xref: /freebsd/sys/dev/mpr/mpr_sas.c (revision 3332f1b444d4a73238e9f59cca27bfc95fe936bd)
1 /*-
2  * Copyright (c) 2009 Yahoo! Inc.
3  * Copyright (c) 2011-2015 LSI Corp.
4  * Copyright (c) 2013-2016 Avago Technologies
5  * Copyright 2000-2020 Broadcom Inc.
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer.
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27  * SUCH DAMAGE.
28  *
29  * Broadcom Inc. (LSI) MPT-Fusion Host Adapter FreeBSD
30  *
31  */
32 
33 #include <sys/cdefs.h>
34 __FBSDID("$FreeBSD$");
35 
36 /* Communications core for Avago Technologies (LSI) MPT3 */
37 
38 /* TODO Move headers to mprvar */
39 #include <sys/types.h>
40 #include <sys/param.h>
41 #include <sys/systm.h>
42 #include <sys/kernel.h>
43 #include <sys/selinfo.h>
44 #include <sys/module.h>
45 #include <sys/bus.h>
46 #include <sys/conf.h>
47 #include <sys/bio.h>
48 #include <sys/malloc.h>
49 #include <sys/uio.h>
50 #include <sys/sysctl.h>
51 #include <sys/endian.h>
52 #include <sys/queue.h>
53 #include <sys/kthread.h>
54 #include <sys/taskqueue.h>
55 #include <sys/sbuf.h>
56 
57 #include <machine/bus.h>
58 #include <machine/resource.h>
59 #include <sys/rman.h>
60 
61 #include <machine/stdarg.h>
62 
63 #include <cam/cam.h>
64 #include <cam/cam_ccb.h>
65 #include <cam/cam_debug.h>
66 #include <cam/cam_sim.h>
67 #include <cam/cam_xpt_sim.h>
68 #include <cam/cam_xpt_periph.h>
69 #include <cam/cam_periph.h>
70 #include <cam/scsi/scsi_all.h>
71 #include <cam/scsi/scsi_message.h>
72 #include <cam/scsi/smp_all.h>
73 
74 #include <dev/nvme/nvme.h>
75 
76 #include <dev/mpr/mpi/mpi2_type.h>
77 #include <dev/mpr/mpi/mpi2.h>
78 #include <dev/mpr/mpi/mpi2_ioc.h>
79 #include <dev/mpr/mpi/mpi2_sas.h>
80 #include <dev/mpr/mpi/mpi2_pci.h>
81 #include <dev/mpr/mpi/mpi2_cnfg.h>
82 #include <dev/mpr/mpi/mpi2_init.h>
83 #include <dev/mpr/mpi/mpi2_tool.h>
84 #include <dev/mpr/mpr_ioctl.h>
85 #include <dev/mpr/mprvar.h>
86 #include <dev/mpr/mpr_table.h>
87 #include <dev/mpr/mpr_sas.h>
88 
89 #define MPRSAS_DISCOVERY_TIMEOUT	20
90 #define MPRSAS_MAX_DISCOVERY_TIMEOUTS	10 /* 200 seconds */
91 
92 /*
93  * static array to check SCSI OpCode for EEDP protection bits
94  */
95 #define	PRO_R MPI2_SCSIIO_EEDPFLAGS_CHECK_REMOVE_OP
96 #define	PRO_W MPI2_SCSIIO_EEDPFLAGS_INSERT_OP
97 #define	PRO_V MPI2_SCSIIO_EEDPFLAGS_INSERT_OP
98 static uint8_t op_code_prot[256] = {
99 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
100 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
101 	0, 0, 0, 0, 0, 0, 0, 0, PRO_R, 0, PRO_W, 0, 0, 0, PRO_W, PRO_V,
102 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
103 	0, PRO_W, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
104 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
105 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
106 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
107 	0, 0, 0, 0, 0, 0, 0, 0, PRO_R, 0, PRO_W, 0, 0, 0, PRO_W, PRO_V,
108 	0, 0, 0, PRO_W, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
109 	0, 0, 0, 0, 0, 0, 0, 0, PRO_R, 0, PRO_W, 0, 0, 0, PRO_W, PRO_V,
110 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
111 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
112 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
113 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
114 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
115 };
116 
117 MALLOC_DEFINE(M_MPRSAS, "MPRSAS", "MPR SAS memory");
118 
119 static void mprsas_remove_device(struct mpr_softc *, struct mpr_command *);
120 static void mprsas_remove_complete(struct mpr_softc *, struct mpr_command *);
121 static void mprsas_action(struct cam_sim *sim, union ccb *ccb);
122 static void mprsas_poll(struct cam_sim *sim);
123 static void mprsas_scsiio_timeout(void *data);
124 static void mprsas_abort_complete(struct mpr_softc *sc, struct mpr_command *cm);
125 static void mprsas_action_scsiio(struct mprsas_softc *, union ccb *);
126 static void mprsas_scsiio_complete(struct mpr_softc *, struct mpr_command *);
127 static void mprsas_action_resetdev(struct mprsas_softc *, union ccb *);
128 static void mprsas_resetdev_complete(struct mpr_softc *, struct mpr_command *);
129 static int mprsas_send_abort(struct mpr_softc *sc, struct mpr_command *tm,
130     struct mpr_command *cm);
131 static void mprsas_async(void *callback_arg, uint32_t code,
132     struct cam_path *path, void *arg);
133 static int mprsas_send_portenable(struct mpr_softc *sc);
134 static void mprsas_portenable_complete(struct mpr_softc *sc,
135     struct mpr_command *cm);
136 
137 static void mprsas_smpio_complete(struct mpr_softc *sc, struct mpr_command *cm);
138 static void mprsas_send_smpcmd(struct mprsas_softc *sassc, union ccb *ccb,
139     uint64_t sasaddr);
140 static void mprsas_action_smpio(struct mprsas_softc *sassc, union ccb *ccb);
141 
142 struct mprsas_target *
143 mprsas_find_target_by_handle(struct mprsas_softc *sassc, int start,
144     uint16_t handle)
145 {
146 	struct mprsas_target *target;
147 	int i;
148 
149 	for (i = start; i < sassc->maxtargets; i++) {
150 		target = &sassc->targets[i];
151 		if (target->handle == handle)
152 			return (target);
153 	}
154 
155 	return (NULL);
156 }
157 
158 /* we need to freeze the simq during attach and diag reset, to avoid failing
159  * commands before device handles have been found by discovery.  Since
160  * discovery involves reading config pages and possibly sending commands,
161  * discovery actions may continue even after we receive the end of discovery
162  * event, so refcount discovery actions instead of assuming we can unfreeze
163  * the simq when we get the event.
164  */
165 void
166 mprsas_startup_increment(struct mprsas_softc *sassc)
167 {
168 	MPR_FUNCTRACE(sassc->sc);
169 
170 	if ((sassc->flags & MPRSAS_IN_STARTUP) != 0) {
171 		if (sassc->startup_refcount++ == 0) {
172 			/* just starting, freeze the simq */
173 			mpr_dprint(sassc->sc, MPR_INIT,
174 			    "%s freezing simq\n", __func__);
175 			xpt_hold_boot();
176 			xpt_freeze_simq(sassc->sim, 1);
177 		}
178 		mpr_dprint(sassc->sc, MPR_INIT, "%s refcount %u\n", __func__,
179 		    sassc->startup_refcount);
180 	}
181 }
182 
183 void
184 mprsas_release_simq_reinit(struct mprsas_softc *sassc)
185 {
186 	if (sassc->flags & MPRSAS_QUEUE_FROZEN) {
187 		sassc->flags &= ~MPRSAS_QUEUE_FROZEN;
188 		xpt_release_simq(sassc->sim, 1);
189 		mpr_dprint(sassc->sc, MPR_INFO, "Unfreezing SIM queue\n");
190 	}
191 }
192 
193 void
194 mprsas_startup_decrement(struct mprsas_softc *sassc)
195 {
196 	MPR_FUNCTRACE(sassc->sc);
197 
198 	if ((sassc->flags & MPRSAS_IN_STARTUP) != 0) {
199 		if (--sassc->startup_refcount == 0) {
200 			/* finished all discovery-related actions, release
201 			 * the simq and rescan for the latest topology.
202 			 */
203 			mpr_dprint(sassc->sc, MPR_INIT,
204 			    "%s releasing simq\n", __func__);
205 			sassc->flags &= ~MPRSAS_IN_STARTUP;
206 			xpt_release_simq(sassc->sim, 1);
207 			xpt_release_boot();
208 		}
209 		mpr_dprint(sassc->sc, MPR_INIT, "%s refcount %u\n", __func__,
210 		    sassc->startup_refcount);
211 	}
212 }
213 
214 /*
215  * The firmware requires us to stop sending commands when we're doing task
216  * management.
217  * use.
218  * XXX The logic for serializing the device has been made lazy and moved to
219  * mprsas_prepare_for_tm().
220  */
221 struct mpr_command *
222 mprsas_alloc_tm(struct mpr_softc *sc)
223 {
224 	MPI2_SCSI_TASK_MANAGE_REQUEST *req;
225 	struct mpr_command *tm;
226 
227 	MPR_FUNCTRACE(sc);
228 	tm = mpr_alloc_high_priority_command(sc);
229 	if (tm == NULL)
230 		return (NULL);
231 
232 	req = (MPI2_SCSI_TASK_MANAGE_REQUEST *)tm->cm_req;
233 	req->Function = MPI2_FUNCTION_SCSI_TASK_MGMT;
234 	return tm;
235 }
236 
237 void
238 mprsas_free_tm(struct mpr_softc *sc, struct mpr_command *tm)
239 {
240 
241 	MPR_FUNCTRACE(sc);
242 	if (tm == NULL)
243 		return;
244 
245 	/*
246 	 * For TM's the devq is frozen for the device.  Unfreeze it here and
247 	 * free the resources used for freezing the devq.  Must clear the
248 	 * INRESET flag as well or scsi I/O will not work.
249 	 */
250 	if (tm->cm_ccb) {
251 		mpr_dprint(sc, MPR_XINFO, "Unfreezing devq for target ID %d\n",
252 		    tm->cm_targ->tid);
253 		tm->cm_targ->flags &= ~MPRSAS_TARGET_INRESET;
254 		xpt_release_devq(tm->cm_ccb->ccb_h.path, 1, TRUE);
255 		xpt_free_path(tm->cm_ccb->ccb_h.path);
256 		xpt_free_ccb(tm->cm_ccb);
257 	}
258 
259 	mpr_free_high_priority_command(sc, tm);
260 }
261 
262 void
263 mprsas_rescan_target(struct mpr_softc *sc, struct mprsas_target *targ)
264 {
265 	struct mprsas_softc *sassc = sc->sassc;
266 	path_id_t pathid;
267 	target_id_t targetid;
268 	union ccb *ccb;
269 
270 	MPR_FUNCTRACE(sc);
271 	pathid = cam_sim_path(sassc->sim);
272 	if (targ == NULL)
273 		targetid = CAM_TARGET_WILDCARD;
274 	else
275 		targetid = targ - sassc->targets;
276 
277 	/*
278 	 * Allocate a CCB and schedule a rescan.
279 	 */
280 	ccb = xpt_alloc_ccb_nowait();
281 	if (ccb == NULL) {
282 		mpr_dprint(sc, MPR_ERROR, "unable to alloc CCB for rescan\n");
283 		return;
284 	}
285 
286 	if (xpt_create_path(&ccb->ccb_h.path, NULL, pathid, targetid,
287 	    CAM_LUN_WILDCARD) != CAM_REQ_CMP) {
288 		mpr_dprint(sc, MPR_ERROR, "unable to create path for rescan\n");
289 		xpt_free_ccb(ccb);
290 		return;
291 	}
292 
293 	if (targetid == CAM_TARGET_WILDCARD)
294 		ccb->ccb_h.func_code = XPT_SCAN_BUS;
295 	else
296 		ccb->ccb_h.func_code = XPT_SCAN_TGT;
297 
298 	mpr_dprint(sc, MPR_TRACE, "%s targetid %u\n", __func__, targetid);
299 	xpt_rescan(ccb);
300 }
301 
302 static void
303 mprsas_log_command(struct mpr_command *cm, u_int level, const char *fmt, ...)
304 {
305 	struct sbuf sb;
306 	va_list ap;
307 	char str[224];
308 	char path_str[64];
309 
310 	if (cm == NULL)
311 		return;
312 
313 	/* No need to be in here if debugging isn't enabled */
314 	if ((cm->cm_sc->mpr_debug & level) == 0)
315 		return;
316 
317 	sbuf_new(&sb, str, sizeof(str), 0);
318 
319 	va_start(ap, fmt);
320 
321 	if (cm->cm_ccb != NULL) {
322 		xpt_path_string(cm->cm_ccb->csio.ccb_h.path, path_str,
323 		    sizeof(path_str));
324 		sbuf_cat(&sb, path_str);
325 		if (cm->cm_ccb->ccb_h.func_code == XPT_SCSI_IO) {
326 			scsi_command_string(&cm->cm_ccb->csio, &sb);
327 			sbuf_printf(&sb, "length %d ",
328 			    cm->cm_ccb->csio.dxfer_len);
329 		}
330 	} else {
331 		sbuf_printf(&sb, "(noperiph:%s%d:%u:%u:%u): ",
332 		    cam_sim_name(cm->cm_sc->sassc->sim),
333 		    cam_sim_unit(cm->cm_sc->sassc->sim),
334 		    cam_sim_bus(cm->cm_sc->sassc->sim),
335 		    cm->cm_targ ? cm->cm_targ->tid : 0xFFFFFFFF,
336 		    cm->cm_lun);
337 	}
338 
339 	sbuf_printf(&sb, "SMID %u ", cm->cm_desc.Default.SMID);
340 	sbuf_vprintf(&sb, fmt, ap);
341 	sbuf_finish(&sb);
342 	mpr_print_field(cm->cm_sc, "%s", sbuf_data(&sb));
343 
344 	va_end(ap);
345 }
346 
347 static void
348 mprsas_remove_volume(struct mpr_softc *sc, struct mpr_command *tm)
349 {
350 	MPI2_SCSI_TASK_MANAGE_REPLY *reply;
351 	struct mprsas_target *targ;
352 	uint16_t handle;
353 
354 	MPR_FUNCTRACE(sc);
355 
356 	reply = (MPI2_SCSI_TASK_MANAGE_REPLY *)tm->cm_reply;
357 	handle = (uint16_t)(uintptr_t)tm->cm_complete_data;
358 	targ = tm->cm_targ;
359 
360 	if (reply == NULL) {
361 		/* XXX retry the remove after the diag reset completes? */
362 		mpr_dprint(sc, MPR_FAULT, "%s NULL reply resetting device "
363 		    "0x%04x\n", __func__, handle);
364 		mprsas_free_tm(sc, tm);
365 		return;
366 	}
367 
368 	if ((le16toh(reply->IOCStatus) & MPI2_IOCSTATUS_MASK) !=
369 	    MPI2_IOCSTATUS_SUCCESS) {
370 		mpr_dprint(sc, MPR_ERROR, "IOCStatus = 0x%x while resetting "
371 		    "device 0x%x\n", le16toh(reply->IOCStatus), handle);
372 	}
373 
374 	mpr_dprint(sc, MPR_XINFO, "Reset aborted %u commands\n",
375 	    le32toh(reply->TerminationCount));
376 	mpr_free_reply(sc, tm->cm_reply_data);
377 	tm->cm_reply = NULL;	/* Ensures the reply won't get re-freed */
378 
379 	mpr_dprint(sc, MPR_XINFO, "clearing target %u handle 0x%04x\n",
380 	    targ->tid, handle);
381 
382 	/*
383 	 * Don't clear target if remove fails because things will get confusing.
384 	 * Leave the devname and sasaddr intact so that we know to avoid reusing
385 	 * this target id if possible, and so we can assign the same target id
386 	 * to this device if it comes back in the future.
387 	 */
388 	if ((le16toh(reply->IOCStatus) & MPI2_IOCSTATUS_MASK) ==
389 	    MPI2_IOCSTATUS_SUCCESS) {
390 		targ = tm->cm_targ;
391 		targ->handle = 0x0;
392 		targ->encl_handle = 0x0;
393 		targ->encl_level_valid = 0x0;
394 		targ->encl_level = 0x0;
395 		targ->connector_name[0] = ' ';
396 		targ->connector_name[1] = ' ';
397 		targ->connector_name[2] = ' ';
398 		targ->connector_name[3] = ' ';
399 		targ->encl_slot = 0x0;
400 		targ->exp_dev_handle = 0x0;
401 		targ->phy_num = 0x0;
402 		targ->linkrate = 0x0;
403 		targ->devinfo = 0x0;
404 		targ->flags = 0x0;
405 		targ->scsi_req_desc_type = 0;
406 	}
407 
408 	mprsas_free_tm(sc, tm);
409 }
410 
411 /*
412  * Retry mprsas_prepare_remove() if some previous attempt failed to allocate
413  * high priority command due to limit reached.
414  */
415 void
416 mprsas_prepare_remove_retry(struct mprsas_softc *sassc)
417 {
418 	struct mprsas_target *target;
419 	int i;
420 
421 	if ((sassc->flags & MPRSAS_TOREMOVE) == 0)
422 		return;
423 
424 	for (i = 0; i < sassc->maxtargets; i++) {
425 		target = &sassc->targets[i];
426 		if ((target->flags & MPRSAS_TARGET_TOREMOVE) == 0)
427 			continue;
428 		if (TAILQ_EMPTY(&sassc->sc->high_priority_req_list))
429 			return;
430 		target->flags &= ~MPRSAS_TARGET_TOREMOVE;
431 		if (target->flags & MPR_TARGET_FLAGS_VOLUME)
432 			mprsas_prepare_volume_remove(sassc, target->handle);
433 		else
434 			mprsas_prepare_remove(sassc, target->handle);
435 	}
436 	sassc->flags &= ~MPRSAS_TOREMOVE;
437 }
438 
439 /*
440  * No Need to call "MPI2_SAS_OP_REMOVE_DEVICE" For Volume removal.
441  * Otherwise Volume Delete is same as Bare Drive Removal.
442  */
443 void
444 mprsas_prepare_volume_remove(struct mprsas_softc *sassc, uint16_t handle)
445 {
446 	MPI2_SCSI_TASK_MANAGE_REQUEST *req;
447 	struct mpr_softc *sc;
448 	struct mpr_command *cm;
449 	struct mprsas_target *targ = NULL;
450 
451 	MPR_FUNCTRACE(sassc->sc);
452 	sc = sassc->sc;
453 
454 	targ = mprsas_find_target_by_handle(sassc, 0, handle);
455 	if (targ == NULL) {
456 		/* FIXME: what is the action? */
457 		/* We don't know about this device? */
458 		mpr_dprint(sc, MPR_ERROR,
459 		   "%s %d : invalid handle 0x%x \n", __func__,__LINE__, handle);
460 		return;
461 	}
462 
463 	targ->flags |= MPRSAS_TARGET_INREMOVAL;
464 
465 	cm = mprsas_alloc_tm(sc);
466 	if (cm == NULL) {
467 		targ->flags |= MPRSAS_TARGET_TOREMOVE;
468 		sassc->flags |= MPRSAS_TOREMOVE;
469 		return;
470 	}
471 
472 	mprsas_rescan_target(sc, targ);
473 
474 	req = (MPI2_SCSI_TASK_MANAGE_REQUEST *)cm->cm_req;
475 	req->DevHandle = targ->handle;
476 	req->TaskType = MPI2_SCSITASKMGMT_TASKTYPE_TARGET_RESET;
477 
478 	if (!targ->is_nvme || sc->custom_nvme_tm_handling) {
479 		/* SAS Hard Link Reset / SATA Link Reset */
480 		req->MsgFlags = MPI2_SCSITASKMGMT_MSGFLAGS_LINK_RESET;
481 	} else {
482 		/* PCIe Protocol Level Reset*/
483 		req->MsgFlags =
484 		    MPI26_SCSITASKMGMT_MSGFLAGS_PROTOCOL_LVL_RST_PCIE;
485 	}
486 
487 	cm->cm_targ = targ;
488 	cm->cm_data = NULL;
489 	cm->cm_complete = mprsas_remove_volume;
490 	cm->cm_complete_data = (void *)(uintptr_t)handle;
491 
492 	mpr_dprint(sc, MPR_INFO, "%s: Sending reset for target ID %d\n",
493 	    __func__, targ->tid);
494 	mprsas_prepare_for_tm(sc, cm, targ, CAM_LUN_WILDCARD);
495 
496 	mpr_map_command(sc, cm);
497 }
498 
499 /*
500  * The firmware performs debounce on the link to avoid transient link errors
501  * and false removals.  When it does decide that link has been lost and a
502  * device needs to go away, it expects that the host will perform a target reset
503  * and then an op remove.  The reset has the side-effect of aborting any
504  * outstanding requests for the device, which is required for the op-remove to
505  * succeed.  It's not clear if the host should check for the device coming back
506  * alive after the reset.
507  */
508 void
509 mprsas_prepare_remove(struct mprsas_softc *sassc, uint16_t handle)
510 {
511 	MPI2_SCSI_TASK_MANAGE_REQUEST *req;
512 	struct mpr_softc *sc;
513 	struct mpr_command *tm;
514 	struct mprsas_target *targ = NULL;
515 
516 	MPR_FUNCTRACE(sassc->sc);
517 
518 	sc = sassc->sc;
519 
520 	targ = mprsas_find_target_by_handle(sassc, 0, handle);
521 	if (targ == NULL) {
522 		/* FIXME: what is the action? */
523 		/* We don't know about this device? */
524 		mpr_dprint(sc, MPR_ERROR, "%s : invalid handle 0x%x \n",
525 		    __func__, handle);
526 		return;
527 	}
528 
529 	targ->flags |= MPRSAS_TARGET_INREMOVAL;
530 
531 	tm = mprsas_alloc_tm(sc);
532 	if (tm == NULL) {
533 		targ->flags |= MPRSAS_TARGET_TOREMOVE;
534 		sassc->flags |= MPRSAS_TOREMOVE;
535 		return;
536 	}
537 
538 	mprsas_rescan_target(sc, targ);
539 
540 	req = (MPI2_SCSI_TASK_MANAGE_REQUEST *)tm->cm_req;
541 	req->DevHandle = htole16(targ->handle);
542 	req->TaskType = MPI2_SCSITASKMGMT_TASKTYPE_TARGET_RESET;
543 
544 	/* SAS Hard Link Reset / SATA Link Reset */
545 	req->MsgFlags = MPI2_SCSITASKMGMT_MSGFLAGS_LINK_RESET;
546 
547 	tm->cm_targ = targ;
548 	tm->cm_data = NULL;
549 	tm->cm_complete = mprsas_remove_device;
550 	tm->cm_complete_data = (void *)(uintptr_t)handle;
551 
552 	mpr_dprint(sc, MPR_INFO, "%s: Sending reset for target ID %d\n",
553 	    __func__, targ->tid);
554 	mprsas_prepare_for_tm(sc, tm, targ, CAM_LUN_WILDCARD);
555 
556 	mpr_map_command(sc, tm);
557 }
558 
559 static void
560 mprsas_remove_device(struct mpr_softc *sc, struct mpr_command *tm)
561 {
562 	MPI2_SCSI_TASK_MANAGE_REPLY *reply;
563 	MPI2_SAS_IOUNIT_CONTROL_REQUEST *req;
564 	struct mprsas_target *targ;
565 	uint16_t handle;
566 
567 	MPR_FUNCTRACE(sc);
568 
569 	reply = (MPI2_SCSI_TASK_MANAGE_REPLY *)tm->cm_reply;
570 	handle = (uint16_t)(uintptr_t)tm->cm_complete_data;
571 	targ = tm->cm_targ;
572 
573 	/*
574 	 * Currently there should be no way we can hit this case.  It only
575 	 * happens when we have a failure to allocate chain frames, and
576 	 * task management commands don't have S/G lists.
577 	 */
578 	if ((tm->cm_flags & MPR_CM_FLAGS_ERROR_MASK) != 0) {
579 		mpr_dprint(sc, MPR_ERROR, "%s: cm_flags = %#x for remove of "
580 		    "handle %#04x! This should not happen!\n", __func__,
581 		    tm->cm_flags, handle);
582 	}
583 
584 	if (reply == NULL) {
585 		/* XXX retry the remove after the diag reset completes? */
586 		mpr_dprint(sc, MPR_FAULT, "%s NULL reply resetting device "
587 		    "0x%04x\n", __func__, handle);
588 		mprsas_free_tm(sc, tm);
589 		return;
590 	}
591 
592 	if ((le16toh(reply->IOCStatus) & MPI2_IOCSTATUS_MASK) !=
593 	    MPI2_IOCSTATUS_SUCCESS) {
594 		mpr_dprint(sc, MPR_ERROR, "IOCStatus = 0x%x while resetting "
595 		    "device 0x%x\n", le16toh(reply->IOCStatus), handle);
596 	}
597 
598 	mpr_dprint(sc, MPR_XINFO, "Reset aborted %u commands\n",
599 	    le32toh(reply->TerminationCount));
600 	mpr_free_reply(sc, tm->cm_reply_data);
601 	tm->cm_reply = NULL;	/* Ensures the reply won't get re-freed */
602 
603 	/* Reuse the existing command */
604 	req = (MPI2_SAS_IOUNIT_CONTROL_REQUEST *)tm->cm_req;
605 	memset(req, 0, sizeof(*req));
606 	req->Function = MPI2_FUNCTION_SAS_IO_UNIT_CONTROL;
607 	req->Operation = MPI2_SAS_OP_REMOVE_DEVICE;
608 	req->DevHandle = htole16(handle);
609 	tm->cm_data = NULL;
610 	tm->cm_desc.Default.RequestFlags = MPI2_REQ_DESCRIPT_FLAGS_DEFAULT_TYPE;
611 	tm->cm_complete = mprsas_remove_complete;
612 	tm->cm_complete_data = (void *)(uintptr_t)handle;
613 
614 	/*
615 	 * Wait to send the REMOVE_DEVICE until all the commands have cleared.
616 	 * They should be aborted or time out and we'll kick thus off there
617 	 * if so.
618 	 */
619 	if (TAILQ_FIRST(&targ->commands) == NULL) {
620 		mpr_dprint(sc, MPR_INFO, "No pending commands: starting remove_device\n");
621 		mpr_map_command(sc, tm);
622 		targ->pending_remove_tm = NULL;
623 	} else {
624 		targ->pending_remove_tm = tm;
625 	}
626 
627 	mpr_dprint(sc, MPR_INFO, "clearing target %u handle 0x%04x\n",
628 	    targ->tid, handle);
629 	if (targ->encl_level_valid) {
630 		mpr_dprint(sc, MPR_INFO, "At enclosure level %d, slot %d, "
631 		    "connector name (%4s)\n", targ->encl_level, targ->encl_slot,
632 		    targ->connector_name);
633 	}
634 }
635 
636 static void
637 mprsas_remove_complete(struct mpr_softc *sc, struct mpr_command *tm)
638 {
639 	MPI2_SAS_IOUNIT_CONTROL_REPLY *reply;
640 	uint16_t handle;
641 	struct mprsas_target *targ;
642 	struct mprsas_lun *lun;
643 
644 	MPR_FUNCTRACE(sc);
645 
646 	reply = (MPI2_SAS_IOUNIT_CONTROL_REPLY *)tm->cm_reply;
647 	handle = (uint16_t)(uintptr_t)tm->cm_complete_data;
648 
649 	targ = tm->cm_targ;
650 
651 	/*
652 	 * At this point, we should have no pending commands for the target.
653 	 * The remove target has just completed.
654 	 */
655 	KASSERT(TAILQ_FIRST(&targ->commands) == NULL,
656 	    ("%s: no commands should be pending\n", __func__));
657 
658 	/*
659 	 * Currently there should be no way we can hit this case.  It only
660 	 * happens when we have a failure to allocate chain frames, and
661 	 * task management commands don't have S/G lists.
662 	 */
663 	if ((tm->cm_flags & MPR_CM_FLAGS_ERROR_MASK) != 0) {
664 		mpr_dprint(sc, MPR_XINFO, "%s: cm_flags = %#x for remove of "
665 		    "handle %#04x! This should not happen!\n", __func__,
666 		    tm->cm_flags, handle);
667 		mprsas_free_tm(sc, tm);
668 		return;
669 	}
670 
671 	if (reply == NULL) {
672 		/* most likely a chip reset */
673 		mpr_dprint(sc, MPR_FAULT, "%s NULL reply removing device "
674 		    "0x%04x\n", __func__, handle);
675 		mprsas_free_tm(sc, tm);
676 		return;
677 	}
678 
679 	mpr_dprint(sc, MPR_XINFO, "%s on handle 0x%04x, IOCStatus= 0x%x\n",
680 	    __func__, handle, le16toh(reply->IOCStatus));
681 
682 	/*
683 	 * Don't clear target if remove fails because things will get confusing.
684 	 * Leave the devname and sasaddr intact so that we know to avoid reusing
685 	 * this target id if possible, and so we can assign the same target id
686 	 * to this device if it comes back in the future.
687 	 */
688 	if ((le16toh(reply->IOCStatus) & MPI2_IOCSTATUS_MASK) ==
689 	    MPI2_IOCSTATUS_SUCCESS) {
690 		targ->handle = 0x0;
691 		targ->encl_handle = 0x0;
692 		targ->encl_level_valid = 0x0;
693 		targ->encl_level = 0x0;
694 		targ->connector_name[0] = ' ';
695 		targ->connector_name[1] = ' ';
696 		targ->connector_name[2] = ' ';
697 		targ->connector_name[3] = ' ';
698 		targ->encl_slot = 0x0;
699 		targ->exp_dev_handle = 0x0;
700 		targ->phy_num = 0x0;
701 		targ->linkrate = 0x0;
702 		targ->devinfo = 0x0;
703 		targ->flags = 0x0;
704 		targ->scsi_req_desc_type = 0;
705 
706 		while (!SLIST_EMPTY(&targ->luns)) {
707 			lun = SLIST_FIRST(&targ->luns);
708 			SLIST_REMOVE_HEAD(&targ->luns, lun_link);
709 			free(lun, M_MPR);
710 		}
711 	}
712 
713 	mprsas_free_tm(sc, tm);
714 }
715 
716 static int
717 mprsas_register_events(struct mpr_softc *sc)
718 {
719 	uint8_t events[16];
720 
721 	bzero(events, 16);
722 	setbit(events, MPI2_EVENT_SAS_DEVICE_STATUS_CHANGE);
723 	setbit(events, MPI2_EVENT_SAS_DISCOVERY);
724 	setbit(events, MPI2_EVENT_SAS_BROADCAST_PRIMITIVE);
725 	setbit(events, MPI2_EVENT_SAS_INIT_DEVICE_STATUS_CHANGE);
726 	setbit(events, MPI2_EVENT_SAS_INIT_TABLE_OVERFLOW);
727 	setbit(events, MPI2_EVENT_SAS_TOPOLOGY_CHANGE_LIST);
728 	setbit(events, MPI2_EVENT_SAS_ENCL_DEVICE_STATUS_CHANGE);
729 	setbit(events, MPI2_EVENT_IR_CONFIGURATION_CHANGE_LIST);
730 	setbit(events, MPI2_EVENT_IR_VOLUME);
731 	setbit(events, MPI2_EVENT_IR_PHYSICAL_DISK);
732 	setbit(events, MPI2_EVENT_IR_OPERATION_STATUS);
733 	setbit(events, MPI2_EVENT_TEMP_THRESHOLD);
734 	setbit(events, MPI2_EVENT_SAS_DEVICE_DISCOVERY_ERROR);
735 	if (sc->facts->MsgVersion >= MPI2_VERSION_02_06) {
736 		setbit(events, MPI2_EVENT_ACTIVE_CABLE_EXCEPTION);
737 		if (sc->mpr_flags & MPR_FLAGS_GEN35_IOC) {
738 			setbit(events, MPI2_EVENT_PCIE_DEVICE_STATUS_CHANGE);
739 			setbit(events, MPI2_EVENT_PCIE_ENUMERATION);
740 			setbit(events, MPI2_EVENT_PCIE_TOPOLOGY_CHANGE_LIST);
741 		}
742 	}
743 
744 	mpr_register_events(sc, events, mprsas_evt_handler, NULL,
745 	    &sc->sassc->mprsas_eh);
746 
747 	return (0);
748 }
749 
750 int
751 mpr_attach_sas(struct mpr_softc *sc)
752 {
753 	struct mprsas_softc *sassc;
754 	cam_status status;
755 	int unit, error = 0, reqs;
756 
757 	MPR_FUNCTRACE(sc);
758 	mpr_dprint(sc, MPR_INIT, "%s entered\n", __func__);
759 
760 	sassc = malloc(sizeof(struct mprsas_softc), M_MPR, M_WAITOK|M_ZERO);
761 
762 	/*
763 	 * XXX MaxTargets could change during a reinit.  Since we don't
764 	 * resize the targets[] array during such an event, cache the value
765 	 * of MaxTargets here so that we don't get into trouble later.  This
766 	 * should move into the reinit logic.
767 	 */
768 	sassc->maxtargets = sc->facts->MaxTargets + sc->facts->MaxVolumes;
769 	sassc->targets = malloc(sizeof(struct mprsas_target) *
770 	    sassc->maxtargets, M_MPR, M_WAITOK|M_ZERO);
771 	sc->sassc = sassc;
772 	sassc->sc = sc;
773 
774 	reqs = sc->num_reqs - sc->num_prireqs - 1;
775 	if ((sassc->devq = cam_simq_alloc(reqs)) == NULL) {
776 		mpr_dprint(sc, MPR_INIT|MPR_ERROR, "Cannot allocate SIMQ\n");
777 		error = ENOMEM;
778 		goto out;
779 	}
780 
781 	unit = device_get_unit(sc->mpr_dev);
782 	sassc->sim = cam_sim_alloc(mprsas_action, mprsas_poll, "mpr", sassc,
783 	    unit, &sc->mpr_mtx, reqs, reqs, sassc->devq);
784 	if (sassc->sim == NULL) {
785 		mpr_dprint(sc, MPR_INIT|MPR_ERROR, "Cannot allocate SIM\n");
786 		error = EINVAL;
787 		goto out;
788 	}
789 
790 	TAILQ_INIT(&sassc->ev_queue);
791 
792 	/* Initialize taskqueue for Event Handling */
793 	TASK_INIT(&sassc->ev_task, 0, mprsas_firmware_event_work, sc);
794 	sassc->ev_tq = taskqueue_create("mpr_taskq", M_NOWAIT | M_ZERO,
795 	    taskqueue_thread_enqueue, &sassc->ev_tq);
796 	taskqueue_start_threads(&sassc->ev_tq, 1, PRIBIO, "%s taskq",
797 	    device_get_nameunit(sc->mpr_dev));
798 
799 	mpr_lock(sc);
800 
801 	/*
802 	 * XXX There should be a bus for every port on the adapter, but since
803 	 * we're just going to fake the topology for now, we'll pretend that
804 	 * everything is just a target on a single bus.
805 	 */
806 	if ((error = xpt_bus_register(sassc->sim, sc->mpr_dev, 0)) != 0) {
807 		mpr_dprint(sc, MPR_INIT|MPR_ERROR,
808 		    "Error %d registering SCSI bus\n", error);
809 		mpr_unlock(sc);
810 		goto out;
811 	}
812 
813 	/*
814 	 * Assume that discovery events will start right away.
815 	 *
816 	 * Hold off boot until discovery is complete.
817 	 */
818 	sassc->flags |= MPRSAS_IN_STARTUP | MPRSAS_IN_DISCOVERY;
819 	sc->sassc->startup_refcount = 0;
820 	mprsas_startup_increment(sassc);
821 
822 	callout_init(&sassc->discovery_callout, 1 /*mpsafe*/);
823 
824 	mpr_unlock(sc);
825 
826 	/*
827 	 * Register for async events so we can determine the EEDP
828 	 * capabilities of devices.
829 	 */
830 	status = xpt_create_path(&sassc->path, /*periph*/NULL,
831 	    cam_sim_path(sc->sassc->sim), CAM_TARGET_WILDCARD,
832 	    CAM_LUN_WILDCARD);
833 	if (status != CAM_REQ_CMP) {
834 		mpr_dprint(sc, MPR_INIT|MPR_ERROR,
835 		    "Error %#x creating sim path\n", status);
836 		sassc->path = NULL;
837 	} else {
838 		int event;
839 
840 		event = AC_ADVINFO_CHANGED;
841 		status = xpt_register_async(event, mprsas_async, sc,
842 					    sassc->path);
843 
844 		if (status != CAM_REQ_CMP) {
845 			mpr_dprint(sc, MPR_ERROR,
846 			    "Error %#x registering async handler for "
847 			    "AC_ADVINFO_CHANGED events\n", status);
848 			xpt_free_path(sassc->path);
849 			sassc->path = NULL;
850 		}
851 	}
852 	if (status != CAM_REQ_CMP) {
853 		/*
854 		 * EEDP use is the exception, not the rule.
855 		 * Warn the user, but do not fail to attach.
856 		 */
857 		mpr_printf(sc, "EEDP capabilities disabled.\n");
858 	}
859 
860 	mprsas_register_events(sc);
861 out:
862 	if (error)
863 		mpr_detach_sas(sc);
864 
865 	mpr_dprint(sc, MPR_INIT, "%s exit, error= %d\n", __func__, error);
866 	return (error);
867 }
868 
869 int
870 mpr_detach_sas(struct mpr_softc *sc)
871 {
872 	struct mprsas_softc *sassc;
873 	struct mprsas_lun *lun, *lun_tmp;
874 	struct mprsas_target *targ;
875 	int i;
876 
877 	MPR_FUNCTRACE(sc);
878 
879 	if (sc->sassc == NULL)
880 		return (0);
881 
882 	sassc = sc->sassc;
883 	mpr_deregister_events(sc, sassc->mprsas_eh);
884 
885 	/*
886 	 * Drain and free the event handling taskqueue with the lock
887 	 * unheld so that any parallel processing tasks drain properly
888 	 * without deadlocking.
889 	 */
890 	if (sassc->ev_tq != NULL)
891 		taskqueue_free(sassc->ev_tq);
892 
893 	/* Deregister our async handler */
894 	if (sassc->path != NULL) {
895 		xpt_register_async(0, mprsas_async, sc, sassc->path);
896 		xpt_free_path(sassc->path);
897 		sassc->path = NULL;
898 	}
899 
900 	/* Make sure CAM doesn't wedge if we had to bail out early. */
901 	mpr_lock(sc);
902 
903 	while (sassc->startup_refcount != 0)
904 		mprsas_startup_decrement(sassc);
905 
906 	if (sassc->flags & MPRSAS_IN_STARTUP)
907 		xpt_release_simq(sassc->sim, 1);
908 
909 	if (sassc->sim != NULL) {
910 		xpt_bus_deregister(cam_sim_path(sassc->sim));
911 		cam_sim_free(sassc->sim, FALSE);
912 	}
913 
914 	mpr_unlock(sc);
915 
916 	if (sassc->devq != NULL)
917 		cam_simq_free(sassc->devq);
918 
919 	for (i = 0; i < sassc->maxtargets; i++) {
920 		targ = &sassc->targets[i];
921 		SLIST_FOREACH_SAFE(lun, &targ->luns, lun_link, lun_tmp) {
922 			free(lun, M_MPR);
923 		}
924 	}
925 	free(sassc->targets, M_MPR);
926 	free(sassc, M_MPR);
927 	sc->sassc = NULL;
928 
929 	return (0);
930 }
931 
932 void
933 mprsas_discovery_end(struct mprsas_softc *sassc)
934 {
935 	struct mpr_softc *sc = sassc->sc;
936 
937 	MPR_FUNCTRACE(sc);
938 
939 	if (sassc->flags & MPRSAS_DISCOVERY_TIMEOUT_PENDING)
940 		callout_stop(&sassc->discovery_callout);
941 
942 	/*
943 	 * After discovery has completed, check the mapping table for any
944 	 * missing devices and update their missing counts. Only do this once
945 	 * whenever the driver is initialized so that missing counts aren't
946 	 * updated unnecessarily. Note that just because discovery has
947 	 * completed doesn't mean that events have been processed yet. The
948 	 * check_devices function is a callout timer that checks if ALL devices
949 	 * are missing. If so, it will wait a little longer for events to
950 	 * complete and keep resetting itself until some device in the mapping
951 	 * table is not missing, meaning that event processing has started.
952 	 */
953 	if (sc->track_mapping_events) {
954 		mpr_dprint(sc, MPR_XINFO | MPR_MAPPING, "Discovery has "
955 		    "completed. Check for missing devices in the mapping "
956 		    "table.\n");
957 		callout_reset(&sc->device_check_callout,
958 		    MPR_MISSING_CHECK_DELAY * hz, mpr_mapping_check_devices,
959 		    sc);
960 	}
961 }
962 
963 static void
964 mprsas_action(struct cam_sim *sim, union ccb *ccb)
965 {
966 	struct mprsas_softc *sassc;
967 
968 	sassc = cam_sim_softc(sim);
969 
970 	MPR_FUNCTRACE(sassc->sc);
971 	mpr_dprint(sassc->sc, MPR_TRACE, "ccb func_code 0x%x\n",
972 	    ccb->ccb_h.func_code);
973 	mtx_assert(&sassc->sc->mpr_mtx, MA_OWNED);
974 
975 	switch (ccb->ccb_h.func_code) {
976 	case XPT_PATH_INQ:
977 	{
978 		struct ccb_pathinq *cpi = &ccb->cpi;
979 		struct mpr_softc *sc = sassc->sc;
980 
981 		cpi->version_num = 1;
982 		cpi->hba_inquiry = PI_SDTR_ABLE|PI_TAG_ABLE|PI_WIDE_16;
983 		cpi->target_sprt = 0;
984 		cpi->hba_misc = PIM_NOBUSRESET | PIM_UNMAPPED | PIM_NOSCAN;
985 		cpi->hba_eng_cnt = 0;
986 		cpi->max_target = sassc->maxtargets - 1;
987 		cpi->max_lun = 255;
988 
989 		/*
990 		 * initiator_id is set here to an ID outside the set of valid
991 		 * target IDs (including volumes).
992 		 */
993 		cpi->initiator_id = sassc->maxtargets;
994 		strlcpy(cpi->sim_vid, "FreeBSD", SIM_IDLEN);
995 		strlcpy(cpi->hba_vid, "Avago Tech", HBA_IDLEN);
996 		strlcpy(cpi->dev_name, cam_sim_name(sim), DEV_IDLEN);
997 		cpi->unit_number = cam_sim_unit(sim);
998 		cpi->bus_id = cam_sim_bus(sim);
999 		/*
1000 		 * XXXSLM-I think this needs to change based on config page or
1001 		 * something instead of hardcoded to 150000.
1002 		 */
1003 		cpi->base_transfer_speed = 150000;
1004 		cpi->transport = XPORT_SAS;
1005 		cpi->transport_version = 0;
1006 		cpi->protocol = PROTO_SCSI;
1007 		cpi->protocol_version = SCSI_REV_SPC;
1008 		cpi->maxio = sc->maxio;
1009 		mprsas_set_ccbstatus(ccb, CAM_REQ_CMP);
1010 		break;
1011 	}
1012 	case XPT_GET_TRAN_SETTINGS:
1013 	{
1014 		struct ccb_trans_settings	*cts;
1015 		struct ccb_trans_settings_sas	*sas;
1016 		struct ccb_trans_settings_scsi	*scsi;
1017 		struct mprsas_target *targ;
1018 
1019 		cts = &ccb->cts;
1020 		sas = &cts->xport_specific.sas;
1021 		scsi = &cts->proto_specific.scsi;
1022 
1023 		KASSERT(cts->ccb_h.target_id < sassc->maxtargets,
1024 		    ("Target %d out of bounds in XPT_GET_TRAN_SETTINGS\n",
1025 		    cts->ccb_h.target_id));
1026 		targ = &sassc->targets[cts->ccb_h.target_id];
1027 		if (targ->handle == 0x0) {
1028 			mprsas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
1029 			break;
1030 		}
1031 
1032 		cts->protocol_version = SCSI_REV_SPC2;
1033 		cts->transport = XPORT_SAS;
1034 		cts->transport_version = 0;
1035 
1036 		sas->valid = CTS_SAS_VALID_SPEED;
1037 		switch (targ->linkrate) {
1038 		case 0x08:
1039 			sas->bitrate = 150000;
1040 			break;
1041 		case 0x09:
1042 			sas->bitrate = 300000;
1043 			break;
1044 		case 0x0a:
1045 			sas->bitrate = 600000;
1046 			break;
1047 		case 0x0b:
1048 			sas->bitrate = 1200000;
1049 			break;
1050 		default:
1051 			sas->valid = 0;
1052 		}
1053 
1054 		cts->protocol = PROTO_SCSI;
1055 		scsi->valid = CTS_SCSI_VALID_TQ;
1056 		scsi->flags = CTS_SCSI_FLAGS_TAG_ENB;
1057 
1058 		mprsas_set_ccbstatus(ccb, CAM_REQ_CMP);
1059 		break;
1060 	}
1061 	case XPT_CALC_GEOMETRY:
1062 		cam_calc_geometry(&ccb->ccg, /*extended*/1);
1063 		mprsas_set_ccbstatus(ccb, CAM_REQ_CMP);
1064 		break;
1065 	case XPT_RESET_DEV:
1066 		mpr_dprint(sassc->sc, MPR_XINFO, "mprsas_action "
1067 		    "XPT_RESET_DEV\n");
1068 		mprsas_action_resetdev(sassc, ccb);
1069 		return;
1070 	case XPT_RESET_BUS:
1071 	case XPT_ABORT:
1072 	case XPT_TERM_IO:
1073 		mpr_dprint(sassc->sc, MPR_XINFO, "mprsas_action faking success "
1074 		    "for abort or reset\n");
1075 		mprsas_set_ccbstatus(ccb, CAM_REQ_CMP);
1076 		break;
1077 	case XPT_SCSI_IO:
1078 		mprsas_action_scsiio(sassc, ccb);
1079 		return;
1080 	case XPT_SMP_IO:
1081 		mprsas_action_smpio(sassc, ccb);
1082 		return;
1083 	default:
1084 		mprsas_set_ccbstatus(ccb, CAM_FUNC_NOTAVAIL);
1085 		break;
1086 	}
1087 	xpt_done(ccb);
1088 
1089 }
1090 
1091 static void
1092 mprsas_announce_reset(struct mpr_softc *sc, uint32_t ac_code,
1093     target_id_t target_id, lun_id_t lun_id)
1094 {
1095 	path_id_t path_id = cam_sim_path(sc->sassc->sim);
1096 	struct cam_path *path;
1097 
1098 	mpr_dprint(sc, MPR_XINFO, "%s code %x target %d lun %jx\n", __func__,
1099 	    ac_code, target_id, (uintmax_t)lun_id);
1100 
1101 	if (xpt_create_path(&path, NULL,
1102 		path_id, target_id, lun_id) != CAM_REQ_CMP) {
1103 		mpr_dprint(sc, MPR_ERROR, "unable to create path for reset "
1104 		    "notification\n");
1105 		return;
1106 	}
1107 
1108 	xpt_async(ac_code, path, NULL);
1109 	xpt_free_path(path);
1110 }
1111 
1112 static void
1113 mprsas_complete_all_commands(struct mpr_softc *sc)
1114 {
1115 	struct mpr_command *cm;
1116 	int i;
1117 	int completed;
1118 
1119 	MPR_FUNCTRACE(sc);
1120 	mtx_assert(&sc->mpr_mtx, MA_OWNED);
1121 
1122 	/* complete all commands with a NULL reply */
1123 	for (i = 1; i < sc->num_reqs; i++) {
1124 		cm = &sc->commands[i];
1125 		if (cm->cm_state == MPR_CM_STATE_FREE)
1126 			continue;
1127 
1128 		cm->cm_state = MPR_CM_STATE_BUSY;
1129 		cm->cm_reply = NULL;
1130 		completed = 0;
1131 
1132 		if (cm->cm_flags & MPR_CM_FLAGS_SATA_ID_TIMEOUT) {
1133 			MPASS(cm->cm_data);
1134 			free(cm->cm_data, M_MPR);
1135 			cm->cm_data = NULL;
1136 		}
1137 
1138 		if (cm->cm_flags & MPR_CM_FLAGS_POLLED)
1139 			cm->cm_flags |= MPR_CM_FLAGS_COMPLETE;
1140 
1141 		if (cm->cm_complete != NULL) {
1142 			mprsas_log_command(cm, MPR_RECOVERY,
1143 			    "completing cm %p state %x ccb %p for diag reset\n",
1144 			    cm, cm->cm_state, cm->cm_ccb);
1145 			cm->cm_complete(sc, cm);
1146 			completed = 1;
1147 		} else if (cm->cm_flags & MPR_CM_FLAGS_WAKEUP) {
1148 			mprsas_log_command(cm, MPR_RECOVERY,
1149 			    "waking up cm %p state %x ccb %p for diag reset\n",
1150 			    cm, cm->cm_state, cm->cm_ccb);
1151 			wakeup(cm);
1152 			completed = 1;
1153 		}
1154 
1155 		if ((completed == 0) && (cm->cm_state != MPR_CM_STATE_FREE)) {
1156 			/* this should never happen, but if it does, log */
1157 			mprsas_log_command(cm, MPR_RECOVERY,
1158 			    "cm %p state %x flags 0x%x ccb %p during diag "
1159 			    "reset\n", cm, cm->cm_state, cm->cm_flags,
1160 			    cm->cm_ccb);
1161 		}
1162 	}
1163 
1164 	sc->io_cmds_active = 0;
1165 }
1166 
1167 void
1168 mprsas_handle_reinit(struct mpr_softc *sc)
1169 {
1170 	int i;
1171 
1172 	/* Go back into startup mode and freeze the simq, so that CAM
1173 	 * doesn't send any commands until after we've rediscovered all
1174 	 * targets and found the proper device handles for them.
1175 	 *
1176 	 * After the reset, portenable will trigger discovery, and after all
1177 	 * discovery-related activities have finished, the simq will be
1178 	 * released.
1179 	 */
1180 	mpr_dprint(sc, MPR_INIT, "%s startup\n", __func__);
1181 	sc->sassc->flags |= MPRSAS_IN_STARTUP;
1182 	sc->sassc->flags |= MPRSAS_IN_DISCOVERY;
1183 	mprsas_startup_increment(sc->sassc);
1184 
1185 	/* notify CAM of a bus reset */
1186 	mprsas_announce_reset(sc, AC_BUS_RESET, CAM_TARGET_WILDCARD,
1187 	    CAM_LUN_WILDCARD);
1188 
1189 	/* complete and cleanup after all outstanding commands */
1190 	mprsas_complete_all_commands(sc);
1191 
1192 	mpr_dprint(sc, MPR_INIT, "%s startup %u after command completion\n",
1193 	    __func__, sc->sassc->startup_refcount);
1194 
1195 	/* zero all the target handles, since they may change after the
1196 	 * reset, and we have to rediscover all the targets and use the new
1197 	 * handles.
1198 	 */
1199 	for (i = 0; i < sc->sassc->maxtargets; i++) {
1200 		if (sc->sassc->targets[i].outstanding != 0)
1201 			mpr_dprint(sc, MPR_INIT, "target %u outstanding %u\n",
1202 			    i, sc->sassc->targets[i].outstanding);
1203 		sc->sassc->targets[i].handle = 0x0;
1204 		sc->sassc->targets[i].exp_dev_handle = 0x0;
1205 		sc->sassc->targets[i].outstanding = 0;
1206 		sc->sassc->targets[i].flags = MPRSAS_TARGET_INDIAGRESET;
1207 	}
1208 }
1209 static void
1210 mprsas_tm_timeout(void *data)
1211 {
1212 	struct mpr_command *tm = data;
1213 	struct mpr_softc *sc = tm->cm_sc;
1214 
1215 	mtx_assert(&sc->mpr_mtx, MA_OWNED);
1216 
1217 	mprsas_log_command(tm, MPR_INFO|MPR_RECOVERY, "task mgmt %p timed "
1218 	    "out\n", tm);
1219 
1220 	KASSERT(tm->cm_state == MPR_CM_STATE_INQUEUE,
1221 	    ("command not inqueue, state = %u\n", tm->cm_state));
1222 
1223 	tm->cm_state = MPR_CM_STATE_BUSY;
1224 	mpr_reinit(sc);
1225 }
1226 
1227 static void
1228 mprsas_logical_unit_reset_complete(struct mpr_softc *sc, struct mpr_command *tm)
1229 {
1230 	MPI2_SCSI_TASK_MANAGE_REPLY *reply;
1231 	MPI2_SCSI_TASK_MANAGE_REQUEST *req;
1232 	unsigned int cm_count = 0;
1233 	struct mpr_command *cm;
1234 	struct mprsas_target *targ;
1235 
1236 	callout_stop(&tm->cm_callout);
1237 
1238 	req = (MPI2_SCSI_TASK_MANAGE_REQUEST *)tm->cm_req;
1239 	reply = (MPI2_SCSI_TASK_MANAGE_REPLY *)tm->cm_reply;
1240 	targ = tm->cm_targ;
1241 
1242 	/*
1243 	 * Currently there should be no way we can hit this case.  It only
1244 	 * happens when we have a failure to allocate chain frames, and
1245 	 * task management commands don't have S/G lists.
1246 	 */
1247 	if ((tm->cm_flags & MPR_CM_FLAGS_ERROR_MASK) != 0) {
1248 		mpr_dprint(sc, MPR_RECOVERY|MPR_ERROR,
1249 		    "%s: cm_flags = %#x for LUN reset! "
1250 		    "This should not happen!\n", __func__, tm->cm_flags);
1251 		mprsas_free_tm(sc, tm);
1252 		return;
1253 	}
1254 
1255 	if (reply == NULL) {
1256 		mpr_dprint(sc, MPR_RECOVERY, "NULL reset reply for tm %p\n",
1257 		    tm);
1258 		if ((sc->mpr_flags & MPR_FLAGS_DIAGRESET) != 0) {
1259 			/* this completion was due to a reset, just cleanup */
1260 			mpr_dprint(sc, MPR_RECOVERY, "Hardware undergoing "
1261 			    "reset, ignoring NULL LUN reset reply\n");
1262 			targ->tm = NULL;
1263 			mprsas_free_tm(sc, tm);
1264 		}
1265 		else {
1266 			/* we should have gotten a reply. */
1267 			mpr_dprint(sc, MPR_INFO|MPR_RECOVERY, "NULL reply on "
1268 			    "LUN reset attempt, resetting controller\n");
1269 			mpr_reinit(sc);
1270 		}
1271 		return;
1272 	}
1273 
1274 	mpr_dprint(sc, MPR_RECOVERY,
1275 	    "logical unit reset status 0x%x code 0x%x count %u\n",
1276 	    le16toh(reply->IOCStatus), le32toh(reply->ResponseCode),
1277 	    le32toh(reply->TerminationCount));
1278 
1279 	/*
1280 	 * See if there are any outstanding commands for this LUN.
1281 	 * This could be made more efficient by using a per-LU data
1282 	 * structure of some sort.
1283 	 */
1284 	TAILQ_FOREACH(cm, &targ->commands, cm_link) {
1285 		if (cm->cm_lun == tm->cm_lun)
1286 			cm_count++;
1287 	}
1288 
1289 	if (cm_count == 0) {
1290 		mpr_dprint(sc, MPR_RECOVERY|MPR_INFO,
1291 		    "Finished recovery after LUN reset for target %u\n",
1292 		    targ->tid);
1293 
1294 		mprsas_announce_reset(sc, AC_SENT_BDR, targ->tid,
1295 		    tm->cm_lun);
1296 
1297 		/*
1298 		 * We've finished recovery for this logical unit.  check and
1299 		 * see if some other logical unit has a timedout command
1300 		 * that needs to be processed.
1301 		 */
1302 		cm = TAILQ_FIRST(&targ->timedout_commands);
1303 		if (cm) {
1304 			mpr_dprint(sc, MPR_INFO|MPR_RECOVERY,
1305 			   "More commands to abort for target %u\n", targ->tid);
1306 			mprsas_send_abort(sc, tm, cm);
1307 		} else {
1308 			targ->tm = NULL;
1309 			mprsas_free_tm(sc, tm);
1310 		}
1311 	} else {
1312 		/* if we still have commands for this LUN, the reset
1313 		 * effectively failed, regardless of the status reported.
1314 		 * Escalate to a target reset.
1315 		 */
1316 		mpr_dprint(sc, MPR_INFO|MPR_RECOVERY,
1317 		    "logical unit reset complete for target %u, but still "
1318 		    "have %u command(s), sending target reset\n", targ->tid,
1319 		    cm_count);
1320 		if (!targ->is_nvme || sc->custom_nvme_tm_handling)
1321 			mprsas_send_reset(sc, tm,
1322 			    MPI2_SCSITASKMGMT_TASKTYPE_TARGET_RESET);
1323 		else
1324 			mpr_reinit(sc);
1325 	}
1326 }
1327 
1328 static void
1329 mprsas_target_reset_complete(struct mpr_softc *sc, struct mpr_command *tm)
1330 {
1331 	MPI2_SCSI_TASK_MANAGE_REPLY *reply;
1332 	MPI2_SCSI_TASK_MANAGE_REQUEST *req;
1333 	struct mprsas_target *targ;
1334 
1335 	callout_stop(&tm->cm_callout);
1336 
1337 	req = (MPI2_SCSI_TASK_MANAGE_REQUEST *)tm->cm_req;
1338 	reply = (MPI2_SCSI_TASK_MANAGE_REPLY *)tm->cm_reply;
1339 	targ = tm->cm_targ;
1340 
1341 	/*
1342 	 * Currently there should be no way we can hit this case.  It only
1343 	 * happens when we have a failure to allocate chain frames, and
1344 	 * task management commands don't have S/G lists.
1345 	 */
1346 	if ((tm->cm_flags & MPR_CM_FLAGS_ERROR_MASK) != 0) {
1347 		mpr_dprint(sc, MPR_ERROR, "%s: cm_flags = %#x for target "
1348 		    "reset! This should not happen!\n", __func__, tm->cm_flags);
1349 		mprsas_free_tm(sc, tm);
1350 		return;
1351 	}
1352 
1353 	if (reply == NULL) {
1354 		mpr_dprint(sc, MPR_RECOVERY,
1355 		    "NULL target reset reply for tm %p TaskMID %u\n",
1356 		    tm, le16toh(req->TaskMID));
1357 		if ((sc->mpr_flags & MPR_FLAGS_DIAGRESET) != 0) {
1358 			/* this completion was due to a reset, just cleanup */
1359 			mpr_dprint(sc, MPR_RECOVERY, "Hardware undergoing "
1360 			    "reset, ignoring NULL target reset reply\n");
1361 			targ->tm = NULL;
1362 			mprsas_free_tm(sc, tm);
1363 		}
1364 		else {
1365 			/* we should have gotten a reply. */
1366 			mpr_dprint(sc, MPR_INFO|MPR_RECOVERY, "NULL reply on "
1367 			    "target reset attempt, resetting controller\n");
1368 			mpr_reinit(sc);
1369 		}
1370 		return;
1371 	}
1372 
1373 	mpr_dprint(sc, MPR_RECOVERY,
1374 	    "target reset status 0x%x code 0x%x count %u\n",
1375 	    le16toh(reply->IOCStatus), le32toh(reply->ResponseCode),
1376 	    le32toh(reply->TerminationCount));
1377 
1378 	if (targ->outstanding == 0) {
1379 		/*
1380 		 * We've finished recovery for this target and all
1381 		 * of its logical units.
1382 		 */
1383 		mpr_dprint(sc, MPR_RECOVERY|MPR_INFO,
1384 		    "Finished reset recovery for target %u\n", targ->tid);
1385 
1386 		mprsas_announce_reset(sc, AC_SENT_BDR, tm->cm_targ->tid,
1387 		    CAM_LUN_WILDCARD);
1388 
1389 		targ->tm = NULL;
1390 		mprsas_free_tm(sc, tm);
1391 	} else {
1392 		/*
1393 		 * After a target reset, if this target still has
1394 		 * outstanding commands, the reset effectively failed,
1395 		 * regardless of the status reported.  escalate.
1396 		 */
1397 		mpr_dprint(sc, MPR_INFO|MPR_RECOVERY,
1398 		    "Target reset complete for target %u, but still have %u "
1399 		    "command(s), resetting controller\n", targ->tid,
1400 		    targ->outstanding);
1401 		mpr_reinit(sc);
1402 	}
1403 }
1404 
1405 #define MPR_RESET_TIMEOUT 30
1406 
1407 int
1408 mprsas_send_reset(struct mpr_softc *sc, struct mpr_command *tm, uint8_t type)
1409 {
1410 	MPI2_SCSI_TASK_MANAGE_REQUEST *req;
1411 	struct mprsas_target *target;
1412 	int err, timeout;
1413 
1414 	target = tm->cm_targ;
1415 	if (target->handle == 0) {
1416 		mpr_dprint(sc, MPR_ERROR, "%s null devhandle for target_id "
1417 		    "%d\n", __func__, target->tid);
1418 		return -1;
1419 	}
1420 
1421 	req = (MPI2_SCSI_TASK_MANAGE_REQUEST *)tm->cm_req;
1422 	req->DevHandle = htole16(target->handle);
1423 	req->TaskType = type;
1424 
1425 	if (!target->is_nvme || sc->custom_nvme_tm_handling) {
1426 		timeout = MPR_RESET_TIMEOUT;
1427 		/*
1428 		 * Target reset method =
1429 		 *     SAS Hard Link Reset / SATA Link Reset
1430 		 */
1431 		req->MsgFlags = MPI2_SCSITASKMGMT_MSGFLAGS_LINK_RESET;
1432 	} else {
1433 		timeout = (target->controller_reset_timeout) ? (
1434 		    target->controller_reset_timeout) : (MPR_RESET_TIMEOUT);
1435 		/* PCIe Protocol Level Reset*/
1436 		req->MsgFlags =
1437 		    MPI26_SCSITASKMGMT_MSGFLAGS_PROTOCOL_LVL_RST_PCIE;
1438 	}
1439 
1440 	if (type == MPI2_SCSITASKMGMT_TASKTYPE_LOGICAL_UNIT_RESET) {
1441 		/* XXX Need to handle invalid LUNs */
1442 		MPR_SET_LUN(req->LUN, tm->cm_lun);
1443 		tm->cm_targ->logical_unit_resets++;
1444 		mpr_dprint(sc, MPR_RECOVERY|MPR_INFO,
1445 		    "Sending logical unit reset to target %u lun %d\n",
1446 		    target->tid, tm->cm_lun);
1447 		tm->cm_complete = mprsas_logical_unit_reset_complete;
1448 		mprsas_prepare_for_tm(sc, tm, target, tm->cm_lun);
1449 	} else if (type == MPI2_SCSITASKMGMT_TASKTYPE_TARGET_RESET) {
1450 		tm->cm_targ->target_resets++;
1451 		mpr_dprint(sc, MPR_RECOVERY|MPR_INFO,
1452 		    "Sending target reset to target %u\n", target->tid);
1453 		tm->cm_complete = mprsas_target_reset_complete;
1454 		mprsas_prepare_for_tm(sc, tm, target, CAM_LUN_WILDCARD);
1455 	}
1456 	else {
1457 		mpr_dprint(sc, MPR_ERROR, "unexpected reset type 0x%x\n", type);
1458 		return -1;
1459 	}
1460 
1461 	if (target->encl_level_valid) {
1462 		mpr_dprint(sc, MPR_RECOVERY|MPR_INFO,
1463 		    "At enclosure level %d, slot %d, connector name (%4s)\n",
1464 		    target->encl_level, target->encl_slot,
1465 		    target->connector_name);
1466 	}
1467 
1468 	tm->cm_data = NULL;
1469 	tm->cm_complete_data = (void *)tm;
1470 
1471 	callout_reset(&tm->cm_callout, timeout * hz,
1472 	    mprsas_tm_timeout, tm);
1473 
1474 	err = mpr_map_command(sc, tm);
1475 	if (err)
1476 		mpr_dprint(sc, MPR_ERROR|MPR_RECOVERY,
1477 		    "error %d sending reset type %u\n", err, type);
1478 
1479 	return err;
1480 }
1481 
1482 static void
1483 mprsas_abort_complete(struct mpr_softc *sc, struct mpr_command *tm)
1484 {
1485 	struct mpr_command *cm;
1486 	MPI2_SCSI_TASK_MANAGE_REPLY *reply;
1487 	MPI2_SCSI_TASK_MANAGE_REQUEST *req;
1488 	struct mprsas_target *targ;
1489 
1490 	callout_stop(&tm->cm_callout);
1491 
1492 	req = (MPI2_SCSI_TASK_MANAGE_REQUEST *)tm->cm_req;
1493 	reply = (MPI2_SCSI_TASK_MANAGE_REPLY *)tm->cm_reply;
1494 	targ = tm->cm_targ;
1495 
1496 	/*
1497 	 * Currently there should be no way we can hit this case.  It only
1498 	 * happens when we have a failure to allocate chain frames, and
1499 	 * task management commands don't have S/G lists.
1500 	 */
1501 	if ((tm->cm_flags & MPR_CM_FLAGS_ERROR_MASK) != 0) {
1502 		mpr_dprint(sc, MPR_RECOVERY|MPR_ERROR,
1503 		    "cm_flags = %#x for abort %p TaskMID %u!\n",
1504 		    tm->cm_flags, tm, le16toh(req->TaskMID));
1505 		mprsas_free_tm(sc, tm);
1506 		return;
1507 	}
1508 
1509 	if (reply == NULL) {
1510 		mpr_dprint(sc, MPR_RECOVERY,
1511 		    "NULL abort reply for tm %p TaskMID %u\n",
1512 		    tm, le16toh(req->TaskMID));
1513 		if ((sc->mpr_flags & MPR_FLAGS_DIAGRESET) != 0) {
1514 			/* this completion was due to a reset, just cleanup */
1515 			mpr_dprint(sc, MPR_RECOVERY, "Hardware undergoing "
1516 			    "reset, ignoring NULL abort reply\n");
1517 			targ->tm = NULL;
1518 			mprsas_free_tm(sc, tm);
1519 		} else {
1520 			/* we should have gotten a reply. */
1521 			mpr_dprint(sc, MPR_INFO|MPR_RECOVERY, "NULL reply on "
1522 			    "abort attempt, resetting controller\n");
1523 			mpr_reinit(sc);
1524 		}
1525 		return;
1526 	}
1527 
1528 	mpr_dprint(sc, MPR_RECOVERY,
1529 	    "abort TaskMID %u status 0x%x code 0x%x count %u\n",
1530 	    le16toh(req->TaskMID),
1531 	    le16toh(reply->IOCStatus), le32toh(reply->ResponseCode),
1532 	    le32toh(reply->TerminationCount));
1533 
1534 	cm = TAILQ_FIRST(&tm->cm_targ->timedout_commands);
1535 	if (cm == NULL) {
1536 		/*
1537 		 * if there are no more timedout commands, we're done with
1538 		 * error recovery for this target.
1539 		 */
1540 		mpr_dprint(sc, MPR_INFO|MPR_RECOVERY,
1541 		    "Finished abort recovery for target %u\n", targ->tid);
1542 		targ->tm = NULL;
1543 		mprsas_free_tm(sc, tm);
1544 	} else if (le16toh(req->TaskMID) != cm->cm_desc.Default.SMID) {
1545 		/* abort success, but we have more timedout commands to abort */
1546 		mpr_dprint(sc, MPR_INFO|MPR_RECOVERY,
1547 		    "Continuing abort recovery for target %u\n", targ->tid);
1548 		mprsas_send_abort(sc, tm, cm);
1549 	} else {
1550 		/*
1551 		 * we didn't get a command completion, so the abort
1552 		 * failed as far as we're concerned.  escalate.
1553 		 */
1554 		mpr_dprint(sc, MPR_INFO|MPR_RECOVERY,
1555 		    "Abort failed for target %u, sending logical unit reset\n",
1556 		    targ->tid);
1557 
1558 		mprsas_send_reset(sc, tm,
1559 		    MPI2_SCSITASKMGMT_TASKTYPE_LOGICAL_UNIT_RESET);
1560 	}
1561 }
1562 
1563 #define MPR_ABORT_TIMEOUT 5
1564 
1565 static int
1566 mprsas_send_abort(struct mpr_softc *sc, struct mpr_command *tm,
1567     struct mpr_command *cm)
1568 {
1569 	MPI2_SCSI_TASK_MANAGE_REQUEST *req;
1570 	struct mprsas_target *targ;
1571 	int err, timeout;
1572 
1573 	targ = cm->cm_targ;
1574 	if (targ->handle == 0) {
1575 		mpr_dprint(sc, MPR_ERROR|MPR_RECOVERY,
1576 		   "%s null devhandle for target_id %d\n",
1577 		    __func__, cm->cm_ccb->ccb_h.target_id);
1578 		return -1;
1579 	}
1580 
1581 	mprsas_log_command(cm, MPR_RECOVERY|MPR_INFO,
1582 	    "Aborting command %p\n", cm);
1583 
1584 	req = (MPI2_SCSI_TASK_MANAGE_REQUEST *)tm->cm_req;
1585 	req->DevHandle = htole16(targ->handle);
1586 	req->TaskType = MPI2_SCSITASKMGMT_TASKTYPE_ABORT_TASK;
1587 
1588 	/* XXX Need to handle invalid LUNs */
1589 	MPR_SET_LUN(req->LUN, cm->cm_ccb->ccb_h.target_lun);
1590 
1591 	req->TaskMID = htole16(cm->cm_desc.Default.SMID);
1592 
1593 	tm->cm_data = NULL;
1594 	tm->cm_complete = mprsas_abort_complete;
1595 	tm->cm_complete_data = (void *)tm;
1596 	tm->cm_targ = cm->cm_targ;
1597 	tm->cm_lun = cm->cm_lun;
1598 
1599 	if (!targ->is_nvme || sc->custom_nvme_tm_handling)
1600 		timeout	= MPR_ABORT_TIMEOUT;
1601 	else
1602 		timeout = sc->nvme_abort_timeout;
1603 
1604 	callout_reset(&tm->cm_callout, timeout * hz,
1605 	    mprsas_tm_timeout, tm);
1606 
1607 	targ->aborts++;
1608 
1609 	mprsas_prepare_for_tm(sc, tm, targ, tm->cm_lun);
1610 
1611 	err = mpr_map_command(sc, tm);
1612 	if (err)
1613 		mpr_dprint(sc, MPR_ERROR|MPR_RECOVERY,
1614 		    "error %d sending abort for cm %p SMID %u\n",
1615 		    err, cm, req->TaskMID);
1616 	return err;
1617 }
1618 
1619 static void
1620 mprsas_scsiio_timeout(void *data)
1621 {
1622 	sbintime_t elapsed, now;
1623 	union ccb *ccb;
1624 	struct mpr_softc *sc;
1625 	struct mpr_command *cm;
1626 	struct mprsas_target *targ;
1627 
1628 	cm = (struct mpr_command *)data;
1629 	sc = cm->cm_sc;
1630 	ccb = cm->cm_ccb;
1631 	now = sbinuptime();
1632 
1633 	MPR_FUNCTRACE(sc);
1634 	mtx_assert(&sc->mpr_mtx, MA_OWNED);
1635 
1636 	mpr_dprint(sc, MPR_XINFO|MPR_RECOVERY, "Timeout checking cm %p\n", cm);
1637 
1638 	/*
1639 	 * Run the interrupt handler to make sure it's not pending.  This
1640 	 * isn't perfect because the command could have already completed
1641 	 * and been re-used, though this is unlikely.
1642 	 */
1643 	mpr_intr_locked(sc);
1644 	if (cm->cm_flags & MPR_CM_FLAGS_ON_RECOVERY) {
1645 		mprsas_log_command(cm, MPR_XINFO,
1646 		    "SCSI command %p almost timed out\n", cm);
1647 		return;
1648 	}
1649 
1650 	if (cm->cm_ccb == NULL) {
1651 		mpr_dprint(sc, MPR_ERROR, "command timeout with NULL ccb\n");
1652 		return;
1653 	}
1654 
1655 	targ = cm->cm_targ;
1656 	targ->timeouts++;
1657 
1658 	elapsed = now - ccb->ccb_h.qos.sim_data;
1659 	mprsas_log_command(cm, MPR_INFO|MPR_RECOVERY,
1660 	    "Command timeout on target %u(0x%04x), %d set, %d.%d elapsed\n",
1661 	    targ->tid, targ->handle, ccb->ccb_h.timeout,
1662 	    sbintime_getsec(elapsed), elapsed & 0xffffffff);
1663 	if (targ->encl_level_valid) {
1664 		mpr_dprint(sc, MPR_INFO|MPR_RECOVERY,
1665 		    "At enclosure level %d, slot %d, connector name (%4s)\n",
1666 		    targ->encl_level, targ->encl_slot, targ->connector_name);
1667 	}
1668 
1669 	/* XXX first, check the firmware state, to see if it's still
1670 	 * operational.  if not, do a diag reset.
1671 	 */
1672 	mprsas_set_ccbstatus(cm->cm_ccb, CAM_CMD_TIMEOUT);
1673 	cm->cm_flags |= MPR_CM_FLAGS_ON_RECOVERY | MPR_CM_FLAGS_TIMEDOUT;
1674 	TAILQ_INSERT_TAIL(&targ->timedout_commands, cm, cm_recovery);
1675 
1676 	if (targ->tm != NULL) {
1677 		/* target already in recovery, just queue up another
1678 		 * timedout command to be processed later.
1679 		 */
1680 		mpr_dprint(sc, MPR_RECOVERY, "queued timedout cm %p for "
1681 		    "processing by tm %p\n", cm, targ->tm);
1682 	}
1683 	else if ((targ->tm = mprsas_alloc_tm(sc)) != NULL) {
1684 		/* start recovery by aborting the first timedout command */
1685 		mpr_dprint(sc, MPR_RECOVERY|MPR_INFO,
1686 		    "Sending abort to target %u for SMID %d\n", targ->tid,
1687 		    cm->cm_desc.Default.SMID);
1688 		mpr_dprint(sc, MPR_RECOVERY, "timedout cm %p allocated tm %p\n",
1689 		    cm, targ->tm);
1690 		mprsas_send_abort(sc, targ->tm, cm);
1691 	}
1692 	else {
1693 		/* XXX queue this target up for recovery once a TM becomes
1694 		 * available.  The firmware only has a limited number of
1695 		 * HighPriority credits for the high priority requests used
1696 		 * for task management, and we ran out.
1697 		 *
1698 		 * Isilon: don't worry about this for now, since we have
1699 		 * more credits than disks in an enclosure, and limit
1700 		 * ourselves to one TM per target for recovery.
1701 		 */
1702 		mpr_dprint(sc, MPR_ERROR|MPR_RECOVERY,
1703 		    "timedout cm %p failed to allocate a tm\n", cm);
1704 	}
1705 }
1706 
1707 /**
1708  * mprsas_build_nvme_unmap - Build Native NVMe DSM command equivalent
1709  *			     to SCSI Unmap.
1710  * Return 0 - for success,
1711  *	  1 - to immediately return back the command with success status to CAM
1712  *	  negative value - to fallback to firmware path i.e. issue scsi unmap
1713  *			   to FW without any translation.
1714  */
1715 static int
1716 mprsas_build_nvme_unmap(struct mpr_softc *sc, struct mpr_command *cm,
1717     union ccb *ccb, struct mprsas_target *targ)
1718 {
1719 	Mpi26NVMeEncapsulatedRequest_t *req = NULL;
1720 	struct ccb_scsiio *csio;
1721 	struct unmap_parm_list *plist;
1722 	struct nvme_dsm_range *nvme_dsm_ranges = NULL;
1723 	struct nvme_command *c;
1724 	int i, res;
1725 	uint16_t ndesc, list_len, data_length;
1726 	struct mpr_prp_page *prp_page_info;
1727 	uint64_t nvme_dsm_ranges_dma_handle;
1728 
1729 	csio = &ccb->csio;
1730 	list_len = (scsiio_cdb_ptr(csio)[7] << 8 | scsiio_cdb_ptr(csio)[8]);
1731 	if (!list_len) {
1732 		mpr_dprint(sc, MPR_ERROR, "Parameter list length is Zero\n");
1733 		return -EINVAL;
1734 	}
1735 
1736 	plist = malloc(csio->dxfer_len, M_MPR, M_ZERO|M_NOWAIT);
1737 	if (!plist) {
1738 		mpr_dprint(sc, MPR_ERROR, "Unable to allocate memory to "
1739 		    "save UNMAP data\n");
1740 		return -ENOMEM;
1741 	}
1742 
1743 	/* Copy SCSI unmap data to a local buffer */
1744 	bcopy(csio->data_ptr, plist, csio->dxfer_len);
1745 
1746 	/* return back the unmap command to CAM with success status,
1747 	 * if number of descripts is zero.
1748 	 */
1749 	ndesc = be16toh(plist->unmap_blk_desc_data_len) >> 4;
1750 	if (!ndesc) {
1751 		mpr_dprint(sc, MPR_XINFO, "Number of descriptors in "
1752 		    "UNMAP cmd is Zero\n");
1753 		res = 1;
1754 		goto out;
1755 	}
1756 
1757 	data_length = ndesc * sizeof(struct nvme_dsm_range);
1758 	if (data_length > targ->MDTS) {
1759 		mpr_dprint(sc, MPR_ERROR, "data length: %d is greater than "
1760 		    "Device's MDTS: %d\n", data_length, targ->MDTS);
1761 		res = -EINVAL;
1762 		goto out;
1763 	}
1764 
1765 	prp_page_info = mpr_alloc_prp_page(sc);
1766 	KASSERT(prp_page_info != NULL, ("%s: There is no PRP Page for "
1767 	    "UNMAP command.\n", __func__));
1768 
1769 	/*
1770 	 * Insert the allocated PRP page into the command's PRP page list. This
1771 	 * will be freed when the command is freed.
1772 	 */
1773 	TAILQ_INSERT_TAIL(&cm->cm_prp_page_list, prp_page_info, prp_page_link);
1774 
1775 	nvme_dsm_ranges = (struct nvme_dsm_range *)prp_page_info->prp_page;
1776 	nvme_dsm_ranges_dma_handle = prp_page_info->prp_page_busaddr;
1777 
1778 	bzero(nvme_dsm_ranges, data_length);
1779 
1780 	/* Convert SCSI unmap's descriptor data to NVMe DSM specific Range data
1781 	 * for each descriptors contained in SCSI UNMAP data.
1782 	 */
1783 	for (i = 0; i < ndesc; i++) {
1784 		nvme_dsm_ranges[i].length =
1785 		    htole32(be32toh(plist->desc[i].nlb));
1786 		nvme_dsm_ranges[i].starting_lba =
1787 		    htole64(be64toh(plist->desc[i].slba));
1788 		nvme_dsm_ranges[i].attributes = 0;
1789 	}
1790 
1791 	/* Build MPI2.6's NVMe Encapsulated Request Message */
1792 	req = (Mpi26NVMeEncapsulatedRequest_t *)cm->cm_req;
1793 	bzero(req, sizeof(*req));
1794 	req->DevHandle = htole16(targ->handle);
1795 	req->Function = MPI2_FUNCTION_NVME_ENCAPSULATED;
1796 	req->Flags = MPI26_NVME_FLAGS_WRITE;
1797 	req->ErrorResponseBaseAddress.High =
1798 	    htole32((uint32_t)((uint64_t)cm->cm_sense_busaddr >> 32));
1799 	req->ErrorResponseBaseAddress.Low =
1800 	    htole32(cm->cm_sense_busaddr);
1801 	req->ErrorResponseAllocationLength =
1802 	    htole16(sizeof(struct nvme_completion));
1803 	req->EncapsulatedCommandLength =
1804 	    htole16(sizeof(struct nvme_command));
1805 	req->DataLength = htole32(data_length);
1806 
1807 	/* Build NVMe DSM command */
1808 	c = (struct nvme_command *) req->NVMe_Command;
1809 	c->opc = NVME_OPC_DATASET_MANAGEMENT;
1810 	c->nsid = htole32(csio->ccb_h.target_lun + 1);
1811 	c->cdw10 = htole32(ndesc - 1);
1812 	c->cdw11 = htole32(NVME_DSM_ATTR_DEALLOCATE);
1813 
1814 	cm->cm_length = data_length;
1815 	cm->cm_data = NULL;
1816 
1817 	cm->cm_complete = mprsas_scsiio_complete;
1818 	cm->cm_complete_data = ccb;
1819 	cm->cm_targ = targ;
1820 	cm->cm_lun = csio->ccb_h.target_lun;
1821 	cm->cm_ccb = ccb;
1822 
1823 	cm->cm_desc.Default.RequestFlags =
1824 	    MPI26_REQ_DESCRIPT_FLAGS_PCIE_ENCAPSULATED;
1825 
1826 	csio->ccb_h.qos.sim_data = sbinuptime();
1827 	callout_reset_sbt(&cm->cm_callout, SBT_1MS * ccb->ccb_h.timeout, 0,
1828 	    mprsas_scsiio_timeout, cm, 0);
1829 
1830 	targ->issued++;
1831 	targ->outstanding++;
1832 	TAILQ_INSERT_TAIL(&targ->commands, cm, cm_link);
1833 	ccb->ccb_h.status |= CAM_SIM_QUEUED;
1834 
1835 	mprsas_log_command(cm, MPR_XINFO, "%s cm %p ccb %p outstanding %u\n",
1836 	    __func__, cm, ccb, targ->outstanding);
1837 
1838 	mpr_build_nvme_prp(sc, cm, req,
1839 	    (void *)(uintptr_t)nvme_dsm_ranges_dma_handle, 0, data_length);
1840 	mpr_map_command(sc, cm);
1841 
1842 out:
1843 	free(plist, M_MPR);
1844 	return 0;
1845 }
1846 
1847 static void
1848 mprsas_action_scsiio(struct mprsas_softc *sassc, union ccb *ccb)
1849 {
1850 	MPI2_SCSI_IO_REQUEST *req;
1851 	struct ccb_scsiio *csio;
1852 	struct mpr_softc *sc;
1853 	struct mprsas_target *targ;
1854 	struct mprsas_lun *lun;
1855 	struct mpr_command *cm;
1856 	uint8_t i, lba_byte, *ref_tag_addr, scsi_opcode;
1857 	uint16_t eedp_flags;
1858 	uint32_t mpi_control;
1859 	int rc;
1860 
1861 	sc = sassc->sc;
1862 	MPR_FUNCTRACE(sc);
1863 	mtx_assert(&sc->mpr_mtx, MA_OWNED);
1864 
1865 	csio = &ccb->csio;
1866 	KASSERT(csio->ccb_h.target_id < sassc->maxtargets,
1867 	    ("Target %d out of bounds in XPT_SCSI_IO\n",
1868 	     csio->ccb_h.target_id));
1869 	targ = &sassc->targets[csio->ccb_h.target_id];
1870 	mpr_dprint(sc, MPR_TRACE, "ccb %p target flag %x\n", ccb, targ->flags);
1871 	if (targ->handle == 0x0) {
1872 		mpr_dprint(sc, MPR_ERROR, "%s NULL handle for target %u\n",
1873 		    __func__, csio->ccb_h.target_id);
1874 		mprsas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
1875 		xpt_done(ccb);
1876 		return;
1877 	}
1878 	if (targ->flags & MPR_TARGET_FLAGS_RAID_COMPONENT) {
1879 		mpr_dprint(sc, MPR_ERROR, "%s Raid component no SCSI IO "
1880 		    "supported %u\n", __func__, csio->ccb_h.target_id);
1881 		mprsas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
1882 		xpt_done(ccb);
1883 		return;
1884 	}
1885 	/*
1886 	 * Sometimes, it is possible to get a command that is not "In
1887 	 * Progress" and was actually aborted by the upper layer.  Check for
1888 	 * this here and complete the command without error.
1889 	 */
1890 	if (mprsas_get_ccbstatus(ccb) != CAM_REQ_INPROG) {
1891 		mpr_dprint(sc, MPR_TRACE, "%s Command is not in progress for "
1892 		    "target %u\n", __func__, csio->ccb_h.target_id);
1893 		xpt_done(ccb);
1894 		return;
1895 	}
1896 	/*
1897 	 * If devinfo is 0 this will be a volume.  In that case don't tell CAM
1898 	 * that the volume has timed out.  We want volumes to be enumerated
1899 	 * until they are deleted/removed, not just failed. In either event,
1900 	 * we're removing the target due to a firmware event telling us
1901 	 * the device is now gone (as opposed to some transient event). Since
1902 	 * we're opting to remove failed devices from the OS's view, we need
1903 	 * to propagate that status up the stack.
1904 	 */
1905 	if (targ->flags & MPRSAS_TARGET_INREMOVAL) {
1906 		if (targ->devinfo == 0)
1907 			mprsas_set_ccbstatus(ccb, CAM_REQ_CMP);
1908 		else
1909 			mprsas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
1910 		xpt_done(ccb);
1911 		return;
1912 	}
1913 
1914 	if ((sc->mpr_flags & MPR_FLAGS_SHUTDOWN) != 0) {
1915 		mpr_dprint(sc, MPR_INFO, "%s shutting down\n", __func__);
1916 		mprsas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
1917 		xpt_done(ccb);
1918 		return;
1919 	}
1920 
1921 	/*
1922 	 * If target has a reset in progress, the devq should be frozen.
1923 	 * Geting here we likely hit a race, so just requeue.
1924 	 */
1925 	if (targ->flags & MPRSAS_TARGET_INRESET) {
1926 		ccb->ccb_h.status = CAM_REQUEUE_REQ | CAM_DEV_QFRZN;
1927 		xpt_freeze_devq(ccb->ccb_h.path, 1);
1928 		xpt_done(ccb);
1929 		return;
1930 	}
1931 
1932 	cm = mpr_alloc_command(sc);
1933 	if (cm == NULL || (sc->mpr_flags & MPR_FLAGS_DIAGRESET)) {
1934 		if (cm != NULL) {
1935 			mpr_free_command(sc, cm);
1936 		}
1937 		if ((sassc->flags & MPRSAS_QUEUE_FROZEN) == 0) {
1938 			xpt_freeze_simq(sassc->sim, 1);
1939 			sassc->flags |= MPRSAS_QUEUE_FROZEN;
1940 		}
1941 		ccb->ccb_h.status &= ~CAM_SIM_QUEUED;
1942 		ccb->ccb_h.status |= CAM_REQUEUE_REQ;
1943 		xpt_done(ccb);
1944 		return;
1945 	}
1946 
1947 	/* For NVME device's issue UNMAP command directly to NVME drives by
1948 	 * constructing equivalent native NVMe DataSetManagement command.
1949 	 */
1950 	scsi_opcode = scsiio_cdb_ptr(csio)[0];
1951 	if (scsi_opcode == UNMAP &&
1952 	    targ->is_nvme &&
1953 	    (csio->ccb_h.flags & CAM_DATA_MASK) == CAM_DATA_VADDR) {
1954 		rc = mprsas_build_nvme_unmap(sc, cm, ccb, targ);
1955 		if (rc == 1) { /* return command to CAM with success status */
1956 			mpr_free_command(sc, cm);
1957 			mprsas_set_ccbstatus(ccb, CAM_REQ_CMP);
1958 			xpt_done(ccb);
1959 			return;
1960 		} else if (!rc) /* Issued NVMe Encapsulated Request Message */
1961 			return;
1962 	}
1963 
1964 	req = (MPI2_SCSI_IO_REQUEST *)cm->cm_req;
1965 	bzero(req, sizeof(*req));
1966 	req->DevHandle = htole16(targ->handle);
1967 	req->Function = MPI2_FUNCTION_SCSI_IO_REQUEST;
1968 	req->MsgFlags = 0;
1969 	req->SenseBufferLowAddress = htole32(cm->cm_sense_busaddr);
1970 	req->SenseBufferLength = MPR_SENSE_LEN;
1971 	req->SGLFlags = 0;
1972 	req->ChainOffset = 0;
1973 	req->SGLOffset0 = 24;	/* 32bit word offset to the SGL */
1974 	req->SGLOffset1= 0;
1975 	req->SGLOffset2= 0;
1976 	req->SGLOffset3= 0;
1977 	req->SkipCount = 0;
1978 	req->DataLength = htole32(csio->dxfer_len);
1979 	req->BidirectionalDataLength = 0;
1980 	req->IoFlags = htole16(csio->cdb_len);
1981 	req->EEDPFlags = 0;
1982 
1983 	/* Note: BiDirectional transfers are not supported */
1984 	switch (csio->ccb_h.flags & CAM_DIR_MASK) {
1985 	case CAM_DIR_IN:
1986 		mpi_control = MPI2_SCSIIO_CONTROL_READ;
1987 		cm->cm_flags |= MPR_CM_FLAGS_DATAIN;
1988 		break;
1989 	case CAM_DIR_OUT:
1990 		mpi_control = MPI2_SCSIIO_CONTROL_WRITE;
1991 		cm->cm_flags |= MPR_CM_FLAGS_DATAOUT;
1992 		break;
1993 	case CAM_DIR_NONE:
1994 	default:
1995 		mpi_control = MPI2_SCSIIO_CONTROL_NODATATRANSFER;
1996 		break;
1997 	}
1998 
1999 	if (csio->cdb_len == 32)
2000 		mpi_control |= 4 << MPI2_SCSIIO_CONTROL_ADDCDBLEN_SHIFT;
2001 	/*
2002 	 * It looks like the hardware doesn't require an explicit tag
2003 	 * number for each transaction.  SAM Task Management not supported
2004 	 * at the moment.
2005 	 */
2006 	switch (csio->tag_action) {
2007 	case MSG_HEAD_OF_Q_TAG:
2008 		mpi_control |= MPI2_SCSIIO_CONTROL_HEADOFQ;
2009 		break;
2010 	case MSG_ORDERED_Q_TAG:
2011 		mpi_control |= MPI2_SCSIIO_CONTROL_ORDEREDQ;
2012 		break;
2013 	case MSG_ACA_TASK:
2014 		mpi_control |= MPI2_SCSIIO_CONTROL_ACAQ;
2015 		break;
2016 	case CAM_TAG_ACTION_NONE:
2017 	case MSG_SIMPLE_Q_TAG:
2018 	default:
2019 		mpi_control |= MPI2_SCSIIO_CONTROL_SIMPLEQ;
2020 		break;
2021 	}
2022 	mpi_control |= (csio->priority << MPI2_SCSIIO_CONTROL_CMDPRI_SHIFT) &
2023 	    MPI2_SCSIIO_CONTROL_CMDPRI_MASK;
2024 	mpi_control |= sc->mapping_table[csio->ccb_h.target_id].TLR_bits;
2025 	req->Control = htole32(mpi_control);
2026 
2027 	if (MPR_SET_LUN(req->LUN, csio->ccb_h.target_lun) != 0) {
2028 		mpr_free_command(sc, cm);
2029 		mprsas_set_ccbstatus(ccb, CAM_LUN_INVALID);
2030 		xpt_done(ccb);
2031 		return;
2032 	}
2033 
2034 	if (csio->ccb_h.flags & CAM_CDB_POINTER)
2035 		bcopy(csio->cdb_io.cdb_ptr, &req->CDB.CDB32[0], csio->cdb_len);
2036 	else {
2037 		KASSERT(csio->cdb_len <= IOCDBLEN,
2038 		    ("cdb_len %d is greater than IOCDBLEN but CAM_CDB_POINTER "
2039 		    "is not set", csio->cdb_len));
2040 		bcopy(csio->cdb_io.cdb_bytes, &req->CDB.CDB32[0],csio->cdb_len);
2041 	}
2042 	req->IoFlags = htole16(csio->cdb_len);
2043 
2044 	/*
2045 	 * Check if EEDP is supported and enabled.  If it is then check if the
2046 	 * SCSI opcode could be using EEDP.  If so, make sure the LUN exists and
2047 	 * is formatted for EEDP support.  If all of this is true, set CDB up
2048 	 * for EEDP transfer.
2049 	 */
2050 	eedp_flags = op_code_prot[req->CDB.CDB32[0]];
2051 	if (sc->eedp_enabled && eedp_flags) {
2052 		SLIST_FOREACH(lun, &targ->luns, lun_link) {
2053 			if (lun->lun_id == csio->ccb_h.target_lun) {
2054 				break;
2055 			}
2056 		}
2057 
2058 		if ((lun != NULL) && (lun->eedp_formatted)) {
2059 			req->EEDPBlockSize = htole32(lun->eedp_block_size);
2060 			eedp_flags |= (MPI2_SCSIIO_EEDPFLAGS_INC_PRI_REFTAG |
2061 			    MPI2_SCSIIO_EEDPFLAGS_CHECK_REFTAG |
2062 			    MPI2_SCSIIO_EEDPFLAGS_CHECK_GUARD);
2063 			if (sc->mpr_flags & MPR_FLAGS_GEN35_IOC) {
2064 				eedp_flags |=
2065 				    MPI25_SCSIIO_EEDPFLAGS_APPTAG_DISABLE_MODE;
2066 			}
2067 			req->EEDPFlags = htole16(eedp_flags);
2068 
2069 			/*
2070 			 * If CDB less than 32, fill in Primary Ref Tag with
2071 			 * low 4 bytes of LBA.  If CDB is 32, tag stuff is
2072 			 * already there.  Also, set protection bit.  FreeBSD
2073 			 * currently does not support CDBs bigger than 16, but
2074 			 * the code doesn't hurt, and will be here for the
2075 			 * future.
2076 			 */
2077 			if (csio->cdb_len != 32) {
2078 				lba_byte = (csio->cdb_len == 16) ? 6 : 2;
2079 				ref_tag_addr = (uint8_t *)&req->CDB.EEDP32.
2080 				    PrimaryReferenceTag;
2081 				for (i = 0; i < 4; i++) {
2082 					*ref_tag_addr =
2083 					    req->CDB.CDB32[lba_byte + i];
2084 					ref_tag_addr++;
2085 				}
2086 				req->CDB.EEDP32.PrimaryReferenceTag =
2087 				    htole32(req->
2088 				    CDB.EEDP32.PrimaryReferenceTag);
2089 				req->CDB.EEDP32.PrimaryApplicationTagMask =
2090 				    0xFFFF;
2091 				req->CDB.CDB32[1] =
2092 				    (req->CDB.CDB32[1] & 0x1F) | 0x20;
2093 			} else {
2094 				eedp_flags |=
2095 				    MPI2_SCSIIO_EEDPFLAGS_INC_PRI_APPTAG;
2096 				req->EEDPFlags = htole16(eedp_flags);
2097 				req->CDB.CDB32[10] = (req->CDB.CDB32[10] &
2098 				    0x1F) | 0x20;
2099 			}
2100 		}
2101 	}
2102 
2103 	cm->cm_length = csio->dxfer_len;
2104 	if (cm->cm_length != 0) {
2105 		cm->cm_data = ccb;
2106 		cm->cm_flags |= MPR_CM_FLAGS_USE_CCB;
2107 	} else {
2108 		cm->cm_data = NULL;
2109 	}
2110 	cm->cm_sge = &req->SGL;
2111 	cm->cm_sglsize = (32 - 24) * 4;
2112 	cm->cm_complete = mprsas_scsiio_complete;
2113 	cm->cm_complete_data = ccb;
2114 	cm->cm_targ = targ;
2115 	cm->cm_lun = csio->ccb_h.target_lun;
2116 	cm->cm_ccb = ccb;
2117 	/*
2118 	 * If using FP desc type, need to set a bit in IoFlags (SCSI IO is 0)
2119 	 * and set descriptor type.
2120 	 */
2121 	if (targ->scsi_req_desc_type ==
2122 	    MPI25_REQ_DESCRIPT_FLAGS_FAST_PATH_SCSI_IO) {
2123 		req->IoFlags |= MPI25_SCSIIO_IOFLAGS_FAST_PATH;
2124 		cm->cm_desc.FastPathSCSIIO.RequestFlags =
2125 		    MPI25_REQ_DESCRIPT_FLAGS_FAST_PATH_SCSI_IO;
2126 		if (!sc->atomic_desc_capable) {
2127 			cm->cm_desc.FastPathSCSIIO.DevHandle =
2128 			    htole16(targ->handle);
2129 		}
2130 	} else {
2131 		cm->cm_desc.SCSIIO.RequestFlags =
2132 		    MPI2_REQ_DESCRIPT_FLAGS_SCSI_IO;
2133 		if (!sc->atomic_desc_capable)
2134 			cm->cm_desc.SCSIIO.DevHandle = htole16(targ->handle);
2135 	}
2136 
2137 	csio->ccb_h.qos.sim_data = sbinuptime();
2138 	callout_reset_sbt(&cm->cm_callout, SBT_1MS * ccb->ccb_h.timeout, 0,
2139 	    mprsas_scsiio_timeout, cm, 0);
2140 
2141 	targ->issued++;
2142 	targ->outstanding++;
2143 	TAILQ_INSERT_TAIL(&targ->commands, cm, cm_link);
2144 	ccb->ccb_h.status |= CAM_SIM_QUEUED;
2145 
2146 	mprsas_log_command(cm, MPR_XINFO, "%s cm %p ccb %p outstanding %u\n",
2147 	    __func__, cm, ccb, targ->outstanding);
2148 
2149 	mpr_map_command(sc, cm);
2150 	return;
2151 }
2152 
2153 /**
2154  * mpr_sc_failed_io_info - translated non-succesfull SCSI_IO request
2155  */
2156 static void
2157 mpr_sc_failed_io_info(struct mpr_softc *sc, struct ccb_scsiio *csio,
2158     Mpi2SCSIIOReply_t *mpi_reply, struct mprsas_target *targ)
2159 {
2160 	u32 response_info;
2161 	u8 *response_bytes;
2162 	u16 ioc_status = le16toh(mpi_reply->IOCStatus) &
2163 	    MPI2_IOCSTATUS_MASK;
2164 	u8 scsi_state = mpi_reply->SCSIState;
2165 	u8 scsi_status = mpi_reply->SCSIStatus;
2166 	char *desc_ioc_state = NULL;
2167 	char *desc_scsi_status = NULL;
2168 	u32 log_info = le32toh(mpi_reply->IOCLogInfo);
2169 
2170 	if (log_info == 0x31170000)
2171 		return;
2172 
2173 	desc_ioc_state = mpr_describe_table(mpr_iocstatus_string,
2174 	     ioc_status);
2175 	desc_scsi_status = mpr_describe_table(mpr_scsi_status_string,
2176 	    scsi_status);
2177 
2178 	mpr_dprint(sc, MPR_XINFO, "\thandle(0x%04x), ioc_status(%s)(0x%04x)\n",
2179 	    le16toh(mpi_reply->DevHandle), desc_ioc_state, ioc_status);
2180 	if (targ->encl_level_valid) {
2181 		mpr_dprint(sc, MPR_XINFO, "At enclosure level %d, slot %d, "
2182 		    "connector name (%4s)\n", targ->encl_level, targ->encl_slot,
2183 		    targ->connector_name);
2184 	}
2185 
2186 	/*
2187 	 * We can add more detail about underflow data here
2188 	 * TO-DO
2189 	 */
2190 	mpr_dprint(sc, MPR_XINFO, "\tscsi_status(%s)(0x%02x), "
2191 	    "scsi_state %b\n", desc_scsi_status, scsi_status,
2192 	    scsi_state, "\20" "\1AutosenseValid" "\2AutosenseFailed"
2193 	    "\3NoScsiStatus" "\4Terminated" "\5Response InfoValid");
2194 
2195 	if (sc->mpr_debug & MPR_XINFO &&
2196 	    scsi_state & MPI2_SCSI_STATE_AUTOSENSE_VALID) {
2197 		mpr_dprint(sc, MPR_XINFO, "-> Sense Buffer Data : Start :\n");
2198 		scsi_sense_print(csio);
2199 		mpr_dprint(sc, MPR_XINFO, "-> Sense Buffer Data : End :\n");
2200 	}
2201 
2202 	if (scsi_state & MPI2_SCSI_STATE_RESPONSE_INFO_VALID) {
2203 		response_info = le32toh(mpi_reply->ResponseInfo);
2204 		response_bytes = (u8 *)&response_info;
2205 		mpr_dprint(sc, MPR_XINFO, "response code(0x%01x): %s\n",
2206 		    response_bytes[0],
2207 		    mpr_describe_table(mpr_scsi_taskmgmt_string,
2208 		    response_bytes[0]));
2209 	}
2210 }
2211 
2212 /** mprsas_nvme_trans_status_code
2213  *
2214  * Convert Native NVMe command error status to
2215  * equivalent SCSI error status.
2216  *
2217  * Returns appropriate scsi_status
2218  */
2219 static u8
2220 mprsas_nvme_trans_status_code(uint16_t nvme_status,
2221     struct mpr_command *cm)
2222 {
2223 	u8 status = MPI2_SCSI_STATUS_GOOD;
2224 	int skey, asc, ascq;
2225 	union ccb *ccb = cm->cm_complete_data;
2226 	int returned_sense_len;
2227 	uint8_t sct, sc;
2228 
2229 	sct = NVME_STATUS_GET_SCT(nvme_status);
2230 	sc = NVME_STATUS_GET_SC(nvme_status);
2231 
2232 	status = MPI2_SCSI_STATUS_CHECK_CONDITION;
2233 	skey = SSD_KEY_ILLEGAL_REQUEST;
2234 	asc = SCSI_ASC_NO_SENSE;
2235 	ascq = SCSI_ASCQ_CAUSE_NOT_REPORTABLE;
2236 
2237 	switch (sct) {
2238 	case NVME_SCT_GENERIC:
2239 		switch (sc) {
2240 		case NVME_SC_SUCCESS:
2241 			status = MPI2_SCSI_STATUS_GOOD;
2242 			skey = SSD_KEY_NO_SENSE;
2243 			asc = SCSI_ASC_NO_SENSE;
2244 			ascq = SCSI_ASCQ_CAUSE_NOT_REPORTABLE;
2245 			break;
2246 		case NVME_SC_INVALID_OPCODE:
2247 			status = MPI2_SCSI_STATUS_CHECK_CONDITION;
2248 			skey = SSD_KEY_ILLEGAL_REQUEST;
2249 			asc = SCSI_ASC_ILLEGAL_COMMAND;
2250 			ascq = SCSI_ASCQ_CAUSE_NOT_REPORTABLE;
2251 			break;
2252 		case NVME_SC_INVALID_FIELD:
2253 			status = MPI2_SCSI_STATUS_CHECK_CONDITION;
2254 			skey = SSD_KEY_ILLEGAL_REQUEST;
2255 			asc = SCSI_ASC_INVALID_CDB;
2256 			ascq = SCSI_ASCQ_CAUSE_NOT_REPORTABLE;
2257 			break;
2258 		case NVME_SC_DATA_TRANSFER_ERROR:
2259 			status = MPI2_SCSI_STATUS_CHECK_CONDITION;
2260 			skey = SSD_KEY_MEDIUM_ERROR;
2261 			asc = SCSI_ASC_NO_SENSE;
2262 			ascq = SCSI_ASCQ_CAUSE_NOT_REPORTABLE;
2263 			break;
2264 		case NVME_SC_ABORTED_POWER_LOSS:
2265 			status = MPI2_SCSI_STATUS_TASK_ABORTED;
2266 			skey = SSD_KEY_ABORTED_COMMAND;
2267 			asc = SCSI_ASC_WARNING;
2268 			ascq = SCSI_ASCQ_POWER_LOSS_EXPECTED;
2269 			break;
2270 		case NVME_SC_INTERNAL_DEVICE_ERROR:
2271 			status = MPI2_SCSI_STATUS_CHECK_CONDITION;
2272 			skey = SSD_KEY_HARDWARE_ERROR;
2273 			asc = SCSI_ASC_INTERNAL_TARGET_FAILURE;
2274 			ascq = SCSI_ASCQ_CAUSE_NOT_REPORTABLE;
2275 			break;
2276 		case NVME_SC_ABORTED_BY_REQUEST:
2277 		case NVME_SC_ABORTED_SQ_DELETION:
2278 		case NVME_SC_ABORTED_FAILED_FUSED:
2279 		case NVME_SC_ABORTED_MISSING_FUSED:
2280 			status = MPI2_SCSI_STATUS_TASK_ABORTED;
2281 			skey = SSD_KEY_ABORTED_COMMAND;
2282 			asc = SCSI_ASC_NO_SENSE;
2283 			ascq = SCSI_ASCQ_CAUSE_NOT_REPORTABLE;
2284 			break;
2285 		case NVME_SC_INVALID_NAMESPACE_OR_FORMAT:
2286 			status = MPI2_SCSI_STATUS_CHECK_CONDITION;
2287 			skey = SSD_KEY_ILLEGAL_REQUEST;
2288 			asc = SCSI_ASC_ACCESS_DENIED_INVALID_LUN_ID;
2289 			ascq = SCSI_ASCQ_INVALID_LUN_ID;
2290 			break;
2291 		case NVME_SC_LBA_OUT_OF_RANGE:
2292 			status = MPI2_SCSI_STATUS_CHECK_CONDITION;
2293 			skey = SSD_KEY_ILLEGAL_REQUEST;
2294 			asc = SCSI_ASC_ILLEGAL_BLOCK;
2295 			ascq = SCSI_ASCQ_CAUSE_NOT_REPORTABLE;
2296 			break;
2297 		case NVME_SC_CAPACITY_EXCEEDED:
2298 			status = MPI2_SCSI_STATUS_CHECK_CONDITION;
2299 			skey = SSD_KEY_MEDIUM_ERROR;
2300 			asc = SCSI_ASC_NO_SENSE;
2301 			ascq = SCSI_ASCQ_CAUSE_NOT_REPORTABLE;
2302 			break;
2303 		case NVME_SC_NAMESPACE_NOT_READY:
2304 			status = MPI2_SCSI_STATUS_CHECK_CONDITION;
2305 			skey = SSD_KEY_NOT_READY;
2306 			asc = SCSI_ASC_LUN_NOT_READY;
2307 			ascq = SCSI_ASCQ_CAUSE_NOT_REPORTABLE;
2308 			break;
2309 		}
2310 		break;
2311 	case NVME_SCT_COMMAND_SPECIFIC:
2312 		switch (sc) {
2313 		case NVME_SC_INVALID_FORMAT:
2314 			status = MPI2_SCSI_STATUS_CHECK_CONDITION;
2315 			skey = SSD_KEY_ILLEGAL_REQUEST;
2316 			asc = SCSI_ASC_FORMAT_COMMAND_FAILED;
2317 			ascq = SCSI_ASCQ_FORMAT_COMMAND_FAILED;
2318 			break;
2319 		case NVME_SC_CONFLICTING_ATTRIBUTES:
2320 			status = MPI2_SCSI_STATUS_CHECK_CONDITION;
2321 			skey = SSD_KEY_ILLEGAL_REQUEST;
2322 			asc = SCSI_ASC_INVALID_CDB;
2323 			ascq = SCSI_ASCQ_CAUSE_NOT_REPORTABLE;
2324 			break;
2325 		}
2326 		break;
2327 	case NVME_SCT_MEDIA_ERROR:
2328 		switch (sc) {
2329 		case NVME_SC_WRITE_FAULTS:
2330 			status = MPI2_SCSI_STATUS_CHECK_CONDITION;
2331 			skey = SSD_KEY_MEDIUM_ERROR;
2332 			asc = SCSI_ASC_PERIPHERAL_DEV_WRITE_FAULT;
2333 			ascq = SCSI_ASCQ_CAUSE_NOT_REPORTABLE;
2334 			break;
2335 		case NVME_SC_UNRECOVERED_READ_ERROR:
2336 			status = MPI2_SCSI_STATUS_CHECK_CONDITION;
2337 			skey = SSD_KEY_MEDIUM_ERROR;
2338 			asc = SCSI_ASC_UNRECOVERED_READ_ERROR;
2339 			ascq = SCSI_ASCQ_CAUSE_NOT_REPORTABLE;
2340 			break;
2341 		case NVME_SC_GUARD_CHECK_ERROR:
2342 			status = MPI2_SCSI_STATUS_CHECK_CONDITION;
2343 			skey = SSD_KEY_MEDIUM_ERROR;
2344 			asc = SCSI_ASC_LOG_BLOCK_GUARD_CHECK_FAILED;
2345 			ascq = SCSI_ASCQ_LOG_BLOCK_GUARD_CHECK_FAILED;
2346 			break;
2347 		case NVME_SC_APPLICATION_TAG_CHECK_ERROR:
2348 			status = MPI2_SCSI_STATUS_CHECK_CONDITION;
2349 			skey = SSD_KEY_MEDIUM_ERROR;
2350 			asc = SCSI_ASC_LOG_BLOCK_APPTAG_CHECK_FAILED;
2351 			ascq = SCSI_ASCQ_LOG_BLOCK_APPTAG_CHECK_FAILED;
2352 			break;
2353 		case NVME_SC_REFERENCE_TAG_CHECK_ERROR:
2354 			status = MPI2_SCSI_STATUS_CHECK_CONDITION;
2355 			skey = SSD_KEY_MEDIUM_ERROR;
2356 			asc = SCSI_ASC_LOG_BLOCK_REFTAG_CHECK_FAILED;
2357 			ascq = SCSI_ASCQ_LOG_BLOCK_REFTAG_CHECK_FAILED;
2358 			break;
2359 		case NVME_SC_COMPARE_FAILURE:
2360 			status = MPI2_SCSI_STATUS_CHECK_CONDITION;
2361 			skey = SSD_KEY_MISCOMPARE;
2362 			asc = SCSI_ASC_MISCOMPARE_DURING_VERIFY;
2363 			ascq = SCSI_ASCQ_CAUSE_NOT_REPORTABLE;
2364 			break;
2365 		case NVME_SC_ACCESS_DENIED:
2366 			status = MPI2_SCSI_STATUS_CHECK_CONDITION;
2367 			skey = SSD_KEY_ILLEGAL_REQUEST;
2368 			asc = SCSI_ASC_ACCESS_DENIED_INVALID_LUN_ID;
2369 			ascq = SCSI_ASCQ_INVALID_LUN_ID;
2370 			break;
2371 		}
2372 		break;
2373 	}
2374 
2375 	returned_sense_len = sizeof(struct scsi_sense_data);
2376 	if (returned_sense_len < ccb->csio.sense_len)
2377 		ccb->csio.sense_resid = ccb->csio.sense_len -
2378 		    returned_sense_len;
2379 	else
2380 		ccb->csio.sense_resid = 0;
2381 
2382 	scsi_set_sense_data(&ccb->csio.sense_data, SSD_TYPE_FIXED,
2383 	    1, skey, asc, ascq, SSD_ELEM_NONE);
2384 	ccb->ccb_h.status |= CAM_AUTOSNS_VALID;
2385 
2386 	return status;
2387 }
2388 
2389 /** mprsas_complete_nvme_unmap
2390  *
2391  * Complete native NVMe command issued using NVMe Encapsulated
2392  * Request Message.
2393  */
2394 static u8
2395 mprsas_complete_nvme_unmap(struct mpr_softc *sc, struct mpr_command *cm)
2396 {
2397 	Mpi26NVMeEncapsulatedErrorReply_t *mpi_reply;
2398 	struct nvme_completion *nvme_completion = NULL;
2399 	u8 scsi_status = MPI2_SCSI_STATUS_GOOD;
2400 
2401 	mpi_reply =(Mpi26NVMeEncapsulatedErrorReply_t *)cm->cm_reply;
2402 	if (le16toh(mpi_reply->ErrorResponseCount)){
2403 		nvme_completion = (struct nvme_completion *)cm->cm_sense;
2404 		scsi_status = mprsas_nvme_trans_status_code(
2405 		    nvme_completion->status, cm);
2406 	}
2407 	return scsi_status;
2408 }
2409 
2410 static void
2411 mprsas_scsiio_complete(struct mpr_softc *sc, struct mpr_command *cm)
2412 {
2413 	MPI2_SCSI_IO_REPLY *rep;
2414 	union ccb *ccb;
2415 	struct ccb_scsiio *csio;
2416 	struct mprsas_softc *sassc;
2417 	struct scsi_vpd_supported_page_list *vpd_list = NULL;
2418 	u8 *TLR_bits, TLR_on, *scsi_cdb;
2419 	int dir = 0, i;
2420 	u16 alloc_len;
2421 	struct mprsas_target *target;
2422 	target_id_t target_id;
2423 
2424 	MPR_FUNCTRACE(sc);
2425 
2426 	callout_stop(&cm->cm_callout);
2427 	mtx_assert(&sc->mpr_mtx, MA_OWNED);
2428 
2429 	sassc = sc->sassc;
2430 	ccb = cm->cm_complete_data;
2431 	csio = &ccb->csio;
2432 	target_id = csio->ccb_h.target_id;
2433 	rep = (MPI2_SCSI_IO_REPLY *)cm->cm_reply;
2434 	mpr_dprint(sc, MPR_TRACE,
2435 	    "cm %p SMID %u ccb %p reply %p outstanding %u csio->scsi_status 0x%x,"
2436 	    "csio->dxfer_len 0x%x, csio->msg_le 0x%xn\n", cm,
2437 	    cm->cm_desc.Default.SMID, cm->cm_ccb, cm->cm_reply,
2438 	    cm->cm_targ->outstanding, csio->scsi_status,
2439 	    csio->dxfer_len, csio->msg_len);
2440 	/*
2441 	 * XXX KDM if the chain allocation fails, does it matter if we do
2442 	 * the sync and unload here?  It is simpler to do it in every case,
2443 	 * assuming it doesn't cause problems.
2444 	 */
2445 	if (cm->cm_data != NULL) {
2446 		if (cm->cm_flags & MPR_CM_FLAGS_DATAIN)
2447 			dir = BUS_DMASYNC_POSTREAD;
2448 		else if (cm->cm_flags & MPR_CM_FLAGS_DATAOUT)
2449 			dir = BUS_DMASYNC_POSTWRITE;
2450 		bus_dmamap_sync(sc->buffer_dmat, cm->cm_dmamap, dir);
2451 		bus_dmamap_unload(sc->buffer_dmat, cm->cm_dmamap);
2452 	}
2453 
2454 	cm->cm_targ->completed++;
2455 	cm->cm_targ->outstanding--;
2456 	TAILQ_REMOVE(&cm->cm_targ->commands, cm, cm_link);
2457 	ccb->ccb_h.status &= ~(CAM_STATUS_MASK | CAM_SIM_QUEUED);
2458 
2459 	if (cm->cm_flags & MPR_CM_FLAGS_ON_RECOVERY) {
2460 		TAILQ_REMOVE(&cm->cm_targ->timedout_commands, cm, cm_recovery);
2461 		KASSERT(cm->cm_state == MPR_CM_STATE_BUSY,
2462 		    ("Not busy for CM_FLAGS_TIMEDOUT: %u\n", cm->cm_state));
2463 		cm->cm_flags &= ~MPR_CM_FLAGS_ON_RECOVERY;
2464 		if (cm->cm_reply != NULL)
2465 			mprsas_log_command(cm, MPR_RECOVERY,
2466 			    "completed timedout cm %p ccb %p during recovery "
2467 			    "ioc %x scsi %x state %x xfer %u\n", cm, cm->cm_ccb,
2468 			    le16toh(rep->IOCStatus), rep->SCSIStatus,
2469 			    rep->SCSIState, le32toh(rep->TransferCount));
2470 		else
2471 			mprsas_log_command(cm, MPR_RECOVERY,
2472 			    "completed timedout cm %p ccb %p during recovery\n",
2473 			    cm, cm->cm_ccb);
2474 	} else if (cm->cm_targ->tm != NULL) {
2475 		if (cm->cm_reply != NULL)
2476 			mprsas_log_command(cm, MPR_RECOVERY,
2477 			    "completed cm %p ccb %p during recovery "
2478 			    "ioc %x scsi %x state %x xfer %u\n",
2479 			    cm, cm->cm_ccb, le16toh(rep->IOCStatus),
2480 			    rep->SCSIStatus, rep->SCSIState,
2481 			    le32toh(rep->TransferCount));
2482 		else
2483 			mprsas_log_command(cm, MPR_RECOVERY,
2484 			    "completed cm %p ccb %p during recovery\n",
2485 			    cm, cm->cm_ccb);
2486 	} else if ((sc->mpr_flags & MPR_FLAGS_DIAGRESET) != 0) {
2487 		mprsas_log_command(cm, MPR_RECOVERY,
2488 		    "reset completed cm %p ccb %p\n", cm, cm->cm_ccb);
2489 	}
2490 
2491 	if ((cm->cm_flags & MPR_CM_FLAGS_ERROR_MASK) != 0) {
2492 		/*
2493 		 * We ran into an error after we tried to map the command,
2494 		 * so we're getting a callback without queueing the command
2495 		 * to the hardware.  So we set the status here, and it will
2496 		 * be retained below.  We'll go through the "fast path",
2497 		 * because there can be no reply when we haven't actually
2498 		 * gone out to the hardware.
2499 		 */
2500 		mprsas_set_ccbstatus(ccb, CAM_REQUEUE_REQ);
2501 
2502 		/*
2503 		 * Currently the only error included in the mask is
2504 		 * MPR_CM_FLAGS_CHAIN_FAILED, which means we're out of
2505 		 * chain frames.  We need to freeze the queue until we get
2506 		 * a command that completed without this error, which will
2507 		 * hopefully have some chain frames attached that we can
2508 		 * use.  If we wanted to get smarter about it, we would
2509 		 * only unfreeze the queue in this condition when we're
2510 		 * sure that we're getting some chain frames back.  That's
2511 		 * probably unnecessary.
2512 		 */
2513 		if ((sassc->flags & MPRSAS_QUEUE_FROZEN) == 0) {
2514 			xpt_freeze_simq(sassc->sim, 1);
2515 			sassc->flags |= MPRSAS_QUEUE_FROZEN;
2516 			mpr_dprint(sc, MPR_XINFO, "Error sending command, "
2517 			    "freezing SIM queue\n");
2518 		}
2519 	}
2520 
2521 	/*
2522 	 * Point to the SCSI CDB, which is dependent on the CAM_CDB_POINTER
2523 	 * flag, and use it in a few places in the rest of this function for
2524 	 * convenience. Use the macro if available.
2525 	 */
2526 	scsi_cdb = scsiio_cdb_ptr(csio);
2527 
2528 	/*
2529 	 * If this is a Start Stop Unit command and it was issued by the driver
2530 	 * during shutdown, decrement the refcount to account for all of the
2531 	 * commands that were sent.  All SSU commands should be completed before
2532 	 * shutdown completes, meaning SSU_refcount will be 0 after SSU_started
2533 	 * is TRUE.
2534 	 */
2535 	if (sc->SSU_started && (scsi_cdb[0] == START_STOP_UNIT)) {
2536 		mpr_dprint(sc, MPR_INFO, "Decrementing SSU count.\n");
2537 		sc->SSU_refcount--;
2538 	}
2539 
2540 	/* Take the fast path to completion */
2541 	if (cm->cm_reply == NULL) {
2542 		if (mprsas_get_ccbstatus(ccb) == CAM_REQ_INPROG) {
2543 			if ((sc->mpr_flags & MPR_FLAGS_DIAGRESET) != 0)
2544 				mprsas_set_ccbstatus(ccb, CAM_SCSI_BUS_RESET);
2545 			else {
2546 				mprsas_set_ccbstatus(ccb, CAM_REQ_CMP);
2547 				csio->scsi_status = SCSI_STATUS_OK;
2548 			}
2549 			if (sassc->flags & MPRSAS_QUEUE_FROZEN) {
2550 				ccb->ccb_h.status |= CAM_RELEASE_SIMQ;
2551 				sassc->flags &= ~MPRSAS_QUEUE_FROZEN;
2552 				mpr_dprint(sc, MPR_XINFO,
2553 				    "Unfreezing SIM queue\n");
2554 			}
2555 		}
2556 
2557 		/*
2558 		 * There are two scenarios where the status won't be
2559 		 * CAM_REQ_CMP.  The first is if MPR_CM_FLAGS_ERROR_MASK is
2560 		 * set, the second is in the MPR_FLAGS_DIAGRESET above.
2561 		 */
2562 		if (mprsas_get_ccbstatus(ccb) != CAM_REQ_CMP) {
2563 			/*
2564 			 * Freeze the dev queue so that commands are
2565 			 * executed in the correct order after error
2566 			 * recovery.
2567 			 */
2568 			ccb->ccb_h.status |= CAM_DEV_QFRZN;
2569 			xpt_freeze_devq(ccb->ccb_h.path, /*count*/ 1);
2570 		}
2571 		mpr_free_command(sc, cm);
2572 		xpt_done(ccb);
2573 		return;
2574 	}
2575 
2576 	target = &sassc->targets[target_id];
2577 	if (scsi_cdb[0] == UNMAP &&
2578 	    target->is_nvme &&
2579 	    (csio->ccb_h.flags & CAM_DATA_MASK) == CAM_DATA_VADDR) {
2580 		rep->SCSIStatus = mprsas_complete_nvme_unmap(sc, cm);
2581 		csio->scsi_status = rep->SCSIStatus;
2582 	}
2583 
2584 	mprsas_log_command(cm, MPR_XINFO,
2585 	    "ioc %x scsi %x state %x xfer %u\n",
2586 	    le16toh(rep->IOCStatus), rep->SCSIStatus, rep->SCSIState,
2587 	    le32toh(rep->TransferCount));
2588 
2589 	switch (le16toh(rep->IOCStatus) & MPI2_IOCSTATUS_MASK) {
2590 	case MPI2_IOCSTATUS_SCSI_DATA_UNDERRUN:
2591 		csio->resid = cm->cm_length - le32toh(rep->TransferCount);
2592 		/* FALLTHROUGH */
2593 	case MPI2_IOCSTATUS_SUCCESS:
2594 	case MPI2_IOCSTATUS_SCSI_RECOVERED_ERROR:
2595 		if ((le16toh(rep->IOCStatus) & MPI2_IOCSTATUS_MASK) ==
2596 		    MPI2_IOCSTATUS_SCSI_RECOVERED_ERROR)
2597 			mprsas_log_command(cm, MPR_XINFO, "recovered error\n");
2598 
2599 		/* Completion failed at the transport level. */
2600 		if (rep->SCSIState & (MPI2_SCSI_STATE_NO_SCSI_STATUS |
2601 		    MPI2_SCSI_STATE_TERMINATED)) {
2602 			mprsas_set_ccbstatus(ccb, CAM_REQ_CMP_ERR);
2603 			break;
2604 		}
2605 
2606 		/* In a modern packetized environment, an autosense failure
2607 		 * implies that there's not much else that can be done to
2608 		 * recover the command.
2609 		 */
2610 		if (rep->SCSIState & MPI2_SCSI_STATE_AUTOSENSE_FAILED) {
2611 			mprsas_set_ccbstatus(ccb, CAM_AUTOSENSE_FAIL);
2612 			break;
2613 		}
2614 
2615 		/*
2616 		 * CAM doesn't care about SAS Response Info data, but if this is
2617 		 * the state check if TLR should be done.  If not, clear the
2618 		 * TLR_bits for the target.
2619 		 */
2620 		if ((rep->SCSIState & MPI2_SCSI_STATE_RESPONSE_INFO_VALID) &&
2621 		    ((le32toh(rep->ResponseInfo) & MPI2_SCSI_RI_MASK_REASONCODE)
2622 		    == MPR_SCSI_RI_INVALID_FRAME)) {
2623 			sc->mapping_table[target_id].TLR_bits =
2624 			    (u8)MPI2_SCSIIO_CONTROL_NO_TLR;
2625 		}
2626 
2627 		/*
2628 		 * Intentionally override the normal SCSI status reporting
2629 		 * for these two cases.  These are likely to happen in a
2630 		 * multi-initiator environment, and we want to make sure that
2631 		 * CAM retries these commands rather than fail them.
2632 		 */
2633 		if ((rep->SCSIStatus == MPI2_SCSI_STATUS_COMMAND_TERMINATED) ||
2634 		    (rep->SCSIStatus == MPI2_SCSI_STATUS_TASK_ABORTED)) {
2635 			mprsas_set_ccbstatus(ccb, CAM_REQ_ABORTED);
2636 			break;
2637 		}
2638 
2639 		/* Handle normal status and sense */
2640 		csio->scsi_status = rep->SCSIStatus;
2641 		if (rep->SCSIStatus == MPI2_SCSI_STATUS_GOOD)
2642 			mprsas_set_ccbstatus(ccb, CAM_REQ_CMP);
2643 		else
2644 			mprsas_set_ccbstatus(ccb, CAM_SCSI_STATUS_ERROR);
2645 
2646 		if (rep->SCSIState & MPI2_SCSI_STATE_AUTOSENSE_VALID) {
2647 			int sense_len, returned_sense_len;
2648 
2649 			returned_sense_len = min(le32toh(rep->SenseCount),
2650 			    sizeof(struct scsi_sense_data));
2651 			if (returned_sense_len < csio->sense_len)
2652 				csio->sense_resid = csio->sense_len -
2653 				    returned_sense_len;
2654 			else
2655 				csio->sense_resid = 0;
2656 
2657 			sense_len = min(returned_sense_len,
2658 			    csio->sense_len - csio->sense_resid);
2659 			bzero(&csio->sense_data, sizeof(csio->sense_data));
2660 			bcopy(cm->cm_sense, &csio->sense_data, sense_len);
2661 			ccb->ccb_h.status |= CAM_AUTOSNS_VALID;
2662 		}
2663 
2664 		/*
2665 		 * Check if this is an INQUIRY command.  If it's a VPD inquiry,
2666 		 * and it's page code 0 (Supported Page List), and there is
2667 		 * inquiry data, and this is for a sequential access device, and
2668 		 * the device is an SSP target, and TLR is supported by the
2669 		 * controller, turn the TLR_bits value ON if page 0x90 is
2670 		 * supported.
2671 		 */
2672 		if ((scsi_cdb[0] == INQUIRY) &&
2673 		    (scsi_cdb[1] & SI_EVPD) &&
2674 		    (scsi_cdb[2] == SVPD_SUPPORTED_PAGE_LIST) &&
2675 		    ((csio->ccb_h.flags & CAM_DATA_MASK) == CAM_DATA_VADDR) &&
2676 		    (csio->data_ptr != NULL) &&
2677 		    ((csio->data_ptr[0] & 0x1f) == T_SEQUENTIAL) &&
2678 		    (sc->control_TLR) &&
2679 		    (sc->mapping_table[target_id].device_info &
2680 		    MPI2_SAS_DEVICE_INFO_SSP_TARGET)) {
2681 			vpd_list = (struct scsi_vpd_supported_page_list *)
2682 			    csio->data_ptr;
2683 			TLR_bits = &sc->mapping_table[target_id].TLR_bits;
2684 			*TLR_bits = (u8)MPI2_SCSIIO_CONTROL_NO_TLR;
2685 			TLR_on = (u8)MPI2_SCSIIO_CONTROL_TLR_ON;
2686 			alloc_len = ((u16)scsi_cdb[3] << 8) + scsi_cdb[4];
2687 			alloc_len -= csio->resid;
2688 			for (i = 0; i < MIN(vpd_list->length, alloc_len); i++) {
2689 				if (vpd_list->list[i] == 0x90) {
2690 					*TLR_bits = TLR_on;
2691 					break;
2692 				}
2693 			}
2694 		}
2695 
2696 		/*
2697 		 * If this is a SATA direct-access end device, mark it so that
2698 		 * a SCSI StartStopUnit command will be sent to it when the
2699 		 * driver is being shutdown.
2700 		 */
2701 		if ((scsi_cdb[0] == INQUIRY) &&
2702 		    (csio->data_ptr != NULL) &&
2703 		    ((csio->data_ptr[0] & 0x1f) == T_DIRECT) &&
2704 		    (sc->mapping_table[target_id].device_info &
2705 		    MPI2_SAS_DEVICE_INFO_SATA_DEVICE) &&
2706 		    ((sc->mapping_table[target_id].device_info &
2707 		    MPI2_SAS_DEVICE_INFO_MASK_DEVICE_TYPE) ==
2708 		    MPI2_SAS_DEVICE_INFO_END_DEVICE)) {
2709 			target = &sassc->targets[target_id];
2710 			target->supports_SSU = TRUE;
2711 			mpr_dprint(sc, MPR_XINFO, "Target %d supports SSU\n",
2712 			    target_id);
2713 		}
2714 		break;
2715 	case MPI2_IOCSTATUS_SCSI_INVALID_DEVHANDLE:
2716 	case MPI2_IOCSTATUS_SCSI_DEVICE_NOT_THERE:
2717 		/*
2718 		 * If devinfo is 0 this will be a volume.  In that case don't
2719 		 * tell CAM that the volume is not there.  We want volumes to
2720 		 * be enumerated until they are deleted/removed, not just
2721 		 * failed.
2722 		 */
2723 		if (cm->cm_targ->devinfo == 0)
2724 			mprsas_set_ccbstatus(ccb, CAM_REQ_CMP);
2725 		else
2726 			mprsas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
2727 		break;
2728 	case MPI2_IOCSTATUS_INVALID_SGL:
2729 		mpr_print_scsiio_cmd(sc, cm);
2730 		mprsas_set_ccbstatus(ccb, CAM_UNREC_HBA_ERROR);
2731 		break;
2732 	case MPI2_IOCSTATUS_SCSI_TASK_TERMINATED:
2733 		/*
2734 		 * This is one of the responses that comes back when an I/O
2735 		 * has been aborted.  If it is because of a timeout that we
2736 		 * initiated, just set the status to CAM_CMD_TIMEOUT.
2737 		 * Otherwise set it to CAM_REQ_ABORTED.  The effect on the
2738 		 * command is the same (it gets retried, subject to the
2739 		 * retry counter), the only difference is what gets printed
2740 		 * on the console.
2741 		 */
2742 		if (cm->cm_flags & MPR_CM_FLAGS_TIMEDOUT)
2743 			mprsas_set_ccbstatus(ccb, CAM_CMD_TIMEOUT);
2744 		else
2745 			mprsas_set_ccbstatus(ccb, CAM_REQ_ABORTED);
2746 		break;
2747 	case MPI2_IOCSTATUS_SCSI_DATA_OVERRUN:
2748 		/* resid is ignored for this condition */
2749 		csio->resid = 0;
2750 		mprsas_set_ccbstatus(ccb, CAM_DATA_RUN_ERR);
2751 		break;
2752 	case MPI2_IOCSTATUS_SCSI_IOC_TERMINATED:
2753 	case MPI2_IOCSTATUS_SCSI_EXT_TERMINATED:
2754 		/*
2755 		 * These can sometimes be transient transport-related
2756 		 * errors, and sometimes persistent drive-related errors.
2757 		 * We used to retry these without decrementing the retry
2758 		 * count by returning CAM_REQUEUE_REQ.  Unfortunately, if
2759 		 * we hit a persistent drive problem that returns one of
2760 		 * these error codes, we would retry indefinitely.  So,
2761 		 * return CAM_REQ_CMP_ERROR so that we decrement the retry
2762 		 * count and avoid infinite retries.  We're taking the
2763 		 * potential risk of flagging false failures in the event
2764 		 * of a topology-related error (e.g. a SAS expander problem
2765 		 * causes a command addressed to a drive to fail), but
2766 		 * avoiding getting into an infinite retry loop. However,
2767 		 * if we get them while were moving a device, we should
2768 		 * fail the request as 'not there' because the device
2769 		 * is effectively gone.
2770 		 */
2771 		if (cm->cm_targ->flags & MPRSAS_TARGET_INREMOVAL)
2772 			mprsas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
2773 		else
2774 			mprsas_set_ccbstatus(ccb, CAM_REQ_CMP_ERR);
2775 		mpr_dprint(sc, MPR_INFO,
2776 		    "Controller reported %s tgt %u SMID %u loginfo %x%s\n",
2777 		    mpr_describe_table(mpr_iocstatus_string,
2778 		    le16toh(rep->IOCStatus) & MPI2_IOCSTATUS_MASK),
2779 		    target_id, cm->cm_desc.Default.SMID,
2780 		    le32toh(rep->IOCLogInfo),
2781 		    (cm->cm_targ->flags & MPRSAS_TARGET_INREMOVAL) ? " departing" : "");
2782 		mpr_dprint(sc, MPR_XINFO,
2783 		    "SCSIStatus %x SCSIState %x xfercount %u\n",
2784 		    rep->SCSIStatus, rep->SCSIState,
2785 		    le32toh(rep->TransferCount));
2786 		break;
2787 	case MPI2_IOCSTATUS_INVALID_FUNCTION:
2788 	case MPI2_IOCSTATUS_INTERNAL_ERROR:
2789 	case MPI2_IOCSTATUS_INVALID_VPID:
2790 	case MPI2_IOCSTATUS_INVALID_FIELD:
2791 	case MPI2_IOCSTATUS_INVALID_STATE:
2792 	case MPI2_IOCSTATUS_OP_STATE_NOT_SUPPORTED:
2793 	case MPI2_IOCSTATUS_SCSI_IO_DATA_ERROR:
2794 	case MPI2_IOCSTATUS_SCSI_PROTOCOL_ERROR:
2795 	case MPI2_IOCSTATUS_SCSI_RESIDUAL_MISMATCH:
2796 	case MPI2_IOCSTATUS_SCSI_TASK_MGMT_FAILED:
2797 	default:
2798 		mprsas_log_command(cm, MPR_XINFO,
2799 		    "completed ioc %x loginfo %x scsi %x state %x xfer %u\n",
2800 		    le16toh(rep->IOCStatus), le32toh(rep->IOCLogInfo),
2801 		    rep->SCSIStatus, rep->SCSIState,
2802 		    le32toh(rep->TransferCount));
2803 		csio->resid = cm->cm_length;
2804 
2805 		if (scsi_cdb[0] == UNMAP &&
2806 		    target->is_nvme &&
2807 		    (csio->ccb_h.flags & CAM_DATA_MASK) == CAM_DATA_VADDR)
2808 			mprsas_set_ccbstatus(ccb, CAM_REQ_CMP);
2809 		else
2810 			mprsas_set_ccbstatus(ccb, CAM_REQ_CMP_ERR);
2811 
2812 		break;
2813 	}
2814 
2815 	mpr_sc_failed_io_info(sc, csio, rep, cm->cm_targ);
2816 
2817 	if (sassc->flags & MPRSAS_QUEUE_FROZEN) {
2818 		ccb->ccb_h.status |= CAM_RELEASE_SIMQ;
2819 		sassc->flags &= ~MPRSAS_QUEUE_FROZEN;
2820 		mpr_dprint(sc, MPR_XINFO, "Command completed, unfreezing SIM "
2821 		    "queue\n");
2822 	}
2823 
2824 	if (mprsas_get_ccbstatus(ccb) != CAM_REQ_CMP) {
2825 		ccb->ccb_h.status |= CAM_DEV_QFRZN;
2826 		xpt_freeze_devq(ccb->ccb_h.path, /*count*/ 1);
2827 	}
2828 
2829 	/*
2830 	 * Check to see if we're removing the device. If so, and this is the
2831 	 * last command on the queue, proceed with the deferred removal of the
2832 	 * device.  Note, for removing a volume, this won't trigger because
2833 	 * pending_remove_tm will be NULL.
2834 	 */
2835 	if (cm->cm_targ->flags & MPRSAS_TARGET_INREMOVAL) {
2836 		if (TAILQ_FIRST(&cm->cm_targ->commands) == NULL &&
2837 		    cm->cm_targ->pending_remove_tm != NULL) {
2838 			mpr_dprint(sc, MPR_INFO, "Last pending command complete: starting remove_device\n");
2839 			mpr_map_command(sc, cm->cm_targ->pending_remove_tm);
2840 			cm->cm_targ->pending_remove_tm = NULL;
2841 		}
2842 	}
2843 
2844 	mpr_free_command(sc, cm);
2845 	xpt_done(ccb);
2846 }
2847 
2848 static void
2849 mprsas_smpio_complete(struct mpr_softc *sc, struct mpr_command *cm)
2850 {
2851 	MPI2_SMP_PASSTHROUGH_REPLY *rpl;
2852 	MPI2_SMP_PASSTHROUGH_REQUEST *req;
2853 	uint64_t sasaddr;
2854 	union ccb *ccb;
2855 
2856 	ccb = cm->cm_complete_data;
2857 
2858 	/*
2859 	 * Currently there should be no way we can hit this case.  It only
2860 	 * happens when we have a failure to allocate chain frames, and SMP
2861 	 * commands require two S/G elements only.  That should be handled
2862 	 * in the standard request size.
2863 	 */
2864 	if ((cm->cm_flags & MPR_CM_FLAGS_ERROR_MASK) != 0) {
2865 		mpr_dprint(sc, MPR_ERROR, "%s: cm_flags = %#x on SMP "
2866 		    "request!\n", __func__, cm->cm_flags);
2867 		mprsas_set_ccbstatus(ccb, CAM_REQ_CMP_ERR);
2868 		goto bailout;
2869         }
2870 
2871 	rpl = (MPI2_SMP_PASSTHROUGH_REPLY *)cm->cm_reply;
2872 	if (rpl == NULL) {
2873 		mpr_dprint(sc, MPR_ERROR, "%s: NULL cm_reply!\n", __func__);
2874 		mprsas_set_ccbstatus(ccb, CAM_REQ_CMP_ERR);
2875 		goto bailout;
2876 	}
2877 
2878 	req = (MPI2_SMP_PASSTHROUGH_REQUEST *)cm->cm_req;
2879 	sasaddr = le32toh(req->SASAddress.Low);
2880 	sasaddr |= ((uint64_t)(le32toh(req->SASAddress.High))) << 32;
2881 
2882 	if ((le16toh(rpl->IOCStatus) & MPI2_IOCSTATUS_MASK) !=
2883 	    MPI2_IOCSTATUS_SUCCESS ||
2884 	    rpl->SASStatus != MPI2_SASSTATUS_SUCCESS) {
2885 		mpr_dprint(sc, MPR_XINFO, "%s: IOCStatus %04x SASStatus %02x\n",
2886 		    __func__, le16toh(rpl->IOCStatus), rpl->SASStatus);
2887 		mprsas_set_ccbstatus(ccb, CAM_REQ_CMP_ERR);
2888 		goto bailout;
2889 	}
2890 
2891 	mpr_dprint(sc, MPR_XINFO, "%s: SMP request to SAS address %#jx "
2892 	    "completed successfully\n", __func__, (uintmax_t)sasaddr);
2893 
2894 	if (ccb->smpio.smp_response[2] == SMP_FR_ACCEPTED)
2895 		mprsas_set_ccbstatus(ccb, CAM_REQ_CMP);
2896 	else
2897 		mprsas_set_ccbstatus(ccb, CAM_SMP_STATUS_ERROR);
2898 
2899 bailout:
2900 	/*
2901 	 * We sync in both directions because we had DMAs in the S/G list
2902 	 * in both directions.
2903 	 */
2904 	bus_dmamap_sync(sc->buffer_dmat, cm->cm_dmamap,
2905 			BUS_DMASYNC_POSTREAD | BUS_DMASYNC_POSTWRITE);
2906 	bus_dmamap_unload(sc->buffer_dmat, cm->cm_dmamap);
2907 	mpr_free_command(sc, cm);
2908 	xpt_done(ccb);
2909 }
2910 
2911 static void
2912 mprsas_send_smpcmd(struct mprsas_softc *sassc, union ccb *ccb, uint64_t sasaddr)
2913 {
2914 	struct mpr_command *cm;
2915 	uint8_t *request, *response;
2916 	MPI2_SMP_PASSTHROUGH_REQUEST *req;
2917 	struct mpr_softc *sc;
2918 	struct sglist *sg;
2919 	int error;
2920 
2921 	sc = sassc->sc;
2922 	sg = NULL;
2923 	error = 0;
2924 
2925 	switch (ccb->ccb_h.flags & CAM_DATA_MASK) {
2926 	case CAM_DATA_PADDR:
2927 	case CAM_DATA_SG_PADDR:
2928 		/*
2929 		 * XXX We don't yet support physical addresses here.
2930 		 */
2931 		mpr_dprint(sc, MPR_ERROR, "%s: physical addresses not "
2932 		    "supported\n", __func__);
2933 		mprsas_set_ccbstatus(ccb, CAM_REQ_INVALID);
2934 		xpt_done(ccb);
2935 		return;
2936 	case CAM_DATA_SG:
2937 		/*
2938 		 * The chip does not support more than one buffer for the
2939 		 * request or response.
2940 		 */
2941 		if ((ccb->smpio.smp_request_sglist_cnt > 1)
2942 		    || (ccb->smpio.smp_response_sglist_cnt > 1)) {
2943 			mpr_dprint(sc, MPR_ERROR, "%s: multiple request or "
2944 			    "response buffer segments not supported for SMP\n",
2945 			    __func__);
2946 			mprsas_set_ccbstatus(ccb, CAM_REQ_INVALID);
2947 			xpt_done(ccb);
2948 			return;
2949 		}
2950 
2951 		/*
2952 		 * The CAM_SCATTER_VALID flag was originally implemented
2953 		 * for the XPT_SCSI_IO CCB, which only has one data pointer.
2954 		 * We have two.  So, just take that flag to mean that we
2955 		 * might have S/G lists, and look at the S/G segment count
2956 		 * to figure out whether that is the case for each individual
2957 		 * buffer.
2958 		 */
2959 		if (ccb->smpio.smp_request_sglist_cnt != 0) {
2960 			bus_dma_segment_t *req_sg;
2961 
2962 			req_sg = (bus_dma_segment_t *)ccb->smpio.smp_request;
2963 			request = (uint8_t *)(uintptr_t)req_sg[0].ds_addr;
2964 		} else
2965 			request = ccb->smpio.smp_request;
2966 
2967 		if (ccb->smpio.smp_response_sglist_cnt != 0) {
2968 			bus_dma_segment_t *rsp_sg;
2969 
2970 			rsp_sg = (bus_dma_segment_t *)ccb->smpio.smp_response;
2971 			response = (uint8_t *)(uintptr_t)rsp_sg[0].ds_addr;
2972 		} else
2973 			response = ccb->smpio.smp_response;
2974 		break;
2975 	case CAM_DATA_VADDR:
2976 		request = ccb->smpio.smp_request;
2977 		response = ccb->smpio.smp_response;
2978 		break;
2979 	default:
2980 		mprsas_set_ccbstatus(ccb, CAM_REQ_INVALID);
2981 		xpt_done(ccb);
2982 		return;
2983 	}
2984 
2985 	cm = mpr_alloc_command(sc);
2986 	if (cm == NULL) {
2987 		mpr_dprint(sc, MPR_ERROR, "%s: cannot allocate command\n",
2988 		    __func__);
2989 		mprsas_set_ccbstatus(ccb, CAM_RESRC_UNAVAIL);
2990 		xpt_done(ccb);
2991 		return;
2992 	}
2993 
2994 	req = (MPI2_SMP_PASSTHROUGH_REQUEST *)cm->cm_req;
2995 	bzero(req, sizeof(*req));
2996 	req->Function = MPI2_FUNCTION_SMP_PASSTHROUGH;
2997 
2998 	/* Allow the chip to use any route to this SAS address. */
2999 	req->PhysicalPort = 0xff;
3000 
3001 	req->RequestDataLength = htole16(ccb->smpio.smp_request_len);
3002 	req->SGLFlags =
3003 	    MPI2_SGLFLAGS_SYSTEM_ADDRESS_SPACE | MPI2_SGLFLAGS_SGL_TYPE_MPI;
3004 
3005 	mpr_dprint(sc, MPR_XINFO, "%s: sending SMP request to SAS address "
3006 	    "%#jx\n", __func__, (uintmax_t)sasaddr);
3007 
3008 	mpr_init_sge(cm, req, &req->SGL);
3009 
3010 	/*
3011 	 * Set up a uio to pass into mpr_map_command().  This allows us to
3012 	 * do one map command, and one busdma call in there.
3013 	 */
3014 	cm->cm_uio.uio_iov = cm->cm_iovec;
3015 	cm->cm_uio.uio_iovcnt = 2;
3016 	cm->cm_uio.uio_segflg = UIO_SYSSPACE;
3017 
3018 	/*
3019 	 * The read/write flag isn't used by busdma, but set it just in
3020 	 * case.  This isn't exactly accurate, either, since we're going in
3021 	 * both directions.
3022 	 */
3023 	cm->cm_uio.uio_rw = UIO_WRITE;
3024 
3025 	cm->cm_iovec[0].iov_base = request;
3026 	cm->cm_iovec[0].iov_len = le16toh(req->RequestDataLength);
3027 	cm->cm_iovec[1].iov_base = response;
3028 	cm->cm_iovec[1].iov_len = ccb->smpio.smp_response_len;
3029 
3030 	cm->cm_uio.uio_resid = cm->cm_iovec[0].iov_len +
3031 			       cm->cm_iovec[1].iov_len;
3032 
3033 	/*
3034 	 * Trigger a warning message in mpr_data_cb() for the user if we
3035 	 * wind up exceeding two S/G segments.  The chip expects one
3036 	 * segment for the request and another for the response.
3037 	 */
3038 	cm->cm_max_segs = 2;
3039 
3040 	cm->cm_desc.Default.RequestFlags = MPI2_REQ_DESCRIPT_FLAGS_DEFAULT_TYPE;
3041 	cm->cm_complete = mprsas_smpio_complete;
3042 	cm->cm_complete_data = ccb;
3043 
3044 	/*
3045 	 * Tell the mapping code that we're using a uio, and that this is
3046 	 * an SMP passthrough request.  There is a little special-case
3047 	 * logic there (in mpr_data_cb()) to handle the bidirectional
3048 	 * transfer.
3049 	 */
3050 	cm->cm_flags |= MPR_CM_FLAGS_USE_UIO | MPR_CM_FLAGS_SMP_PASS |
3051 			MPR_CM_FLAGS_DATAIN | MPR_CM_FLAGS_DATAOUT;
3052 
3053 	/* The chip data format is little endian. */
3054 	req->SASAddress.High = htole32(sasaddr >> 32);
3055 	req->SASAddress.Low = htole32(sasaddr);
3056 
3057 	/*
3058 	 * XXX Note that we don't have a timeout/abort mechanism here.
3059 	 * From the manual, it looks like task management requests only
3060 	 * work for SCSI IO and SATA passthrough requests.  We may need to
3061 	 * have a mechanism to retry requests in the event of a chip reset
3062 	 * at least.  Hopefully the chip will insure that any errors short
3063 	 * of that are relayed back to the driver.
3064 	 */
3065 	error = mpr_map_command(sc, cm);
3066 	if ((error != 0) && (error != EINPROGRESS)) {
3067 		mpr_dprint(sc, MPR_ERROR, "%s: error %d returned from "
3068 		    "mpr_map_command()\n", __func__, error);
3069 		goto bailout_error;
3070 	}
3071 
3072 	return;
3073 
3074 bailout_error:
3075 	mpr_free_command(sc, cm);
3076 	mprsas_set_ccbstatus(ccb, CAM_RESRC_UNAVAIL);
3077 	xpt_done(ccb);
3078 	return;
3079 }
3080 
3081 static void
3082 mprsas_action_smpio(struct mprsas_softc *sassc, union ccb *ccb)
3083 {
3084 	struct mpr_softc *sc;
3085 	struct mprsas_target *targ;
3086 	uint64_t sasaddr = 0;
3087 
3088 	sc = sassc->sc;
3089 
3090 	/*
3091 	 * Make sure the target exists.
3092 	 */
3093 	KASSERT(ccb->ccb_h.target_id < sassc->maxtargets,
3094 	    ("Target %d out of bounds in XPT_SMP_IO\n", ccb->ccb_h.target_id));
3095 	targ = &sassc->targets[ccb->ccb_h.target_id];
3096 	if (targ->handle == 0x0) {
3097 		mpr_dprint(sc, MPR_ERROR, "%s: target %d does not exist!\n",
3098 		    __func__, ccb->ccb_h.target_id);
3099 		mprsas_set_ccbstatus(ccb, CAM_SEL_TIMEOUT);
3100 		xpt_done(ccb);
3101 		return;
3102 	}
3103 
3104 	/*
3105 	 * If this device has an embedded SMP target, we'll talk to it
3106 	 * directly.
3107 	 * figure out what the expander's address is.
3108 	 */
3109 	if ((targ->devinfo & MPI2_SAS_DEVICE_INFO_SMP_TARGET) != 0)
3110 		sasaddr = targ->sasaddr;
3111 
3112 	/*
3113 	 * If we don't have a SAS address for the expander yet, try
3114 	 * grabbing it from the page 0x83 information cached in the
3115 	 * transport layer for this target.  LSI expanders report the
3116 	 * expander SAS address as the port-associated SAS address in
3117 	 * Inquiry VPD page 0x83.  Maxim expanders don't report it in page
3118 	 * 0x83.
3119 	 *
3120 	 * XXX KDM disable this for now, but leave it commented out so that
3121 	 * it is obvious that this is another possible way to get the SAS
3122 	 * address.
3123 	 *
3124 	 * The parent handle method below is a little more reliable, and
3125 	 * the other benefit is that it works for devices other than SES
3126 	 * devices.  So you can send a SMP request to a da(4) device and it
3127 	 * will get routed to the expander that device is attached to.
3128 	 * (Assuming the da(4) device doesn't contain an SMP target...)
3129 	 */
3130 #if 0
3131 	if (sasaddr == 0)
3132 		sasaddr = xpt_path_sas_addr(ccb->ccb_h.path);
3133 #endif
3134 
3135 	/*
3136 	 * If we still don't have a SAS address for the expander, look for
3137 	 * the parent device of this device, which is probably the expander.
3138 	 */
3139 	if (sasaddr == 0) {
3140 #ifdef OLD_MPR_PROBE
3141 		struct mprsas_target *parent_target;
3142 #endif
3143 
3144 		if (targ->parent_handle == 0x0) {
3145 			mpr_dprint(sc, MPR_ERROR, "%s: handle %d does not have "
3146 			    "a valid parent handle!\n", __func__, targ->handle);
3147 			mprsas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
3148 			goto bailout;
3149 		}
3150 #ifdef OLD_MPR_PROBE
3151 		parent_target = mprsas_find_target_by_handle(sassc, 0,
3152 		    targ->parent_handle);
3153 
3154 		if (parent_target == NULL) {
3155 			mpr_dprint(sc, MPR_ERROR, "%s: handle %d does not have "
3156 			    "a valid parent target!\n", __func__, targ->handle);
3157 			mprsas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
3158 			goto bailout;
3159 		}
3160 
3161 		if ((parent_target->devinfo &
3162 		     MPI2_SAS_DEVICE_INFO_SMP_TARGET) == 0) {
3163 			mpr_dprint(sc, MPR_ERROR, "%s: handle %d parent %d "
3164 			    "does not have an SMP target!\n", __func__,
3165 			    targ->handle, parent_target->handle);
3166 			mprsas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
3167 			goto bailout;
3168 		}
3169 
3170 		sasaddr = parent_target->sasaddr;
3171 #else /* OLD_MPR_PROBE */
3172 		if ((targ->parent_devinfo &
3173 		     MPI2_SAS_DEVICE_INFO_SMP_TARGET) == 0) {
3174 			mpr_dprint(sc, MPR_ERROR, "%s: handle %d parent %d "
3175 			    "does not have an SMP target!\n", __func__,
3176 			    targ->handle, targ->parent_handle);
3177 			mprsas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
3178 			goto bailout;
3179 		}
3180 		if (targ->parent_sasaddr == 0x0) {
3181 			mpr_dprint(sc, MPR_ERROR, "%s: handle %d parent handle "
3182 			    "%d does not have a valid SAS address!\n", __func__,
3183 			    targ->handle, targ->parent_handle);
3184 			mprsas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
3185 			goto bailout;
3186 		}
3187 
3188 		sasaddr = targ->parent_sasaddr;
3189 #endif /* OLD_MPR_PROBE */
3190 	}
3191 
3192 	if (sasaddr == 0) {
3193 		mpr_dprint(sc, MPR_INFO, "%s: unable to find SAS address for "
3194 		    "handle %d\n", __func__, targ->handle);
3195 		mprsas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
3196 		goto bailout;
3197 	}
3198 	mprsas_send_smpcmd(sassc, ccb, sasaddr);
3199 
3200 	return;
3201 
3202 bailout:
3203 	xpt_done(ccb);
3204 
3205 }
3206 
3207 static void
3208 mprsas_action_resetdev(struct mprsas_softc *sassc, union ccb *ccb)
3209 {
3210 	MPI2_SCSI_TASK_MANAGE_REQUEST *req;
3211 	struct mpr_softc *sc;
3212 	struct mpr_command *tm;
3213 	struct mprsas_target *targ;
3214 
3215 	MPR_FUNCTRACE(sassc->sc);
3216 	mtx_assert(&sassc->sc->mpr_mtx, MA_OWNED);
3217 
3218 	KASSERT(ccb->ccb_h.target_id < sassc->maxtargets, ("Target %d out of "
3219 	    "bounds in XPT_RESET_DEV\n", ccb->ccb_h.target_id));
3220 	sc = sassc->sc;
3221 	tm = mprsas_alloc_tm(sc);
3222 	if (tm == NULL) {
3223 		mpr_dprint(sc, MPR_ERROR, "command alloc failure in "
3224 		    "mprsas_action_resetdev\n");
3225 		mprsas_set_ccbstatus(ccb, CAM_RESRC_UNAVAIL);
3226 		xpt_done(ccb);
3227 		return;
3228 	}
3229 
3230 	targ = &sassc->targets[ccb->ccb_h.target_id];
3231 	req = (MPI2_SCSI_TASK_MANAGE_REQUEST *)tm->cm_req;
3232 	req->DevHandle = htole16(targ->handle);
3233 	req->TaskType = MPI2_SCSITASKMGMT_TASKTYPE_TARGET_RESET;
3234 
3235 	if (!targ->is_nvme || sc->custom_nvme_tm_handling) {
3236 		/* SAS Hard Link Reset / SATA Link Reset */
3237 		req->MsgFlags = MPI2_SCSITASKMGMT_MSGFLAGS_LINK_RESET;
3238 	} else {
3239 		/* PCIe Protocol Level Reset*/
3240 		req->MsgFlags =
3241 		    MPI26_SCSITASKMGMT_MSGFLAGS_PROTOCOL_LVL_RST_PCIE;
3242 	}
3243 
3244 	tm->cm_data = NULL;
3245 	tm->cm_complete = mprsas_resetdev_complete;
3246 	tm->cm_complete_data = ccb;
3247 
3248 	mpr_dprint(sc, MPR_INFO, "%s: Sending reset for target ID %d\n",
3249 	    __func__, targ->tid);
3250 	tm->cm_targ = targ;
3251 
3252 	mprsas_prepare_for_tm(sc, tm, targ, CAM_LUN_WILDCARD);
3253 	mpr_map_command(sc, tm);
3254 }
3255 
3256 static void
3257 mprsas_resetdev_complete(struct mpr_softc *sc, struct mpr_command *tm)
3258 {
3259 	MPI2_SCSI_TASK_MANAGE_REPLY *resp;
3260 	union ccb *ccb;
3261 
3262 	MPR_FUNCTRACE(sc);
3263 	mtx_assert(&sc->mpr_mtx, MA_OWNED);
3264 
3265 	resp = (MPI2_SCSI_TASK_MANAGE_REPLY *)tm->cm_reply;
3266 	ccb = tm->cm_complete_data;
3267 
3268 	/*
3269 	 * Currently there should be no way we can hit this case.  It only
3270 	 * happens when we have a failure to allocate chain frames, and
3271 	 * task management commands don't have S/G lists.
3272 	 */
3273 	if ((tm->cm_flags & MPR_CM_FLAGS_ERROR_MASK) != 0) {
3274 		MPI2_SCSI_TASK_MANAGE_REQUEST *req;
3275 
3276 		req = (MPI2_SCSI_TASK_MANAGE_REQUEST *)tm->cm_req;
3277 
3278 		mpr_dprint(sc, MPR_ERROR, "%s: cm_flags = %#x for reset of "
3279 		    "handle %#04x! This should not happen!\n", __func__,
3280 		    tm->cm_flags, req->DevHandle);
3281 		mprsas_set_ccbstatus(ccb, CAM_REQ_CMP_ERR);
3282 		goto bailout;
3283 	}
3284 
3285 	mpr_dprint(sc, MPR_XINFO, "%s: IOCStatus = 0x%x ResponseCode = 0x%x\n",
3286 	    __func__, le16toh(resp->IOCStatus), le32toh(resp->ResponseCode));
3287 
3288 	if (le32toh(resp->ResponseCode) == MPI2_SCSITASKMGMT_RSP_TM_COMPLETE) {
3289 		mprsas_set_ccbstatus(ccb, CAM_REQ_CMP);
3290 		mprsas_announce_reset(sc, AC_SENT_BDR, tm->cm_targ->tid,
3291 		    CAM_LUN_WILDCARD);
3292 	}
3293 	else
3294 		mprsas_set_ccbstatus(ccb, CAM_REQ_CMP_ERR);
3295 
3296 bailout:
3297 
3298 	mprsas_free_tm(sc, tm);
3299 	xpt_done(ccb);
3300 }
3301 
3302 static void
3303 mprsas_poll(struct cam_sim *sim)
3304 {
3305 	struct mprsas_softc *sassc;
3306 
3307 	sassc = cam_sim_softc(sim);
3308 
3309 	if (sassc->sc->mpr_debug & MPR_TRACE) {
3310 		/* frequent debug messages during a panic just slow
3311 		 * everything down too much.
3312 		 */
3313 		mpr_dprint(sassc->sc, MPR_XINFO, "%s clearing MPR_TRACE\n",
3314 		    __func__);
3315 		sassc->sc->mpr_debug &= ~MPR_TRACE;
3316 	}
3317 
3318 	mpr_intr_locked(sassc->sc);
3319 }
3320 
3321 static void
3322 mprsas_async(void *callback_arg, uint32_t code, struct cam_path *path,
3323     void *arg)
3324 {
3325 	struct mpr_softc *sc;
3326 
3327 	sc = (struct mpr_softc *)callback_arg;
3328 
3329 	mpr_lock(sc);
3330 	switch (code) {
3331 	case AC_ADVINFO_CHANGED: {
3332 		struct mprsas_target *target;
3333 		struct mprsas_softc *sassc;
3334 		struct scsi_read_capacity_data_long rcap_buf;
3335 		struct ccb_dev_advinfo cdai;
3336 		struct mprsas_lun *lun;
3337 		lun_id_t lunid;
3338 		int found_lun;
3339 		uintptr_t buftype;
3340 
3341 		buftype = (uintptr_t)arg;
3342 
3343 		found_lun = 0;
3344 		sassc = sc->sassc;
3345 
3346 		/*
3347 		 * We're only interested in read capacity data changes.
3348 		 */
3349 		if (buftype != CDAI_TYPE_RCAPLONG)
3350 			break;
3351 
3352 		/*
3353 		 * We should have a handle for this, but check to make sure.
3354 		 */
3355 		KASSERT(xpt_path_target_id(path) < sassc->maxtargets,
3356 		    ("Target %d out of bounds in mprsas_async\n",
3357 		    xpt_path_target_id(path)));
3358 		target = &sassc->targets[xpt_path_target_id(path)];
3359 		if (target->handle == 0)
3360 			break;
3361 
3362 		lunid = xpt_path_lun_id(path);
3363 
3364 		SLIST_FOREACH(lun, &target->luns, lun_link) {
3365 			if (lun->lun_id == lunid) {
3366 				found_lun = 1;
3367 				break;
3368 			}
3369 		}
3370 
3371 		if (found_lun == 0) {
3372 			lun = malloc(sizeof(struct mprsas_lun), M_MPR,
3373 			    M_NOWAIT | M_ZERO);
3374 			if (lun == NULL) {
3375 				mpr_dprint(sc, MPR_ERROR, "Unable to alloc "
3376 				    "LUN for EEDP support.\n");
3377 				break;
3378 			}
3379 			lun->lun_id = lunid;
3380 			SLIST_INSERT_HEAD(&target->luns, lun, lun_link);
3381 		}
3382 
3383 		bzero(&rcap_buf, sizeof(rcap_buf));
3384 		bzero(&cdai, sizeof(cdai));
3385 		xpt_setup_ccb(&cdai.ccb_h, path, CAM_PRIORITY_NORMAL);
3386 		cdai.ccb_h.func_code = XPT_DEV_ADVINFO;
3387 		cdai.ccb_h.flags = CAM_DIR_IN;
3388 		cdai.buftype = CDAI_TYPE_RCAPLONG;
3389 		cdai.flags = CDAI_FLAG_NONE;
3390 		cdai.bufsiz = sizeof(rcap_buf);
3391 		cdai.buf = (uint8_t *)&rcap_buf;
3392 		xpt_action((union ccb *)&cdai);
3393 		if ((cdai.ccb_h.status & CAM_DEV_QFRZN) != 0)
3394 			cam_release_devq(cdai.ccb_h.path, 0, 0, 0, FALSE);
3395 
3396 		if ((mprsas_get_ccbstatus((union ccb *)&cdai) == CAM_REQ_CMP)
3397 		    && (rcap_buf.prot & SRC16_PROT_EN)) {
3398 			switch (rcap_buf.prot & SRC16_P_TYPE) {
3399 			case SRC16_PTYPE_1:
3400 			case SRC16_PTYPE_3:
3401 				lun->eedp_formatted = TRUE;
3402 				lun->eedp_block_size =
3403 				    scsi_4btoul(rcap_buf.length);
3404 				break;
3405 			case SRC16_PTYPE_2:
3406 			default:
3407 				lun->eedp_formatted = FALSE;
3408 				lun->eedp_block_size = 0;
3409 				break;
3410 			}
3411 		} else {
3412 			lun->eedp_formatted = FALSE;
3413 			lun->eedp_block_size = 0;
3414 		}
3415 		break;
3416 	}
3417 	default:
3418 		break;
3419 	}
3420 	mpr_unlock(sc);
3421 }
3422 
3423 /*
3424  * Freeze the devq and set the INRESET flag so that no I/O will be sent to
3425  * the target until the reset has completed.  The CCB holds the path which
3426  * is used to release the devq.  The devq is released and the CCB is freed
3427  * when the TM completes.
3428  */
3429 void
3430 mprsas_prepare_for_tm(struct mpr_softc *sc, struct mpr_command *tm,
3431     struct mprsas_target *target, lun_id_t lun_id)
3432 {
3433 	union ccb *ccb;
3434 	path_id_t path_id;
3435 
3436 	ccb = xpt_alloc_ccb_nowait();
3437 	if (ccb) {
3438 		path_id = cam_sim_path(sc->sassc->sim);
3439 		if (xpt_create_path(&ccb->ccb_h.path, xpt_periph, path_id,
3440 		    target->tid, lun_id) != CAM_REQ_CMP) {
3441 			xpt_free_ccb(ccb);
3442 		} else {
3443 			mpr_dprint(sc, MPR_XINFO,
3444 			    "%s: Freezing devq for target ID %d\n",
3445 			    __func__, target->tid);
3446 			xpt_freeze_devq(ccb->ccb_h.path, 1);
3447 			tm->cm_ccb = ccb;
3448 			tm->cm_targ = target;
3449 			target->flags |= MPRSAS_TARGET_INRESET;
3450 		}
3451 	}
3452 }
3453 
3454 int
3455 mprsas_startup(struct mpr_softc *sc)
3456 {
3457 	/*
3458 	 * Send the port enable message and set the wait_for_port_enable flag.
3459 	 * This flag helps to keep the simq frozen until all discovery events
3460 	 * are processed.
3461 	 */
3462 	sc->wait_for_port_enable = 1;
3463 	mprsas_send_portenable(sc);
3464 	return (0);
3465 }
3466 
3467 static int
3468 mprsas_send_portenable(struct mpr_softc *sc)
3469 {
3470 	MPI2_PORT_ENABLE_REQUEST *request;
3471 	struct mpr_command *cm;
3472 
3473 	MPR_FUNCTRACE(sc);
3474 
3475 	if ((cm = mpr_alloc_command(sc)) == NULL)
3476 		return (EBUSY);
3477 	request = (MPI2_PORT_ENABLE_REQUEST *)cm->cm_req;
3478 	request->Function = MPI2_FUNCTION_PORT_ENABLE;
3479 	request->MsgFlags = 0;
3480 	request->VP_ID = 0;
3481 	cm->cm_desc.Default.RequestFlags = MPI2_REQ_DESCRIPT_FLAGS_DEFAULT_TYPE;
3482 	cm->cm_complete = mprsas_portenable_complete;
3483 	cm->cm_data = NULL;
3484 	cm->cm_sge = NULL;
3485 
3486 	mpr_map_command(sc, cm);
3487 	mpr_dprint(sc, MPR_XINFO,
3488 	    "mpr_send_portenable finished cm %p req %p complete %p\n",
3489 	    cm, cm->cm_req, cm->cm_complete);
3490 	return (0);
3491 }
3492 
3493 static void
3494 mprsas_portenable_complete(struct mpr_softc *sc, struct mpr_command *cm)
3495 {
3496 	MPI2_PORT_ENABLE_REPLY *reply;
3497 	struct mprsas_softc *sassc;
3498 
3499 	MPR_FUNCTRACE(sc);
3500 	sassc = sc->sassc;
3501 
3502 	/*
3503 	 * Currently there should be no way we can hit this case.  It only
3504 	 * happens when we have a failure to allocate chain frames, and
3505 	 * port enable commands don't have S/G lists.
3506 	 */
3507 	if ((cm->cm_flags & MPR_CM_FLAGS_ERROR_MASK) != 0) {
3508 		mpr_dprint(sc, MPR_ERROR, "%s: cm_flags = %#x for port enable! "
3509 		    "This should not happen!\n", __func__, cm->cm_flags);
3510 	}
3511 
3512 	reply = (MPI2_PORT_ENABLE_REPLY *)cm->cm_reply;
3513 	if (reply == NULL)
3514 		mpr_dprint(sc, MPR_FAULT, "Portenable NULL reply\n");
3515 	else if ((le16toh(reply->IOCStatus) & MPI2_IOCSTATUS_MASK) !=
3516 	    MPI2_IOCSTATUS_SUCCESS)
3517 		mpr_dprint(sc, MPR_FAULT, "Portenable failed\n");
3518 
3519 	mpr_free_command(sc, cm);
3520 	/*
3521 	 * Done waiting for port enable to complete.  Decrement the refcount.
3522 	 * If refcount is 0, discovery is complete and a rescan of the bus can
3523 	 * take place.
3524 	 */
3525 	sc->wait_for_port_enable = 0;
3526 	sc->port_enable_complete = 1;
3527 	wakeup(&sc->port_enable_complete);
3528 	mprsas_startup_decrement(sassc);
3529 }
3530 
3531 int
3532 mprsas_check_id(struct mprsas_softc *sassc, int id)
3533 {
3534 	struct mpr_softc *sc = sassc->sc;
3535 	char *ids;
3536 	char *name;
3537 
3538 	ids = &sc->exclude_ids[0];
3539 	while((name = strsep(&ids, ",")) != NULL) {
3540 		if (name[0] == '\0')
3541 			continue;
3542 		if (strtol(name, NULL, 0) == (long)id)
3543 			return (1);
3544 	}
3545 
3546 	return (0);
3547 }
3548 
3549 void
3550 mprsas_realloc_targets(struct mpr_softc *sc, int maxtargets)
3551 {
3552 	struct mprsas_softc *sassc;
3553 	struct mprsas_lun *lun, *lun_tmp;
3554 	struct mprsas_target *targ;
3555 	int i;
3556 
3557 	sassc = sc->sassc;
3558 	/*
3559 	 * The number of targets is based on IOC Facts, so free all of
3560 	 * the allocated LUNs for each target and then the target buffer
3561 	 * itself.
3562 	 */
3563 	for (i=0; i< maxtargets; i++) {
3564 		targ = &sassc->targets[i];
3565 		SLIST_FOREACH_SAFE(lun, &targ->luns, lun_link, lun_tmp) {
3566 			free(lun, M_MPR);
3567 		}
3568 	}
3569 	free(sassc->targets, M_MPR);
3570 
3571 	sassc->targets = malloc(sizeof(struct mprsas_target) * maxtargets,
3572 	    M_MPR, M_WAITOK|M_ZERO);
3573 }
3574