFS_UPIU_HEADER_TRANSACTION_TYPE_MASK 0xff
 +#define UFS_UPIU_HEADER_TRANSACTION_TYPE(dword0)                       \
 +    ((be32_to_cpu(dword0) >> UFS_UPIU_HEADER_TRANSACTION_TYPE_SHIFT) & \
 +     UFS_UPIU_HEADER_TRANSACTION_TYPE_MASK)
 +
 +#define UFS_UPIU_HEADER_QUERY_FUNC_SHIFT 16
 +#define UFS_UPIU_HEADER_QUERY_FUNC_MASK 0xff
 +#define UFS_UPIU_HEADER_QUERY_FUNC(dword1)                       \
 +    ((be32_to_cpu(dword1) >> UFS_UPIU_HEADER_QUERY_FUNC_SHIFT) & \
 +     UFS_UPIU_HEADER_QUERY_FUNC_MASK)
 +
 +#define UFS_UPIU_HEADER_DATA_SEGMENT_LENGTH_SHIFT 0
 +#define UFS_UPIU_HEADER_DATA_SEGMENT_LENGTH_MASK 0xffff
 +#define UFS_UPIU_HEADER_DATA_SEGMENT_LENGTH(dword2)                       \
 +    ((be32_to_cpu(dword2) >> UFS_UPIU_HEADER_DATA_SEGMENT_LENGTH_SHIFT) & \
 +     UFS_UPIU_HEADER_DATA_SEGMENT_LENGTH_MASK)
 +
 +typedef struct QEMU_PACKED DeviceDescriptor {
 +    uint8_t length;
 +    uint8_t descriptor_idn;
 +    uint8_t device;
 +    uint8_t device_class;
 +    uint8_t device_sub_class;
 +    uint8_t protocol;
 +    uint8_t number_lu;
 +    uint8_t number_wlu;
 +    uint8_t boot_enable;
 +    uint8_t descr_access_en;
 +    uint8_t init_power_mode;
 +    uint8_t high_priority_lun;
 +    uint8_t secure_removal_type;
 +    uint8_t security_lu;
 +    uint8_t background_ops_term_lat;
 +    uint8_t init_active_icc_level;
 +    uint16_t spec_version;
 +    uint16_t manufacture_date;
 +    uint8_t manufacturer_name;
 +    uint8_t product_name;
 +    uint8_t serial_number;
 +    uint8_t oem_id;
 +    uint16_t manufacturer_id;
 +    uint8_t ud_0_base_offset;
 +    uint8_t ud_config_p_length;
 +    uint8_t device_rtt_cap;
 +    uint16_t periodic_rtc_update;
 +    uint8_t ufs_features_support;
 +    uint8_t ffu_timeout;
 +    uint8_t queue_depth;
 +    uint16_t device_version;
 +    uint8_t num_secure_wp_area;
 +    uint32_t psa_max_data_size;
 +    uint8_t psa_state_timeout;
 +    uint8_t product_revision_level;
 +    uint8_t reserved[36];
 +    uint32_t extended_ufs_features_support;
 +    uint8_t write_booster_buffer_preserve_user_space_en;
 +    uint8_t write_booster_buffer_type;
 +    uint32_t num_shared_write_booster_buffer_alloc_units;
 +} DeviceDescriptor;
 +
 +typedef struct QEMU_PACKED GeometryDescriptor {
 +    uint8_t length;
 +    uint8_t descriptor_idn;
 +    uint8_t media_technology;
 +    uint8_t reserved;
 +    uint64_t total_raw_device_capacity;
 +    uint8_t max_number_lu;
 +    uint32_t segment_size;
 +    uint8_t allocation_unit_size;
 +    uint8_t min_addr_block_size;
 +    uint8_t optimal_read_block_size;
 +    uint8_t optimal_write_block_size;
 +    uint8_t max_in_buffer_size;
 +    uint8_t max_out_buffer_size;
 +    uint8_t rpmb_read_write_size;
 +    uint8_t dynamic_capacity_resource_policy;
 +    uint8_t data_ordering;
 +    uint8_t max_context_id_number;
 +    uint8_t sys_data_tag_unit_size;
 +    uint8_t sys_data_tag_res_size;
 +    uint8_t supported_sec_r_types;
 +    uint16_t supported_memory_types;
 +    uint32_t system_code_max_n_alloc_u;
 +    uint16_t system_code_cap_adj_fac;
 +    uint32_t non_persist_max_n_alloc_u;
 +    uint16_t non_persist_cap_adj_fac;
 +    uint32_t enhanced_1_max_n_alloc_u;
 +    uint16_t enhanced_1_cap_adj_fac;
 +    uint32_t enhanced_2_max_n_alloc_u;
 +    uint16_t enhanced_2_cap_adj_fac;
 +    uint32_t enhanced_3_max_n_alloc_u;
 +    uint16_t enhanced_3_cap_adj_fac;
 +    uint32_t enhanced_4_max_n_alloc_u;
 +    uint16_t enhanced_4_cap_adj_fac;
 +    uint32_t optimal_logical_block_size;
 +    uint8_t reserved2[7];
 +    uint32_t write_booster_buffer_max_n_alloc_units;
 +    uint8_t device_max_write_booster_l_us;
 +    uint8_t write_booster_buffer_cap_adj_fac;
 +    uint8_t supported_write_booster_buffer_user_space_reduction_types;
 +    uint8_t supported_write_booster_buffer_types;
 +} GeometryDescriptor;
 +
 +#define UFS_GEOMETRY_CAPACITY_SHIFT 9
 +
 +typedef struct QEMU_PACKED UnitDescriptor {
 +    uint8_t length;
 +    uint8_t descriptor_idn;
 +    uint8_t unit_index;
 +    uint8_t lu_enable;
 +    uint8_t boot_lun_id;
 +    uint8_t lu_write_protect;
 +    uint8_t lu_queue_depth;
 +    uint8_t psa_sensitive;
 +    uint8_t memory_type;
 +    uint8_t data_reliability;
 +    uint8_t logical_block_size;
 +    uint64_t logical_block_count;
 +    uint32_t erase_block_size;
 +    uint8_t provisioning_type;
 +    uint64_t phy_mem_resource_count;
 +    uint16_t context_capabilities;
 +    uint8_t large_unit_granularity_m1;
 +    uint8_t reserved[6];
 +    uint32_t lu_num_write_booster_buffer_alloc_units;
 +} UnitDescriptor;
 +
 +typedef struct QEMU_PACKED RpmbUnitDescriptor {
 +    uint8_t length;
 +    uint8_t descriptor_idn;
 +    uint8_t unit_index;
 +    uint8_t lu_enable;
 +    uint8_t boot_lun_id;
 +    uint8_t lu_write_protect;
 +    uint8_t lu_queue_depth;
 +    uint8_t psa_sensitive;
 +    uint8_t memory_type;
 +    uint8_t reserved;
 +    uint8_t logical_block_size;
 +    uint64_t logical_block_count;
 +    uint32_t erase_block_size;
 +    uint8_t provisioning_type;
 +    uint64_t phy_mem_resource_count;
 +    uint8_t reserved2[3];
 +} RpmbUnitDescriptor;
 +
 +typedef struct QEMU_PACKED PowerParametersDescriptor {
 +    uint8_t length;
 +    uint8_t descriptor_idn;
 +    uint16_t active_icc_levels_vcc[16];
 +    uint16_t active_icc_levels_vccq[16];
 +    uint16_t active_icc_levels_vccq_2[16];
 +} PowerParametersDescriptor;
 +
 +typedef struct QEMU_PACKED InterconnectDescriptor {
 +    uint8_t length;
 +    uint8_t descriptor_idn;
 +    uint16_t bcd_unipro_version;
 +    uint16_t bcd_mphy_version;
 +} InterconnectDescriptor;
 +
 +typedef struct QEMU_PACKED StringDescriptor {
 +    uint8_t length;
 +    uint8_t descriptor_idn;
 +    uint16_t UC[126];
 +} StringDescriptor;
 +
 +typedef struct QEMU_PACKED DeviceHealthDescriptor {
 +    uint8_t length;
 +    uint8_t descriptor_idn;
 +    uint8_t pre_eol_info;
 +    uint8_t device_life_time_est_a;
 +    uint8_t device_life_time_est_b;
 +    uint8_t vendor_prop_info[32];
 +    uint32_t refresh_total_count;
 +    uint32_t refresh_progress;
 +} DeviceHealthDescriptor;
 +
 +typedef struct QEMU_PACKED Flags {
 +    uint8_t reserved;
 +    uint8_t device_init;
 +    uint8_t permanent_wp_en;
 +    uint8_t power_on_wp_en;
 +    uint8_t background_ops_en;
 +    uint8_t device_life_span_mode_en;
 +    uint8_t purge_enable;
 +    uint8_t refresh_enable;
 +    uint8_t phy_resource_removal;
 +    uint8_t busy_rtc;
 +    uint8_t reserved2;
 +    uint8_t permanently_disable_fw_update;
 +    uint8_t reserved3[2];
 +    uint8_t wb_en;
 +    uint8_t wb_buffer_flush_en;
 +    uint8_t wb_buffer_flush_during_hibernate;
 +    uint8_t reserved4[2];
 +} Flags;
 +
 +typedef struct Attributes {
 +    uint8_t boot_lun_en;
 +    uint8_t reserved;
 +    uint8_t current_power_mode;
 +    uint8_t active_icc_level;
 +    uint8_t out_of_order_data_en;
 +    uint8_t background_op_status;
 +    uint8_t purge_status;
 +    uint8_t max_data_in_size;
 +    uint8_t max_data_out_size;
 +    uint32_t dyn_cap_needed;
 +    uint8_t ref_clk_freq;
 +    uint8_t config_descr_lock;
 +    uint8_t max_num_of_rtt;
 +    uint16_t exception_event_control;
 +    uint16_t exception_event_status;
 +    uint32_t seconds_passed;
 +    uint16_t context_conf;
 +    uint8_t device_ffu_status;
 +    uint8_t psa_state;
 +    uint32_t psa_data_size;
 +    uint8_t ref_clk_gating_wait_time;
 +    uint8_t device_case_rough_temperaure;
 +    uint8_t device_too_high_temp_boundary;
 +    uint8_t device_too_low_temp_boundary;
 +    uint8_t throttling_status;
 +    uint8_t wb_buffer_flush_status;
 +    uint8_t available_wb_buffer_size;
 +    uint8_t wb_buffer_life_time_est;
 +    uint32_t current_wb_buffer_size;
 +    uint8_t refresh_status;
 +    uint8_t refresh_freq;
 +    uint8_t refresh_unit;
 +    uint8_t refresh_method;
 +} Attributes;
 +
 +#define UFS_TRANSACTION_SPECIFIC_FIELD_SIZE 20
 +#define UFS_MAX_QUERY_DATA_SIZE 256
 +
 +/* Command response result code */
 +typedef enum CommandRespCode {
 +    COMMAND_RESULT_SUCESS = 0x00,
 +    COMMAND_RESULT_FAIL = 0x01,
 +} CommandRespCode;
 +
 +enum {
 +    UFS_UPIU_FLAG_UNDERFLOW = 0x20,
 +    UFS_UPIU_FLAG_OVERFLOW = 0x40,
 +};
 +
 +typedef struct QEMU_PACKED UtpUpiuHeader {
 +    uint8_t trans_type;
 +    uint8_t flags;
 +    uint8_t lun;
 +    uint8_t task_tag;
 +    uint8_t iid_cmd_set_type;
 +    uint8_t query_func;
 +    uint8_t response;
 +    uint8_t scsi_status;
 +    uint8_t ehs_len;
 +    uint8_t device_inf;
 +    uint16_t data_segment_length;
 +} UtpUpiuHeader;
 +
 +/*
 + * The code below is copied from the linux kernel
 + * ("include/uapi/scsi/scsi_bsg_ufs.h") and modified to fit the qemu style.
 + */
 +
 +typedef struct QEMU_PACKED UtpUpiuQuery {
 +    uint8_t opcode;
 +    uint8_t idn;
 +    uint8_t index;
 +    uint8_t selector;
 +    uint16_t reserved_osf;
 +    uint16_t length;
 +    uint32_t value;
 +    uint32_t reserved[2];
 +    /* EHS length should be 0. We don't have to worry about EHS area. */
 +    uint8_t data[UFS_MAX_QUERY_DATA_SIZE];
 +} UtpUpiuQuery;
 +
 +#define UFS_CDB_SIZE 16
 +
 +/*
 + * struct UtpUpiuCmd - Command UPIU structure
 + * @data_transfer_len: Data Transfer Length DW-3
 + * @cdb: Command Descriptor Block CDB DW-4 to DW-7
 + */
 +typedef struct QEMU_PACKED UtpUpiuCmd {
 +    uint32_t exp_data_transfer_len;
 +    uint8_t cdb[UFS_CDB_SIZE];
 +} UtpUpiuCmd;
 +
 +/*
 + * struct UtpUpiuReq - general upiu request structure
 + * @header:UPIU header structure DW-0 to DW-2
 + * @sc: fields structure for scsi command DW-3 to DW-7
 + * @qr: fields structure for query request DW-3 to DW-7
 + * @uc: use utp_upiu_query to host the 4 dwords of uic command
 + */
 +typedef struct QEMU_PACKED UtpUpiuReq {
 +    UtpUpiuHeader header;
 +    union {
 +        UtpUpiuCmd sc;
 +        UtpUpiuQuery qr;
 +    };
 +} UtpUpiuReq;
 +
 +/*
 + * The code below is copied from the linux kernel ("include/ufs/ufshci.h") and
 + * modified to fit the qemu style.
 + */
 +
 +enum {
 +    PWR_OK = 0x0,
 +    PWR_LOCAL = 0x01,
 +    PWR_REMOTE = 0x02,
 +    PWR_BUSY = 0x03,
 +    PWR_ERROR_CAP = 0x04,
 +    PWR_FATAL_ERROR = 0x05,
 +};
 +
 +/* UIC Commands */
 +enum uic_cmd_dme {
 +    UIC_CMD_DME_GET = 0x01,
 +    UIC_CMD_DME_SET = 0x02,
 +    UIC_CMD_DME_PEER_GET = 0x03,
 +    UIC_CMD_DME_PEER_SET = 0x04,
 +    UIC_CMD_DME_POWERON = 0x10,
 +    UIC_CMD_DME_POWEROFF = 0x11,
 +    UIC_CMD_DME_ENABLE = 0x12,
 +    UIC_CMD_DME_RESET = 0x14,
 +    UIC_CMD_DME_END_PT_RST = 0x15,
 +    UIC_CMD_DME_LINK_STARTUP = 0x16,
 +    UIC_CMD_DME_HIBER_ENTER = 0x17,
 +    UIC_CMD_DME_HIBER_EXIT = 0x18,
 +    UIC_CMD_DME_TEST_MODE = 0x1A,
 +};
 +
 +/* UIC Config result code / Generic error code */
 +enum {
 +    UIC_CMD_RESULT_SUCCESS = 0x00,
 +    UIC_CMD_RESULT_INVALID_ATTR = 0x01,
 +    UIC_CMD_RESULT_FAILURE = 0x01,
 +    UIC_CMD_RESULT_INVALID_ATTR_VALUE = 0x02,
 +    UIC_CMD_RESULT_READ_ONLY_ATTR = 0x03,
 +    UIC_CMD_RESULT_WRITE_ONLY_ATTR = 0x04,
 +    UIC_CMD_RESULT_BAD_INDEX = 0x05,
 +    UIC_CMD_RESULT_LOCKED_ATTR = 0x06,
 +    UIC_CMD_RESULT_BAD_TEST_FEATURE_INDEX = 0x07,
 +    UIC_CMD_RESULT_PEER_COMM_FAILURE = 0x08,
 +    UIC_CMD_RESULT_BUSY = 0x09,
 +    UIC_CMD_RESULT_DME_FAILURE = 0x0A,
 +};
 +
 +#define MASK_UIC_COMMAND_RESULT 0xFF
 +
 +/*
 + * Request Descriptor Definitions
 + */
 +
 +/* Transfer request command type */
 +enum {
 +    UTP_CMD_TYPE_SCSI = 0x0,
 +    UTP_CMD_TYPE_UFS = 0x1,
 +    UTP_CMD_TYPE_DEV_MANAGE = 0x2,
 +};
 +
 +/* To accommodate UFS2.0 required Command type */
 +enum {
 +    UTP_CMD_TYPE_UFS_STORAGE = 0x1,
 +};
 +
 +enum {
 +    UTP_SCSI_COMMAND = 0x00000000,
 +    UTP_NATIVE_UFS_COMMAND = 0x10000000,
 +    UTP_DEVICE_MANAGEMENT_FUNCTION = 0x20000000,
 +    UTP_REQ_DESC_INT_CMD = 0x01000000,
 +    UTP_REQ_DESC_CRYPTO_ENABLE_CMD = 0x00800000,
 +};
 +
 +/* UTP Transfer Request Data Direction (DD) */
 +enum {
 +    UTP_NO_DATA_TRANSFER = 0x00000000,
 +    UTP_HOST_TO_DEVICE = 0x02000000,
 +    UTP_DEVICE_TO_HOST = 0x04000000,
 +};
 +
 +/* Overall command status values */
 +enum UtpOcsCodes {
 +    OCS_SUCCESS = 0x0,
 +    OCS_INVALID_CMD_TABLE_ATTR = 0x1,
 +    OCS_INVALID_PRDT_ATTR = 0x2,
 +    OCS_MISMATCH_DATA_BUF_SIZE = 0x3,
 +    OCS_MISMATCH_RESP_UPIU_SIZE = 0x4,
 +    OCS_PEER_COMM_FAILURE = 0x5,
 +    OCS_ABORTED = 0x6,
 +    OCS_FATAL_ERROR = 0x7,
 +    OCS_DEVICE_FATAL_ERROR = 0x8,
 +    OCS_INVALID_CRYPTO_CONFIG = 0x9,
 +    OCS_GENERAL_CRYPTO_ERROR = 0xa,
 +    OCS_INVALID_COMMAND_STATUS = 0xf,
 +};
 +
 +enum {
 +    MASK_OCS = 0x0F,
 +};
 +
 +/*
 + * struct UfshcdSgEntry - UFSHCI PRD Entry
 + * @addr: Physical address; DW-0 and DW-1.
 + * @reserved: Reserved for future use DW-2
 + * @size: size of physical segment DW-3
 + */
 +typedef struct QEMU_PACKED UfshcdSgEntry {
 +    uint64_t addr;
 +    uint32_t reserved;
 +    uint32_t size;
 +    /*
 +     * followed by variant-specific fields if
 +     * CONFIG_SCSI_UFS_VARIABLE_SG_ENTRY_SIZE has been defined.
 +     */
 +} UfshcdSgEntry;
 +
 +/*
 + * struct RequestDescHeader - Descriptor Header common to both UTRD and UTMRD
 + * @dword0: Descriptor Header DW0
 + * @dword1: Descriptor Header DW1
 + * @dword2: Descriptor Header DW2
 + * @dword3: Descriptor Header DW3
 + */
 +typedef struct QEMU_PACKED RequestDescHeader {
 +    uint32_t dword_0;
 +    uint32_t dword_1;
 +    uint32_t dword_2;
 +    uint32_t dword_3;
 +} RequestDescHeader;
 +
 +/*
 + * struct UtpTransferReqDesc - UTP Transfer Request Descriptor (UTRD)
 + * @header: UTRD header DW-0 to DW-3
 + * @command_desc_base_addr_lo: UCD base address low DW-4
 + * @command_desc_base_addr_hi: UCD base address high DW-5
 + * @response_upiu_length: response UPIU length DW-6
 + * @response_upiu_offset: response UPIU offset DW-6
 + * @prd_table_length: Physical region descriptor length DW-7
 + * @prd_table_offset: Physical region descriptor offset DW-7
 + */
 +typedef struct QEMU_PACKED UtpTransferReqDesc {
 +    /* DW 0-3 */
 +    RequestDescHeader header;
 +
 +    /* DW 4-5*/
 +    uint32_t command_desc_base_addr_lo;
 +    uint32_t command_desc_base_addr_hi;
 +
 +    /* DW 6 */
 +    uint16_t response_upiu_length;
 +    uint16_t response_upiu_offset;
 +
 +    /* DW 7 */
 +    uint16_t prd_table_length;
 +    uint16_t prd_table_offset;
 +} UtpTransferReqDesc;
 +
 +/*
 + * UTMRD structure.
 + */
 +typedef struct QEMU_PACKED UtpTaskReqDesc {
 +    /* DW 0-3 */
 +    RequestDescHeader header;
 +
 +    /* DW 4-11 - Task request UPIU structure */
 +    struct {
 +        UtpUpiuHeader req_header;
 +        uint32_t input_param1;
 +        uint32_t input_param2;
 +        uint32_t input_param3;
 +        uint32_t reserved1[2];
 +    } upiu_req;
 +
 +    /* DW 12-19 - Task Management Response UPIU structure */
 +    struct {
 +        UtpUpiuHeader rsp_header;
 +        uint32_t output_param1;
 +        uint32_t output_param2;
 +        uint32_t reserved2[3];
 +    } upiu_rsp;
 +} UtpTaskReqDesc;
 +
 +/*
 + * The code below is copied from the linux kernel ("include/ufs/ufs.h") and
 + * modified to fit the qemu style.
 + */
 +
 +#define GENERAL_UPIU_REQUEST_SIZE (sizeof(UtpUpiuReq))
 +#define QUERY_DESC_MAX_SIZE 255
 +#define QUERY_DESC_MIN_SIZE 2
 +#define QUERY_DESC_HDR_SIZE 2
 +#define QUERY_OSF_SIZE (GENERAL_UPIU_REQUEST_SIZE - (sizeof(UtpUpiuHeader)))
 +#define UFS_SENSE_SIZE 18
 +
 +/*
 + * UFS device may have standard LUs and LUN id could be from 0x00 to
 + * 0x7F. Standard LUs use "Peripheral Device Addressing Format".
 + * UFS device may also have the Well Known LUs (also referred as W-LU)
 + * which again could be from 0x00 to 0x7F. For W-LUs, device only use
 + * the "Extended Addressing Format" which means the W-LUNs would be
 + * from 0xc100 (SCSI_W_LUN_BASE) onwards.
 + * This means max. LUN number reported from UFS device could be 0xC17F.
 + */
 +#define UFS_UPIU_MAX_UNIT_NUM_ID 0x7F
 +#define UFS_UPIU_WLUN_ID (1 << 7)
 +
 +/* WriteBooster buffer is available only for the logical unit from 0 to 7 */
 +#define UFS_UPIU_MAX_WB_LUN_ID 8
 +
 +/*
 + * WriteBooster buffer lifetime has a limit setted by vendor.
 + * If it is over the limit, WriteBooster feature will be disabled.
 + */
 +#define UFS_WB_EXCEED_LIFETIME 0x0B
 +
 +/*
 + * In UFS Spec, the Extra Header Segment (EHS) starts from byte 32 in UPIU
 + * request/response packet
 + */
 +#define EHS_OFFSET_IN_RESPONSE 32
 +
 +/* Well known logical unit id in LUN field of UPIU */
 +enum {
 +    UFS_UPIU_REPORT_LUNS_WLUN = 0x81,
 +    UFS_UPIU_UFS_DEVICE_WLUN = 0xD0,
 +    UFS_UPIU_BOOT_WLUN = 0xB0,
 +    UFS_UPIU_RPMB_WLUN = 0xC4,
 +};
 +
 +/*
 + * UFS Protocol Information Unit related definitions
 + */
 +
 +/* Task management functions */
 +enum {
 +    UFS_ABORT_TASK = 0x01,
 +    UFS_ABORT_TASK_SET = 0x02,
 +    UFS_CLEAR_TASK_SET = 0x04,
 +    UFS_LOGICAL_RESET = 0x08,
 +    UFS_QUERY_TASK = 0x80,
 +    UFS_QUERY_TASK_SET = 0x81,
 +};
 +
 +/* UTP UPIU Transaction Codes Initiator to Target */
 +enum {
 +    UPIU_TRANSACTION_NOP_OUT = 0x00,
 +    UPIU_TRANSACTION_COMMAND = 0x01,
 +    UPIU_TRANSACTION_DATA_OUT = 0x02,
 +    UPIU_TRANSACTION_TASK_REQ = 0x04,
 +    UPIU_TRANSACTION_QUERY_REQ = 0x16,
 +};
 +
 +/* UTP UPIU Transaction Codes Target to Initiator */
 +enum {
 +    UPIU_TRANSACTION_NOP_IN = 0x20,
 +    UPIU_TRANSACTION_RESPONSE = 0x21,
 +    UPIU_TRANSACTION_DATA_IN = 0x22,
 +    UPIU_TRANSACTION_TASK_RSP = 0x24,
 +    UPIU_TRANSACTION_READY_XFER = 0x31,
 +    UPIU_TRANSACTION_QUERY_RSP = 0x36,
 +    UPIU_TRANSACTION_REJECT_UPIU = 0x3F,
 +};
 +
 +/* UPIU Read/Write flags */
 +enum {
 +    UPIU_CMD_FLAGS_NONE = 0x00,
 +    UPIU_CMD_FLAGS_WRITE = 0x20,
 +    UPIU_CMD_FLAGS_READ = 0x40,
 +};
 +
 +/* UPIU Task Attributes */
 +enum {
 +    UPIU_TASK_ATTR_SIMPLE = 0x00,
 +    UPIU_TASK_ATTR_ORDERED = 0x01,
 +    UPIU_TASK_ATTR_HEADQ = 0x02,
 +    UPIU_TASK_ATTR_ACA = 0x03,
 +};
 +
 +/* UPIU Query request function */
 +enum {
 +    UPIU_QUERY_FUNC_STANDARD_READ_REQUEST = 0x01,
 +    UPIU_QUERY_FUNC_STANDARD_WRITE_REQUEST = 0x81,
 +};
 +
 +/* Flag idn for Query Requests*/
 +enum flag_idn {
 +    QUERY_FLAG_IDN_FDEVICEINIT = 0x01,
 +    QUERY_FLAG_IDN_PERMANENT_WPE = 0x02,
 +    QUERY_FLAG_IDN_PWR_ON_WPE = 0x03,
 +    QUERY_FLAG_IDN_BKOPS_EN = 0x04,
 +    QUERY_FLAG_IDN_LIFE_SPAN_MODE_ENABLE = 0x05,
 +    QUERY_FLAG_IDN_PURGE_ENABLE = 0x06,
 +    QUERY_FLAG_IDN_REFRESH_ENABLE = 0x07,
 +    QUERY_FLAG_IDN_FPHYRESOURCEREMOVAL = 0x08,
 +    QUERY_FLAG_IDN_BUSY_RTC = 0x09,
 +    QUERY_FLAG_IDN_RESERVED3 = 0x0A,
 +    QUERY_FLAG_IDN_PERMANENTLY_DISABLE_FW_UPDATE = 0x0B,
 +    QUERY_FLAG_IDN_WB_EN = 0x0E,
 +    QUERY_FLAG_IDN_WB_BUFF_FLUSH_EN = 0x0F,
 +    QUERY_FLAG_IDN_WB_BUFF_FLUSH_DURING_HIBERN8 = 0x10,
 +    QUERY_FLAG_IDN_HPB_RESET = 0x11,
 +    QUERY_FLAG_IDN_HPB_EN = 0x12,
 +    QUERY_FLAG_IDN_COUNT,
 +};
 +
 +/* Attribute idn for Query requests */
 +enum attr_idn {
 +    QUERY_ATTR_IDN_BOOT_LU_EN = 0x00,
 +    QUERY_ATTR_IDN_MAX_HPB_SINGLE_CMD = 0x01,
 +    QUERY_ATTR_IDN_POWER_MODE = 0x02,
 +    QUERY_ATTR_IDN_ACTIVE_ICC_LVL = 0x03,
 +    QUERY_ATTR_IDN_OOO_DATA_EN = 0x04,
 +    QUERY_ATTR_IDN_BKOPS_STATUS = 0x05,
 +    QUERY_ATTR_IDN_PURGE_STATUS = 0x06,
 +    QUERY_ATTR_IDN_MAX_DATA_IN = 0x07,
 +    QUERY_ATTR_IDN_MAX_DATA_OUT = 0x08,
 +    QUERY_ATTR_IDN_DYN_CAP_NEEDED = 0x09,
 +    QUERY_ATTR_IDN_REF_CLK_FREQ = 0x0A,
 +    QUERY_ATTR_IDN_CONF_DESC_LOCK = 0x0B,
 +    QUERY_ATTR_IDN_MAX_NUM_OF_RTT = 0x0C,
 +    QUERY_ATTR_IDN_EE_CONTROL = 0x0D,
 +    QUERY_ATTR_IDN_EE_STATUS = 0x0E,
 +    QUERY_ATTR_IDN_SECONDS_PASSED = 0x0F,
 +    QUERY_ATTR_IDN_CNTX_CONF = 0x10,
 +    QUERY_ATTR_IDN_CORR_PRG_BLK_NUM = 0x11,
 +    QUERY_ATTR_IDN_RESERVED2 = 0x12,
 +    QUERY_ATTR_IDN_RESERVED3 = 0x13,
 +    QUERY_ATTR_IDN_FFU_STATUS = 0x14,
 +    QUERY_ATTR_IDN_PSA_STATE = 0x15,
 +    QUERY_ATTR_IDN_PSA_DATA_SIZE = 0x16,
 +    QUERY_ATTR_IDN_REF_CLK_GATING_WAIT_TIME = 0x17,
 +    QUERY_ATTR_IDN_CASE_ROUGH_TEMP = 0x18,
 +    QUERY_ATTR_IDN_HIGH_TEMP_BOUND = 0x19,
 +    QUERY_ATTR_IDN_LOW_TEMP_BOUND = 0x1A,
 +    QUERY_ATTR_IDN_THROTTLING_STATUS = 0x1B,
 +    QUERY_ATTR_IDN_WB_FLUSH_STATUS = 0x1C,
 +    QUERY_ATTR_IDN_AVAIL_WB_BUFF_SIZE = 0x1D,
 +    QUERY_ATTR_IDN_WB_BUFF_LIFE_TIME_EST = 0x1E,
 +    QUERY_ATTR_IDN_CURR_WB_BUFF_SIZE = 0x1F,
 +    QUERY_ATTR_IDN_REFRESH_STATUS = 0x2C,
 +    QUERY_ATTR_IDN_REFRESH_FREQ = 0x2D,
 +    QUERY_ATTR_IDN_REFRESH_UNIT = 0x2E,
 +    QUERY_ATTR_IDN_COUNT,
 +};
 +
 +/* Descriptor idn for Query requests */
 +enum desc_idn {
 +    QUERY_DESC_IDN_DEVICE = 0x0,
 +    QUERY_DESC_IDN_CONFIGURATION = 0x1,
 +    QUERY_DESC_IDN_UNIT = 0x2,
 +    QUERY_DESC_IDN_RFU_0 = 0x3,
 +    QUERY_DESC_IDN_INTERCONNECT = 0x4,
 +    QUERY_DESC_IDN_STRING = 0x5,
 +    QUERY_DESC_IDN_RFU_1 = 0x6,
 +    QUERY_DESC_IDN_GEOMETRY = 0x7,
 +    QUERY_DESC_IDN_POWER = 0x8,
 +    QUERY_DESC_IDN_HEALTH = 0x9,
 +    QUERY_DESC_IDN_MAX,
 +};
 +
 +enum desc_header_offset {
 +    QUERY_DESC_LENGTH_OFFSET = 0x00,
 +    QUERY_DESC_DESC_TYPE_OFFSET = 0x01,
 +};
 +
 +/* Unit descriptor parameters offsets in bytes*/
 +enum unit_desc_param {
 +    UNIT_DESC_PARAM_LEN = 0x0,
 +    UNIT_DESC_PARAM_TYPE = 0x1,
 +    UNIT_DESC_PARAM_UNIT_INDEX = 0x2,
 +    UNIT_DESC_PARAM_LU_ENABLE = 0x3,
 +    UNIT_DESC_PARAM_BOOT_LUN_ID = 0x4,
 +    UNIT_DESC_PARAM_LU_WR_PROTECT = 0x5,
 +    UNIT_DESC_PARAM_LU_Q_DEPTH = 0x6,
 +    UNIT_DESC_PARAM_PSA_SENSITIVE = 0x7,
 +    UNIT_DESC_PARAM_MEM_TYPE = 0x8,
 +    UNIT_DESC_PARAM_DATA_RELIABILITY = 0x9,
 +    UNIT_DESC_PARAM_LOGICAL_BLK_SIZE = 0xA,
 +    UNIT_DESC_PARAM_LOGICAL_BLK_COUNT = 0xB,
 +    UNIT_DESC_PARAM_ERASE_BLK_SIZE = 0x13,
 +    UNIT_DESC_PARAM_PROVISIONING_TYPE = 0x17,
 +    UNIT_DESC_PARAM_PHY_MEM_RSRC_CNT = 0x18,
 +    UNIT_DESC_PARAM_CTX_CAPABILITIES = 0x20,
 +    UNIT_DESC_PARAM_LARGE_UNIT_SIZE_M1 = 0x22,
 +    UNIT_DESC_PARAM_HPB_LU_MAX_ACTIVE_RGNS = 0x23,
 +    UNIT_DESC_PARAM_HPB_PIN_RGN_START_OFF = 0x25,
 +    UNIT_DESC_PARAM_HPB_NUM_PIN_RGNS = 0x27,
 +    UNIT_DESC_PARAM_WB_BUF_ALLOC_UNITS = 0x29,
 +};
 +
 +/* RPMB Unit descriptor parameters offsets in bytes*/
 +enum rpmb_unit_desc_param {
 +    RPMB_UNIT_DESC_PARAM_LEN = 0x0,
 +    RPMB_UNIT_DESC_PARAM_TYPE = 0x1,
 +    RPMB_UNIT_DESC_PARAM_UNIT_INDEX = 0x2,
 +    RPMB_UNIT_DESC_PARAM_LU_ENABLE = 0x3,
 +    RPMB_UNIT_DESC_PARAM_BOOT_LUN_ID = 0x4,
 +    RPMB_UNIT_DESC_PARAM_LU_WR_PROTECT = 0x5,
 +    RPMB_UNIT_DESC_PARAM_LU_Q_DEPTH = 0x6,
 +    RPMB_UNIT_DESC_PARAM_PSA_SENSITIVE = 0x7,
 +    RPMB_UNIT_DESC_PARAM_MEM_TYPE = 0x8,
 +    RPMB_UNIT_DESC_PARAM_REGION_EN = 0x9,
 +    RPMB_UNIT_DESC_PARAM_LOGICAL_BLK_SIZE = 0xA,
 +    RPMB_UNIT_DESC_PARAM_LOGICAL_BLK_COUNT = 0xB,
 +    RPMB_UNIT_DESC_PARAM_REGION0_SIZE = 0x13,
 +    RPMB_UNIT_DESC_PARAM_REGION1_SIZE = 0x14,
 +    RPMB_UNIT_DESC_PARAM_REGION2_SIZE = 0x15,
 +    RPMB_UNIT_DESC_PARAM_REGION3_SIZE = 0x16,
 +    RPMB_UNIT_DESC_PARAM_PROVISIONING_TYPE = 0x17,
 +    RPMB_UNIT_DESC_PARAM_PHY_MEM_RSRC_CNT = 0x18,
 +};
 +
 +/* Device descriptor parameters offsets in bytes*/
 +enum device_desc_param {
 +    DEVICE_DESC_PARAM_LEN = 0x0,
 +    DEVICE_DESC_PARAM_TYPE = 0x1,
 +    DEVICE_DESC_PARAM_DEVICE_TYPE = 0x2,
 +    DEVICE_DESC_PARAM_DEVICE_CLASS = 0x3,
 +    DEVICE_DESC_PARAM_DEVICE_SUB_CLASS = 0x4,
 +    DEVICE_DESC_PARAM_PRTCL = 0x5,
 +    DEVICE_DESC_PARAM_NUM_LU = 0x6,
 +    DEVICE_DESC_PARAM_NUM_WLU = 0x7,
 +    DEVICE_DESC_PARAM_BOOT_ENBL = 0x8,
 +    DEVICE_DESC_PARAM_DESC_ACCSS_ENBL = 0x9,
 +    DEVICE_DESC_PARAM_INIT_PWR_MODE = 0xA,
 +    DEVICE_DESC_PARAM_HIGH_PR_LUN = 0xB,
 +    DEVICE_DESC_PARAM_SEC_RMV_TYPE = 0xC,
 +    DEVICE_DESC_PARAM_SEC_LU = 0xD,
 +    DEVICE_DESC_PARAM_BKOP_TERM_LT = 0xE,
 +    DEVICE_DESC_PARAM_ACTVE_ICC_LVL = 0xF,
 +    DEVICE_DESC_PARAM_SPEC_VER = 0x10,
 +    DEVICE_DESC_PARAM_MANF_DATE = 0x12,
 +    DEVICE_DESC_PARAM_MANF_NAME = 0x14,
 +    DEVICE_DESC_PARAM_PRDCT_NAME = 0x15,
 +    DEVICE_DESC_PARAM_SN = 0x16,
 +    DEVICE_DESC_PARAM_OEM_ID = 0x17,
 +    DEVICE_DESC_PARAM_MANF_ID = 0x18,
 +    DEVICE_DESC_PARAM_UD_OFFSET = 0x1A,
 +    DEVICE_DESC_PARAM_UD_LEN = 0x1B,
 +    DEVICE_DESC_PARAM_RTT_CAP = 0x1C,
 +    DEVICE_DESC_PARAM_FRQ_RTC = 0x1D,
 +    DEVICE_DESC_PARAM_UFS_FEAT = 0x1F,
 +    DEVICE_DESC_PARAM_FFU_TMT = 0x20,
 +    DEVICE_DESC_PARAM_Q_DPTH = 0x21,
 +    DEVICE_DESC_PARAM_DEV_VER = 0x22,
 +    DEVICE_DESC_PARAM_NUM_SEC_WPA = 0x24,
 +    DEVICE_DESC_PARAM_PSA_MAX_DATA = 0x25,
 +    DEVICE_DESC_PARAM_PSA_TMT = 0x29,
 +    DEVICE_DESC_PARAM_PRDCT_REV = 0x2A,
 +    DEVICE_DESC_PARAM_HPB_VER = 0x40,
 +    DEVICE_DESC_PARAM_HPB_CONTROL = 0x42,
 +    DEVICE_DESC_PARAM_EXT_UFS_FEATURE_SUP = 0x4F,
 +    DEVICE_DESC_PARAM_WB_PRESRV_USRSPC_EN = 0x53,
 +    DEVICE_DESC_PARAM_WB_TYPE = 0x54,
 +    DEVICE_DESC_PARAM_WB_SHARED_ALLOC_UNITS = 0x55,
 +};
 +
 +/* Interconnect descriptor parameters offsets in bytes*/
 +enum interconnect_desc_param {
 +    INTERCONNECT_DESC_PARAM_LEN = 0x0,
 +    INTERCONNECT_DESC_PARAM_TYPE = 0x1,
 +    INTERCONNECT_DESC_PARAM_UNIPRO_VER = 0x2,
 +    INTERCONNECT_DESC_PARAM_MPHY_VER = 0x4,
 +};
 +
 +/* Geometry descriptor parameters offsets in bytes*/
 +enum geometry_desc_param {
 +    GEOMETRY_DESC_PARAM_LEN = 0x0,
 +    GEOMETRY_DESC_PARAM_TYPE = 0x1,
 +    GEOMETRY_DESC_PARAM_DEV_CAP = 0x4,
 +    GEOMETRY_DESC_PARAM_MAX_NUM_LUN = 0xC,
 +    GEOMETRY_DESC_PARAM_SEG_SIZE = 0xD,
 +    GEOMETRY_DESC_PARAM_ALLOC_UNIT_SIZE = 0x11,
 +    GEOMETRY_DESC_PARAM_MIN_BLK_SIZE = 0x12,
 +    GEOMETRY_DESC_PARAM_OPT_RD_BLK_SIZE = 0x13,
 +    GEOMETRY_DESC_PARAM_OPT_WR_BLK_SIZE = 0x14,
 +    GEOMETRY_DESC_PARAM_MAX_IN_BUF_SIZE = 0x15,
 +    GEOMETRY_DESC_PARAM_MAX_OUT_BUF_SIZE = 0x16,
 +    GEOMETRY_DESC_PARAM_RPMB_RW_SIZE = 0x17,
 +    GEOMETRY_DESC_PARAM_DYN_CAP_RSRC_PLC = 0x18,
 +    GEOMETRY_DESC_PARAM_DATA_ORDER = 0x19,
 +    GEOMETRY_DESC_PARAM_MAX_NUM_CTX = 0x1A,
 +    GEOMETRY_DESC_PARAM_TAG_UNIT_SIZE = 0x1B,
 +    GEOMETRY_DESC_PARAM_TAG_RSRC_SIZE = 0x1C,
 +    GEOMETRY_DESC_PARAM_SEC_RM_TYPES = 0x1D,
 +    GEOMETRY_DESC_PARAM_MEM_TYPES = 0x1E,
 +    GEOMETRY_DESC_PARAM_SCM_MAX_NUM_UNITS = 0x20,
 +    GEOMETRY_DESC_PARAM_SCM_CAP_ADJ_FCTR = 0x24,
 +    GEOMETRY_DESC_PARAM_NPM_MAX_NUM_UNITS = 0x26,
 +    GEOMETRY_DESC_PARAM_NPM_CAP_ADJ_FCTR = 0x2A,
 +    GEOMETRY_DESC_PARAM_ENM1_MAX_NUM_UNITS = 0x2C,
 +    GEOMETRY_DESC_PARAM_ENM1_CAP_ADJ_FCTR = 0x30,
 +    GEOMETRY_DESC_PARAM_ENM2_MAX_NUM_UNITS = 0x32,
 +    GEOMETRY_DESC_PARAM_ENM2_CAP_ADJ_FCTR = 0x36,
 +    GEOMETRY_DESC_PARAM_ENM3_MAX_NUM_UNITS = 0x38,
 +    GEOMETRY_DESC_PARAM_ENM3_CAP_ADJ_FCTR = 0x3C,
 +    GEOMETRY_DESC_PARAM_ENM4_MAX_NUM_UNITS = 0x3E,
 +    GEOMETRY_DESC_PARAM_ENM4_CAP_ADJ_FCTR = 0x42,
 +    GEOMETRY_DESC_PARAM_OPT_LOG_BLK_SIZE = 0x44,
 +    GEOMETRY_DESC_PARAM_HPB_REGION_SIZE = 0x48,
 +    GEOMETRY_DESC_PARAM_HPB_NUMBER_LU = 0x49,
 +    GEOMETRY_DESC_PARAM_HPB_SUBREGION_SIZE = 0x4A,
 +    GEOMETRY_DESC_PARAM_HPB_MAX_ACTIVE_REGS = 0x4B,
 +    GEOMETRY_DESC_PARAM_WB_MAX_ALLOC_UNITS = 0x4F,
 +    GEOMETRY_DESC_PARAM_WB_MAX_WB_LUNS = 0x53,
 +    GEOMETRY_DESC_PARAM_WB_BUFF_CAP_ADJ = 0x54,
 +    GEOMETRY_DESC_PARAM_WB_SUP_RED_TYPE = 0x55,
 +    GEOMETRY_DESC_PARAM_WB_SUP_WB_TYPE = 0x56,
 +};
 +
 +/* Health descriptor parameters offsets in bytes*/
 +enum health_desc_param {
 +    HEALTH_DESC_PARAM_LEN = 0x0,
 +    HEALTH_DESC_PARAM_TYPE = 0x1,
 +    HEALTH_DESC_PARAM_EOL_INFO = 0x2,
 +    HEALTH_DESC_PARAM_LIFE_TIME_EST_A = 0x3,
 +    HEALTH_DESC_PARAM_LIFE_TIME_EST_B = 0x4,
 +};
 +
 +/* WriteBooster buffer mode */
 +enum {
 +    WB_BUF_MODE_LU_DEDICATED = 0x0,
 +    WB_BUF_MODE_SHARED = 0x1,
 +};
 +
 +/*
 + * Logical Unit Write Protect
 + * 00h: LU not write protected
 + * 01h: LU write protected when fPowerOnWPEn =1
 + * 02h: LU permanently write protected when fPermanentWPEn =1
 + */
 +enum ufs_lu_wp_type {
 +    UFS_LU_NO_WP = 0x00,
 +    UFS_LU_POWER_ON_WP = 0x01,
 +    UFS_LU_PERM_WP = 0x02,
 +};
 +
 +/* UTP QUERY Transaction Specific Fields OpCode */
 +enum query_opcode {
 +    UPIU_QUERY_OPCODE_NOP = 0x0,
 +    UPIU_QUERY_OPCODE_READ_DESC = 0x1,
 +    UPIU_QUERY_OPCODE_WRITE_DESC = 0x2,
 +    UPIU_QUERY_OPCODE_READ_ATTR = 0x3,
 +    UPIU_QUERY_OPCODE_WRITE_ATTR = 0x4,
 +    UPIU_QUERY_OPCODE_READ_FLAG = 0x5,
 +    UPIU_QUERY_OPCODE_SET_FLAG = 0x6,
 +    UPIU_QUERY_OPCODE_CLEAR_FLAG = 0x7,
 +    UPIU_QUERY_OPCODE_TOGGLE_FLAG = 0x8,
 +};
 +
 +/* Query response result code */
 +typedef enum QueryRespCode {
 +    QUERY_RESULT_SUCCESS = 0x00,
 +    QUERY_RESULT_NOT_READABLE = 0xF6,
 +    QUERY_RESULT_NOT_WRITEABLE = 0xF7,
 +    QUERY_RESULT_ALREADY_WRITTEN = 0xF8,
 +    QUERY_RESULT_INVALID_LENGTH = 0xF9,
 +    QUERY_RESULT_INVALID_VALUE = 0xFA,
 +    QUERY_RESULT_INVALID_SELECTOR = 0xFB,
 +    QUERY_RESULT_INVALID_INDEX = 0xFC,
 +    QUERY_RESULT_INVALID_IDN = 0xFD,
 +    QUERY_RESULT_INVALID_OPCODE = 0xFE,
 +    QUERY_RESULT_GENERAL_FAILURE = 0xFF,
 +} QueryRespCode;
 +
 +/* UTP Transfer Request Command Type (CT) */
 +enum {
 +    UPIU_COMMAND_SET_TYPE_SCSI = 0x0,
 +    UPIU_COMMAND_SET_TYPE_UFS = 0x1,
 +    UPIU_COMMAND_SET_TYPE_QUERY = 0x2,
 +};
 +
 +/* Task management service response */
 +enum {
 +    UPIU_TASK_MANAGEMENT_FUNC_COMPL = 0x00,
 +    UPIU_TASK_MANAGEMENT_FUNC_NOT_SUPPORTED = 0x04,
 +    UPIU_TASK_MANAGEMENT_FUNC_SUCCEEDED = 0x08,
 +    UPIU_TASK_MANAGEMENT_FUNC_FAILED = 0x05,
 +    UPIU_INCORRECT_LOGICAL_UNIT_NO = 0x09,
 +};
 +
 +/* UFS device power modes */
 +enum ufs_dev_pwr_mode {
 +    UFS_ACTIVE_PWR_MODE = 1,
 +    UFS_SLEEP_PWR_MODE = 2,
 +    UFS_POWERDOWN_PWR_MODE = 3,
 +    UFS_DEEPSLEEP_PWR_MODE = 4,
 +};
 +
 +/*
 + * struct UtpCmdRsp - Response UPIU structure
 + * @residual_transfer_count: Residual transfer count DW-3
 + * @reserved: Reserved double words DW-4 to DW-7
 + * @sense_data_len: Sense data length DW-8 U16
 + * @sense_data: Sense data field DW-8 to DW-12
 + */
 +typedef struct QEMU_PACKED UtpCmdRsp {
 +    uint32_t residual_transfer_count;
 +    uint32_t reserved[4];
 +    uint16_t sense_data_len;
 +    uint8_t sense_data[UFS_SENSE_SIZE];
 +} UtpCmdRsp;
 +
 +/*
 + * struct UtpUpiuRsp - general upiu response structure
 + * @header: UPIU header structure DW-0 to DW-2
 + * @sr: fields structure for scsi command DW-3 to DW-12
 + * @qr: fields structure for query request DW-3 to DW-7
 + */
 +typedef struct QEMU_PACKED UtpUpiuRsp {
 +    UtpUpiuHeader header;
 +    union {
 +        UtpCmdRsp sr;
 +        UtpUpiuQuery qr;
 +    };
 +} UtpUpiuRsp;
 +
 +static inline void _ufs_check_size(void)
 +{
 +    QEMU_BUILD_BUG_ON(sizeof(UfsReg) != 0x104);
 +    QEMU_BUILD_BUG_ON(sizeof(DeviceDescriptor) != 89);
 +    QEMU_BUILD_BUG_ON(sizeof(GeometryDescriptor) != 87);
 +    QEMU_BUILD_BUG_ON(sizeof(UnitDescriptor) != 45);
 +    QEMU_BUILD_BUG_ON(sizeof(RpmbUnitDescriptor) != 35);
 +    QEMU_BUILD_BUG_ON(sizeof(PowerParametersDescriptor) != 98);
 +    QEMU_BUILD_BUG_ON(sizeof(InterconnectDescriptor) != 6);
 +    QEMU_BUILD_BUG_ON(sizeof(StringDescriptor) != 254);
 +    QEMU_BUILD_BUG_ON(sizeof(DeviceHealthDescriptor) != 45);
 +    QEMU_BUILD_BUG_ON(sizeof(Flags) != 0x13);
 +    QEMU_BUILD_BUG_ON(sizeof(UtpUpiuHeader) != 12);
 +    QEMU_BUILD_BUG_ON(sizeof(UtpUpiuQuery) != 276);
 +    QEMU_BUILD_BUG_ON(sizeof(UtpUpiuCmd) != 20);
 +    QEMU_BUILD_BUG_ON(sizeof(UtpUpiuReq) != 288);
 +    QEMU_BUILD_BUG_ON(sizeof(UfshcdSgEntry) != 16);
 +    QEMU_BUILD_BUG_ON(sizeof(RequestDescHeader) != 16);
 +    QEMU_BUILD_BUG_ON(sizeof(UtpTransferReqDesc) != 32);
 +    QEMU_BUILD_BUG_ON(sizeof(UtpTaskReqDesc) != 80);
 +    QEMU_BUILD_BUG_ON(sizeof(UtpCmdRsp) != 40);
 +    QEMU_BUILD_BUG_ON(sizeof(UtpUpiuRsp) != 288);
 +}
 +#endif
 diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/hw/pci/pci.h
 +++ b/include/hw/pci/pci.h
@@ -XXX,XX +XXX,XX @@ extern bool pci_available;
  #define PCI_DEVICE_ID_REDHAT_NVME        0x0010
  #define PCI_DEVICE_ID_REDHAT_PVPANIC     0x0011
  #define PCI_DEVICE_ID_REDHAT_ACPI_ERST   0x0012
 +#define PCI_DEVICE_ID_REDHAT_UFS         0x0013
  #define PCI_DEVICE_ID_REDHAT_QXL         0x0100
  #define FMT_PCIBUS                      PRIx64
 diff --git a/include/hw/pci/pci_ids.h b/include/hw/pci/pci_ids.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/hw/pci/pci_ids.h
 +++ b/include/hw/pci/pci_ids.h
@@ -XXX,XX +XXX,XX @@
  #define PCI_CLASS_STORAGE_SATA           0x0106
  #define PCI_CLASS_STORAGE_SAS            0x0107
  #define PCI_CLASS_STORAGE_EXPRESS        0x0108
 +#define PCI_CLASS_STORAGE_UFS            0x0109
  #define PCI_CLASS_STORAGE_OTHER          0x0180
  #define PCI_BASE_CLASS_NETWORK           0x02
 diff --git a/hw/ufs/ufs.c b/hw/ufs/ufs.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/hw/ufs/ufs.c
@@ -XXX,XX +XXX,XX @@
 +/*
 + * QEMU Universal Flash Storage (UFS) Controller
 + *
 + * Copyright (c) 2023 Samsung Electronics Co., Ltd. All rights reserved.
 + *
 + * Written by Jeuk Kim <jeuk20.kim@samsung.com>
 + *
 + * SPDX-License-Identifier: GPL-2.0-or-later
 + */
 +
 +#include "qemu/osdep.h"
-+#include "block/block.h"
-+#include "vhost-user-blk-server.h"
 +#include "qapi/error.h"
-+#include "qom/object_interfaces.h"
++#include "migration/vmstate.h"
-+#include "sysemu/block-backend.h"
++#include "trace.h"
-+#include "util/block-helpers.h"
++#include "ufs.h"
 +
-+enum {
++/* The QEMU-UFS device follows spec version 3.1 */
-+    VHOST_USER_BLK_MAX_QUEUES = 1,
++#define UFS_SPEC_VER 0x00000310
-+};
++#define UFS_MAX_NUTRS 32
-+struct virtio_blk_inhdr {
++#define UFS_MAX_NUTMRS 8
-+    unsigned char status;
++
-+};
++static void ufs_irq_check(UfsHc *u)
 +
 +typedef struct VuBlockReq {
 +    VuVirtqElement *elem;
 +    int64_t sector_num;
 +    size_t size;
 +    struct virtio_blk_inhdr *in;
 +    struct virtio_blk_outhdr out;
 +    VuServer *server;
 +    struct VuVirtq *vq;
 +} VuBlockReq;
 +
 +static void vu_block_req_complete(VuBlockReq *req)
 +{
-+    VuDev *vu_dev = &req->server->vu_dev;
++    PCIDevice *pci = PCI_DEVICE(u);
 +
-+    /* IO size with 1 extra status byte */
++    if ((u->reg.is & UFS_INTR_MASK) & u->reg.ie) {
-+    vu_queue_push(vu_dev, req->vq, req->elem, req->size + 1);
++        trace_ufs_irq_raise();
-+    vu_queue_notify(vu_dev, req->vq);
++        pci_irq_assert(pci);
-+
++    } else {
-+    if (req->elem) {
++        trace_ufs_irq_lower();
-+        free(req->elem);
++        pci_irq_deassert(pci);
 +    }
-+
-+    g_free(req);
 +}
 +
-+static VuBlockDev *get_vu_block_device_by_server(VuServer *server)
++static void ufs_process_uiccmd(UfsHc *u, uint32_t val)
 +{
-+    return container_of(server, VuBlockDev, vu_server);
++    trace_ufs_process_uiccmd(val, u->reg.ucmdarg1, u->reg.ucmdarg2,
 +                             u->reg.ucmdarg3);
 +    /*
 +     * Only the essential uic commands for running drivers on Linux and Windows
 +     * are implemented.
 +     */
 +    switch (val) {
 +    case UIC_CMD_DME_LINK_STARTUP:
 +        u->reg.hcs = FIELD_DP32(u->reg.hcs, HCS, DP, 1);
 +        u->reg.hcs = FIELD_DP32(u->reg.hcs, HCS, UTRLRDY, 1);
 +        u->reg.hcs = FIELD_DP32(u->reg.hcs, HCS, UTMRLRDY, 1);
 +        u->reg.ucmdarg2 = UIC_CMD_RESULT_SUCCESS;
 +        break;
 +    /* TODO: Revisit it when Power Management is implemented */
 +    case UIC_CMD_DME_HIBER_ENTER:
 +        u->reg.is = FIELD_DP32(u->reg.is, IS, UHES, 1);
 +        u->reg.hcs = FIELD_DP32(u->reg.hcs, HCS, UPMCRS, PWR_LOCAL);
 +        u->reg.ucmdarg2 = UIC_CMD_RESULT_SUCCESS;
 +        break;
 +    case UIC_CMD_DME_HIBER_EXIT:
 +        u->reg.is = FIELD_DP32(u->reg.is, IS, UHXS, 1);
 +        u->reg.hcs = FIELD_DP32(u->reg.hcs, HCS, UPMCRS, PWR_LOCAL);
 +        u->reg.ucmdarg2 = UIC_CMD_RESULT_SUCCESS;
 +        break;
 +    default:
 +        u->reg.ucmdarg2 = UIC_CMD_RESULT_FAILURE;
 +    }
 +
 +    u->reg.is = FIELD_DP32(u->reg.is, IS, UCCS, 1);
 +
 +    ufs_irq_check(u);
 +}
 +
-+static int coroutine_fn
++static void ufs_write_reg(UfsHc *u, hwaddr offset, uint32_t data, unsigned size)
 +vu_block_discard_write_zeroes(VuBlockReq *req, struct iovec *iov,
 +                              uint32_t iovcnt, uint32_t type)
 +{
-+    struct virtio_blk_discard_write_zeroes desc;
++    switch (offset) {
-+    ssize_t size = iov_to_buf(iov, iovcnt, 0, &desc, sizeof(desc));
++    case A_IS:
-+    if (unlikely(size != sizeof(desc))) {
++        u->reg.is &= ~data;
-+        error_report("Invalid size %zd, expect %zu", size, sizeof(desc));
++        ufs_irq_check(u);
-+        return -EINVAL;
++        break;
 +    case A_IE:
 +        u->reg.ie = data;
 +        ufs_irq_check(u);
 +        break;
 +    case A_HCE:
 +        if (!FIELD_EX32(u->reg.hce, HCE, HCE) && FIELD_EX32(data, HCE, HCE)) {
 +            u->reg.hcs = FIELD_DP32(u->reg.hcs, HCS, UCRDY, 1);
 +            u->reg.hce = FIELD_DP32(u->reg.hce, HCE, HCE, 1);
 +        } else if (FIELD_EX32(u->reg.hce, HCE, HCE) &&
 +                   !FIELD_EX32(data, HCE, HCE)) {
 +            u->reg.hcs = 0;
 +            u->reg.hce = FIELD_DP32(u->reg.hce, HCE, HCE, 0);
 +        }
 +        break;
 +    case A_UTRLBA:
 +        u->reg.utrlba = data & R_UTRLBA_UTRLBA_MASK;
 +        break;
 +    case A_UTRLBAU:
 +        u->reg.utrlbau = data;
 +        break;
 +    case A_UTRLDBR:
 +        /* Not yet supported */
 +        break;
 +    case A_UTRLRSR:
 +        u->reg.utrlrsr = data;
 +        break;
 +    case A_UTRLCNR:
 +        u->reg.utrlcnr &= ~data;
 +        break;
 +    case A_UTMRLBA:
 +        u->reg.utmrlba = data & R_UTMRLBA_UTMRLBA_MASK;
 +        break;
 +    case A_UTMRLBAU:
 +        u->reg.utmrlbau = data;
 +        break;
 +    case A_UICCMD:
 +        ufs_process_uiccmd(u, data);
 +        break;
 +    case A_UCMDARG1:
 +        u->reg.ucmdarg1 = data;
 +        break;
 +    case A_UCMDARG2:
 +        u->reg.ucmdarg2 = data;
 +        break;
 +    case A_UCMDARG3:
 +        u->reg.ucmdarg3 = data;
 +        break;
 +    case A_UTRLCLR:
 +    case A_UTMRLDBR:
 +    case A_UTMRLCLR:
 +    case A_UTMRLRSR:
 +        trace_ufs_err_unsupport_register_offset(offset);
 +        break;
 +    default:
 +        trace_ufs_err_invalid_register_offset(offset);
 +        break;
 +    }
-+
++}
-+    VuBlockDev *vdev_blk = get_vu_block_device_by_server(req->server);
++
-+    uint64_t range[2] = { le64_to_cpu(desc.sector) << 9,
++static uint64_t ufs_mmio_read(void *opaque, hwaddr addr, unsigned size)
-+                          le32_to_cpu(desc.num_sectors) << 9 };
++{
-+    if (type == VIRTIO_BLK_T_DISCARD) {
++    UfsHc *u = (UfsHc *)opaque;
-+        if (blk_co_pdiscard(vdev_blk->backend, range[0], range[1]) == 0) {
++    uint8_t *ptr = (uint8_t *)&u->reg;
-+            return 0;
++    uint64_t value;
-+        }
++
-+    } else if (type == VIRTIO_BLK_T_WRITE_ZEROES) {
++    if (addr > sizeof(u->reg) - size) {
-+        if (blk_co_pwrite_zeroes(vdev_blk->backend,
++        trace_ufs_err_invalid_register_offset(addr);
-+                                 range[0], range[1], 0) == 0) {
++        return 0;
 +            return 0;
 +        }
 +    }
 +
-+    return -EINVAL;
++    value = *(uint32_t *)(ptr + addr);
 +    trace_ufs_mmio_read(addr, value, size);
 +    return value;
 +}
 +
-+static void coroutine_fn vu_block_flush(VuBlockReq *req)
++static void ufs_mmio_write(void *opaque, hwaddr addr, uint64_t data,
 +                           unsigned size)
 +{
-+    VuBlockDev *vdev_blk = get_vu_block_device_by_server(req->server);
++    UfsHc *u = (UfsHc *)opaque;
-+    BlockBackend *backend = vdev_blk->backend;
++
-+    blk_co_flush(backend);
++    if (addr > sizeof(u->reg) - size) {
-+}
++        trace_ufs_err_invalid_register_offset(addr);
 +
 +struct req_data {
 +    VuServer *server;
 +    VuVirtq *vq;
 +    VuVirtqElement *elem;
 +};
 +
 +static void coroutine_fn vu_block_virtio_process_req(void *opaque)
 +{
 +    struct req_data *data = opaque;
 +    VuServer *server = data->server;
 +    VuVirtq *vq = data->vq;
 +    VuVirtqElement *elem = data->elem;
 +    uint32_t type;
 +    VuBlockReq *req;
 +
 +    VuBlockDev *vdev_blk = get_vu_block_device_by_server(server);
 +    BlockBackend *backend = vdev_blk->backend;
 +
 +    struct iovec *in_iov = elem->in_sg;
 +    struct iovec *out_iov = elem->out_sg;
 +    unsigned in_num = elem->in_num;
 +    unsigned out_num = elem->out_num;
 +    /* refer to hw/block/virtio_blk.c */
 +    if (elem->out_num < 1 || elem->in_num < 1) {
 +        error_report("virtio-blk request missing headers");
 +        free(elem);
 +        return;
 +    }
 +
-+    req = g_new0(VuBlockReq, 1);
++    trace_ufs_mmio_write(addr, data, size);
-+    req->server = server;
++    ufs_write_reg(u, addr, data, size);
-+    req->vq = vq;
++}
-+    req->elem = elem;
++
-+
++static const MemoryRegionOps ufs_mmio_ops = {
-+    if (unlikely(iov_to_buf(out_iov, out_num, 0, &req->out,
++    .read = ufs_mmio_read,
-+                            sizeof(req->out)) != sizeof(req->out))) {
++    .write = ufs_mmio_write,
-+        error_report("virtio-blk request outhdr too short");
++    .endianness = DEVICE_LITTLE_ENDIAN,
-+        goto err;
++    .impl = {
 +        .min_access_size = 4,
 +        .max_access_size = 4,
 +    },
 +};
 +
 +static bool ufs_check_constraints(UfsHc *u, Error **errp)
 +{
 +    if (u->params.nutrs > UFS_MAX_NUTRS) {
 +        error_setg(errp, "nutrs must be less than or equal to %d",
 +                   UFS_MAX_NUTRS);
 +        return false;
 +    }
 +
-+    iov_discard_front(&out_iov, &out_num, sizeof(req->out));
++    if (u->params.nutmrs > UFS_MAX_NUTMRS) {
-+
++        error_setg(errp, "nutmrs must be less than or equal to %d",
-+    if (in_iov[in_num - 1].iov_len < sizeof(struct virtio_blk_inhdr)) {
++                   UFS_MAX_NUTMRS);
-+        error_report("virtio-blk request inhdr too short");
++        return false;
 +        goto err;
 +    }
 +
-+    /* We always touch the last byte, so just see how big in_iov is.  */
++    return true;
 +    req->in = (void *)in_iov[in_num - 1].iov_base
 +              + in_iov[in_num - 1].iov_len
 +              - sizeof(struct virtio_blk_inhdr);
 +    iov_discard_back(in_iov, &in_num, sizeof(struct virtio_blk_inhdr));
 +
 +    type = le32_to_cpu(req->out.type);
 +    switch (type & ~VIRTIO_BLK_T_BARRIER) {
 +    case VIRTIO_BLK_T_IN:
 +    case VIRTIO_BLK_T_OUT: {
 +        ssize_t ret = 0;
 +        bool is_write = type & VIRTIO_BLK_T_OUT;
 +        req->sector_num = le64_to_cpu(req->out.sector);
 +
 +        int64_t offset = req->sector_num * vdev_blk->blk_size;
 +        QEMUIOVector qiov;
 +        if (is_write) {
 +            qemu_iovec_init_external(&qiov, out_iov, out_num);
 +            ret = blk_co_pwritev(backend, offset, qiov.size,
 +                                 &qiov, 0);
 +        } else {
 +            qemu_iovec_init_external(&qiov, in_iov, in_num);
 +            ret = blk_co_preadv(backend, offset, qiov.size,
 +                                &qiov, 0);
 +        }
 +        if (ret >= 0) {
 +            req->in->status = VIRTIO_BLK_S_OK;
 +        } else {
 +            req->in->status = VIRTIO_BLK_S_IOERR;
 +        }
 +        break;
 +    }
 +    case VIRTIO_BLK_T_FLUSH:
 +        vu_block_flush(req);
 +        req->in->status = VIRTIO_BLK_S_OK;
 +        break;
 +    case VIRTIO_BLK_T_GET_ID: {
 +        size_t size = MIN(iov_size(&elem->in_sg[0], in_num),
 +                          VIRTIO_BLK_ID_BYTES);
 +        snprintf(elem->in_sg[0].iov_base, size, "%s", "vhost_user_blk");
 +        req->in->status = VIRTIO_BLK_S_OK;
 +        req->size = elem->in_sg[0].iov_len;
 +        break;
 +    }
 +    case VIRTIO_BLK_T_DISCARD:
 +    case VIRTIO_BLK_T_WRITE_ZEROES: {
 +        int rc;
 +        rc = vu_block_discard_write_zeroes(req, &elem->out_sg[1],
 +                                           out_num, type);
 +        if (rc == 0) {
 +            req->in->status = VIRTIO_BLK_S_OK;
 +        } else {
 +            req->in->status = VIRTIO_BLK_S_IOERR;
 +        }
 +        break;
 +    }
 +    default:
 +        req->in->status = VIRTIO_BLK_S_UNSUPP;
 +        break;
 +    }
 +
 +    vu_block_req_complete(req);
 +    return;
 +
 +err:
 +    free(elem);
 +    g_free(req);
 +    return;
 +}
 +
-+static void vu_block_process_vq(VuDev *vu_dev, int idx)
++static void ufs_init_pci(UfsHc *u, PCIDevice *pci_dev)
 +{
-+    VuServer *server;
++    uint8_t *pci_conf = pci_dev->config;
-+    VuVirtq *vq;
++
-+    struct req_data *req_data;
++    pci_conf[PCI_INTERRUPT_PIN] = 1;
-+
++    pci_config_set_prog_interface(pci_conf, 0x1);
-+    server = container_of(vu_dev, VuServer, vu_dev);
++
-+    assert(server);
++    memory_region_init_io(&u->iomem, OBJECT(u), &ufs_mmio_ops, u, "ufs",
-+
++                          u->reg_size);
-+    vq = vu_get_queue(vu_dev, idx);
++    pci_register_bar(pci_dev, 0, PCI_BASE_ADDRESS_SPACE_MEMORY, &u->iomem);
-+    assert(vq);
++    u->irq = pci_allocate_irq(pci_dev);
 +    VuVirtqElement *elem;
 +    while (1) {
 +        elem = vu_queue_pop(vu_dev, vq, sizeof(VuVirtqElement) +
 +                                    sizeof(VuBlockReq));
 +        if (elem) {
 +            req_data = g_new0(struct req_data, 1);
 +            req_data->server = server;
 +            req_data->vq = vq;
 +            req_data->elem = elem;
 +            Coroutine *co = qemu_coroutine_create(vu_block_virtio_process_req,
 +                                                  req_data);
 +            aio_co_enter(server->ioc->ctx, co);
 +        } else {
 +            break;
 +        }
 +    }
 +}
 +
-+static void vu_block_queue_set_started(VuDev *vu_dev, int idx, bool started)
++static void ufs_init_hc(UfsHc *u)
 +{
-+    VuVirtq *vq;
++    uint32_t cap = 0;
 +
-+    assert(vu_dev);
++    u->reg_size = pow2ceil(sizeof(UfsReg));
 +
-+    vq = vu_get_queue(vu_dev, idx);
++    memset(&u->reg, 0, sizeof(u->reg));
-+    vu_set_queue_handler(vu_dev, vq, started ? vu_block_process_vq : NULL);
++    cap = FIELD_DP32(cap, CAP, NUTRS, (u->params.nutrs - 1));
 +    cap = FIELD_DP32(cap, CAP, RTT, 2);
 +    cap = FIELD_DP32(cap, CAP, NUTMRS, (u->params.nutmrs - 1));
 +    cap = FIELD_DP32(cap, CAP, AUTOH8, 0);
 +    cap = FIELD_DP32(cap, CAP, 64AS, 1);
 +    cap = FIELD_DP32(cap, CAP, OODDS, 0);
 +    cap = FIELD_DP32(cap, CAP, UICDMETMS, 0);
 +    cap = FIELD_DP32(cap, CAP, CS, 0);
 +    u->reg.cap = cap;
 +    u->reg.ver = UFS_SPEC_VER;
 +}
 +
-+static uint64_t vu_block_get_features(VuDev *dev)
++static void ufs_realize(PCIDevice *pci_dev, Error **errp)
 +{
-+    uint64_t features;
++    UfsHc *u = UFS(pci_dev);
-+    VuServer *server = container_of(dev, VuServer, vu_dev);
++
-+    VuBlockDev *vdev_blk = get_vu_block_device_by_server(server);
++    if (!ufs_check_constraints(u, errp)) {
 +    features = 1ull << VIRTIO_BLK_F_SIZE_MAX |
 +               1ull << VIRTIO_BLK_F_SEG_MAX |
 +               1ull << VIRTIO_BLK_F_TOPOLOGY |
 +               1ull << VIRTIO_BLK_F_BLK_SIZE |
 +               1ull << VIRTIO_BLK_F_FLUSH |
 +               1ull << VIRTIO_BLK_F_DISCARD |
 +               1ull << VIRTIO_BLK_F_WRITE_ZEROES |
 +               1ull << VIRTIO_BLK_F_CONFIG_WCE |
 +               1ull << VIRTIO_F_VERSION_1 |
 +               1ull << VIRTIO_RING_F_INDIRECT_DESC |
 +               1ull << VIRTIO_RING_F_EVENT_IDX |
 +               1ull << VHOST_USER_F_PROTOCOL_FEATURES;
 +
 +    if (!vdev_blk->writable) {
 +        features |= 1ull << VIRTIO_BLK_F_RO;
 +    }
 +
 +    return features;
 +}
 +
 +static uint64_t vu_block_get_protocol_features(VuDev *dev)
 +{
 +    return 1ull << VHOST_USER_PROTOCOL_F_CONFIG |
 +           1ull << VHOST_USER_PROTOCOL_F_INFLIGHT_SHMFD;
 +}
 +
 +static int
 +vu_block_get_config(VuDev *vu_dev, uint8_t *config, uint32_t len)
 +{
 +    VuServer *server = container_of(vu_dev, VuServer, vu_dev);
 +    VuBlockDev *vdev_blk = get_vu_block_device_by_server(server);
 +    memcpy(config, &vdev_blk->blkcfg, len);
 +
 +    return 0;
 +}
 +
 +static int
 +vu_block_set_config(VuDev *vu_dev, const uint8_t *data,
 +                    uint32_t offset, uint32_t size, uint32_t flags)
 +{
 +    VuServer *server = container_of(vu_dev, VuServer, vu_dev);
 +    VuBlockDev *vdev_blk = get_vu_block_device_by_server(server);
 +    uint8_t wce;
 +
 +    /* don't support live migration */
 +    if (flags != VHOST_SET_CONFIG_TYPE_MASTER) {
 +        return -EINVAL;
 +    }
 +
 +    if (offset != offsetof(struct virtio_blk_config, wce) ||
 +        size != 1) {
 +        return -EINVAL;
 +    }
 +
 +    wce = *data;
 +    vdev_blk->blkcfg.wce = wce;
 +    blk_set_enable_write_cache(vdev_blk->backend, wce);
 +    return 0;
 +}
 +
 +/*
 + * When the client disconnects, it sends a VHOST_USER_NONE request
 + * and vu_process_message will simple call exit which cause the VM
 + * to exit abruptly.
 + * To avoid this issue,  process VHOST_USER_NONE request ahead
 + * of vu_process_message.
 + *
 + */
 +static int vu_block_process_msg(VuDev *dev, VhostUserMsg *vmsg, int *do_reply)
 +{
 +    if (vmsg->request == VHOST_USER_NONE) {
 +        dev->panic(dev, "disconnect");
 +        return true;
 +    }
 +    return false;
 +}
 +
 +static const VuDevIface vu_block_iface = {
 +    .get_features          = vu_block_get_features,
 +    .queue_set_started     = vu_block_queue_set_started,
 +    .get_protocol_features = vu_block_get_protocol_features,
 +    .get_config            = vu_block_get_config,
 +    .set_config            = vu_block_set_config,
 +    .process_msg           = vu_block_process_msg,
 +};
 +
 +static void blk_aio_attached(AioContext *ctx, void *opaque)
 +{
 +    VuBlockDev *vub_dev = opaque;
 +    aio_context_acquire(ctx);
 +    vhost_user_server_set_aio_context(&vub_dev->vu_server, ctx);
 +    aio_context_release(ctx);
 +}
 +
 +static void blk_aio_detach(void *opaque)
 +{
 +    VuBlockDev *vub_dev = opaque;
 +    AioContext *ctx = vub_dev->vu_server.ctx;
 +    aio_context_acquire(ctx);
 +    vhost_user_server_set_aio_context(&vub_dev->vu_server, NULL);
 +    aio_context_release(ctx);
 +}
 +
 +static void
 +vu_block_initialize_config(BlockDriverState *bs,
 +                           struct virtio_blk_config *config, uint32_t blk_size)
 +{
 +    config->capacity = bdrv_getlength(bs) >> BDRV_SECTOR_BITS;
 +    config->blk_size = blk_size;
 +    config->size_max = 0;
 +    config->seg_max = 128 - 2;
 +    config->min_io_size = 1;
 +    config->opt_io_size = 1;
 +    config->num_queues = VHOST_USER_BLK_MAX_QUEUES;
 +    config->max_discard_sectors = 32768;
 +    config->max_discard_seg = 1;
 +    config->discard_sector_alignment = config->blk_size >> 9;
 +    config->max_write_zeroes_sectors = 32768;
 +    config->max_write_zeroes_seg = 1;
 +}
 +
 +static VuBlockDev *vu_block_init(VuBlockDev *vu_block_device, Error **errp)
 +{
 +
 +    BlockBackend *blk;
 +    Error *local_error = NULL;
 +    const char *node_name = vu_block_device->node_name;
 +    bool writable = vu_block_device->writable;
 +    uint64_t perm = BLK_PERM_CONSISTENT_READ;
 +    int ret;
 +
 +    AioContext *ctx;
 +
 +    BlockDriverState *bs = bdrv_lookup_bs(node_name, node_name, &local_error);
 +
 +    if (!bs) {
 +        error_propagate(errp, local_error);
 +        return NULL;
 +    }
 +
 +    if (bdrv_is_read_only(bs)) {
 +        writable = false;
 +    }
 +
 +    if (writable) {
 +        perm |= BLK_PERM_WRITE;
 +    }
 +
 +    ctx = bdrv_get_aio_context(bs);
 +    aio_context_acquire(ctx);
 +    bdrv_invalidate_cache(bs, NULL);
 +    aio_context_release(ctx);
 +
 +    /*
 +     * Don't allow resize while the vhost user server is running,
 +     * otherwise we don't care what happens with the node.
 +     */
 +    blk = blk_new(bdrv_get_aio_context(bs), perm,
 +                  BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE_UNCHANGED |
 +                  BLK_PERM_WRITE | BLK_PERM_GRAPH_MOD);
 +    ret = blk_insert_bs(blk, bs, errp);
 +
 +    if (ret < 0) {
 +        goto fail;
 +    }
 +
 +    blk_set_enable_write_cache(blk, false);
 +
 +    blk_set_allow_aio_context_change(blk, true);
 +
 +    vu_block_device->blkcfg.wce = 0;
 +    vu_block_device->backend = blk;
 +    if (!vu_block_device->blk_size) {
 +        vu_block_device->blk_size = BDRV_SECTOR_SIZE;
 +    }
 +    vu_block_device->blkcfg.blk_size = vu_block_device->blk_size;
 +    blk_set_guest_block_size(blk, vu_block_device->blk_size);
 +    vu_block_initialize_config(bs, &vu_block_device->blkcfg,
 +                                   vu_block_device->blk_size);
 +    return vu_block_device;
 +
 +fail:
 +    blk_unref(blk);
 +    return NULL;
 +}
 +
 +static void vu_block_deinit(VuBlockDev *vu_block_device)
 +{
 +    if (vu_block_device->backend) {
 +        blk_remove_aio_context_notifier(vu_block_device->backend, blk_aio_attached,
 +                                        blk_aio_detach, vu_block_device);
 +    }
 +
 +    blk_unref(vu_block_device->backend);
 +}
 +
 +static void vhost_user_blk_server_stop(VuBlockDev *vu_block_device)
 +{
 +    vhost_user_server_stop(&vu_block_device->vu_server);
 +    vu_block_deinit(vu_block_device);
 +}
 +
 +static void vhost_user_blk_server_start(VuBlockDev *vu_block_device,
 +                                        Error **errp)
 +{
 +    AioContext *ctx;
 +    SocketAddress *addr = vu_block_device->addr;
 +
 +    if (!vu_block_init(vu_block_device, errp)) {
 +        return;
 +    }
 +
-+    ctx = bdrv_get_aio_context(blk_bs(vu_block_device->backend));
++    ufs_init_hc(u);
-+
++    ufs_init_pci(u, pci_dev);
 +    if (!vhost_user_server_start(&vu_block_device->vu_server, addr, ctx,
 +                                 VHOST_USER_BLK_MAX_QUEUES,
 +                                 NULL, &vu_block_iface,
 +                                 errp)) {
 +        goto error;
 +    }
 +
 +    blk_add_aio_context_notifier(vu_block_device->backend, blk_aio_attached,
 +                                 blk_aio_detach, vu_block_device);
 +    vu_block_device->running = true;
 +    return;
 +
 + error:
 +    vu_block_deinit(vu_block_device);
 +}
 +
-+static bool vu_prop_modifiable(VuBlockDev *vus, Error **errp)
++static Property ufs_props[] = {
 +    DEFINE_PROP_STRING("serial", UfsHc, params.serial),
 +    DEFINE_PROP_UINT8("nutrs", UfsHc, params.nutrs, 32),
 +    DEFINE_PROP_UINT8("nutmrs", UfsHc, params.nutmrs, 8),
 +    DEFINE_PROP_END_OF_LIST(),
 +};
 +
 +static const VMStateDescription ufs_vmstate = {
 +    .name = "ufs",
 +    .unmigratable = 1,
 +};
 +
 +static void ufs_class_init(ObjectClass *oc, void *data)
 +{
-+    if (vus->running) {
++    DeviceClass *dc = DEVICE_CLASS(oc);
-+            error_setg(errp, "The property can't be modified "
++    PCIDeviceClass *pc = PCI_DEVICE_CLASS(oc);
-+                       "while the server is running");
++
-+            return false;
++    pc->realize = ufs_realize;
-+    }
++    pc->vendor_id = PCI_VENDOR_ID_REDHAT;
-+    return true;
++    pc->device_id = PCI_DEVICE_ID_REDHAT_UFS;
 +    pc->class_id = PCI_CLASS_STORAGE_UFS;
 +
 +    set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
 +    dc->desc = "Universal Flash Storage";
 +    device_class_set_props(dc, ufs_props);
 +    dc->vmsd = &ufs_vmstate;
 +}
 +
-+static void vu_set_node_name(Object *obj, const char *value, Error **errp)
++static const TypeInfo ufs_info = {
 +    .name = TYPE_UFS,
 +    .parent = TYPE_PCI_DEVICE,
 +    .class_init = ufs_class_init,
 +    .instance_size = sizeof(UfsHc),
 +    .interfaces = (InterfaceInfo[]){ { INTERFACE_PCIE_DEVICE }, {} },
 +};
 +
 +static void ufs_register_types(void)
 +{
-+    VuBlockDev *vus = VHOST_USER_BLK_SERVER(obj);
++    type_register_static(&ufs_info);
 +
 +    if (!vu_prop_modifiable(vus, errp)) {
 +        return;
 +    }
 +
 +    if (vus->node_name) {
 +        g_free(vus->node_name);
 +    }
 +
 +    vus->node_name = g_strdup(value);
 +}
 +
-+static char *vu_get_node_name(Object *obj, Error **errp)
++type_init(ufs_register_types)
-+{
+diff --git a/hw/Kconfig b/hw/Kconfig
 +    VuBlockDev *vus = VHOST_USER_BLK_SERVER(obj);
 +    return g_strdup(vus->node_name);
 +}
 +
 +static void free_socket_addr(SocketAddress *addr)
 +{
 +        g_free(addr->u.q_unix.path);
 +        g_free(addr);
 +}
 +
 +static void vu_set_unix_socket(Object *obj, const char *value,
 +                               Error **errp)
 +{
 +    VuBlockDev *vus = VHOST_USER_BLK_SERVER(obj);
 +
 +    if (!vu_prop_modifiable(vus, errp)) {
 +        return;
 +    }
 +
 +    if (vus->addr) {
 +        free_socket_addr(vus->addr);
 +    }
 +
 +    SocketAddress *addr = g_new0(SocketAddress, 1);
 +    addr->type = SOCKET_ADDRESS_TYPE_UNIX;
 +    addr->u.q_unix.path = g_strdup(value);
 +    vus->addr = addr;
 +}
 +
 +static char *vu_get_unix_socket(Object *obj, Error **errp)
 +{
 +    VuBlockDev *vus = VHOST_USER_BLK_SERVER(obj);
 +    return g_strdup(vus->addr->u.q_unix.path);
 +}
 +
 +static bool vu_get_block_writable(Object *obj, Error **errp)
 +{
 +    VuBlockDev *vus = VHOST_USER_BLK_SERVER(obj);
 +    return vus->writable;
 +}
 +
 +static void vu_set_block_writable(Object *obj, bool value, Error **errp)
 +{
 +    VuBlockDev *vus = VHOST_USER_BLK_SERVER(obj);
 +
 +    if (!vu_prop_modifiable(vus, errp)) {
 +            return;
 +    }
 +
 +    vus->writable = value;
 +}
 +
 +static void vu_get_blk_size(Object *obj, Visitor *v, const char *name,
 +                            void *opaque, Error **errp)
 +{
 +    VuBlockDev *vus = VHOST_USER_BLK_SERVER(obj);
 +    uint32_t value = vus->blk_size;
 +
 +    visit_type_uint32(v, name, &value, errp);
 +}
 +
 +static void vu_set_blk_size(Object *obj, Visitor *v, const char *name,
 +                            void *opaque, Error **errp)
 +{
 +    VuBlockDev *vus = VHOST_USER_BLK_SERVER(obj);
 +
 +    Error *local_err = NULL;
 +    uint32_t value;
 +
 +    if (!vu_prop_modifiable(vus, errp)) {
 +            return;
 +    }
 +
 +    visit_type_uint32(v, name, &value, &local_err);
 +    if (local_err) {
 +        goto out;
 +    }
 +
 +    check_block_size(object_get_typename(obj), name, value, &local_err);
 +    if (local_err) {
 +        goto out;
 +    }
 +
 +    vus->blk_size = value;
 +
 +out:
 +    error_propagate(errp, local_err);
 +}
 +
 +static void vhost_user_blk_server_instance_finalize(Object *obj)
 +{
 +    VuBlockDev *vub = VHOST_USER_BLK_SERVER(obj);
 +
 +    vhost_user_blk_server_stop(vub);
 +
 +    /*
 +     * Unlike object_property_add_str, object_class_property_add_str
 +     * doesn't have a release method. Thus manual memory freeing is
 +     * needed.
 +     */
 +    free_socket_addr(vub->addr);
 +    g_free(vub->node_name);
 +}
 +
 +static void vhost_user_blk_server_complete(UserCreatable *obj, Error **errp)
 +{
 +    VuBlockDev *vub = VHOST_USER_BLK_SERVER(obj);
 +
 +    vhost_user_blk_server_start(vub, errp);
 +}
 +
 +static void vhost_user_blk_server_class_init(ObjectClass *klass,
 +                                             void *class_data)
 +{
 +    UserCreatableClass *ucc = USER_CREATABLE_CLASS(klass);
 +    ucc->complete = vhost_user_blk_server_complete;
 +
 +    object_class_property_add_bool(klass, "writable",
 +                                   vu_get_block_writable,
 +                                   vu_set_block_writable);
 +
 +    object_class_property_add_str(klass, "node-name",
 +                                  vu_get_node_name,
 +                                  vu_set_node_name);
 +
 +    object_class_property_add_str(klass, "unix-socket",
 +                                  vu_get_unix_socket,
 +                                  vu_set_unix_socket);
 +
 +    object_class_property_add(klass, "logical-block-size", "uint32",
 +                              vu_get_blk_size, vu_set_blk_size,
 +                              NULL, NULL);
 +}
 +
 +static const TypeInfo vhost_user_blk_server_info = {
 +    .name = TYPE_VHOST_USER_BLK_SERVER,
 +    .parent = TYPE_OBJECT,
 +    .instance_size = sizeof(VuBlockDev),
 +    .instance_finalize = vhost_user_blk_server_instance_finalize,
 +    .class_init = vhost_user_blk_server_class_init,
 +    .interfaces = (InterfaceInfo[]) {
 +        {TYPE_USER_CREATABLE},
 +        {}
 +    },
 +};
 +
 +static void vhost_user_blk_server_register_types(void)
 +{
 +    type_register_static(&vhost_user_blk_server_info);
 +}
 +
 +type_init(vhost_user_blk_server_register_types)
 diff --git a/softmmu/vl.c b/softmmu/vl.c
 index XXXXXXX..XXXXXXX 100644
---- a/softmmu/vl.c
+--- a/hw/Kconfig
-+++ b/softmmu/vl.c
++++ b/hw/Kconfig
-@@ -XXX,XX +XXX,XX @@ static bool object_create_initial(const char *type, QemuOpts *opts)
+@@ -XXX,XX +XXX,XX @@ source smbios/Kconfig
-     }
+ source ssi/Kconfig
- #endif
+ source timer/Kconfig
+ source tpm/Kconfig
-+    /* Reason: vhost-user-blk-server property "node-name" */
++source ufs/Kconfig
-+    if (g_str_equal(type, "vhost-user-blk-server")) {
+ source usb/Kconfig
-+        return false;
+ source virtio/Kconfig
-+    }
+ source vfio/Kconfig
-     /*
+diff --git a/hw/meson.build b/hw/meson.build
       * Reason: filter-* property "netdev" etc.
       */
 diff --git a/block/meson.build b/block/meson.build
 index XXXXXXX..XXXXXXX 100644
---- a/block/meson.build
+--- a/hw/meson.build
-+++ b/block/meson.build
++++ b/hw/meson.build
-@@ -XXX,XX +XXX,XX @@ block_ss.add(when: 'CONFIG_WIN32', if_true: files('file-win32.c', 'win32-aio.c')
+@@ -XXX,XX +XXX,XX @@ subdir('smbios')
- block_ss.add(when: 'CONFIG_POSIX', if_true: [files('file-posix.c'), coref, iokit])
+ subdir('ssi')
- block_ss.add(when: 'CONFIG_LIBISCSI', if_true: files('iscsi-opts.c'))
+ subdir('timer')
- block_ss.add(when: 'CONFIG_LINUX', if_true: files('nvme.c'))
+ subdir('tpm')
-+block_ss.add(when: 'CONFIG_LINUX', if_true: files('export/vhost-user-blk-server.c', '../contrib/libvhost-user/libvhost-user.c'))
++subdir('ufs')
- block_ss.add(when: 'CONFIG_REPLICATION', if_true: files('replication.c'))
+ subdir('usb')
- block_ss.add(when: 'CONFIG_SHEEPDOG', if_true: files('sheepdog.c'))
+ subdir('vfio')
- block_ss.add(when: ['CONFIG_LINUX_AIO', libaio], if_true: files('linux-aio.c'))
+ subdir('virtio')
 diff --git a/hw/ufs/Kconfig b/hw/ufs/Kconfig
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/hw/ufs/Kconfig
@@ -XXX,XX +XXX,XX @@
 +config UFS_PCI
 +    bool
 +    default y if PCI_DEVICES
 +    depends on PCI
 diff --git a/hw/ufs/meson.build b/hw/ufs/meson.build
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/hw/ufs/meson.build
@@ -0,0 +1 @@
 +system_ss.add(when: 'CONFIG_UFS_PCI', if_true: files('ufs.c'))
 diff --git a/hw/ufs/trace-events b/hw/ufs/trace-events
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/hw/ufs/trace-events
@@ -XXX,XX +XXX,XX @@
 +# ufs.c
 +ufs_irq_raise(void) "INTx"
 +ufs_irq_lower(void) "INTx"
 +ufs_mmio_read(uint64_t addr, uint64_t data, unsigned size) "addr 0x%"PRIx64" data 0x%"PRIx64" size %d"
 +ufs_mmio_write(uint64_t addr, uint64_t data, unsigned size) "addr 0x%"PRIx64" data 0x%"PRIx64" size %d"
 +ufs_process_db(uint32_t slot) "UTRLDBR slot %"PRIu32""
 +ufs_process_req(uint32_t slot) "UTRLDBR slot %"PRIu32""
 +ufs_complete_req(uint32_t slot) "UTRLDBR slot %"PRIu32""
 +ufs_sendback_req(uint32_t slot) "UTRLDBR slot %"PRIu32""
 +ufs_exec_nop_cmd(uint32_t slot) "UTRLDBR slot %"PRIu32""
 +ufs_exec_scsi_cmd(uint32_t slot, uint8_t lun, uint8_t opcode) "slot %"PRIu32", lun 0x%"PRIx8", opcode 0x%"PRIx8""
 +ufs_exec_query_cmd(uint32_t slot, uint8_t opcode) "slot %"PRIu32", opcode 0x%"PRIx8""
 +ufs_process_uiccmd(uint32_t uiccmd, uint32_t ucmdarg1, uint32_t ucmdarg2, uint32_t ucmdarg3) "uiccmd 0x%"PRIx32", ucmdarg1 0x%"PRIx32", ucmdarg2 0x%"PRIx32", ucmdarg3 0x%"PRIx32""
 +
 +# error condition
 +ufs_err_dma_read_utrd(uint32_t slot, uint64_t addr) "failed to read utrd. UTRLDBR slot %"PRIu32", UTRD dma addr %"PRIu64""
 +ufs_err_dma_read_req_upiu(uint32_t slot, uint64_t addr) "failed to read req upiu. UTRLDBR slot %"PRIu32", request upiu addr %"PRIu64""
 +ufs_err_dma_read_prdt(uint32_t slot, uint64_t addr) "failed to read prdt. UTRLDBR slot %"PRIu32", prdt addr %"PRIu64""
 +ufs_err_dma_write_utrd(uint32_t slot, uint64_t addr) "failed to write utrd. UTRLDBR slot %"PRIu32", UTRD dma addr %"PRIu64""
 +ufs_err_dma_write_rsp_upiu(uint32_t slot, uint64_t addr) "failed to write rsp upiu. UTRLDBR slot %"PRIu32", response upiu addr %"PRIu64""
 +ufs_err_utrl_slot_busy(uint32_t slot) "UTRLDBR slot %"PRIu32" is busy"
 +ufs_err_unsupport_register_offset(uint32_t offset) "Register offset 0x%"PRIx32" is not yet supported"
 +ufs_err_invalid_register_offset(uint32_t offset) "Register offset 0x%"PRIx32" is invalid"
 +ufs_err_scsi_cmd_invalid_lun(uint8_t lun) "scsi command has invalid lun: 0x%"PRIx8""
 +ufs_err_query_flag_not_readable(uint8_t idn) "query flag idn 0x%"PRIx8" is denied to read"
 +ufs_err_query_flag_not_writable(uint8_t idn) "query flag idn 0x%"PRIx8" is denied to write"
 +ufs_err_query_attr_not_readable(uint8_t idn) "query attribute idn 0x%"PRIx8" is denied to read"
 +ufs_err_query_attr_not_writable(uint8_t idn) "query attribute idn 0x%"PRIx8" is denied to write"
 +ufs_err_query_invalid_opcode(uint8_t opcode) "query request has invalid opcode. opcode: 0x%"PRIx8""
 +ufs_err_query_invalid_idn(uint8_t opcode, uint8_t idn) "query request has invalid idn. opcode: 0x%"PRIx8", idn 0x%"PRIx8""
 +ufs_err_query_invalid_index(uint8_t opcode, uint8_t index) "query request has invalid index. opcode: 0x%"PRIx8", index 0x%"PRIx8""
 +ufs_err_invalid_trans_code(uint32_t slot, uint8_t trans_code) "request upiu has invalid transaction code. slot: %"PRIu32", trans_code: 0x%"PRIx8""
 --
-.26.2
+.41.0

-[PULL v2 15/28] util/vhost-user-server: rework vu_client_trip() coroutine lifecycle
+[PULL v2 2/8] hw/ufs: Support for Query Transfer Requests
-The vu_client_trip() coroutine is leaked during AioContext switching. It
+From: Jeuk Kim <jeuk20.kim@gmail.com>
 is also unsafe to destroy the vu_dev in panic_cb() since its callers
 still access it in some cases.
-Rework the lifecycle to solve these safety issues.
+This commit makes the UFS device support query
 and nop out transfer requests.
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+The next patch would be support for UFS logical
-Message-id: 20200924151549.913737-10-stefanha@redhat.com
+unit and scsi command transfer request.
 Signed-off-by: Jeuk Kim <jeuk20.kim@samsung.com>
 Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
 Message-id: d06b440d660872092f70af1b8167bd5f4704c957.1691062912.git.jeuk20.kim@samsung.com
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
- util/vhost-user-server.h             |  29 ++--
+ hw/ufs/ufs.h        |  46 +++
- block/export/vhost-user-blk-server.c |   9 +-
+ hw/ufs/ufs.c        | 980 +++++++++++++++++++++++++++++++++++++++++++-
- util/vhost-user-server.c             | 245 +++++++++++++++------------
+ hw/ufs/trace-events |   1 +
-files changed, 155 insertions(+), 128 deletions(-)
+files changed, 1025 insertions(+), 2 deletions(-)
-diff --git a/util/vhost-user-server.h b/util/vhost-user-server.h
+diff --git a/hw/ufs/ufs.h b/hw/ufs/ufs.h
 index XXXXXXX..XXXXXXX 100644
---- a/util/vhost-user-server.h
+--- a/hw/ufs/ufs.h
-+++ b/util/vhost-user-server.h
++++ b/hw/ufs/ufs.h
 @@ -XXX,XX +XXX,XX @@
- #include "qapi/error.h"
+ #define UFS_MAX_LUS 32
- #include "standard-headers/linux/virtio_blk.h"
+ #define UFS_BLOCK_SIZE 4096
-+/* A kick fd that we monitor on behalf of libvhost-user */
++typedef enum UfsRequestState {
- typedef struct VuFdWatch {
++    UFS_REQUEST_IDLE = 0,
-     VuDev *vu_dev;
++    UFS_REQUEST_READY = 1,
-     int fd; /*kick fd*/
++    UFS_REQUEST_RUNNING = 2,
-     void *pvt;
++    UFS_REQUEST_COMPLETE = 3,
-     vu_watch_cb cb;
++    UFS_REQUEST_ERROR = 4,
--    bool processing;
++} UfsRequestState;
-     QTAILQ_ENTRY(VuFdWatch) next;
++
- } VuFdWatch;
++typedef enum UfsReqResult {
++    UFS_REQUEST_SUCCESS = 0,
--typedef struct VuServer VuServer;
++    UFS_REQUEST_FAIL = 1,
--
++} UfsReqResult;
--struct VuServer {
++
-+/**
++typedef struct UfsRequest {
-+ * VuServer:
++    struct UfsHc *hc;
-+ * A vhost-user server instance with user-defined VuDevIface callbacks.
++    UfsRequestState state;
-+ * Vhost-user device backends can be implemented using VuServer. VuDevIface
++    int slot;
-+ * callbacks and virtqueue kicks run in the given AioContext.
++
-+ */
++    UtpTransferReqDesc utrd;
-+typedef struct {
++    UtpUpiuReq req_upiu;
-     QIONetListener *listener;
++    UtpUpiuRsp rsp_upiu;
-+    QEMUBH *restart_listener_bh;
++
-     AioContext *ctx;
++    /* for scsi command */
-     int max_queues;
++    QEMUSGList *sg;
-     const VuDevIface *vu_iface;
++} UfsRequest;
 +
-+    /* Protected by ctx lock */
+ typedef struct UfsParams {
-     VuDev vu_dev;
+     char *serial;
-     QIOChannel *ioc; /* The I/O channel with the client */
+     uint8_t nutrs; /* Number of UTP Transfer Request Slots */
-     QIOChannelSocket *sioc; /* The underlying data channel with the client */
+@@ -XXX,XX +XXX,XX @@ typedef struct UfsHc {
--    /* IOChannel for fd provided via VHOST_USER_SET_SLAVE_REQ_FD */
+     UfsReg reg;
--    QIOChannel *ioc_slave;
+     UfsParams params;
--    QIOChannelSocket *sioc_slave;
+     uint32_t reg_size;
--    Coroutine *co_trip; /* coroutine for processing VhostUserMsg */
++    UfsRequest *req_list;
-     QTAILQ_HEAD(, VuFdWatch) vu_fd_watches;
++
--    /* restart coroutine co_trip if AIOContext is changed */
++    DeviceDescriptor device_desc;
--    bool aio_context_changed;
++    GeometryDescriptor geometry_desc;
--    bool processing_msg;
++    Attributes attributes;
--};
++    Flags flags;
-+
-+    Coroutine *co_trip; /* coroutine for processing VhostUserMsg */
+     qemu_irq irq;
-+} VuServer;
+     QEMUBH *doorbell_bh;
+@@ -XXX,XX +XXX,XX @@ typedef struct UfsHc {
- bool vhost_user_server_start(VuServer *server,
+ #define TYPE_UFS "ufs"
-                              SocketAddress *unix_socket,
+ #define UFS(obj) OBJECT_CHECK(UfsHc, (obj), TYPE_UFS)
-@@ -XXX,XX +XXX,XX @@ bool vhost_user_server_start(VuServer *server,
++typedef enum UfsQueryFlagPerm {
- void vhost_user_server_stop(VuServer *server);
++    UFS_QUERY_FLAG_NONE = 0x0,
++    UFS_QUERY_FLAG_READ = 0x1,
--void vhost_user_server_set_aio_context(VuServer *server, AioContext *ctx);
++    UFS_QUERY_FLAG_SET = 0x2,
-+void vhost_user_server_attach_aio_context(VuServer *server, AioContext *ctx);
++    UFS_QUERY_FLAG_CLEAR = 0x4,
-+void vhost_user_server_detach_aio_context(VuServer *server);
++    UFS_QUERY_FLAG_TOGGLE = 0x8,
++} UfsQueryFlagPerm;
- #endif /* VHOST_USER_SERVER_H */
++
-diff --git a/block/export/vhost-user-blk-server.c b/block/export/vhost-user-blk-server.c
++typedef enum UfsQueryAttrPerm {
 +    UFS_QUERY_ATTR_NONE = 0x0,
 +    UFS_QUERY_ATTR_READ = 0x1,
 +    UFS_QUERY_ATTR_WRITE = 0x2,
 +} UfsQueryAttrPerm;
 +
  #endif /* HW_UFS_UFS_H */
 diff --git a/hw/ufs/ufs.c b/hw/ufs/ufs.c
 index XXXXXXX..XXXXXXX 100644
---- a/block/export/vhost-user-blk-server.c
+--- a/hw/ufs/ufs.c
-+++ b/block/export/vhost-user-blk-server.c
++++ b/hw/ufs/ufs.c
-@@ -XXX,XX +XXX,XX @@ static const VuDevIface vu_block_iface = {
+@@ -XXX,XX +XXX,XX @@
- static void blk_aio_attached(AioContext *ctx, void *opaque)
+ #include "ufs.h"
  /* The QEMU-UFS device follows spec version 3.1 */
 -#define UFS_SPEC_VER 0x00000310
 +#define UFS_SPEC_VER 0x0310
  #define UFS_MAX_NUTRS 32
  #define UFS_MAX_NUTMRS 8
 +static MemTxResult ufs_addr_read(UfsHc *u, hwaddr addr, void *buf, int size)
 +{
 +    hwaddr hi = addr + size - 1;
 +
 +    if (hi < addr) {
 +        return MEMTX_DECODE_ERROR;
 +    }
 +
 +    if (!FIELD_EX32(u->reg.cap, CAP, 64AS) && (hi >> 32)) {
 +        return MEMTX_DECODE_ERROR;
 +    }
 +
 +    return pci_dma_read(PCI_DEVICE(u), addr, buf, size);
 +}
 +
 +static MemTxResult ufs_addr_write(UfsHc *u, hwaddr addr, const void *buf,
 +                                  int size)
 +{
 +    hwaddr hi = addr + size - 1;
 +    if (hi < addr) {
 +        return MEMTX_DECODE_ERROR;
 +    }
 +
 +    if (!FIELD_EX32(u->reg.cap, CAP, 64AS) && (hi >> 32)) {
 +        return MEMTX_DECODE_ERROR;
 +    }
 +
 +    return pci_dma_write(PCI_DEVICE(u), addr, buf, size);
 +}
 +
 +static void ufs_complete_req(UfsRequest *req, UfsReqResult req_result);
 +
 +static inline hwaddr ufs_get_utrd_addr(UfsHc *u, uint32_t slot)
 +{
 +    hwaddr utrl_base_addr = (((hwaddr)u->reg.utrlbau) << 32) + u->reg.utrlba;
 +    hwaddr utrd_addr = utrl_base_addr + slot * sizeof(UtpTransferReqDesc);
 +
 +    return utrd_addr;
 +}
 +
 +static inline hwaddr ufs_get_req_upiu_base_addr(const UtpTransferReqDesc *utrd)
 +{
 +    uint32_t cmd_desc_base_addr_lo =
 +        le32_to_cpu(utrd->command_desc_base_addr_lo);
 +    uint32_t cmd_desc_base_addr_hi =
 +        le32_to_cpu(utrd->command_desc_base_addr_hi);
 +
 +    return (((hwaddr)cmd_desc_base_addr_hi) << 32) + cmd_desc_base_addr_lo;
 +}
 +
 +static inline hwaddr ufs_get_rsp_upiu_base_addr(const UtpTransferReqDesc *utrd)
 +{
 +    hwaddr req_upiu_base_addr = ufs_get_req_upiu_base_addr(utrd);
 +    uint32_t rsp_upiu_byte_off =
 +        le16_to_cpu(utrd->response_upiu_offset) * sizeof(uint32_t);
 +    return req_upiu_base_addr + rsp_upiu_byte_off;
 +}
 +
 +static MemTxResult ufs_dma_read_utrd(UfsRequest *req)
 +{
 +    UfsHc *u = req->hc;
 +    hwaddr utrd_addr = ufs_get_utrd_addr(u, req->slot);
 +    MemTxResult ret;
 +
 +    ret = ufs_addr_read(u, utrd_addr, &req->utrd, sizeof(req->utrd));
 +    if (ret) {
 +        trace_ufs_err_dma_read_utrd(req->slot, utrd_addr);
 +    }
 +    return ret;
 +}
 +
 +static MemTxResult ufs_dma_read_req_upiu(UfsRequest *req)
 +{
 +    UfsHc *u = req->hc;
 +    hwaddr req_upiu_base_addr = ufs_get_req_upiu_base_addr(&req->utrd);
 +    UtpUpiuReq *req_upiu = &req->req_upiu;
 +    uint32_t copy_size;
 +    uint16_t data_segment_length;
 +    MemTxResult ret;
 +
 +    /*
 +     * To know the size of the req_upiu, we need to read the
 +     * data_segment_length in the header first.
 +     */
 +    ret = ufs_addr_read(u, req_upiu_base_addr, &req_upiu->header,
 +                        sizeof(UtpUpiuHeader));
 +    if (ret) {
 +        trace_ufs_err_dma_read_req_upiu(req->slot, req_upiu_base_addr);
 +        return ret;
 +    }
 +    data_segment_length = be16_to_cpu(req_upiu->header.data_segment_length);
 +
 +    copy_size = sizeof(UtpUpiuHeader) + UFS_TRANSACTION_SPECIFIC_FIELD_SIZE +
 +                data_segment_length;
 +
 +    ret = ufs_addr_read(u, req_upiu_base_addr, &req->req_upiu, copy_size);
 +    if (ret) {
 +        trace_ufs_err_dma_read_req_upiu(req->slot, req_upiu_base_addr);
 +    }
 +    return ret;
 +}
 +
 +static MemTxResult ufs_dma_read_prdt(UfsRequest *req)
 +{
 +    UfsHc *u = req->hc;
 +    uint16_t prdt_len = le16_to_cpu(req->utrd.prd_table_length);
 +    uint16_t prdt_byte_off =
 +        le16_to_cpu(req->utrd.prd_table_offset) * sizeof(uint32_t);
 +    uint32_t prdt_size = prdt_len * sizeof(UfshcdSgEntry);
 +    g_autofree UfshcdSgEntry *prd_entries = NULL;
 +    hwaddr req_upiu_base_addr, prdt_base_addr;
 +    int err;
 +
 +    assert(!req->sg);
 +
 +    if (prdt_size == 0) {
 +        return MEMTX_OK;
 +    }
 +    prd_entries = g_new(UfshcdSgEntry, prdt_size);
 +
 +    req_upiu_base_addr = ufs_get_req_upiu_base_addr(&req->utrd);
 +    prdt_base_addr = req_upiu_base_addr + prdt_byte_off;
 +
 +    err = ufs_addr_read(u, prdt_base_addr, prd_entries, prdt_size);
 +    if (err) {
 +        trace_ufs_err_dma_read_prdt(req->slot, prdt_base_addr);
 +        return err;
 +    }
 +
 +    req->sg = g_malloc0(sizeof(QEMUSGList));
 +    pci_dma_sglist_init(req->sg, PCI_DEVICE(u), prdt_len);
 +
 +    for (uint16_t i = 0; i < prdt_len; ++i) {
 +        hwaddr data_dma_addr = le64_to_cpu(prd_entries[i].addr);
 +        uint32_t data_byte_count = le32_to_cpu(prd_entries[i].size) + 1;
 +        qemu_sglist_add(req->sg, data_dma_addr, data_byte_count);
 +    }
 +    return MEMTX_OK;
 +}
 +
 +static MemTxResult ufs_dma_read_upiu(UfsRequest *req)
 +{
 +    MemTxResult ret;
 +
 +    ret = ufs_dma_read_utrd(req);
 +    if (ret) {
 +        return ret;
 +    }
 +
 +    ret = ufs_dma_read_req_upiu(req);
 +    if (ret) {
 +        return ret;
 +    }
 +
 +    ret = ufs_dma_read_prdt(req);
 +    if (ret) {
 +        return ret;
 +    }
 +
 +    return 0;
 +}
 +
 +static MemTxResult ufs_dma_write_utrd(UfsRequest *req)
 +{
 +    UfsHc *u = req->hc;
 +    hwaddr utrd_addr = ufs_get_utrd_addr(u, req->slot);
 +    MemTxResult ret;
 +
 +    ret = ufs_addr_write(u, utrd_addr, &req->utrd, sizeof(req->utrd));
 +    if (ret) {
 +        trace_ufs_err_dma_write_utrd(req->slot, utrd_addr);
 +    }
 +    return ret;
 +}
 +
 +static MemTxResult ufs_dma_write_rsp_upiu(UfsRequest *req)
 +{
 +    UfsHc *u = req->hc;
 +    hwaddr rsp_upiu_base_addr = ufs_get_rsp_upiu_base_addr(&req->utrd);
 +    uint32_t rsp_upiu_byte_len =
 +        le16_to_cpu(req->utrd.response_upiu_length) * sizeof(uint32_t);
 +    uint16_t data_segment_length =
 +        be16_to_cpu(req->rsp_upiu.header.data_segment_length);
 +    uint32_t copy_size = sizeof(UtpUpiuHeader) +
 +                         UFS_TRANSACTION_SPECIFIC_FIELD_SIZE +
 +                         data_segment_length;
 +    MemTxResult ret;
 +
 +    if (copy_size > rsp_upiu_byte_len) {
 +        copy_size = rsp_upiu_byte_len;
 +    }
 +
 +    ret = ufs_addr_write(u, rsp_upiu_base_addr, &req->rsp_upiu, copy_size);
 +    if (ret) {
 +        trace_ufs_err_dma_write_rsp_upiu(req->slot, rsp_upiu_base_addr);
 +    }
 +    return ret;
 +}
 +
 +static MemTxResult ufs_dma_write_upiu(UfsRequest *req)
 +{
 +    MemTxResult ret;
 +
 +    ret = ufs_dma_write_rsp_upiu(req);
 +    if (ret) {
 +        return ret;
 +    }
 +
 +    return ufs_dma_write_utrd(req);
 +}
 +
  static void ufs_irq_check(UfsHc *u)
  {
-     VuBlockDev *vub_dev = opaque;
+     PCIDevice *pci = PCI_DEVICE(u);
--    aio_context_acquire(ctx);
+@@ -XXX,XX +XXX,XX @@ static void ufs_irq_check(UfsHc *u)
 -    vhost_user_server_set_aio_context(&vub_dev->vu_server, ctx);
 -    aio_context_release(ctx);
 +    vhost_user_server_attach_aio_context(&vub_dev->vu_server, ctx);
  }
  static void blk_aio_detach(void *opaque)
  {
      VuBlockDev *vub_dev = opaque;
 -    AioContext *ctx = vub_dev->vu_server.ctx;
 -    aio_context_acquire(ctx);
 -    vhost_user_server_set_aio_context(&vub_dev->vu_server, NULL);
 -    aio_context_release(ctx);
 +    vhost_user_server_detach_aio_context(&vub_dev->vu_server);
  }
  static void
 diff --git a/util/vhost-user-server.c b/util/vhost-user-server.c
 index XXXXXXX..XXXXXXX 100644
 --- a/util/vhost-user-server.c
 +++ b/util/vhost-user-server.c
@@ -XXX,XX +XXX,XX @@
   */
  #include "qemu/osdep.h"
  #include "qemu/main-loop.h"
 +#include "block/aio-wait.h"
  #include "vhost-user-server.h"
 +/*
 + * Theory of operation:
 + *
 + * VuServer is started and stopped by vhost_user_server_start() and
 + * vhost_user_server_stop() from the main loop thread. Starting the server
 + * opens a vhost-user UNIX domain socket and listens for incoming connections.
 + * Only one connection is allowed at a time.
 + *
 + * The connection is handled by the vu_client_trip() coroutine in the
 + * VuServer->ctx AioContext. The coroutine consists of a vu_dispatch() loop
 + * where libvhost-user calls vu_message_read() to receive the next vhost-user
 + * protocol messages over the UNIX domain socket.
 + *
 + * When virtqueues are set up libvhost-user calls set_watch() to monitor kick
 + * fds. These fds are also handled in the VuServer->ctx AioContext.
 + *
 + * Both vu_client_trip() and kick fd monitoring can be stopped by shutting down
 + * the socket connection. Shutting down the socket connection causes
 + * vu_message_read() to fail since no more data can be received from the socket.
 + * After vu_dispatch() fails, vu_client_trip() calls vu_deinit() to stop
 + * libvhost-user before terminating the coroutine. vu_deinit() calls
 + * remove_watch() to stop monitoring kick fds and this stops virtqueue
 + * processing.
 + *
 + * When vu_client_trip() has finished cleaning up it schedules a BH in the main
 + * loop thread to accept the next client connection.
 + *
 + * When libvhost-user detects an error it calls panic_cb() and sets the
 + * dev->broken flag. Both vu_client_trip() and kick fd processing stop when
 + * the dev->broken flag is set.
 + *
 + * It is possible to switch AioContexts using
 + * vhost_user_server_detach_aio_context() and
 + * vhost_user_server_attach_aio_context(). They stop monitoring fds in the old
 + * AioContext and resume monitoring in the new AioContext. The vu_client_trip()
 + * coroutine remains in a yielded state during the switch. This is made
 + * possible by QIOChannel's support for spurious coroutine re-entry in
 + * qio_channel_yield(). The coroutine will restart I/O when re-entered from the
 + * new AioContext.
 + */
 +
  static void vmsg_close_fds(VhostUserMsg *vmsg)
  {
      int i;
@@ -XXX,XX +XXX,XX @@ static void vmsg_unblock_fds(VhostUserMsg *vmsg)
      }
  }
--static void vu_accept(QIONetListener *listener, QIOChannelSocket *sioc,
++static void ufs_process_db(UfsHc *u, uint32_t val)
--                      gpointer opaque);
++{
--
++    uint32_t slot;
--static void close_client(VuServer *server)
++    uint32_t nutrs = u->params.nutrs;
--{
++    UfsRequest *req;
--    /*
++
--     * Before closing the client
++    val &= ~u->reg.utrldbr;
--     *
++    if (!val) {
--     * 1. Let vu_client_trip stop processing new vhost-user msg
++        return;
--     *
++    }
--     * 2. remove kick_handler
++
--     *
++    slot = find_first_bit((unsigned long *)&val, nutrs);
--     * 3. wait for the kick handler to be finished
++
--     *
++    while (slot < nutrs) {
--     * 4. wait for the current vhost-user msg to be finished processing
++        req = &u->req_list[slot];
--     */
++        if (req->state == UFS_REQUEST_ERROR) {
--
++            trace_ufs_err_utrl_slot_error(req->slot);
--    QIOChannelSocket *sioc = server->sioc;
++            return;
--    /* When this is set vu_client_trip will stop new processing vhost-user message */
++        }
--    server->sioc = NULL;
++
--
++        if (req->state != UFS_REQUEST_IDLE) {
--    while (server->processing_msg) {
++            trace_ufs_err_utrl_slot_busy(req->slot);
--        if (server->ioc->read_coroutine) {
++            return;
--            server->ioc->read_coroutine = NULL;
++        }
--            qio_channel_set_aio_fd_handler(server->ioc, server->ioc->ctx, NULL,
++
--                                           NULL, server->ioc);
++        trace_ufs_process_db(slot);
--            server->processing_msg = false;
++        req->state = UFS_REQUEST_READY;
--        }
++        slot = find_next_bit((unsigned long *)&val, nutrs, slot + 1);
--    }
++    }
--
++
--    vu_deinit(&server->vu_dev);
++    qemu_bh_schedule(u->doorbell_bh);
--
++}
--    /* vu_deinit() should have called remove_watch() */
++
--    assert(QTAILQ_EMPTY(&server->vu_fd_watches));
+ static void ufs_process_uiccmd(UfsHc *u, uint32_t val)
 -
 -    object_unref(OBJECT(sioc));
 -    object_unref(OBJECT(server->ioc));
 -}
 -
  static void panic_cb(VuDev *vu_dev, const char *buf)
  {
--    VuServer *server = container_of(vu_dev, VuServer, vu_dev);
+     trace_ufs_process_uiccmd(val, u->reg.ucmdarg1, u->reg.ucmdarg2,
--
+@@ -XXX,XX +XXX,XX @@ static void ufs_write_reg(UfsHc *u, hwaddr offset, uint32_t data, unsigned size)
--    /* avoid while loop in close_client */
+         u->reg.utrlbau = data;
--    server->processing_msg = false;
+         break;
--
+     case A_UTRLDBR:
--    if (buf) {
+-        /* Not yet supported */
--        error_report("vu_panic: %s", buf);
++        ufs_process_db(u, data);
--    }
++        u->reg.utrldbr |= data;
--
+         break;
--    if (server->sioc) {
+     case A_UTRLRSR:
--        close_client(server);
+         u->reg.utrlrsr = data;
--    }
+@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps ufs_mmio_ops = {
--
+     },
--    /*
+ };
--     * Set the callback function for network listener so another
--     * vhost-user client can connect to this server
++static void ufs_build_upiu_header(UfsRequest *req, uint8_t trans_type,
--     */
++                                  uint8_t flags, uint8_t response,
--    qio_net_listener_set_client_func(server->listener,
++                                  uint8_t scsi_status,
--                                     vu_accept,
++                                  uint16_t data_segment_length)
--                                     server,
++{
--                                     NULL);
++    memcpy(&req->rsp_upiu.header, &req->req_upiu.header, sizeof(UtpUpiuHeader));
-+    error_report("vu_panic: %s", buf);
++    req->rsp_upiu.header.trans_type = trans_type;
 +    req->rsp_upiu.header.flags = flags;
 +    req->rsp_upiu.header.response = response;
 +    req->rsp_upiu.header.scsi_status = scsi_status;
 +    req->rsp_upiu.header.data_segment_length = cpu_to_be16(data_segment_length);
 +}
 +
 +static UfsReqResult ufs_exec_nop_cmd(UfsRequest *req)
 +{
 +    trace_ufs_exec_nop_cmd(req->slot);
 +    ufs_build_upiu_header(req, UPIU_TRANSACTION_NOP_IN, 0, 0, 0, 0);
 +    return UFS_REQUEST_SUCCESS;
 +}
 +
 +/*
 + * This defines the permission of flags based on their IDN. There are some
 + * things that are declared read-only, which is inconsistent with the ufs spec,
 + * because we want to return an error for features that are not yet supported.
 + */
 +static const int flag_permission[QUERY_FLAG_IDN_COUNT] = {
 +    [QUERY_FLAG_IDN_FDEVICEINIT] = UFS_QUERY_FLAG_READ | UFS_QUERY_FLAG_SET,
 +    /* Write protection is not supported */
 +    [QUERY_FLAG_IDN_PERMANENT_WPE] = UFS_QUERY_FLAG_READ,
 +    [QUERY_FLAG_IDN_PWR_ON_WPE] = UFS_QUERY_FLAG_READ,
 +    [QUERY_FLAG_IDN_BKOPS_EN] = UFS_QUERY_FLAG_READ | UFS_QUERY_FLAG_SET |
 +                                UFS_QUERY_FLAG_CLEAR | UFS_QUERY_FLAG_TOGGLE,
 +    [QUERY_FLAG_IDN_LIFE_SPAN_MODE_ENABLE] =
 +        UFS_QUERY_FLAG_READ | UFS_QUERY_FLAG_SET | UFS_QUERY_FLAG_CLEAR |
 +        UFS_QUERY_FLAG_TOGGLE,
 +    /* Purge Operation is not supported */
 +    [QUERY_FLAG_IDN_PURGE_ENABLE] = UFS_QUERY_FLAG_NONE,
 +    /* Refresh Operation is not supported */
 +    [QUERY_FLAG_IDN_REFRESH_ENABLE] = UFS_QUERY_FLAG_NONE,
 +    /* Physical Resource Removal is not supported */
 +    [QUERY_FLAG_IDN_FPHYRESOURCEREMOVAL] = UFS_QUERY_FLAG_READ,
 +    [QUERY_FLAG_IDN_BUSY_RTC] = UFS_QUERY_FLAG_READ,
 +    [QUERY_FLAG_IDN_PERMANENTLY_DISABLE_FW_UPDATE] = UFS_QUERY_FLAG_READ,
 +    /* Write Booster is not supported */
 +    [QUERY_FLAG_IDN_WB_EN] = UFS_QUERY_FLAG_READ,
 +    [QUERY_FLAG_IDN_WB_BUFF_FLUSH_EN] = UFS_QUERY_FLAG_READ,
 +    [QUERY_FLAG_IDN_WB_BUFF_FLUSH_DURING_HIBERN8] = UFS_QUERY_FLAG_READ,
 +};
 +
 +static inline QueryRespCode ufs_flag_check_idn_valid(uint8_t idn, int op)
 +{
 +    if (idn >= QUERY_FLAG_IDN_COUNT) {
 +        return QUERY_RESULT_INVALID_IDN;
 +    }
 +
 +    if (!(flag_permission[idn] & op)) {
 +        if (op == UFS_QUERY_FLAG_READ) {
 +            trace_ufs_err_query_flag_not_readable(idn);
 +            return QUERY_RESULT_NOT_READABLE;
 +        }
 +        trace_ufs_err_query_flag_not_writable(idn);
 +        return QUERY_RESULT_NOT_WRITEABLE;
 +    }
 +
 +    return QUERY_RESULT_SUCCESS;
 +}
 +
 +static const int attr_permission[QUERY_ATTR_IDN_COUNT] = {
 +    /* booting is not supported */
 +    [QUERY_ATTR_IDN_BOOT_LU_EN] = UFS_QUERY_ATTR_READ,
 +    [QUERY_ATTR_IDN_POWER_MODE] = UFS_QUERY_ATTR_READ,
 +    [QUERY_ATTR_IDN_ACTIVE_ICC_LVL] =
 +        UFS_QUERY_ATTR_READ | UFS_QUERY_ATTR_WRITE,
 +    [QUERY_ATTR_IDN_OOO_DATA_EN] = UFS_QUERY_ATTR_READ,
 +    [QUERY_ATTR_IDN_BKOPS_STATUS] = UFS_QUERY_ATTR_READ,
 +    [QUERY_ATTR_IDN_PURGE_STATUS] = UFS_QUERY_ATTR_READ,
 +    [QUERY_ATTR_IDN_MAX_DATA_IN] = UFS_QUERY_ATTR_READ | UFS_QUERY_ATTR_WRITE,
 +    [QUERY_ATTR_IDN_MAX_DATA_OUT] = UFS_QUERY_ATTR_READ | UFS_QUERY_ATTR_WRITE,
 +    [QUERY_ATTR_IDN_DYN_CAP_NEEDED] = UFS_QUERY_ATTR_READ,
 +    [QUERY_ATTR_IDN_REF_CLK_FREQ] = UFS_QUERY_ATTR_READ | UFS_QUERY_ATTR_WRITE,
 +    [QUERY_ATTR_IDN_CONF_DESC_LOCK] = UFS_QUERY_ATTR_READ,
 +    [QUERY_ATTR_IDN_MAX_NUM_OF_RTT] =
 +        UFS_QUERY_ATTR_READ | UFS_QUERY_ATTR_WRITE,
 +    [QUERY_ATTR_IDN_EE_CONTROL] = UFS_QUERY_ATTR_READ | UFS_QUERY_ATTR_WRITE,
 +    [QUERY_ATTR_IDN_EE_STATUS] = UFS_QUERY_ATTR_READ,
 +    [QUERY_ATTR_IDN_SECONDS_PASSED] = UFS_QUERY_ATTR_WRITE,
 +    [QUERY_ATTR_IDN_CNTX_CONF] = UFS_QUERY_ATTR_READ,
 +    [QUERY_ATTR_IDN_FFU_STATUS] = UFS_QUERY_ATTR_READ,
 +    [QUERY_ATTR_IDN_PSA_STATE] = UFS_QUERY_ATTR_READ | UFS_QUERY_ATTR_WRITE,
 +    [QUERY_ATTR_IDN_PSA_DATA_SIZE] = UFS_QUERY_ATTR_READ | UFS_QUERY_ATTR_WRITE,
 +    [QUERY_ATTR_IDN_REF_CLK_GATING_WAIT_TIME] = UFS_QUERY_ATTR_READ,
 +    [QUERY_ATTR_IDN_CASE_ROUGH_TEMP] = UFS_QUERY_ATTR_READ,
 +    [QUERY_ATTR_IDN_HIGH_TEMP_BOUND] = UFS_QUERY_ATTR_READ,
 +    [QUERY_ATTR_IDN_LOW_TEMP_BOUND] = UFS_QUERY_ATTR_READ,
 +    [QUERY_ATTR_IDN_THROTTLING_STATUS] = UFS_QUERY_ATTR_READ,
 +    [QUERY_ATTR_IDN_WB_FLUSH_STATUS] = UFS_QUERY_ATTR_READ,
 +    [QUERY_ATTR_IDN_AVAIL_WB_BUFF_SIZE] = UFS_QUERY_ATTR_READ,
 +    [QUERY_ATTR_IDN_WB_BUFF_LIFE_TIME_EST] = UFS_QUERY_ATTR_READ,
 +    [QUERY_ATTR_IDN_CURR_WB_BUFF_SIZE] = UFS_QUERY_ATTR_READ,
 +    /* refresh operation is not supported */
 +    [QUERY_ATTR_IDN_REFRESH_STATUS] = UFS_QUERY_ATTR_READ,
 +    [QUERY_ATTR_IDN_REFRESH_FREQ] = UFS_QUERY_ATTR_READ,
 +    [QUERY_ATTR_IDN_REFRESH_UNIT] = UFS_QUERY_ATTR_READ,
 +};
 +
 +static inline QueryRespCode ufs_attr_check_idn_valid(uint8_t idn, int op)
 +{
 +    if (idn >= QUERY_ATTR_IDN_COUNT) {
 +        return QUERY_RESULT_INVALID_IDN;
 +    }
 +
 +    if (!(attr_permission[idn] & op)) {
 +        if (op == UFS_QUERY_ATTR_READ) {
 +            trace_ufs_err_query_attr_not_readable(idn);
 +            return QUERY_RESULT_NOT_READABLE;
 +        }
 +        trace_ufs_err_query_attr_not_writable(idn);
 +        return QUERY_RESULT_NOT_WRITEABLE;
 +    }
 +
 +    return QUERY_RESULT_SUCCESS;
 +}
 +
 +static QueryRespCode ufs_exec_query_flag(UfsRequest *req, int op)
 +{
 +    UfsHc *u = req->hc;
 +    uint8_t idn = req->req_upiu.qr.idn;
 +    uint32_t value;
 +    QueryRespCode ret;
 +
 +    ret = ufs_flag_check_idn_valid(idn, op);
 +    if (ret) {
 +        return ret;
 +    }
 +
 +    if (idn == QUERY_FLAG_IDN_FDEVICEINIT) {
 +        value = 0;
 +    } else if (op == UFS_QUERY_FLAG_READ) {
 +        value = *(((uint8_t *)&u->flags) + idn);
 +    } else if (op == UFS_QUERY_FLAG_SET) {
 +        value = 1;
 +    } else if (op == UFS_QUERY_FLAG_CLEAR) {
 +        value = 0;
 +    } else if (op == UFS_QUERY_FLAG_TOGGLE) {
 +        value = *(((uint8_t *)&u->flags) + idn);
 +        value = !value;
 +    } else {
 +        trace_ufs_err_query_invalid_opcode(op);
 +        return QUERY_RESULT_INVALID_OPCODE;
 +    }
 +
 +    *(((uint8_t *)&u->flags) + idn) = value;
 +    req->rsp_upiu.qr.value = cpu_to_be32(value);
 +    return QUERY_RESULT_SUCCESS;
 +}
 +
 +static uint32_t ufs_read_attr_value(UfsHc *u, uint8_t idn)
 +{
 +    switch (idn) {
 +    case QUERY_ATTR_IDN_BOOT_LU_EN:
 +        return u->attributes.boot_lun_en;
 +    case QUERY_ATTR_IDN_POWER_MODE:
 +        return u->attributes.current_power_mode;
 +    case QUERY_ATTR_IDN_ACTIVE_ICC_LVL:
 +        return u->attributes.active_icc_level;
 +    case QUERY_ATTR_IDN_OOO_DATA_EN:
 +        return u->attributes.out_of_order_data_en;
 +    case QUERY_ATTR_IDN_BKOPS_STATUS:
 +        return u->attributes.background_op_status;
 +    case QUERY_ATTR_IDN_PURGE_STATUS:
 +        return u->attributes.purge_status;
 +    case QUERY_ATTR_IDN_MAX_DATA_IN:
 +        return u->attributes.max_data_in_size;
 +    case QUERY_ATTR_IDN_MAX_DATA_OUT:
 +        return u->attributes.max_data_out_size;
 +    case QUERY_ATTR_IDN_DYN_CAP_NEEDED:
 +        return be32_to_cpu(u->attributes.dyn_cap_needed);
 +    case QUERY_ATTR_IDN_REF_CLK_FREQ:
 +        return u->attributes.ref_clk_freq;
 +    case QUERY_ATTR_IDN_CONF_DESC_LOCK:
 +        return u->attributes.config_descr_lock;
 +    case QUERY_ATTR_IDN_MAX_NUM_OF_RTT:
 +        return u->attributes.max_num_of_rtt;
 +    case QUERY_ATTR_IDN_EE_CONTROL:
 +        return be16_to_cpu(u->attributes.exception_event_control);
 +    case QUERY_ATTR_IDN_EE_STATUS:
 +        return be16_to_cpu(u->attributes.exception_event_status);
 +    case QUERY_ATTR_IDN_SECONDS_PASSED:
 +        return be32_to_cpu(u->attributes.seconds_passed);
 +    case QUERY_ATTR_IDN_CNTX_CONF:
 +        return be16_to_cpu(u->attributes.context_conf);
 +    case QUERY_ATTR_IDN_FFU_STATUS:
 +        return u->attributes.device_ffu_status;
 +    case QUERY_ATTR_IDN_PSA_STATE:
 +        return be32_to_cpu(u->attributes.psa_state);
 +    case QUERY_ATTR_IDN_PSA_DATA_SIZE:
 +        return be32_to_cpu(u->attributes.psa_data_size);
 +    case QUERY_ATTR_IDN_REF_CLK_GATING_WAIT_TIME:
 +        return u->attributes.ref_clk_gating_wait_time;
 +    case QUERY_ATTR_IDN_CASE_ROUGH_TEMP:
 +        return u->attributes.device_case_rough_temperaure;
 +    case QUERY_ATTR_IDN_HIGH_TEMP_BOUND:
 +        return u->attributes.device_too_high_temp_boundary;
 +    case QUERY_ATTR_IDN_LOW_TEMP_BOUND:
 +        return u->attributes.device_too_low_temp_boundary;
 +    case QUERY_ATTR_IDN_THROTTLING_STATUS:
 +        return u->attributes.throttling_status;
 +    case QUERY_ATTR_IDN_WB_FLUSH_STATUS:
 +        return u->attributes.wb_buffer_flush_status;
 +    case QUERY_ATTR_IDN_AVAIL_WB_BUFF_SIZE:
 +        return u->attributes.available_wb_buffer_size;
 +    case QUERY_ATTR_IDN_WB_BUFF_LIFE_TIME_EST:
 +        return u->attributes.wb_buffer_life_time_est;
 +    case QUERY_ATTR_IDN_CURR_WB_BUFF_SIZE:
 +        return be32_to_cpu(u->attributes.current_wb_buffer_size);
 +    case QUERY_ATTR_IDN_REFRESH_STATUS:
 +        return u->attributes.refresh_status;
 +    case QUERY_ATTR_IDN_REFRESH_FREQ:
 +        return u->attributes.refresh_freq;
 +    case QUERY_ATTR_IDN_REFRESH_UNIT:
 +        return u->attributes.refresh_unit;
 +    }
 +    return 0;
 +}
 +
 +static void ufs_write_attr_value(UfsHc *u, uint8_t idn, uint32_t value)
 +{
 +    switch (idn) {
 +    case QUERY_ATTR_IDN_ACTIVE_ICC_LVL:
 +        u->attributes.active_icc_level = value;
 +        break;
 +    case QUERY_ATTR_IDN_MAX_DATA_IN:
 +        u->attributes.max_data_in_size = value;
 +        break;
 +    case QUERY_ATTR_IDN_MAX_DATA_OUT:
 +        u->attributes.max_data_out_size = value;
 +        break;
 +    case QUERY_ATTR_IDN_REF_CLK_FREQ:
 +        u->attributes.ref_clk_freq = value;
 +        break;
 +    case QUERY_ATTR_IDN_MAX_NUM_OF_RTT:
 +        u->attributes.max_num_of_rtt = value;
 +        break;
 +    case QUERY_ATTR_IDN_EE_CONTROL:
 +        u->attributes.exception_event_control = cpu_to_be16(value);
 +        break;
 +    case QUERY_ATTR_IDN_SECONDS_PASSED:
 +        u->attributes.seconds_passed = cpu_to_be32(value);
 +        break;
 +    case QUERY_ATTR_IDN_PSA_STATE:
 +        u->attributes.psa_state = value;
 +        break;
 +    case QUERY_ATTR_IDN_PSA_DATA_SIZE:
 +        u->attributes.psa_data_size = cpu_to_be32(value);
 +        break;
 +    }
 +}
 +
 +static QueryRespCode ufs_exec_query_attr(UfsRequest *req, int op)
 +{
 +    UfsHc *u = req->hc;
 +    uint8_t idn = req->req_upiu.qr.idn;
 +    uint32_t value;
 +    QueryRespCode ret;
 +
 +    ret = ufs_attr_check_idn_valid(idn, op);
 +    if (ret) {
 +        return ret;
 +    }
 +
 +    if (op == UFS_QUERY_ATTR_READ) {
 +        value = ufs_read_attr_value(u, idn);
 +    } else {
 +        value = be32_to_cpu(req->req_upiu.qr.value);
 +        ufs_write_attr_value(u, idn, value);
 +    }
 +
 +    req->rsp_upiu.qr.value = cpu_to_be32(value);
 +    return QUERY_RESULT_SUCCESS;
 +}
 +
 +static const RpmbUnitDescriptor rpmb_unit_desc = {
 +    .length = sizeof(RpmbUnitDescriptor),
 +    .descriptor_idn = 2,
 +    .unit_index = UFS_UPIU_RPMB_WLUN,
 +    .lu_enable = 0,
 +};
 +
 +static QueryRespCode ufs_read_unit_desc(UfsRequest *req)
 +{
 +    uint8_t lun = req->req_upiu.qr.index;
 +
 +    if (lun != UFS_UPIU_RPMB_WLUN && lun > UFS_MAX_LUS) {
 +        trace_ufs_err_query_invalid_index(req->req_upiu.qr.opcode, lun);
 +        return QUERY_RESULT_INVALID_INDEX;
 +    }
 +
 +    if (lun == UFS_UPIU_RPMB_WLUN) {
 +        memcpy(&req->rsp_upiu.qr.data, &rpmb_unit_desc, rpmb_unit_desc.length);
 +    } else {
 +        /* unit descriptor is not yet supported */
 +        return QUERY_RESULT_INVALID_INDEX;
 +    }
 +
 +    return QUERY_RESULT_SUCCESS;
 +}
 +
 +static inline StringDescriptor manufacturer_str_desc(void)
 +{
 +    StringDescriptor desc = {
 +        .length = 0x12,
 +        .descriptor_idn = QUERY_DESC_IDN_STRING,
 +    };
 +    desc.UC[0] = cpu_to_be16('R');
 +    desc.UC[1] = cpu_to_be16('E');
 +    desc.UC[2] = cpu_to_be16('D');
 +    desc.UC[3] = cpu_to_be16('H');
 +    desc.UC[4] = cpu_to_be16('A');
 +    desc.UC[5] = cpu_to_be16('T');
 +    return desc;
 +}
 +
 +static inline StringDescriptor product_name_str_desc(void)
 +{
 +    StringDescriptor desc = {
 +        .length = 0x22,
 +        .descriptor_idn = QUERY_DESC_IDN_STRING,
 +    };
 +    desc.UC[0] = cpu_to_be16('Q');
 +    desc.UC[1] = cpu_to_be16('E');
 +    desc.UC[2] = cpu_to_be16('M');
 +    desc.UC[3] = cpu_to_be16('U');
 +    desc.UC[4] = cpu_to_be16(' ');
 +    desc.UC[5] = cpu_to_be16('U');
 +    desc.UC[6] = cpu_to_be16('F');
 +    desc.UC[7] = cpu_to_be16('S');
 +    return desc;
 +}
 +
 +static inline StringDescriptor product_rev_level_str_desc(void)
 +{
 +    StringDescriptor desc = {
 +        .length = 0x0a,
 +        .descriptor_idn = QUERY_DESC_IDN_STRING,
 +    };
 +    desc.UC[0] = cpu_to_be16('0');
 +    desc.UC[1] = cpu_to_be16('0');
 +    desc.UC[2] = cpu_to_be16('0');
 +    desc.UC[3] = cpu_to_be16('1');
 +    return desc;
 +}
 +
 +static const StringDescriptor null_str_desc = {
 +    .length = 0x02,
 +    .descriptor_idn = QUERY_DESC_IDN_STRING,
 +};
 +
 +static QueryRespCode ufs_read_string_desc(UfsRequest *req)
 +{
 +    UfsHc *u = req->hc;
 +    uint8_t index = req->req_upiu.qr.index;
 +    StringDescriptor desc;
 +
 +    if (index == u->device_desc.manufacturer_name) {
 +        desc = manufacturer_str_desc();
 +        memcpy(&req->rsp_upiu.qr.data, &desc, desc.length);
 +    } else if (index == u->device_desc.product_name) {
 +        desc = product_name_str_desc();
 +        memcpy(&req->rsp_upiu.qr.data, &desc, desc.length);
 +    } else if (index == u->device_desc.serial_number) {
 +        memcpy(&req->rsp_upiu.qr.data, &null_str_desc, null_str_desc.length);
 +    } else if (index == u->device_desc.oem_id) {
 +        memcpy(&req->rsp_upiu.qr.data, &null_str_desc, null_str_desc.length);
 +    } else if (index == u->device_desc.product_revision_level) {
 +        desc = product_rev_level_str_desc();
 +        memcpy(&req->rsp_upiu.qr.data, &desc, desc.length);
 +    } else {
 +        trace_ufs_err_query_invalid_index(req->req_upiu.qr.opcode, index);
 +        return QUERY_RESULT_INVALID_INDEX;
 +    }
 +    return QUERY_RESULT_SUCCESS;
 +}
 +
 +static inline InterconnectDescriptor interconnect_desc(void)
 +{
 +    InterconnectDescriptor desc = {
 +        .length = sizeof(InterconnectDescriptor),
 +        .descriptor_idn = QUERY_DESC_IDN_INTERCONNECT,
 +    };
 +    desc.bcd_unipro_version = cpu_to_be16(0x180);
 +    desc.bcd_mphy_version = cpu_to_be16(0x410);
 +    return desc;
 +}
 +
 +static QueryRespCode ufs_read_desc(UfsRequest *req)
 +{
 +    UfsHc *u = req->hc;
 +    QueryRespCode status;
 +    uint8_t idn = req->req_upiu.qr.idn;
 +    uint16_t length = be16_to_cpu(req->req_upiu.qr.length);
 +    InterconnectDescriptor desc;
 +
 +    switch (idn) {
 +    case QUERY_DESC_IDN_DEVICE:
 +        memcpy(&req->rsp_upiu.qr.data, &u->device_desc, sizeof(u->device_desc));
 +        status = QUERY_RESULT_SUCCESS;
 +        break;
 +    case QUERY_DESC_IDN_UNIT:
 +        status = ufs_read_unit_desc(req);
 +        break;
 +    case QUERY_DESC_IDN_GEOMETRY:
 +        memcpy(&req->rsp_upiu.qr.data, &u->geometry_desc,
 +               sizeof(u->geometry_desc));
 +        status = QUERY_RESULT_SUCCESS;
 +        break;
 +    case QUERY_DESC_IDN_INTERCONNECT: {
 +        desc = interconnect_desc();
 +        memcpy(&req->rsp_upiu.qr.data, &desc, sizeof(InterconnectDescriptor));
 +        status = QUERY_RESULT_SUCCESS;
 +        break;
 +    }
 +    case QUERY_DESC_IDN_STRING:
 +        status = ufs_read_string_desc(req);
 +        break;
 +    case QUERY_DESC_IDN_POWER:
 +        /* mocking of power descriptor is not supported */
 +        memset(&req->rsp_upiu.qr.data, 0, sizeof(PowerParametersDescriptor));
 +        req->rsp_upiu.qr.data[0] = sizeof(PowerParametersDescriptor);
 +        req->rsp_upiu.qr.data[1] = QUERY_DESC_IDN_POWER;
 +        status = QUERY_RESULT_SUCCESS;
 +        break;
 +    case QUERY_DESC_IDN_HEALTH:
 +        /* mocking of health descriptor is not supported */
 +        memset(&req->rsp_upiu.qr.data, 0, sizeof(DeviceHealthDescriptor));
 +        req->rsp_upiu.qr.data[0] = sizeof(DeviceHealthDescriptor);
 +        req->rsp_upiu.qr.data[1] = QUERY_DESC_IDN_HEALTH;
 +        status = QUERY_RESULT_SUCCESS;
 +        break;
 +    default:
 +        length = 0;
 +        trace_ufs_err_query_invalid_idn(req->req_upiu.qr.opcode, idn);
 +        status = QUERY_RESULT_INVALID_IDN;
 +    }
 +
 +    if (length > req->rsp_upiu.qr.data[0]) {
 +        length = req->rsp_upiu.qr.data[0];
 +    }
 +    req->rsp_upiu.qr.opcode = req->req_upiu.qr.opcode;
 +    req->rsp_upiu.qr.idn = req->req_upiu.qr.idn;
 +    req->rsp_upiu.qr.index = req->req_upiu.qr.index;
 +    req->rsp_upiu.qr.selector = req->req_upiu.qr.selector;
 +    req->rsp_upiu.qr.length = cpu_to_be16(length);
 +
 +    return status;
 +}
 +
 +static QueryRespCode ufs_exec_query_read(UfsRequest *req)
 +{
 +    QueryRespCode status;
 +    switch (req->req_upiu.qr.opcode) {
 +    case UPIU_QUERY_OPCODE_NOP:
 +        status = QUERY_RESULT_SUCCESS;
 +        break;
 +    case UPIU_QUERY_OPCODE_READ_DESC:
 +        status = ufs_read_desc(req);
 +        break;
 +    case UPIU_QUERY_OPCODE_READ_ATTR:
 +        status = ufs_exec_query_attr(req, UFS_QUERY_ATTR_READ);
 +        break;
 +    case UPIU_QUERY_OPCODE_READ_FLAG:
 +        status = ufs_exec_query_flag(req, UFS_QUERY_FLAG_READ);
 +        break;
 +    default:
 +        trace_ufs_err_query_invalid_opcode(req->req_upiu.qr.opcode);
 +        status = QUERY_RESULT_INVALID_OPCODE;
 +        break;
 +    }
 +
 +    return status;
 +}
 +
 +static QueryRespCode ufs_exec_query_write(UfsRequest *req)
 +{
 +    QueryRespCode status;
 +    switch (req->req_upiu.qr.opcode) {
 +    case UPIU_QUERY_OPCODE_NOP:
 +        status = QUERY_RESULT_SUCCESS;
 +        break;
 +    case UPIU_QUERY_OPCODE_WRITE_DESC:
 +        /* write descriptor is not supported */
 +        status = QUERY_RESULT_NOT_WRITEABLE;
 +        break;
 +    case UPIU_QUERY_OPCODE_WRITE_ATTR:
 +        status = ufs_exec_query_attr(req, UFS_QUERY_ATTR_WRITE);
 +        break;
 +    case UPIU_QUERY_OPCODE_SET_FLAG:
 +        status = ufs_exec_query_flag(req, UFS_QUERY_FLAG_SET);
 +        break;
 +    case UPIU_QUERY_OPCODE_CLEAR_FLAG:
 +        status = ufs_exec_query_flag(req, UFS_QUERY_FLAG_CLEAR);
 +        break;
 +    case UPIU_QUERY_OPCODE_TOGGLE_FLAG:
 +        status = ufs_exec_query_flag(req, UFS_QUERY_FLAG_TOGGLE);
 +        break;
 +    default:
 +        trace_ufs_err_query_invalid_opcode(req->req_upiu.qr.opcode);
 +        status = QUERY_RESULT_INVALID_OPCODE;
 +        break;
 +    }
 +
 +    return status;
 +}
 +
 +static UfsReqResult ufs_exec_query_cmd(UfsRequest *req)
 +{
 +    uint8_t query_func = req->req_upiu.header.query_func;
 +    uint16_t data_segment_length;
 +    QueryRespCode status;
 +
 +    trace_ufs_exec_query_cmd(req->slot, req->req_upiu.qr.opcode);
 +    if (query_func == UPIU_QUERY_FUNC_STANDARD_READ_REQUEST) {
 +        status = ufs_exec_query_read(req);
 +    } else if (query_func == UPIU_QUERY_FUNC_STANDARD_WRITE_REQUEST) {
 +        status = ufs_exec_query_write(req);
 +    } else {
 +        status = QUERY_RESULT_GENERAL_FAILURE;
 +    }
 +
 +    data_segment_length = be16_to_cpu(req->rsp_upiu.qr.length);
 +    ufs_build_upiu_header(req, UPIU_TRANSACTION_QUERY_RSP, 0, status, 0,
 +                          data_segment_length);
 +
 +    if (status != QUERY_RESULT_SUCCESS) {
 +        return UFS_REQUEST_FAIL;
 +    }
 +    return UFS_REQUEST_SUCCESS;
 +}
 +
 +static void ufs_exec_req(UfsRequest *req)
 +{
 +    UfsReqResult req_result;
 +
 +    if (ufs_dma_read_upiu(req)) {
 +        return;
 +    }
 +
 +    switch (req->req_upiu.header.trans_type) {
 +    case UPIU_TRANSACTION_NOP_OUT:
 +        req_result = ufs_exec_nop_cmd(req);
 +        break;
 +    case UPIU_TRANSACTION_COMMAND:
 +        /* Not yet implemented */
 +        req_result = UFS_REQUEST_FAIL;
 +        break;
 +    case UPIU_TRANSACTION_QUERY_REQ:
 +        req_result = ufs_exec_query_cmd(req);
 +        break;
 +    default:
 +        trace_ufs_err_invalid_trans_code(req->slot,
 +                                         req->req_upiu.header.trans_type);
 +        req_result = UFS_REQUEST_FAIL;
 +    }
 +
 +    ufs_complete_req(req, req_result);
 +}
 +
 +static void ufs_process_req(void *opaque)
 +{
 +    UfsHc *u = opaque;
 +    UfsRequest *req;
 +    int slot;
 +
 +    for (slot = 0; slot < u->params.nutrs; slot++) {
 +        req = &u->req_list[slot];
 +
 +        if (req->state != UFS_REQUEST_READY) {
 +            continue;
 +        }
 +        trace_ufs_process_req(slot);
 +        req->state = UFS_REQUEST_RUNNING;
 +
 +        ufs_exec_req(req);
 +    }
 +}
 +
 +static void ufs_complete_req(UfsRequest *req, UfsReqResult req_result)
 +{
 +    UfsHc *u = req->hc;
 +    assert(req->state == UFS_REQUEST_RUNNING);
 +
 +    if (req_result == UFS_REQUEST_SUCCESS) {
 +        req->utrd.header.dword_2 = cpu_to_le32(OCS_SUCCESS);
 +    } else {
 +        req->utrd.header.dword_2 = cpu_to_le32(OCS_INVALID_CMD_TABLE_ATTR);
 +    }
 +
 +    trace_ufs_complete_req(req->slot);
 +    req->state = UFS_REQUEST_COMPLETE;
 +    qemu_bh_schedule(u->complete_bh);
 +}
 +
 +static void ufs_clear_req(UfsRequest *req)
 +{
 +    if (req->sg != NULL) {
 +        qemu_sglist_destroy(req->sg);
 +        g_free(req->sg);
 +        req->sg = NULL;
 +    }
 +
 +    memset(&req->utrd, 0, sizeof(req->utrd));
 +    memset(&req->req_upiu, 0, sizeof(req->req_upiu));
 +    memset(&req->rsp_upiu, 0, sizeof(req->rsp_upiu));
 +}
 +
 +static void ufs_sendback_req(void *opaque)
 +{
 +    UfsHc *u = opaque;
 +    UfsRequest *req;
 +    int slot;
 +
 +    for (slot = 0; slot < u->params.nutrs; slot++) {
 +        req = &u->req_list[slot];
 +
 +        if (req->state != UFS_REQUEST_COMPLETE) {
 +            continue;
 +        }
 +
 +        if (ufs_dma_write_upiu(req)) {
 +            req->state = UFS_REQUEST_ERROR;
 +            continue;
 +        }
 +
 +        /*
 +         * TODO: UTP Transfer Request Interrupt Aggregation Control is not yet
 +         * supported
 +         */
 +        if (le32_to_cpu(req->utrd.header.dword_2) != OCS_SUCCESS ||
 +            le32_to_cpu(req->utrd.header.dword_0) & UTP_REQ_DESC_INT_CMD) {
 +            u->reg.is = FIELD_DP32(u->reg.is, IS, UTRCS, 1);
 +        }
 +
 +        u->reg.utrldbr &= ~(1 << slot);
 +        u->reg.utrlcnr |= (1 << slot);
 +
 +        trace_ufs_sendback_req(req->slot);
 +
 +        ufs_clear_req(req);
 +        req->state = UFS_REQUEST_IDLE;
 +    }
 +
 +    ufs_irq_check(u);
 +}
 +
  static bool ufs_check_constraints(UfsHc *u, Error **errp)
  {
      if (u->params.nutrs > UFS_MAX_NUTRS) {
@@ -XXX,XX +XXX,XX @@ static void ufs_init_pci(UfsHc *u, PCIDevice *pci_dev)
      u->irq = pci_allocate_irq(pci_dev);
  }
- static bool coroutine_fn
++static void ufs_init_state(UfsHc *u)
-@@ -XXX,XX +XXX,XX @@ fail:
++{
-     return false;
++    u->req_list = g_new0(UfsRequest, u->params.nutrs);
 +
 +    for (int i = 0; i < u->params.nutrs; i++) {
 +        u->req_list[i].hc = u;
 +        u->req_list[i].slot = i;
 +        u->req_list[i].sg = NULL;
 +        u->req_list[i].state = UFS_REQUEST_IDLE;
 +    }
 +
 +    u->doorbell_bh = qemu_bh_new_guarded(ufs_process_req, u,
 +                                         &DEVICE(u)->mem_reentrancy_guard);
 +    u->complete_bh = qemu_bh_new_guarded(ufs_sendback_req, u,
 +                                         &DEVICE(u)->mem_reentrancy_guard);
 +}
 +
  static void ufs_init_hc(UfsHc *u)
  {
      uint32_t cap = 0;
@@ -XXX,XX +XXX,XX @@ static void ufs_init_hc(UfsHc *u)
      cap = FIELD_DP32(cap, CAP, CS, 0);
      u->reg.cap = cap;
      u->reg.ver = UFS_SPEC_VER;
 +
 +    memset(&u->device_desc, 0, sizeof(DeviceDescriptor));
 +    u->device_desc.length = sizeof(DeviceDescriptor);
 +    u->device_desc.descriptor_idn = QUERY_DESC_IDN_DEVICE;
 +    u->device_desc.device_sub_class = 0x01;
 +    u->device_desc.number_lu = 0x00;
 +    u->device_desc.number_wlu = 0x04;
 +    /* TODO: Revisit it when Power Management is implemented */
 +    u->device_desc.init_power_mode = 0x01; /* Active Mode */
 +    u->device_desc.high_priority_lun = 0x7F; /* Same Priority */
 +    u->device_desc.spec_version = cpu_to_be16(UFS_SPEC_VER);
 +    u->device_desc.manufacturer_name = 0x00;
 +    u->device_desc.product_name = 0x01;
 +    u->device_desc.serial_number = 0x02;
 +    u->device_desc.oem_id = 0x03;
 +    u->device_desc.ud_0_base_offset = 0x16;
 +    u->device_desc.ud_config_p_length = 0x1A;
 +    u->device_desc.device_rtt_cap = 0x02;
 +    u->device_desc.queue_depth = u->params.nutrs;
 +    u->device_desc.product_revision_level = 0x04;
 +
 +    memset(&u->geometry_desc, 0, sizeof(GeometryDescriptor));
 +    u->geometry_desc.length = sizeof(GeometryDescriptor);
 +    u->geometry_desc.descriptor_idn = QUERY_DESC_IDN_GEOMETRY;
 +    u->geometry_desc.max_number_lu = (UFS_MAX_LUS == 32) ? 0x1 : 0x0;
 +    u->geometry_desc.segment_size = cpu_to_be32(0x2000); /* 4KB */
 +    u->geometry_desc.allocation_unit_size = 0x1; /* 4KB */
 +    u->geometry_desc.min_addr_block_size = 0x8; /* 4KB */
 +    u->geometry_desc.max_in_buffer_size = 0x8;
 +    u->geometry_desc.max_out_buffer_size = 0x8;
 +    u->geometry_desc.rpmb_read_write_size = 0x40;
 +    u->geometry_desc.data_ordering =
 +        0x0; /* out-of-order data transfer is not supported */
 +    u->geometry_desc.max_context_id_number = 0x5;
 +    u->geometry_desc.supported_memory_types = cpu_to_be16(0x8001);
 +
 +    memset(&u->attributes, 0, sizeof(u->attributes));
 +    u->attributes.max_data_in_size = 0x08;
 +    u->attributes.max_data_out_size = 0x08;
 +    u->attributes.ref_clk_freq = 0x01; /* 26 MHz */
 +    /* configure descriptor is not supported */
 +    u->attributes.config_descr_lock = 0x01;
 +    u->attributes.max_num_of_rtt = 0x02;
 +
 +    memset(&u->flags, 0, sizeof(u->flags));
 +    u->flags.permanently_disable_fw_update = 1;
  }
--
+ static void ufs_realize(PCIDevice *pci_dev, Error **errp)
--static void vu_client_start(VuServer *server);
+@@ -XXX,XX +XXX,XX @@ static void ufs_realize(PCIDevice *pci_dev, Error **errp)
  static coroutine_fn void vu_client_trip(void *opaque)
  {
      VuServer *server = opaque;
 +    VuDev *vu_dev = &server->vu_dev;
 -    while (!server->aio_context_changed && server->sioc) {
 -        server->processing_msg = true;
 -        vu_dispatch(&server->vu_dev);
 -        server->processing_msg = false;
 +    while (!vu_dev->broken && vu_dispatch(vu_dev)) {
 +        /* Keep running */
      }
 -    if (server->aio_context_changed && server->sioc) {
 -        server->aio_context_changed = false;
 -        vu_client_start(server);
 -    }
 -}
 +    vu_deinit(vu_dev);
 +
 +    /* vu_deinit() should have called remove_watch() */
 +    assert(QTAILQ_EMPTY(&server->vu_fd_watches));
 +
 +    object_unref(OBJECT(server->sioc));
 +    server->sioc = NULL;
 -static void vu_client_start(VuServer *server)
 -{
 -    server->co_trip = qemu_coroutine_create(vu_client_trip, server);
 -    aio_co_enter(server->ctx, server->co_trip);
 +    object_unref(OBJECT(server->ioc));
 +    server->ioc = NULL;
 +
 +    server->co_trip = NULL;
 +    if (server->restart_listener_bh) {
 +        qemu_bh_schedule(server->restart_listener_bh);
 +    }
 +    aio_wait_kick();
  }
  /*
@@ -XXX,XX +XXX,XX @@ static void vu_client_start(VuServer *server)
  static void kick_handler(void *opaque)
  {
      VuFdWatch *vu_fd_watch = opaque;
 -    vu_fd_watch->processing = true;
 -    vu_fd_watch->cb(vu_fd_watch->vu_dev, 0, vu_fd_watch->pvt);
 -    vu_fd_watch->processing = false;
 +    VuDev *vu_dev = vu_fd_watch->vu_dev;
 +
 +    vu_fd_watch->cb(vu_dev, 0, vu_fd_watch->pvt);
 +
 +    /* Stop vu_client_trip() if an error occurred in vu_fd_watch->cb() */
 +    if (vu_dev->broken) {
 +        VuServer *server = container_of(vu_dev, VuServer, vu_dev);
 +
 +        qio_channel_shutdown(server->ioc, QIO_CHANNEL_SHUTDOWN_BOTH, NULL);
 +    }
  }
 -
  static VuFdWatch *find_vu_fd_watch(VuServer *server, int fd)
  {
@@ -XXX,XX +XXX,XX @@ static void vu_accept(QIONetListener *listener, QIOChannelSocket *sioc,
      qio_channel_set_name(QIO_CHANNEL(sioc), "vhost-user client");
      server->ioc = QIO_CHANNEL(sioc);
      object_ref(OBJECT(server->ioc));
 -    qio_channel_attach_aio_context(server->ioc, server->ctx);
 +
 +    /* TODO vu_message_write() spins if non-blocking! */
      qio_channel_set_blocking(server->ioc, false, NULL);
 -    vu_client_start(server);
 +
 +    server->co_trip = qemu_coroutine_create(vu_client_trip, server);
 +
 +    aio_context_acquire(server->ctx);
 +    vhost_user_server_attach_aio_context(server, server->ctx);
 +    aio_context_release(server->ctx);
  }
 -
  void vhost_user_server_stop(VuServer *server)
  {
 +    aio_context_acquire(server->ctx);
 +
 +    qemu_bh_delete(server->restart_listener_bh);
 +    server->restart_listener_bh = NULL;
 +
      if (server->sioc) {
 -        close_client(server);
 +        VuFdWatch *vu_fd_watch;
 +
 +        QTAILQ_FOREACH(vu_fd_watch, &server->vu_fd_watches, next) {
 +            aio_set_fd_handler(server->ctx, vu_fd_watch->fd, true,
 +                               NULL, NULL, NULL, vu_fd_watch);
 +        }
 +
 +        qio_channel_shutdown(server->ioc, QIO_CHANNEL_SHUTDOWN_BOTH, NULL);
 +
 +        AIO_WAIT_WHILE(server->ctx, server->co_trip);
      }
 +    aio_context_release(server->ctx);
 +
      if (server->listener) {
          qio_net_listener_disconnect(server->listener);
          object_unref(OBJECT(server->listener));
      }
 +}
 +
 +/*
 + * Allow the next client to connect to the server. Called from a BH in the main
 + * loop.
 + */
 +static void restart_listener_bh(void *opaque)
 +{
 +    VuServer *server = opaque;
 +    qio_net_listener_set_client_func(server->listener, vu_accept, server,
 +                                     NULL);
  }
 -void vhost_user_server_set_aio_context(VuServer *server, AioContext *ctx)
 +/* Called with ctx acquired */
 +void vhost_user_server_attach_aio_context(VuServer *server, AioContext *ctx)
  {
 -    VuFdWatch *vu_fd_watch, *next;
 -    void *opaque = NULL;
 -    IOHandler *io_read = NULL;
 -    bool attach;
 +    VuFdWatch *vu_fd_watch;
 -    server->ctx = ctx ? ctx : qemu_get_aio_context();
 +    server->ctx = ctx;
      if (!server->sioc) {
 -        /* not yet serving any client*/
          return;
      }
--    if (ctx) {
++    ufs_init_state(u);
--        qio_channel_attach_aio_context(server->ioc, ctx);
+     ufs_init_hc(u);
--        server->aio_context_changed = true;
+     ufs_init_pci(u, pci_dev);
 -        io_read = kick_handler;
 -        attach = true;
 -    } else {
 +    qio_channel_attach_aio_context(server->ioc, ctx);
 +
 +    QTAILQ_FOREACH(vu_fd_watch, &server->vu_fd_watches, next) {
 +        aio_set_fd_handler(ctx, vu_fd_watch->fd, true, kick_handler, NULL,
 +                           NULL, vu_fd_watch);
 +    }
 +
 +    aio_co_schedule(ctx, server->co_trip);
 +}
 +
 +/* Called with server->ctx acquired */
 +void vhost_user_server_detach_aio_context(VuServer *server)
 +{
 +    if (server->sioc) {
 +        VuFdWatch *vu_fd_watch;
 +
 +        QTAILQ_FOREACH(vu_fd_watch, &server->vu_fd_watches, next) {
 +            aio_set_fd_handler(server->ctx, vu_fd_watch->fd, true,
 +                               NULL, NULL, NULL, vu_fd_watch);
 +        }
 +
          qio_channel_detach_aio_context(server->ioc);
 -        /* server->ioc->ctx keeps the old AioConext */
 -        ctx = server->ioc->ctx;
 -        attach = false;
      }
 -    QTAILQ_FOREACH_SAFE(vu_fd_watch, &server->vu_fd_watches, next, next) {
 -        if (vu_fd_watch->cb) {
 -            opaque = attach ? vu_fd_watch : NULL;
 -            aio_set_fd_handler(ctx, vu_fd_watch->fd, true,
 -                               io_read, NULL, NULL,
 -                               opaque);
 -        }
 -    }
 +    server->ctx = NULL;
  }
--
++static void ufs_exit(PCIDevice *pci_dev)
- bool vhost_user_server_start(VuServer *server,
++{
-                              SocketAddress *socket_addr,
++    UfsHc *u = UFS(pci_dev);
-                              AioContext *ctx,
++
-@@ -XXX,XX +XXX,XX @@ bool vhost_user_server_start(VuServer *server,
++    qemu_bh_delete(u->doorbell_bh);
-                              const VuDevIface *vu_iface,
++    qemu_bh_delete(u->complete_bh);
-                              Error **errp)
++
- {
++    for (int i = 0; i < u->params.nutrs; i++) {
-+    QEMUBH *bh;
++        ufs_clear_req(&u->req_list[i]);
-     QIONetListener *listener = qio_net_listener_new();
++    }
-     if (qio_net_listener_open_sync(listener, socket_addr, 1,
++    g_free(u->req_list);
-                                    errp) < 0) {
++}
-@@ -XXX,XX +XXX,XX @@ bool vhost_user_server_start(VuServer *server,
++
-         return false;
+ static Property ufs_props[] = {
-     }
+     DEFINE_PROP_STRING("serial", UfsHc, params.serial),
+     DEFINE_PROP_UINT8("nutrs", UfsHc, params.nutrs, 32),
-+    bh = qemu_bh_new(restart_listener_bh, server);
+@@ -XXX,XX +XXX,XX @@ static void ufs_class_init(ObjectClass *oc, void *data)
-+
+     PCIDeviceClass *pc = PCI_DEVICE_CLASS(oc);
-     /* zero out unspecified fields */
-     *server = (VuServer) {
+     pc->realize = ufs_realize;
-         .listener              = listener,
++    pc->exit = ufs_exit;
-+        .restart_listener_bh   = bh,
+     pc->vendor_id = PCI_VENDOR_ID_REDHAT;
-         .vu_iface              = vu_iface,
+     pc->device_id = PCI_DEVICE_ID_REDHAT_UFS;
-         .max_queues            = max_queues,
+     pc->class_id = PCI_CLASS_STORAGE_UFS;
-         .ctx                   = ctx,
+diff --git a/hw/ufs/trace-events b/hw/ufs/trace-events
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/ufs/trace-events
 +++ b/hw/ufs/trace-events
@@ -XXX,XX +XXX,XX @@ ufs_err_dma_read_req_upiu(uint32_t slot, uint64_t addr) "failed to read req upiu
  ufs_err_dma_read_prdt(uint32_t slot, uint64_t addr) "failed to read prdt. UTRLDBR slot %"PRIu32", prdt addr %"PRIu64""
  ufs_err_dma_write_utrd(uint32_t slot, uint64_t addr) "failed to write utrd. UTRLDBR slot %"PRIu32", UTRD dma addr %"PRIu64""
  ufs_err_dma_write_rsp_upiu(uint32_t slot, uint64_t addr) "failed to write rsp upiu. UTRLDBR slot %"PRIu32", response upiu addr %"PRIu64""
 +ufs_err_utrl_slot_error(uint32_t slot) "UTRLDBR slot %"PRIu32" is in error"
  ufs_err_utrl_slot_busy(uint32_t slot) "UTRLDBR slot %"PRIu32" is busy"
  ufs_err_unsupport_register_offset(uint32_t offset) "Register offset 0x%"PRIx32" is not yet supported"
  ufs_err_invalid_register_offset(uint32_t offset) "Register offset 0x%"PRIx32" is invalid"
 --
-.26.2
+.41.0

-[PULL v2 04/28] util/vhost-user-server: generic vhost user server
+[PULL v2 3/8] hw/ufs: Support for UFS logical unit
-From: Coiby Xu <coiby.xu@gmail.com>
+From: Jeuk Kim <jeuk20.kim@gmail.com>
-Sharing QEMU devices via vhost-user protocol.
+This commit adds support for ufs logical unit.
 The LU handles processing for the SCSI command,
 unit descriptor query request.
-Only one vhost-user client can connect to the server one time.
+This commit enables the UFS device to process
 IO requests.
-Suggested-by: Kevin Wolf <kwolf@redhat.com>
+Signed-off-by: Jeuk Kim <jeuk20.kim@samsung.com>
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 Signed-off-by: Coiby Xu <coiby.xu@gmail.com>
 Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-id: 898cea923e819dc21a99597bf045a12d7983be28.1691062912.git.jeuk20.kim@samsung.com
 Message-id: 20200918080912.321299-4-coiby.xu@gmail.com
 [Fixed size_t %lu -> %zu format string compiler error.
 --Stefan]
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
- util/vhost-user-server.h |  65 ++++++
+ hw/ufs/ufs.h             |   43 ++
- util/vhost-user-server.c | 428 +++++++++++++++++++++++++++++++++++++++
+ include/scsi/constants.h |    1 +
- util/meson.build         |   1 +
+ hw/ufs/lu.c              | 1445 ++++++++++++++++++++++++++++++++++++++
-files changed, 494 insertions(+)
+ hw/ufs/ufs.c             |  252 ++++++-
- create mode 100644 util/vhost-user-server.h
+ hw/ufs/meson.build       |    2 +-
- create mode 100644 util/vhost-user-server.c
+ hw/ufs/trace-events      |   25 +
 files changed, 1761 insertions(+), 7 deletions(-)
  create mode 100644 hw/ufs/lu.c
-diff --git a/util/vhost-user-server.h b/util/vhost-user-server.h
+diff --git a/hw/ufs/ufs.h b/hw/ufs/ufs.h
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/ufs/ufs.h
 +++ b/hw/ufs/ufs.h
@@ -XXX,XX +XXX,XX @@
  #define UFS_MAX_LUS 32
  #define UFS_BLOCK_SIZE 4096
 +typedef struct UfsBusClass {
 +    BusClass parent_class;
 +    bool (*parent_check_address)(BusState *bus, DeviceState *dev, Error **errp);
 +} UfsBusClass;
 +
 +typedef struct UfsBus {
 +    SCSIBus parent_bus;
 +} UfsBus;
 +
 +#define TYPE_UFS_BUS "ufs-bus"
 +DECLARE_OBJ_CHECKERS(UfsBus, UfsBusClass, UFS_BUS, TYPE_UFS_BUS)
 +
  typedef enum UfsRequestState {
      UFS_REQUEST_IDLE = 0,
      UFS_REQUEST_READY = 1,
@@ -XXX,XX +XXX,XX @@ typedef enum UfsRequestState {
  typedef enum UfsReqResult {
      UFS_REQUEST_SUCCESS = 0,
      UFS_REQUEST_FAIL = 1,
 +    UFS_REQUEST_NO_COMPLETE = 2,
  } UfsReqResult;
  typedef struct UfsRequest {
@@ -XXX,XX +XXX,XX @@ typedef struct UfsRequest {
      QEMUSGList *sg;
  } UfsRequest;
 +typedef struct UfsLu {
 +    SCSIDevice qdev;
 +    uint8_t lun;
 +    UnitDescriptor unit_desc;
 +} UfsLu;
 +
 +typedef struct UfsWLu {
 +    SCSIDevice qdev;
 +    uint8_t lun;
 +} UfsWLu;
 +
  typedef struct UfsParams {
      char *serial;
      uint8_t nutrs; /* Number of UTP Transfer Request Slots */
@@ -XXX,XX +XXX,XX @@ typedef struct UfsParams {
  typedef struct UfsHc {
      PCIDevice parent_obj;
 +    UfsBus bus;
      MemoryRegion iomem;
      UfsReg reg;
      UfsParams params;
      uint32_t reg_size;
      UfsRequest *req_list;
 +    UfsLu *lus[UFS_MAX_LUS];
 +    UfsWLu *report_wlu;
 +    UfsWLu *dev_wlu;
 +    UfsWLu *boot_wlu;
 +    UfsWLu *rpmb_wlu;
      DeviceDescriptor device_desc;
      GeometryDescriptor geometry_desc;
      Attributes attributes;
@@ -XXX,XX +XXX,XX @@ typedef struct UfsHc {
  #define TYPE_UFS "ufs"
  #define UFS(obj) OBJECT_CHECK(UfsHc, (obj), TYPE_UFS)
 +#define TYPE_UFS_LU "ufs-lu"
 +#define UFSLU(obj) OBJECT_CHECK(UfsLu, (obj), TYPE_UFS_LU)
 +
 +#define TYPE_UFS_WLU "ufs-wlu"
 +#define UFSWLU(obj) OBJECT_CHECK(UfsWLu, (obj), TYPE_UFS_WLU)
 +
  typedef enum UfsQueryFlagPerm {
      UFS_QUERY_FLAG_NONE = 0x0,
      UFS_QUERY_FLAG_READ = 0x1,
@@ -XXX,XX +XXX,XX @@ typedef enum UfsQueryAttrPerm {
      UFS_QUERY_ATTR_WRITE = 0x2,
  } UfsQueryAttrPerm;
 +static inline bool is_wlun(uint8_t lun)
 +{
 +    return (lun == UFS_UPIU_REPORT_LUNS_WLUN ||
 +            lun == UFS_UPIU_UFS_DEVICE_WLUN || lun == UFS_UPIU_BOOT_WLUN ||
 +            lun == UFS_UPIU_RPMB_WLUN);
 +}
 +
  #endif /* HW_UFS_UFS_H */
 diff --git a/include/scsi/constants.h b/include/scsi/constants.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/scsi/constants.h
 +++ b/include/scsi/constants.h
@@ -XXX,XX +XXX,XX @@
  #define MODE_PAGE_FLEXIBLE_DISK_GEOMETRY      0x05
  #define MODE_PAGE_CACHING                     0x08
  #define MODE_PAGE_AUDIO_CTL                   0x0e
 +#define MODE_PAGE_CONTROL                     0x0a
  #define MODE_PAGE_POWER                       0x1a
  #define MODE_PAGE_FAULT_FAIL                  0x1c
  #define MODE_PAGE_TO_PROTECT                  0x1d
 diff --git a/hw/ufs/lu.c b/hw/ufs/lu.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
-+++ b/util/vhost-user-server.h
++++ b/hw/ufs/lu.c
 @@ -XXX,XX +XXX,XX @@
 +/*
-+ * Sharing QEMU devices via vhost-user protocol
++ * QEMU UFS Logical Unit
 + *
-+ * Copyright (c) Coiby Xu <coiby.xu@gmail.com>.
++ * Copyright (c) 2023 Samsung Electronics Co., Ltd. All rights reserved.
 + * Copyright (c) 2020 Red Hat, Inc.
 + *
-+ * This work is licensed under the terms of the GNU GPL, version 2 or
++ * Written by Jeuk Kim <jeuk20.kim@samsung.com>
-+ * later.  See the COPYING file in the top-level directory.
++ *
 + * This code is licensed under the GNU GPL v2 or later.
 + */
 +
-+#ifndef VHOST_USER_SERVER_H
++#include "qemu/osdep.h"
-+#define VHOST_USER_SERVER_H
++#include "qemu/units.h"
 +
 +#include "contrib/libvhost-user/libvhost-user.h"
 +#include "io/channel-socket.h"
 +#include "io/channel-file.h"
 +#include "io/net-listener.h"
 +#include "qemu/error-report.h"
 +#include "qapi/error.h"
-+#include "standard-headers/linux/virtio_blk.h"
++#include "qemu/memalign.h"
-+
++#include "hw/scsi/scsi.h"
-+typedef struct VuFdWatch {
++#include "scsi/constants.h"
-+    VuDev *vu_dev;
++#include "sysemu/block-backend.h"
-+    int fd; /*kick fd*/
++#include "qemu/cutils.h"
-+    void *pvt;
++#include "trace.h"
-+    vu_watch_cb cb;
++#include "ufs.h"
-+    bool processing;
++
-+    QTAILQ_ENTRY(VuFdWatch) next;
++/*
-+} VuFdWatch;
++ * The code below handling SCSI commands is copied from hw/scsi/scsi-disk.c,
-+
++ * with minor adjustments to make it work for UFS.
-+typedef struct VuServer VuServer;
++ */
-+typedef void DevicePanicNotifierFn(VuServer *server);
++
-+
++#define SCSI_DMA_BUF_SIZE (128 * KiB)
-+struct VuServer {
++#define SCSI_MAX_INQUIRY_LEN 256
-+    QIONetListener *listener;
++#define SCSI_INQUIRY_DATA_SIZE 36
-+    AioContext *ctx;
++#define SCSI_MAX_MODE_LEN 256
-+    DevicePanicNotifierFn *device_panic_notifier;
++
-+    int max_queues;
++typedef struct UfsSCSIReq {
-+    const VuDevIface *vu_iface;
++    SCSIRequest req;
-+    VuDev vu_dev;
++    /* Both sector and sector_count are in terms of BDRV_SECTOR_SIZE bytes.  */
-+    QIOChannel *ioc; /* The I/O channel with the client */
++    uint64_t sector;
-+    QIOChannelSocket *sioc; /* The underlying data channel with the client */
++    uint32_t sector_count;
-+    /* IOChannel for fd provided via VHOST_USER_SET_SLAVE_REQ_FD */
++    uint32_t buflen;
-+    QIOChannel *ioc_slave;
++    bool started;
-+    QIOChannelSocket *sioc_slave;
++    bool need_fua_emulation;
-+    Coroutine *co_trip; /* coroutine for processing VhostUserMsg */
++    struct iovec iov;
-+    QTAILQ_HEAD(, VuFdWatch) vu_fd_watches;
++    QEMUIOVector qiov;
-+    /* restart coroutine co_trip if AIOContext is changed */
++    BlockAcctCookie acct;
-+    bool aio_context_changed;
++} UfsSCSIReq;
-+    bool processing_msg;
++
 +static void ufs_scsi_free_request(SCSIRequest *req)
 +{
 +    UfsSCSIReq *r = DO_UPCAST(UfsSCSIReq, req, req);
 +
 +    qemu_vfree(r->iov.iov_base);
 +}
 +
 +static void scsi_check_condition(UfsSCSIReq *r, SCSISense sense)
 +{
 +    trace_ufs_scsi_check_condition(r->req.tag, sense.key, sense.asc,
 +                                   sense.ascq);
 +    scsi_req_build_sense(&r->req, sense);
 +    scsi_req_complete(&r->req, CHECK_CONDITION);
 +}
 +
 +static int ufs_scsi_emulate_vpd_page(SCSIRequest *req, uint8_t *outbuf,
 +                                     uint32_t outbuf_len)
 +{
 +    UfsHc *u = UFS(req->bus->qbus.parent);
 +    UfsLu *lu = DO_UPCAST(UfsLu, qdev, req->dev);
 +    uint8_t page_code = req->cmd.buf[2];
 +    int start, buflen = 0;
 +
 +    if (outbuf_len < SCSI_INQUIRY_DATA_SIZE) {
 +        return -1;
 +    }
 +
 +    outbuf[buflen++] = lu->qdev.type & 0x1f;
 +    outbuf[buflen++] = page_code;
 +    outbuf[buflen++] = 0x00;
 +    outbuf[buflen++] = 0x00;
 +    start = buflen;
 +
 +    switch (page_code) {
 +    case 0x00: /* Supported page codes, mandatory */
 +    {
 +        trace_ufs_scsi_emulate_vpd_page_00(req->cmd.xfer);
 +        outbuf[buflen++] = 0x00; /* list of supported pages (this page) */
 +        if (u->params.serial) {
 +            outbuf[buflen++] = 0x80; /* unit serial number */
 +        }
 +        outbuf[buflen++] = 0x87; /* mode page policy */
 +        break;
 +    }
 +    case 0x80: /* Device serial number, optional */
 +    {
 +        int l;
 +
 +        if (!u->params.serial) {
 +            trace_ufs_scsi_emulate_vpd_page_80_not_supported();
 +            return -1;
 +        }
 +
 +        l = strlen(u->params.serial);
 +        if (l > SCSI_INQUIRY_DATA_SIZE) {
 +            l = SCSI_INQUIRY_DATA_SIZE;
 +        }
 +
 +        trace_ufs_scsi_emulate_vpd_page_80(req->cmd.xfer);
 +        memcpy(outbuf + buflen, u->params.serial, l);
 +        buflen += l;
 +        break;
 +    }
 +    case 0x87: /* Mode Page Policy, mandatory */
 +    {
 +        trace_ufs_scsi_emulate_vpd_page_87(req->cmd.xfer);
 +        outbuf[buflen++] = 0x3f; /* apply to all mode pages and subpages */
 +        outbuf[buflen++] = 0xff;
 +        outbuf[buflen++] = 0; /* shared */
 +        outbuf[buflen++] = 0;
 +        break;
 +    }
 +    default:
 +        return -1;
 +    }
 +    /* done with EVPD */
 +    assert(buflen - start <= 255);
 +    outbuf[start - 1] = buflen - start;
 +    return buflen;
 +}
 +
 +static int ufs_scsi_emulate_inquiry(SCSIRequest *req, uint8_t *outbuf,
 +                                    uint32_t outbuf_len)
 +{
 +    int buflen = 0;
 +
 +    if (outbuf_len < SCSI_INQUIRY_DATA_SIZE) {
 +        return -1;
 +    }
 +
 +    if (req->cmd.buf[1] & 0x1) {
 +        /* Vital product data */
 +        return ufs_scsi_emulate_vpd_page(req, outbuf, outbuf_len);
 +    }
 +
 +    /* Standard INQUIRY data */
 +    if (req->cmd.buf[2] != 0) {
 +        return -1;
 +    }
 +
 +    /* PAGE CODE == 0 */
 +    buflen = req->cmd.xfer;
 +    if (buflen > SCSI_MAX_INQUIRY_LEN) {
 +        buflen = SCSI_MAX_INQUIRY_LEN;
 +    }
 +
 +    if (is_wlun(req->lun)) {
 +        outbuf[0] = TYPE_WLUN;
 +    } else {
 +        outbuf[0] = 0;
 +    }
 +    outbuf[1] = 0;
 +
 +    strpadcpy((char *)&outbuf[16], 16, "QEMU UFS", ' ');
 +    strpadcpy((char *)&outbuf[8], 8, "QEMU", ' ');
 +
 +    memset(&outbuf[32], 0, 4);
 +
 +    outbuf[2] = 0x06; /* SPC-4 */
 +    outbuf[3] = 0x2;
 +
 +    if (buflen > SCSI_INQUIRY_DATA_SIZE) {
 +        outbuf[4] = buflen - 5; /* Additional Length = (Len - 1) - 4 */
 +    } else {
 +        /*
 +         * If the allocation length of CDB is too small, the additional
 +         * length is not adjusted
 +         */
 +        outbuf[4] = SCSI_INQUIRY_DATA_SIZE - 5;
 +    }
 +
 +    /* Support TCQ.  */
 +    outbuf[7] = req->bus->info->tcq ? 0x02 : 0;
 +    return buflen;
 +}
 +
 +static int mode_sense_page(UfsLu *lu, int page, uint8_t **p_outbuf,
 +                           int page_control)
 +{
 +    static const int mode_sense_valid[0x3f] = {
 +        [MODE_PAGE_CACHING] = 1,
 +        [MODE_PAGE_R_W_ERROR] = 1,
 +        [MODE_PAGE_CONTROL] = 1,
 +    };
 +
 +    uint8_t *p = *p_outbuf + 2;
 +    int length;
 +
 +    assert(page < ARRAY_SIZE(mode_sense_valid));
 +    if ((mode_sense_valid[page]) == 0) {
 +        return -1;
 +    }
 +
 +    /*
 +     * If Changeable Values are requested, a mask denoting those mode parameters
 +     * that are changeable shall be returned. As we currently don't support
 +     * parameter changes via MODE_SELECT all bits are returned set to zero.
 +     * The buffer was already memset to zero by the caller of this function.
 +     */
 +    switch (page) {
 +    case MODE_PAGE_CACHING:
 +        length = 0x12;
 +        if (page_control == 1 || /* Changeable Values */
 +            blk_enable_write_cache(lu->qdev.conf.blk)) {
 +            p[0] = 4; /* WCE */
 +        }
 +        break;
 +
 +    case MODE_PAGE_R_W_ERROR:
 +        length = 10;
 +        if (page_control == 1) { /* Changeable Values */
 +            break;
 +        }
 +        p[0] = 0x80; /* Automatic Write Reallocation Enabled */
 +        break;
 +
 +    case MODE_PAGE_CONTROL:
 +        length = 10;
 +        if (page_control == 1) { /* Changeable Values */
 +            break;
 +        }
 +        p[1] = 0x10; /* Queue Algorithm modifier */
 +        p[8] = 0xff; /* Busy Timeout Period */
 +        p[9] = 0xff;
 +        break;
 +
 +    default:
 +        return -1;
 +    }
 +
 +    assert(length < 256);
 +    (*p_outbuf)[0] = page;
 +    (*p_outbuf)[1] = length;
 +    *p_outbuf += length + 2;
 +    return length + 2;
 +}
 +
 +static int ufs_scsi_emulate_mode_sense(UfsSCSIReq *r, uint8_t *outbuf)
 +{
 +    UfsLu *lu = DO_UPCAST(UfsLu, qdev, r->req.dev);
 +    bool dbd;
 +    int page, buflen, ret, page_control;
 +    uint8_t *p;
 +    uint8_t dev_specific_param = 0;
 +
 +    dbd = (r->req.cmd.buf[1] & 0x8) != 0;
 +    if (!dbd) {
 +        return -1;
 +    }
 +
 +    page = r->req.cmd.buf[2] & 0x3f;
 +    page_control = (r->req.cmd.buf[2] & 0xc0) >> 6;
 +
 +    trace_ufs_scsi_emulate_mode_sense((r->req.cmd.buf[0] == MODE_SENSE) ? 6 :
 +                                                                          10,
 +                                      page, r->req.cmd.xfer, page_control);
 +    memset(outbuf, 0, r->req.cmd.xfer);
 +    p = outbuf;
 +
 +    if (!blk_is_writable(lu->qdev.conf.blk)) {
 +        dev_specific_param |= 0x80; /* Readonly.  */
 +    }
 +
 +    p[2] = 0; /* Medium type.  */
 +    p[3] = dev_specific_param;
 +    p[6] = p[7] = 0; /* Block descriptor length.  */
 +    p += 8;
 +
 +    if (page_control == 3) {
 +        /* Saved Values */
 +        scsi_check_condition(r, SENSE_CODE(SAVING_PARAMS_NOT_SUPPORTED));
 +        return -1;
 +    }
 +
 +    if (page == 0x3f) {
 +        for (page = 0; page <= 0x3e; page++) {
 +            mode_sense_page(lu, page, &p, page_control);
 +        }
 +    } else {
 +        ret = mode_sense_page(lu, page, &p, page_control);
 +        if (ret == -1) {
 +            return -1;
 +        }
 +    }
 +
 +    buflen = p - outbuf;
 +    /*
 +     * The mode data length field specifies the length in bytes of the
 +     * following data that is available to be transferred. The mode data
 +     * length does not include itself.
 +     */
 +    outbuf[0] = ((buflen - 2) >> 8) & 0xff;
 +    outbuf[1] = (buflen - 2) & 0xff;
 +    return buflen;
 +}
 +
 +/*
 + * scsi_handle_rw_error has two return values.  False means that the error
 + * must be ignored, true means that the error has been processed and the
 + * caller should not do anything else for this request.  Note that
 + * scsi_handle_rw_error always manages its reference counts, independent
 + * of the return value.
 + */
 +static bool scsi_handle_rw_error(UfsSCSIReq *r, int ret, bool acct_failed)
 +{
 +    bool is_read = (r->req.cmd.mode == SCSI_XFER_FROM_DEV);
 +    UfsLu *lu = DO_UPCAST(UfsLu, qdev, r->req.dev);
 +    SCSISense sense = SENSE_CODE(NO_SENSE);
 +    int error = 0;
 +    bool req_has_sense = false;
 +    BlockErrorAction action;
 +    int status;
 +
 +    if (ret < 0) {
 +        status = scsi_sense_from_errno(-ret, &sense);
 +        error = -ret;
 +    } else {
 +        /* A passthrough command has completed with nonzero status.  */
 +        status = ret;
 +        if (status == CHECK_CONDITION) {
 +            req_has_sense = true;
 +            error = scsi_sense_buf_to_errno(r->req.sense, sizeof(r->req.sense));
 +        } else {
 +            error = EINVAL;
 +        }
 +    }
 +
 +    /*
 +     * Check whether the error has to be handled by the guest or should
 +     * rather follow the rerror=/werror= settings.  Guest-handled errors
 +     * are usually retried immediately, so do not post them to QMP and
 +     * do not account them as failed I/O.
 +     */
 +    if (req_has_sense && scsi_sense_buf_is_guest_recoverable(
 +                             r->req.sense, sizeof(r->req.sense))) {
 +        action = BLOCK_ERROR_ACTION_REPORT;
 +        acct_failed = false;
 +    } else {
 +        action = blk_get_error_action(lu->qdev.conf.blk, is_read, error);
 +        blk_error_action(lu->qdev.conf.blk, action, is_read, error);
 +    }
 +
 +    switch (action) {
 +    case BLOCK_ERROR_ACTION_REPORT:
 +        if (acct_failed) {
 +            block_acct_failed(blk_get_stats(lu->qdev.conf.blk), &r->acct);
 +        }
 +        if (!req_has_sense && status == CHECK_CONDITION) {
 +            scsi_req_build_sense(&r->req, sense);
 +        }
 +        scsi_req_complete(&r->req, status);
 +        return true;
 +
 +    case BLOCK_ERROR_ACTION_IGNORE:
 +        return false;
 +
 +    case BLOCK_ERROR_ACTION_STOP:
 +        scsi_req_retry(&r->req);
 +        return true;
 +
 +    default:
 +        g_assert_not_reached();
 +    }
 +}
 +
 +static bool ufs_scsi_req_check_error(UfsSCSIReq *r, int ret, bool acct_failed)
 +{
 +    if (r->req.io_canceled) {
 +        scsi_req_cancel_complete(&r->req);
 +        return true;
 +    }
 +
 +    if (ret < 0) {
 +        return scsi_handle_rw_error(r, ret, acct_failed);
 +    }
 +
 +    return false;
 +}
 +
 +static void scsi_aio_complete(void *opaque, int ret)
 +{
 +    UfsSCSIReq *r = (UfsSCSIReq *)opaque;
 +    UfsLu *lu = DO_UPCAST(UfsLu, qdev, r->req.dev);
 +
 +    assert(r->req.aiocb != NULL);
 +    r->req.aiocb = NULL;
 +    aio_context_acquire(blk_get_aio_context(lu->qdev.conf.blk));
 +    if (ufs_scsi_req_check_error(r, ret, true)) {
 +        goto done;
 +    }
 +
 +    block_acct_done(blk_get_stats(lu->qdev.conf.blk), &r->acct);
 +    scsi_req_complete(&r->req, GOOD);
 +
 +done:
 +    aio_context_release(blk_get_aio_context(lu->qdev.conf.blk));
 +    scsi_req_unref(&r->req);
 +}
 +
 +static int32_t ufs_scsi_emulate_command(SCSIRequest *req, uint8_t *buf)
 +{
 +    UfsSCSIReq *r = DO_UPCAST(UfsSCSIReq, req, req);
 +    UfsLu *lu = DO_UPCAST(UfsLu, qdev, req->dev);
 +    uint32_t last_block = 0;
 +    uint8_t *outbuf;
 +    int buflen;
 +
 +    switch (req->cmd.buf[0]) {
 +    case INQUIRY:
 +    case MODE_SENSE_10:
 +    case START_STOP:
 +    case REQUEST_SENSE:
 +        break;
 +
 +    default:
 +        if (!blk_is_available(lu->qdev.conf.blk)) {
 +            scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
 +            return 0;
 +        }
 +        break;
 +    }
 +
 +    /*
 +     * FIXME: we shouldn't return anything bigger than 4k, but the code
 +     * requires the buffer to be as big as req->cmd.xfer in several
 +     * places.  So, do not allow CDBs with a very large ALLOCATION
 +     * LENGTH.  The real fix would be to modify scsi_read_data and
 +     * dma_buf_read, so that they return data beyond the buflen
 +     * as all zeros.
 +     */
 +    if (req->cmd.xfer > 65536) {
 +        goto illegal_request;
 +    }
 +    r->buflen = MAX(4096, req->cmd.xfer);
 +
 +    if (!r->iov.iov_base) {
 +        r->iov.iov_base = blk_blockalign(lu->qdev.conf.blk, r->buflen);
 +    }
 +
 +    outbuf = r->iov.iov_base;
 +    memset(outbuf, 0, r->buflen);
 +    switch (req->cmd.buf[0]) {
 +    case TEST_UNIT_READY:
 +        assert(blk_is_available(lu->qdev.conf.blk));
 +        break;
 +    case INQUIRY:
 +        buflen = ufs_scsi_emulate_inquiry(req, outbuf, r->buflen);
 +        if (buflen < 0) {
 +            goto illegal_request;
 +        }
 +        break;
 +    case MODE_SENSE_10:
 +        buflen = ufs_scsi_emulate_mode_sense(r, outbuf);
 +        if (buflen < 0) {
 +            goto illegal_request;
 +        }
 +        break;
 +    case READ_CAPACITY_10:
 +        /* The normal LEN field for this command is zero.  */
 +        memset(outbuf, 0, 8);
 +        if (lu->qdev.max_lba > 0) {
 +            last_block = lu->qdev.max_lba - 1;
 +        };
 +        outbuf[0] = (last_block >> 24) & 0xff;
 +        outbuf[1] = (last_block >> 16) & 0xff;
 +        outbuf[2] = (last_block >> 8) & 0xff;
 +        outbuf[3] = last_block & 0xff;
 +        outbuf[4] = (lu->qdev.blocksize >> 24) & 0xff;
 +        outbuf[5] = (lu->qdev.blocksize >> 16) & 0xff;
 +        outbuf[6] = (lu->qdev.blocksize >> 8) & 0xff;
 +        outbuf[7] = lu->qdev.blocksize & 0xff;
 +        break;
 +    case REQUEST_SENSE:
 +        /* Just return "NO SENSE".  */
 +        buflen = scsi_convert_sense(NULL, 0, outbuf, r->buflen,
 +                                    (req->cmd.buf[1] & 1) == 0);
 +        if (buflen < 0) {
 +            goto illegal_request;
 +        }
 +        break;
 +    case SYNCHRONIZE_CACHE:
 +        /* The request is used as the AIO opaque value, so add a ref.  */
 +        scsi_req_ref(&r->req);
 +        block_acct_start(blk_get_stats(lu->qdev.conf.blk), &r->acct, 0,
 +                         BLOCK_ACCT_FLUSH);
 +        r->req.aiocb = blk_aio_flush(lu->qdev.conf.blk, scsi_aio_complete, r);
 +        return 0;
 +    case VERIFY_10:
 +        trace_ufs_scsi_emulate_command_VERIFY((req->cmd.buf[1] >> 1) & 3);
 +        if (req->cmd.buf[1] & 6) {
 +            goto illegal_request;
 +        }
 +        break;
 +    case SERVICE_ACTION_IN_16:
 +        /* Service Action In subcommands. */
 +        if ((req->cmd.buf[1] & 31) == SAI_READ_CAPACITY_16) {
 +            trace_ufs_scsi_emulate_command_SAI_16();
 +            memset(outbuf, 0, req->cmd.xfer);
 +
 +            if (lu->qdev.max_lba > 0) {
 +                last_block = lu->qdev.max_lba - 1;
 +            };
 +            outbuf[0] = 0;
 +            outbuf[1] = 0;
 +            outbuf[2] = 0;
 +            outbuf[3] = 0;
 +            outbuf[4] = (last_block >> 24) & 0xff;
 +            outbuf[5] = (last_block >> 16) & 0xff;
 +            outbuf[6] = (last_block >> 8) & 0xff;
 +            outbuf[7] = last_block & 0xff;
 +            outbuf[8] = (lu->qdev.blocksize >> 24) & 0xff;
 +            outbuf[9] = (lu->qdev.blocksize >> 16) & 0xff;
 +            outbuf[10] = (lu->qdev.blocksize >> 8) & 0xff;
 +            outbuf[11] = lu->qdev.blocksize & 0xff;
 +            outbuf[12] = 0;
 +            outbuf[13] = get_physical_block_exp(&lu->qdev.conf);
 +
 +            if (lu->unit_desc.provisioning_type == 2 ||
 +                lu->unit_desc.provisioning_type == 3) {
 +                outbuf[14] = 0x80;
 +            }
 +            /* Protection, exponent and lowest lba field left blank. */
 +            break;
 +        }
 +        trace_ufs_scsi_emulate_command_SAI_unsupported();
 +        goto illegal_request;
 +    case MODE_SELECT_10:
 +        trace_ufs_scsi_emulate_command_MODE_SELECT_10(r->req.cmd.xfer);
 +        break;
 +    case START_STOP:
 +        /*
 +         * TODO: START_STOP is not yet implemented. It always returns success.
 +         * Revisit it when ufs power management is implemented.
 +         */
 +        trace_ufs_scsi_emulate_command_START_STOP();
 +        break;
 +    case FORMAT_UNIT:
 +        trace_ufs_scsi_emulate_command_FORMAT_UNIT();
 +        break;
 +    case SEND_DIAGNOSTIC:
 +        trace_ufs_scsi_emulate_command_SEND_DIAGNOSTIC();
 +        break;
 +    default:
 +        trace_ufs_scsi_emulate_command_UNKNOWN(buf[0],
 +                                               scsi_command_name(buf[0]));
 +        scsi_check_condition(r, SENSE_CODE(INVALID_OPCODE));
 +        return 0;
 +    }
 +    assert(!r->req.aiocb);
 +    r->iov.iov_len = MIN(r->buflen, req->cmd.xfer);
 +    if (r->iov.iov_len == 0) {
 +        scsi_req_complete(&r->req, GOOD);
 +    }
 +    if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
 +        assert(r->iov.iov_len == req->cmd.xfer);
 +        return -r->iov.iov_len;
 +    } else {
 +        return r->iov.iov_len;
 +    }
 +
 +illegal_request:
 +    if (r->req.status == -1) {
 +        scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
 +    }
 +    return 0;
 +}
 +
 +static void ufs_scsi_emulate_read_data(SCSIRequest *req)
 +{
 +    UfsSCSIReq *r = DO_UPCAST(UfsSCSIReq, req, req);
 +    int buflen = r->iov.iov_len;
 +
 +    if (buflen) {
 +        trace_ufs_scsi_emulate_read_data(buflen);
 +        r->iov.iov_len = 0;
 +        r->started = true;
 +        scsi_req_data(&r->req, buflen);
 +        return;
 +    }
 +
 +    /* This also clears the sense buffer for REQUEST SENSE.  */
 +    scsi_req_complete(&r->req, GOOD);
 +}
 +
 +static int ufs_scsi_check_mode_select(UfsLu *lu, int page, uint8_t *inbuf,
 +                                      int inlen)
 +{
 +    uint8_t mode_current[SCSI_MAX_MODE_LEN];
 +    uint8_t mode_changeable[SCSI_MAX_MODE_LEN];
 +    uint8_t *p;
 +    int len, expected_len, changeable_len, i;
 +
 +    /*
 +     * The input buffer does not include the page header, so it is
 +     * off by 2 bytes.
 +     */
 +    expected_len = inlen + 2;
 +    if (expected_len > SCSI_MAX_MODE_LEN) {
 +        return -1;
 +    }
 +
 +    /* MODE_PAGE_ALLS is only valid for MODE SENSE commands */
 +    if (page == MODE_PAGE_ALLS) {
 +        return -1;
 +    }
 +
 +    p = mode_current;
 +    memset(mode_current, 0, inlen + 2);
 +    len = mode_sense_page(lu, page, &p, 0);
 +    if (len < 0 || len != expected_len) {
 +        return -1;
 +    }
 +
 +    p = mode_changeable;
 +    memset(mode_changeable, 0, inlen + 2);
 +    changeable_len = mode_sense_page(lu, page, &p, 1);
 +    assert(changeable_len == len);
 +
 +    /*
 +     * Check that unchangeable bits are the same as what MODE SENSE
 +     * would return.
 +     */
 +    for (i = 2; i < len; i++) {
 +        if (((mode_current[i] ^ inbuf[i - 2]) & ~mode_changeable[i]) != 0) {
 +            return -1;
 +        }
 +    }
 +    return 0;
 +}
 +
 +static void ufs_scsi_apply_mode_select(UfsLu *lu, int page, uint8_t *p)
 +{
 +    switch (page) {
 +    case MODE_PAGE_CACHING:
 +        blk_set_enable_write_cache(lu->qdev.conf.blk, (p[0] & 4) != 0);
 +        break;
 +
 +    default:
 +        break;
 +    }
 +}
 +
 +static int mode_select_pages(UfsSCSIReq *r, uint8_t *p, int len, bool change)
 +{
 +    UfsLu *lu = DO_UPCAST(UfsLu, qdev, r->req.dev);
 +
 +    while (len > 0) {
 +        int page, page_len;
 +
 +        page = p[0] & 0x3f;
 +        if (p[0] & 0x40) {
 +            goto invalid_param;
 +        } else {
 +            if (len < 2) {
 +                goto invalid_param_len;
 +            }
 +            page_len = p[1];
 +            p += 2;
 +            len -= 2;
 +        }
 +
 +        if (page_len > len) {
 +            goto invalid_param_len;
 +        }
 +
 +        if (!change) {
 +            if (ufs_scsi_check_mode_select(lu, page, p, page_len) < 0) {
 +                goto invalid_param;
 +            }
 +        } else {
 +            ufs_scsi_apply_mode_select(lu, page, p);
 +        }
 +
 +        p += page_len;
 +        len -= page_len;
 +    }
 +    return 0;
 +
 +invalid_param:
 +    scsi_check_condition(r, SENSE_CODE(INVALID_PARAM));
 +    return -1;
 +
 +invalid_param_len:
 +    scsi_check_condition(r, SENSE_CODE(INVALID_PARAM_LEN));
 +    return -1;
 +}
 +
 +static void ufs_scsi_emulate_mode_select(UfsSCSIReq *r, uint8_t *inbuf)
 +{
 +    UfsLu *lu = DO_UPCAST(UfsLu, qdev, r->req.dev);
 +    uint8_t *p = inbuf;
 +    int len = r->req.cmd.xfer;
 +    int hdr_len = 8;
 +    int bd_len;
 +    int pass;
 +
 +    /* We only support PF=1, SP=0.  */
 +    if ((r->req.cmd.buf[1] & 0x11) != 0x10) {
 +        goto invalid_field;
 +    }
 +
 +    if (len < hdr_len) {
 +        goto invalid_param_len;
 +    }
 +
 +    bd_len = lduw_be_p(&p[6]);
 +    if (bd_len != 0) {
 +        goto invalid_param;
 +    }
 +
 +    len -= hdr_len;
 +    p += hdr_len;
 +
 +    /* Ensure no change is made if there is an error!  */
 +    for (pass = 0; pass < 2; pass++) {
 +        if (mode_select_pages(r, p, len, pass == 1) < 0) {
 +            assert(pass == 0);
 +            return;
 +        }
 +    }
 +
 +    if (!blk_enable_write_cache(lu->qdev.conf.blk)) {
 +        /* The request is used as the AIO opaque value, so add a ref.  */
 +        scsi_req_ref(&r->req);
 +        block_acct_start(blk_get_stats(lu->qdev.conf.blk), &r->acct, 0,
 +                         BLOCK_ACCT_FLUSH);
 +        r->req.aiocb = blk_aio_flush(lu->qdev.conf.blk, scsi_aio_complete, r);
 +        return;
 +    }
 +
 +    scsi_req_complete(&r->req, GOOD);
 +    return;
 +
 +invalid_param:
 +    scsi_check_condition(r, SENSE_CODE(INVALID_PARAM));
 +    return;
 +
 +invalid_param_len:
 +    scsi_check_condition(r, SENSE_CODE(INVALID_PARAM_LEN));
 +    return;
 +
 +invalid_field:
 +    scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
 +}
 +
 +/* block_num and nb_blocks expected to be in qdev blocksize */
 +static inline bool check_lba_range(UfsLu *lu, uint64_t block_num,
 +                                   uint32_t nb_blocks)
 +{
 +    /*
 +     * The first line tests that no overflow happens when computing the last
 +     * block.  The second line tests that the last accessed block is in
 +     * range.
 +     *
 +     * Careful, the computations should not underflow for nb_blocks == 0,
 +     * and a 0-block read to the first LBA beyond the end of device is
 +     * valid.
 +     */
 +    return (block_num <= block_num + nb_blocks &&
 +            block_num + nb_blocks <= lu->qdev.max_lba + 1);
 +}
 +
 +static void ufs_scsi_emulate_write_data(SCSIRequest *req)
 +{
 +    UfsSCSIReq *r = DO_UPCAST(UfsSCSIReq, req, req);
 +
 +    if (r->iov.iov_len) {
 +        int buflen = r->iov.iov_len;
 +        trace_ufs_scsi_emulate_write_data(buflen);
 +        r->iov.iov_len = 0;
 +        scsi_req_data(&r->req, buflen);
 +        return;
 +    }
 +
 +    switch (req->cmd.buf[0]) {
 +    case MODE_SELECT_10:
 +        /* This also clears the sense buffer for REQUEST SENSE.  */
 +        ufs_scsi_emulate_mode_select(r, r->iov.iov_base);
 +        break;
 +    default:
 +        abort();
 +    }
 +}
 +
 +/* Return a pointer to the data buffer.  */
 +static uint8_t *ufs_scsi_get_buf(SCSIRequest *req)
 +{
 +    UfsSCSIReq *r = DO_UPCAST(UfsSCSIReq, req, req);
 +
 +    return (uint8_t *)r->iov.iov_base;
 +}
 +
 +static int32_t ufs_scsi_dma_command(SCSIRequest *req, uint8_t *buf)
 +{
 +    UfsSCSIReq *r = DO_UPCAST(UfsSCSIReq, req, req);
 +    UfsLu *lu = DO_UPCAST(UfsLu, qdev, req->dev);
 +    uint32_t len;
 +    uint8_t command;
 +
 +    command = buf[0];
 +
 +    if (!blk_is_available(lu->qdev.conf.blk)) {
 +        scsi_check_condition(r, SENSE_CODE(NO_MEDIUM));
 +        return 0;
 +    }
 +
 +    len = scsi_data_cdb_xfer(r->req.cmd.buf);
 +    switch (command) {
 +    case READ_6:
 +    case READ_10:
 +        trace_ufs_scsi_dma_command_READ(r->req.cmd.lba, len);
 +        if (r->req.cmd.buf[1] & 0xe0) {
 +            goto illegal_request;
 +        }
 +        if (!check_lba_range(lu, r->req.cmd.lba, len)) {
 +            goto illegal_lba;
 +        }
 +        r->sector = r->req.cmd.lba * (lu->qdev.blocksize / BDRV_SECTOR_SIZE);
 +        r->sector_count = len * (lu->qdev.blocksize / BDRV_SECTOR_SIZE);
 +        break;
 +    case WRITE_6:
 +    case WRITE_10:
 +        trace_ufs_scsi_dma_command_WRITE(r->req.cmd.lba, len);
 +        if (!blk_is_writable(lu->qdev.conf.blk)) {
 +            scsi_check_condition(r, SENSE_CODE(WRITE_PROTECTED));
 +            return 0;
 +        }
 +        if (r->req.cmd.buf[1] & 0xe0) {
 +            goto illegal_request;
 +        }
 +        if (!check_lba_range(lu, r->req.cmd.lba, len)) {
 +            goto illegal_lba;
 +        }
 +        r->sector = r->req.cmd.lba * (lu->qdev.blocksize / BDRV_SECTOR_SIZE);
 +        r->sector_count = len * (lu->qdev.blocksize / BDRV_SECTOR_SIZE);
 +        break;
 +    default:
 +        abort();
 +    illegal_request:
 +        scsi_check_condition(r, SENSE_CODE(INVALID_FIELD));
 +        return 0;
 +    illegal_lba:
 +        scsi_check_condition(r, SENSE_CODE(LBA_OUT_OF_RANGE));
 +        return 0;
 +    }
 +    r->need_fua_emulation = ((r->req.cmd.buf[1] & 8) != 0);
 +    if (r->sector_count == 0) {
 +        scsi_req_complete(&r->req, GOOD);
 +    }
 +    assert(r->iov.iov_len == 0);
 +    if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
 +        return -r->sector_count * BDRV_SECTOR_SIZE;
 +    } else {
 +        return r->sector_count * BDRV_SECTOR_SIZE;
 +    }
 +}
 +
 +static void scsi_write_do_fua(UfsSCSIReq *r)
 +{
 +    UfsLu *lu = DO_UPCAST(UfsLu, qdev, r->req.dev);
 +
 +    assert(r->req.aiocb == NULL);
 +    assert(!r->req.io_canceled);
 +
 +    if (r->need_fua_emulation) {
 +        block_acct_start(blk_get_stats(lu->qdev.conf.blk), &r->acct, 0,
 +                         BLOCK_ACCT_FLUSH);
 +        r->req.aiocb = blk_aio_flush(lu->qdev.conf.blk, scsi_aio_complete, r);
 +        return;
 +    }
 +
 +    scsi_req_complete(&r->req, GOOD);
 +    scsi_req_unref(&r->req);
 +}
 +
 +static void scsi_dma_complete_noio(UfsSCSIReq *r, int ret)
 +{
 +    assert(r->req.aiocb == NULL);
 +    if (ufs_scsi_req_check_error(r, ret, false)) {
 +        goto done;
 +    }
 +
 +    r->sector += r->sector_count;
 +    r->sector_count = 0;
 +    if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
 +        scsi_write_do_fua(r);
 +        return;
 +    } else {
 +        scsi_req_complete(&r->req, GOOD);
 +    }
 +
 +done:
 +    scsi_req_unref(&r->req);
 +}
 +
 +static void scsi_dma_complete(void *opaque, int ret)
 +{
 +    UfsSCSIReq *r = (UfsSCSIReq *)opaque;
 +    UfsLu *lu = DO_UPCAST(UfsLu, qdev, r->req.dev);
 +
 +    assert(r->req.aiocb != NULL);
 +    r->req.aiocb = NULL;
 +
 +    aio_context_acquire(blk_get_aio_context(lu->qdev.conf.blk));
 +    if (ret < 0) {
 +        block_acct_failed(blk_get_stats(lu->qdev.conf.blk), &r->acct);
 +    } else {
 +        block_acct_done(blk_get_stats(lu->qdev.conf.blk), &r->acct);
 +    }
 +    scsi_dma_complete_noio(r, ret);
 +    aio_context_release(blk_get_aio_context(lu->qdev.conf.blk));
 +}
 +
 +static BlockAIOCB *scsi_dma_readv(int64_t offset, QEMUIOVector *iov,
 +                                  BlockCompletionFunc *cb, void *cb_opaque,
 +                                  void *opaque)
 +{
 +    UfsSCSIReq *r = opaque;
 +    UfsLu *lu = DO_UPCAST(UfsLu, qdev, r->req.dev);
 +    return blk_aio_preadv(lu->qdev.conf.blk, offset, iov, 0, cb, cb_opaque);
 +}
 +
 +static void scsi_init_iovec(UfsSCSIReq *r, size_t size)
 +{
 +    UfsLu *lu = DO_UPCAST(UfsLu, qdev, r->req.dev);
 +
 +    if (!r->iov.iov_base) {
 +        r->buflen = size;
 +        r->iov.iov_base = blk_blockalign(lu->qdev.conf.blk, r->buflen);
 +    }
 +    r->iov.iov_len = MIN(r->sector_count * BDRV_SECTOR_SIZE, r->buflen);
 +    qemu_iovec_init_external(&r->qiov, &r->iov, 1);
 +}
 +
 +static void scsi_read_complete_noio(UfsSCSIReq *r, int ret)
 +{
 +    uint32_t n;
 +
 +    assert(r->req.aiocb == NULL);
 +    if (ufs_scsi_req_check_error(r, ret, false)) {
 +        goto done;
 +    }
 +
 +    n = r->qiov.size / BDRV_SECTOR_SIZE;
 +    r->sector += n;
 +    r->sector_count -= n;
 +    scsi_req_data(&r->req, r->qiov.size);
 +
 +done:
 +    scsi_req_unref(&r->req);
 +}
 +
 +static void scsi_read_complete(void *opaque, int ret)
 +{
 +    UfsSCSIReq *r = (UfsSCSIReq *)opaque;
 +    UfsLu *lu = DO_UPCAST(UfsLu, qdev, r->req.dev);
 +
 +    assert(r->req.aiocb != NULL);
 +    r->req.aiocb = NULL;
 +    trace_ufs_scsi_read_data_count(r->sector_count);
 +    aio_context_acquire(blk_get_aio_context(lu->qdev.conf.blk));
 +    if (ret < 0) {
 +        block_acct_failed(blk_get_stats(lu->qdev.conf.blk), &r->acct);
 +    } else {
 +        block_acct_done(blk_get_stats(lu->qdev.conf.blk), &r->acct);
 +        trace_ufs_scsi_read_complete(r->req.tag, r->qiov.size);
 +    }
 +    scsi_read_complete_noio(r, ret);
 +    aio_context_release(blk_get_aio_context(lu->qdev.conf.blk));
 +}
 +
 +/* Actually issue a read to the block device.  */
 +static void scsi_do_read(UfsSCSIReq *r, int ret)
 +{
 +    UfsLu *lu = DO_UPCAST(UfsLu, qdev, r->req.dev);
 +
 +    assert(r->req.aiocb == NULL);
 +    if (ufs_scsi_req_check_error(r, ret, false)) {
 +        goto done;
 +    }
 +
 +    /* The request is used as the AIO opaque value, so add a ref.  */
 +    scsi_req_ref(&r->req);
 +
 +    if (r->req.sg) {
 +        dma_acct_start(lu->qdev.conf.blk, &r->acct, r->req.sg, BLOCK_ACCT_READ);
 +        r->req.residual -= r->req.sg->size;
 +        r->req.aiocb = dma_blk_io(
 +            blk_get_aio_context(lu->qdev.conf.blk), r->req.sg,
 +            r->sector << BDRV_SECTOR_BITS, BDRV_SECTOR_SIZE, scsi_dma_readv, r,
 +            scsi_dma_complete, r, DMA_DIRECTION_FROM_DEVICE);
 +    } else {
 +        scsi_init_iovec(r, SCSI_DMA_BUF_SIZE);
 +        block_acct_start(blk_get_stats(lu->qdev.conf.blk), &r->acct,
 +                         r->qiov.size, BLOCK_ACCT_READ);
 +        r->req.aiocb = scsi_dma_readv(r->sector << BDRV_SECTOR_BITS, &r->qiov,
 +                                      scsi_read_complete, r, r);
 +    }
 +
 +done:
 +    scsi_req_unref(&r->req);
 +}
 +
 +static void scsi_do_read_cb(void *opaque, int ret)
 +{
 +    UfsSCSIReq *r = (UfsSCSIReq *)opaque;
 +    UfsLu *lu = DO_UPCAST(UfsLu, qdev, r->req.dev);
 +
 +    assert(r->req.aiocb != NULL);
 +    r->req.aiocb = NULL;
 +
 +    aio_context_acquire(blk_get_aio_context(lu->qdev.conf.blk));
 +    if (ret < 0) {
 +        block_acct_failed(blk_get_stats(lu->qdev.conf.blk), &r->acct);
 +    } else {
 +        block_acct_done(blk_get_stats(lu->qdev.conf.blk), &r->acct);
 +    }
 +    scsi_do_read(opaque, ret);
 +    aio_context_release(blk_get_aio_context(lu->qdev.conf.blk));
 +}
 +
 +/* Read more data from scsi device into buffer.  */
 +static void scsi_read_data(SCSIRequest *req)
 +{
 +    UfsSCSIReq *r = DO_UPCAST(UfsSCSIReq, req, req);
 +    UfsLu *lu = DO_UPCAST(UfsLu, qdev, r->req.dev);
 +    bool first;
 +
 +    trace_ufs_scsi_read_data_count(r->sector_count);
 +    if (r->sector_count == 0) {
 +        /* This also clears the sense buffer for REQUEST SENSE.  */
 +        scsi_req_complete(&r->req, GOOD);
 +        return;
 +    }
 +
 +    /* No data transfer may already be in progress */
 +    assert(r->req.aiocb == NULL);
 +
 +    /* The request is used as the AIO opaque value, so add a ref.  */
 +    scsi_req_ref(&r->req);
 +    if (r->req.cmd.mode == SCSI_XFER_TO_DEV) {
 +        trace_ufs_scsi_read_data_invalid();
 +        scsi_read_complete_noio(r, -EINVAL);
 +        return;
 +    }
 +
 +    if (!blk_is_available(req->dev->conf.blk)) {
 +        scsi_read_complete_noio(r, -ENOMEDIUM);
 +        return;
 +    }
 +
 +    first = !r->started;
 +    r->started = true;
 +    if (first && r->need_fua_emulation) {
 +        block_acct_start(blk_get_stats(lu->qdev.conf.blk), &r->acct, 0,
 +                         BLOCK_ACCT_FLUSH);
 +        r->req.aiocb = blk_aio_flush(lu->qdev.conf.blk, scsi_do_read_cb, r);
 +    } else {
 +        scsi_do_read(r, 0);
 +    }
 +}
 +
 +static void scsi_write_complete_noio(UfsSCSIReq *r, int ret)
 +{
 +    uint32_t n;
 +
 +    assert(r->req.aiocb == NULL);
 +    if (ufs_scsi_req_check_error(r, ret, false)) {
 +        goto done;
 +    }
 +
 +    n = r->qiov.size / BDRV_SECTOR_SIZE;
 +    r->sector += n;
 +    r->sector_count -= n;
 +    if (r->sector_count == 0) {
 +        scsi_write_do_fua(r);
 +        return;
 +    } else {
 +        scsi_init_iovec(r, SCSI_DMA_BUF_SIZE);
 +        trace_ufs_scsi_write_complete_noio(r->req.tag, r->qiov.size);
 +        scsi_req_data(&r->req, r->qiov.size);
 +    }
 +
 +done:
 +    scsi_req_unref(&r->req);
 +}
 +
 +static void scsi_write_complete(void *opaque, int ret)
 +{
 +    UfsSCSIReq *r = (UfsSCSIReq *)opaque;
 +    UfsLu *lu = DO_UPCAST(UfsLu, qdev, r->req.dev);
 +
 +    assert(r->req.aiocb != NULL);
 +    r->req.aiocb = NULL;
 +
 +    aio_context_acquire(blk_get_aio_context(lu->qdev.conf.blk));
 +    if (ret < 0) {
 +        block_acct_failed(blk_get_stats(lu->qdev.conf.blk), &r->acct);
 +    } else {
 +        block_acct_done(blk_get_stats(lu->qdev.conf.blk), &r->acct);
 +    }
 +    scsi_write_complete_noio(r, ret);
 +    aio_context_release(blk_get_aio_context(lu->qdev.conf.blk));
 +}
 +
 +static BlockAIOCB *scsi_dma_writev(int64_t offset, QEMUIOVector *iov,
 +                                   BlockCompletionFunc *cb, void *cb_opaque,
 +                                   void *opaque)
 +{
 +    UfsSCSIReq *r = opaque;
 +    UfsLu *lu = DO_UPCAST(UfsLu, qdev, r->req.dev);
 +    return blk_aio_pwritev(lu->qdev.conf.blk, offset, iov, 0, cb, cb_opaque);
 +}
 +
 +static void scsi_write_data(SCSIRequest *req)
 +{
 +    UfsSCSIReq *r = DO_UPCAST(UfsSCSIReq, req, req);
 +    UfsLu *lu = DO_UPCAST(UfsLu, qdev, r->req.dev);
 +
 +    /* No data transfer may already be in progress */
 +    assert(r->req.aiocb == NULL);
 +
 +    /* The request is used as the AIO opaque value, so add a ref.  */
 +    scsi_req_ref(&r->req);
 +    if (r->req.cmd.mode != SCSI_XFER_TO_DEV) {
 +        trace_ufs_scsi_write_data_invalid();
 +        scsi_write_complete_noio(r, -EINVAL);
 +        return;
 +    }
 +
 +    if (!r->req.sg && !r->qiov.size) {
 +        /* Called for the first time.  Ask the driver to send us more data.  */
 +        r->started = true;
 +        scsi_write_complete_noio(r, 0);
 +        return;
 +    }
 +    if (!blk_is_available(req->dev->conf.blk)) {
 +        scsi_write_complete_noio(r, -ENOMEDIUM);
 +        return;
 +    }
 +
 +    if (r->req.sg) {
 +        dma_acct_start(lu->qdev.conf.blk, &r->acct, r->req.sg,
 +                       BLOCK_ACCT_WRITE);
 +        r->req.residual -= r->req.sg->size;
 +        r->req.aiocb = dma_blk_io(
 +            blk_get_aio_context(lu->qdev.conf.blk), r->req.sg,
 +            r->sector << BDRV_SECTOR_BITS, BDRV_SECTOR_SIZE, scsi_dma_writev, r,
 +            scsi_dma_complete, r, DMA_DIRECTION_TO_DEVICE);
 +    } else {
 +        block_acct_start(blk_get_stats(lu->qdev.conf.blk), &r->acct,
 +                         r->qiov.size, BLOCK_ACCT_WRITE);
 +        r->req.aiocb = scsi_dma_writev(r->sector << BDRV_SECTOR_BITS, &r->qiov,
 +                                       scsi_write_complete, r, r);
 +    }
 +}
 +
 +static const SCSIReqOps ufs_scsi_emulate_reqops = {
 +    .size = sizeof(UfsSCSIReq),
 +    .free_req = ufs_scsi_free_request,
 +    .send_command = ufs_scsi_emulate_command,
 +    .read_data = ufs_scsi_emulate_read_data,
 +    .write_data = ufs_scsi_emulate_write_data,
 +    .get_buf = ufs_scsi_get_buf,
 +};
 +
-+bool vhost_user_server_start(VuServer *server,
++static const SCSIReqOps ufs_scsi_dma_reqops = {
-+                             SocketAddress *unix_socket,
++    .size = sizeof(UfsSCSIReq),
-+                             AioContext *ctx,
++    .free_req = ufs_scsi_free_request,
-+                             uint16_t max_queues,
++    .send_command = ufs_scsi_dma_command,
-+                             DevicePanicNotifierFn *device_panic_notifier,
++    .read_data = scsi_read_data,
-+                             const VuDevIface *vu_iface,
++    .write_data = scsi_write_data,
-+                             Error **errp);
++    .get_buf = ufs_scsi_get_buf,
-+
++};
-+void vhost_user_server_stop(VuServer *server);
++
-+
++/*
-+void vhost_user_server_set_aio_context(VuServer *server, AioContext *ctx);
++ * Following commands are not yet supported
-+
++ * PRE_FETCH(10),
-+#endif /* VHOST_USER_SERVER_H */
++ * UNMAP,
-diff --git a/util/vhost-user-server.c b/util/vhost-user-server.c
++ * WRITE_BUFFER, READ_BUFFER,
-new file mode 100644
++ * SECURITY_PROTOCOL_IN, SECURITY_PROTOCOL_OUT
-index XXXXXXX..XXXXXXX
++ */
---- /dev/null
++static const SCSIReqOps *const ufs_scsi_reqops_dispatch[256] = {
-+++ b/util/vhost-user-server.c
++    [TEST_UNIT_READY] = &ufs_scsi_emulate_reqops,
 +    [INQUIRY] = &ufs_scsi_emulate_reqops,
 +    [MODE_SENSE_10] = &ufs_scsi_emulate_reqops,
 +    [START_STOP] = &ufs_scsi_emulate_reqops,
 +    [READ_CAPACITY_10] = &ufs_scsi_emulate_reqops,
 +    [REQUEST_SENSE] = &ufs_scsi_emulate_reqops,
 +    [SYNCHRONIZE_CACHE] = &ufs_scsi_emulate_reqops,
 +    [MODE_SELECT_10] = &ufs_scsi_emulate_reqops,
 +    [VERIFY_10] = &ufs_scsi_emulate_reqops,
 +    [FORMAT_UNIT] = &ufs_scsi_emulate_reqops,
 +    [SERVICE_ACTION_IN_16] = &ufs_scsi_emulate_reqops,
 +    [SEND_DIAGNOSTIC] = &ufs_scsi_emulate_reqops,
 +
 +    [READ_6] = &ufs_scsi_dma_reqops,
 +    [READ_10] = &ufs_scsi_dma_reqops,
 +    [WRITE_6] = &ufs_scsi_dma_reqops,
 +    [WRITE_10] = &ufs_scsi_dma_reqops,
 +};
 +
 +static SCSIRequest *scsi_new_request(SCSIDevice *dev, uint32_t tag,
 +                                     uint32_t lun, uint8_t *buf,
 +                                     void *hba_private)
 +{
 +    UfsLu *lu = DO_UPCAST(UfsLu, qdev, dev);
 +    SCSIRequest *req;
 +    const SCSIReqOps *ops;
 +    uint8_t command;
 +
 +    command = buf[0];
 +    ops = ufs_scsi_reqops_dispatch[command];
 +    if (!ops) {
 +        ops = &ufs_scsi_emulate_reqops;
 +    }
 +    req = scsi_req_alloc(ops, &lu->qdev, tag, lun, hba_private);
 +
 +    return req;
 +}
 +
 +static Property ufs_lu_props[] = {
 +    DEFINE_PROP_DRIVE("drive", UfsLu, qdev.conf.blk),
 +    DEFINE_PROP_END_OF_LIST(),
 +};
 +
 +static bool ufs_lu_brdv_init(UfsLu *lu, Error **errp)
 +{
 +    SCSIDevice *dev = &lu->qdev;
 +    bool read_only;
 +
 +    if (!lu->qdev.conf.blk) {
 +        error_setg(errp, "drive property not set");
 +        return false;
 +    }
 +
 +    if (!blkconf_blocksizes(&lu->qdev.conf, errp)) {
 +        return false;
 +    }
 +
 +    if (blk_get_aio_context(lu->qdev.conf.blk) != qemu_get_aio_context() &&
 +        !lu->qdev.hba_supports_iothread) {
 +        error_setg(errp, "HBA does not support iothreads");
 +        return false;
 +    }
 +
 +    read_only = !blk_supports_write_perm(lu->qdev.conf.blk);
 +
 +    if (!blkconf_apply_backend_options(&dev->conf, read_only,
 +                                       dev->type == TYPE_DISK, errp)) {
 +        return false;
 +    }
 +
 +    if (blk_is_sg(lu->qdev.conf.blk)) {
 +        error_setg(errp, "unwanted /dev/sg*");
 +        return false;
 +    }
 +
 +    blk_iostatus_enable(lu->qdev.conf.blk);
 +    return true;
 +}
 +
 +static bool ufs_add_lu(UfsHc *u, UfsLu *lu, Error **errp)
 +{
 +    BlockBackend *blk = lu->qdev.conf.blk;
 +    int64_t brdv_len = blk_getlength(blk);
 +    uint64_t raw_dev_cap =
 +        be64_to_cpu(u->geometry_desc.total_raw_device_capacity);
 +
 +    if (u->device_desc.number_lu >= UFS_MAX_LUS) {
 +        error_setg(errp, "ufs host controller has too many logical units.");
 +        return false;
 +    }
 +
 +    if (u->lus[lu->lun] != NULL) {
 +        error_setg(errp, "ufs logical unit %d already exists.", lu->lun);
 +        return false;
 +    }
 +
 +    u->lus[lu->lun] = lu;
 +    u->device_desc.number_lu++;
 +    raw_dev_cap += (brdv_len >> UFS_GEOMETRY_CAPACITY_SHIFT);
 +    u->geometry_desc.total_raw_device_capacity = cpu_to_be64(raw_dev_cap);
 +    return true;
 +}
 +
 +static inline uint8_t ufs_log2(uint64_t input)
 +{
 +    int log = 0;
 +    while (input >>= 1) {
 +        log++;
 +    }
 +    return log;
 +}
 +
 +static void ufs_init_lu(UfsLu *lu)
 +{
 +    BlockBackend *blk = lu->qdev.conf.blk;
 +    int64_t brdv_len = blk_getlength(blk);
 +
 +    lu->lun = lu->qdev.lun;
 +    memset(&lu->unit_desc, 0, sizeof(lu->unit_desc));
 +    lu->unit_desc.length = sizeof(UnitDescriptor);
 +    lu->unit_desc.descriptor_idn = QUERY_DESC_IDN_UNIT;
 +    lu->unit_desc.lu_enable = 0x01;
 +    lu->unit_desc.logical_block_size = ufs_log2(lu->qdev.blocksize);
 +    lu->unit_desc.unit_index = lu->qdev.lun;
 +    lu->unit_desc.logical_block_count =
 +        cpu_to_be64(brdv_len / (1 << lu->unit_desc.logical_block_size));
 +}
 +
 +static bool ufs_lu_check_constraints(UfsLu *lu, Error **errp)
 +{
 +    if (!lu->qdev.conf.blk) {
 +        error_setg(errp, "drive property not set");
 +        return false;
 +    }
 +
 +    if (lu->qdev.channel != 0) {
 +        error_setg(errp, "ufs logical unit does not support channel");
 +        return false;
 +    }
 +
 +    if (lu->qdev.lun >= UFS_MAX_LUS) {
 +        error_setg(errp, "lun must be between 1 and %d", UFS_MAX_LUS - 1);
 +        return false;
 +    }
 +
 +    return true;
 +}
 +
 +static void ufs_lu_realize(SCSIDevice *dev, Error **errp)
 +{
 +    UfsLu *lu = DO_UPCAST(UfsLu, qdev, dev);
 +    BusState *s = qdev_get_parent_bus(&dev->qdev);
 +    UfsHc *u = UFS(s->parent);
 +    AioContext *ctx = NULL;
 +    uint64_t nb_sectors, nb_blocks;
 +
 +    if (!ufs_lu_check_constraints(lu, errp)) {
 +        return;
 +    }
 +
 +    if (lu->qdev.conf.blk) {
 +        ctx = blk_get_aio_context(lu->qdev.conf.blk);
 +        aio_context_acquire(ctx);
 +        if (!blkconf_blocksizes(&lu->qdev.conf, errp)) {
 +            goto out;
 +        }
 +    }
 +    lu->qdev.blocksize = UFS_BLOCK_SIZE;
 +    blk_get_geometry(lu->qdev.conf.blk, &nb_sectors);
 +    nb_blocks = nb_sectors / (lu->qdev.blocksize / BDRV_SECTOR_SIZE);
 +    if (nb_blocks > UINT32_MAX) {
 +        nb_blocks = UINT32_MAX;
 +    }
 +    lu->qdev.max_lba = nb_blocks;
 +    lu->qdev.type = TYPE_DISK;
 +
 +    ufs_init_lu(lu);
 +    if (!ufs_add_lu(u, lu, errp)) {
 +        goto out;
 +    }
 +
 +    ufs_lu_brdv_init(lu, errp);
 +out:
 +    if (ctx) {
 +        aio_context_release(ctx);
 +    }
 +}
 +
 +static void ufs_lu_unrealize(SCSIDevice *dev)
 +{
 +    UfsLu *lu = DO_UPCAST(UfsLu, qdev, dev);
 +
 +    blk_drain(lu->qdev.conf.blk);
 +}
 +
 +static void ufs_wlu_realize(DeviceState *qdev, Error **errp)
 +{
 +    UfsWLu *wlu = UFSWLU(qdev);
 +    SCSIDevice *dev = &wlu->qdev;
 +
 +    if (!is_wlun(dev->lun)) {
 +        error_setg(errp, "not well-known logical unit number");
 +        return;
 +    }
 +
 +    QTAILQ_INIT(&dev->requests);
 +}
 +
 +static void ufs_lu_class_init(ObjectClass *oc, void *data)
 +{
 +    DeviceClass *dc = DEVICE_CLASS(oc);
 +    SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(oc);
 +
 +    sc->realize = ufs_lu_realize;
 +    sc->unrealize = ufs_lu_unrealize;
 +    sc->alloc_req = scsi_new_request;
 +    dc->bus_type = TYPE_UFS_BUS;
 +    device_class_set_props(dc, ufs_lu_props);
 +    dc->desc = "Virtual UFS logical unit";
 +}
 +
 +static void ufs_wlu_class_init(ObjectClass *oc, void *data)
 +{
 +    DeviceClass *dc = DEVICE_CLASS(oc);
 +    SCSIDeviceClass *sc = SCSI_DEVICE_CLASS(oc);
 +
 +    /*
 +     * The realize() function of TYPE_SCSI_DEVICE causes a segmentation fault
 +     * if a block drive does not exist. Define a new realize function for
 +     * well-known LUs that do not have a block drive.
 +     */
 +    dc->realize = ufs_wlu_realize;
 +    sc->alloc_req = scsi_new_request;
 +    dc->bus_type = TYPE_UFS_BUS;
 +    dc->desc = "Virtual UFS well-known logical unit";
 +}
 +
 +static const TypeInfo ufs_lu_info = {
 +    .name = TYPE_UFS_LU,
 +    .parent = TYPE_SCSI_DEVICE,
 +    .class_init = ufs_lu_class_init,
 +    .instance_size = sizeof(UfsLu),
 +};
 +
 +static const TypeInfo ufs_wlu_info = {
 +    .name = TYPE_UFS_WLU,
 +    .parent = TYPE_SCSI_DEVICE,
 +    .class_init = ufs_wlu_class_init,
 +    .instance_size = sizeof(UfsWLu),
 +};
 +
 +static void ufs_lu_register_types(void)
 +{
 +    type_register_static(&ufs_lu_info);
 +    type_register_static(&ufs_wlu_info);
 +}
 +
 +type_init(ufs_lu_register_types)
 diff --git a/hw/ufs/ufs.c b/hw/ufs/ufs.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/ufs/ufs.c
 +++ b/hw/ufs/ufs.c
 @@ -XXX,XX +XXX,XX @@
-+/*
+  * SPDX-License-Identifier: GPL-2.0-or-later
-+ * Sharing QEMU devices via vhost-user protocol
+  */
 +/**
 + * Reference Specs: https://www.jedec.org/, 3.1
 + *
-+ * Copyright (c) Coiby Xu <coiby.xu@gmail.com>.
++ * Usage
-+ * Copyright (c) 2020 Red Hat, Inc.
++ * -----
 + *
-+ * This work is licensed under the terms of the GNU GPL, version 2 or
++ * Add options:
-+ * later.  See the COPYING file in the top-level directory.
++ *      -drive file=<file>,if=none,id=<drive_id>
 + *      -device ufs,serial=<serial>,id=<bus_name>, \
 + *              nutrs=<N[optional]>,nutmrs=<N[optional]>
 + *      -device ufs-lu,drive=<drive_id>,bus=<bus_name>
 + */
-+#include "qemu/osdep.h"
++
-+#include "qemu/main-loop.h"
+ #include "qemu/osdep.h"
-+#include "vhost-user-server.h"
+ #include "qapi/error.h"
-+
+ #include "migration/vmstate.h"
-+static void vmsg_close_fds(VhostUserMsg *vmsg)
+@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps ufs_mmio_ops = {
-+{
+     },
-+    int i;
+ };
-+    for (i = 0; i < vmsg->fd_num; i++) {
-+        close(vmsg->fds[i]);
++static QEMUSGList *ufs_get_sg_list(SCSIRequest *scsi_req)
-+    }
++{
-+}
++    UfsRequest *req = scsi_req->hba_private;
-+
++    return req->sg;
-+static void vmsg_unblock_fds(VhostUserMsg *vmsg)
++}
-+{
++
-+    int i;
++static void ufs_build_upiu_sense_data(UfsRequest *req, SCSIRequest *scsi_req)
-+    for (i = 0; i < vmsg->fd_num; i++) {
++{
-+        qemu_set_nonblock(vmsg->fds[i]);
++    req->rsp_upiu.sr.sense_data_len = cpu_to_be16(scsi_req->sense_len);
-+    }
++    assert(scsi_req->sense_len <= SCSI_SENSE_LEN);
-+}
++    memcpy(req->rsp_upiu.sr.sense_data, scsi_req->sense, scsi_req->sense_len);
-+
++}
-+static void vu_accept(QIONetListener *listener, QIOChannelSocket *sioc,
++
-+                      gpointer opaque);
+ static void ufs_build_upiu_header(UfsRequest *req, uint8_t trans_type,
-+
+                                   uint8_t flags, uint8_t response,
-+static void close_client(VuServer *server)
+                                   uint8_t scsi_status,
-+{
+@@ -XXX,XX +XXX,XX @@ static void ufs_build_upiu_header(UfsRequest *req, uint8_t trans_type,
      req->rsp_upiu.header.data_segment_length = cpu_to_be16(data_segment_length);
  }
 +static void ufs_scsi_command_complete(SCSIRequest *scsi_req, size_t resid)
 +{
 +    UfsRequest *req = scsi_req->hba_private;
 +    int16_t status = scsi_req->status;
 +    uint32_t expected_len = be32_to_cpu(req->req_upiu.sc.exp_data_transfer_len);
 +    uint32_t transfered_len = scsi_req->cmd.xfer - resid;
 +    uint8_t flags = 0, response = COMMAND_RESULT_SUCESS;
 +    uint16_t data_segment_length;
 +
 +    if (expected_len > transfered_len) {
 +        req->rsp_upiu.sr.residual_transfer_count =
 +            cpu_to_be32(expected_len - transfered_len);
 +        flags |= UFS_UPIU_FLAG_UNDERFLOW;
 +    } else if (expected_len < transfered_len) {
 +        req->rsp_upiu.sr.residual_transfer_count =
 +            cpu_to_be32(transfered_len - expected_len);
 +        flags |= UFS_UPIU_FLAG_OVERFLOW;
 +    }
 +
 +    if (status != 0) {
 +        ufs_build_upiu_sense_data(req, scsi_req);
 +        response = COMMAND_RESULT_FAIL;
 +    }
 +
 +    data_segment_length = cpu_to_be16(scsi_req->sense_len +
 +                                      sizeof(req->rsp_upiu.sr.sense_data_len));
 +    ufs_build_upiu_header(req, UPIU_TRANSACTION_RESPONSE, flags, response,
 +                          status, data_segment_length);
 +
 +    ufs_complete_req(req, UFS_REQUEST_SUCCESS);
 +
 +    scsi_req->hba_private = NULL;
 +    scsi_req_unref(scsi_req);
 +}
 +
 +static const struct SCSIBusInfo ufs_scsi_info = {
 +    .tcq = true,
 +    .max_target = 0,
 +    .max_lun = UFS_MAX_LUS,
 +    .max_channel = 0,
 +
 +    .get_sg_list = ufs_get_sg_list,
 +    .complete = ufs_scsi_command_complete,
 +};
 +
 +static UfsReqResult ufs_exec_scsi_cmd(UfsRequest *req)
 +{
 +    UfsHc *u = req->hc;
 +    uint8_t lun = req->req_upiu.header.lun;
 +    uint8_t task_tag = req->req_upiu.header.task_tag;
 +    SCSIDevice *dev = NULL;
 +
 +    trace_ufs_exec_scsi_cmd(req->slot, lun, req->req_upiu.sc.cdb[0]);
 +
 +    if (!is_wlun(lun)) {
 +        if (lun >= u->device_desc.number_lu) {
 +            trace_ufs_err_scsi_cmd_invalid_lun(lun);
 +            return UFS_REQUEST_FAIL;
 +        } else if (u->lus[lun] == NULL) {
 +            trace_ufs_err_scsi_cmd_invalid_lun(lun);
 +            return UFS_REQUEST_FAIL;
 +        }
 +    }
 +
 +    switch (lun) {
 +    case UFS_UPIU_REPORT_LUNS_WLUN:
 +        dev = &u->report_wlu->qdev;
 +        break;
 +    case UFS_UPIU_UFS_DEVICE_WLUN:
 +        dev = &u->dev_wlu->qdev;
 +        break;
 +    case UFS_UPIU_BOOT_WLUN:
 +        dev = &u->boot_wlu->qdev;
 +        break;
 +    case UFS_UPIU_RPMB_WLUN:
 +        dev = &u->rpmb_wlu->qdev;
 +        break;
 +    default:
 +        dev = &u->lus[lun]->qdev;
 +    }
 +
 +    SCSIRequest *scsi_req = scsi_req_new(
 +        dev, task_tag, lun, req->req_upiu.sc.cdb, UFS_CDB_SIZE, req);
 +
 +    uint32_t len = scsi_req_enqueue(scsi_req);
 +    if (len) {
 +        scsi_req_continue(scsi_req);
 +    }
 +
 +    return UFS_REQUEST_NO_COMPLETE;
 +}
 +
  static UfsReqResult ufs_exec_nop_cmd(UfsRequest *req)
  {
      trace_ufs_exec_nop_cmd(req->slot);
@@ -XXX,XX +XXX,XX @@ static const RpmbUnitDescriptor rpmb_unit_desc = {
  static QueryRespCode ufs_read_unit_desc(UfsRequest *req)
  {
 +    UfsHc *u = req->hc;
      uint8_t lun = req->req_upiu.qr.index;
 -    if (lun != UFS_UPIU_RPMB_WLUN && lun > UFS_MAX_LUS) {
 +    if (lun != UFS_UPIU_RPMB_WLUN &&
 +        (lun > UFS_MAX_LUS || u->lus[lun] == NULL)) {
          trace_ufs_err_query_invalid_index(req->req_upiu.qr.opcode, lun);
          return QUERY_RESULT_INVALID_INDEX;
      }
@@ -XXX,XX +XXX,XX @@ static QueryRespCode ufs_read_unit_desc(UfsRequest *req)
      if (lun == UFS_UPIU_RPMB_WLUN) {
          memcpy(&req->rsp_upiu.qr.data, &rpmb_unit_desc, rpmb_unit_desc.length);
      } else {
 -        /* unit descriptor is not yet supported */
 -        return QUERY_RESULT_INVALID_INDEX;
 +        memcpy(&req->rsp_upiu.qr.data, &u->lus[lun]->unit_desc,
 +               sizeof(u->lus[lun]->unit_desc));
      }
      return QUERY_RESULT_SUCCESS;
@@ -XXX,XX +XXX,XX @@ static void ufs_exec_req(UfsRequest *req)
          req_result = ufs_exec_nop_cmd(req);
          break;
      case UPIU_TRANSACTION_COMMAND:
 -        /* Not yet implemented */
 -        req_result = UFS_REQUEST_FAIL;
 +        req_result = ufs_exec_scsi_cmd(req);
          break;
      case UPIU_TRANSACTION_QUERY_REQ:
          req_result = ufs_exec_query_cmd(req);
@@ -XXX,XX +XXX,XX @@ static void ufs_exec_req(UfsRequest *req)
          req_result = UFS_REQUEST_FAIL;
      }
 -    ufs_complete_req(req, req_result);
 +    /*
-+     * Before closing the client
++     * The ufs_complete_req for scsi commands is handled by the
-+     *
++     * ufs_scsi_command_complete() callback function. Therefore, to avoid
-+     * 1. Let vu_client_trip stop processing new vhost-user msg
++     * duplicate processing, ufs_complete_req() is not called for scsi commands.
 +     *
 +     * 2. remove kick_handler
 +     *
 +     * 3. wait for the kick handler to be finished
 +     *
 +     * 4. wait for the current vhost-user msg to be finished processing
 +     */
-+
++    if (req_result != UFS_REQUEST_NO_COMPLETE) {
-+    QIOChannelSocket *sioc = server->sioc;
++        ufs_complete_req(req, req_result);
-+    /* When this is set vu_client_trip will stop new processing vhost-user message */
++    }
-+    server->sioc = NULL;
+ }
-+
-+    VuFdWatch *vu_fd_watch, *next;
+ static void ufs_process_req(void *opaque)
-+    QTAILQ_FOREACH_SAFE(vu_fd_watch, &server->vu_fd_watches, next, next) {
+@@ -XXX,XX +XXX,XX @@ static void ufs_init_hc(UfsHc *u)
-+        aio_set_fd_handler(server->ioc->ctx, vu_fd_watch->fd, true, NULL,
+     u->flags.permanently_disable_fw_update = 1;
-+                           NULL, NULL, NULL);
+ }
-+    }
-+
++static bool ufs_init_wlu(UfsHc *u, UfsWLu **wlu, uint8_t wlun, Error **errp)
-+    while (!QTAILQ_EMPTY(&server->vu_fd_watches)) {
++{
-+        QTAILQ_FOREACH_SAFE(vu_fd_watch, &server->vu_fd_watches, next, next) {
++    UfsWLu *new_wlu = UFSWLU(qdev_new(TYPE_UFS_WLU));
-+            if (!vu_fd_watch->processing) {
++
-+                QTAILQ_REMOVE(&server->vu_fd_watches, vu_fd_watch, next);
++    qdev_prop_set_uint32(DEVICE(new_wlu), "lun", wlun);
 +                g_free(vu_fd_watch);
 +            }
 +        }
 +    }
 +
 +    while (server->processing_msg) {
 +        if (server->ioc->read_coroutine) {
 +            server->ioc->read_coroutine = NULL;
 +            qio_channel_set_aio_fd_handler(server->ioc, server->ioc->ctx, NULL,
 +                                           NULL, server->ioc);
 +            server->processing_msg = false;
 +        }
 +    }
 +
 +    vu_deinit(&server->vu_dev);
 +    object_unref(OBJECT(sioc));
 +    object_unref(OBJECT(server->ioc));
 +}
 +
 +static void panic_cb(VuDev *vu_dev, const char *buf)
 +{
 +    VuServer *server = container_of(vu_dev, VuServer, vu_dev);
 +
 +    /* avoid while loop in close_client */
 +    server->processing_msg = false;
 +
 +    if (buf) {
 +        error_report("vu_panic: %s", buf);
 +    }
 +
 +    if (server->sioc) {
 +        close_client(server);
 +    }
 +
 +    if (server->device_panic_notifier) {
 +        server->device_panic_notifier(server);
 +    }
 +
 +    /*
-+     * Set the callback function for network listener so another
++     * The well-known lu shares the same bus as the normal lu. If the well-known
-+     * vhost-user client can connect to this server
++     * lu writes the same channel value as the normal lu, the report will be
 +     * made not only for the normal lu but also for the well-known lu at
 +     * REPORT_LUN time. To prevent this, the channel value of normal lu is fixed
 +     * to 0 and the channel value of well-known lu is fixed to 1.
 +     */
-+    qio_net_listener_set_client_func(server->listener,
++    qdev_prop_set_uint32(DEVICE(new_wlu), "channel", 1);
-+                                     vu_accept,
++    if (!qdev_realize_and_unref(DEVICE(new_wlu), BUS(&u->bus), errp)) {
-+                                     server,
++        return false;
-+                                     NULL);
++    }
-+}
++
-+
++    *wlu = new_wlu;
 +static bool coroutine_fn
 +vu_message_read(VuDev *vu_dev, int conn_fd, VhostUserMsg *vmsg)
 +{
 +    struct iovec iov = {
 +        .iov_base = (char *)vmsg,
 +        .iov_len = VHOST_USER_HDR_SIZE,
 +    };
 +    int rc, read_bytes = 0;
 +    Error *local_err = NULL;
 +    /*
 +     * Store fds/nfds returned from qio_channel_readv_full into
 +     * temporary variables.
 +     *
 +     * VhostUserMsg is a packed structure, gcc will complain about passing
 +     * pointer to a packed structure member if we pass &VhostUserMsg.fd_num
 +     * and &VhostUserMsg.fds directly when calling qio_channel_readv_full,
 +     * thus two temporary variables nfds and fds are used here.
 +     */
 +    size_t nfds = 0, nfds_t = 0;
 +    const size_t max_fds = G_N_ELEMENTS(vmsg->fds);
 +    int *fds_t = NULL;
 +    VuServer *server = container_of(vu_dev, VuServer, vu_dev);
 +    QIOChannel *ioc = server->ioc;
 +
 +    if (!ioc) {
 +        error_report_err(local_err);
 +        goto fail;
 +    }
 +
 +    assert(qemu_in_coroutine());
 +    do {
 +        /*
 +         * qio_channel_readv_full may have short reads, keeping calling it
 +         * until getting VHOST_USER_HDR_SIZE or 0 bytes in total
 +         */
 +        rc = qio_channel_readv_full(ioc, &iov, 1, &fds_t, &nfds_t, &local_err);
 +        if (rc < 0) {
 +            if (rc == QIO_CHANNEL_ERR_BLOCK) {
 +                qio_channel_yield(ioc, G_IO_IN);
 +                continue;
 +            } else {
 +                error_report_err(local_err);
 +                return false;
 +            }
 +        }
 +        read_bytes += rc;
 +        if (nfds_t > 0) {
 +            if (nfds + nfds_t > max_fds) {
 +                error_report("A maximum of %zu fds are allowed, "
 +                             "however got %zu fds now",
 +                             max_fds, nfds + nfds_t);
 +                goto fail;
 +            }
 +            memcpy(vmsg->fds + nfds, fds_t,
 +                   nfds_t *sizeof(vmsg->fds[0]));
 +            nfds += nfds_t;
 +            g_free(fds_t);
 +        }
 +        if (read_bytes == VHOST_USER_HDR_SIZE || rc == 0) {
 +            break;
 +        }
 +        iov.iov_base = (char *)vmsg + read_bytes;
 +        iov.iov_len = VHOST_USER_HDR_SIZE - read_bytes;
 +    } while (true);
 +
 +    vmsg->fd_num = nfds;
 +    /* qio_channel_readv_full will make socket fds blocking, unblock them */
 +    vmsg_unblock_fds(vmsg);
 +    if (vmsg->size > sizeof(vmsg->payload)) {
 +        error_report("Error: too big message request: %d, "
 +                     "size: vmsg->size: %u, "
 +                     "while sizeof(vmsg->payload) = %zu",
 +                     vmsg->request, vmsg->size, sizeof(vmsg->payload));
 +        goto fail;
 +    }
 +
 +    struct iovec iov_payload = {
 +        .iov_base = (char *)&vmsg->payload,
 +        .iov_len = vmsg->size,
 +    };
 +    if (vmsg->size) {
 +        rc = qio_channel_readv_all_eof(ioc, &iov_payload, 1, &local_err);
 +        if (rc == -1) {
 +            error_report_err(local_err);
 +            goto fail;
 +        }
 +    }
 +
 +    return true;
-+
++}
-+fail:
++
-+    vmsg_close_fds(vmsg);
+ static void ufs_realize(PCIDevice *pci_dev, Error **errp)
-+
+ {
-+    return false;
+     UfsHc *u = UFS(pci_dev);
-+}
+@@ -XXX,XX +XXX,XX @@ static void ufs_realize(PCIDevice *pci_dev, Error **errp)
-+
+         return;
-+
+     }
-+static void vu_client_start(VuServer *server);
-+static coroutine_fn void vu_client_trip(void *opaque)
++    qbus_init(&u->bus, sizeof(UfsBus), TYPE_UFS_BUS, &pci_dev->qdev,
-+{
++              u->parent_obj.qdev.id);
-+    VuServer *server = opaque;
++    u->bus.parent_bus.info = &ufs_scsi_info;
 +
-+    while (!server->aio_context_changed && server->sioc) {
+     ufs_init_state(u);
-+        server->processing_msg = true;
+     ufs_init_hc(u);
-+        vu_dispatch(&server->vu_dev);
+     ufs_init_pci(u, pci_dev);
-+        server->processing_msg = false;
++
-+    }
++    if (!ufs_init_wlu(u, &u->report_wlu, UFS_UPIU_REPORT_LUNS_WLUN, errp)) {
 +
 +    if (server->aio_context_changed && server->sioc) {
 +        server->aio_context_changed = false;
 +        vu_client_start(server);
 +    }
 +}
 +
 +static void vu_client_start(VuServer *server)
 +{
 +    server->co_trip = qemu_coroutine_create(vu_client_trip, server);
 +    aio_co_enter(server->ctx, server->co_trip);
 +}
 +
 +/*
 + * a wrapper for vu_kick_cb
 + *
 + * since aio_dispatch can only pass one user data pointer to the
 + * callback function, pack VuDev and pvt into a struct. Then unpack it
 + * and pass them to vu_kick_cb
 + */
 +static void kick_handler(void *opaque)
 +{
 +    VuFdWatch *vu_fd_watch = opaque;
 +    vu_fd_watch->processing = true;
 +    vu_fd_watch->cb(vu_fd_watch->vu_dev, 0, vu_fd_watch->pvt);
 +    vu_fd_watch->processing = false;
 +}
 +
 +
 +static VuFdWatch *find_vu_fd_watch(VuServer *server, int fd)
 +{
 +
 +    VuFdWatch *vu_fd_watch, *next;
 +    QTAILQ_FOREACH_SAFE(vu_fd_watch, &server->vu_fd_watches, next, next) {
 +        if (vu_fd_watch->fd == fd) {
 +            return vu_fd_watch;
 +        }
 +    }
 +    return NULL;
 +}
 +
 +static void
 +set_watch(VuDev *vu_dev, int fd, int vu_evt,
 +          vu_watch_cb cb, void *pvt)
 +{
 +
 +    VuServer *server = container_of(vu_dev, VuServer, vu_dev);
 +    g_assert(vu_dev);
 +    g_assert(fd >= 0);
 +    g_assert(cb);
 +
 +    VuFdWatch *vu_fd_watch = find_vu_fd_watch(server, fd);
 +
 +    if (!vu_fd_watch) {
 +        VuFdWatch *vu_fd_watch = g_new0(VuFdWatch, 1);
 +
 +        QTAILQ_INSERT_TAIL(&server->vu_fd_watches, vu_fd_watch, next);
 +
 +        vu_fd_watch->fd = fd;
 +        vu_fd_watch->cb = cb;
 +        qemu_set_nonblock(fd);
 +        aio_set_fd_handler(server->ioc->ctx, fd, true, kick_handler,
 +                           NULL, NULL, vu_fd_watch);
 +        vu_fd_watch->vu_dev = vu_dev;
 +        vu_fd_watch->pvt = pvt;
 +    }
 +}
 +
 +
 +static void remove_watch(VuDev *vu_dev, int fd)
 +{
 +    VuServer *server;
 +    g_assert(vu_dev);
 +    g_assert(fd >= 0);
 +
 +    server = container_of(vu_dev, VuServer, vu_dev);
 +
 +    VuFdWatch *vu_fd_watch = find_vu_fd_watch(server, fd);
 +
 +    if (!vu_fd_watch) {
 +        return;
 +    }
-+    aio_set_fd_handler(server->ioc->ctx, fd, true, NULL, NULL, NULL, NULL);
++
-+
++    if (!ufs_init_wlu(u, &u->dev_wlu, UFS_UPIU_UFS_DEVICE_WLUN, errp)) {
 +    QTAILQ_REMOVE(&server->vu_fd_watches, vu_fd_watch, next);
 +    g_free(vu_fd_watch);
 +}
 +
 +
 +static void vu_accept(QIONetListener *listener, QIOChannelSocket *sioc,
 +                      gpointer opaque)
 +{
 +    VuServer *server = opaque;
 +
 +    if (server->sioc) {
 +        warn_report("Only one vhost-user client is allowed to "
 +                    "connect the server one time");
 +        return;
 +    }
 +
-+    if (!vu_init(&server->vu_dev, server->max_queues, sioc->fd, panic_cb,
++    if (!ufs_init_wlu(u, &u->boot_wlu, UFS_UPIU_BOOT_WLUN, errp)) {
 +                 vu_message_read, set_watch, remove_watch, server->vu_iface)) {
 +        error_report("Failed to initialize libvhost-user");
 +        return;
 +    }
 +
-+    /*
++    if (!ufs_init_wlu(u, &u->rpmb_wlu, UFS_UPIU_RPMB_WLUN, errp)) {
 +     * Unset the callback function for network listener to make another
 +     * vhost-user client keeping waiting until this client disconnects
 +     */
 +    qio_net_listener_set_client_func(server->listener,
 +                                     NULL,
 +                                     NULL,
 +                                     NULL);
 +    server->sioc = sioc;
 +    /*
 +     * Increase the object reference, so sioc will not freed by
 +     * qio_net_listener_channel_func which will call object_unref(OBJECT(sioc))
 +     */
 +    object_ref(OBJECT(server->sioc));
 +    qio_channel_set_name(QIO_CHANNEL(sioc), "vhost-user client");
 +    server->ioc = QIO_CHANNEL(sioc);
 +    object_ref(OBJECT(server->ioc));
 +    qio_channel_attach_aio_context(server->ioc, server->ctx);
 +    qio_channel_set_blocking(QIO_CHANNEL(server->sioc), false, NULL);
 +    vu_client_start(server);
 +}
 +
 +
 +void vhost_user_server_stop(VuServer *server)
 +{
 +    if (server->sioc) {
 +        close_client(server);
 +    }
 +
 +    if (server->listener) {
 +        qio_net_listener_disconnect(server->listener);
 +        object_unref(OBJECT(server->listener));
 +    }
 +
 +}
 +
 +void vhost_user_server_set_aio_context(VuServer *server, AioContext *ctx)
 +{
 +    VuFdWatch *vu_fd_watch, *next;
 +    void *opaque = NULL;
 +    IOHandler *io_read = NULL;
 +    bool attach;
 +
 +    server->ctx = ctx ? ctx : qemu_get_aio_context();
 +
 +    if (!server->sioc) {
 +        /* not yet serving any client*/
 +        return;
 +    }
-+
+ }
-+    if (ctx) {
-+        qio_channel_attach_aio_context(server->ioc, ctx);
+ static void ufs_exit(PCIDevice *pci_dev)
-+        server->aio_context_changed = true;
+ {
-+        io_read = kick_handler;
+     UfsHc *u = UFS(pci_dev);
-+        attach = true;
-+    } else {
++    if (u->dev_wlu) {
-+        qio_channel_detach_aio_context(server->ioc);
++        object_unref(OBJECT(u->dev_wlu));
-+        /* server->ioc->ctx keeps the old AioConext */
++        u->dev_wlu = NULL;
-+        ctx = server->ioc->ctx;
++    }
-+        attach = false;
++
-+    }
++    if (u->report_wlu) {
-+
++        object_unref(OBJECT(u->report_wlu));
-+    QTAILQ_FOREACH_SAFE(vu_fd_watch, &server->vu_fd_watches, next, next) {
++        u->report_wlu = NULL;
-+        if (vu_fd_watch->cb) {
++    }
-+            opaque = attach ? vu_fd_watch : NULL;
++
-+            aio_set_fd_handler(ctx, vu_fd_watch->fd, true,
++    if (u->rpmb_wlu) {
-+                               io_read, NULL, NULL,
++        object_unref(OBJECT(u->rpmb_wlu));
-+                               opaque);
++        u->rpmb_wlu = NULL;
-+        }
++    }
-+    }
++
-+}
++    if (u->boot_wlu) {
-+
++        object_unref(OBJECT(u->boot_wlu));
-+
++        u->boot_wlu = NULL;
-+bool vhost_user_server_start(VuServer *server,
++    }
-+                             SocketAddress *socket_addr,
++
-+                             AioContext *ctx,
+     qemu_bh_delete(u->doorbell_bh);
-+                             uint16_t max_queues,
+     qemu_bh_delete(u->complete_bh);
-+                             DevicePanicNotifierFn *device_panic_notifier,
-+                             const VuDevIface *vu_iface,
+@@ -XXX,XX +XXX,XX @@ static void ufs_class_init(ObjectClass *oc, void *data)
-+                             Error **errp)
+     dc->vmsd = &ufs_vmstate;
-+{
+ }
-+    QIONetListener *listener = qio_net_listener_new();
-+    if (qio_net_listener_open_sync(listener, socket_addr, 1,
++static bool ufs_bus_check_address(BusState *qbus, DeviceState *qdev,
-+                                   errp) < 0) {
++                                  Error **errp)
-+        object_unref(OBJECT(listener));
++{
 +    SCSIDevice *dev = SCSI_DEVICE(qdev);
 +    UfsBusClass *ubc = UFS_BUS_GET_CLASS(qbus);
 +    UfsHc *u = UFS(qbus->parent);
 +
 +    if (strcmp(object_get_typename(OBJECT(dev)), TYPE_UFS_WLU) == 0) {
 +        if (dev->lun != UFS_UPIU_REPORT_LUNS_WLUN &&
 +            dev->lun != UFS_UPIU_UFS_DEVICE_WLUN &&
 +            dev->lun != UFS_UPIU_BOOT_WLUN && dev->lun != UFS_UPIU_RPMB_WLUN) {
 +            error_setg(errp, "bad well-known lun: %d", dev->lun);
 +            return false;
 +        }
 +
 +        if ((dev->lun == UFS_UPIU_REPORT_LUNS_WLUN && u->report_wlu != NULL) ||
 +            (dev->lun == UFS_UPIU_UFS_DEVICE_WLUN && u->dev_wlu != NULL) ||
 +            (dev->lun == UFS_UPIU_BOOT_WLUN && u->boot_wlu != NULL) ||
 +            (dev->lun == UFS_UPIU_RPMB_WLUN && u->rpmb_wlu != NULL)) {
 +            error_setg(errp, "well-known lun %d already exists", dev->lun);
 +            return false;
 +        }
 +
 +        return true;
 +    }
 +
 +    if (strcmp(object_get_typename(OBJECT(dev)), TYPE_UFS_LU) != 0) {
 +        error_setg(errp, "%s cannot be connected to ufs-bus",
 +                   object_get_typename(OBJECT(dev)));
 +        return false;
 +    }
 +
-+    /* zero out unspecified fileds */
++    return ubc->parent_check_address(qbus, qdev, errp);
-+    *server = (VuServer) {
++}
-+        .listener              = listener,
++
-+        .vu_iface              = vu_iface,
++static void ufs_bus_class_init(ObjectClass *class, void *data)
-+        .max_queues            = max_queues,
++{
-+        .ctx                   = ctx,
++    BusClass *bc = BUS_CLASS(class);
-+        .device_panic_notifier = device_panic_notifier,
++    UfsBusClass *ubc = UFS_BUS_CLASS(class);
-+    };
++    ubc->parent_check_address = bc->check_address;
-+
++    bc->check_address = ufs_bus_check_address;
-+    qio_net_listener_set_name(server->listener, "vhost-user-backend-listener");
++}
 +
-+    qio_net_listener_set_client_func(server->listener,
+ static const TypeInfo ufs_info = {
-+                                     vu_accept,
+     .name = TYPE_UFS,
-+                                     server,
+     .parent = TYPE_PCI_DEVICE,
-+                                     NULL);
+@@ -XXX,XX +XXX,XX @@ static const TypeInfo ufs_info = {
-+
+     .interfaces = (InterfaceInfo[]){ { INTERFACE_PCIE_DEVICE }, {} },
-+    QTAILQ_INIT(&server->vu_fd_watches);
+ };
-+    return true;
-+}
++static const TypeInfo ufs_bus_info = {
-diff --git a/util/meson.build b/util/meson.build
++    .name = TYPE_UFS_BUS,
 +    .parent = TYPE_SCSI_BUS,
 +    .class_init = ufs_bus_class_init,
 +    .class_size = sizeof(UfsBusClass),
 +    .instance_size = sizeof(UfsBus),
 +};
 +
  static void ufs_register_types(void)
  {
      type_register_static(&ufs_info);
 +    type_register_static(&ufs_bus_info);
  }
  type_init(ufs_register_types)
 diff --git a/hw/ufs/meson.build b/hw/ufs/meson.build
 index XXXXXXX..XXXXXXX 100644
---- a/util/meson.build
+--- a/hw/ufs/meson.build
-+++ b/util/meson.build
++++ b/hw/ufs/meson.build
-@@ -XXX,XX +XXX,XX @@ if have_block
+@@ -1 +1 @@
-   util_ss.add(files('main-loop.c'))
+-system_ss.add(when: 'CONFIG_UFS_PCI', if_true: files('ufs.c'))
-   util_ss.add(files('nvdimm-utils.c'))
++system_ss.add(when: 'CONFIG_UFS_PCI', if_true: files('ufs.c', 'lu.c'))
-   util_ss.add(files('qemu-coroutine.c', 'qemu-coroutine-lock.c', 'qemu-coroutine-io.c'))
+diff --git a/hw/ufs/trace-events b/hw/ufs/trace-events
-+  util_ss.add(when: 'CONFIG_LINUX', if_true: files('vhost-user-server.c'))
+index XXXXXXX..XXXXXXX 100644
-   util_ss.add(files('qemu-coroutine-sleep.c'))
+--- a/hw/ufs/trace-events
-   util_ss.add(files('qemu-co-shared-resource.c'))
++++ b/hw/ufs/trace-events
-   util_ss.add(files('thread-pool.c', 'qemu-timer.c'))
+@@ -XXX,XX +XXX,XX @@ ufs_exec_scsi_cmd(uint32_t slot, uint8_t lun, uint8_t opcode) "slot %"PRIu32", l
  ufs_exec_query_cmd(uint32_t slot, uint8_t opcode) "slot %"PRIu32", opcode 0x%"PRIx8""
  ufs_process_uiccmd(uint32_t uiccmd, uint32_t ucmdarg1, uint32_t ucmdarg2, uint32_t ucmdarg3) "uiccmd 0x%"PRIx32", ucmdarg1 0x%"PRIx32", ucmdarg2 0x%"PRIx32", ucmdarg3 0x%"PRIx32""
 +# lu.c
 +ufs_scsi_check_condition(uint32_t tag, uint8_t key, uint8_t asc, uint8_t ascq) "Command complete tag=0x%x sense=%d/%d/%d"
 +ufs_scsi_read_complete(uint32_t tag, size_t size) "Data ready tag=0x%x len=%zd"
 +ufs_scsi_read_data_count(uint32_t sector_count) "Read sector_count=%d"
 +ufs_scsi_read_data_invalid(void) "Data transfer direction invalid"
 +ufs_scsi_write_complete_noio(uint32_t tag, size_t size) "Write complete tag=0x%x more=%zd"
 +ufs_scsi_write_data_invalid(void) "Data transfer direction invalid"
 +ufs_scsi_emulate_vpd_page_00(size_t xfer) "Inquiry EVPD[Supported pages] buffer size %zd"
 +ufs_scsi_emulate_vpd_page_80_not_supported(void) "Inquiry EVPD[Serial number] not supported"
 +ufs_scsi_emulate_vpd_page_80(size_t xfer) "Inquiry EVPD[Serial number] buffer size %zd"
 +ufs_scsi_emulate_vpd_page_87(size_t xfer) "Inquiry EVPD[Mode Page Policy] buffer size %zd"
 +ufs_scsi_emulate_mode_sense(int cmd, int page, size_t xfer, int control) "Mode Sense(%d) (page %d, xfer %zd, page_control %d)"
 +ufs_scsi_emulate_read_data(int buflen) "Read buf_len=%d"
 +ufs_scsi_emulate_write_data(int buflen) "Write buf_len=%d"
 +ufs_scsi_emulate_command_START_STOP(void) "START STOP UNIT"
 +ufs_scsi_emulate_command_FORMAT_UNIT(void) "FORMAT UNIT"
 +ufs_scsi_emulate_command_SEND_DIAGNOSTIC(void) "SEND DIAGNOSTIC"
 +ufs_scsi_emulate_command_SAI_16(void) "SAI READ CAPACITY(16)"
 +ufs_scsi_emulate_command_SAI_unsupported(void) "Unsupported Service Action In"
 +ufs_scsi_emulate_command_MODE_SELECT_10(size_t xfer) "Mode Select(10) (len %zd)"
 +ufs_scsi_emulate_command_VERIFY(int bytchk) "Verify (bytchk %d)"
 +ufs_scsi_emulate_command_UNKNOWN(int cmd, const char *name) "Unknown SCSI command (0x%2.2x=%s)"
 +ufs_scsi_dma_command_READ(uint64_t lba, uint32_t len) "Read (block %" PRIu64 ", count %u)"
 +ufs_scsi_dma_command_WRITE(uint64_t lba, int len) "Write (block %" PRIu64 ", count %u)"
 +
  # error condition
  ufs_err_dma_read_utrd(uint32_t slot, uint64_t addr) "failed to read utrd. UTRLDBR slot %"PRIu32", UTRD dma addr %"PRIu64""
  ufs_err_dma_read_req_upiu(uint32_t slot, uint64_t addr) "failed to read req upiu. UTRLDBR slot %"PRIu32", request upiu addr %"PRIu64""
 --
-.26.2
+.41.0

-[PULL v2 05/28] block: move logical block size check function to a common utility function
+[PULL v2 4/8] tests/qtest: Introduce tests for UFS
-From: Coiby Xu <coiby.xu@gmail.com>
+From: Jeuk Kim <jeuk20.kim@gmail.com>
-Move the constants from hw/core/qdev-properties.c to
+This patch includes the following tests
-util/block-helpers.h so that knowledge of the min/max values is
+  Test mmio read
   Test ufs device initialization and ufs-lu recognition
   Test I/O (Performs a write followed by a read to verify)
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: Jeuk Kim <jeuk20.kim@samsung.com>
-Signed-off-by: Coiby Xu <coiby.xu@gmail.com>
+Acked-by: Thomas Huth <thuth@redhat.com>
 Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-id: af6b8d54c049490b3533a784a0aeac4798bb9217.1691062912.git.jeuk20.kim@samsung.com
 Acked-by: Eduardo Habkost <ehabkost@redhat.com>
 Message-id: 20200918080912.321299-5-coiby.xu@gmail.com
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
- util/block-helpers.h             | 19 +++++++++++++
+ MAINTAINERS             |   1 +
- hw/core/qdev-properties-system.c | 31 ++++-----------------
+ tests/qtest/ufs-test.c  | 584 ++++++++++++++++++++++++++++++++++++++++
- util/block-helpers.c             | 46 ++++++++++++++++++++++++++++++++
+ tests/qtest/meson.build |   1 +
- util/meson.build                 |  1 +
+files changed, 586 insertions(+)
-files changed, 71 insertions(+), 26 deletions(-)
+ create mode 100644 tests/qtest/ufs-test.c
  create mode 100644 util/block-helpers.h
  create mode 100644 util/block-helpers.c
-diff --git a/util/block-helpers.h b/util/block-helpers.h
+diff --git a/MAINTAINERS b/MAINTAINERS
 index XXXXXXX..XXXXXXX 100644
 --- a/MAINTAINERS
 +++ b/MAINTAINERS
@@ -XXX,XX +XXX,XX @@ M: Jeuk Kim <jeuk20.kim@samsung.com>
  S: Supported
  F: hw/ufs/*
  F: include/block/ufs.h
 +F: tests/qtest/ufs-test.c
  megasas
  M: Hannes Reinecke <hare@suse.com>
 diff --git a/tests/qtest/ufs-test.c b/tests/qtest/ufs-test.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
-+++ b/util/block-helpers.h
++++ b/tests/qtest/ufs-test.c
@@ -XXX,XX +XXX,XX @@
 +#ifndef BLOCK_HELPERS_H
 +#define BLOCK_HELPERS_H
 +
 +#include "qemu/units.h"
 +
 +/* lower limit is sector size */
 +#define MIN_BLOCK_SIZE          INT64_C(512)
 +#define MIN_BLOCK_SIZE_STR      "512 B"
 +/*
 + * upper limit is arbitrary, 2 MiB looks sufficient for all sensible uses, and
 + * matches qcow2 cluster size limit
 + */
 +#define MAX_BLOCK_SIZE          (2 * MiB)
 +#define MAX_BLOCK_SIZE_STR      "2 MiB"
 +
 +void check_block_size(const char *id, const char *name, int64_t value,
 +                      Error **errp);
 +
 +#endif /* BLOCK_HELPERS_H */
 diff --git a/hw/core/qdev-properties-system.c b/hw/core/qdev-properties-system.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/core/qdev-properties-system.c
 +++ b/hw/core/qdev-properties-system.c
@@ -XXX,XX +XXX,XX @@
  #include "sysemu/blockdev.h"
  #include "net/net.h"
  #include "hw/pci/pci.h"
 +#include "util/block-helpers.h"
  static bool check_prop_still_unset(DeviceState *dev, const char *name,
                                     const void *old_val, const char *new_val,
@@ -XXX,XX +XXX,XX @@ const PropertyInfo qdev_prop_losttickpolicy = {
  /* --- blocksize --- */
 -/* lower limit is sector size */
 -#define MIN_BLOCK_SIZE          512
 -#define MIN_BLOCK_SIZE_STR      "512 B"
 -/*
 - * upper limit is arbitrary, 2 MiB looks sufficient for all sensible uses, and
 - * matches qcow2 cluster size limit
 - */
 -#define MAX_BLOCK_SIZE          (2 * MiB)
 -#define MAX_BLOCK_SIZE_STR      "2 MiB"
 -
  static void set_blocksize(Object *obj, Visitor *v, const char *name,
                            void *opaque, Error **errp)
  {
@@ -XXX,XX +XXX,XX @@ static void set_blocksize(Object *obj, Visitor *v, const char *name,
      Property *prop = opaque;
      uint32_t *ptr = qdev_get_prop_ptr(dev, prop);
      uint64_t value;
 +    Error *local_err = NULL;
      if (dev->realized) {
          qdev_prop_set_after_realize(dev, name, errp);
@@ -XXX,XX +XXX,XX @@ static void set_blocksize(Object *obj, Visitor *v, const char *name,
      if (!visit_type_size(v, name, &value, errp)) {
          return;
      }
 -    /* value of 0 means "unset" */
 -    if (value && (value < MIN_BLOCK_SIZE || value > MAX_BLOCK_SIZE)) {
 -        error_setg(errp,
 -                   "Property %s.%s doesn't take value %" PRIu64
 -                   " (minimum: " MIN_BLOCK_SIZE_STR
 -                   ", maximum: " MAX_BLOCK_SIZE_STR ")",
 -                   dev->id ? : "", name, value);
 +    check_block_size(dev->id ? : "", name, value, &local_err);
 +    if (local_err) {
 +        error_propagate(errp, local_err);
          return;
      }
 -
 -    /* We rely on power-of-2 blocksizes for bitmasks */
 -    if ((value & (value - 1)) != 0) {
 -        error_setg(errp,
 -                  "Property %s.%s doesn't take value '%" PRId64 "', "
 -                  "it's not a power of 2", dev->id ?: "", name, (int64_t)value);
 -        return;
 -    }
 -
      *ptr = value;
  }
 diff --git a/util/block-helpers.c b/util/block-helpers.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/util/block-helpers.c
 @@ -XXX,XX +XXX,XX @@
 +/*
-+ * Block utility functions
++ * QTest testcase for UFS
 + *
-+ * Copyright IBM, Corp. 2011
++ * Copyright (c) 2023 Samsung Electronics Co., Ltd. All rights reserved.
 + * Copyright (c) 2020 Coiby Xu <coiby.xu@gmail.com>
 + *
-+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
++ * SPDX-License-Identifier: GPL-2.0-or-later
 + * See the COPYING file in the top-level directory.
 + */
 +
 +#include "qemu/osdep.h"
-+#include "qapi/error.h"
++#include "qemu/module.h"
-+#include "qapi/qmp/qerror.h"
++#include "qemu/units.h"
-+#include "block-helpers.h"
++#include "libqtest.h"
 +#include "libqos/qgraph.h"
 +#include "libqos/pci.h"
 +#include "scsi/constants.h"
 +#include "include/block/ufs.h"
 +
 +/* Test images sizes in Bytes */
 +#define TEST_IMAGE_SIZE (64 * 1024 * 1024)
 +/* Timeout for various operations, in seconds. */
 +#define TIMEOUT_SECONDS 10
 +/* Maximum PRD entry count */
 +#define MAX_PRD_ENTRY_COUNT 10
 +#define PRD_ENTRY_DATA_SIZE 4096
 +/* Constants to build upiu */
 +#define UTP_COMMAND_DESCRIPTOR_SIZE 4096
 +#define UTP_RESPONSE_UPIU_OFFSET 1024
 +#define UTP_PRDT_UPIU_OFFSET 2048
 +
 +typedef struct QUfs QUfs;
 +
 +struct QUfs {
 +    QOSGraphObject obj;
 +    QPCIDevice dev;
 +    QPCIBar bar;
 +
 +    uint64_t utrlba;
 +    uint64_t utmrlba;
 +    uint64_t cmd_desc_addr;
 +    uint64_t data_buffer_addr;
 +
 +    bool enabled;
 +};
 +
 +static inline uint32_t ufs_rreg(QUfs *ufs, size_t offset)
 +{
 +    return qpci_io_readl(&ufs->dev, ufs->bar, offset);
 +}
 +
 +static inline void ufs_wreg(QUfs *ufs, size_t offset, uint32_t value)
 +{
 +    qpci_io_writel(&ufs->dev, ufs->bar, offset, value);
 +}
 +
 +static void ufs_wait_for_irq(QUfs *ufs)
 +{
 +    uint64_t end_time;
 +    uint32_t is;
 +    /* Wait for device to reset as the linux driver does. */
 +    end_time = g_get_monotonic_time() + TIMEOUT_SECONDS * G_TIME_SPAN_SECOND;
 +    do {
 +        qtest_clock_step(ufs->dev.bus->qts, 100);
 +        is = ufs_rreg(ufs, A_IS);
 +    } while (is == 0 && g_get_monotonic_time() < end_time);
 +}
 +
 +static UtpTransferReqDesc ufs_build_req_utrd(uint64_t cmd_desc_addr,
 +                                             uint8_t slot,
 +                                             uint32_t data_direction,
 +                                             uint16_t prd_table_length)
 +{
 +    UtpTransferReqDesc req = { 0 };
 +    uint64_t command_desc_base_addr =
 +        cmd_desc_addr + slot * UTP_COMMAND_DESCRIPTOR_SIZE;
 +
 +    req.header.dword_0 =
 +        cpu_to_le32(1 << 28 | data_direction | UTP_REQ_DESC_INT_CMD);
 +    req.header.dword_2 = cpu_to_le32(OCS_INVALID_COMMAND_STATUS);
 +
 +    req.command_desc_base_addr_hi = cpu_to_le32(command_desc_base_addr >> 32);
 +    req.command_desc_base_addr_lo =
 +        cpu_to_le32(command_desc_base_addr & 0xffffffff);
 +    req.response_upiu_offset =
 +        cpu_to_le16(UTP_RESPONSE_UPIU_OFFSET / sizeof(uint32_t));
 +    req.response_upiu_length = cpu_to_le16(sizeof(UtpUpiuRsp));
 +    req.prd_table_offset = cpu_to_le16(UTP_PRDT_UPIU_OFFSET / sizeof(uint32_t));
 +    req.prd_table_length = cpu_to_le16(prd_table_length);
 +    return req;
 +}
 +
 +static void ufs_send_nop_out(QUfs *ufs, uint8_t slot,
 +                             UtpTransferReqDesc *utrd_out, UtpUpiuRsp *rsp_out)
 +{
 +    /* Build up utp transfer request descriptor */
 +    UtpTransferReqDesc utrd =
 +        ufs_build_req_utrd(ufs->cmd_desc_addr, slot, UTP_NO_DATA_TRANSFER, 0);
 +    uint64_t utrd_addr = ufs->utrlba + slot * sizeof(UtpTransferReqDesc);
 +    uint64_t req_upiu_addr =
 +        ufs->cmd_desc_addr + slot * UTP_COMMAND_DESCRIPTOR_SIZE;
 +    uint64_t rsp_upiu_addr = req_upiu_addr + UTP_RESPONSE_UPIU_OFFSET;
 +    qtest_memwrite(ufs->dev.bus->qts, utrd_addr, &utrd, sizeof(utrd));
 +
 +    /* Build up request upiu */
 +    UtpUpiuReq req_upiu = { 0 };
 +    req_upiu.header.trans_type = UPIU_TRANSACTION_NOP_OUT;
 +    req_upiu.header.task_tag = slot;
 +    qtest_memwrite(ufs->dev.bus->qts, req_upiu_addr, &req_upiu,
 +                   sizeof(req_upiu));
 +
 +    /* Ring Doorbell */
 +    ufs_wreg(ufs, A_UTRLDBR, 1);
 +    ufs_wait_for_irq(ufs);
 +    g_assert_true(FIELD_EX32(ufs_rreg(ufs, A_IS), IS, UTRCS));
 +    ufs_wreg(ufs, A_IS, FIELD_DP32(0, IS, UTRCS, 1));
 +
 +    qtest_memread(ufs->dev.bus->qts, utrd_addr, utrd_out, sizeof(*utrd_out));
 +    qtest_memread(ufs->dev.bus->qts, rsp_upiu_addr, rsp_out, sizeof(*rsp_out));
 +}
 +
 +static void ufs_send_query(QUfs *ufs, uint8_t slot, uint8_t query_function,
 +                           uint8_t query_opcode, uint8_t idn, uint8_t index,
 +                           UtpTransferReqDesc *utrd_out, UtpUpiuRsp *rsp_out)
 +{
 +    /* Build up utp transfer request descriptor */
 +    UtpTransferReqDesc utrd =
 +        ufs_build_req_utrd(ufs->cmd_desc_addr, slot, UTP_NO_DATA_TRANSFER, 0);
 +    uint64_t utrd_addr = ufs->utrlba + slot * sizeof(UtpTransferReqDesc);
 +    uint64_t req_upiu_addr =
 +        ufs->cmd_desc_addr + slot * UTP_COMMAND_DESCRIPTOR_SIZE;
 +    uint64_t rsp_upiu_addr = req_upiu_addr + UTP_RESPONSE_UPIU_OFFSET;
 +    qtest_memwrite(ufs->dev.bus->qts, utrd_addr, &utrd, sizeof(utrd));
 +
 +    /* Build up request upiu */
 +    UtpUpiuReq req_upiu = { 0 };
 +    req_upiu.header.trans_type = UPIU_TRANSACTION_QUERY_REQ;
 +    req_upiu.header.query_func = query_function;
 +    req_upiu.header.task_tag = slot;
 +    /*
 +     * QEMU UFS does not currently support Write descriptor and Write attribute,
 +     * so the value of data_segment_length is always 0.
 +     */
 +    req_upiu.header.data_segment_length = 0;
 +    req_upiu.qr.opcode = query_opcode;
 +    req_upiu.qr.idn = idn;
 +    req_upiu.qr.index = index;
 +    qtest_memwrite(ufs->dev.bus->qts, req_upiu_addr, &req_upiu,
 +                   sizeof(req_upiu));
 +
 +    /* Ring Doorbell */
 +    ufs_wreg(ufs, A_UTRLDBR, 1);
 +    ufs_wait_for_irq(ufs);
 +    g_assert_true(FIELD_EX32(ufs_rreg(ufs, A_IS), IS, UTRCS));
 +    ufs_wreg(ufs, A_IS, FIELD_DP32(0, IS, UTRCS, 1));
 +
 +    qtest_memread(ufs->dev.bus->qts, utrd_addr, utrd_out, sizeof(*utrd_out));
 +    qtest_memread(ufs->dev.bus->qts, rsp_upiu_addr, rsp_out, sizeof(*rsp_out));
 +}
 +
 +static void ufs_send_scsi_command(QUfs *ufs, uint8_t slot, uint8_t lun,
 +                                  const uint8_t *cdb, const uint8_t *data_in,
 +                                  size_t data_in_len, uint8_t *data_out,
 +                                  size_t data_out_len,
 +                                  UtpTransferReqDesc *utrd_out,
 +                                  UtpUpiuRsp *rsp_out)
 +
 +{
 +    /* Build up PRDT */
 +    UfshcdSgEntry entries[MAX_PRD_ENTRY_COUNT] = {
 +        0,
 +    };
 +    uint8_t flags;
 +    uint16_t prd_table_length, i;
 +    uint32_t data_direction, data_len;
 +    uint64_t req_upiu_addr =
 +        ufs->cmd_desc_addr + slot * UTP_COMMAND_DESCRIPTOR_SIZE;
 +    uint64_t prdt_addr = req_upiu_addr + UTP_PRDT_UPIU_OFFSET;
 +
 +    g_assert_true(data_in_len < MAX_PRD_ENTRY_COUNT * PRD_ENTRY_DATA_SIZE);
 +    g_assert_true(data_out_len < MAX_PRD_ENTRY_COUNT * PRD_ENTRY_DATA_SIZE);
 +    if (data_in_len > 0) {
 +        g_assert_nonnull(data_in);
 +        data_direction = UTP_HOST_TO_DEVICE;
 +        data_len = data_in_len;
 +        flags = UPIU_CMD_FLAGS_WRITE;
 +    } else if (data_out_len > 0) {
 +        g_assert_nonnull(data_out);
 +        data_direction = UTP_DEVICE_TO_HOST;
 +        data_len = data_out_len;
 +        flags = UPIU_CMD_FLAGS_READ;
 +    } else {
 +        data_direction = UTP_NO_DATA_TRANSFER;
 +        data_len = 0;
 +        flags = UPIU_CMD_FLAGS_NONE;
 +    }
 +    prd_table_length = DIV_ROUND_UP(data_len, PRD_ENTRY_DATA_SIZE);
 +
 +    qtest_memset(ufs->dev.bus->qts, ufs->data_buffer_addr, 0,
 +                 MAX_PRD_ENTRY_COUNT * PRD_ENTRY_DATA_SIZE);
 +    if (data_in_len) {
 +        qtest_memwrite(ufs->dev.bus->qts, ufs->data_buffer_addr, data_in,
 +                       data_in_len);
 +    }
 +
 +    for (i = 0; i < prd_table_length; i++) {
 +        entries[i].addr =
 +            cpu_to_le64(ufs->data_buffer_addr + i * sizeof(UfshcdSgEntry));
 +        if (i + 1 != prd_table_length) {
 +            entries[i].size = cpu_to_le32(PRD_ENTRY_DATA_SIZE - 1);
 +        } else {
 +            entries[i].size = cpu_to_le32(
 +                data_len - (PRD_ENTRY_DATA_SIZE * (prd_table_length - 1)) - 1);
 +        }
 +    }
 +    qtest_memwrite(ufs->dev.bus->qts, prdt_addr, entries,
 +                   prd_table_length * sizeof(UfshcdSgEntry));
 +
 +    /* Build up utp transfer request descriptor */
 +    UtpTransferReqDesc utrd = ufs_build_req_utrd(
 +        ufs->cmd_desc_addr, slot, data_direction, prd_table_length);
 +    uint64_t utrd_addr = ufs->utrlba + slot * sizeof(UtpTransferReqDesc);
 +    uint64_t rsp_upiu_addr = req_upiu_addr + UTP_RESPONSE_UPIU_OFFSET;
 +    qtest_memwrite(ufs->dev.bus->qts, utrd_addr, &utrd, sizeof(utrd));
 +
 +    /* Build up request upiu */
 +    UtpUpiuReq req_upiu = { 0 };
 +    req_upiu.header.trans_type = UPIU_TRANSACTION_COMMAND;
 +    req_upiu.header.flags = flags;
 +    req_upiu.header.lun = lun;
 +    req_upiu.header.task_tag = slot;
 +    req_upiu.sc.exp_data_transfer_len = cpu_to_be32(data_len);
 +    memcpy(req_upiu.sc.cdb, cdb, UFS_CDB_SIZE);
 +    qtest_memwrite(ufs->dev.bus->qts, req_upiu_addr, &req_upiu,
 +                   sizeof(req_upiu));
 +
 +    /* Ring Doorbell */
 +    ufs_wreg(ufs, A_UTRLDBR, 1);
 +    ufs_wait_for_irq(ufs);
 +    g_assert_true(FIELD_EX32(ufs_rreg(ufs, A_IS), IS, UTRCS));
 +    ufs_wreg(ufs, A_IS, FIELD_DP32(0, IS, UTRCS, 1));
 +
 +    qtest_memread(ufs->dev.bus->qts, utrd_addr, utrd_out, sizeof(*utrd_out));
 +    qtest_memread(ufs->dev.bus->qts, rsp_upiu_addr, rsp_out, sizeof(*rsp_out));
 +    if (data_out_len) {
 +        qtest_memread(ufs->dev.bus->qts, ufs->data_buffer_addr, data_out,
 +                      data_out_len);
 +    }
 +}
 +
 +/**
-+ * check_block_size:
++ * Initialize Ufs host controller and logical unit.
-+ * @id: The unique ID of the object
++ * After running this function, you can make a transfer request to the UFS.
 + * @name: The name of the property being validated
 + * @value: The block size in bytes
 + * @errp: A pointer to an area to store an error
 + *
 + * This function checks that the block size meets the following conditions:
 + * 1. At least MIN_BLOCK_SIZE
 + * 2. No larger than MAX_BLOCK_SIZE
 + * 3. A power of 2
 + */
-+void check_block_size(const char *id, const char *name, int64_t value,
++static void ufs_init(QUfs *ufs, QGuestAllocator *alloc)
-+                      Error **errp)
++{
-+{
++    uint64_t end_time;
-+    /* value of 0 means "unset" */
++    uint32_t nutrs, nutmrs;
-+    if (value && (value < MIN_BLOCK_SIZE || value > MAX_BLOCK_SIZE)) {
++    uint32_t hcs, is, ucmdarg2, cap;
-+        error_setg(errp, QERR_PROPERTY_VALUE_OUT_OF_RANGE,
++    uint32_t hce = 0, ie = 0;
-+                   id, name, value, MIN_BLOCK_SIZE, MAX_BLOCK_SIZE);
++    UtpTransferReqDesc utrd;
 +    UtpUpiuRsp rsp_upiu;
 +
 +    ufs->bar = qpci_iomap(&ufs->dev, 0, NULL);
 +    qpci_device_enable(&ufs->dev);
 +
 +    /* Start host controller initialization */
 +    hce = FIELD_DP32(hce, HCE, HCE, 1);
 +    ufs_wreg(ufs, A_HCE, hce);
 +
 +    /* Wait for device to reset */
 +    end_time = g_get_monotonic_time() + TIMEOUT_SECONDS * G_TIME_SPAN_SECOND;
 +    do {
 +        qtest_clock_step(ufs->dev.bus->qts, 100);
 +        hce = FIELD_EX32(ufs_rreg(ufs, A_HCE), HCE, HCE);
 +    } while (hce == 0 && g_get_monotonic_time() < end_time);
 +    g_assert_cmpuint(hce, ==, 1);
 +
 +    /* Enable interrupt */
 +    ie = FIELD_DP32(ie, IE, UCCE, 1);
 +    ie = FIELD_DP32(ie, IE, UHESE, 1);
 +    ie = FIELD_DP32(ie, IE, UHXSE, 1);
 +    ie = FIELD_DP32(ie, IE, UPMSE, 1);
 +    ufs_wreg(ufs, A_IE, ie);
 +
 +    /* Send DME_LINK_STARTUP uic command */
 +    hcs = ufs_rreg(ufs, A_HCS);
 +    g_assert_true(FIELD_EX32(hcs, HCS, UCRDY));
 +
 +    ufs_wreg(ufs, A_UCMDARG1, 0);
 +    ufs_wreg(ufs, A_UCMDARG2, 0);
 +    ufs_wreg(ufs, A_UCMDARG3, 0);
 +    ufs_wreg(ufs, A_UICCMD, UIC_CMD_DME_LINK_STARTUP);
 +
 +    is = ufs_rreg(ufs, A_IS);
 +    g_assert_true(FIELD_EX32(is, IS, UCCS));
 +    ufs_wreg(ufs, A_IS, FIELD_DP32(0, IS, UCCS, 1));
 +
 +    ucmdarg2 = ufs_rreg(ufs, A_UCMDARG2);
 +    g_assert_cmpuint(ucmdarg2, ==, 0);
 +    is = ufs_rreg(ufs, A_IS);
 +    g_assert_cmpuint(is, ==, 0);
 +    hcs = ufs_rreg(ufs, A_HCS);
 +    g_assert_true(FIELD_EX32(hcs, HCS, DP));
 +    g_assert_true(FIELD_EX32(hcs, HCS, UTRLRDY));
 +    g_assert_true(FIELD_EX32(hcs, HCS, UTMRLRDY));
 +    g_assert_true(FIELD_EX32(hcs, HCS, UCRDY));
 +
 +    /* Enable all interrupt functions */
 +    ie = FIELD_DP32(ie, IE, UTRCE, 1);
 +    ie = FIELD_DP32(ie, IE, UEE, 1);
 +    ie = FIELD_DP32(ie, IE, UPMSE, 1);
 +    ie = FIELD_DP32(ie, IE, UHXSE, 1);
 +    ie = FIELD_DP32(ie, IE, UHESE, 1);
 +    ie = FIELD_DP32(ie, IE, UTMRCE, 1);
 +    ie = FIELD_DP32(ie, IE, UCCE, 1);
 +    ie = FIELD_DP32(ie, IE, DFEE, 1);
 +    ie = FIELD_DP32(ie, IE, HCFEE, 1);
 +    ie = FIELD_DP32(ie, IE, SBFEE, 1);
 +    ie = FIELD_DP32(ie, IE, CEFEE, 1);
 +    ufs_wreg(ufs, A_IE, ie);
 +    ufs_wreg(ufs, A_UTRIACR, 0);
 +
 +    /* Enable tranfer request and task management request */
 +    cap = ufs_rreg(ufs, A_CAP);
 +    nutrs = FIELD_EX32(cap, CAP, NUTRS) + 1;
 +    nutmrs = FIELD_EX32(cap, CAP, NUTMRS) + 1;
 +    ufs->cmd_desc_addr =
 +        guest_alloc(alloc, nutrs * UTP_COMMAND_DESCRIPTOR_SIZE);
 +    ufs->data_buffer_addr =
 +        guest_alloc(alloc, MAX_PRD_ENTRY_COUNT * PRD_ENTRY_DATA_SIZE);
 +    ufs->utrlba = guest_alloc(alloc, nutrs * sizeof(UtpTransferReqDesc));
 +    ufs->utmrlba = guest_alloc(alloc, nutmrs * sizeof(UtpTaskReqDesc));
 +
 +    ufs_wreg(ufs, A_UTRLBA, ufs->utrlba & 0xffffffff);
 +    ufs_wreg(ufs, A_UTRLBAU, ufs->utrlba >> 32);
 +    ufs_wreg(ufs, A_UTMRLBA, ufs->utmrlba & 0xffffffff);
 +    ufs_wreg(ufs, A_UTMRLBAU, ufs->utmrlba >> 32);
 +    ufs_wreg(ufs, A_UTRLRSR, 1);
 +    ufs_wreg(ufs, A_UTMRLRSR, 1);
 +
 +    /* Send nop out to test transfer request */
 +    ufs_send_nop_out(ufs, 0, &utrd, &rsp_upiu);
 +    g_assert_cmpuint(le32_to_cpu(utrd.header.dword_2), ==, OCS_SUCCESS);
 +
 +    /* Set fDeviceInit flag via query request */
 +    ufs_send_query(ufs, 0, UPIU_QUERY_FUNC_STANDARD_WRITE_REQUEST,
 +                   UPIU_QUERY_OPCODE_SET_FLAG, QUERY_FLAG_IDN_FDEVICEINIT, 0,
 +                   &utrd, &rsp_upiu);
 +    g_assert_cmpuint(le32_to_cpu(utrd.header.dword_2), ==, OCS_SUCCESS);
 +
 +    /* Wait for device to reset */
 +    end_time = g_get_monotonic_time() + TIMEOUT_SECONDS * G_TIME_SPAN_SECOND;
 +    do {
 +        qtest_clock_step(ufs->dev.bus->qts, 100);
 +        ufs_send_query(ufs, 0, UPIU_QUERY_FUNC_STANDARD_READ_REQUEST,
 +                       UPIU_QUERY_OPCODE_READ_FLAG, QUERY_FLAG_IDN_FDEVICEINIT,
 +                       0, &utrd, &rsp_upiu);
 +    } while (be32_to_cpu(rsp_upiu.qr.value) != 0 &&
 +             g_get_monotonic_time() < end_time);
 +    g_assert_cmpuint(be32_to_cpu(rsp_upiu.qr.value), ==, 0);
 +
 +    ufs->enabled = true;
 +}
 +
 +static void ufs_exit(QUfs *ufs, QGuestAllocator *alloc)
 +{
 +    if (ufs->enabled) {
 +        guest_free(alloc, ufs->utrlba);
 +        guest_free(alloc, ufs->utmrlba);
 +        guest_free(alloc, ufs->cmd_desc_addr);
 +        guest_free(alloc, ufs->data_buffer_addr);
 +    }
 +
 +    qpci_iounmap(&ufs->dev, ufs->bar);
 +}
 +
 +static void *ufs_get_driver(void *obj, const char *interface)
 +{
 +    QUfs *ufs = obj;
 +
 +    if (!g_strcmp0(interface, "pci-device")) {
 +        return &ufs->dev;
 +    }
 +
 +    fprintf(stderr, "%s not present in ufs\n", interface);
 +    g_assert_not_reached();
 +}
 +
 +static void *ufs_create(void *pci_bus, QGuestAllocator *alloc, void *addr)
 +{
 +    QUfs *ufs = g_new0(QUfs, 1);
 +    QPCIBus *bus = pci_bus;
 +
 +    qpci_device_init(&ufs->dev, bus, addr);
 +    ufs->obj.get_driver = ufs_get_driver;
 +
 +    return &ufs->obj;
 +}
 +
 +static void ufstest_reg_read(void *obj, void *data, QGuestAllocator *alloc)
 +{
 +    QUfs *ufs = obj;
 +    uint32_t cap;
 +
 +    ufs->bar = qpci_iomap(&ufs->dev, 0, NULL);
 +    qpci_device_enable(&ufs->dev);
 +
 +    cap = ufs_rreg(ufs, A_CAP);
 +    g_assert_cmpuint(FIELD_EX32(cap, CAP, NUTRS), ==, 31);
 +    g_assert_cmpuint(FIELD_EX32(cap, CAP, NUTMRS), ==, 7);
 +    g_assert_cmpuint(FIELD_EX32(cap, CAP, 64AS), ==, 1);
 +
 +    qpci_iounmap(&ufs->dev, ufs->bar);
 +}
 +
 +static void ufstest_init(void *obj, void *data, QGuestAllocator *alloc)
 +{
 +    QUfs *ufs = obj;
 +
 +    uint8_t buf[4096] = { 0 };
 +    const uint8_t report_luns_cdb[UFS_CDB_SIZE] = {
 +        /* allocation length 4096 */
 +        REPORT_LUNS, 0x00, 0x00, 0x00, 0x00, 0x00,
 +        0x00,        0x00, 0x10, 0x00, 0x00, 0x00
 +    };
 +    const uint8_t test_unit_ready_cdb[UFS_CDB_SIZE] = {
 +        TEST_UNIT_READY,
 +    };
 +    UtpTransferReqDesc utrd;
 +    UtpUpiuRsp rsp_upiu;
 +
 +    ufs_init(ufs, alloc);
 +
 +    /* Check REPORT_LUNS */
 +    ufs_send_scsi_command(ufs, 0, 0, report_luns_cdb, NULL, 0, buf, sizeof(buf),
 +                          &utrd, &rsp_upiu);
 +    g_assert_cmpuint(le32_to_cpu(utrd.header.dword_2), ==, OCS_SUCCESS);
 +    g_assert_cmpuint(rsp_upiu.header.scsi_status, ==, GOOD);
 +    /* LUN LIST LENGTH should be 8, in big endian */
 +    g_assert_cmpuint(buf[3], ==, 8);
 +    /* There is one logical unit whose lun is 0 */
 +    g_assert_cmpuint(buf[9], ==, 0);
 +
 +    /* Check TEST_UNIT_READY */
 +    ufs_send_scsi_command(ufs, 0, 0, test_unit_ready_cdb, NULL, 0, NULL, 0,
 +                          &utrd, &rsp_upiu);
 +    g_assert_cmpuint(le32_to_cpu(utrd.header.dword_2), ==, OCS_SUCCESS);
 +    g_assert_cmpuint(rsp_upiu.header.scsi_status, ==, GOOD);
 +
 +    ufs_exit(ufs, alloc);
 +}
 +
 +static void ufstest_read_write(void *obj, void *data, QGuestAllocator *alloc)
 +{
 +    QUfs *ufs = obj;
 +    uint8_t read_buf[4096] = { 0 };
 +    uint8_t write_buf[4096] = { 0 };
 +    const uint8_t read_capacity_cdb[UFS_CDB_SIZE] = {
 +        /* allocation length 4096 */
 +        SERVICE_ACTION_IN_16,
 +        SAI_READ_CAPACITY_16,
 +        0x00,
 +        0x00,
 +        0x00,
 +        0x00,
 +        0x00,
 +        0x00,
 +        0x00,
 +        0x00,
 +        0x00,
 +        0x00,
 +        0x10,
 +        0x00,
 +        0x00,
 +        0x00
 +    };
 +    const uint8_t read_cdb[UFS_CDB_SIZE] = {
 +        /* READ(10) to LBA 0, transfer length 1 */
 +        READ_10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00
 +    };
 +    const uint8_t write_cdb[UFS_CDB_SIZE] = {
 +        /* WRITE(10) to LBA 0, transfer length 1 */
 +        WRITE_10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00
 +    };
 +    uint32_t block_size;
 +    UtpTransferReqDesc utrd;
 +    UtpUpiuRsp rsp_upiu;
 +
 +    ufs_init(ufs, alloc);
 +
 +    /* Read capacity */
 +    ufs_send_scsi_command(ufs, 0, 1, read_capacity_cdb, NULL, 0, read_buf,
 +                          sizeof(read_buf), &utrd, &rsp_upiu);
 +    g_assert_cmpuint(le32_to_cpu(utrd.header.dword_2), ==, OCS_SUCCESS);
 +    g_assert_cmpuint(rsp_upiu.header.scsi_status, ==, COMMAND_RESULT_SUCESS);
 +    block_size = ldl_be_p(&read_buf[8]);
 +    g_assert_cmpuint(block_size, ==, 4096);
 +
 +    /* Write data */
 +    memset(write_buf, rand() % 255 + 1, block_size);
 +    ufs_send_scsi_command(ufs, 0, 1, write_cdb, write_buf, block_size, NULL, 0,
 +                          &utrd, &rsp_upiu);
 +    g_assert_cmpuint(le32_to_cpu(utrd.header.dword_2), ==, OCS_SUCCESS);
 +    g_assert_cmpuint(rsp_upiu.header.scsi_status, ==, COMMAND_RESULT_SUCESS);
 +
 +    /* Read data and verify */
 +    ufs_send_scsi_command(ufs, 0, 1, read_cdb, NULL, 0, read_buf, block_size,
 +                          &utrd, &rsp_upiu);
 +    g_assert_cmpuint(le32_to_cpu(utrd.header.dword_2), ==, OCS_SUCCESS);
 +    g_assert_cmpuint(rsp_upiu.header.scsi_status, ==, COMMAND_RESULT_SUCESS);
 +    g_assert_cmpint(memcmp(read_buf, write_buf, block_size), ==, 0);
 +
 +    ufs_exit(ufs, alloc);
 +}
 +
 +static void drive_destroy(void *path)
 +{
 +    unlink(path);
 +    g_free(path);
 +    qos_invalidate_command_line();
 +}
 +
 +static char *drive_create(void)
 +{
 +    int fd, ret;
 +    char *t_path;
 +
 +    /* Create a temporary raw image */
 +    fd = g_file_open_tmp("qtest-ufs.XXXXXX", &t_path, NULL);
 +    g_assert_cmpint(fd, >=, 0);
 +    ret = ftruncate(fd, TEST_IMAGE_SIZE);
 +    g_assert_cmpint(ret, ==, 0);
 +    close(fd);
 +
 +    g_test_queue_destroy(drive_destroy, t_path);
 +    return t_path;
 +}
 +
 +static void *ufs_blk_test_setup(GString *cmd_line, void *arg)
 +{
 +    char *tmp_path = drive_create();
 +
 +    g_string_append_printf(cmd_line,
 +                           " -blockdev file,filename=%s,node-name=drv1 "
 +                           "-device ufs-lu,bus=ufs0,drive=drv1,lun=1 ",
 +                           tmp_path);
 +
 +    return arg;
 +}
 +
 +static void ufs_register_nodes(void)
 +{
 +    const char *arch;
 +    QOSGraphEdgeOptions edge_opts = {
 +        .before_cmd_line = "-blockdev null-co,node-name=drv0,read-zeroes=on",
 +        .after_cmd_line = "-device ufs-lu,bus=ufs0,drive=drv0,lun=0",
 +        .extra_device_opts = "addr=04.0,id=ufs0,nutrs=32,nutmrs=8"
 +    };
 +
 +    QOSGraphTestOptions io_test_opts = {
 +        .before = ufs_blk_test_setup,
 +    };
 +
 +    add_qpci_address(&edge_opts, &(QPCIAddress){ .devfn = QPCI_DEVFN(4, 0) });
 +
 +    qos_node_create_driver("ufs", ufs_create);
 +    qos_node_consumes("ufs", "pci-bus", &edge_opts);
 +    qos_node_produces("ufs", "pci-device");
 +
 +    qos_add_test("reg-read", "ufs", ufstest_reg_read, NULL);
 +
 +    /*
 +     * Check architecture
 +     * TODO: Enable ufs io tests for ppc64
 +     */
 +    arch = qtest_get_arch();
 +    if (!strcmp(arch, "ppc64")) {
 +        g_test_message("Skipping ufs io tests for ppc64");
 +        return;
 +    }
-+
++    qos_add_test("init", "ufs", ufstest_init, NULL);
-+    /* We rely on power-of-2 blocksizes for bitmasks */
++    qos_add_test("read-write", "ufs", ufstest_read_write, &io_test_opts);
-+    if ((value & (value - 1)) != 0) {
++}
-+        error_setg(errp,
++
-+                   "Property %s.%s doesn't take value '%" PRId64
++libqos_init(ufs_register_nodes);
-+                   "', it's not a power of 2",
+diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
 +                   id, name, value);
 +        return;
 +    }
 +}
 diff --git a/util/meson.build b/util/meson.build
 index XXXXXXX..XXXXXXX 100644
---- a/util/meson.build
+--- a/tests/qtest/meson.build
-+++ b/util/meson.build
++++ b/tests/qtest/meson.build
-@@ -XXX,XX +XXX,XX @@ if have_block
+@@ -XXX,XX +XXX,XX @@ qos_test_ss.add(
-   util_ss.add(files('nvdimm-utils.c'))
+   'virtio-iommu-test.c',
-   util_ss.add(files('qemu-coroutine.c', 'qemu-coroutine-lock.c', 'qemu-coroutine-io.c'))
+   'vmxnet3-test.c',
-   util_ss.add(when: 'CONFIG_LINUX', if_true: files('vhost-user-server.c'))
+   'igb-test.c',
-+  util_ss.add(files('block-helpers.c'))
++  'ufs-test.c',
-   util_ss.add(files('qemu-coroutine-sleep.c'))
+ )
-   util_ss.add(files('qemu-co-shared-resource.c'))
-   util_ss.add(files('thread-pool.c', 'qemu-timer.c'))
+ if config_all_devices.has_key('CONFIG_VIRTIO_SERIAL')
 --
-.26.2
+.41.0

-[PULL v2 07/28] MAINTAINERS: Add vhost-user block device backend server maintainer
+Deleted patch
-From: Coiby Xu <coiby.xu@gmail.com>
-Suggested-by: Stefano Garzarella <sgarzare@redhat.com>
-Signed-off-by: Coiby Xu <coiby.xu@gmail.com>
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-id: 20200918080912.321299-8-coiby.xu@gmail.com
-[Removed reference to vhost-user-blk-test.c, it will be sent in a
-separate pull request.
---Stefan]
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- MAINTAINERS | 7 +++++++
-file changed, 7 insertions(+)
-diff --git a/MAINTAINERS b/MAINTAINERS
-index XXXXXXX..XXXXXXX 100644
---- a/MAINTAINERS
-+++ b/MAINTAINERS
-@@ -XXX,XX +XXX,XX @@ L: qemu-block@nongnu.org
- S: Supported
- F: tests/image-fuzzer/
-+Vhost-user block device backend server
-+M: Coiby Xu <Coiby.Xu@gmail.com>
-+S: Maintained
-+F: block/export/vhost-user-blk-server.c
-+F: util/vhost-user-server.c
-+F: tests/qtest/libqos/vhost-user-blk.c
-+
- Replication
- M: Wen Congyang <wencongyang2@huawei.com>
- M: Xie Changlong <xiechanglong.d@gmail.com>
---
-.26.2

-[PULL v2 08/28] util/vhost-user-server: s/fileds/fields/ typo fix
+Deleted patch
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-Message-id: 20200924151549.913737-3-stefanha@redhat.com
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- util/vhost-user-server.c | 2 +-
-file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/util/vhost-user-server.c b/util/vhost-user-server.c
-index XXXXXXX..XXXXXXX 100644
---- a/util/vhost-user-server.c
-+++ b/util/vhost-user-server.c
-@@ -XXX,XX +XXX,XX @@ bool vhost_user_server_start(VuServer *server,
-         return false;
-     }
--    /* zero out unspecified fileds */
-+    /* zero out unspecified fields */
-     *server = (VuServer) {
-         .listener              = listener,
-         .vu_iface              = vu_iface,
---
-.26.2

-[PULL v2 09/28] util/vhost-user-server: drop unnecessary QOM cast
+Deleted patch
-We already have access to the value with the correct type (ioc and sioc
-are the same QIOChannel).
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-Message-id: 20200924151549.913737-4-stefanha@redhat.com
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- util/vhost-user-server.c | 2 +-
-file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/util/vhost-user-server.c b/util/vhost-user-server.c
-index XXXXXXX..XXXXXXX 100644
---- a/util/vhost-user-server.c
-+++ b/util/vhost-user-server.c
-@@ -XXX,XX +XXX,XX @@ static void vu_accept(QIONetListener *listener, QIOChannelSocket *sioc,
-     server->ioc = QIO_CHANNEL(sioc);
-     object_ref(OBJECT(server->ioc));
-     qio_channel_attach_aio_context(server->ioc, server->ctx);
--    qio_channel_set_blocking(QIO_CHANNEL(server->sioc), false, NULL);
-+    qio_channel_set_blocking(server->ioc, false, NULL);
-     vu_client_start(server);
- }
---
-.26.2

-[PULL v2 10/28] util/vhost-user-server: drop unnecessary watch deletion
+Deleted patch
-Explicitly deleting watches is not necessary since libvhost-user calls
-remove_watch() during vu_deinit(). Add an assertion to check this
-though.
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-Message-id: 20200924151549.913737-5-stefanha@redhat.com
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- util/vhost-user-server.c | 19 ++++---------------
-file changed, 4 insertions(+), 15 deletions(-)
-diff --git a/util/vhost-user-server.c b/util/vhost-user-server.c
-index XXXXXXX..XXXXXXX 100644
---- a/util/vhost-user-server.c
-+++ b/util/vhost-user-server.c
-@@ -XXX,XX +XXX,XX @@ static void close_client(VuServer *server)
-     /* When this is set vu_client_trip will stop new processing vhost-user message */
-     server->sioc = NULL;
--    VuFdWatch *vu_fd_watch, *next;
--    QTAILQ_FOREACH_SAFE(vu_fd_watch, &server->vu_fd_watches, next, next) {
--        aio_set_fd_handler(server->ioc->ctx, vu_fd_watch->fd, true, NULL,
--                           NULL, NULL, NULL);
--    }
--
--    while (!QTAILQ_EMPTY(&server->vu_fd_watches)) {
--        QTAILQ_FOREACH_SAFE(vu_fd_watch, &server->vu_fd_watches, next, next) {
--            if (!vu_fd_watch->processing) {
--                QTAILQ_REMOVE(&server->vu_fd_watches, vu_fd_watch, next);
--                g_free(vu_fd_watch);
--            }
--        }
--    }
--
-     while (server->processing_msg) {
-         if (server->ioc->read_coroutine) {
-             server->ioc->read_coroutine = NULL;
-@@ -XXX,XX +XXX,XX @@ static void close_client(VuServer *server)
-     }
-     vu_deinit(&server->vu_dev);
-+
-+    /* vu_deinit() should have called remove_watch() */
-+    assert(QTAILQ_EMPTY(&server->vu_fd_watches));
-+
-     object_unref(OBJECT(sioc));
-     object_unref(OBJECT(server->ioc));
- }
---
-.26.2

-[PULL v2 11/28] block/export: consolidate request structs into VuBlockReq
+[PULL v2 5/8] block-migration: Ensure we don't crash during migration cleanup
-Only one struct is needed per request. Drop req_data and the separate
+From: Fabiano Rosas <farosas@suse.de>
 VuBlockReq instance. Instead let vu_queue_pop() allocate everything at
 once.
-This fixes the req_data memory leak in vu_block_virtio_process_req().
+We can fail the blk_insert_bs() at init_blk_migration(), leaving the
 BlkMigDevState without a dirty_bitmap and BlockDriverState. Account
 for the possibly missing elements when doing cleanup.
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Fix the following crashes:
-Message-id: 20200924151549.913737-6-stefanha@redhat.com
 Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
 x0000555555ec83ef in bdrv_release_dirty_bitmap (bitmap=0x0) at ../block/dirty-bitmap.c:359
 BlockDriverState *bs = bitmap->bs;
  #0  0x0000555555ec83ef in bdrv_release_dirty_bitmap (bitmap=0x0) at ../block/dirty-bitmap.c:359
  #1  0x0000555555bba331 in unset_dirty_tracking () at ../migration/block.c:371
  #2  0x0000555555bbad98 in block_migration_cleanup_bmds () at ../migration/block.c:681
 Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
 x0000555555e971ff in bdrv_op_unblock (bs=0x0, op=BLOCK_OP_TYPE_BACKUP_SOURCE, reason=0x0) at ../block.c:7073
 QLIST_FOREACH_SAFE(blocker, &bs->op_blockers[op], list, next) {
  #0  0x0000555555e971ff in bdrv_op_unblock (bs=0x0, op=BLOCK_OP_TYPE_BACKUP_SOURCE, reason=0x0) at ../block.c:7073
  #1  0x0000555555e9734a in bdrv_op_unblock_all (bs=0x0, reason=0x0) at ../block.c:7095
  #2  0x0000555555bbae13 in block_migration_cleanup_bmds () at ../migration/block.c:690
 Signed-off-by: Fabiano Rosas <farosas@suse.de>
 Message-id: 20230731203338.27581-1-farosas@suse.de
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
- block/export/vhost-user-blk-server.c | 68 +++++++++-------------------
+ migration/block.c | 11 +++++++++--
-file changed, 21 insertions(+), 47 deletions(-)
+file changed, 9 insertions(+), 2 deletions(-)
-diff --git a/block/export/vhost-user-blk-server.c b/block/export/vhost-user-blk-server.c
+diff --git a/migration/block.c b/migration/block.c
 index XXXXXXX..XXXXXXX 100644
---- a/block/export/vhost-user-blk-server.c
+--- a/migration/block.c
-+++ b/block/export/vhost-user-blk-server.c
++++ b/migration/block.c
-@@ -XXX,XX +XXX,XX @@ struct virtio_blk_inhdr {
+@@ -XXX,XX +XXX,XX @@ static void unset_dirty_tracking(void)
- };
+     BlkMigDevState *bmds;
- typedef struct VuBlockReq {
+     QSIMPLEQ_FOREACH(bmds, &block_mig_state.bmds_list, entry) {
--    VuVirtqElement *elem;
+-        bdrv_release_dirty_bitmap(bmds->dirty_bitmap);
-+    VuVirtqElement elem;
++        if (bmds->dirty_bitmap) {
-     int64_t sector_num;
++            bdrv_release_dirty_bitmap(bmds->dirty_bitmap);
-     size_t size;
++        }
      struct virtio_blk_inhdr *in;
@@ -XXX,XX +XXX,XX @@ static void vu_block_req_complete(VuBlockReq *req)
      VuDev *vu_dev = &req->server->vu_dev;
      /* IO size with 1 extra status byte */
 -    vu_queue_push(vu_dev, req->vq, req->elem, req->size + 1);
 +    vu_queue_push(vu_dev, req->vq, &req->elem, req->size + 1);
      vu_queue_notify(vu_dev, req->vq);
 -    if (req->elem) {
 -        free(req->elem);
 -    }
 -
 -    g_free(req);
 +    free(req);
  }
  static VuBlockDev *get_vu_block_device_by_server(VuServer *server)
@@ -XXX,XX +XXX,XX @@ static void coroutine_fn vu_block_flush(VuBlockReq *req)
      blk_co_flush(backend);
  }
 -struct req_data {
 -    VuServer *server;
 -    VuVirtq *vq;
 -    VuVirtqElement *elem;
 -};
 -
  static void coroutine_fn vu_block_virtio_process_req(void *opaque)
  {
 -    struct req_data *data = opaque;
 -    VuServer *server = data->server;
 -    VuVirtq *vq = data->vq;
 -    VuVirtqElement *elem = data->elem;
 +    VuBlockReq *req = opaque;
 +    VuServer *server = req->server;
 +    VuVirtqElement *elem = &req->elem;
      uint32_t type;
 -    VuBlockReq *req;
      VuBlockDev *vdev_blk = get_vu_block_device_by_server(server);
      BlockBackend *backend = vdev_blk->backend;
@@ -XXX,XX +XXX,XX @@ static void coroutine_fn vu_block_virtio_process_req(void *opaque)
      struct iovec *out_iov = elem->out_sg;
      unsigned in_num = elem->in_num;
      unsigned out_num = elem->out_num;
 +
      /* refer to hw/block/virtio_blk.c */
      if (elem->out_num < 1 || elem->in_num < 1) {
          error_report("virtio-blk request missing headers");
 -        free(elem);
 -        return;
 +        goto err;
      }
 -    req = g_new0(VuBlockReq, 1);
 -    req->server = server;
 -    req->vq = vq;
 -    req->elem = elem;
 -
      if (unlikely(iov_to_buf(out_iov, out_num, 0, &req->out,
                              sizeof(req->out)) != sizeof(req->out))) {
          error_report("virtio-blk request outhdr too short");
@@ -XXX,XX +XXX,XX @@ static void coroutine_fn vu_block_virtio_process_req(void *opaque)
  err:
      free(elem);
 -    g_free(req);
 -    return;
  }
  static void vu_block_process_vq(VuDev *vu_dev, int idx)
  {
 -    VuServer *server;
 -    VuVirtq *vq;
 -    struct req_data *req_data;
 +    VuServer *server = container_of(vu_dev, VuServer, vu_dev);
 +    VuVirtq *vq = vu_get_queue(vu_dev, idx);
 -    server = container_of(vu_dev, VuServer, vu_dev);
 -    assert(server);
 -
 -    vq = vu_get_queue(vu_dev, idx);
 -    assert(vq);
 -    VuVirtqElement *elem;
      while (1) {
 -        elem = vu_queue_pop(vu_dev, vq, sizeof(VuVirtqElement) +
 -                                    sizeof(VuBlockReq));
 -        if (elem) {
 -            req_data = g_new0(struct req_data, 1);
 -            req_data->server = server;
 -            req_data->vq = vq;
 -            req_data->elem = elem;
 -            Coroutine *co = qemu_coroutine_create(vu_block_virtio_process_req,
 -                                                  req_data);
 -            aio_co_enter(server->ioc->ctx, co);
 -        } else {
 +        VuBlockReq *req;
 +
 +        req = vu_queue_pop(vu_dev, vq, sizeof(VuBlockReq));
 +        if (!req) {
              break;
          }
 +
 +        req->server = server;
 +        req->vq = vq;
 +
 +        Coroutine *co =
 +            qemu_coroutine_create(vu_block_virtio_process_req, req);
 +        qemu_coroutine_enter(co);
      }
  }
+@@ -XXX,XX +XXX,XX @@ static int64_t get_remaining_dirty(void)
+ static void block_migration_cleanup_bmds(void)
+ {
+     BlkMigDevState *bmds;
++    BlockDriverState *bs;
+     AioContext *ctx;
+     unset_dirty_tracking();
+     while ((bmds = QSIMPLEQ_FIRST(&block_mig_state.bmds_list)) != NULL) {
+         QSIMPLEQ_REMOVE_HEAD(&block_mig_state.bmds_list, entry);
+-        bdrv_op_unblock_all(blk_bs(bmds->blk), bmds->blocker);
++
++        bs = blk_bs(bmds->blk);
++        if (bs) {
++            bdrv_op_unblock_all(bs, bmds->blocker);
++        }
+         error_free(bmds->blocker);
+         /* Save ctx, because bmds->blk can disappear during blk_unref.  */
 --
-.26.2
+.41.0

-[PULL v2 12/28] util/vhost-user-server: drop unused DevicePanicNotifier
+Deleted patch
-The device panic notifier callback is not used. Drop it.
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-Message-id: 20200924151549.913737-7-stefanha@redhat.com
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- util/vhost-user-server.h             | 3 ---
- block/export/vhost-user-blk-server.c | 3 +--
- util/vhost-user-server.c             | 6 ------
-files changed, 1 insertion(+), 11 deletions(-)
-diff --git a/util/vhost-user-server.h b/util/vhost-user-server.h
-index XXXXXXX..XXXXXXX 100644
---- a/util/vhost-user-server.h
-+++ b/util/vhost-user-server.h
-@@ -XXX,XX +XXX,XX @@ typedef struct VuFdWatch {
- } VuFdWatch;
- typedef struct VuServer VuServer;
--typedef void DevicePanicNotifierFn(VuServer *server);
- struct VuServer {
-     QIONetListener *listener;
-     AioContext *ctx;
--    DevicePanicNotifierFn *device_panic_notifier;
-     int max_queues;
-     const VuDevIface *vu_iface;
-     VuDev vu_dev;
-@@ -XXX,XX +XXX,XX @@ bool vhost_user_server_start(VuServer *server,
-                              SocketAddress *unix_socket,
-                              AioContext *ctx,
-                              uint16_t max_queues,
--                             DevicePanicNotifierFn *device_panic_notifier,
-                              const VuDevIface *vu_iface,
-                              Error **errp);
-diff --git a/block/export/vhost-user-blk-server.c b/block/export/vhost-user-blk-server.c
-index XXXXXXX..XXXXXXX 100644
---- a/block/export/vhost-user-blk-server.c
-+++ b/block/export/vhost-user-blk-server.c
-@@ -XXX,XX +XXX,XX @@ static void vhost_user_blk_server_start(VuBlockDev *vu_block_device,
-     ctx = bdrv_get_aio_context(blk_bs(vu_block_device->backend));
-     if (!vhost_user_server_start(&vu_block_device->vu_server, addr, ctx,
--                                 VHOST_USER_BLK_MAX_QUEUES,
--                                 NULL, &vu_block_iface,
-+                                 VHOST_USER_BLK_MAX_QUEUES, &vu_block_iface,
-                                  errp)) {
-         goto error;
-     }
-diff --git a/util/vhost-user-server.c b/util/vhost-user-server.c
-index XXXXXXX..XXXXXXX 100644
---- a/util/vhost-user-server.c
-+++ b/util/vhost-user-server.c
-@@ -XXX,XX +XXX,XX @@ static void panic_cb(VuDev *vu_dev, const char *buf)
-         close_client(server);
-     }
--    if (server->device_panic_notifier) {
--        server->device_panic_notifier(server);
--    }
--
-     /*
-      * Set the callback function for network listener so another
-      * vhost-user client can connect to this server
-@@ -XXX,XX +XXX,XX @@ bool vhost_user_server_start(VuServer *server,
-                              SocketAddress *socket_addr,
-                              AioContext *ctx,
-                              uint16_t max_queues,
--                             DevicePanicNotifierFn *device_panic_notifier,
-                              const VuDevIface *vu_iface,
-                              Error **errp)
- {
-@@ -XXX,XX +XXX,XX @@ bool vhost_user_server_start(VuServer *server,
-         .vu_iface              = vu_iface,
-         .max_queues            = max_queues,
-         .ctx                   = ctx,
--        .device_panic_notifier = device_panic_notifier,
-     };
-     qio_net_listener_set_name(server->listener, "vhost-user-backend-listener");
---
-.26.2

-[PULL v2 13/28] util/vhost-user-server: fix memory leak in vu_message_read()
+Deleted patch
-fds[] is leaked when qio_channel_readv_full() fails.
-Use vmsg->fds[] instead of keeping a local fds[] array. Then we can
-reuse goto fail to clean up fds. vmsg->fd_num must be zeroed before the
-loop to make this safe.
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-Message-id: 20200924151549.913737-8-stefanha@redhat.com
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- util/vhost-user-server.c | 50 ++++++++++++++++++----------------------
-file changed, 23 insertions(+), 27 deletions(-)
-diff --git a/util/vhost-user-server.c b/util/vhost-user-server.c
-index XXXXXXX..XXXXXXX 100644
---- a/util/vhost-user-server.c
-+++ b/util/vhost-user-server.c
-@@ -XXX,XX +XXX,XX @@ vu_message_read(VuDev *vu_dev, int conn_fd, VhostUserMsg *vmsg)
-     };
-     int rc, read_bytes = 0;
-     Error *local_err = NULL;
--    /*
--     * Store fds/nfds returned from qio_channel_readv_full into
--     * temporary variables.
--     *
--     * VhostUserMsg is a packed structure, gcc will complain about passing
--     * pointer to a packed structure member if we pass &VhostUserMsg.fd_num
--     * and &VhostUserMsg.fds directly when calling qio_channel_readv_full,
--     * thus two temporary variables nfds and fds are used here.
--     */
--    size_t nfds = 0, nfds_t = 0;
-     const size_t max_fds = G_N_ELEMENTS(vmsg->fds);
--    int *fds_t = NULL;
-     VuServer *server = container_of(vu_dev, VuServer, vu_dev);
-     QIOChannel *ioc = server->ioc;
-+    vmsg->fd_num = 0;
-     if (!ioc) {
-         error_report_err(local_err);
-         goto fail;
-@@ -XXX,XX +XXX,XX @@ vu_message_read(VuDev *vu_dev, int conn_fd, VhostUserMsg *vmsg)
-     assert(qemu_in_coroutine());
-     do {
-+        size_t nfds = 0;
-+        int *fds = NULL;
-+
-         /*
-          * qio_channel_readv_full may have short reads, keeping calling it
-          * until getting VHOST_USER_HDR_SIZE or 0 bytes in total
-          */
--        rc = qio_channel_readv_full(ioc, &iov, 1, &fds_t, &nfds_t, &local_err);
-+        rc = qio_channel_readv_full(ioc, &iov, 1, &fds, &nfds, &local_err);
-         if (rc < 0) {
-             if (rc == QIO_CHANNEL_ERR_BLOCK) {
-+                assert(local_err == NULL);
-                 qio_channel_yield(ioc, G_IO_IN);
-                 continue;
-             } else {
-                 error_report_err(local_err);
--                return false;
-+                goto fail;
-             }
-         }
--        read_bytes += rc;
--        if (nfds_t > 0) {
--            if (nfds + nfds_t > max_fds) {
-+
-+        if (nfds > 0) {
-+            if (vmsg->fd_num + nfds > max_fds) {
-                 error_report("A maximum of %zu fds are allowed, "
-                              "however got %zu fds now",
--                             max_fds, nfds + nfds_t);
-+                             max_fds, vmsg->fd_num + nfds);
-+                g_free(fds);
-                 goto fail;
-             }
--            memcpy(vmsg->fds + nfds, fds_t,
--                   nfds_t *sizeof(vmsg->fds[0]));
--            nfds += nfds_t;
--            g_free(fds_t);
-+            memcpy(vmsg->fds + vmsg->fd_num, fds, nfds * sizeof(vmsg->fds[0]));
-+            vmsg->fd_num += nfds;
-+            g_free(fds);
-         }
--        if (read_bytes == VHOST_USER_HDR_SIZE || rc == 0) {
--            break;
-+
-+        if (rc == 0) { /* socket closed */
-+            goto fail;
-         }
--        iov.iov_base = (char *)vmsg + read_bytes;
--        iov.iov_len = VHOST_USER_HDR_SIZE - read_bytes;
--    } while (true);
--    vmsg->fd_num = nfds;
-+        iov.iov_base += rc;
-+        iov.iov_len -= rc;
-+        read_bytes += rc;
-+    } while (read_bytes != VHOST_USER_HDR_SIZE);
-+
-     /* qio_channel_readv_full will make socket fds blocking, unblock them */
-     vmsg_unblock_fds(vmsg);
-     if (vmsg->size > sizeof(vmsg->payload)) {
---
-.26.2

-[PULL v2 14/28] util/vhost-user-server: check EOF when reading payload
+Deleted patch
-Unexpected EOF is an error that must be reported.
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-Message-id: 20200924151549.913737-9-stefanha@redhat.com
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- util/vhost-user-server.c | 6 ++++--
-file changed, 4 insertions(+), 2 deletions(-)
-diff --git a/util/vhost-user-server.c b/util/vhost-user-server.c
-index XXXXXXX..XXXXXXX 100644
---- a/util/vhost-user-server.c
-+++ b/util/vhost-user-server.c
-@@ -XXX,XX +XXX,XX @@ vu_message_read(VuDev *vu_dev, int conn_fd, VhostUserMsg *vmsg)
-     };
-     if (vmsg->size) {
-         rc = qio_channel_readv_all_eof(ioc, &iov_payload, 1, &local_err);
--        if (rc == -1) {
--            error_report_err(local_err);
-+        if (rc != 1) {
-+            if (local_err) {
-+                error_report_err(local_err);
-+            }
-             goto fail;
-         }
-     }
---
-.26.2

-[PULL v2 16/28] block/export: report flush errors
+Deleted patch
-Propagate the flush return value since errors are possible.
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-Message-id: 20200924151549.913737-11-stefanha@redhat.com
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- block/export/vhost-user-blk-server.c | 11 +++++++----
-file changed, 7 insertions(+), 4 deletions(-)
-diff --git a/block/export/vhost-user-blk-server.c b/block/export/vhost-user-blk-server.c
-index XXXXXXX..XXXXXXX 100644
---- a/block/export/vhost-user-blk-server.c
-+++ b/block/export/vhost-user-blk-server.c
-@@ -XXX,XX +XXX,XX @@ vu_block_discard_write_zeroes(VuBlockReq *req, struct iovec *iov,
-     return -EINVAL;
- }
--static void coroutine_fn vu_block_flush(VuBlockReq *req)
-+static int coroutine_fn vu_block_flush(VuBlockReq *req)
- {
-     VuBlockDev *vdev_blk = get_vu_block_device_by_server(req->server);
-     BlockBackend *backend = vdev_blk->backend;
--    blk_co_flush(backend);
-+    return blk_co_flush(backend);
- }
- static void coroutine_fn vu_block_virtio_process_req(void *opaque)
-@@ -XXX,XX +XXX,XX @@ static void coroutine_fn vu_block_virtio_process_req(void *opaque)
-         break;
-     }
-     case VIRTIO_BLK_T_FLUSH:
--        vu_block_flush(req);
--        req->in->status = VIRTIO_BLK_S_OK;
-+        if (vu_block_flush(req) == 0) {
-+            req->in->status = VIRTIO_BLK_S_OK;
-+        } else {
-+            req->in->status = VIRTIO_BLK_S_IOERR;
-+        }
-         break;
-     case VIRTIO_BLK_T_GET_ID: {
-         size_t size = MIN(iov_size(&elem->in_sg[0], in_num),
---
-.26.2

-[PULL v2 17/28] block/export: convert vhost-user-blk server to block export API
+Deleted patch
-Use the new QAPI block exports API instead of defining our own QOM
-objects.
-This is a large change because the lifecycle of VuBlockDev needs to
-follow BlockExportDriver. QOM properties are replaced by QAPI options
-objects.
-VuBlockDev is renamed VuBlkExport and contains a BlockExport field.
-Several fields can be dropped since BlockExport already has equivalents.
-The file names and meson build integration will be adjusted in a future
-patch. libvhost-user should probably be built as a static library that
-is linked into QEMU instead of as a .c file that results in duplicate
-compilation.
-The new command-line syntax is:
-  $ qemu-storage-daemon \
-      --blockdev file,node-name=drive0,filename=test.img \
-      --export vhost-user-blk,node-name=drive0,id=export0,unix-socket=/tmp/vhost-user-blk.sock
-Note that unix-socket is optional because we may wish to accept chardevs
-too in the future.
-Markus noted that supported address families are not explicit in the
-QAPI schema. It is unlikely that support for more address families will
-be added since file descriptor passing is required and few address
-families support it. If a new address family needs to be added, then the
-QAPI 'features' syntax can be used to advertize them.
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-Acked-by: Markus Armbruster <armbru@redhat.com>
-Message-id: 20200924151549.913737-12-stefanha@redhat.com
-[Skip test on big-endian host architectures because this device doesn't
-support them yet (as already mentioned in a code comment).
---Stefan]
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- qapi/block-export.json               |  21 +-
- block/export/vhost-user-blk-server.h |  23 +-
- block/export/export.c                |   6 +
- block/export/vhost-user-blk-server.c | 452 +++++++--------------------
- util/vhost-user-server.c             |  10 +-
- block/export/meson.build             |   1 +
- block/meson.build                    |   1 -
-files changed, 156 insertions(+), 358 deletions(-)
-diff --git a/qapi/block-export.json b/qapi/block-export.json
-index XXXXXXX..XXXXXXX 100644
---- a/qapi/block-export.json
-+++ b/qapi/block-export.json
-@@ -XXX,XX +XXX,XX @@
-   'data': { '*name': 'str', '*description': 'str',
-             '*bitmap': 'str' } }
-+##
-+# @BlockExportOptionsVhostUserBlk:
-+#
-+# A vhost-user-blk block export.
-+#
-+# @addr: The vhost-user socket on which to listen. Both 'unix' and 'fd'
-+#        SocketAddress types are supported. Passed fds must be UNIX domain
-+#        sockets.
-+# @logical-block-size: Logical block size in bytes. Defaults to 512 bytes.
-+#
-+# Since: 5.2
-+##
-+{ 'struct': 'BlockExportOptionsVhostUserBlk',
-+  'data': { 'addr': 'SocketAddress', '*logical-block-size': 'size' } }
-+
- ##
- # @NbdServerAddOptions:
- #
-@@ -XXX,XX +XXX,XX @@
- # An enumeration of block export types
- #
- # @nbd: NBD export
-+# @vhost-user-blk: vhost-user-blk export (since 5.2)
- #
- # Since: 4.2
- ##
- { 'enum': 'BlockExportType',
--  'data': [ 'nbd' ] }
-+  'data': [ 'nbd', 'vhost-user-blk' ] }
- ##
- # @BlockExportOptions:
-@@ -XXX,XX +XXX,XX @@
-             '*writethrough': 'bool' },
-   'discriminator': 'type',
-   'data': {
--      'nbd': 'BlockExportOptionsNbd'
-+      'nbd': 'BlockExportOptionsNbd',
-+      'vhost-user-blk': 'BlockExportOptionsVhostUserBlk'
-    } }
- ##
-diff --git a/block/export/vhost-user-blk-server.h b/block/export/vhost-user-blk-server.h
-index XXXXXXX..XXXXXXX 100644
---- a/block/export/vhost-user-blk-server.h
-+++ b/block/export/vhost-user-blk-server.h
-@@ -XXX,XX +XXX,XX @@
- #ifndef VHOST_USER_BLK_SERVER_H
- #define VHOST_USER_BLK_SERVER_H
--#include "util/vhost-user-server.h"
--typedef struct VuBlockDev VuBlockDev;
--#define TYPE_VHOST_USER_BLK_SERVER "vhost-user-blk-server"
--#define VHOST_USER_BLK_SERVER(obj) \
--   OBJECT_CHECK(VuBlockDev, obj, TYPE_VHOST_USER_BLK_SERVER)
-+#include "block/export.h"
--/* vhost user block device */
--struct VuBlockDev {
--    Object parent_obj;
--    char *node_name;
--    SocketAddress *addr;
--    AioContext *ctx;
--    VuServer vu_server;
--    bool running;
--    uint32_t blk_size;
--    BlockBackend *backend;
--    QIOChannelSocket *sioc;
--    QTAILQ_ENTRY(VuBlockDev) next;
--    struct virtio_blk_config blkcfg;
--    bool writable;
--};
-+/* For block/export/export.c */
-+extern const BlockExportDriver blk_exp_vhost_user_blk;
- #endif /* VHOST_USER_BLK_SERVER_H */
-diff --git a/block/export/export.c b/block/export/export.c
-index XXXXXXX..XXXXXXX 100644
---- a/block/export/export.c
-+++ b/block/export/export.c
-@@ -XXX,XX +XXX,XX @@
- #include "sysemu/block-backend.h"
- #include "block/export.h"
- #include "block/nbd.h"
-+#if CONFIG_LINUX
-+#include "block/export/vhost-user-blk-server.h"
-+#endif
- #include "qapi/error.h"
- #include "qapi/qapi-commands-block-export.h"
- #include "qapi/qapi-events-block-export.h"
-@@ -XXX,XX +XXX,XX @@
- static const BlockExportDriver *blk_exp_drivers[] = {
-     &blk_exp_nbd,
-+#if CONFIG_LINUX
-+    &blk_exp_vhost_user_blk,
-+#endif
- };
- /* Only accessed from the main thread */
-diff --git a/block/export/vhost-user-blk-server.c b/block/export/vhost-user-blk-server.c
-index XXXXXXX..XXXXXXX 100644
---- a/block/export/vhost-user-blk-server.c
-+++ b/block/export/vhost-user-blk-server.c
-@@ -XXX,XX +XXX,XX @@
-  */
- #include "qemu/osdep.h"
- #include "block/block.h"
-+#include "contrib/libvhost-user/libvhost-user.h"
-+#include "standard-headers/linux/virtio_blk.h"
-+#include "util/vhost-user-server.h"
- #include "vhost-user-blk-server.h"
- #include "qapi/error.h"
- #include "qom/object_interfaces.h"
-@@ -XXX,XX +XXX,XX @@ struct virtio_blk_inhdr {
-     unsigned char status;
- };
--typedef struct VuBlockReq {
-+typedef struct VuBlkReq {
-     VuVirtqElement elem;
-     int64_t sector_num;
-     size_t size;
-@@ -XXX,XX +XXX,XX @@ typedef struct VuBlockReq {
-     struct virtio_blk_outhdr out;
-     VuServer *server;
-     struct VuVirtq *vq;
--} VuBlockReq;
-+} VuBlkReq;
--static void vu_block_req_complete(VuBlockReq *req)
-+/* vhost user block device */
-+typedef struct {
-+    BlockExport export;
-+    VuServer vu_server;
-+    uint32_t blk_size;
-+    QIOChannelSocket *sioc;
-+    struct virtio_blk_config blkcfg;
-+    bool writable;
-+} VuBlkExport;
-+
-+static void vu_blk_req_complete(VuBlkReq *req)
- {
-     VuDev *vu_dev = &req->server->vu_dev;
-@@ -XXX,XX +XXX,XX @@ static void vu_block_req_complete(VuBlockReq *req)
-     free(req);
- }
--static VuBlockDev *get_vu_block_device_by_server(VuServer *server)
--{
--    return container_of(server, VuBlockDev, vu_server);
--}
--
- static int coroutine_fn
--vu_block_discard_write_zeroes(VuBlockReq *req, struct iovec *iov,
--                              uint32_t iovcnt, uint32_t type)
-+vu_blk_discard_write_zeroes(BlockBackend *blk, struct iovec *iov,
-+                            uint32_t iovcnt, uint32_t type)
- {
-     struct virtio_blk_discard_write_zeroes desc;
-     ssize_t size = iov_to_buf(iov, iovcnt, 0, &desc, sizeof(desc));
-@@ -XXX,XX +XXX,XX @@ vu_block_discard_write_zeroes(VuBlockReq *req, struct iovec *iov,
-         return -EINVAL;
-     }
--    VuBlockDev *vdev_blk = get_vu_block_device_by_server(req->server);
-     uint64_t range[2] = { le64_to_cpu(desc.sector) << 9,
-                           le32_to_cpu(desc.num_sectors) << 9 };
-     if (type == VIRTIO_BLK_T_DISCARD) {
--        if (blk_co_pdiscard(vdev_blk->backend, range[0], range[1]) == 0) {
-+        if (blk_co_pdiscard(blk, range[0], range[1]) == 0) {
-             return 0;
-         }
-     } else if (type == VIRTIO_BLK_T_WRITE_ZEROES) {
--        if (blk_co_pwrite_zeroes(vdev_blk->backend,
--                                 range[0], range[1], 0) == 0) {
-+        if (blk_co_pwrite_zeroes(blk, range[0], range[1], 0) == 0) {
-             return 0;
-         }
-     }
-@@ -XXX,XX +XXX,XX @@ vu_block_discard_write_zeroes(VuBlockReq *req, struct iovec *iov,
-     return -EINVAL;
- }
--static int coroutine_fn vu_block_flush(VuBlockReq *req)
-+static void coroutine_fn vu_blk_virtio_process_req(void *opaque)
- {
--    VuBlockDev *vdev_blk = get_vu_block_device_by_server(req->server);
--    BlockBackend *backend = vdev_blk->backend;
--    return blk_co_flush(backend);
--}
--
--static void coroutine_fn vu_block_virtio_process_req(void *opaque)
--{
--    VuBlockReq *req = opaque;
-+    VuBlkReq *req = opaque;
-     VuServer *server = req->server;
-     VuVirtqElement *elem = &req->elem;
-     uint32_t type;
--    VuBlockDev *vdev_blk = get_vu_block_device_by_server(server);
--    BlockBackend *backend = vdev_blk->backend;
-+    VuBlkExport *vexp = container_of(server, VuBlkExport, vu_server);
-+    BlockBackend *blk = vexp->export.blk;
-     struct iovec *in_iov = elem->in_sg;
-     struct iovec *out_iov = elem->out_sg;
-@@ -XXX,XX +XXX,XX @@ static void coroutine_fn vu_block_virtio_process_req(void *opaque)
-         bool is_write = type & VIRTIO_BLK_T_OUT;
-         req->sector_num = le64_to_cpu(req->out.sector);
--        int64_t offset = req->sector_num * vdev_blk->blk_size;
-+        if (is_write && !vexp->writable) {
-+            req->in->status = VIRTIO_BLK_S_IOERR;
-+            break;
-+        }
-+
-+        int64_t offset = req->sector_num * vexp->blk_size;
-         QEMUIOVector qiov;
-         if (is_write) {
-             qemu_iovec_init_external(&qiov, out_iov, out_num);
--            ret = blk_co_pwritev(backend, offset, qiov.size,
--                                 &qiov, 0);
-+            ret = blk_co_pwritev(blk, offset, qiov.size, &qiov, 0);
-         } else {
-             qemu_iovec_init_external(&qiov, in_iov, in_num);
--            ret = blk_co_preadv(backend, offset, qiov.size,
--                                &qiov, 0);
-+            ret = blk_co_preadv(blk, offset, qiov.size, &qiov, 0);
-         }
-         if (ret >= 0) {
-             req->in->status = VIRTIO_BLK_S_OK;
-@@ -XXX,XX +XXX,XX @@ static void coroutine_fn vu_block_virtio_process_req(void *opaque)
-         break;
-     }
-     case VIRTIO_BLK_T_FLUSH:
--        if (vu_block_flush(req) == 0) {
-+        if (blk_co_flush(blk) == 0) {
-             req->in->status = VIRTIO_BLK_S_OK;
-         } else {
-             req->in->status = VIRTIO_BLK_S_IOERR;
-@@ -XXX,XX +XXX,XX @@ static void coroutine_fn vu_block_virtio_process_req(void *opaque)
-     case VIRTIO_BLK_T_DISCARD:
-     case VIRTIO_BLK_T_WRITE_ZEROES: {
-         int rc;
--        rc = vu_block_discard_write_zeroes(req, &elem->out_sg[1],
--                                           out_num, type);
-+
-+        if (!vexp->writable) {
-+            req->in->status = VIRTIO_BLK_S_IOERR;
-+            break;
-+        }
-+
-+        rc = vu_blk_discard_write_zeroes(blk, &elem->out_sg[1], out_num, type);
-         if (rc == 0) {
-             req->in->status = VIRTIO_BLK_S_OK;
-         } else {
-@@ -XXX,XX +XXX,XX @@ static void coroutine_fn vu_block_virtio_process_req(void *opaque)
-         break;
-     }
--    vu_block_req_complete(req);
-+    vu_blk_req_complete(req);
-     return;
- err:
--    free(elem);
-+    free(req);
- }
--static void vu_block_process_vq(VuDev *vu_dev, int idx)
-+static void vu_blk_process_vq(VuDev *vu_dev, int idx)
- {
-     VuServer *server = container_of(vu_dev, VuServer, vu_dev);
-     VuVirtq *vq = vu_get_queue(vu_dev, idx);
-     while (1) {
--        VuBlockReq *req;
-+        VuBlkReq *req;
--        req = vu_queue_pop(vu_dev, vq, sizeof(VuBlockReq));
-+        req = vu_queue_pop(vu_dev, vq, sizeof(VuBlkReq));
-         if (!req) {
-             break;
-         }
-@@ -XXX,XX +XXX,XX @@ static void vu_block_process_vq(VuDev *vu_dev, int idx)
-         req->vq = vq;
-         Coroutine *co =
--            qemu_coroutine_create(vu_block_virtio_process_req, req);
-+            qemu_coroutine_create(vu_blk_virtio_process_req, req);
-         qemu_coroutine_enter(co);
-     }
- }
--static void vu_block_queue_set_started(VuDev *vu_dev, int idx, bool started)
-+static void vu_blk_queue_set_started(VuDev *vu_dev, int idx, bool started)
- {
-     VuVirtq *vq;
-     assert(vu_dev);
-     vq = vu_get_queue(vu_dev, idx);
--    vu_set_queue_handler(vu_dev, vq, started ? vu_block_process_vq : NULL);
-+    vu_set_queue_handler(vu_dev, vq, started ? vu_blk_process_vq : NULL);
- }
--static uint64_t vu_block_get_features(VuDev *dev)
-+static uint64_t vu_blk_get_features(VuDev *dev)
- {
-     uint64_t features;
-     VuServer *server = container_of(dev, VuServer, vu_dev);
--    VuBlockDev *vdev_blk = get_vu_block_device_by_server(server);
-+    VuBlkExport *vexp = container_of(server, VuBlkExport, vu_server);
-     features = 1ull << VIRTIO_BLK_F_SIZE_MAX |
-ull << VIRTIO_BLK_F_SEG_MAX |
-ull << VIRTIO_BLK_F_TOPOLOGY |
-@@ -XXX,XX +XXX,XX @@ static uint64_t vu_block_get_features(VuDev *dev)
-ull << VIRTIO_RING_F_EVENT_IDX |
-ull << VHOST_USER_F_PROTOCOL_FEATURES;
--    if (!vdev_blk->writable) {
-+    if (!vexp->writable) {
-         features |= 1ull << VIRTIO_BLK_F_RO;
-     }
-     return features;
- }
--static uint64_t vu_block_get_protocol_features(VuDev *dev)
-+static uint64_t vu_blk_get_protocol_features(VuDev *dev)
- {
-     return 1ull << VHOST_USER_PROTOCOL_F_CONFIG |
-ull << VHOST_USER_PROTOCOL_F_INFLIGHT_SHMFD;
- }
- static int
--vu_block_get_config(VuDev *vu_dev, uint8_t *config, uint32_t len)
-+vu_blk_get_config(VuDev *vu_dev, uint8_t *config, uint32_t len)
- {
-+    /* TODO blkcfg must be little-endian for VIRTIO 1.0 */
-     VuServer *server = container_of(vu_dev, VuServer, vu_dev);
--    VuBlockDev *vdev_blk = get_vu_block_device_by_server(server);
--    memcpy(config, &vdev_blk->blkcfg, len);
--
-+    VuBlkExport *vexp = container_of(server, VuBlkExport, vu_server);
-+    memcpy(config, &vexp->blkcfg, len);
-     return 0;
- }
- static int
--vu_block_set_config(VuDev *vu_dev, const uint8_t *data,
-+vu_blk_set_config(VuDev *vu_dev, const uint8_t *data,
-                     uint32_t offset, uint32_t size, uint32_t flags)
- {
-     VuServer *server = container_of(vu_dev, VuServer, vu_dev);
--    VuBlockDev *vdev_blk = get_vu_block_device_by_server(server);
-+    VuBlkExport *vexp = container_of(server, VuBlkExport, vu_server);
-     uint8_t wce;
-     /* don't support live migration */
-@@ -XXX,XX +XXX,XX @@ vu_block_set_config(VuDev *vu_dev, const uint8_t *data,
-     }
-     wce = *data;
--    vdev_blk->blkcfg.wce = wce;
--    blk_set_enable_write_cache(vdev_blk->backend, wce);
-+    vexp->blkcfg.wce = wce;
-+    blk_set_enable_write_cache(vexp->export.blk, wce);
-     return 0;
- }
-@@ -XXX,XX +XXX,XX @@ vu_block_set_config(VuDev *vu_dev, const uint8_t *data,
-  * of vu_process_message.
-  *
-  */
--static int vu_block_process_msg(VuDev *dev, VhostUserMsg *vmsg, int *do_reply)
-+static int vu_blk_process_msg(VuDev *dev, VhostUserMsg *vmsg, int *do_reply)
- {
-     if (vmsg->request == VHOST_USER_NONE) {
-         dev->panic(dev, "disconnect");
-@@ -XXX,XX +XXX,XX @@ static int vu_block_process_msg(VuDev *dev, VhostUserMsg *vmsg, int *do_reply)
-     return false;
- }
--static const VuDevIface vu_block_iface = {
--    .get_features          = vu_block_get_features,
--    .queue_set_started     = vu_block_queue_set_started,
--    .get_protocol_features = vu_block_get_protocol_features,
--    .get_config            = vu_block_get_config,
--    .set_config            = vu_block_set_config,
--    .process_msg           = vu_block_process_msg,
-+static const VuDevIface vu_blk_iface = {
-+    .get_features          = vu_blk_get_features,
-+    .queue_set_started     = vu_blk_queue_set_started,
-+    .get_protocol_features = vu_blk_get_protocol_features,
-+    .get_config            = vu_blk_get_config,
-+    .set_config            = vu_blk_set_config,
-+    .process_msg           = vu_blk_process_msg,
- };
- static void blk_aio_attached(AioContext *ctx, void *opaque)
- {
--    VuBlockDev *vub_dev = opaque;
--    vhost_user_server_attach_aio_context(&vub_dev->vu_server, ctx);
-+    VuBlkExport *vexp = opaque;
-+    vhost_user_server_attach_aio_context(&vexp->vu_server, ctx);
- }
- static void blk_aio_detach(void *opaque)
- {
--    VuBlockDev *vub_dev = opaque;
--    vhost_user_server_detach_aio_context(&vub_dev->vu_server);
-+    VuBlkExport *vexp = opaque;
-+    vhost_user_server_detach_aio_context(&vexp->vu_server);
- }
- static void
--vu_block_initialize_config(BlockDriverState *bs,
-+vu_blk_initialize_config(BlockDriverState *bs,
-                            struct virtio_blk_config *config, uint32_t blk_size)
- {
-     config->capacity = bdrv_getlength(bs) >> BDRV_SECTOR_BITS;
-@@ -XXX,XX +XXX,XX @@ vu_block_initialize_config(BlockDriverState *bs,
-     config->max_write_zeroes_seg = 1;
- }
--static VuBlockDev *vu_block_init(VuBlockDev *vu_block_device, Error **errp)
-+static void vu_blk_exp_request_shutdown(BlockExport *exp)
- {
-+    VuBlkExport *vexp = container_of(exp, VuBlkExport, export);
--    BlockBackend *blk;
--    Error *local_error = NULL;
--    const char *node_name = vu_block_device->node_name;
--    bool writable = vu_block_device->writable;
--    uint64_t perm = BLK_PERM_CONSISTENT_READ;
--    int ret;
--
--    AioContext *ctx;
--
--    BlockDriverState *bs = bdrv_lookup_bs(node_name, node_name, &local_error);
--
--    if (!bs) {
--        error_propagate(errp, local_error);
--        return NULL;
--    }
--
--    if (bdrv_is_read_only(bs)) {
--        writable = false;
--    }
--
--    if (writable) {
--        perm |= BLK_PERM_WRITE;
--    }
--
--    ctx = bdrv_get_aio_context(bs);
--    aio_context_acquire(ctx);
--    bdrv_invalidate_cache(bs, NULL);
--    aio_context_release(ctx);
--
--    /*
--     * Don't allow resize while the vhost user server is running,
--     * otherwise we don't care what happens with the node.
--     */
--    blk = blk_new(bdrv_get_aio_context(bs), perm,
--                  BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE_UNCHANGED |
--                  BLK_PERM_WRITE | BLK_PERM_GRAPH_MOD);
--    ret = blk_insert_bs(blk, bs, errp);
--
--    if (ret < 0) {
--        goto fail;
--    }
--
--    blk_set_enable_write_cache(blk, false);
--
--    blk_set_allow_aio_context_change(blk, true);
--
--    vu_block_device->blkcfg.wce = 0;
--    vu_block_device->backend = blk;
--    if (!vu_block_device->blk_size) {
--        vu_block_device->blk_size = BDRV_SECTOR_SIZE;
--    }
--    vu_block_device->blkcfg.blk_size = vu_block_device->blk_size;
--    blk_set_guest_block_size(blk, vu_block_device->blk_size);
--    vu_block_initialize_config(bs, &vu_block_device->blkcfg,
--                                   vu_block_device->blk_size);
--    return vu_block_device;
--
--fail:
--    blk_unref(blk);
--    return NULL;
--}
--
--static void vu_block_deinit(VuBlockDev *vu_block_device)
--{
--    if (vu_block_device->backend) {
--        blk_remove_aio_context_notifier(vu_block_device->backend, blk_aio_attached,
--                                        blk_aio_detach, vu_block_device);
--    }
--
--    blk_unref(vu_block_device->backend);
--}
--
--static void vhost_user_blk_server_stop(VuBlockDev *vu_block_device)
--{
--    vhost_user_server_stop(&vu_block_device->vu_server);
--    vu_block_deinit(vu_block_device);
--}
--
--static void vhost_user_blk_server_start(VuBlockDev *vu_block_device,
--                                        Error **errp)
--{
--    AioContext *ctx;
--    SocketAddress *addr = vu_block_device->addr;
--
--    if (!vu_block_init(vu_block_device, errp)) {
--        return;
--    }
--
--    ctx = bdrv_get_aio_context(blk_bs(vu_block_device->backend));
--
--    if (!vhost_user_server_start(&vu_block_device->vu_server, addr, ctx,
--                                 VHOST_USER_BLK_MAX_QUEUES, &vu_block_iface,
--                                 errp)) {
--        goto error;
--    }
--
--    blk_add_aio_context_notifier(vu_block_device->backend, blk_aio_attached,
--                                 blk_aio_detach, vu_block_device);
--    vu_block_device->running = true;
--    return;
--
-- error:
--    vu_block_deinit(vu_block_device);
--}
--
--static bool vu_prop_modifiable(VuBlockDev *vus, Error **errp)
--{
--    if (vus->running) {
--            error_setg(errp, "The property can't be modified "
--                       "while the server is running");
--            return false;
--    }
--    return true;
--}
--
--static void vu_set_node_name(Object *obj, const char *value, Error **errp)
--{
--    VuBlockDev *vus = VHOST_USER_BLK_SERVER(obj);
--
--    if (!vu_prop_modifiable(vus, errp)) {
--        return;
--    }
--
--    if (vus->node_name) {
--        g_free(vus->node_name);
--    }
--
--    vus->node_name = g_strdup(value);
--}
--
--static char *vu_get_node_name(Object *obj, Error **errp)
--{
--    VuBlockDev *vus = VHOST_USER_BLK_SERVER(obj);
--    return g_strdup(vus->node_name);
--}
--
--static void free_socket_addr(SocketAddress *addr)
--{
--        g_free(addr->u.q_unix.path);
--        g_free(addr);
--}
--
--static void vu_set_unix_socket(Object *obj, const char *value,
--                               Error **errp)
--{
--    VuBlockDev *vus = VHOST_USER_BLK_SERVER(obj);
--
--    if (!vu_prop_modifiable(vus, errp)) {
--        return;
--    }
--
--    if (vus->addr) {
--        free_socket_addr(vus->addr);
--    }
--
--    SocketAddress *addr = g_new0(SocketAddress, 1);
--    addr->type = SOCKET_ADDRESS_TYPE_UNIX;
--    addr->u.q_unix.path = g_strdup(value);
--    vus->addr = addr;
-+    vhost_user_server_stop(&vexp->vu_server);
- }
--static char *vu_get_unix_socket(Object *obj, Error **errp)
-+static int vu_blk_exp_create(BlockExport *exp, BlockExportOptions *opts,
-+                             Error **errp)
- {
--    VuBlockDev *vus = VHOST_USER_BLK_SERVER(obj);
--    return g_strdup(vus->addr->u.q_unix.path);
--}
--
--static bool vu_get_block_writable(Object *obj, Error **errp)
--{
--    VuBlockDev *vus = VHOST_USER_BLK_SERVER(obj);
--    return vus->writable;
--}
--
--static void vu_set_block_writable(Object *obj, bool value, Error **errp)
--{
--    VuBlockDev *vus = VHOST_USER_BLK_SERVER(obj);
--
--    if (!vu_prop_modifiable(vus, errp)) {
--            return;
--    }
--
--    vus->writable = value;
--}
--
--static void vu_get_blk_size(Object *obj, Visitor *v, const char *name,
--                            void *opaque, Error **errp)
--{
--    VuBlockDev *vus = VHOST_USER_BLK_SERVER(obj);
--    uint32_t value = vus->blk_size;
--
--    visit_type_uint32(v, name, &value, errp);
--}
--
--static void vu_set_blk_size(Object *obj, Visitor *v, const char *name,
--                            void *opaque, Error **errp)
--{
--    VuBlockDev *vus = VHOST_USER_BLK_SERVER(obj);
--
-+    VuBlkExport *vexp = container_of(exp, VuBlkExport, export);
-+    BlockExportOptionsVhostUserBlk *vu_opts = &opts->u.vhost_user_blk;
-     Error *local_err = NULL;
--    uint32_t value;
-+    uint64_t logical_block_size;
--    if (!vu_prop_modifiable(vus, errp)) {
--            return;
--    }
-+    vexp->writable = opts->writable;
-+    vexp->blkcfg.wce = 0;
--    visit_type_uint32(v, name, &value, &local_err);
--    if (local_err) {
--        goto out;
-+    if (vu_opts->has_logical_block_size) {
-+        logical_block_size = vu_opts->logical_block_size;
-+    } else {
-+        logical_block_size = BDRV_SECTOR_SIZE;
-     }
--
--    check_block_size(object_get_typename(obj), name, value, &local_err);
-+    check_block_size(exp->id, "logical-block-size", logical_block_size,
-+                     &local_err);
-     if (local_err) {
--        goto out;
-+        error_propagate(errp, local_err);
-+        return -EINVAL;
-+    }
-+    vexp->blk_size = logical_block_size;
-+    blk_set_guest_block_size(exp->blk, logical_block_size);
-+    vu_blk_initialize_config(blk_bs(exp->blk), &vexp->blkcfg,
-+                               logical_block_size);
-+
-+    blk_set_allow_aio_context_change(exp->blk, true);
-+    blk_add_aio_context_notifier(exp->blk, blk_aio_attached, blk_aio_detach,
-+                                 vexp);
-+
-+    if (!vhost_user_server_start(&vexp->vu_server, vu_opts->addr, exp->ctx,
-+                                 VHOST_USER_BLK_MAX_QUEUES, &vu_blk_iface,
-+                                 errp)) {
-+        blk_remove_aio_context_notifier(exp->blk, blk_aio_attached,
-+                                        blk_aio_detach, vexp);
-+        return -EADDRNOTAVAIL;
-     }
--    vus->blk_size = value;
--
--out:
--    error_propagate(errp, local_err);
--}
--
--static void vhost_user_blk_server_instance_finalize(Object *obj)
--{
--    VuBlockDev *vub = VHOST_USER_BLK_SERVER(obj);
--
--    vhost_user_blk_server_stop(vub);
--
--    /*
--     * Unlike object_property_add_str, object_class_property_add_str
--     * doesn't have a release method. Thus manual memory freeing is
--     * needed.
--     */
--    free_socket_addr(vub->addr);
--    g_free(vub->node_name);
--}
--
--static void vhost_user_blk_server_complete(UserCreatable *obj, Error **errp)
--{
--    VuBlockDev *vub = VHOST_USER_BLK_SERVER(obj);
--
--    vhost_user_blk_server_start(vub, errp);
-+    return 0;
- }
--static void vhost_user_blk_server_class_init(ObjectClass *klass,
--                                             void *class_data)
-+static void vu_blk_exp_delete(BlockExport *exp)
- {
--    UserCreatableClass *ucc = USER_CREATABLE_CLASS(klass);
--    ucc->complete = vhost_user_blk_server_complete;
--
--    object_class_property_add_bool(klass, "writable",
--                                   vu_get_block_writable,
--                                   vu_set_block_writable);
--
--    object_class_property_add_str(klass, "node-name",
--                                  vu_get_node_name,
--                                  vu_set_node_name);
--
--    object_class_property_add_str(klass, "unix-socket",
--                                  vu_get_unix_socket,
--                                  vu_set_unix_socket);
-+    VuBlkExport *vexp = container_of(exp, VuBlkExport, export);
--    object_class_property_add(klass, "logical-block-size", "uint32",
--                              vu_get_blk_size, vu_set_blk_size,
--                              NULL, NULL);
-+    blk_remove_aio_context_notifier(exp->blk, blk_aio_attached, blk_aio_detach,
-+                                    vexp);
- }
--static const TypeInfo vhost_user_blk_server_info = {
--    .name = TYPE_VHOST_USER_BLK_SERVER,
--    .parent = TYPE_OBJECT,
--    .instance_size = sizeof(VuBlockDev),
--    .instance_finalize = vhost_user_blk_server_instance_finalize,
--    .class_init = vhost_user_blk_server_class_init,
--    .interfaces = (InterfaceInfo[]) {
--        {TYPE_USER_CREATABLE},
--        {}
--    },
-+const BlockExportDriver blk_exp_vhost_user_blk = {
-+    .type               = BLOCK_EXPORT_TYPE_VHOST_USER_BLK,
-+    .instance_size      = sizeof(VuBlkExport),
-+    .create             = vu_blk_exp_create,
-+    .delete             = vu_blk_exp_delete,
-+    .request_shutdown   = vu_blk_exp_request_shutdown,
- };
--
--static void vhost_user_blk_server_register_types(void)
--{
--    type_register_static(&vhost_user_blk_server_info);
--}
--
--type_init(vhost_user_blk_server_register_types)
-diff --git a/util/vhost-user-server.c b/util/vhost-user-server.c
-index XXXXXXX..XXXXXXX 100644
---- a/util/vhost-user-server.c
-+++ b/util/vhost-user-server.c
-@@ -XXX,XX +XXX,XX @@ bool vhost_user_server_start(VuServer *server,
-                              Error **errp)
- {
-     QEMUBH *bh;
--    QIONetListener *listener = qio_net_listener_new();
-+    QIONetListener *listener;
-+
-+    if (socket_addr->type != SOCKET_ADDRESS_TYPE_UNIX &&
-+        socket_addr->type != SOCKET_ADDRESS_TYPE_FD) {
-+        error_setg(errp, "Only socket address types 'unix' and 'fd' are supported");
-+        return false;
-+    }
-+
-+    listener = qio_net_listener_new();
-     if (qio_net_listener_open_sync(listener, socket_addr, 1,
-                                    errp) < 0) {
-         object_unref(OBJECT(listener));
-diff --git a/block/export/meson.build b/block/export/meson.build
-index XXXXXXX..XXXXXXX 100644
---- a/block/export/meson.build
-+++ b/block/export/meson.build
-@@ -1 +1,2 @@
- block_ss.add(files('export.c'))
-+block_ss.add(when: 'CONFIG_LINUX', if_true: files('vhost-user-blk-server.c', '../../contrib/libvhost-user/libvhost-user.c'))
-diff --git a/block/meson.build b/block/meson.build
-index XXXXXXX..XXXXXXX 100644
---- a/block/meson.build
-+++ b/block/meson.build
-@@ -XXX,XX +XXX,XX @@ block_ss.add(when: 'CONFIG_WIN32', if_true: files('file-win32.c', 'win32-aio.c')
- block_ss.add(when: 'CONFIG_POSIX', if_true: [files('file-posix.c'), coref, iokit])
- block_ss.add(when: 'CONFIG_LIBISCSI', if_true: files('iscsi-opts.c'))
- block_ss.add(when: 'CONFIG_LINUX', if_true: files('nvme.c'))
--block_ss.add(when: 'CONFIG_LINUX', if_true: files('export/vhost-user-blk-server.c', '../contrib/libvhost-user/libvhost-user.c'))
- block_ss.add(when: 'CONFIG_REPLICATION', if_true: files('replication.c'))
- block_ss.add(when: 'CONFIG_SHEEPDOG', if_true: files('sheepdog.c'))
- block_ss.add(when: ['CONFIG_LINUX_AIO', libaio], if_true: files('linux-aio.c'))
---
-.26.2

-[PULL v2 18/28] util/vhost-user-server: move header to include/
+Deleted patch
-Headers used by other subsystems are located in include/. Also add the
-vhost-user-server and vhost-user-blk-server headers to MAINTAINERS.
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-Message-id: 20200924151549.913737-13-stefanha@redhat.com
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- MAINTAINERS                                | 4 +++-
- {util => include/qemu}/vhost-user-server.h | 0
- block/export/vhost-user-blk-server.c       | 2 +-
- util/vhost-user-server.c                   | 2 +-
-files changed, 5 insertions(+), 3 deletions(-)
- rename {util => include/qemu}/vhost-user-server.h (100%)
-diff --git a/MAINTAINERS b/MAINTAINERS
-index XXXXXXX..XXXXXXX 100644
---- a/MAINTAINERS
-+++ b/MAINTAINERS
-@@ -XXX,XX +XXX,XX @@ Vhost-user block device backend server
- M: Coiby Xu <Coiby.Xu@gmail.com>
- S: Maintained
- F: block/export/vhost-user-blk-server.c
--F: util/vhost-user-server.c
-+F: block/export/vhost-user-blk-server.h
-+F: include/qemu/vhost-user-server.h
- F: tests/qtest/libqos/vhost-user-blk.c
-+F: util/vhost-user-server.c
- Replication
- M: Wen Congyang <wencongyang2@huawei.com>
-diff --git a/util/vhost-user-server.h b/include/qemu/vhost-user-server.h
-similarity index 100%
-rename from util/vhost-user-server.h
-rename to include/qemu/vhost-user-server.h
-diff --git a/block/export/vhost-user-blk-server.c b/block/export/vhost-user-blk-server.c
-index XXXXXXX..XXXXXXX 100644
---- a/block/export/vhost-user-blk-server.c
-+++ b/block/export/vhost-user-blk-server.c
-@@ -XXX,XX +XXX,XX @@
- #include "block/block.h"
- #include "contrib/libvhost-user/libvhost-user.h"
- #include "standard-headers/linux/virtio_blk.h"
--#include "util/vhost-user-server.h"
-+#include "qemu/vhost-user-server.h"
- #include "vhost-user-blk-server.h"
- #include "qapi/error.h"
- #include "qom/object_interfaces.h"
-diff --git a/util/vhost-user-server.c b/util/vhost-user-server.c
-index XXXXXXX..XXXXXXX 100644
---- a/util/vhost-user-server.c
-+++ b/util/vhost-user-server.c
-@@ -XXX,XX +XXX,XX @@
-  */
- #include "qemu/osdep.h"
- #include "qemu/main-loop.h"
-+#include "qemu/vhost-user-server.h"
- #include "block/aio-wait.h"
--#include "vhost-user-server.h"
- /*
-  * Theory of operation:
---
-.26.2

-[PULL v2 19/28] util/vhost-user-server: use static library in meson.build
+Deleted patch
-Don't compile contrib/libvhost-user/libvhost-user.c again. Instead build
-the static library once and then reuse it throughout QEMU.
-Also switch from CONFIG_LINUX to CONFIG_VHOST_USER, which is what the
-vhost-user tools (vhost-user-gpu, etc) do.
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-Message-id: 20200924151549.913737-14-stefanha@redhat.com
-[Added CONFIG_LINUX again because libvhost-user doesn't build on macOS.
---Stefan]
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- block/export/export.c             | 8 ++++----
- block/export/meson.build          | 2 +-
- contrib/libvhost-user/meson.build | 1 +
- meson.build                       | 6 +++++-
- util/meson.build                  | 4 +++-
-files changed, 14 insertions(+), 7 deletions(-)
-diff --git a/block/export/export.c b/block/export/export.c
-index XXXXXXX..XXXXXXX 100644
---- a/block/export/export.c
-+++ b/block/export/export.c
-@@ -XXX,XX +XXX,XX @@
- #include "sysemu/block-backend.h"
- #include "block/export.h"
- #include "block/nbd.h"
--#if CONFIG_LINUX
--#include "block/export/vhost-user-blk-server.h"
--#endif
- #include "qapi/error.h"
- #include "qapi/qapi-commands-block-export.h"
- #include "qapi/qapi-events-block-export.h"
- #include "qemu/id.h"
-+#ifdef CONFIG_VHOST_USER
-+#include "vhost-user-blk-server.h"
-+#endif
- static const BlockExportDriver *blk_exp_drivers[] = {
-     &blk_exp_nbd,
--#if CONFIG_LINUX
-+#ifdef CONFIG_VHOST_USER
-     &blk_exp_vhost_user_blk,
- #endif
- };
-diff --git a/block/export/meson.build b/block/export/meson.build
-index XXXXXXX..XXXXXXX 100644
---- a/block/export/meson.build
-+++ b/block/export/meson.build
-@@ -XXX,XX +XXX,XX @@
- block_ss.add(files('export.c'))
--block_ss.add(when: 'CONFIG_LINUX', if_true: files('vhost-user-blk-server.c', '../../contrib/libvhost-user/libvhost-user.c'))
-+block_ss.add(when: ['CONFIG_LINUX', 'CONFIG_VHOST_USER'], if_true: files('vhost-user-blk-server.c'))
-diff --git a/contrib/libvhost-user/meson.build b/contrib/libvhost-user/meson.build
-index XXXXXXX..XXXXXXX 100644
---- a/contrib/libvhost-user/meson.build
-+++ b/contrib/libvhost-user/meson.build
-@@ -XXX,XX +XXX,XX @@
- libvhost_user = static_library('vhost-user',
-                                files('libvhost-user.c', 'libvhost-user-glib.c'),
-                                build_by_default: false)
-+vhost_user = declare_dependency(link_with: libvhost_user)
-diff --git a/meson.build b/meson.build
-index XXXXXXX..XXXXXXX 100644
---- a/meson.build
-+++ b/meson.build
-@@ -XXX,XX +XXX,XX @@ trace_events_subdirs += [
-   'util',
- ]
-+vhost_user = not_found
-+if 'CONFIG_VHOST_USER' in config_host
-+  subdir('contrib/libvhost-user')
-+endif
-+
- subdir('qapi')
- subdir('qobject')
- subdir('stubs')
-@@ -XXX,XX +XXX,XX @@ if have_tools
-              install: true)
-   if 'CONFIG_VHOST_USER' in config_host
--    subdir('contrib/libvhost-user')
-     subdir('contrib/vhost-user-blk')
-     subdir('contrib/vhost-user-gpu')
-     subdir('contrib/vhost-user-input')
-diff --git a/util/meson.build b/util/meson.build
-index XXXXXXX..XXXXXXX 100644
---- a/util/meson.build
-+++ b/util/meson.build
-@@ -XXX,XX +XXX,XX @@ if have_block
-   util_ss.add(files('main-loop.c'))
-   util_ss.add(files('nvdimm-utils.c'))
-   util_ss.add(files('qemu-coroutine.c', 'qemu-coroutine-lock.c', 'qemu-coroutine-io.c'))
--  util_ss.add(when: 'CONFIG_LINUX', if_true: files('vhost-user-server.c'))
-+  util_ss.add(when: ['CONFIG_LINUX', 'CONFIG_VHOST_USER'], if_true: [
-+    files('vhost-user-server.c'), vhost_user
-+  ])
-   util_ss.add(files('block-helpers.c'))
-   util_ss.add(files('qemu-coroutine-sleep.c'))
-   util_ss.add(files('qemu-co-shared-resource.c'))
---
-.26.2

-[PULL v2 20/28] qemu-storage-daemon: avoid compiling blockdev_ss twice
+Deleted patch
-Introduce libblkdev.fa to avoid recompiling blockdev_ss twice.
-Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
-Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-Message-id: 20200929125516.186715-3-stefanha@redhat.com
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- meson.build                | 12 ++++++++++--
- storage-daemon/meson.build |  3 +--
-files changed, 11 insertions(+), 4 deletions(-)
-diff --git a/meson.build b/meson.build
-index XXXXXXX..XXXXXXX 100644
---- a/meson.build
-+++ b/meson.build
-@@ -XXX,XX +XXX,XX @@ blockdev_ss.add(files(
- # os-win32.c does not
- blockdev_ss.add(when: 'CONFIG_POSIX', if_true: files('os-posix.c'))
- softmmu_ss.add(when: 'CONFIG_WIN32', if_true: [files('os-win32.c')])
--softmmu_ss.add_all(blockdev_ss)
- common_ss.add(files('cpus-common.c'))
-@@ -XXX,XX +XXX,XX @@ block = declare_dependency(link_whole: [libblock],
-                            link_args: '@block.syms',
-                            dependencies: [crypto, io])
-+blockdev_ss = blockdev_ss.apply(config_host, strict: false)
-+libblockdev = static_library('blockdev', blockdev_ss.sources() + genh,
-+                             dependencies: blockdev_ss.dependencies(),
-+                             name_suffix: 'fa',
-+                             build_by_default: false)
-+
-+blockdev = declare_dependency(link_whole: [libblockdev],
-+                              dependencies: [block])
-+
- qmp_ss = qmp_ss.apply(config_host, strict: false)
- libqmp = static_library('qmp', qmp_ss.sources() + genh,
-                         dependencies: qmp_ss.dependencies(),
-@@ -XXX,XX +XXX,XX @@ foreach m : block_mods + softmmu_mods
-                 install_dir: config_host['qemu_moddir'])
- endforeach
--softmmu_ss.add(authz, block, chardev, crypto, io, qmp)
-+softmmu_ss.add(authz, blockdev, chardev, crypto, io, qmp)
- common_ss.add(qom, qemuutil)
- common_ss.add_all(when: 'CONFIG_SOFTMMU', if_true: [softmmu_ss])
-diff --git a/storage-daemon/meson.build b/storage-daemon/meson.build
-index XXXXXXX..XXXXXXX 100644
---- a/storage-daemon/meson.build
-+++ b/storage-daemon/meson.build
-@@ -XXX,XX +XXX,XX @@
- qsd_ss = ss.source_set()
- qsd_ss.add(files('qemu-storage-daemon.c'))
--qsd_ss.add(block, chardev, qmp, qom, qemuutil)
--qsd_ss.add_all(blockdev_ss)
-+qsd_ss.add(blockdev, chardev, qmp, qom, qemuutil)
- subdir('qapi')
---
-.26.2

-[PULL v2 21/28] block: move block exports to libblockdev
+Deleted patch
-Block exports are used by softmmu, qemu-storage-daemon, and qemu-nbd.
-They are not used by other programs and are not otherwise needed in
-libblock.
-Undo the recent move of blockdev-nbd.c from blockdev_ss into block_ss.
-Since bdrv_close_all() (libblock) calls blk_exp_close_all()
-(libblockdev) a stub function is required..
-Make qemu-nbd.c use signal handling utility functions instead of
-duplicating the code. This helps because os-posix.c is in libblockdev
-and it depends on a qemu_system_killed() symbol that qemu-nbd.c lacks.
-Once we use the signal handling utility functions we also end up
-providing the necessary symbol.
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
-Reviewed-by: Eric Blake <eblake@redhat.com>
-Message-id: 20200929125516.186715-4-stefanha@redhat.com
-[Fixed s/ndb/nbd/ typo in commit description as suggested by Eric Blake
---Stefan]
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- qemu-nbd.c                | 21 ++++++++-------------
- stubs/blk-exp-close-all.c |  7 +++++++
- block/export/meson.build  |  4 ++--
- meson.build               |  4 ++--
- nbd/meson.build           |  2 ++
- stubs/meson.build         |  1 +
-files changed, 22 insertions(+), 17 deletions(-)
- create mode 100644 stubs/blk-exp-close-all.c
-diff --git a/qemu-nbd.c b/qemu-nbd.c
-index XXXXXXX..XXXXXXX 100644
---- a/qemu-nbd.c
-+++ b/qemu-nbd.c
-@@ -XXX,XX +XXX,XX @@
- #include "qapi/error.h"
- #include "qemu/cutils.h"
- #include "sysemu/block-backend.h"
-+#include "sysemu/runstate.h" /* for qemu_system_killed() prototype */
- #include "block/block_int.h"
- #include "block/nbd.h"
- #include "qemu/main-loop.h"
-@@ -XXX,XX +XXX,XX @@ QEMU_COPYRIGHT "\n"
- }
- #ifdef CONFIG_POSIX
--static void termsig_handler(int signum)
-+/*
-+ * The client thread uses SIGTERM to interrupt the server.  A signal
-+ * handler ensures that "qemu-nbd -v -c" exits with a nice status code.
-+ */
-+void qemu_system_killed(int signum, pid_t pid)
- {
-     qatomic_cmpxchg(&state, RUNNING, TERMINATE);
-     qemu_notify_event();
-@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv)
-     BlockExportOptions *export_opts;
- #ifdef CONFIG_POSIX
--    /*
--     * Exit gracefully on various signals, which includes SIGTERM used
--     * by 'qemu-nbd -v -c'.
--     */
--    struct sigaction sa_sigterm;
--    memset(&sa_sigterm, 0, sizeof(sa_sigterm));
--    sa_sigterm.sa_handler = termsig_handler;
--    sigaction(SIGTERM, &sa_sigterm, NULL);
--    sigaction(SIGINT, &sa_sigterm, NULL);
--    sigaction(SIGHUP, &sa_sigterm, NULL);
--
--    signal(SIGPIPE, SIG_IGN);
-+    os_setup_early_signal_handling();
-+    os_setup_signal_handling();
- #endif
-     socket_init();
-diff --git a/stubs/blk-exp-close-all.c b/stubs/blk-exp-close-all.c
-new file mode 100644
-index XXXXXXX..XXXXXXX
---- /dev/null
-+++ b/stubs/blk-exp-close-all.c
-@@ -XXX,XX +XXX,XX @@
-+#include "qemu/osdep.h"
-+#include "block/export.h"
-+
-+/* Only used in programs that support block exports (libblockdev.fa) */
-+void blk_exp_close_all(void)
-+{
-+}
-diff --git a/block/export/meson.build b/block/export/meson.build
-index XXXXXXX..XXXXXXX 100644
---- a/block/export/meson.build
-+++ b/block/export/meson.build
-@@ -XXX,XX +XXX,XX @@
--block_ss.add(files('export.c'))
--block_ss.add(when: ['CONFIG_LINUX', 'CONFIG_VHOST_USER'], if_true: files('vhost-user-blk-server.c'))
-+blockdev_ss.add(files('export.c'))
-+blockdev_ss.add(when: ['CONFIG_LINUX', 'CONFIG_VHOST_USER'], if_true: files('vhost-user-blk-server.c'))
-diff --git a/meson.build b/meson.build
-index XXXXXXX..XXXXXXX 100644
---- a/meson.build
-+++ b/meson.build
-@@ -XXX,XX +XXX,XX @@ subdir('dump')
- block_ss.add(files(
-   'block.c',
--  'blockdev-nbd.c',
-   'blockjob.c',
-   'job.c',
-   'qemu-io-cmds.c',
-@@ -XXX,XX +XXX,XX @@ subdir('block')
- blockdev_ss.add(files(
-   'blockdev.c',
-+  'blockdev-nbd.c',
-   'iothread.c',
-   'job-qmp.c',
- ))
-@@ -XXX,XX +XXX,XX @@ if have_tools
-   qemu_io = executable('qemu-io', files('qemu-io.c'),
-              dependencies: [block, qemuutil], install: true)
-   qemu_nbd = executable('qemu-nbd', files('qemu-nbd.c'),
--               dependencies: [block, qemuutil], install: true)
-+               dependencies: [blockdev, qemuutil], install: true)
-   subdir('storage-daemon')
-   subdir('contrib/rdmacm-mux')
-diff --git a/nbd/meson.build b/nbd/meson.build
-index XXXXXXX..XXXXXXX 100644
---- a/nbd/meson.build
-+++ b/nbd/meson.build
-@@ -XXX,XX +XXX,XX @@
- block_ss.add(files(
-   'client.c',
-   'common.c',
-+))
-+blockdev_ss.add(files(
-   'server.c',
- ))
-diff --git a/stubs/meson.build b/stubs/meson.build
-index XXXXXXX..XXXXXXX 100644
---- a/stubs/meson.build
-+++ b/stubs/meson.build
-@@ -XXX,XX +XXX,XX @@
- stub_ss.add(files('arch_type.c'))
- stub_ss.add(files('bdrv-next-monitor-owned.c'))
- stub_ss.add(files('blk-commit-all.c'))
-+stub_ss.add(files('blk-exp-close-all.c'))
- stub_ss.add(files('blockdev-close-all-bdrv-states.c'))
- stub_ss.add(files('change-state-handler.c'))
- stub_ss.add(files('cmos.c'))
---
-.26.2

-[PULL v2 22/28] block/export: add iothread and fixed-iothread options
+Deleted patch
-Make it possible to specify the iothread where the export will run. By
-default the block node can be moved to other AioContexts later and the
-export will follow. The fixed-iothread option forces strict behavior
-that prevents changing AioContext while the export is active. See the
-QAPI docs for details.
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-Message-id: 20200929125516.186715-5-stefanha@redhat.com
-[Fix stray '#' character in block-export.json and add missing "(since:
-.2)" as suggested by Eric Blake.
---Stefan]
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- qapi/block-export.json               | 11 ++++++++++
- block/export/export.c                | 31 +++++++++++++++++++++++++++-
- block/export/vhost-user-blk-server.c |  5 ++++-
- nbd/server.c                         |  2 --
-files changed, 45 insertions(+), 4 deletions(-)
-diff --git a/qapi/block-export.json b/qapi/block-export.json
-index XXXXXXX..XXXXXXX 100644
---- a/qapi/block-export.json
-+++ b/qapi/block-export.json
-@@ -XXX,XX +XXX,XX @@
- #                export before completion is signalled. (since: 5.2;
- #                default: false)
- #
-+# @iothread: The name of the iothread object where the export will run. The
-+#            default is to use the thread currently associated with the
-+#            block node. (since: 5.2)
-+#
-+# @fixed-iothread: True prevents the block node from being moved to another
-+#                  thread while the export is active. If true and @iothread is
-+#                  given, export creation fails if the block node cannot be
-+#                  moved to the iothread. The default is false. (since: 5.2)
-+#
- # Since: 4.2
- ##
- { 'union': 'BlockExportOptions',
-   'base': { 'type': 'BlockExportType',
-             'id': 'str',
-+        '*fixed-iothread': 'bool',
-+        '*iothread': 'str',
-             'node-name': 'str',
-             '*writable': 'bool',
-             '*writethrough': 'bool' },
-diff --git a/block/export/export.c b/block/export/export.c
-index XXXXXXX..XXXXXXX 100644
---- a/block/export/export.c
-+++ b/block/export/export.c
-@@ -XXX,XX +XXX,XX @@
- #include "block/block.h"
- #include "sysemu/block-backend.h"
-+#include "sysemu/iothread.h"
- #include "block/export.h"
- #include "block/nbd.h"
- #include "qapi/error.h"
-@@ -XXX,XX +XXX,XX @@ static const BlockExportDriver *blk_exp_find_driver(BlockExportType type)
- BlockExport *blk_exp_add(BlockExportOptions *export, Error **errp)
- {
-+    bool fixed_iothread = export->has_fixed_iothread && export->fixed_iothread;
-     const BlockExportDriver *drv;
-     BlockExport *exp = NULL;
-     BlockDriverState *bs;
--    BlockBackend *blk;
-+    BlockBackend *blk = NULL;
-     AioContext *ctx;
-     uint64_t perm;
-     int ret;
-@@ -XXX,XX +XXX,XX @@ BlockExport *blk_exp_add(BlockExportOptions *export, Error **errp)
-     ctx = bdrv_get_aio_context(bs);
-     aio_context_acquire(ctx);
-+    if (export->has_iothread) {
-+        IOThread *iothread;
-+        AioContext *new_ctx;
-+
-+        iothread = iothread_by_id(export->iothread);
-+        if (!iothread) {
-+            error_setg(errp, "iothread \"%s\" not found", export->iothread);
-+            goto fail;
-+        }
-+
-+        new_ctx = iothread_get_aio_context(iothread);
-+
-+        ret = bdrv_try_set_aio_context(bs, new_ctx, errp);
-+        if (ret == 0) {
-+            aio_context_release(ctx);
-+            aio_context_acquire(new_ctx);
-+            ctx = new_ctx;
-+        } else if (fixed_iothread) {
-+            goto fail;
-+        }
-+    }
-+
-     /*
-      * Block exports are used for non-shared storage migration. Make sure
-      * that BDRV_O_INACTIVE is cleared and the image is ready for write
-@@ -XXX,XX +XXX,XX @@ BlockExport *blk_exp_add(BlockExportOptions *export, Error **errp)
-     }
-     blk = blk_new(ctx, perm, BLK_PERM_ALL);
-+
-+    if (!fixed_iothread) {
-+        blk_set_allow_aio_context_change(blk, true);
-+    }
-+
-     ret = blk_insert_bs(blk, bs, errp);
-     if (ret < 0) {
-         goto fail;
-diff --git a/block/export/vhost-user-blk-server.c b/block/export/vhost-user-blk-server.c
-index XXXXXXX..XXXXXXX 100644
---- a/block/export/vhost-user-blk-server.c
-+++ b/block/export/vhost-user-blk-server.c
-@@ -XXX,XX +XXX,XX @@ static const VuDevIface vu_blk_iface = {
- static void blk_aio_attached(AioContext *ctx, void *opaque)
- {
-     VuBlkExport *vexp = opaque;
-+
-+    vexp->export.ctx = ctx;
-     vhost_user_server_attach_aio_context(&vexp->vu_server, ctx);
- }
- static void blk_aio_detach(void *opaque)
- {
-     VuBlkExport *vexp = opaque;
-+
-     vhost_user_server_detach_aio_context(&vexp->vu_server);
-+    vexp->export.ctx = NULL;
- }
- static void
-@@ -XXX,XX +XXX,XX @@ static int vu_blk_exp_create(BlockExport *exp, BlockExportOptions *opts,
-     vu_blk_initialize_config(blk_bs(exp->blk), &vexp->blkcfg,
-                                logical_block_size);
--    blk_set_allow_aio_context_change(exp->blk, true);
-     blk_add_aio_context_notifier(exp->blk, blk_aio_attached, blk_aio_detach,
-                                  vexp);
-diff --git a/nbd/server.c b/nbd/server.c
-index XXXXXXX..XXXXXXX 100644
---- a/nbd/server.c
-+++ b/nbd/server.c
-@@ -XXX,XX +XXX,XX @@ static int nbd_export_create(BlockExport *blk_exp, BlockExportOptions *exp_args,
-         return ret;
-     }
--    blk_set_allow_aio_context_change(blk, true);
--
-     QTAILQ_INIT(&exp->clients);
-     exp->name = g_strdup(arg->name);
-     exp->description = g_strdup(arg->description);
---
-.26.2

-[PULL v2 23/28] block/export: add vhost-user-blk multi-queue support
+Deleted patch
-Allow the number of queues to be configured using --export
-vhost-user-blk,num-queues=N. This setting should match the QEMU --device
-vhost-user-blk-pci,num-queues=N setting but QEMU vhost-user-blk.c lowers
-its own value if the vhost-user-blk backend offers fewer queues than
-QEMU.
-The vhost-user-blk-server.c code is already capable of multi-queue. All
-virtqueue processing runs in the same AioContext. No new locking is
-needed.
-Add the num-queues=N option and set the VIRTIO_BLK_F_MQ feature bit.
-Note that the feature bit only announces the presence of the num_queues
-configuration space field. It does not promise that there is more than 1
-virtqueue, so we can set it unconditionally.
-I tested multi-queue by running a random read fio test with numjobs=4 on
-an -smp 4 guest. After the benchmark finished the guest /proc/interrupts
-file showed activity on all 4 virtio-blk MSI-X. The /sys/block/vda/mq/
-directory shows that Linux blk-mq has 4 queues configured.
-An automated test is included in the next commit.
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-Acked-by: Markus Armbruster <armbru@redhat.com>
-Message-id: 20201001144604.559733-2-stefanha@redhat.com
-[Fixed accidental tab characters as suggested by Markus Armbruster
---Stefan]
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- qapi/block-export.json               | 10 +++++++---
- block/export/vhost-user-blk-server.c | 24 ++++++++++++++++++------
-files changed, 25 insertions(+), 9 deletions(-)
-diff --git a/qapi/block-export.json b/qapi/block-export.json
-index XXXXXXX..XXXXXXX 100644
---- a/qapi/block-export.json
-+++ b/qapi/block-export.json
-@@ -XXX,XX +XXX,XX @@
- #        SocketAddress types are supported. Passed fds must be UNIX domain
- #        sockets.
- # @logical-block-size: Logical block size in bytes. Defaults to 512 bytes.
-+# @num-queues: Number of request virtqueues. Must be greater than 0. Defaults
-+#              to 1.
- #
- # Since: 5.2
- ##
- { 'struct': 'BlockExportOptionsVhostUserBlk',
--  'data': { 'addr': 'SocketAddress', '*logical-block-size': 'size' } }
-+  'data': { 'addr': 'SocketAddress',
-+        '*logical-block-size': 'size',
-+            '*num-queues': 'uint16'} }
- ##
- # @NbdServerAddOptions:
-@@ -XXX,XX +XXX,XX @@
- { 'union': 'BlockExportOptions',
-   'base': { 'type': 'BlockExportType',
-             'id': 'str',
--        '*fixed-iothread': 'bool',
--        '*iothread': 'str',
-+            '*fixed-iothread': 'bool',
-+            '*iothread': 'str',
-             'node-name': 'str',
-             '*writable': 'bool',
-             '*writethrough': 'bool' },
-diff --git a/block/export/vhost-user-blk-server.c b/block/export/vhost-user-blk-server.c
-index XXXXXXX..XXXXXXX 100644
---- a/block/export/vhost-user-blk-server.c
-+++ b/block/export/vhost-user-blk-server.c
-@@ -XXX,XX +XXX,XX @@
- #include "util/block-helpers.h"
- enum {
--    VHOST_USER_BLK_MAX_QUEUES = 1,
-+    VHOST_USER_BLK_NUM_QUEUES_DEFAULT = 1,
- };
- struct virtio_blk_inhdr {
-     unsigned char status;
-@@ -XXX,XX +XXX,XX @@ static uint64_t vu_blk_get_features(VuDev *dev)
-ull << VIRTIO_BLK_F_DISCARD |
-ull << VIRTIO_BLK_F_WRITE_ZEROES |
-ull << VIRTIO_BLK_F_CONFIG_WCE |
-+               1ull << VIRTIO_BLK_F_MQ |
-ull << VIRTIO_F_VERSION_1 |
-ull << VIRTIO_RING_F_INDIRECT_DESC |
-ull << VIRTIO_RING_F_EVENT_IDX |
-@@ -XXX,XX +XXX,XX @@ static void blk_aio_detach(void *opaque)
- static void
- vu_blk_initialize_config(BlockDriverState *bs,
--                           struct virtio_blk_config *config, uint32_t blk_size)
-+                         struct virtio_blk_config *config,
-+                         uint32_t blk_size,
-+                         uint16_t num_queues)
- {
-     config->capacity = bdrv_getlength(bs) >> BDRV_SECTOR_BITS;
-     config->blk_size = blk_size;
-@@ -XXX,XX +XXX,XX @@ vu_blk_initialize_config(BlockDriverState *bs,
-     config->seg_max = 128 - 2;
-     config->min_io_size = 1;
-     config->opt_io_size = 1;
--    config->num_queues = VHOST_USER_BLK_MAX_QUEUES;
-+    config->num_queues = num_queues;
-     config->max_discard_sectors = 32768;
-     config->max_discard_seg = 1;
-     config->discard_sector_alignment = config->blk_size >> 9;
-@@ -XXX,XX +XXX,XX @@ static int vu_blk_exp_create(BlockExport *exp, BlockExportOptions *opts,
-     BlockExportOptionsVhostUserBlk *vu_opts = &opts->u.vhost_user_blk;
-     Error *local_err = NULL;
-     uint64_t logical_block_size;
-+    uint16_t num_queues = VHOST_USER_BLK_NUM_QUEUES_DEFAULT;
-     vexp->writable = opts->writable;
-     vexp->blkcfg.wce = 0;
-@@ -XXX,XX +XXX,XX @@ static int vu_blk_exp_create(BlockExport *exp, BlockExportOptions *opts,
-     }
-     vexp->blk_size = logical_block_size;
-     blk_set_guest_block_size(exp->blk, logical_block_size);
-+
-+    if (vu_opts->has_num_queues) {
-+        num_queues = vu_opts->num_queues;
-+    }
-+    if (num_queues == 0) {
-+        error_setg(errp, "num-queues must be greater than 0");
-+        return -EINVAL;
-+    }
-+
-     vu_blk_initialize_config(blk_bs(exp->blk), &vexp->blkcfg,
--                               logical_block_size);
-+                             logical_block_size, num_queues);
-     blk_add_aio_context_notifier(exp->blk, blk_aio_attached, blk_aio_detach,
-                                  vexp);
-     if (!vhost_user_server_start(&vexp->vu_server, vu_opts->addr, exp->ctx,
--                                 VHOST_USER_BLK_MAX_QUEUES, &vu_blk_iface,
--                                 errp)) {
-+                                 num_queues, &vu_blk_iface, errp)) {
-         blk_remove_aio_context_notifier(exp->blk, blk_aio_attached,
-                                         blk_aio_detach, vexp);
-         return -EADDRNOTAVAIL;
---
-.26.2

-[PULL v2 24/28] block/io: fix bdrv_co_block_status_above
+[PULL v2 6/8] block: add subcluster_size field to BlockDriverInfo
-From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+From: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
-bdrv_co_block_status_above has several design problems with handling
+This is going to be used in the subsequent commit as requests alignment
-short backing files:
+(in particular, during copy-on-read).  This value only makes sense for
 the formats which support subclusters (currently QCOW2 only).  If this
 field isn't set by driver's own bdrv_get_info() implementation, we
 simply set it equal to the cluster size thus treating each cluster as
 having a single subcluster.
-. With want_zeros=true, it may return ret with BDRV_BLOCK_ZERO but
+Reviewed-by: Eric Blake <eblake@redhat.com>
-without BDRV_BLOCK_ALLOCATED flag, when actually short backing file
+Reviewed-by: Denis V. Lunev <den@openvz.org>
-which produces these after-EOF zeros is inside requested backing
+Signed-off-by: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
-sequence.
+Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 Message-ID: <20230711172553.234055-2-andrey.drobyshev@virtuozzo.com>
 ---
  include/block/block-common.h | 5 +++++
  block.c                      | 7 +++++++
  block/qcow2.c                | 1 +
 files changed, 13 insertions(+)
-. With want_zero=false, it may return pnum=0 prior to actual EOF,
+diff --git a/include/block/block-common.h b/include/block/block-common.h
 because of EOF of short backing file.
 Fix these things, making logic about short backing files clearer.
 With fixed bdrv_block_status_above we also have to improve is_zero in
 qcow2 code, otherwise iotest 154 will fail, because with this patch we
 stop to merge zeros of different types (produced by fully unallocated
 in the whole backing chain regions vs produced by short backing files).
 Note also, that this patch leaves for another day the general problem
 around block-status: misuse of BDRV_BLOCK_ALLOCATED as is-fs-allocated
 vs go-to-backing.
 Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
 Reviewed-by: Alberto Garcia <berto@igalia.com>
 Reviewed-by: Eric Blake <eblake@redhat.com>
 Message-id: 20200924194003.22080-2-vsementsov@virtuozzo.com
 [Fix s/comes/come/ as suggested by Eric Blake
 --Stefan]
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
  block/io.c    | 68 ++++++++++++++++++++++++++++++++++++++++-----------
  block/qcow2.c | 16 ++++++++++--
 files changed, 68 insertions(+), 16 deletions(-)
 diff --git a/block/io.c b/block/io.c
 index XXXXXXX..XXXXXXX 100644
---- a/block/io.c
+--- a/include/block/block-common.h
-+++ b/block/io.c
++++ b/include/block/block-common.h
-@@ -XXX,XX +XXX,XX @@ bdrv_co_common_block_status_above(BlockDriverState *bs,
+@@ -XXX,XX +XXX,XX @@ typedef struct BlockZoneWps {
-                                   int64_t *map,
+ typedef struct BlockDriverInfo {
-                                   BlockDriverState **file)
+     /* in bytes, 0 if irrelevant */
- {
+     int cluster_size;
-+    int ret;
++    /*
-     BlockDriverState *p;
++     * A fraction of cluster_size, if supported (currently QCOW2 only); if
--    int ret = 0;
++     * disabled or unsupported, set equal to cluster_size.
--    bool first = true;
++     */
-+    int64_t eof = 0;
++    int subcluster_size;
+     /* offset at which the VM state can be saved (0 if not possible) */
-     assert(bs != base);
+     int64_t vm_state_offset;
--    for (p = bs; p != base; p = bdrv_filter_or_cow_bs(p)) {
+     bool is_dirty;
-+
+diff --git a/block.c b/block.c
-+    ret = bdrv_co_block_status(bs, want_zero, offset, bytes, pnum, map, file);
+index XXXXXXX..XXXXXXX 100644
-+    if (ret < 0 || *pnum == 0 || ret & BDRV_BLOCK_ALLOCATED) {
+--- a/block.c
-+        return ret;
++++ b/block.c
@@ -XXX,XX +XXX,XX @@ int coroutine_fn bdrv_co_get_info(BlockDriverState *bs, BlockDriverInfo *bdi)
      }
      memset(bdi, 0, sizeof(*bdi));
      ret = drv->bdrv_co_get_info(bs, bdi);
 +    if (bdi->subcluster_size == 0) {
 +        /*
 +         * If the driver left this unset, subclusters are not supported.
 +         * Then it is safe to treat each cluster as having only one subcluster.
 +         */
 +        bdi->subcluster_size = bdi->cluster_size;
 +    }
-+
+     if (ret < 0) {
-+    if (ret & BDRV_BLOCK_EOF) {
+         return ret;
 +        eof = offset + *pnum;
 +    }
 +
 +    assert(*pnum <= bytes);
 +    bytes = *pnum;
 +
 +    for (p = bdrv_filter_or_cow_bs(bs); p != base;
 +         p = bdrv_filter_or_cow_bs(p))
 +    {
          ret = bdrv_co_block_status(p, want_zero, offset, bytes, pnum, map,
                                     file);
          if (ret < 0) {
 -            break;
 +            return ret;
          }
 -        if (ret & BDRV_BLOCK_ZERO && ret & BDRV_BLOCK_EOF && !first) {
 +        if (*pnum == 0) {
              /*
 -             * Reading beyond the end of the file continues to read
 -             * zeroes, but we can only widen the result to the
 -             * unallocated length we learned from an earlier
 -             * iteration.
 +             * The top layer deferred to this layer, and because this layer is
 +             * short, any zeroes that we synthesize beyond EOF behave as if they
 +             * were allocated at this layer.
 +             *
 +             * We don't include BDRV_BLOCK_EOF into ret, as upper layer may be
 +             * larger. We'll add BDRV_BLOCK_EOF if needed at function end, see
 +             * below.
               */
 +            assert(ret & BDRV_BLOCK_EOF);
              *pnum = bytes;
 +            if (file) {
 +                *file = p;
 +            }
 +            ret = BDRV_BLOCK_ZERO | BDRV_BLOCK_ALLOCATED;
 +            break;
          }
 -        if (ret & (BDRV_BLOCK_ZERO | BDRV_BLOCK_DATA)) {
 +        if (ret & BDRV_BLOCK_ALLOCATED) {
 +            /*
 +             * We've found the node and the status, we must break.
 +             *
 +             * Drop BDRV_BLOCK_EOF, as it's not for upper layer, which may be
 +             * larger. We'll add BDRV_BLOCK_EOF if needed at function end, see
 +             * below.
 +             */
 +            ret &= ~BDRV_BLOCK_EOF;
              break;
          }
 -        /* [offset, pnum] unallocated on this layer, which could be only
 -         * the first part of [offset, bytes].  */
 -        bytes = MIN(bytes, *pnum);
 -        first = false;
 +
 +        /*
 +         * OK, [offset, offset + *pnum) region is unallocated on this layer,
 +         * let's continue the diving.
 +         */
 +        assert(*pnum <= bytes);
 +        bytes = *pnum;
 +    }
 +
 +    if (offset + *pnum == eof) {
 +        ret |= BDRV_BLOCK_EOF;
      }
-+
-     return ret;
- }
 diff --git a/block/qcow2.c b/block/qcow2.c
 index XXXXXXX..XXXXXXX 100644
 --- a/block/qcow2.c
 +++ b/block/qcow2.c
-@@ -XXX,XX +XXX,XX @@ static bool is_zero(BlockDriverState *bs, int64_t offset, int64_t bytes)
+@@ -XXX,XX +XXX,XX @@ qcow2_co_get_info(BlockDriverState *bs, BlockDriverInfo *bdi)
-     if (!bytes) {
+ {
-         return true;
+     BDRVQcow2State *s = bs->opaque;
-     }
+     bdi->cluster_size = s->cluster_size;
--    res = bdrv_block_status_above(bs, NULL, offset, bytes, &nr, NULL, NULL);
++    bdi->subcluster_size = s->subcluster_size;
--    return res >= 0 && (res & BDRV_BLOCK_ZERO) && nr == bytes;
+     bdi->vm_state_offset = qcow2_vm_state_offset(s);
-+
+     bdi->is_dirty = s->incompatible_features & QCOW2_INCOMPAT_DIRTY;
-+    /*
+     return 0;
 +     * bdrv_block_status_above doesn't merge different types of zeros, for
 +     * example, zeros which come from the region which is unallocated in
 +     * the whole backing chain, and zeros which come because of a short
 +     * backing file. So, we need a loop.
 +     */
 +    do {
 +        res = bdrv_block_status_above(bs, NULL, offset, bytes, &nr, NULL, NULL);
 +        offset += nr;
 +        bytes -= nr;
 +    } while (res >= 0 && (res & BDRV_BLOCK_ZERO) && nr && bytes);
 +
 +    return res >= 0 && (res & BDRV_BLOCK_ZERO) && bytes == 0;
  }
  static coroutine_fn int qcow2_co_pwrite_zeroes(BlockDriverState *bs,
 --
-.26.2
+.41.0

-[PULL v2 25/28] block/io: bdrv_common_block_status_above: support include_base
+Deleted patch
-From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
-In order to reuse bdrv_common_block_status_above in
-bdrv_is_allocated_above, let's support include_base parameter.
-Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
-Reviewed-by: Alberto Garcia <berto@igalia.com>
-Reviewed-by: Eric Blake <eblake@redhat.com>
-Message-id: 20200924194003.22080-3-vsementsov@virtuozzo.com
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- block/coroutines.h |  2 ++
- block/io.c         | 21 ++++++++++++++-------
-files changed, 16 insertions(+), 7 deletions(-)
-diff --git a/block/coroutines.h b/block/coroutines.h
-index XXXXXXX..XXXXXXX 100644
---- a/block/coroutines.h
-+++ b/block/coroutines.h
-@@ -XXX,XX +XXX,XX @@ bdrv_pwritev(BdrvChild *child, int64_t offset, unsigned int bytes,
- int coroutine_fn
- bdrv_co_common_block_status_above(BlockDriverState *bs,
-                                   BlockDriverState *base,
-+                                  bool include_base,
-                                   bool want_zero,
-                                   int64_t offset,
-                                   int64_t bytes,
-@@ -XXX,XX +XXX,XX @@ bdrv_co_common_block_status_above(BlockDriverState *bs,
- int generated_co_wrapper
- bdrv_common_block_status_above(BlockDriverState *bs,
-                                BlockDriverState *base,
-+                               bool include_base,
-                                bool want_zero,
-                                int64_t offset,
-                                int64_t bytes,
-diff --git a/block/io.c b/block/io.c
-index XXXXXXX..XXXXXXX 100644
---- a/block/io.c
-+++ b/block/io.c
-@@ -XXX,XX +XXX,XX @@ early_out:
- int coroutine_fn
- bdrv_co_common_block_status_above(BlockDriverState *bs,
-                                   BlockDriverState *base,
-+                                  bool include_base,
-                                   bool want_zero,
-                                   int64_t offset,
-                                   int64_t bytes,
-@@ -XXX,XX +XXX,XX @@ bdrv_co_common_block_status_above(BlockDriverState *bs,
-     BlockDriverState *p;
-     int64_t eof = 0;
--    assert(bs != base);
-+    assert(include_base || bs != base);
-+    assert(!include_base || base); /* Can't include NULL base */
-     ret = bdrv_co_block_status(bs, want_zero, offset, bytes, pnum, map, file);
--    if (ret < 0 || *pnum == 0 || ret & BDRV_BLOCK_ALLOCATED) {
-+    if (ret < 0 || *pnum == 0 || ret & BDRV_BLOCK_ALLOCATED || bs == base) {
-         return ret;
-     }
-@@ -XXX,XX +XXX,XX @@ bdrv_co_common_block_status_above(BlockDriverState *bs,
-     assert(*pnum <= bytes);
-     bytes = *pnum;
--    for (p = bdrv_filter_or_cow_bs(bs); p != base;
-+    for (p = bdrv_filter_or_cow_bs(bs); include_base || p != base;
-          p = bdrv_filter_or_cow_bs(p))
-     {
-         ret = bdrv_co_block_status(p, want_zero, offset, bytes, pnum, map,
-@@ -XXX,XX +XXX,XX @@ bdrv_co_common_block_status_above(BlockDriverState *bs,
-             break;
-         }
-+        if (p == base) {
-+            assert(include_base);
-+            break;
-+        }
-+
-         /*
-          * OK, [offset, offset + *pnum) region is unallocated on this layer,
-          * let's continue the diving.
-@@ -XXX,XX +XXX,XX @@ int bdrv_block_status_above(BlockDriverState *bs, BlockDriverState *base,
-                             int64_t offset, int64_t bytes, int64_t *pnum,
-                             int64_t *map, BlockDriverState **file)
- {
--    return bdrv_common_block_status_above(bs, base, true, offset, bytes,
-+    return bdrv_common_block_status_above(bs, base, false, true, offset, bytes,
-                                           pnum, map, file);
- }
-@@ -XXX,XX +XXX,XX @@ int coroutine_fn bdrv_is_allocated(BlockDriverState *bs, int64_t offset,
-     int ret;
-     int64_t dummy;
--    ret = bdrv_common_block_status_above(bs, bdrv_filter_or_cow_bs(bs), false,
--                                         offset, bytes, pnum ? pnum : &dummy,
--                                         NULL, NULL);
-+    ret = bdrv_common_block_status_above(bs, bs, true, false, offset,
-+                                         bytes, pnum ? pnum : &dummy, NULL,
-+                                         NULL);
-     if (ret < 0) {
-         return ret;
-     }
---
-.26.2

-[PULL v2 26/28] block/io: bdrv_common_block_status_above: support bs == base
+Deleted patch
-From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
-We are going to reuse bdrv_common_block_status_above in
-bdrv_is_allocated_above. bdrv_is_allocated_above may be called with
-include_base == false and still bs == base (for ex. from img_rebase()).
-So, support this corner case.
-Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
-Reviewed-by: Kevin Wolf <kwolf@redhat.com>
-Reviewed-by: Eric Blake <eblake@redhat.com>
-Reviewed-by: Alberto Garcia <berto@igalia.com>
-Message-id: 20200924194003.22080-4-vsementsov@virtuozzo.com
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- block/io.c | 6 +++++-
-file changed, 5 insertions(+), 1 deletion(-)
-diff --git a/block/io.c b/block/io.c
-index XXXXXXX..XXXXXXX 100644
---- a/block/io.c
-+++ b/block/io.c
-@@ -XXX,XX +XXX,XX @@ bdrv_co_common_block_status_above(BlockDriverState *bs,
-     BlockDriverState *p;
-     int64_t eof = 0;
--    assert(include_base || bs != base);
-     assert(!include_base || base); /* Can't include NULL base */
-+    if (!include_base && bs == base) {
-+        *pnum = bytes;
-+        return 0;
-+    }
-+
-     ret = bdrv_co_block_status(bs, want_zero, offset, bytes, pnum, map, file);
-     if (ret < 0 || *pnum == 0 || ret & BDRV_BLOCK_ALLOCATED || bs == base) {
-         return ret;
---
-.26.2

-[PULL v2 27/28] block/io: fix bdrv_is_allocated_above
+[PULL v2 7/8] block/io: align requests to subcluster_size
-From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+From: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
-bdrv_is_allocated_above wrongly handles short backing files: it reports
+When target image is using subclusters, and we align the request during
-after-EOF space as UNALLOCATED which is wrong, as on read the data is
+copy-on-read, it makes sense to align to subcluster_size rather than
-generated on the level of short backing file (if all overlays have
+cluster_size.  Otherwise we end up with unnecessary allocations.
-unallocated areas at that place).
+This commit renames bdrv_round_to_clusters() to bdrv_round_to_subclusters()
-Reusing bdrv_common_block_status_above fixes the issue and unifies code
+and utilizes subcluster_size field of BlockDriverInfo to make necessary
-path.
+alignments.  It affects copy-on-read as well as mirror job (which is
+using bdrv_round_to_clusters()).
-Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
 This change also fixes the following bug with failing assert (covered by
 the test in the subsequent commit):
 qemu-img create -f qcow2 base.qcow2 64K
 qemu-img create -f qcow2 -o extended_l2=on,backing_file=base.qcow2,backing_fmt=qcow2 img.qcow2 64K
 qemu-io -c "write -P 0xaa 0 2K" img.qcow2
 qemu-io -C -c "read -P 0x00 2K 62K" img.qcow2
 qemu-io: ../block/io.c:1236: bdrv_co_do_copy_on_readv: Assertion `skip_bytes < pnum' failed.
 Reviewed-by: Eric Blake <eblake@redhat.com>
-Reviewed-by: Alberto Garcia <berto@igalia.com>
+Reviewed-by: Denis V. Lunev <den@openvz.org>
-Message-id: 20200924194003.22080-5-vsementsov@virtuozzo.com
+Signed-off-by: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
-[Fix s/has/have/ as suggested by Eric Blake. Fix s/area/areas/.
+Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
 --Stefan]
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-ID: <20230711172553.234055-3-andrey.drobyshev@virtuozzo.com>
 ---
- block/io.c | 43 +++++--------------------------------------
+ include/block/block-io.h |  8 +++----
-file changed, 5 insertions(+), 38 deletions(-)
+ block/io.c               | 50 ++++++++++++++++++++--------------------
+ block/mirror.c           |  8 +++----
 files changed, 33 insertions(+), 33 deletions(-)
 diff --git a/include/block/block-io.h b/include/block/block-io.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/block/block-io.h
 +++ b/include/block/block-io.h
@@ -XXX,XX +XXX,XX @@ bdrv_get_info(BlockDriverState *bs, BlockDriverInfo *bdi);
  ImageInfoSpecific *bdrv_get_specific_info(BlockDriverState *bs,
                                            Error **errp);
  BlockStatsSpecific *bdrv_get_specific_stats(BlockDriverState *bs);
 -void bdrv_round_to_clusters(BlockDriverState *bs,
 -                            int64_t offset, int64_t bytes,
 -                            int64_t *cluster_offset,
 -                            int64_t *cluster_bytes);
 +void bdrv_round_to_subclusters(BlockDriverState *bs,
 +                               int64_t offset, int64_t bytes,
 +                               int64_t *cluster_offset,
 +                               int64_t *cluster_bytes);
  void bdrv_get_backing_filename(BlockDriverState *bs,
                                 char *filename, int filename_size);
 diff --git a/block/io.c b/block/io.c
 index XXXXXXX..XXXXXXX 100644
 --- a/block/io.c
 +++ b/block/io.c
-@@ -XXX,XX +XXX,XX @@ int coroutine_fn bdrv_is_allocated(BlockDriverState *bs, int64_t offset,
+@@ -XXX,XX +XXX,XX @@ BdrvTrackedRequest *coroutine_fn bdrv_co_get_self_request(BlockDriverState *bs)
-  * at 'offset + *pnum' may return the same allocation status (in other
+ }
-  * words, the result is not necessarily the maximum possible range);
-  * but 'pnum' will only be 0 when end of file is reached.
+ /**
-- *
+- * Round a region to cluster boundaries
 + * Round a region to subcluster (if supported) or cluster boundaries
   */
- int bdrv_is_allocated_above(BlockDriverState *top,
+ void coroutine_fn GRAPH_RDLOCK
-                             BlockDriverState *base,
+-bdrv_round_to_clusters(BlockDriverState *bs, int64_t offset, int64_t bytes,
-                             bool include_base, int64_t offset,
+-                       int64_t *cluster_offset, int64_t *cluster_bytes)
-                             int64_t bytes, int64_t *pnum)
++bdrv_round_to_subclusters(BlockDriverState *bs, int64_t offset, int64_t bytes,
 +                          int64_t *align_offset, int64_t *align_bytes)
  {
--    BlockDriverState *intermediate;
+     BlockDriverInfo bdi;
--    int ret;
+     IO_CODE();
--    int64_t n = bytes;
+-    if (bdrv_co_get_info(bs, &bdi) < 0 || bdi.cluster_size == 0) {
--
+-        *cluster_offset = offset;
--    assert(base || !include_base);
+-        *cluster_bytes = bytes;
--
++    if (bdrv_co_get_info(bs, &bdi) < 0 || bdi.subcluster_size == 0) {
--    intermediate = top;
++        *align_offset = offset;
--    while (include_base || intermediate != base) {
++        *align_bytes = bytes;
--        int64_t pnum_inter;
+     } else {
--        int64_t size_inter;
+-        int64_t c = bdi.cluster_size;
--
+-        *cluster_offset = QEMU_ALIGN_DOWN(offset, c);
--        assert(intermediate);
+-        *cluster_bytes = QEMU_ALIGN_UP(offset - *cluster_offset + bytes, c);
--        ret = bdrv_is_allocated(intermediate, offset, bytes, &pnum_inter);
++        int64_t c = bdi.subcluster_size;
--        if (ret < 0) {
++        *align_offset = QEMU_ALIGN_DOWN(offset, c);
--            return ret;
++        *align_bytes = QEMU_ALIGN_UP(offset - *align_offset + bytes, c);
 -        }
 -        if (ret) {
 -            *pnum = pnum_inter;
 -            return 1;
 -        }
 -
 -        size_inter = bdrv_getlength(intermediate);
 -        if (size_inter < 0) {
 -            return size_inter;
 -        }
 -        if (n > pnum_inter &&
 -            (intermediate == top || offset + pnum_inter < size_inter)) {
 -            n = pnum_inter;
 -        }
 -
 -        if (intermediate == base) {
 -            break;
 -        }
 -
 -        intermediate = bdrv_filter_or_cow_bs(intermediate);
 +    int ret = bdrv_common_block_status_above(top, base, include_base, false,
 +                                             offset, bytes, pnum, NULL, NULL);
 +    if (ret < 0) {
 +        return ret;
      }
--    *pnum = n;
--    return 0;
-+    return !!(ret & BDRV_BLOCK_ALLOCATED);
  }
- int coroutine_fn
+@@ -XXX,XX +XXX,XX @@ bdrv_co_do_copy_on_readv(BdrvChild *child, int64_t offset, int64_t bytes,
      void *bounce_buffer = NULL;
      BlockDriver *drv = bs->drv;
 -    int64_t cluster_offset;
 -    int64_t cluster_bytes;
 +    int64_t align_offset;
 +    int64_t align_bytes;
      int64_t skip_bytes;
      int ret;
      int max_transfer = MIN_NON_ZERO(bs->bl.max_transfer,
@@ -XXX,XX +XXX,XX @@ bdrv_co_do_copy_on_readv(BdrvChild *child, int64_t offset, int64_t bytes,
       * BDRV_REQUEST_MAX_BYTES (even when the original read did not), which
       * is one reason we loop rather than doing it all at once.
       */
 -    bdrv_round_to_clusters(bs, offset, bytes, &cluster_offset, &cluster_bytes);
 -    skip_bytes = offset - cluster_offset;
 +    bdrv_round_to_subclusters(bs, offset, bytes, &align_offset, &align_bytes);
 +    skip_bytes = offset - align_offset;
      trace_bdrv_co_do_copy_on_readv(bs, offset, bytes,
 -                                   cluster_offset, cluster_bytes);
 +                                   align_offset, align_bytes);
 -    while (cluster_bytes) {
 +    while (align_bytes) {
          int64_t pnum;
          if (skip_write) {
              ret = 1; /* "already allocated", so nothing will be copied */
 -            pnum = MIN(cluster_bytes, max_transfer);
 +            pnum = MIN(align_bytes, max_transfer);
          } else {
 -            ret = bdrv_is_allocated(bs, cluster_offset,
 -                                    MIN(cluster_bytes, max_transfer), &pnum);
 +            ret = bdrv_is_allocated(bs, align_offset,
 +                                    MIN(align_bytes, max_transfer), &pnum);
              if (ret < 0) {
                  /*
                   * Safe to treat errors in querying allocation as if
                   * unallocated; we'll probably fail again soon on the
                   * read, but at least that will set a decent errno.
                   */
 -                pnum = MIN(cluster_bytes, max_transfer);
 +                pnum = MIN(align_bytes, max_transfer);
              }
              /* Stop at EOF if the image ends in the middle of the cluster */
@@ -XXX,XX +XXX,XX @@ bdrv_co_do_copy_on_readv(BdrvChild *child, int64_t offset, int64_t bytes,
              /* Must copy-on-read; use the bounce buffer */
              pnum = MIN(pnum, MAX_BOUNCE_BUFFER);
              if (!bounce_buffer) {
 -                int64_t max_we_need = MAX(pnum, cluster_bytes - pnum);
 +                int64_t max_we_need = MAX(pnum, align_bytes - pnum);
                  int64_t max_allowed = MIN(max_transfer, MAX_BOUNCE_BUFFER);
                  int64_t bounce_buffer_len = MIN(max_we_need, max_allowed);
@@ -XXX,XX +XXX,XX @@ bdrv_co_do_copy_on_readv(BdrvChild *child, int64_t offset, int64_t bytes,
              }
              qemu_iovec_init_buf(&local_qiov, bounce_buffer, pnum);
 -            ret = bdrv_driver_preadv(bs, cluster_offset, pnum,
 +            ret = bdrv_driver_preadv(bs, align_offset, pnum,
                                       &local_qiov, 0, 0);
              if (ret < 0) {
                  goto err;
@@ -XXX,XX +XXX,XX @@ bdrv_co_do_copy_on_readv(BdrvChild *child, int64_t offset, int64_t bytes,
                  /* FIXME: Should we (perhaps conditionally) be setting
                   * BDRV_REQ_MAY_UNMAP, if it will allow for a sparser copy
                   * that still correctly reads as zero? */
 -                ret = bdrv_co_do_pwrite_zeroes(bs, cluster_offset, pnum,
 +                ret = bdrv_co_do_pwrite_zeroes(bs, align_offset, pnum,
                                                 BDRV_REQ_WRITE_UNCHANGED);
              } else {
                  /* This does not change the data on the disk, it is not
                   * necessary to flush even in cache=writethrough mode.
                   */
 -                ret = bdrv_driver_pwritev(bs, cluster_offset, pnum,
 +                ret = bdrv_driver_pwritev(bs, align_offset, pnum,
                                            &local_qiov, 0,
                                            BDRV_REQ_WRITE_UNCHANGED);
              }
@@ -XXX,XX +XXX,XX @@ bdrv_co_do_copy_on_readv(BdrvChild *child, int64_t offset, int64_t bytes,
              }
          }
 -        cluster_offset += pnum;
 -        cluster_bytes -= pnum;
 +        align_offset += pnum;
 +        align_bytes -= pnum;
          progress += pnum - skip_bytes;
          skip_bytes = 0;
      }
 diff --git a/block/mirror.c b/block/mirror.c
 index XXXXXXX..XXXXXXX 100644
 --- a/block/mirror.c
 +++ b/block/mirror.c
@@ -XXX,XX +XXX,XX @@ static int coroutine_fn mirror_cow_align(MirrorBlockJob *s, int64_t *offset,
      need_cow |= !test_bit((*offset + *bytes - 1) / s->granularity,
                            s->cow_bitmap);
      if (need_cow) {
 -        bdrv_round_to_clusters(blk_bs(s->target), *offset, *bytes,
 -                               &align_offset, &align_bytes);
 +        bdrv_round_to_subclusters(blk_bs(s->target), *offset, *bytes,
 +                                  &align_offset, &align_bytes);
      }
      if (align_bytes > max_bytes) {
@@ -XXX,XX +XXX,XX @@ static void coroutine_fn mirror_iteration(MirrorBlockJob *s)
              int64_t target_offset;
              int64_t target_bytes;
              WITH_GRAPH_RDLOCK_GUARD() {
 -                bdrv_round_to_clusters(blk_bs(s->target), offset, io_bytes,
 -                                       &target_offset, &target_bytes);
 +                bdrv_round_to_subclusters(blk_bs(s->target), offset, io_bytes,
 +                                          &target_offset, &target_bytes);
              }
              if (target_offset == offset &&
                  target_bytes == io_bytes) {
 --
-.26.2
+.41.0

-[PULL v2 28/28] iotests: add commit top->base cases to 274
+[PULL v2 8/8] tests/qemu-iotests/197: add testcase for CoR with subclusters
-From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+From: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
-These cases are fixed by previous patches around block_status and
+Add testcase which checks that allocations during copy-on-read are
-is_allocated.
+performed on the subcluster basis when subclusters are enabled in target
 image.
-Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+This testcase also triggers the following assert with previous commit
 not being applied, so we check that as well:
 qemu-io: ../block/io.c:1236: bdrv_co_do_copy_on_readv: Assertion `skip_bytes < pnum' failed.
 Reviewed-by: Eric Blake <eblake@redhat.com>
-Reviewed-by: Alberto Garcia <berto@igalia.com>
+Reviewed-by: Denis V. Lunev <den@openvz.org>
-Message-id: 20200924194003.22080-6-vsementsov@virtuozzo.com
+Signed-off-by: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
 Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-ID: <20230711172553.234055-4-andrey.drobyshev@virtuozzo.com>
 ---
- tests/qemu-iotests/274     | 20 +++++++++++
+ tests/qemu-iotests/197     | 29 +++++++++++++++++++++++++++++
- tests/qemu-iotests/274.out | 68 ++++++++++++++++++++++++++++++++++++++
+ tests/qemu-iotests/197.out | 24 ++++++++++++++++++++++++
-files changed, 88 insertions(+)
+files changed, 53 insertions(+)
-diff --git a/tests/qemu-iotests/274 b/tests/qemu-iotests/274
+diff --git a/tests/qemu-iotests/197 b/tests/qemu-iotests/197
 index XXXXXXX..XXXXXXX 100755
---- a/tests/qemu-iotests/274
+--- a/tests/qemu-iotests/197
-+++ b/tests/qemu-iotests/274
++++ b/tests/qemu-iotests/197
-@@ -XXX,XX +XXX,XX @@ with iotests.FilePath('base') as base, \
+@@ -XXX,XX +XXX,XX @@ $QEMU_IO -f qcow2 -C -c 'read 0 1024' "$TEST_WRAP" | _filter_qemu_io
-     iotests.qemu_io_log('-c', 'read -P 1 0 %d' % size_short, mid)
+ $QEMU_IO -f qcow2 -c map "$TEST_WRAP"
-     iotests.qemu_io_log('-c', 'read -P 0 %d %d' % (size_short, size_diff), mid)
+ _check_test_img
-+    iotests.log('=== Testing qemu-img commit (top -> base) ===')
++echo
 +echo '=== Copy-on-read with subclusters ==='
 +echo
 +
-+    create_chain()
++# Create base and top images 64K (1 cluster) each.  Make subclusters enabled
-+    iotests.qemu_img_log('commit', '-b', base, top)
++# for the top image
-+    iotests.img_info_log(base)
++_make_test_img 64K
-+    iotests.qemu_io_log('-c', 'read -P 1 0 %d' % size_short, base)
++IMGPROTO=file IMGFMT=qcow2 TEST_IMG_FILE="$TEST_WRAP" \
-+    iotests.qemu_io_log('-c', 'read -P 0 %d %d' % (size_short, size_diff), base)
++    _make_test_img --no-opts -o extended_l2=true -F "$IMGFMT" -b "$TEST_IMG" \
 +    64K | _filter_img_create
 +
-+    iotests.log('=== Testing QMP active commit (top -> base) ===')
++$QEMU_IO -c "write -P 0xaa 0 64k" "$TEST_IMG" | _filter_qemu_io
 +
-+    create_chain()
++# Allocate individual subclusters in the top image, and not the whole cluster
-+    with create_vm() as vm:
++$QEMU_IO -c "write -P 0xbb 28K 2K" -c "write -P 0xcc 34K 2K" "$TEST_WRAP" \
-+        vm.launch()
++    | _filter_qemu_io
 +        vm.qmp_log('block-commit', device='top', base_node='base',
 +                   job_id='job0', auto_dismiss=False)
 +        vm.run_job('job0', wait=5)
 +
-+    iotests.img_info_log(mid)
++# Only 2 subclusters should be allocated in the top image at this point
-+    iotests.qemu_io_log('-c', 'read -P 1 0 %d' % size_short, base)
++$QEMU_IMG map "$TEST_WRAP" | _filter_qemu_img_map
-+    iotests.qemu_io_log('-c', 'read -P 0 %d %d' % (size_short, size_diff), base)
++
++# Actual copy-on-read operation
-     iotests.log('== Resize tests ==')
++$QEMU_IO -C -c "read -P 0xaa 30K 4K" "$TEST_WRAP" | _filter_qemu_io
++
-diff --git a/tests/qemu-iotests/274.out b/tests/qemu-iotests/274.out
++# And here we should have 4 subclusters allocated right in the middle of the
 +# top image. Make sure the whole cluster remains unallocated
 +$QEMU_IMG map "$TEST_WRAP" | _filter_qemu_img_map
 +
 +_check_test_img
 +
  # success, all done
  echo '*** done'
  status=0
 diff --git a/tests/qemu-iotests/197.out b/tests/qemu-iotests/197.out
 index XXXXXXX..XXXXXXX 100644
---- a/tests/qemu-iotests/274.out
+--- a/tests/qemu-iotests/197.out
-+++ b/tests/qemu-iotests/274.out
++++ b/tests/qemu-iotests/197.out
-@@ -XXX,XX +XXX,XX @@ read 1048576/1048576 bytes at offset 0
+@@ -XXX,XX +XXX,XX @@ read 1024/1024 bytes at offset 0
- read 1048576/1048576 bytes at offset 1048576
+KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
-MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+KiB (0x400) bytes     allocated at offset 0 bytes (0x0)
+ No errors were found on the image.
 +=== Testing qemu-img commit (top -> base) ===
 +Formatting 'TEST_DIR/PID-base', fmt=qcow2 cluster_size=65536 extended_l2=off compression_type=zlib size=2097152 lazy_refcounts=off refcount_bits=16
 +
-+Formatting 'TEST_DIR/PID-mid', fmt=qcow2 cluster_size=65536 extended_l2=off compression_type=zlib size=1048576 backing_file=TEST_DIR/PID-base backing_fmt=qcow2 lazy_refcounts=off refcount_bits=16
++=== Copy-on-read with subclusters ===
 +
-+Formatting 'TEST_DIR/PID-top', fmt=qcow2 cluster_size=65536 extended_l2=off compression_type=zlib size=2097152 backing_file=TEST_DIR/PID-mid backing_fmt=qcow2 lazy_refcounts=off refcount_bits=16
++Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=65536
-+
++Formatting 'TEST_DIR/t.wrap.IMGFMT', fmt=IMGFMT size=65536 backing_file=TEST_DIR/t.IMGFMT backing_fmt=IMGFMT
-+wrote 2097152/2097152 bytes at offset 0
++wrote 65536/65536 bytes at offset 0
-+2 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
++64 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
-+
++wrote 2048/2048 bytes at offset 28672
-+Image committed.
++2 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
-+
++wrote 2048/2048 bytes at offset 34816
-+image: TEST_IMG
++2 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
-+file format: IMGFMT
++Offset          Length          File
-+virtual size: 2 MiB (2097152 bytes)
++0               0x7000          TEST_DIR/t.IMGFMT
-+cluster_size: 65536
++0x7000          0x800           TEST_DIR/t.wrap.IMGFMT
-+Format specific information:
++0x7800          0x1000          TEST_DIR/t.IMGFMT
-+    compat: 1.1
++0x8800          0x800           TEST_DIR/t.wrap.IMGFMT
-+    compression type: zlib
++0x9000          0x7000          TEST_DIR/t.IMGFMT
-+    lazy refcounts: false
++read 4096/4096 bytes at offset 30720
-+    refcount bits: 16
++4 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
-+    corrupt: false
++Offset          Length          File
-+    extended l2: false
++0               0x7000          TEST_DIR/t.IMGFMT
-+
++0x7000          0x2000          TEST_DIR/t.wrap.IMGFMT
-+read 1048576/1048576 bytes at offset 0
++0x9000          0x7000          TEST_DIR/t.IMGFMT
-+1 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
++No errors were found on the image.
-+
+ *** done
 +read 1048576/1048576 bytes at offset 1048576
 +1 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
 +
 +=== Testing QMP active commit (top -> base) ===
 +Formatting 'TEST_DIR/PID-base', fmt=qcow2 cluster_size=65536 extended_l2=off compression_type=zlib size=2097152 lazy_refcounts=off refcount_bits=16
 +
 +Formatting 'TEST_DIR/PID-mid', fmt=qcow2 cluster_size=65536 extended_l2=off compression_type=zlib size=1048576 backing_file=TEST_DIR/PID-base backing_fmt=qcow2 lazy_refcounts=off refcount_bits=16
 +
 +Formatting 'TEST_DIR/PID-top', fmt=qcow2 cluster_size=65536 extended_l2=off compression_type=zlib size=2097152 backing_file=TEST_DIR/PID-mid backing_fmt=qcow2 lazy_refcounts=off refcount_bits=16
 +
 +wrote 2097152/2097152 bytes at offset 0
 +2 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
 +
 +{"execute": "block-commit", "arguments": {"auto-dismiss": false, "base-node": "base", "device": "top", "job-id": "job0"}}
 +{"return": {}}
 +{"execute": "job-complete", "arguments": {"id": "job0"}}
 +{"return": {}}
 +{"data": {"device": "job0", "len": 1048576, "offset": 1048576, "speed": 0, "type": "commit"}, "event": "BLOCK_JOB_READY", "timestamp": {"microseconds": "USECS", "seconds": "SECS"}}
 +{"data": {"device": "job0", "len": 1048576, "offset": 1048576, "speed": 0, "type": "commit"}, "event": "BLOCK_JOB_COMPLETED", "timestamp": {"microseconds": "USECS", "seconds": "SECS"}}
 +{"execute": "job-dismiss", "arguments": {"id": "job0"}}
 +{"return": {}}
 +image: TEST_IMG
 +file format: IMGFMT
 +virtual size: 1 MiB (1048576 bytes)
 +cluster_size: 65536
 +backing file: TEST_DIR/PID-base
 +backing file format: IMGFMT
 +Format specific information:
 +    compat: 1.1
 +    compression type: zlib
 +    lazy refcounts: false
 +    refcount bits: 16
 +    corrupt: false
 +    extended l2: false
 +
 +read 1048576/1048576 bytes at offset 0
 +1 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
 +
 +read 1048576/1048576 bytes at offset 1048576
 +1 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
 +
  == Resize tests ==
  === preallocation=off ===
  Formatting 'TEST_DIR/PID-base', fmt=qcow2 cluster_size=65536 extended_l2=off compression_type=zlib size=6442450944 lazy_refcounts=off refcount_bits=16
 --
-.26.2
+.41.0

The following changes since commit ac793156f650ae2d77834932d72224175ee69086:

Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20201020-1' into staging (2020-10-20 21:11:35 +0100)

are available in the Git repository at:

https://gitlab.com/stefanha/qemu.git tags/block-pull-request

for you to fetch changes up to 32a3fd65e7e3551337fd26bfc0e2f899d70c028c:

iotests: add commit top->base cases to 274 (2020-10-22 09:55:39 +0100)

----------------------------------------------------------------
Pull request

v2:
 * Fix format string issues on 32-bit hosts [Peter]
 * Fix qemu-nbd.c CONFIG_POSIX ifdef issue [Eric]
 * Fix missing eventfd.h header on macOS [Peter]
 * Drop unreliable vhost-user-blk test (will send a new patch when ready) [Peter]

This pull request contains the vhost-user-blk server by Coiby Xu along with my
additions, block/nvme.c alignment and hardware error statistics by Philippe
Mathieu-Daudé, and bdrv_co_block_status_above() fixes by Vladimir
Sementsov-Ogievskiy.

----------------------------------------------------------------

Coiby Xu (6):
  libvhost-user: Allow vu_message_read to be replaced
  libvhost-user: remove watch for kick_fd when de-initialize vu-dev
  util/vhost-user-server: generic vhost user server
  block: move logical block size check function to a common utility
    function
  block/export: vhost-user block device backend server
  MAINTAINERS: Add vhost-user block device backend server maintainer

Philippe Mathieu-Daudé (1):
  block/nvme: Add driver statistics for access alignment and hw errors

Stefan Hajnoczi (16):
  util/vhost-user-server: s/fileds/fields/ typo fix
  util/vhost-user-server: drop unnecessary QOM cast
  util/vhost-user-server: drop unnecessary watch deletion
  block/export: consolidate request structs into VuBlockReq
  util/vhost-user-server: drop unused DevicePanicNotifier
  util/vhost-user-server: fix memory leak in vu_message_read()
  util/vhost-user-server: check EOF when reading payload
  util/vhost-user-server: rework vu_client_trip() coroutine lifecycle
  block/export: report flush errors
  block/export: convert vhost-user-blk server to block export API
  util/vhost-user-server: move header to include/
  util/vhost-user-server: use static library in meson.build
  qemu-storage-daemon: avoid compiling blockdev_ss twice
  block: move block exports to libblockdev
  block/export: add iothread and fixed-iothread options
  block/export: add vhost-user-blk multi-queue support

Vladimir Sementsov-Ogievskiy (5):
  block/io: fix bdrv_co_block_status_above
  block/io: bdrv_common_block_status_above: support include_base
  block/io: bdrv_common_block_status_above: support bs == base
  block/io: fix bdrv_is_allocated_above
  iotests: add commit top->base cases to 274

-- 
2.26.2

From: Philippe Mathieu-Daudé <philmd@redhat.com>

Keep statistics of some hardware errors, and number of
aligned/unaligned I/O accesses.

QMP example booting a full RHEL 8.3 aarch64 guest:

{ "execute": "query-blockstats" }
{
    "return": [
        {
            "device": "",
            "node-name": "drive0",
            "stats": {
                "flush_total_time_ns": 6026948,
                "wr_highest_offset": 3383991230464,
                "wr_total_time_ns": 807450995,
                "failed_wr_operations": 0,
                "failed_rd_operations": 0,
                "wr_merged": 3,
                "wr_bytes": 50133504,
                "failed_unmap_operations": 0,
                "failed_flush_operations": 0,
                "account_invalid": false,
                "rd_total_time_ns": 1846979900,
                "flush_operations": 130,
                "wr_operations": 659,
                "rd_merged": 1192,
                "rd_bytes": 218244096,
                "account_failed": false,
                "idle_time_ns": 2678641497,
                "rd_operations": 7406,
            },
            "driver-specific": {
                "driver": "nvme",
                "completion-errors": 0,
                "unaligned-accesses": 2959,
                "aligned-accesses": 4477
            },
            "qdev": "/machine/peripheral-anon/device[0]/virtio-backend"
        }
    ]
}

Suggested-by: Stefan Hajnoczi <stefanha@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Acked-by: Markus Armbruster <armbru@redhat.com>
Message-id: 20201001162939.1567915-1-philmd@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 qapi/block-core.json | 24 +++++++++++++++++++++++-
 block/nvme.c         | 27 +++++++++++++++++++++++++++
 2 files changed, 50 insertions(+), 1 deletion(-)

diff --git a/qapi/block-core.json b/qapi/block-core.json
index XXXXXXX..XXXXXXX 100644
--- a/qapi/block-core.json
+++ b/qapi/block-core.json
@@ -XXX,XX +XXX,XX @@
       'discard-nb-failed': 'uint64',
       'discard-bytes-ok': 'uint64' } }
 
+##
+# @BlockStatsSpecificNvme:
+#
+# NVMe driver statistics
+#
+# @completion-errors: The number of completion errors.
+#
+# @aligned-accesses: The number of aligned accesses performed by
+#                    the driver.
+#
+# @unaligned-accesses: The number of unaligned accesses performed by
+#                      the driver.
+#
+# Since: 5.2
+##
+{ 'struct': 'BlockStatsSpecificNvme',
+  'data': {
+      'completion-errors': 'uint64',
+      'aligned-accesses': 'uint64',
+      'unaligned-accesses': 'uint64' } }
+
 ##
 # @BlockStatsSpecific:
 #
@@ -XXX,XX +XXX,XX @@
   'discriminator': 'driver',
   'data': {
       'file': 'BlockStatsSpecificFile',
-      'host_device': 'BlockStatsSpecificFile' } }
+      'host_device': 'BlockStatsSpecificFile',
+      'nvme': 'BlockStatsSpecificNvme' } }
 
 ##
 # @BlockStats:
diff --git a/block/nvme.c b/block/nvme.c
index XXXXXXX..XXXXXXX 100644
--- a/block/nvme.c
+++ b/block/nvme.c
@@ -XXX,XX +XXX,XX @@ struct BDRVNVMeState {
 
     /* PCI address (required for nvme_refresh_filename()) */
     char *device;
+
+    struct {
+        uint64_t completion_errors;
+        uint64_t aligned_accesses;
+        uint64_t unaligned_accesses;
+    } stats;
 };
 
 #define NVME_BLOCK_OPT_DEVICE "device"
@@ -XXX,XX +XXX,XX @@ static bool nvme_process_completion(NVMeQueuePair *q)
             break;
         }
         ret = nvme_translate_error(c);
+        if (ret) {
+            s->stats.completion_errors++;
+        }
         q->cq.head = (q->cq.head + 1) % NVME_QUEUE_SIZE;
         if (!q->cq.head) {
             q->cq_phase = !q->cq_phase;
@@ -XXX,XX +XXX,XX @@ static int nvme_co_prw(BlockDriverState *bs, uint64_t offset, uint64_t bytes,
     assert(QEMU_IS_ALIGNED(bytes, s->page_size));
     assert(bytes <= s->max_transfer);
     if (nvme_qiov_aligned(bs, qiov)) {
+        s->stats.aligned_accesses++;
         return nvme_co_prw_aligned(bs, offset, bytes, qiov, is_write, flags);
     }
+    s->stats.unaligned_accesses++;
     trace_nvme_prw_buffered(s, offset, bytes, qiov->niov, is_write);
     buf = qemu_try_memalign(s->page_size, bytes);
 
@@ -XXX,XX +XXX,XX @@ static void nvme_unregister_buf(BlockDriverState *bs, void *host)
     qemu_vfio_dma_unmap(s->vfio, host);
 }
 
+static BlockStatsSpecific *nvme_get_specific_stats(BlockDriverState *bs)
+{
+    BlockStatsSpecific *stats = g_new(BlockStatsSpecific, 1);
+    BDRVNVMeState *s = bs->opaque;
+
+    stats->driver = BLOCKDEV_DRIVER_NVME;
+    stats->u.nvme = (BlockStatsSpecificNvme) {
+        .completion_errors = s->stats.completion_errors,
+        .aligned_accesses = s->stats.aligned_accesses,
+        .unaligned_accesses = s->stats.unaligned_accesses,
+    };
+
+    return stats;
+}
+
 static const char *const nvme_strong_runtime_opts[] = {
     NVME_BLOCK_OPT_DEVICE,
     NVME_BLOCK_OPT_NAMESPACE,
@@ -XXX,XX +XXX,XX @@ static BlockDriver bdrv_nvme = {
     .bdrv_refresh_filename    = nvme_refresh_filename,
     .bdrv_refresh_limits      = nvme_refresh_limits,
     .strong_runtime_opts      = nvme_strong_runtime_opts,
+    .bdrv_get_specific_stats  = nvme_get_specific_stats,
 
     .bdrv_detach_aio_context  = nvme_detach_aio_context,
     .bdrv_attach_aio_context  = nvme_attach_aio_context,
-- 
2.26.2