xref: /freebsd/sys/dev/mps/mps_sas.c (revision 514fb3872166a361faa81d89909f65913e90b1b2)
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3  *
4  * Copyright (c) 2009 Yahoo! Inc.
5  * Copyright (c) 2011-2015 LSI Corp.
6  * Copyright (c) 2013-2015 Avago Technologies
7  * All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in the
16  *    documentation and/or other materials provided with the distribution.
17  *
18  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
19  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
22  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28  * SUCH DAMAGE.
29  *
30  * Avago Technologies (LSI) MPT-Fusion Host Adapter FreeBSD
31  *
32  * $FreeBSD$
33  */
34 
35 #include <sys/cdefs.h>
36 __FBSDID("$FreeBSD$");
37 
38 /* Communications core for Avago Technologies (LSI) MPT2 */
39 
40 /* TODO Move headers to mpsvar */
41 #include <sys/types.h>
42 #include <sys/param.h>
43 #include <sys/systm.h>
44 #include <sys/kernel.h>
45 #include <sys/selinfo.h>
46 #include <sys/module.h>
47 #include <sys/bus.h>
48 #include <sys/conf.h>
49 #include <sys/bio.h>
50 #include <sys/malloc.h>
51 #include <sys/uio.h>
52 #include <sys/sysctl.h>
53 #include <sys/endian.h>
54 #include <sys/queue.h>
55 #include <sys/kthread.h>
56 #include <sys/taskqueue.h>
57 #include <sys/sbuf.h>
58 
59 #include <machine/bus.h>
60 #include <machine/resource.h>
61 #include <sys/rman.h>
62 
63 #include <machine/stdarg.h>
64 
65 #include <cam/cam.h>
66 #include <cam/cam_ccb.h>
67 #include <cam/cam_xpt.h>
68 #include <cam/cam_debug.h>
69 #include <cam/cam_sim.h>
70 #include <cam/cam_xpt_sim.h>
71 #include <cam/cam_xpt_periph.h>
72 #include <cam/cam_periph.h>
73 #include <cam/scsi/scsi_all.h>
74 #include <cam/scsi/scsi_message.h>
75 #include <cam/scsi/smp_all.h>
76 
77 #include <dev/mps/mpi/mpi2_type.h>
78 #include <dev/mps/mpi/mpi2.h>
79 #include <dev/mps/mpi/mpi2_ioc.h>
80 #include <dev/mps/mpi/mpi2_sas.h>
81 #include <dev/mps/mpi/mpi2_cnfg.h>
82 #include <dev/mps/mpi/mpi2_init.h>
83 #include <dev/mps/mpi/mpi2_tool.h>
84 #include <dev/mps/mps_ioctl.h>
85 #include <dev/mps/mpsvar.h>
86 #include <dev/mps/mps_table.h>
87 #include <dev/mps/mps_sas.h>
88 
89 /*
90  * static array to check SCSI OpCode for EEDP protection bits
91  */
92 #define	PRO_R MPI2_SCSIIO_EEDPFLAGS_CHECK_REMOVE_OP
93 #define	PRO_W MPI2_SCSIIO_EEDPFLAGS_INSERT_OP
94 #define	PRO_V MPI2_SCSIIO_EEDPFLAGS_INSERT_OP
95 static uint8_t op_code_prot[256] = {
96 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
97 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
98 	0, 0, 0, 0, 0, 0, 0, 0, PRO_R, 0, PRO_W, 0, 0, 0, PRO_W, PRO_V,
99 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
100 	0, PRO_W, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
101 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
102 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
103 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
104 	0, 0, 0, 0, 0, 0, 0, 0, PRO_R, 0, PRO_W, 0, 0, 0, PRO_W, PRO_V,
105 	0, 0, 0, PRO_W, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
106 	0, 0, 0, 0, 0, 0, 0, 0, PRO_R, 0, PRO_W, 0, 0, 0, PRO_W, PRO_V,
107 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
108 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
109 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
110 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
111 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
112 };
113 
114 MALLOC_DEFINE(M_MPSSAS, "MPSSAS", "MPS SAS memory");
115 
116 static void mpssas_remove_device(struct mps_softc *, struct mps_command *);
117 static void mpssas_remove_complete(struct mps_softc *, struct mps_command *);
118 static void mpssas_action(struct cam_sim *sim, union ccb *ccb);
119 static void mpssas_poll(struct cam_sim *sim);
120 static int mpssas_send_abort(struct mps_softc *sc, struct mps_command *tm,
121     struct mps_command *cm);
122 static void mpssas_scsiio_timeout(void *data);
123 static void mpssas_abort_complete(struct mps_softc *sc, struct mps_command *cm);
124 static void mpssas_direct_drive_io(struct mpssas_softc *sassc,
125     struct mps_command *cm, union ccb *ccb);
126 static void mpssas_action_scsiio(struct mpssas_softc *, union ccb *);
127 static void mpssas_scsiio_complete(struct mps_softc *, struct mps_command *);
128 static void mpssas_action_resetdev(struct mpssas_softc *, union ccb *);
129 static void mpssas_smpio_complete(struct mps_softc *sc, struct mps_command *cm);
130 static void mpssas_send_smpcmd(struct mpssas_softc *sassc, union ccb *ccb,
131 			       uint64_t sasaddr);
132 static void mpssas_action_smpio(struct mpssas_softc *sassc, union ccb *ccb);
133 static void mpssas_resetdev_complete(struct mps_softc *, struct mps_command *);
134 static void mpssas_async(void *callback_arg, uint32_t code,
135 			 struct cam_path *path, void *arg);
136 static int mpssas_send_portenable(struct mps_softc *sc);
137 static void mpssas_portenable_complete(struct mps_softc *sc,
138     struct mps_command *cm);
139 
140 struct mpssas_target *
141 mpssas_find_target_by_handle(struct mpssas_softc *sassc, int start, uint16_t handle)
142 {
143 	struct mpssas_target *target;
144 	int i;
145 
146 	for (i = start; i < sassc->maxtargets; i++) {
147 		target = &sassc->targets[i];
148 		if (target->handle == handle)
149 			return (target);
150 	}
151 
152 	return (NULL);
153 }
154 
155 /* we need to freeze the simq during attach and diag reset, to avoid failing
156  * commands before device handles have been found by discovery.  Since
157  * discovery involves reading config pages and possibly sending commands,
158  * discovery actions may continue even after we receive the end of discovery
159  * event, so refcount discovery actions instead of assuming we can unfreeze
160  * the simq when we get the event.
161  */
162 void
163 mpssas_startup_increment(struct mpssas_softc *sassc)
164 {
165 	MPS_FUNCTRACE(sassc->sc);
166 
167 	if ((sassc->flags & MPSSAS_IN_STARTUP) != 0) {
168 		if (sassc->startup_refcount++ == 0) {
169 			/* just starting, freeze the simq */
170 			mps_dprint(sassc->sc, MPS_INIT,
171 			    "%s freezing simq\n", __func__);
172 			xpt_hold_boot();
173 			xpt_freeze_simq(sassc->sim, 1);
174 		}
175 		mps_dprint(sassc->sc, MPS_INIT, "%s refcount %u\n", __func__,
176 		    sassc->startup_refcount);
177 	}
178 }
179 
180 void
181 mpssas_release_simq_reinit(struct mpssas_softc *sassc)
182 {
183 	if (sassc->flags & MPSSAS_QUEUE_FROZEN) {
184 		sassc->flags &= ~MPSSAS_QUEUE_FROZEN;
185 		xpt_release_simq(sassc->sim, 1);
186 		mps_dprint(sassc->sc, MPS_INFO, "Unfreezing SIM queue\n");
187 	}
188 }
189 
190 void
191 mpssas_startup_decrement(struct mpssas_softc *sassc)
192 {
193 	MPS_FUNCTRACE(sassc->sc);
194 
195 	if ((sassc->flags & MPSSAS_IN_STARTUP) != 0) {
196 		if (--sassc->startup_refcount == 0) {
197 			/* finished all discovery-related actions, release
198 			 * the simq and rescan for the latest topology.
199 			 */
200 			mps_dprint(sassc->sc, MPS_INIT,
201 			    "%s releasing simq\n", __func__);
202 			sassc->flags &= ~MPSSAS_IN_STARTUP;
203 			xpt_release_simq(sassc->sim, 1);
204 			xpt_release_boot();
205 		}
206 		mps_dprint(sassc->sc, MPS_INIT, "%s refcount %u\n", __func__,
207 		    sassc->startup_refcount);
208 	}
209 }
210 
211 /*
212  * The firmware requires us to stop sending commands when we're doing task
213  * management.
214  * XXX The logic for serializing the device has been made lazy and moved to
215  * mpssas_prepare_for_tm().
216  */
217 struct mps_command *
218 mpssas_alloc_tm(struct mps_softc *sc)
219 {
220 	MPI2_SCSI_TASK_MANAGE_REQUEST *req;
221 	struct mps_command *tm;
222 
223 	tm = mps_alloc_high_priority_command(sc);
224 	if (tm == NULL)
225 		return (NULL);
226 
227 	req = (MPI2_SCSI_TASK_MANAGE_REQUEST *)tm->cm_req;
228 	req->Function = MPI2_FUNCTION_SCSI_TASK_MGMT;
229 	return tm;
230 }
231 
232 void
233 mpssas_free_tm(struct mps_softc *sc, struct mps_command *tm)
234 {
235 	if (tm == NULL)
236 		return;
237 
238 	/*
239 	 * For TM's the devq is frozen for the device.  Unfreeze it here and
240 	 * free the resources used for freezing the devq.  Must clear the
241 	 * INRESET flag as well or scsi I/O will not work.
242 	 */
243 	if (tm->cm_ccb) {
244 		mps_dprint(sc, MPS_XINFO | MPS_RECOVERY,
245 		    "Unfreezing devq for target ID %d\n",
246 		    tm->cm_targ->tid);
247 		tm->cm_targ->flags &= ~MPSSAS_TARGET_INRESET;
248 		xpt_release_devq(tm->cm_ccb->ccb_h.path, 1, TRUE);
249 		xpt_free_path(tm->cm_ccb->ccb_h.path);
250 		xpt_free_ccb(tm->cm_ccb);
251 	}
252 
253 	mps_free_high_priority_command(sc, tm);
254 }
255 
256 void
257 mpssas_rescan_target(struct mps_softc *sc, struct mpssas_target *targ)
258 {
259 	struct mpssas_softc *sassc = sc->sassc;
260 	path_id_t pathid;
261 	target_id_t targetid;
262 	union ccb *ccb;
263 
264 	MPS_FUNCTRACE(sc);
265 	pathid = cam_sim_path(sassc->sim);
266 	if (targ == NULL)
267 		targetid = CAM_TARGET_WILDCARD;
268 	else
269 		targetid = targ - sassc->targets;
270 
271 	/*
272 	 * Allocate a CCB and schedule a rescan.
273 	 */
274 	ccb = xpt_alloc_ccb_nowait();
275 	if (ccb == NULL) {
276 		mps_dprint(sc, MPS_ERROR, "unable to alloc CCB for rescan\n");
277 		return;
278 	}
279 
280 	if (xpt_create_path(&ccb->ccb_h.path, NULL, pathid,
281 	    targetid, CAM_LUN_WILDCARD) != CAM_REQ_CMP) {
282 		mps_dprint(sc, MPS_ERROR, "unable to create path for rescan\n");
283 		xpt_free_ccb(ccb);
284 		return;
285 	}
286 
287 	if (targetid == CAM_TARGET_WILDCARD)
288 		ccb->ccb_h.func_code = XPT_SCAN_BUS;
289 	else
290 		ccb->ccb_h.func_code = XPT_SCAN_TGT;
291 
292 	mps_dprint(sc, MPS_TRACE, "%s targetid %u\n", __func__, targetid);
293 	xpt_rescan(ccb);
294 }
295 
296 static void
297 mpssas_log_command(struct mps_command *cm, u_int level, const char *fmt, ...)
298 {
299 	struct sbuf sb;
300 	va_list ap;
301 	char str[224];
302 	char path_str[64];
303 
304 	if (cm == NULL)
305 		return;
306 
307 	/* No need to be in here if debugging isn't enabled */
308 	if ((cm->cm_sc->mps_debug & level) == 0)
309 		return;
310 
311 	sbuf_new(&sb, str, sizeof(str), 0);
312 
313 	va_start(ap, fmt);
314 
315 	if (cm->cm_ccb != NULL) {
316 		xpt_path_string(cm->cm_ccb->csio.ccb_h.path, path_str,
317 				sizeof(path_str));
318 		sbuf_cat(&sb, path_str);
319 		if (cm->cm_ccb->ccb_h.func_code == XPT_SCSI_IO) {
320 			scsi_command_string(&cm->cm_ccb->csio, &sb);
321 			sbuf_printf(&sb, "length %d ",
322 				    cm->cm_ccb->csio.dxfer_len);
323 		}
324 	}
325 	else {
326 		sbuf_printf(&sb, "(noperiph:%s%d:%u:%u:%u): ",
327 		    cam_sim_name(cm->cm_sc->sassc->sim),
328 		    cam_sim_unit(cm->cm_sc->sassc->sim),
329 		    cam_sim_bus(cm->cm_sc->sassc->sim),
330 		    cm->cm_targ ? cm->cm_targ->tid : 0xFFFFFFFF,
331 		    cm->cm_lun);
332 	}
333 
334 	sbuf_printf(&sb, "SMID %u ", cm->cm_desc.Default.SMID);
335 	sbuf_vprintf(&sb, fmt, ap);
336 	sbuf_finish(&sb);
337 	mps_print_field(cm->cm_sc, "%s", sbuf_data(&sb));
338 
339 	va_end(ap);
340 }
341 
342 static void
343 mpssas_remove_volume(struct mps_softc *sc, struct mps_command *tm)
344 {
345 	MPI2_SCSI_TASK_MANAGE_REPLY *reply;
346 	struct mpssas_target *targ;
347 	uint16_t handle;
348 
349 	MPS_FUNCTRACE(sc);
350 
351 	reply = (MPI2_SCSI_TASK_MANAGE_REPLY *)tm->cm_reply;
352 	handle = (uint16_t)(uintptr_t)tm->cm_complete_data;
353 	targ = tm->cm_targ;
354 
355 	if (reply == NULL) {
356 		/* XXX retry the remove after the diag reset completes? */
357 		mps_dprint(sc, MPS_FAULT,
358 		    "%s NULL reply resetting device 0x%04x\n", __func__,
359 		    handle);
360 		mpssas_free_tm(sc, tm);
361 		return;
362 	}
363 
364 	if ((le16toh(reply->IOCStatus) & MPI2_IOCSTATUS_MASK) !=
365 	    MPI2_IOCSTATUS_SUCCESS) {
366 		mps_dprint(sc, MPS_ERROR,
367 		   "IOCStatus = 0x%x while resetting device 0x%x\n",
368 		   le16toh(reply->IOCStatus), handle);
369 	}
370 
371 	mps_dprint(sc, MPS_XINFO,
372 	    "Reset aborted %u commands\n", reply->TerminationCount);
373 	mps_free_reply(sc, tm->cm_reply_data);
374 	tm->cm_reply = NULL;	/* Ensures the reply won't get re-freed */
375 
376 	mps_dprint(sc, MPS_XINFO,
377 	    "clearing target %u handle 0x%04x\n", targ->tid, handle);
378 
379 	/*
380 	 * Don't clear target if remove fails because things will get confusing.
381 	 * Leave the devname and sasaddr intact so that we know to avoid reusing
382 	 * this target id if possible, and so we can assign the same target id
383 	 * to this device if it comes back in the future.
384 	 */
385 	if ((le16toh(reply->IOCStatus) & MPI2_IOCSTATUS_MASK) ==
386 	    MPI2_IOCSTATUS_SUCCESS) {
387 		targ = tm->cm_targ;
388 		targ->handle = 0x0;
389 		targ->encl_handle = 0x0;
390 		targ->encl_slot = 0x0;
391 		targ->exp_dev_handle = 0x0;
392 		targ->phy_num = 0x0;
393 		targ->linkrate = 0x0;
394 		targ->devinfo = 0x0;
395 		targ->flags = 0x0;
396 	}
397 
398 	mpssas_free_tm(sc, tm);
399 }
400 
401 /*
402  * No Need to call "MPI2_SAS_OP_REMOVE_DEVICE" For Volume removal.
403  * Otherwise Volume Delete is same as Bare Drive Removal.
404  */
405 void
406 mpssas_prepare_volume_remove(struct mpssas_softc *sassc, uint16_t handle)
407 {
408 	MPI2_SCSI_TASK_MANAGE_REQUEST *req;
409 	struct mps_softc *sc;
410 	struct mps_command *tm;
411 	struct mpssas_target *targ = NULL;
412 
413 	MPS_FUNCTRACE(sassc->sc);
414 	sc = sassc->sc;
415 
416 #ifdef WD_SUPPORT
417 	/*
418 	 * If this is a WD controller, determine if the disk should be exposed
419 	 * to the OS or not.  If disk should be exposed, return from this
420 	 * function without doing anything.
421 	 */
422 	if (sc->WD_available && (sc->WD_hide_expose ==
423 	    MPS_WD_EXPOSE_ALWAYS)) {
424 		return;
425 	}
426 #endif //WD_SUPPORT
427 
428 	targ = mpssas_find_target_by_handle(sassc, 0, handle);
429 	if (targ == NULL) {
430 		/* FIXME: what is the action? */
431 		/* We don't know about this device? */
432 		mps_dprint(sc, MPS_ERROR,
433 		   "%s %d : invalid handle 0x%x \n", __func__,__LINE__, handle);
434 		return;
435 	}
436 
437 	targ->flags |= MPSSAS_TARGET_INREMOVAL;
438 
439 	tm = mpssas_alloc_tm(sc);
440 	if (tm == NULL) {
441 		mps_dprint(sc, MPS_ERROR,
442 		    "%s: command alloc failure\n", __func__);
443 		return;
444 	}
445 
446 	mpssas_rescan_target(sc, targ);
447 
448 	req = (MPI2_SCSI_TASK_MANAGE_REQUEST *)tm->cm_req;
449 	req->DevHandle = targ->handle;
450 	req->TaskType = MPI2_SCSITASKMGMT_TASKTYPE_TARGET_RESET;
451 
452 	/* SAS Hard Link Reset / SATA Link Reset */
453 	req->MsgFlags = MPI2_SCSITASKMGMT_MSGFLAGS_LINK_RESET;
454 
455 	tm->cm_targ = targ;
456 	tm->cm_data = NULL;
457 	tm->cm_complete = mpssas_remove_volume;
458 	tm->cm_complete_data = (void *)(uintptr_t)handle;
459 
460 	mps_dprint(sc, MPS_INFO, "%s: Sending reset for target ID %d\n",
461 	    __func__, targ->tid);
462 	mpssas_prepare_for_tm(sc, tm, targ, CAM_LUN_WILDCARD);
463 
464 	mps_map_command(sc, tm);
465 }
466 
467 /*
468  * The MPT2 firmware performs debounce on the link to avoid transient link
469  * errors and false removals.  When it does decide that link has been lost
470  * and a device need to go away, it expects that the host will perform a
471  * target reset and then an op remove.  The reset has the side-effect of
472  * aborting any outstanding requests for the device, which is required for
473  * the op-remove to succeed.  It's not clear if the host should check for
474  * the device coming back alive after the reset.
475  */
476 void
477 mpssas_prepare_remove(struct mpssas_softc *sassc, uint16_t handle)
478 {
479 	MPI2_SCSI_TASK_MANAGE_REQUEST *req;
480 	struct mps_softc *sc;
481 	struct mps_command *cm;
482 	struct mpssas_target *targ = NULL;
483 
484 	MPS_FUNCTRACE(sassc->sc);
485 
486 	sc = sassc->sc;
487 
488 	targ = mpssas_find_target_by_handle(sassc, 0, handle);
489 	if (targ == NULL) {
490 		/* FIXME: what is the action? */
491 		/* We don't know about this device? */
492 		mps_dprint(sc, MPS_ERROR,
493 		    "%s : invalid handle 0x%x \n", __func__, handle);
494 		return;
495 	}
496 
497 	targ->flags |= MPSSAS_TARGET_INREMOVAL;
498 
499 	cm = mpssas_alloc_tm(sc);
500 	if (cm == NULL) {
501 		mps_dprint(sc, MPS_ERROR,
502 		    "%s: command alloc failure\n", __func__);
503 		return;
504 	}
505 
506 	mpssas_rescan_target(sc, targ);
507 
508 	req = (MPI2_SCSI_TASK_MANAGE_REQUEST *)cm->cm_req;
509 	req->DevHandle = htole16(targ->handle);
510 	req->TaskType = MPI2_SCSITASKMGMT_TASKTYPE_TARGET_RESET;
511 
512 	/* SAS Hard Link Reset / SATA Link Reset */
513 	req->MsgFlags = MPI2_SCSITASKMGMT_MSGFLAGS_LINK_RESET;
514 
515 	cm->cm_targ = targ;
516 	cm->cm_data = NULL;
517 	cm->cm_complete = mpssas_remove_device;
518 	cm->cm_complete_data = (void *)(uintptr_t)handle;
519 
520 	mps_dprint(sc, MPS_INFO, "%s: Sending reset for target ID %d\n",
521 	    __func__, targ->tid);
522 	mpssas_prepare_for_tm(sc, cm, targ, CAM_LUN_WILDCARD);
523 
524 	mps_map_command(sc, cm);
525 }
526 
527 static void
528 mpssas_remove_device(struct mps_softc *sc, struct mps_command *tm)
529 {
530 	MPI2_SCSI_TASK_MANAGE_REPLY *reply;
531 	MPI2_SAS_IOUNIT_CONTROL_REQUEST *req;
532 	struct mpssas_target *targ;
533 	uint16_t handle;
534 
535 	MPS_FUNCTRACE(sc);
536 
537 	reply = (MPI2_SCSI_TASK_MANAGE_REPLY *)tm->cm_reply;
538 	handle = (uint16_t)(uintptr_t)tm->cm_complete_data;
539 	targ = tm->cm_targ;
540 
541 	/*
542 	 * Currently there should be no way we can hit this case.  It only
543 	 * happens when we have a failure to allocate chain frames, and
544 	 * task management commands don't have S/G lists.
545 	 */
546 	if ((tm->cm_flags & MPS_CM_FLAGS_ERROR_MASK) != 0) {
547 		mps_dprint(sc, MPS_ERROR,
548 		    "%s: cm_flags = %#x for remove of handle %#04x! "
549 		    "This should not happen!\n", __func__, tm->cm_flags,
550 		    handle);
551 	}
552 
553 	if (reply == NULL) {
554 		/* XXX retry the remove after the diag reset completes? */
555 		mps_dprint(sc, MPS_FAULT,
556 		    "%s NULL reply resetting device 0x%04x\n", __func__,
557 		    handle);
558 		mpssas_free_tm(sc, tm);
559 		return;
560 	}
561 
562 	if ((le16toh(reply->IOCStatus) & MPI2_IOCSTATUS_MASK) !=
563 	    MPI2_IOCSTATUS_SUCCESS) {
564 		mps_dprint(sc, MPS_ERROR,
565 		   "IOCStatus = 0x%x while resetting device 0x%x\n",
566 		   le16toh(reply->IOCStatus), handle);
567 	}
568 
569 	mps_dprint(sc, MPS_XINFO, "Reset aborted %u commands\n",
570 	    le32toh(reply->TerminationCount));
571 	mps_free_reply(sc, tm->cm_reply_data);
572 	tm->cm_reply = NULL;	/* Ensures the reply won't get re-freed */
573 
574 	/* Reuse the existing command */
575 	req = (MPI2_SAS_IOUNIT_CONTROL_REQUEST *)tm->cm_req;
576 	memset(req, 0, sizeof(*req));
577 	req->Function = MPI2_FUNCTION_SAS_IO_UNIT_CONTROL;
578 	req->Operation = MPI2_SAS_OP_REMOVE_DEVICE;
579 	req->DevHandle = htole16(handle);
580 	tm->cm_data = NULL;
581 	tm->cm_desc.Default.RequestFlags = MPI2_REQ_DESCRIPT_FLAGS_DEFAULT_TYPE;
582 	tm->cm_complete = mpssas_remove_complete;
583 	tm->cm_complete_data = (void *)(uintptr_t)handle;
584 
585 	/*
586 	 * Wait to send the REMOVE_DEVICE until all the commands have cleared.
587 	 * They should be aborted or time out and we'll kick thus off there
588 	 * if so.
589 	 */
590 	if (TAILQ_FIRST(&targ->commands) == NULL) {
591 		mps_dprint(sc, MPS_INFO,
592 		    "No pending commands: starting remove_device target %u handle 0x%04x\n",
593 		    targ->tid, handle);
594 		mps_map_command(sc, tm);
595 		targ->pending_remove_tm = NULL;
596 	} else {
597 		targ->pending_remove_tm = tm;
598 	}
599 
600 	mps_dprint(sc, MPS_XINFO, "clearing target %u handle 0x%04x\n",
601 		   targ->tid, handle);
602 }
603 
604 static void
605 mpssas_remove_complete(struct mps_softc *sc, struct mps_command *tm)
606 {
607 	MPI2_SAS_IOUNIT_CONTROL_REPLY *reply;
608 	uint16_t handle;
609 	struct mpssas_target *targ;
610 	struct mpssas_lun *lun;
611 
612 	MPS_FUNCTRACE(sc);
613 
614 	reply = (MPI2_SAS_IOUNIT_CONTROL_REPLY *)tm->cm_reply;
615 	handle = (uint16_t)(uintptr_t)tm->cm_complete_data;
616 	targ = tm->cm_targ;
617 
618 	/*
619 	 * At this point, we should have no pending commands for the target.
620 	 * The remove target has just completed.
621 	 */
622 	KASSERT(TAILQ_FIRST(&targ->commands) == NULL,
623 	    ("%s: no commands should be pending\n", __func__));
624 
625 	/*
626 	 * Currently there should be no way we can hit this case.  It only
627 	 * happens when we have a failure to allocate chain frames, and
628 	 * task management commands don't have S/G lists.
629 	 */
630 	if ((tm->cm_flags & MPS_CM_FLAGS_ERROR_MASK) != 0) {
631 		mps_dprint(sc, MPS_XINFO,
632 			   "%s: cm_flags = %#x for remove of handle %#04x! "
633 			   "This should not happen!\n", __func__, tm->cm_flags,
634 			   handle);
635 		mpssas_free_tm(sc, tm);
636 		return;
637 	}
638 
639 	if (reply == NULL) {
640 		/* most likely a chip reset */
641 		mps_dprint(sc, MPS_FAULT,
642 		    "%s NULL reply removing device 0x%04x\n", __func__, handle);
643 		mpssas_free_tm(sc, tm);
644 		return;
645 	}
646 
647 	mps_dprint(sc, MPS_XINFO,
648 	    "%s on handle 0x%04x, IOCStatus= 0x%x\n", __func__,
649 	    handle, le16toh(reply->IOCStatus));
650 
651 	/*
652 	 * Don't clear target if remove fails because things will get confusing.
653 	 * Leave the devname and sasaddr intact so that we know to avoid reusing
654 	 * this target id if possible, and so we can assign the same target id
655 	 * to this device if it comes back in the future.
656 	 */
657 	if ((le16toh(reply->IOCStatus) & MPI2_IOCSTATUS_MASK) ==
658 	    MPI2_IOCSTATUS_SUCCESS) {
659 		targ->handle = 0x0;
660 		targ->encl_handle = 0x0;
661 		targ->encl_slot = 0x0;
662 		targ->exp_dev_handle = 0x0;
663 		targ->phy_num = 0x0;
664 		targ->linkrate = 0x0;
665 		targ->devinfo = 0x0;
666 		targ->flags = 0x0;
667 
668 		while(!SLIST_EMPTY(&targ->luns)) {
669 			lun = SLIST_FIRST(&targ->luns);
670 			SLIST_REMOVE_HEAD(&targ->luns, lun_link);
671 			free(lun, M_MPT2);
672 		}
673 	}
674 
675 	mpssas_free_tm(sc, tm);
676 }
677 
678 static int
679 mpssas_register_events(struct mps_softc *sc)
680 {
681 	u32 events[MPI2_EVENT_NOTIFY_EVENTMASK_WORDS];
682 
683 	bzero(events, 16);
684 	setbit(events, MPI2_EVENT_SAS_DEVICE_STATUS_CHANGE);
685 	setbit(events, MPI2_EVENT_SAS_DISCOVERY);
686 	setbit(events, MPI2_EVENT_SAS_BROADCAST_PRIMITIVE);
687 	setbit(events, MPI2_EVENT_SAS_INIT_DEVICE_STATUS_CHANGE);
688 	setbit(events, MPI2_EVENT_SAS_INIT_TABLE_OVERFLOW);
689 	setbit(events, MPI2_EVENT_SAS_TOPOLOGY_CHANGE_LIST);
690 	setbit(events, MPI2_EVENT_SAS_ENCL_DEVICE_STATUS_CHANGE);
691 	setbit(events, MPI2_EVENT_IR_CONFIGURATION_CHANGE_LIST);
692 	setbit(events, MPI2_EVENT_IR_VOLUME);
693 	setbit(events, MPI2_EVENT_IR_PHYSICAL_DISK);
694 	setbit(events, MPI2_EVENT_IR_OPERATION_STATUS);
695 	setbit(events, MPI2_EVENT_LOG_ENTRY_ADDED);
696 
697 	mps_register_events(sc, events, mpssas_evt_handler, NULL,
698 	    &sc->sassc->mpssas_eh);
699 
700 	return (0);
701 }
702 
703 int
704 mps_attach_sas(struct mps_softc *sc)
705 {
706 	struct mpssas_softc *sassc;
707 	cam_status status;
708 	int unit, error = 0, reqs;
709 
710 	MPS_FUNCTRACE(sc);
711 	mps_dprint(sc, MPS_INIT, "%s entered\n", __func__);
712 
713 	sassc = malloc(sizeof(struct mpssas_softc), M_MPT2, M_WAITOK|M_ZERO);
714 
715 	/*
716 	 * XXX MaxTargets could change during a reinit.  Since we don't
717 	 * resize the targets[] array during such an event, cache the value
718 	 * of MaxTargets here so that we don't get into trouble later.  This
719 	 * should move into the reinit logic.
720 	 */
721 	sassc->maxtargets = sc->facts->MaxTargets + sc->facts->MaxVolumes;
722 	sassc->targets = malloc(sizeof(struct mpssas_target) *
723 	    sassc->maxtargets, M_MPT2, M_WAITOK|M_ZERO);
724 	sc->sassc = sassc;
725 	sassc->sc = sc;
726 
727 	reqs = sc->num_reqs - sc->num_prireqs - 1;
728 	if ((sassc->devq = cam_simq_alloc(reqs)) == NULL) {
729 		mps_dprint(sc, MPS_ERROR, "Cannot allocate SIMQ\n");
730 		error = ENOMEM;
731 		goto out;
732 	}
733 
734 	unit = device_get_unit(sc->mps_dev);
735 	sassc->sim = cam_sim_alloc(mpssas_action, mpssas_poll, "mps", sassc,
736 	    unit, &sc->mps_mtx, reqs, reqs, sassc->devq);
737 	if (sassc->sim == NULL) {
738 		mps_dprint(sc, MPS_INIT|MPS_ERROR, "Cannot allocate SIM\n");
739 		error = EINVAL;
740 		goto out;
741 	}
742 
743 	TAILQ_INIT(&sassc->ev_queue);
744 
745 	/* Initialize taskqueue for Event Handling */
746 	TASK_INIT(&sassc->ev_task, 0, mpssas_firmware_event_work, sc);
747 	sassc->ev_tq = taskqueue_create("mps_taskq", M_NOWAIT | M_ZERO,
748 	    taskqueue_thread_enqueue, &sassc->ev_tq);
749 	taskqueue_start_threads(&sassc->ev_tq, 1, PRIBIO, "%s taskq",
750 	    device_get_nameunit(sc->mps_dev));
751 
752 	mps_lock(sc);
753 
754 	/*
755 	 * XXX There should be a bus for every port on the adapter, but since
756 	 * we're just going to fake the topology for now, we'll pretend that
757 	 * everything is just a target on a single bus.
758 	 */
759 	if ((error = xpt_bus_register(sassc->sim, sc->mps_dev, 0)) != 0) {
760 		mps_dprint(sc, MPS_INIT|MPS_ERROR,
761 		    "Error %d registering SCSI bus\n", error);
762 		mps_unlock(sc);
763 		goto out;
764 	}
765 
766 	/*
767 	 * Assume that discovery events will start right away.
768 	 *
769 	 * Hold off boot until discovery is complete.
770 	 */
771 	sassc->flags |= MPSSAS_IN_STARTUP | MPSSAS_IN_DISCOVERY;
772 	sc->sassc->startup_refcount = 0;
773 	mpssas_startup_increment(sassc);
774 
775 	mps_unlock(sc);
776 
777 	/*
778 	 * Register for async events so we can determine the EEDP
779 	 * capabilities of devices.
780 	 */
781 	status = xpt_create_path(&sassc->path, /*periph*/NULL,
782 	    cam_sim_path(sc->sassc->sim), CAM_TARGET_WILDCARD,
783 	    CAM_LUN_WILDCARD);
784 	if (status != CAM_REQ_CMP) {
785 		mps_dprint(sc, MPS_ERROR|MPS_INIT,
786 		    "Error %#x creating sim path\n", status);
787 		sassc->path = NULL;
788 	} else {
789 		int event;
790 
791 		event = AC_ADVINFO_CHANGED;
792 		status = xpt_register_async(event, mpssas_async, sc,
793 					    sassc->path);
794 		if (status != CAM_REQ_CMP) {
795 			mps_dprint(sc, MPS_ERROR,
796 			    "Error %#x registering async handler for "
797 			    "AC_ADVINFO_CHANGED events\n", status);
798 			xpt_free_path(sassc->path);
799 			sassc->path = NULL;
800 		}
801 	}
802 	if (status != CAM_REQ_CMP) {
803 		/*
804 		 * EEDP use is the exception, not the rule.
805 		 * Warn the user, but do not fail to attach.
806 		 */
807 		mps_printf(sc, "EEDP capabilities disabled.\n");
808 	}
809 
810 	mpssas_register_events(sc);
811 out:
812 	if (error)
813 		mps_detach_sas(sc);
814 
815 	mps_dprint(sc, MPS_INIT, "%s exit error= %d\n", __func__, error);
816 	return (error);
817 }
818 
819 int
820 mps_detach_sas(struct mps_softc *sc)
821 {
822 	struct mpssas_softc *sassc;
823 	struct mpssas_lun *lun, *lun_tmp;
824 	struct mpssas_target *targ;
825 	int i;
826 
827 	MPS_FUNCTRACE(sc);
828 
829 	if (sc->sassc == NULL)
830 		return (0);
831 
832 	sassc = sc->sassc;
833 	mps_deregister_events(sc, sassc->mpssas_eh);
834 
835 	/*
836 	 * Drain and free the event handling taskqueue with the lock
837 	 * unheld so that any parallel processing tasks drain properly
838 	 * without deadlocking.
839 	 */
840 	if (sassc->ev_tq != NULL)
841 		taskqueue_free(sassc->ev_tq);
842 
843 	/* Deregister our async handler */
844 	if (sassc->path != NULL) {
845 		xpt_register_async(0, mpssas_async, sc, sassc->path);
846 		xpt_free_path(sassc->path);
847 		sassc->path = NULL;
848 	}
849 
850 	/* Make sure CAM doesn't wedge if we had to bail out early. */
851 	mps_lock(sc);
852 
853 	while (sassc->startup_refcount != 0)
854 		mpssas_startup_decrement(sassc);
855 
856 	if (sassc->flags & MPSSAS_IN_STARTUP)
857 		xpt_release_simq(sassc->sim, 1);
858 
859 	if (sassc->sim != NULL) {
860 		xpt_bus_deregister(cam_sim_path(sassc->sim));
861 		cam_sim_free(sassc->sim, FALSE);
862 	}
863 
864 	mps_unlock(sc);
865 
866 	if (sassc->devq != NULL)
867 		cam_simq_free(sassc->devq);
868 
869 	for(i=0; i< sassc->maxtargets ;i++) {
870 		targ = &sassc->targets[i];
871 		SLIST_FOREACH_SAFE(lun, &targ->luns, lun_link, lun_tmp) {
872 			free(lun, M_MPT2);
873 		}
874 	}
875 	free(sassc->targets, M_MPT2);
876 	free(sassc, M_MPT2);
877 	sc->sassc = NULL;
878 
879 	return (0);
880 }
881 
882 void
883 mpssas_discovery_end(struct mpssas_softc *sassc)
884 {
885 	struct mps_softc *sc = sassc->sc;
886 
887 	MPS_FUNCTRACE(sc);
888 
889 	/*
890 	 * After discovery has completed, check the mapping table for any
891 	 * missing devices and update their missing counts. Only do this once
892 	 * whenever the driver is initialized so that missing counts aren't
893 	 * updated unnecessarily. Note that just because discovery has
894 	 * completed doesn't mean that events have been processed yet. The
895 	 * check_devices function is a callout timer that checks if ALL devices
896 	 * are missing. If so, it will wait a little longer for events to
897 	 * complete and keep resetting itself until some device in the mapping
898 	 * table is not missing, meaning that event processing has started.
899 	 */
900 	if (sc->track_mapping_events) {
901 		mps_dprint(sc, MPS_XINFO | MPS_MAPPING, "Discovery has "
902 		    "completed. Check for missing devices in the mapping "
903 		    "table.\n");
904 		callout_reset(&sc->device_check_callout,
905 		    MPS_MISSING_CHECK_DELAY * hz, mps_mapping_check_devices,
906 		    sc);
907 	}
908 }
909 
910 static void
911 mpssas_action(struct cam_sim *sim, union ccb *ccb)
912 {
913 	struct mpssas_softc *sassc;
914 
915 	sassc = cam_sim_softc(sim);
916 
917 	MPS_FUNCTRACE(sassc->sc);
918 	mps_dprint(sassc->sc, MPS_TRACE, "ccb func_code 0x%x\n",
919 	    ccb->ccb_h.func_code);
920 	mtx_assert(&sassc->sc->mps_mtx, MA_OWNED);
921 
922 	switch (ccb->ccb_h.func_code) {
923 	case XPT_PATH_INQ:
924 	{
925 		struct ccb_pathinq *cpi = &ccb->cpi;
926 		struct mps_softc *sc = sassc->sc;
927 
928 		cpi->version_num = 1;
929 		cpi->hba_inquiry = PI_SDTR_ABLE|PI_TAG_ABLE|PI_WIDE_16;
930 		cpi->target_sprt = 0;
931 		cpi->hba_misc = PIM_NOBUSRESET | PIM_UNMAPPED | PIM_NOSCAN;
932 		cpi->hba_eng_cnt = 0;
933 		cpi->max_target = sassc->maxtargets - 1;
934 		cpi->max_lun = 255;
935 
936 		/*
937 		 * initiator_id is set here to an ID outside the set of valid
938 		 * target IDs (including volumes).
939 		 */
940 		cpi->initiator_id = sassc->maxtargets;
941 		strlcpy(cpi->sim_vid, "FreeBSD", SIM_IDLEN);
942 		strlcpy(cpi->hba_vid, "Avago Tech", HBA_IDLEN);
943 		strlcpy(cpi->dev_name, cam_sim_name(sim), DEV_IDLEN);
944 		cpi->unit_number = cam_sim_unit(sim);
945 		cpi->bus_id = cam_sim_bus(sim);
946 		cpi->base_transfer_speed = 150000;
947 		cpi->transport = XPORT_SAS;
948 		cpi->transport_version = 0;
949 		cpi->protocol = PROTO_SCSI;
950 		cpi->protocol_version = SCSI_REV_SPC;
951 		cpi->maxio = sc->maxio;
952 		mpssas_set_ccbstatus(ccb, CAM_REQ_CMP);
953 		break;
954 	}
955 	case XPT_GET_TRAN_SETTINGS:
956 	{
957 		struct ccb_trans_settings	*cts;
958 		struct ccb_trans_settings_sas	*sas;
959 		struct ccb_trans_settings_scsi	*scsi;
960 		struct mpssas_target *targ;
961 
962 		cts = &ccb->cts;
963 		sas = &cts->xport_specific.sas;
964 		scsi = &cts->proto_specific.scsi;
965 
966 		KASSERT(cts->ccb_h.target_id < sassc->maxtargets,
967 		    ("Target %d out of bounds in XPT_GET_TRANS_SETTINGS\n",
968 		    cts->ccb_h.target_id));
969 		targ = &sassc->targets[cts->ccb_h.target_id];
970 		if (targ->handle == 0x0) {
971 			mpssas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
972 			break;
973 		}
974 
975 		cts->protocol_version = SCSI_REV_SPC2;
976 		cts->transport = XPORT_SAS;
977 		cts->transport_version = 0;
978 
979 		sas->valid = CTS_SAS_VALID_SPEED;
980 		switch (targ->linkrate) {
981 		case 0x08:
982 			sas->bitrate = 150000;
983 			break;
984 		case 0x09:
985 			sas->bitrate = 300000;
986 			break;
987 		case 0x0a:
988 			sas->bitrate = 600000;
989 			break;
990 		default:
991 			sas->valid = 0;
992 		}
993 
994 		cts->protocol = PROTO_SCSI;
995 		scsi->valid = CTS_SCSI_VALID_TQ;
996 		scsi->flags = CTS_SCSI_FLAGS_TAG_ENB;
997 
998 		mpssas_set_ccbstatus(ccb, CAM_REQ_CMP);
999 		break;
1000 	}
1001 	case XPT_CALC_GEOMETRY:
1002 		cam_calc_geometry(&ccb->ccg, /*extended*/1);
1003 		mpssas_set_ccbstatus(ccb, CAM_REQ_CMP);
1004 		break;
1005 	case XPT_RESET_DEV:
1006 		mps_dprint(sassc->sc, MPS_XINFO, "mpssas_action XPT_RESET_DEV\n");
1007 		mpssas_action_resetdev(sassc, ccb);
1008 		return;
1009 	case XPT_RESET_BUS:
1010 	case XPT_ABORT:
1011 	case XPT_TERM_IO:
1012 		mps_dprint(sassc->sc, MPS_XINFO,
1013 		    "mpssas_action faking success for abort or reset\n");
1014 		mpssas_set_ccbstatus(ccb, CAM_REQ_CMP);
1015 		break;
1016 	case XPT_SCSI_IO:
1017 		mpssas_action_scsiio(sassc, ccb);
1018 		return;
1019 	case XPT_SMP_IO:
1020 		mpssas_action_smpio(sassc, ccb);
1021 		return;
1022 	default:
1023 		mpssas_set_ccbstatus(ccb, CAM_FUNC_NOTAVAIL);
1024 		break;
1025 	}
1026 	xpt_done(ccb);
1027 
1028 }
1029 
1030 static void
1031 mpssas_announce_reset(struct mps_softc *sc, uint32_t ac_code,
1032     target_id_t target_id, lun_id_t lun_id)
1033 {
1034 	path_id_t path_id = cam_sim_path(sc->sassc->sim);
1035 	struct cam_path *path;
1036 
1037 	mps_dprint(sc, MPS_XINFO, "%s code %x target %d lun %jx\n", __func__,
1038 	    ac_code, target_id, (uintmax_t)lun_id);
1039 
1040 	if (xpt_create_path(&path, NULL,
1041 		path_id, target_id, lun_id) != CAM_REQ_CMP) {
1042 		mps_dprint(sc, MPS_ERROR, "unable to create path for reset "
1043 			   "notification\n");
1044 		return;
1045 	}
1046 
1047 	xpt_async(ac_code, path, NULL);
1048 	xpt_free_path(path);
1049 }
1050 
1051 static void
1052 mpssas_complete_all_commands(struct mps_softc *sc)
1053 {
1054 	struct mps_command *cm;
1055 	int i;
1056 	int completed;
1057 
1058 	MPS_FUNCTRACE(sc);
1059 	mtx_assert(&sc->mps_mtx, MA_OWNED);
1060 
1061 	/* complete all commands with a NULL reply */
1062 	for (i = 1; i < sc->num_reqs; i++) {
1063 		cm = &sc->commands[i];
1064 		if (cm->cm_state == MPS_CM_STATE_FREE)
1065 			continue;
1066 
1067 		cm->cm_state = MPS_CM_STATE_BUSY;
1068 		cm->cm_reply = NULL;
1069 		completed = 0;
1070 
1071 		if (cm->cm_flags & MPS_CM_FLAGS_SATA_ID_TIMEOUT) {
1072 			MPASS(cm->cm_data);
1073 			free(cm->cm_data, M_MPT2);
1074 			cm->cm_data = NULL;
1075 		}
1076 
1077 		if (cm->cm_flags & MPS_CM_FLAGS_POLLED)
1078 			cm->cm_flags |= MPS_CM_FLAGS_COMPLETE;
1079 
1080 		if (cm->cm_complete != NULL) {
1081 			mpssas_log_command(cm, MPS_RECOVERY,
1082 			    "completing cm %p state %x ccb %p for diag reset\n",
1083 			    cm, cm->cm_state, cm->cm_ccb);
1084 
1085 			cm->cm_complete(sc, cm);
1086 			completed = 1;
1087 		} else if (cm->cm_flags & MPS_CM_FLAGS_WAKEUP) {
1088 			mpssas_log_command(cm, MPS_RECOVERY,
1089 			    "waking up cm %p state %x ccb %p for diag reset\n",
1090 			    cm, cm->cm_state, cm->cm_ccb);
1091 			wakeup(cm);
1092 			completed = 1;
1093 		}
1094 
1095 		if ((completed == 0) && (cm->cm_state != MPS_CM_STATE_FREE)) {
1096 			/* this should never happen, but if it does, log */
1097 			mpssas_log_command(cm, MPS_RECOVERY,
1098 			    "cm %p state %x flags 0x%x ccb %p during diag "
1099 			    "reset\n", cm, cm->cm_state, cm->cm_flags,
1100 			    cm->cm_ccb);
1101 		}
1102 	}
1103 
1104 	sc->io_cmds_active = 0;
1105 }
1106 
1107 void
1108 mpssas_handle_reinit(struct mps_softc *sc)
1109 {
1110 	int i;
1111 
1112 	/* Go back into startup mode and freeze the simq, so that CAM
1113 	 * doesn't send any commands until after we've rediscovered all
1114 	 * targets and found the proper device handles for them.
1115 	 *
1116 	 * After the reset, portenable will trigger discovery, and after all
1117 	 * discovery-related activities have finished, the simq will be
1118 	 * released.
1119 	 */
1120 	mps_dprint(sc, MPS_INIT, "%s startup\n", __func__);
1121 	sc->sassc->flags |= MPSSAS_IN_STARTUP;
1122 	sc->sassc->flags |= MPSSAS_IN_DISCOVERY;
1123 	mpssas_startup_increment(sc->sassc);
1124 
1125 	/* notify CAM of a bus reset */
1126 	mpssas_announce_reset(sc, AC_BUS_RESET, CAM_TARGET_WILDCARD,
1127 	    CAM_LUN_WILDCARD);
1128 
1129 	/* complete and cleanup after all outstanding commands */
1130 	mpssas_complete_all_commands(sc);
1131 
1132 	mps_dprint(sc, MPS_INIT,
1133 	    "%s startup %u after command completion\n", __func__,
1134 	    sc->sassc->startup_refcount);
1135 
1136 	/* zero all the target handles, since they may change after the
1137 	 * reset, and we have to rediscover all the targets and use the new
1138 	 * handles.
1139 	 */
1140 	for (i = 0; i < sc->sassc->maxtargets; i++) {
1141 		if (sc->sassc->targets[i].outstanding != 0)
1142 			mps_dprint(sc, MPS_INIT, "target %u outstanding %u\n",
1143 			    i, sc->sassc->targets[i].outstanding);
1144 		sc->sassc->targets[i].handle = 0x0;
1145 		sc->sassc->targets[i].exp_dev_handle = 0x0;
1146 		sc->sassc->targets[i].outstanding = 0;
1147 		sc->sassc->targets[i].flags = MPSSAS_TARGET_INDIAGRESET;
1148 	}
1149 }
1150 
1151 static void
1152 mpssas_tm_timeout(void *data)
1153 {
1154 	struct mps_command *tm = data;
1155 	struct mps_softc *sc = tm->cm_sc;
1156 
1157 	mtx_assert(&sc->mps_mtx, MA_OWNED);
1158 
1159 	mpssas_log_command(tm, MPS_INFO|MPS_RECOVERY,
1160 	    "task mgmt %p timed out\n", tm);
1161 
1162 	KASSERT(tm->cm_state == MPS_CM_STATE_INQUEUE,
1163 	    ("command not inqueue, state = %u\n", tm->cm_state));
1164 
1165 	tm->cm_state = MPS_CM_STATE_BUSY;
1166 	mps_reinit(sc);
1167 }
1168 
1169 static void
1170 mpssas_logical_unit_reset_complete(struct mps_softc *sc, struct mps_command *tm)
1171 {
1172 	MPI2_SCSI_TASK_MANAGE_REPLY *reply;
1173 	unsigned int cm_count = 0;
1174 	struct mps_command *cm;
1175 	struct mpssas_target *targ;
1176 
1177 	callout_stop(&tm->cm_callout);
1178 
1179 	reply = (MPI2_SCSI_TASK_MANAGE_REPLY *)tm->cm_reply;
1180 	targ = tm->cm_targ;
1181 
1182 	/*
1183 	 * Currently there should be no way we can hit this case.  It only
1184 	 * happens when we have a failure to allocate chain frames, and
1185 	 * task management commands don't have S/G lists.
1186 	 * XXXSL So should it be an assertion?
1187 	 */
1188 	if ((tm->cm_flags & MPS_CM_FLAGS_ERROR_MASK) != 0) {
1189 		mps_dprint(sc, MPS_RECOVERY|MPS_ERROR,
1190 		    "%s: cm_flags = %#x for LUN reset! "
1191 		   "This should not happen!\n", __func__, tm->cm_flags);
1192 		mpssas_free_tm(sc, tm);
1193 		return;
1194 	}
1195 
1196 	if (reply == NULL) {
1197 		mps_dprint(sc, MPS_RECOVERY, "NULL reset reply for tm %p\n",
1198 		    tm);
1199 		if ((sc->mps_flags & MPS_FLAGS_DIAGRESET) != 0) {
1200 			/* this completion was due to a reset, just cleanup */
1201 			mps_dprint(sc, MPS_RECOVERY, "Hardware undergoing "
1202 			    "reset, ignoring NULL LUN reset reply\n");
1203 			targ->tm = NULL;
1204 			mpssas_free_tm(sc, tm);
1205 		}
1206 		else {
1207 			/* we should have gotten a reply. */
1208 			mps_dprint(sc, MPS_INFO|MPS_RECOVERY, "NULL reply on "
1209 			    "LUN reset attempt, resetting controller\n");
1210 			mps_reinit(sc);
1211 		}
1212 		return;
1213 	}
1214 
1215 	mps_dprint(sc, MPS_RECOVERY,
1216 	    "logical unit reset status 0x%x code 0x%x count %u\n",
1217 	    le16toh(reply->IOCStatus), le32toh(reply->ResponseCode),
1218 	    le32toh(reply->TerminationCount));
1219 
1220 	/*
1221 	 * See if there are any outstanding commands for this LUN.
1222 	 * This could be made more efficient by using a per-LU data
1223 	 * structure of some sort.
1224 	 */
1225 	TAILQ_FOREACH(cm, &targ->commands, cm_link) {
1226 		if (cm->cm_lun == tm->cm_lun)
1227 			cm_count++;
1228 	}
1229 
1230 	if (cm_count == 0) {
1231 		mps_dprint(sc, MPS_RECOVERY|MPS_INFO,
1232 		    "Finished recovery after LUN reset for target %u\n",
1233 		    targ->tid);
1234 
1235 		mpssas_announce_reset(sc, AC_SENT_BDR, targ->tid, tm->cm_lun);
1236 
1237 		/*
1238 		 * We've finished recovery for this logical unit.  check and
1239 		 * see if some other logical unit has a timedout command
1240 		 * that needs to be processed.
1241 		 */
1242 		cm = TAILQ_FIRST(&targ->timedout_commands);
1243 		if (cm) {
1244 			mps_dprint(sc, MPS_INFO|MPS_RECOVERY,
1245 			    "More commands to abort for target %u\n",
1246 			    targ->tid);
1247 			mpssas_send_abort(sc, tm, cm);
1248 		} else {
1249 			targ->tm = NULL;
1250 			mpssas_free_tm(sc, tm);
1251 		}
1252 	} else {
1253 		/*
1254 		 * If we still have commands for this LUN, the reset
1255 		 * effectively failed, regardless of the status reported.
1256 		 * Escalate to a target reset.
1257 		 */
1258 		mps_dprint(sc, MPS_INFO|MPS_RECOVERY,
1259 		    "logical unit reset complete for target %u, but still "
1260 		    "have %u command(s), sending target reset\n", targ->tid,
1261 		    cm_count);
1262 		mpssas_send_reset(sc, tm,
1263 		    MPI2_SCSITASKMGMT_TASKTYPE_TARGET_RESET);
1264 	}
1265 }
1266 
1267 static void
1268 mpssas_target_reset_complete(struct mps_softc *sc, struct mps_command *tm)
1269 {
1270 	MPI2_SCSI_TASK_MANAGE_REPLY *reply;
1271 	MPI2_SCSI_TASK_MANAGE_REQUEST *req;
1272 	struct mpssas_target *targ;
1273 
1274 	callout_stop(&tm->cm_callout);
1275 
1276 	req = (MPI2_SCSI_TASK_MANAGE_REQUEST *)tm->cm_req;
1277 	reply = (MPI2_SCSI_TASK_MANAGE_REPLY *)tm->cm_reply;
1278 	targ = tm->cm_targ;
1279 
1280 	/*
1281 	 * Currently there should be no way we can hit this case.  It only
1282 	 * happens when we have a failure to allocate chain frames, and
1283 	 * task management commands don't have S/G lists.
1284 	 */
1285 	if ((tm->cm_flags & MPS_CM_FLAGS_ERROR_MASK) != 0) {
1286 		mps_dprint(sc, MPS_ERROR,"%s: cm_flags = %#x for target reset! "
1287 			   "This should not happen!\n", __func__, tm->cm_flags);
1288 		mpssas_free_tm(sc, tm);
1289 		return;
1290 	}
1291 
1292 	if (reply == NULL) {
1293 		mps_dprint(sc, MPS_RECOVERY,
1294 		    "NULL target reset reply for tm %pi TaskMID %u\n",
1295 		    tm, le16toh(req->TaskMID));
1296 		if ((sc->mps_flags & MPS_FLAGS_DIAGRESET) != 0) {
1297 			/* this completion was due to a reset, just cleanup */
1298 			mps_dprint(sc, MPS_RECOVERY, "Hardware undergoing "
1299 			    "reset, ignoring NULL target reset reply\n");
1300 			targ->tm = NULL;
1301 			mpssas_free_tm(sc, tm);
1302 		} else {
1303 			/* we should have gotten a reply. */
1304 			mps_dprint(sc, MPS_INFO|MPS_RECOVERY, "NULL reply on "
1305 			    "target reset attempt, resetting controller\n");
1306 			mps_reinit(sc);
1307 		}
1308 		return;
1309 	}
1310 
1311 	mps_dprint(sc, MPS_RECOVERY,
1312 	    "target reset status 0x%x code 0x%x count %u\n",
1313 	    le16toh(reply->IOCStatus), le32toh(reply->ResponseCode),
1314 	    le32toh(reply->TerminationCount));
1315 
1316 	if (targ->outstanding == 0) {
1317 		/* we've finished recovery for this target and all
1318 		 * of its logical units.
1319 		 */
1320 		mps_dprint(sc, MPS_RECOVERY|MPS_INFO,
1321 		    "Finished reset recovery for target %u\n", targ->tid);
1322 
1323 		mpssas_announce_reset(sc, AC_SENT_BDR, tm->cm_targ->tid,
1324 		    CAM_LUN_WILDCARD);
1325 
1326 		targ->tm = NULL;
1327 		mpssas_free_tm(sc, tm);
1328 	} else {
1329 		/*
1330 		 * After a target reset, if this target still has
1331 		 * outstanding commands, the reset effectively failed,
1332 		 * regardless of the status reported.  escalate.
1333 		 */
1334 		mps_dprint(sc, MPS_INFO|MPS_RECOVERY,
1335 		    "Target reset complete for target %u, but still have %u "
1336 		    "command(s), resetting controller\n", targ->tid,
1337 		    targ->outstanding);
1338 		mps_reinit(sc);
1339 	}
1340 }
1341 
1342 #define MPS_RESET_TIMEOUT 30
1343 
1344 int
1345 mpssas_send_reset(struct mps_softc *sc, struct mps_command *tm, uint8_t type)
1346 {
1347 	MPI2_SCSI_TASK_MANAGE_REQUEST *req;
1348 	struct mpssas_target *target;
1349 	int err;
1350 
1351 	target = tm->cm_targ;
1352 	if (target->handle == 0) {
1353 		mps_dprint(sc, MPS_ERROR,"%s null devhandle for target_id %d\n",
1354 		    __func__, target->tid);
1355 		return -1;
1356 	}
1357 
1358 	req = (MPI2_SCSI_TASK_MANAGE_REQUEST *)tm->cm_req;
1359 	req->DevHandle = htole16(target->handle);
1360 	req->TaskType = type;
1361 
1362 	if (type == MPI2_SCSITASKMGMT_TASKTYPE_LOGICAL_UNIT_RESET) {
1363 		/* XXX Need to handle invalid LUNs */
1364 		MPS_SET_LUN(req->LUN, tm->cm_lun);
1365 		tm->cm_targ->logical_unit_resets++;
1366 		mps_dprint(sc, MPS_RECOVERY|MPS_INFO,
1367 		    "Sending logical unit reset to target %u lun %d\n",
1368 		    target->tid, tm->cm_lun);
1369 		tm->cm_complete = mpssas_logical_unit_reset_complete;
1370 		mpssas_prepare_for_tm(sc, tm, target, tm->cm_lun);
1371 	} else if (type == MPI2_SCSITASKMGMT_TASKTYPE_TARGET_RESET) {
1372 		/*
1373 		 * Target reset method =
1374 		 * 	SAS Hard Link Reset / SATA Link Reset
1375 		 */
1376 		req->MsgFlags = MPI2_SCSITASKMGMT_MSGFLAGS_LINK_RESET;
1377 		tm->cm_targ->target_resets++;
1378 		mps_dprint(sc, MPS_RECOVERY|MPS_INFO,
1379 		    "Sending target reset to target %u\n", target->tid);
1380 		tm->cm_complete = mpssas_target_reset_complete;
1381 		mpssas_prepare_for_tm(sc, tm, target, CAM_LUN_WILDCARD);
1382 	} else {
1383 		mps_dprint(sc, MPS_ERROR, "unexpected reset type 0x%x\n", type);
1384 		return -1;
1385 	}
1386 
1387 	tm->cm_data = NULL;
1388 	tm->cm_complete_data = (void *)tm;
1389 
1390 	callout_reset(&tm->cm_callout, MPS_RESET_TIMEOUT * hz,
1391 	    mpssas_tm_timeout, tm);
1392 
1393 	err = mps_map_command(sc, tm);
1394 	if (err)
1395 		mps_dprint(sc, MPS_ERROR|MPS_RECOVERY,
1396 		    "error %d sending reset type %u\n",
1397 		    err, type);
1398 
1399 	return err;
1400 }
1401 
1402 static void
1403 mpssas_abort_complete(struct mps_softc *sc, struct mps_command *tm)
1404 {
1405 	struct mps_command *cm;
1406 	MPI2_SCSI_TASK_MANAGE_REPLY *reply;
1407 	MPI2_SCSI_TASK_MANAGE_REQUEST *req;
1408 	struct mpssas_target *targ;
1409 
1410 	callout_stop(&tm->cm_callout);
1411 
1412 	req = (MPI2_SCSI_TASK_MANAGE_REQUEST *)tm->cm_req;
1413 	reply = (MPI2_SCSI_TASK_MANAGE_REPLY *)tm->cm_reply;
1414 	targ = tm->cm_targ;
1415 
1416 	/*
1417 	 * Currently there should be no way we can hit this case.  It only
1418 	 * happens when we have a failure to allocate chain frames, and
1419 	 * task management commands don't have S/G lists.
1420 	 */
1421 	if ((tm->cm_flags & MPS_CM_FLAGS_ERROR_MASK) != 0) {
1422 		mps_dprint(sc, MPS_RECOVERY,
1423 		    "cm_flags = %#x for abort %p TaskMID %u!\n",
1424 		    tm->cm_flags, tm, le16toh(req->TaskMID));
1425 		mpssas_free_tm(sc, tm);
1426 		return;
1427 	}
1428 
1429 	if (reply == NULL) {
1430 		mps_dprint(sc, MPS_RECOVERY,
1431 		    "NULL abort reply for tm %p TaskMID %u\n",
1432 		    tm, le16toh(req->TaskMID));
1433 		if ((sc->mps_flags & MPS_FLAGS_DIAGRESET) != 0) {
1434 			/* this completion was due to a reset, just cleanup */
1435 			mps_dprint(sc, MPS_RECOVERY, "Hardware undergoing "
1436 			    "reset, ignoring NULL abort reply\n");
1437 			targ->tm = NULL;
1438 			mpssas_free_tm(sc, tm);
1439 		} else {
1440 			/* we should have gotten a reply. */
1441 			mps_dprint(sc, MPS_INFO|MPS_RECOVERY, "NULL reply on "
1442 			    "abort attempt, resetting controller\n");
1443 			mps_reinit(sc);
1444 		}
1445 		return;
1446 	}
1447 
1448 	mps_dprint(sc, MPS_RECOVERY,
1449 	    "abort TaskMID %u status 0x%x code 0x%x count %u\n",
1450 	    le16toh(req->TaskMID),
1451 	    le16toh(reply->IOCStatus), le32toh(reply->ResponseCode),
1452 	    le32toh(reply->TerminationCount));
1453 
1454 	cm = TAILQ_FIRST(&tm->cm_targ->timedout_commands);
1455 	if (cm == NULL) {
1456 		/*
1457 		 * If there are no more timedout commands, we're done with
1458 		 * error recovery for this target.
1459 		 */
1460 		mps_dprint(sc, MPS_INFO|MPS_RECOVERY,
1461 		    "Finished abort recovery for target %u\n", targ->tid);
1462 
1463 		targ->tm = NULL;
1464 		mpssas_free_tm(sc, tm);
1465 	} else if (le16toh(req->TaskMID) != cm->cm_desc.Default.SMID) {
1466 		/* abort success, but we have more timedout commands to abort */
1467 		mps_dprint(sc, MPS_INFO|MPS_RECOVERY,
1468 		    "Continuing abort recovery for target %u\n", targ->tid);
1469 
1470 		mpssas_send_abort(sc, tm, cm);
1471 	} else {
1472 		/* we didn't get a command completion, so the abort
1473 		 * failed as far as we're concerned.  escalate.
1474 		 */
1475 		mps_dprint(sc, MPS_RECOVERY,
1476 		    "Abort failed for target %u, sending logical unit reset\n",
1477 		    targ->tid);
1478 
1479 		mpssas_send_reset(sc, tm,
1480 		    MPI2_SCSITASKMGMT_TASKTYPE_LOGICAL_UNIT_RESET);
1481 	}
1482 }
1483 
1484 #define MPS_ABORT_TIMEOUT 5
1485 
1486 static int
1487 mpssas_send_abort(struct mps_softc *sc, struct mps_command *tm, struct mps_command *cm)
1488 {
1489 	MPI2_SCSI_TASK_MANAGE_REQUEST *req;
1490 	struct mpssas_target *targ;
1491 	int err;
1492 
1493 	targ = cm->cm_targ;
1494 	if (targ->handle == 0) {
1495 		mps_dprint(sc, MPS_ERROR|MPS_RECOVERY,
1496 		    "%s null devhandle for target_id %d\n",
1497 		    __func__, cm->cm_ccb->ccb_h.target_id);
1498 		return -1;
1499 	}
1500 
1501 	mpssas_log_command(cm, MPS_RECOVERY|MPS_INFO,
1502 	    "Aborting command %p\n", cm);
1503 
1504 	req = (MPI2_SCSI_TASK_MANAGE_REQUEST *)tm->cm_req;
1505 	req->DevHandle = htole16(targ->handle);
1506 	req->TaskType = MPI2_SCSITASKMGMT_TASKTYPE_ABORT_TASK;
1507 
1508 	/* XXX Need to handle invalid LUNs */
1509 	MPS_SET_LUN(req->LUN, cm->cm_ccb->ccb_h.target_lun);
1510 
1511 	req->TaskMID = htole16(cm->cm_desc.Default.SMID);
1512 
1513 	tm->cm_data = NULL;
1514 	tm->cm_complete = mpssas_abort_complete;
1515 	tm->cm_complete_data = (void *)tm;
1516 	tm->cm_targ = cm->cm_targ;
1517 	tm->cm_lun = cm->cm_lun;
1518 
1519 	callout_reset(&tm->cm_callout, MPS_ABORT_TIMEOUT * hz,
1520 	    mpssas_tm_timeout, tm);
1521 
1522 	targ->aborts++;
1523 
1524 	mpssas_prepare_for_tm(sc, tm, targ, tm->cm_lun);
1525 
1526 	err = mps_map_command(sc, tm);
1527 	if (err)
1528 		mps_dprint(sc, MPS_ERROR|MPS_RECOVERY,
1529 		    "error %d sending abort for cm %p SMID %u\n",
1530 		    err, cm, req->TaskMID);
1531 	return err;
1532 }
1533 
1534 static void
1535 mpssas_scsiio_timeout(void *data)
1536 {
1537 	sbintime_t elapsed, now;
1538 	union ccb *ccb;
1539 	struct mps_softc *sc;
1540 	struct mps_command *cm;
1541 	struct mpssas_target *targ;
1542 
1543 	cm = (struct mps_command *)data;
1544 	sc = cm->cm_sc;
1545 	ccb = cm->cm_ccb;
1546 	now = sbinuptime();
1547 
1548 	MPS_FUNCTRACE(sc);
1549 	mtx_assert(&sc->mps_mtx, MA_OWNED);
1550 
1551 	mps_dprint(sc, MPS_XINFO|MPS_RECOVERY, "Timeout checking cm %p\n", cm);
1552 
1553 	/*
1554 	 * Run the interrupt handler to make sure it's not pending.  This
1555 	 * isn't perfect because the command could have already completed
1556 	 * and been re-used, though this is unlikely.
1557 	 */
1558 	mps_intr_locked(sc);
1559 	if (cm->cm_flags & MPS_CM_FLAGS_ON_RECOVERY) {
1560 		mpssas_log_command(cm, MPS_XINFO,
1561 		    "SCSI command %p almost timed out\n", cm);
1562 		return;
1563 	}
1564 
1565 	if (cm->cm_ccb == NULL) {
1566 		mps_dprint(sc, MPS_ERROR, "command timeout with NULL ccb\n");
1567 		return;
1568 	}
1569 
1570 	targ = cm->cm_targ;
1571 	targ->timeouts++;
1572 
1573 	elapsed = now - ccb->ccb_h.qos.sim_data;
1574 	mpssas_log_command(cm, MPS_INFO|MPS_RECOVERY,
1575 	    "Command timeout on target %u(0x%04x) %d set, %d.%d elapsed\n",
1576 	    targ->tid, targ->handle, ccb->ccb_h.timeout,
1577 	    sbintime_getsec(elapsed), elapsed & 0xffffffff);
1578 
1579 	/* XXX first, check the firmware state, to see if it's still
1580 	 * operational.  if not, do a diag reset.
1581 	 */
1582 	mpssas_set_ccbstatus(cm->cm_ccb, CAM_CMD_TIMEOUT);
1583 	cm->cm_flags |= MPS_CM_FLAGS_ON_RECOVERY | MPS_CM_FLAGS_TIMEDOUT;
1584 	TAILQ_INSERT_TAIL(&targ->timedout_commands, cm, cm_recovery);
1585 
1586 	if (targ->tm != NULL) {
1587 		/* target already in recovery, just queue up another
1588 		 * timedout command to be processed later.
1589 		 */
1590 		mps_dprint(sc, MPS_RECOVERY,
1591 		    "queued timedout cm %p for processing by tm %p\n",
1592 		    cm, targ->tm);
1593 	} else if ((targ->tm = mpssas_alloc_tm(sc)) != NULL) {
1594 		mps_dprint(sc, MPS_RECOVERY|MPS_INFO,
1595 		    "Sending abort to target %u for SMID %d\n", targ->tid,
1596 		    cm->cm_desc.Default.SMID);
1597 		mps_dprint(sc, MPS_RECOVERY, "timedout cm %p allocated tm %p\n",
1598 		    cm, targ->tm);
1599 
1600 		/* start recovery by aborting the first timedout command */
1601 		mpssas_send_abort(sc, targ->tm, cm);
1602 	} else {
1603 		/* XXX queue this target up for recovery once a TM becomes
1604 		 * available.  The firmware only has a limited number of
1605 		 * HighPriority credits for the high priority requests used
1606 		 * for task management, and we ran out.
1607 		 *
1608 		 * Isilon: don't worry about this for now, since we have
1609 		 * more credits than disks in an enclosure, and limit
1610 		 * ourselves to one TM per target for recovery.
1611 		 */
1612 		mps_dprint(sc, MPS_ERROR|MPS_RECOVERY,
1613 		    "timedout cm %p failed to allocate a tm\n", cm);
1614 	}
1615 
1616 }
1617 
1618 static void
1619 mpssas_action_scsiio(struct mpssas_softc *sassc, union ccb *ccb)
1620 {
1621 	MPI2_SCSI_IO_REQUEST *req;
1622 	struct ccb_scsiio *csio;
1623 	struct mps_softc *sc;
1624 	struct mpssas_target *targ;
1625 	struct mpssas_lun *lun;
1626 	struct mps_command *cm;
1627 	uint8_t i, lba_byte, *ref_tag_addr;
1628 	uint16_t eedp_flags;
1629 	uint32_t mpi_control;
1630 
1631 	sc = sassc->sc;
1632 	MPS_FUNCTRACE(sc);
1633 	mtx_assert(&sc->mps_mtx, MA_OWNED);
1634 
1635 	csio = &ccb->csio;
1636 	KASSERT(csio->ccb_h.target_id < sassc->maxtargets,
1637 	    ("Target %d out of bounds in XPT_SCSI_IO\n",
1638 	     csio->ccb_h.target_id));
1639 	targ = &sassc->targets[csio->ccb_h.target_id];
1640 	mps_dprint(sc, MPS_TRACE, "ccb %p target flag %x\n", ccb, targ->flags);
1641 	if (targ->handle == 0x0) {
1642 		if (targ->flags & MPSSAS_TARGET_INDIAGRESET) {
1643 			mps_dprint(sc, MPS_ERROR,
1644 			    "%s NULL handle for target %u in diag reset freezing queue\n",
1645 			    __func__, csio->ccb_h.target_id);
1646 			ccb->ccb_h.status = CAM_REQUEUE_REQ | CAM_DEV_QFRZN;
1647 			xpt_freeze_devq(ccb->ccb_h.path, 1);
1648 			xpt_done(ccb);
1649 			return;
1650 		}
1651 		mps_dprint(sc, MPS_ERROR, "%s NULL handle for target %u\n",
1652 		    __func__, csio->ccb_h.target_id);
1653 		mpssas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
1654 		xpt_done(ccb);
1655 		return;
1656 	}
1657 	if (targ->flags & MPS_TARGET_FLAGS_RAID_COMPONENT) {
1658 		mps_dprint(sc, MPS_ERROR, "%s Raid component no SCSI IO "
1659 		    "supported %u\n", __func__, csio->ccb_h.target_id);
1660 		mpssas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
1661 		xpt_done(ccb);
1662 		return;
1663 	}
1664 	/*
1665 	 * Sometimes, it is possible to get a command that is not "In
1666 	 * Progress" and was actually aborted by the upper layer.  Check for
1667 	 * this here and complete the command without error.
1668 	 */
1669 	if (mpssas_get_ccbstatus(ccb) != CAM_REQ_INPROG) {
1670 		mps_dprint(sc, MPS_TRACE, "%s Command is not in progress for "
1671 		    "target %u\n", __func__, csio->ccb_h.target_id);
1672 		xpt_done(ccb);
1673 		return;
1674 	}
1675 	/*
1676 	 * If devinfo is 0 this will be a volume.  In that case don't tell CAM
1677 	 * that the volume has timed out.  We want volumes to be enumerated
1678 	 * until they are deleted/removed, not just failed. In either event,
1679 	 * we're removing the target due to a firmware event telling us
1680 	 * the device is now gone (as opposed to some transient event). Since
1681 	 * we're opting to remove failed devices from the OS's view, we need
1682 	 * to propagate that status up the stack.
1683 	 */
1684 	if (targ->flags & MPSSAS_TARGET_INREMOVAL) {
1685 		if (targ->devinfo == 0)
1686 			mpssas_set_ccbstatus(ccb, CAM_REQ_CMP);
1687 		else
1688 			mpssas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
1689 		xpt_done(ccb);
1690 		return;
1691 	}
1692 
1693 	if ((sc->mps_flags & MPS_FLAGS_SHUTDOWN) != 0) {
1694 		mps_dprint(sc, MPS_INFO, "%s shutting down\n", __func__);
1695 		mpssas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
1696 		xpt_done(ccb);
1697 		return;
1698 	}
1699 
1700 	/*
1701 	 * If target has a reset in progress, the devq should be frozen.
1702 	 * Geting here we likely hit a race, so just requeue.
1703 	 */
1704 	if (targ->flags & MPSSAS_TARGET_INRESET) {
1705 		ccb->ccb_h.status = CAM_REQUEUE_REQ | CAM_DEV_QFRZN;
1706 		mps_dprint(sc, MPS_INFO, "%s: Freezing devq for target ID %d\n",
1707 		    __func__, targ->tid);
1708 		xpt_freeze_devq(ccb->ccb_h.path, 1);
1709 		xpt_done(ccb);
1710 		return;
1711 	}
1712 
1713 	cm = mps_alloc_command(sc);
1714 	if (cm == NULL || (sc->mps_flags & MPS_FLAGS_DIAGRESET)) {
1715 		if (cm != NULL) {
1716 			mps_free_command(sc, cm);
1717 		}
1718 		if ((sassc->flags & MPSSAS_QUEUE_FROZEN) == 0) {
1719 			xpt_freeze_simq(sassc->sim, 1);
1720 			sassc->flags |= MPSSAS_QUEUE_FROZEN;
1721 		}
1722 		ccb->ccb_h.status &= ~CAM_SIM_QUEUED;
1723 		ccb->ccb_h.status |= CAM_REQUEUE_REQ;
1724 		xpt_done(ccb);
1725 		return;
1726 	}
1727 
1728 	req = (MPI2_SCSI_IO_REQUEST *)cm->cm_req;
1729 	bzero(req, sizeof(*req));
1730 	req->DevHandle = htole16(targ->handle);
1731 	req->Function = MPI2_FUNCTION_SCSI_IO_REQUEST;
1732 	req->MsgFlags = 0;
1733 	req->SenseBufferLowAddress = htole32(cm->cm_sense_busaddr);
1734 	req->SenseBufferLength = MPS_SENSE_LEN;
1735 	req->SGLFlags = 0;
1736 	req->ChainOffset = 0;
1737 	req->SGLOffset0 = 24;	/* 32bit word offset to the SGL */
1738 	req->SGLOffset1= 0;
1739 	req->SGLOffset2= 0;
1740 	req->SGLOffset3= 0;
1741 	req->SkipCount = 0;
1742 	req->DataLength = htole32(csio->dxfer_len);
1743 	req->BidirectionalDataLength = 0;
1744 	req->IoFlags = htole16(csio->cdb_len);
1745 	req->EEDPFlags = 0;
1746 
1747 	/* Note: BiDirectional transfers are not supported */
1748 	switch (csio->ccb_h.flags & CAM_DIR_MASK) {
1749 	case CAM_DIR_IN:
1750 		mpi_control = MPI2_SCSIIO_CONTROL_READ;
1751 		cm->cm_flags |= MPS_CM_FLAGS_DATAIN;
1752 		break;
1753 	case CAM_DIR_OUT:
1754 		mpi_control = MPI2_SCSIIO_CONTROL_WRITE;
1755 		cm->cm_flags |= MPS_CM_FLAGS_DATAOUT;
1756 		break;
1757 	case CAM_DIR_NONE:
1758 	default:
1759 		mpi_control = MPI2_SCSIIO_CONTROL_NODATATRANSFER;
1760 		break;
1761 	}
1762 
1763 	if (csio->cdb_len == 32)
1764                 mpi_control |= 4 << MPI2_SCSIIO_CONTROL_ADDCDBLEN_SHIFT;
1765 	/*
1766 	 * It looks like the hardware doesn't require an explicit tag
1767 	 * number for each transaction.  SAM Task Management not supported
1768 	 * at the moment.
1769 	 */
1770 	switch (csio->tag_action) {
1771 	case MSG_HEAD_OF_Q_TAG:
1772 		mpi_control |= MPI2_SCSIIO_CONTROL_HEADOFQ;
1773 		break;
1774 	case MSG_ORDERED_Q_TAG:
1775 		mpi_control |= MPI2_SCSIIO_CONTROL_ORDEREDQ;
1776 		break;
1777 	case MSG_ACA_TASK:
1778 		mpi_control |= MPI2_SCSIIO_CONTROL_ACAQ;
1779 		break;
1780 	case CAM_TAG_ACTION_NONE:
1781 	case MSG_SIMPLE_Q_TAG:
1782 	default:
1783 		mpi_control |= MPI2_SCSIIO_CONTROL_SIMPLEQ;
1784 		break;
1785 	}
1786 	mpi_control |= (csio->priority << MPI2_SCSIIO_CONTROL_TASKPRI_SHIFT) &
1787 	    MPI2_SCSIIO_CONTROL_TASKPRI_MASK;
1788 	mpi_control |= sc->mapping_table[csio->ccb_h.target_id].TLR_bits;
1789 	req->Control = htole32(mpi_control);
1790 	if (MPS_SET_LUN(req->LUN, csio->ccb_h.target_lun) != 0) {
1791 		mps_free_command(sc, cm);
1792 		mpssas_set_ccbstatus(ccb, CAM_LUN_INVALID);
1793 		xpt_done(ccb);
1794 		return;
1795 	}
1796 
1797 	if (csio->ccb_h.flags & CAM_CDB_POINTER)
1798 		bcopy(csio->cdb_io.cdb_ptr, &req->CDB.CDB32[0], csio->cdb_len);
1799 	else
1800 		bcopy(csio->cdb_io.cdb_bytes, &req->CDB.CDB32[0],csio->cdb_len);
1801 	req->IoFlags = htole16(csio->cdb_len);
1802 
1803 	/*
1804 	 * Check if EEDP is supported and enabled.  If it is then check if the
1805 	 * SCSI opcode could be using EEDP.  If so, make sure the LUN exists and
1806 	 * is formatted for EEDP support.  If all of this is true, set CDB up
1807 	 * for EEDP transfer.
1808 	 */
1809 	eedp_flags = op_code_prot[req->CDB.CDB32[0]];
1810 	if (sc->eedp_enabled && eedp_flags) {
1811 		SLIST_FOREACH(lun, &targ->luns, lun_link) {
1812 			if (lun->lun_id == csio->ccb_h.target_lun) {
1813 				break;
1814 			}
1815 		}
1816 
1817 		if ((lun != NULL) && (lun->eedp_formatted)) {
1818 			req->EEDPBlockSize = htole16(lun->eedp_block_size);
1819 			eedp_flags |= (MPI2_SCSIIO_EEDPFLAGS_INC_PRI_REFTAG |
1820 			    MPI2_SCSIIO_EEDPFLAGS_CHECK_REFTAG |
1821 			    MPI2_SCSIIO_EEDPFLAGS_CHECK_GUARD);
1822 			req->EEDPFlags = htole16(eedp_flags);
1823 
1824 			/*
1825 			 * If CDB less than 32, fill in Primary Ref Tag with
1826 			 * low 4 bytes of LBA.  If CDB is 32, tag stuff is
1827 			 * already there.  Also, set protection bit.  FreeBSD
1828 			 * currently does not support CDBs bigger than 16, but
1829 			 * the code doesn't hurt, and will be here for the
1830 			 * future.
1831 			 */
1832 			if (csio->cdb_len != 32) {
1833 				lba_byte = (csio->cdb_len == 16) ? 6 : 2;
1834 				ref_tag_addr = (uint8_t *)&req->CDB.EEDP32.
1835 				    PrimaryReferenceTag;
1836 				for (i = 0; i < 4; i++) {
1837 					*ref_tag_addr =
1838 					    req->CDB.CDB32[lba_byte + i];
1839 					ref_tag_addr++;
1840 				}
1841 				req->CDB.EEDP32.PrimaryReferenceTag =
1842 					htole32(req->CDB.EEDP32.PrimaryReferenceTag);
1843 				req->CDB.EEDP32.PrimaryApplicationTagMask =
1844 				    0xFFFF;
1845 				req->CDB.CDB32[1] = (req->CDB.CDB32[1] & 0x1F) |
1846 				    0x20;
1847 			} else {
1848 				eedp_flags |=
1849 				    MPI2_SCSIIO_EEDPFLAGS_INC_PRI_APPTAG;
1850 				req->EEDPFlags = htole16(eedp_flags);
1851 				req->CDB.CDB32[10] = (req->CDB.CDB32[10] &
1852 				    0x1F) | 0x20;
1853 			}
1854 		}
1855 	}
1856 
1857 	cm->cm_length = csio->dxfer_len;
1858 	if (cm->cm_length != 0) {
1859 		cm->cm_data = ccb;
1860 		cm->cm_flags |= MPS_CM_FLAGS_USE_CCB;
1861 	} else {
1862 		cm->cm_data = NULL;
1863 	}
1864 	cm->cm_sge = &req->SGL;
1865 	cm->cm_sglsize = (32 - 24) * 4;
1866 	cm->cm_desc.SCSIIO.RequestFlags = MPI2_REQ_DESCRIPT_FLAGS_SCSI_IO;
1867 	cm->cm_desc.SCSIIO.DevHandle = htole16(targ->handle);
1868 	cm->cm_complete = mpssas_scsiio_complete;
1869 	cm->cm_complete_data = ccb;
1870 	cm->cm_targ = targ;
1871 	cm->cm_lun = csio->ccb_h.target_lun;
1872 	cm->cm_ccb = ccb;
1873 
1874 	/*
1875 	 * If HBA is a WD and the command is not for a retry, try to build a
1876 	 * direct I/O message. If failed, or the command is for a retry, send
1877 	 * the I/O to the IR volume itself.
1878 	 */
1879 	if (sc->WD_valid_config) {
1880 		if (ccb->ccb_h.sim_priv.entries[0].field == MPS_WD_RETRY) {
1881 			mpssas_direct_drive_io(sassc, cm, ccb);
1882 		} else {
1883 			mpssas_set_ccbstatus(ccb, CAM_REQ_INPROG);
1884 		}
1885 	}
1886 
1887 #if defined(BUF_TRACKING) || defined(FULL_BUF_TRACKING)
1888 	if (csio->bio != NULL)
1889 		biotrack(csio->bio, __func__);
1890 #endif
1891 	csio->ccb_h.qos.sim_data = sbinuptime();
1892 	callout_reset_sbt(&cm->cm_callout, SBT_1MS * ccb->ccb_h.timeout, 0,
1893 	    mpssas_scsiio_timeout, cm, 0);
1894 
1895 	targ->issued++;
1896 	targ->outstanding++;
1897 	TAILQ_INSERT_TAIL(&targ->commands, cm, cm_link);
1898 	ccb->ccb_h.status |= CAM_SIM_QUEUED;
1899 
1900 	mpssas_log_command(cm, MPS_XINFO, "%s cm %p ccb %p outstanding %u\n",
1901 	    __func__, cm, ccb, targ->outstanding);
1902 
1903 	mps_map_command(sc, cm);
1904 	return;
1905 }
1906 
1907 /**
1908  * mps_sc_failed_io_info - translated non-succesfull SCSI_IO request
1909  */
1910 static void
1911 mps_sc_failed_io_info(struct mps_softc *sc, struct ccb_scsiio *csio,
1912     Mpi2SCSIIOReply_t *mpi_reply)
1913 {
1914 	u32 response_info;
1915 	u8 *response_bytes;
1916 	u16 ioc_status = le16toh(mpi_reply->IOCStatus) &
1917 	    MPI2_IOCSTATUS_MASK;
1918 	u8 scsi_state = mpi_reply->SCSIState;
1919 	u8 scsi_status = mpi_reply->SCSIStatus;
1920 	u32 log_info = le32toh(mpi_reply->IOCLogInfo);
1921 	const char *desc_ioc_state, *desc_scsi_status;
1922 
1923 	if (log_info == 0x31170000)
1924 		return;
1925 
1926 	desc_ioc_state = mps_describe_table(mps_iocstatus_string,
1927 	    ioc_status);
1928 	desc_scsi_status = mps_describe_table(mps_scsi_status_string,
1929 	    scsi_status);
1930 
1931 	mps_dprint(sc, MPS_XINFO, "\thandle(0x%04x), ioc_status(%s)(0x%04x)\n",
1932 	    le16toh(mpi_reply->DevHandle), desc_ioc_state, ioc_status);
1933 
1934 	/*
1935 	 *We can add more detail about underflow data here
1936 	 * TO-DO
1937 	 */
1938 	mps_dprint(sc, MPS_XINFO, "\tscsi_status(%s)(0x%02x), "
1939 	    "scsi_state %b\n", desc_scsi_status, scsi_status,
1940 	    scsi_state, "\20" "\1AutosenseValid" "\2AutosenseFailed"
1941 	    "\3NoScsiStatus" "\4Terminated" "\5Response InfoValid");
1942 
1943 	if (sc->mps_debug & MPS_XINFO &&
1944 		scsi_state & MPI2_SCSI_STATE_AUTOSENSE_VALID) {
1945 		mps_dprint(sc, MPS_XINFO, "-> Sense Buffer Data : Start :\n");
1946 		scsi_sense_print(csio);
1947 		mps_dprint(sc, MPS_XINFO, "-> Sense Buffer Data : End :\n");
1948 	}
1949 
1950 	if (scsi_state & MPI2_SCSI_STATE_RESPONSE_INFO_VALID) {
1951 		response_info = le32toh(mpi_reply->ResponseInfo);
1952 		response_bytes = (u8 *)&response_info;
1953 		mps_dprint(sc, MPS_XINFO, "response code(0x%1x): %s\n",
1954 		    response_bytes[0],
1955 		    mps_describe_table(mps_scsi_taskmgmt_string,
1956 		    response_bytes[0]));
1957 	}
1958 }
1959 
1960 static void
1961 mpssas_scsiio_complete(struct mps_softc *sc, struct mps_command *cm)
1962 {
1963 	MPI2_SCSI_IO_REPLY *rep;
1964 	union ccb *ccb;
1965 	struct ccb_scsiio *csio;
1966 	struct mpssas_softc *sassc;
1967 	struct scsi_vpd_supported_page_list *vpd_list = NULL;
1968 	u8 *TLR_bits, TLR_on;
1969 	int dir = 0, i;
1970 	u16 alloc_len;
1971 	struct mpssas_target *target;
1972 	target_id_t target_id;
1973 
1974 	MPS_FUNCTRACE(sc);
1975 	mps_dprint(sc, MPS_TRACE,
1976 	    "cm %p SMID %u ccb %p reply %p outstanding %u\n", cm,
1977 	    cm->cm_desc.Default.SMID, cm->cm_ccb, cm->cm_reply,
1978 	    cm->cm_targ->outstanding);
1979 
1980 	callout_stop(&cm->cm_callout);
1981 	mtx_assert(&sc->mps_mtx, MA_OWNED);
1982 
1983 	sassc = sc->sassc;
1984 	ccb = cm->cm_complete_data;
1985 	csio = &ccb->csio;
1986 	target_id = csio->ccb_h.target_id;
1987 	rep = (MPI2_SCSI_IO_REPLY *)cm->cm_reply;
1988 	/*
1989 	 * XXX KDM if the chain allocation fails, does it matter if we do
1990 	 * the sync and unload here?  It is simpler to do it in every case,
1991 	 * assuming it doesn't cause problems.
1992 	 */
1993 	if (cm->cm_data != NULL) {
1994 		if (cm->cm_flags & MPS_CM_FLAGS_DATAIN)
1995 			dir = BUS_DMASYNC_POSTREAD;
1996 		else if (cm->cm_flags & MPS_CM_FLAGS_DATAOUT)
1997 			dir = BUS_DMASYNC_POSTWRITE;
1998 		bus_dmamap_sync(sc->buffer_dmat, cm->cm_dmamap, dir);
1999 		bus_dmamap_unload(sc->buffer_dmat, cm->cm_dmamap);
2000 	}
2001 
2002 	cm->cm_targ->completed++;
2003 	cm->cm_targ->outstanding--;
2004 	TAILQ_REMOVE(&cm->cm_targ->commands, cm, cm_link);
2005 	ccb->ccb_h.status &= ~(CAM_STATUS_MASK | CAM_SIM_QUEUED);
2006 
2007 #if defined(BUF_TRACKING) || defined(FULL_BUF_TRACKING)
2008 	if (ccb->csio.bio != NULL)
2009 		biotrack(ccb->csio.bio, __func__);
2010 #endif
2011 
2012 	if (cm->cm_flags & MPS_CM_FLAGS_ON_RECOVERY) {
2013 		TAILQ_REMOVE(&cm->cm_targ->timedout_commands, cm, cm_recovery);
2014 		KASSERT(cm->cm_state == MPS_CM_STATE_BUSY,
2015 		    ("Not busy for CM_FLAGS_TIMEDOUT: %u\n", cm->cm_state));
2016 		cm->cm_flags &= ~MPS_CM_FLAGS_ON_RECOVERY;
2017 		if (cm->cm_reply != NULL)
2018 			mpssas_log_command(cm, MPS_RECOVERY,
2019 			    "completed timedout cm %p ccb %p during recovery "
2020 			    "ioc %x scsi %x state %x xfer %u\n",
2021 			    cm, cm->cm_ccb, le16toh(rep->IOCStatus),
2022 			    rep->SCSIStatus, rep->SCSIState,
2023 			    le32toh(rep->TransferCount));
2024 		else
2025 			mpssas_log_command(cm, MPS_RECOVERY,
2026 			    "completed timedout cm %p ccb %p during recovery\n",
2027 			    cm, cm->cm_ccb);
2028 	} else if (cm->cm_targ->tm != NULL) {
2029 		if (cm->cm_reply != NULL)
2030 			mpssas_log_command(cm, MPS_RECOVERY,
2031 			    "completed cm %p ccb %p during recovery "
2032 			    "ioc %x scsi %x state %x xfer %u\n",
2033 			    cm, cm->cm_ccb, le16toh(rep->IOCStatus),
2034 			    rep->SCSIStatus, rep->SCSIState,
2035 			    le32toh(rep->TransferCount));
2036 		else
2037 			mpssas_log_command(cm, MPS_RECOVERY,
2038 			    "completed cm %p ccb %p during recovery\n",
2039 			    cm, cm->cm_ccb);
2040 	} else if ((sc->mps_flags & MPS_FLAGS_DIAGRESET) != 0) {
2041 		mpssas_log_command(cm, MPS_RECOVERY,
2042 		    "reset completed cm %p ccb %p\n",
2043 		    cm, cm->cm_ccb);
2044 	}
2045 
2046 	if ((cm->cm_flags & MPS_CM_FLAGS_ERROR_MASK) != 0) {
2047 		/*
2048 		 * We ran into an error after we tried to map the command,
2049 		 * so we're getting a callback without queueing the command
2050 		 * to the hardware.  So we set the status here, and it will
2051 		 * be retained below.  We'll go through the "fast path",
2052 		 * because there can be no reply when we haven't actually
2053 		 * gone out to the hardware.
2054 		 */
2055 		mpssas_set_ccbstatus(ccb, CAM_REQUEUE_REQ);
2056 
2057 		/*
2058 		 * Currently the only error included in the mask is
2059 		 * MPS_CM_FLAGS_CHAIN_FAILED, which means we're out of
2060 		 * chain frames.  We need to freeze the queue until we get
2061 		 * a command that completed without this error, which will
2062 		 * hopefully have some chain frames attached that we can
2063 		 * use.  If we wanted to get smarter about it, we would
2064 		 * only unfreeze the queue in this condition when we're
2065 		 * sure that we're getting some chain frames back.  That's
2066 		 * probably unnecessary.
2067 		 */
2068 		if ((sassc->flags & MPSSAS_QUEUE_FROZEN) == 0) {
2069 			xpt_freeze_simq(sassc->sim, 1);
2070 			sassc->flags |= MPSSAS_QUEUE_FROZEN;
2071 			mps_dprint(sc, MPS_XINFO, "Error sending command, "
2072 				   "freezing SIM queue\n");
2073 		}
2074 	}
2075 
2076 	/*
2077 	 * If this is a Start Stop Unit command and it was issued by the driver
2078 	 * during shutdown, decrement the refcount to account for all of the
2079 	 * commands that were sent.  All SSU commands should be completed before
2080 	 * shutdown completes, meaning SSU_refcount will be 0 after SSU_started
2081 	 * is TRUE.
2082 	 */
2083 	if (sc->SSU_started && (csio->cdb_io.cdb_bytes[0] == START_STOP_UNIT)) {
2084 		mps_dprint(sc, MPS_INFO, "Decrementing SSU count.\n");
2085 		sc->SSU_refcount--;
2086 	}
2087 
2088 	/* Take the fast path to completion */
2089 	if (cm->cm_reply == NULL) {
2090 		if (mpssas_get_ccbstatus(ccb) == CAM_REQ_INPROG) {
2091 			if ((sc->mps_flags & MPS_FLAGS_DIAGRESET) != 0)
2092 				mpssas_set_ccbstatus(ccb, CAM_SCSI_BUS_RESET);
2093 			else {
2094 				mpssas_set_ccbstatus(ccb, CAM_REQ_CMP);
2095 				ccb->csio.scsi_status = SCSI_STATUS_OK;
2096 			}
2097 			if (sassc->flags & MPSSAS_QUEUE_FROZEN) {
2098 				ccb->ccb_h.status |= CAM_RELEASE_SIMQ;
2099 				sassc->flags &= ~MPSSAS_QUEUE_FROZEN;
2100 				mps_dprint(sc, MPS_XINFO,
2101 				    "Unfreezing SIM queue\n");
2102 			}
2103 		}
2104 
2105 		/*
2106 		 * There are two scenarios where the status won't be
2107 		 * CAM_REQ_CMP.  The first is if MPS_CM_FLAGS_ERROR_MASK is
2108 		 * set, the second is in the MPS_FLAGS_DIAGRESET above.
2109 		 */
2110 		if (mpssas_get_ccbstatus(ccb) != CAM_REQ_CMP) {
2111 			/*
2112 			 * Freeze the dev queue so that commands are
2113 			 * executed in the correct order after error
2114 			 * recovery.
2115 			 */
2116 			ccb->ccb_h.status |= CAM_DEV_QFRZN;
2117 			xpt_freeze_devq(ccb->ccb_h.path, /*count*/ 1);
2118 		}
2119 		mps_free_command(sc, cm);
2120 		xpt_done(ccb);
2121 		return;
2122 	}
2123 
2124 	mpssas_log_command(cm, MPS_XINFO,
2125 	    "ioc %x scsi %x state %x xfer %u\n",
2126 	    le16toh(rep->IOCStatus), rep->SCSIStatus, rep->SCSIState,
2127 	    le32toh(rep->TransferCount));
2128 
2129 	/*
2130 	 * If this is a Direct Drive I/O, reissue the I/O to the original IR
2131 	 * Volume if an error occurred (normal I/O retry).  Use the original
2132 	 * CCB, but set a flag that this will be a retry so that it's sent to
2133 	 * the original volume.  Free the command but reuse the CCB.
2134 	 */
2135 	if (cm->cm_flags & MPS_CM_FLAGS_DD_IO) {
2136 		mps_free_command(sc, cm);
2137 		ccb->ccb_h.sim_priv.entries[0].field = MPS_WD_RETRY;
2138 		mpssas_action_scsiio(sassc, ccb);
2139 		return;
2140 	} else
2141 		ccb->ccb_h.sim_priv.entries[0].field = 0;
2142 
2143 	switch (le16toh(rep->IOCStatus) & MPI2_IOCSTATUS_MASK) {
2144 	case MPI2_IOCSTATUS_SCSI_DATA_UNDERRUN:
2145 		csio->resid = cm->cm_length - le32toh(rep->TransferCount);
2146 		/* FALLTHROUGH */
2147 	case MPI2_IOCSTATUS_SUCCESS:
2148 	case MPI2_IOCSTATUS_SCSI_RECOVERED_ERROR:
2149 
2150 		if ((le16toh(rep->IOCStatus) & MPI2_IOCSTATUS_MASK) ==
2151 		    MPI2_IOCSTATUS_SCSI_RECOVERED_ERROR)
2152 			mpssas_log_command(cm, MPS_XINFO, "recovered error\n");
2153 
2154 		/* Completion failed at the transport level. */
2155 		if (rep->SCSIState & (MPI2_SCSI_STATE_NO_SCSI_STATUS |
2156 		    MPI2_SCSI_STATE_TERMINATED)) {
2157 			mpssas_set_ccbstatus(ccb, CAM_REQ_CMP_ERR);
2158 			break;
2159 		}
2160 
2161 		/* In a modern packetized environment, an autosense failure
2162 		 * implies that there's not much else that can be done to
2163 		 * recover the command.
2164 		 */
2165 		if (rep->SCSIState & MPI2_SCSI_STATE_AUTOSENSE_FAILED) {
2166 			mpssas_set_ccbstatus(ccb, CAM_AUTOSENSE_FAIL);
2167 			break;
2168 		}
2169 
2170 		/*
2171 		 * CAM doesn't care about SAS Response Info data, but if this is
2172 		 * the state check if TLR should be done.  If not, clear the
2173 		 * TLR_bits for the target.
2174 		 */
2175 		if ((rep->SCSIState & MPI2_SCSI_STATE_RESPONSE_INFO_VALID) &&
2176 		    ((le32toh(rep->ResponseInfo) &
2177 		    MPI2_SCSI_RI_MASK_REASONCODE) ==
2178 		    MPS_SCSI_RI_INVALID_FRAME)) {
2179 			sc->mapping_table[target_id].TLR_bits =
2180 			    (u8)MPI2_SCSIIO_CONTROL_NO_TLR;
2181 		}
2182 
2183 		/*
2184 		 * Intentionally override the normal SCSI status reporting
2185 		 * for these two cases.  These are likely to happen in a
2186 		 * multi-initiator environment, and we want to make sure that
2187 		 * CAM retries these commands rather than fail them.
2188 		 */
2189 		if ((rep->SCSIStatus == MPI2_SCSI_STATUS_COMMAND_TERMINATED) ||
2190 		    (rep->SCSIStatus == MPI2_SCSI_STATUS_TASK_ABORTED)) {
2191 			mpssas_set_ccbstatus(ccb, CAM_REQ_ABORTED);
2192 			break;
2193 		}
2194 
2195 		/* Handle normal status and sense */
2196 		csio->scsi_status = rep->SCSIStatus;
2197 		if (rep->SCSIStatus == MPI2_SCSI_STATUS_GOOD)
2198 			mpssas_set_ccbstatus(ccb, CAM_REQ_CMP);
2199 		else
2200 			mpssas_set_ccbstatus(ccb, CAM_SCSI_STATUS_ERROR);
2201 
2202 		if (rep->SCSIState & MPI2_SCSI_STATE_AUTOSENSE_VALID) {
2203 			int sense_len, returned_sense_len;
2204 
2205 			returned_sense_len = min(le32toh(rep->SenseCount),
2206 			    sizeof(struct scsi_sense_data));
2207 			if (returned_sense_len < ccb->csio.sense_len)
2208 				ccb->csio.sense_resid = ccb->csio.sense_len -
2209 					returned_sense_len;
2210 			else
2211 				ccb->csio.sense_resid = 0;
2212 
2213 			sense_len = min(returned_sense_len,
2214 			    ccb->csio.sense_len - ccb->csio.sense_resid);
2215 			bzero(&ccb->csio.sense_data,
2216 			      sizeof(ccb->csio.sense_data));
2217 			bcopy(cm->cm_sense, &ccb->csio.sense_data, sense_len);
2218 			ccb->ccb_h.status |= CAM_AUTOSNS_VALID;
2219 		}
2220 
2221 		/*
2222 		 * Check if this is an INQUIRY command.  If it's a VPD inquiry,
2223 		 * and it's page code 0 (Supported Page List), and there is
2224 		 * inquiry data, and this is for a sequential access device, and
2225 		 * the device is an SSP target, and TLR is supported by the
2226 		 * controller, turn the TLR_bits value ON if page 0x90 is
2227 		 * supported.
2228 		 */
2229 		if ((csio->cdb_io.cdb_bytes[0] == INQUIRY) &&
2230 		    (csio->cdb_io.cdb_bytes[1] & SI_EVPD) &&
2231 		    (csio->cdb_io.cdb_bytes[2] == SVPD_SUPPORTED_PAGE_LIST) &&
2232 		    ((csio->ccb_h.flags & CAM_DATA_MASK) == CAM_DATA_VADDR) &&
2233 		    (csio->data_ptr != NULL) &&
2234 		    ((csio->data_ptr[0] & 0x1f) == T_SEQUENTIAL) &&
2235 		    (sc->control_TLR) &&
2236 		    (sc->mapping_table[target_id].device_info &
2237 		    MPI2_SAS_DEVICE_INFO_SSP_TARGET)) {
2238 			vpd_list = (struct scsi_vpd_supported_page_list *)
2239 			    csio->data_ptr;
2240 			TLR_bits = &sc->mapping_table[target_id].TLR_bits;
2241 			*TLR_bits = (u8)MPI2_SCSIIO_CONTROL_NO_TLR;
2242 			TLR_on = (u8)MPI2_SCSIIO_CONTROL_TLR_ON;
2243 			alloc_len = ((u16)csio->cdb_io.cdb_bytes[3] << 8) +
2244 			    csio->cdb_io.cdb_bytes[4];
2245 			alloc_len -= csio->resid;
2246 			for (i = 0; i < MIN(vpd_list->length, alloc_len); i++) {
2247 				if (vpd_list->list[i] == 0x90) {
2248 					*TLR_bits = TLR_on;
2249 					break;
2250 				}
2251 			}
2252 		}
2253 
2254 		/*
2255 		 * If this is a SATA direct-access end device, mark it so that
2256 		 * a SCSI StartStopUnit command will be sent to it when the
2257 		 * driver is being shutdown.
2258 		 */
2259 		if ((csio->cdb_io.cdb_bytes[0] == INQUIRY) &&
2260 		    ((csio->data_ptr[0] & 0x1f) == T_DIRECT) &&
2261 		    (sc->mapping_table[target_id].device_info &
2262 		    MPI2_SAS_DEVICE_INFO_SATA_DEVICE) &&
2263 		    ((sc->mapping_table[target_id].device_info &
2264 		    MPI2_SAS_DEVICE_INFO_MASK_DEVICE_TYPE) ==
2265 		    MPI2_SAS_DEVICE_INFO_END_DEVICE)) {
2266 			target = &sassc->targets[target_id];
2267 			target->supports_SSU = TRUE;
2268 			mps_dprint(sc, MPS_XINFO, "Target %d supports SSU\n",
2269 			    target_id);
2270 		}
2271 		break;
2272 	case MPI2_IOCSTATUS_SCSI_INVALID_DEVHANDLE:
2273 	case MPI2_IOCSTATUS_SCSI_DEVICE_NOT_THERE:
2274 		/*
2275 		 * If devinfo is 0 this will be a volume.  In that case don't
2276 		 * tell CAM that the volume is not there.  We want volumes to
2277 		 * be enumerated until they are deleted/removed, not just
2278 		 * failed.
2279 		 */
2280 		if (cm->cm_targ->devinfo == 0)
2281 			mpssas_set_ccbstatus(ccb, CAM_REQ_CMP);
2282 		else
2283 			mpssas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
2284 		break;
2285 	case MPI2_IOCSTATUS_INVALID_SGL:
2286 		mps_print_scsiio_cmd(sc, cm);
2287 		mpssas_set_ccbstatus(ccb, CAM_UNREC_HBA_ERROR);
2288 		break;
2289 	case MPI2_IOCSTATUS_SCSI_TASK_TERMINATED:
2290 		/*
2291 		 * This is one of the responses that comes back when an I/O
2292 		 * has been aborted.  If it is because of a timeout that we
2293 		 * initiated, just set the status to CAM_CMD_TIMEOUT.
2294 		 * Otherwise set it to CAM_REQ_ABORTED.  The effect on the
2295 		 * command is the same (it gets retried, subject to the
2296 		 * retry counter), the only difference is what gets printed
2297 		 * on the console.
2298 		 */
2299 		if (cm->cm_flags & MPS_CM_FLAGS_TIMEDOUT)
2300 			mpssas_set_ccbstatus(ccb, CAM_CMD_TIMEOUT);
2301 		else
2302 			mpssas_set_ccbstatus(ccb, CAM_REQ_ABORTED);
2303 		break;
2304 	case MPI2_IOCSTATUS_SCSI_DATA_OVERRUN:
2305 		/* resid is ignored for this condition */
2306 		csio->resid = 0;
2307 		mpssas_set_ccbstatus(ccb, CAM_DATA_RUN_ERR);
2308 		break;
2309 	case MPI2_IOCSTATUS_SCSI_IOC_TERMINATED:
2310 	case MPI2_IOCSTATUS_SCSI_EXT_TERMINATED:
2311 		/*
2312 		 * These can sometimes be transient transport-related
2313 		 * errors, and sometimes persistent drive-related errors.
2314 		 * We used to retry these without decrementing the retry
2315 		 * count by returning CAM_REQUEUE_REQ.  Unfortunately, if
2316 		 * we hit a persistent drive problem that returns one of
2317 		 * these error codes, we would retry indefinitely.  So,
2318 		 * return CAM_REQ_CMP_ERROR so that we decrement the retry
2319 		 * count and avoid infinite retries.  We're taking the
2320 		 * potential risk of flagging false failures in the event
2321 		 * of a topology-related error (e.g. a SAS expander problem
2322 		 * causes a command addressed to a drive to fail), but
2323 		 * avoiding getting into an infinite retry loop. However,
2324 		 * if we get them while were moving a device, we should
2325 		 * fail the request as 'not there' because the device
2326 		 * is effectively gone.
2327 		 */
2328 		if (cm->cm_targ->flags & MPSSAS_TARGET_INREMOVAL)
2329 			mpssas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
2330 		else
2331 			mpssas_set_ccbstatus(ccb, CAM_REQ_CMP_ERR);
2332 		mps_dprint(sc, MPS_INFO,
2333 		    "Controller reported %s tgt %u SMID %u loginfo %x%s\n",
2334 		    mps_describe_table(mps_iocstatus_string,
2335 		    le16toh(rep->IOCStatus) & MPI2_IOCSTATUS_MASK),
2336 		    target_id, cm->cm_desc.Default.SMID,
2337 		    le32toh(rep->IOCLogInfo),
2338 		    (cm->cm_targ->flags & MPSSAS_TARGET_INREMOVAL) ? " departing" : "");
2339 		mps_dprint(sc, MPS_XINFO,
2340 		    "SCSIStatus %x SCSIState %x xfercount %u\n",
2341 		    rep->SCSIStatus, rep->SCSIState,
2342 		    le32toh(rep->TransferCount));
2343 		break;
2344 	case MPI2_IOCSTATUS_INVALID_FUNCTION:
2345 	case MPI2_IOCSTATUS_INTERNAL_ERROR:
2346 	case MPI2_IOCSTATUS_INVALID_VPID:
2347 	case MPI2_IOCSTATUS_INVALID_FIELD:
2348 	case MPI2_IOCSTATUS_INVALID_STATE:
2349 	case MPI2_IOCSTATUS_OP_STATE_NOT_SUPPORTED:
2350 	case MPI2_IOCSTATUS_SCSI_IO_DATA_ERROR:
2351 	case MPI2_IOCSTATUS_SCSI_PROTOCOL_ERROR:
2352 	case MPI2_IOCSTATUS_SCSI_RESIDUAL_MISMATCH:
2353 	case MPI2_IOCSTATUS_SCSI_TASK_MGMT_FAILED:
2354 	default:
2355 		mpssas_log_command(cm, MPS_XINFO,
2356 		    "completed ioc %x loginfo %x scsi %x state %x xfer %u\n",
2357 		    le16toh(rep->IOCStatus), le32toh(rep->IOCLogInfo),
2358 		    rep->SCSIStatus, rep->SCSIState,
2359 		    le32toh(rep->TransferCount));
2360 		csio->resid = cm->cm_length;
2361 		mpssas_set_ccbstatus(ccb, CAM_REQ_CMP_ERR);
2362 		break;
2363 	}
2364 
2365 	mps_sc_failed_io_info(sc,csio,rep);
2366 
2367 	if (sassc->flags & MPSSAS_QUEUE_FROZEN) {
2368 		ccb->ccb_h.status |= CAM_RELEASE_SIMQ;
2369 		sassc->flags &= ~MPSSAS_QUEUE_FROZEN;
2370 		mps_dprint(sc, MPS_XINFO, "Command completed, "
2371 		    "unfreezing SIM queue\n");
2372 	}
2373 
2374 	if (mpssas_get_ccbstatus(ccb) != CAM_REQ_CMP) {
2375 		ccb->ccb_h.status |= CAM_DEV_QFRZN;
2376 		xpt_freeze_devq(ccb->ccb_h.path, /*count*/ 1);
2377 	}
2378 
2379 	/*
2380 	 * Check to see if we're removing the device. If so, and this is the
2381 	 * last command on the queue, proceed with the deferred removal of the
2382 	 * device.  Note, for removing a volume, this won't trigger because
2383 	 * pending_remove_tm will be NULL.
2384 	 */
2385 	if (cm->cm_targ->flags & MPSSAS_TARGET_INREMOVAL) {
2386 		if (TAILQ_FIRST(&cm->cm_targ->commands) == NULL &&
2387 		    cm->cm_targ->pending_remove_tm != NULL) {
2388 			mps_dprint(sc, MPS_INFO,
2389 			    "Last pending command complete: starting remove_device target %u handle 0x%04x\n",
2390 			    cm->cm_targ->tid, cm->cm_targ->handle);
2391 			mps_map_command(sc, cm->cm_targ->pending_remove_tm);
2392 			cm->cm_targ->pending_remove_tm = NULL;
2393 		}
2394 	}
2395 
2396 	mps_free_command(sc, cm);
2397 	xpt_done(ccb);
2398 }
2399 
2400 /* All Request reached here are Endian safe */
2401 static void
2402 mpssas_direct_drive_io(struct mpssas_softc *sassc, struct mps_command *cm,
2403     union ccb *ccb) {
2404 	pMpi2SCSIIORequest_t	pIO_req;
2405 	struct mps_softc	*sc = sassc->sc;
2406 	uint64_t		virtLBA;
2407 	uint32_t		physLBA, stripe_offset, stripe_unit;
2408 	uint32_t		io_size, column;
2409 	uint8_t			*ptrLBA, lba_idx, physLBA_byte, *CDB;
2410 
2411 	/*
2412 	 * If this is a valid SCSI command (Read6, Read10, Read16, Write6,
2413 	 * Write10, or Write16), build a direct I/O message.  Otherwise, the I/O
2414 	 * will be sent to the IR volume itself.  Since Read6 and Write6 are a
2415 	 * bit different than the 10/16 CDBs, handle them separately.
2416 	 */
2417 	pIO_req = (pMpi2SCSIIORequest_t)cm->cm_req;
2418 	CDB = pIO_req->CDB.CDB32;
2419 
2420 	/*
2421 	 * Handle 6 byte CDBs.
2422 	 */
2423 	if ((pIO_req->DevHandle == sc->DD_dev_handle) && ((CDB[0] == READ_6) ||
2424 	    (CDB[0] == WRITE_6))) {
2425 		/*
2426 		 * Get the transfer size in blocks.
2427 		 */
2428 		io_size = (cm->cm_length >> sc->DD_block_exponent);
2429 
2430 		/*
2431 		 * Get virtual LBA given in the CDB.
2432 		 */
2433 		virtLBA = ((uint64_t)(CDB[1] & 0x1F) << 16) |
2434 		    ((uint64_t)CDB[2] << 8) | (uint64_t)CDB[3];
2435 
2436 		/*
2437 		 * Check that LBA range for I/O does not exceed volume's
2438 		 * MaxLBA.
2439 		 */
2440 		if ((virtLBA + (uint64_t)io_size - 1) <=
2441 		    sc->DD_max_lba) {
2442 			/*
2443 			 * Check if the I/O crosses a stripe boundary.  If not,
2444 			 * translate the virtual LBA to a physical LBA and set
2445 			 * the DevHandle for the PhysDisk to be used.  If it
2446 			 * does cross a boundary, do normal I/O.  To get the
2447 			 * right DevHandle to use, get the map number for the
2448 			 * column, then use that map number to look up the
2449 			 * DevHandle of the PhysDisk.
2450 			 */
2451 			stripe_offset = (uint32_t)virtLBA &
2452 			    (sc->DD_stripe_size - 1);
2453 			if ((stripe_offset + io_size) <= sc->DD_stripe_size) {
2454 				physLBA = (uint32_t)virtLBA >>
2455 				    sc->DD_stripe_exponent;
2456 				stripe_unit = physLBA / sc->DD_num_phys_disks;
2457 				column = physLBA % sc->DD_num_phys_disks;
2458 				pIO_req->DevHandle =
2459 				    htole16(sc->DD_column_map[column].dev_handle);
2460 				/* ???? Is this endian safe*/
2461 				cm->cm_desc.SCSIIO.DevHandle =
2462 				    pIO_req->DevHandle;
2463 
2464 				physLBA = (stripe_unit <<
2465 				    sc->DD_stripe_exponent) + stripe_offset;
2466 				ptrLBA = &pIO_req->CDB.CDB32[1];
2467 				physLBA_byte = (uint8_t)(physLBA >> 16);
2468 				*ptrLBA = physLBA_byte;
2469 				ptrLBA = &pIO_req->CDB.CDB32[2];
2470 				physLBA_byte = (uint8_t)(physLBA >> 8);
2471 				*ptrLBA = physLBA_byte;
2472 				ptrLBA = &pIO_req->CDB.CDB32[3];
2473 				physLBA_byte = (uint8_t)physLBA;
2474 				*ptrLBA = physLBA_byte;
2475 
2476 				/*
2477 				 * Set flag that Direct Drive I/O is
2478 				 * being done.
2479 				 */
2480 				cm->cm_flags |= MPS_CM_FLAGS_DD_IO;
2481 			}
2482 		}
2483 		return;
2484 	}
2485 
2486 	/*
2487 	 * Handle 10, 12 or 16 byte CDBs.
2488 	 */
2489 	if ((pIO_req->DevHandle == sc->DD_dev_handle) && ((CDB[0] == READ_10) ||
2490 	    (CDB[0] == WRITE_10) || (CDB[0] == READ_16) ||
2491 	    (CDB[0] == WRITE_16) || (CDB[0] == READ_12) ||
2492 	    (CDB[0] == WRITE_12))) {
2493 		/*
2494 		 * For 16-byte CDB's, verify that the upper 4 bytes of the CDB
2495 		 * are 0.  If not, this is accessing beyond 2TB so handle it in
2496 		 * the else section.  10-byte and 12-byte CDB's are OK.
2497 		 * FreeBSD sends very rare 12 byte READ/WRITE, but driver is
2498 		 * ready to accept 12byte CDB for Direct IOs.
2499 		 */
2500 		if ((CDB[0] == READ_10 || CDB[0] == WRITE_10) ||
2501 		    (CDB[0] == READ_12 || CDB[0] == WRITE_12) ||
2502 		    !(CDB[2] | CDB[3] | CDB[4] | CDB[5])) {
2503 			/*
2504 			 * Get the transfer size in blocks.
2505 			 */
2506 			io_size = (cm->cm_length >> sc->DD_block_exponent);
2507 
2508 			/*
2509 			 * Get virtual LBA.  Point to correct lower 4 bytes of
2510 			 * LBA in the CDB depending on command.
2511 			 */
2512 			lba_idx = ((CDB[0] == READ_12) ||
2513 				(CDB[0] == WRITE_12) ||
2514 				(CDB[0] == READ_10) ||
2515 				(CDB[0] == WRITE_10))? 2 : 6;
2516 			virtLBA = ((uint64_t)CDB[lba_idx] << 24) |
2517 			    ((uint64_t)CDB[lba_idx + 1] << 16) |
2518 			    ((uint64_t)CDB[lba_idx + 2] << 8) |
2519 			    (uint64_t)CDB[lba_idx + 3];
2520 
2521 			/*
2522 			 * Check that LBA range for I/O does not exceed volume's
2523 			 * MaxLBA.
2524 			 */
2525 			if ((virtLBA + (uint64_t)io_size - 1) <=
2526 			    sc->DD_max_lba) {
2527 				/*
2528 				 * Check if the I/O crosses a stripe boundary.
2529 				 * If not, translate the virtual LBA to a
2530 				 * physical LBA and set the DevHandle for the
2531 				 * PhysDisk to be used.  If it does cross a
2532 				 * boundary, do normal I/O.  To get the right
2533 				 * DevHandle to use, get the map number for the
2534 				 * column, then use that map number to look up
2535 				 * the DevHandle of the PhysDisk.
2536 				 */
2537 				stripe_offset = (uint32_t)virtLBA &
2538 				    (sc->DD_stripe_size - 1);
2539 				if ((stripe_offset + io_size) <=
2540 				    sc->DD_stripe_size) {
2541 					physLBA = (uint32_t)virtLBA >>
2542 					    sc->DD_stripe_exponent;
2543 					stripe_unit = physLBA /
2544 					    sc->DD_num_phys_disks;
2545 					column = physLBA %
2546 					    sc->DD_num_phys_disks;
2547 					pIO_req->DevHandle =
2548 					    htole16(sc->DD_column_map[column].
2549 					    dev_handle);
2550 					cm->cm_desc.SCSIIO.DevHandle =
2551 					    pIO_req->DevHandle;
2552 
2553 					physLBA = (stripe_unit <<
2554 					    sc->DD_stripe_exponent) +
2555 					    stripe_offset;
2556 					ptrLBA =
2557 					    &pIO_req->CDB.CDB32[lba_idx];
2558 					physLBA_byte = (uint8_t)(physLBA >> 24);
2559 					*ptrLBA = physLBA_byte;
2560 					ptrLBA =
2561 					    &pIO_req->CDB.CDB32[lba_idx + 1];
2562 					physLBA_byte = (uint8_t)(physLBA >> 16);
2563 					*ptrLBA = physLBA_byte;
2564 					ptrLBA =
2565 					    &pIO_req->CDB.CDB32[lba_idx + 2];
2566 					physLBA_byte = (uint8_t)(physLBA >> 8);
2567 					*ptrLBA = physLBA_byte;
2568 					ptrLBA =
2569 					    &pIO_req->CDB.CDB32[lba_idx + 3];
2570 					physLBA_byte = (uint8_t)physLBA;
2571 					*ptrLBA = physLBA_byte;
2572 
2573 					/*
2574 					 * Set flag that Direct Drive I/O is
2575 					 * being done.
2576 					 */
2577 					cm->cm_flags |= MPS_CM_FLAGS_DD_IO;
2578 				}
2579 			}
2580 		} else {
2581 			/*
2582 			 * 16-byte CDB and the upper 4 bytes of the CDB are not
2583 			 * 0.  Get the transfer size in blocks.
2584 			 */
2585 			io_size = (cm->cm_length >> sc->DD_block_exponent);
2586 
2587 			/*
2588 			 * Get virtual LBA.
2589 			 */
2590 			virtLBA = ((uint64_t)CDB[2] << 54) |
2591 			    ((uint64_t)CDB[3] << 48) |
2592 			    ((uint64_t)CDB[4] << 40) |
2593 			    ((uint64_t)CDB[5] << 32) |
2594 			    ((uint64_t)CDB[6] << 24) |
2595 			    ((uint64_t)CDB[7] << 16) |
2596 			    ((uint64_t)CDB[8] << 8) |
2597 			    (uint64_t)CDB[9];
2598 
2599 			/*
2600 			 * Check that LBA range for I/O does not exceed volume's
2601 			 * MaxLBA.
2602 			 */
2603 			if ((virtLBA + (uint64_t)io_size - 1) <=
2604 			    sc->DD_max_lba) {
2605 				/*
2606 				 * Check if the I/O crosses a stripe boundary.
2607 				 * If not, translate the virtual LBA to a
2608 				 * physical LBA and set the DevHandle for the
2609 				 * PhysDisk to be used.  If it does cross a
2610 				 * boundary, do normal I/O.  To get the right
2611 				 * DevHandle to use, get the map number for the
2612 				 * column, then use that map number to look up
2613 				 * the DevHandle of the PhysDisk.
2614 				 */
2615 				stripe_offset = (uint32_t)virtLBA &
2616 				    (sc->DD_stripe_size - 1);
2617 				if ((stripe_offset + io_size) <=
2618 				    sc->DD_stripe_size) {
2619 					physLBA = (uint32_t)(virtLBA >>
2620 					    sc->DD_stripe_exponent);
2621 					stripe_unit = physLBA /
2622 					    sc->DD_num_phys_disks;
2623 					column = physLBA %
2624 					    sc->DD_num_phys_disks;
2625 					pIO_req->DevHandle =
2626 					    htole16(sc->DD_column_map[column].
2627 					    dev_handle);
2628 					cm->cm_desc.SCSIIO.DevHandle =
2629 					    pIO_req->DevHandle;
2630 
2631 					physLBA = (stripe_unit <<
2632 					    sc->DD_stripe_exponent) +
2633 					    stripe_offset;
2634 
2635 					/*
2636 					 * Set upper 4 bytes of LBA to 0.  We
2637 					 * assume that the phys disks are less
2638 					 * than 2 TB's in size.  Then, set the
2639 					 * lower 4 bytes.
2640 					 */
2641 					pIO_req->CDB.CDB32[2] = 0;
2642 					pIO_req->CDB.CDB32[3] = 0;
2643 					pIO_req->CDB.CDB32[4] = 0;
2644 					pIO_req->CDB.CDB32[5] = 0;
2645 					ptrLBA = &pIO_req->CDB.CDB32[6];
2646 					physLBA_byte = (uint8_t)(physLBA >> 24);
2647 					*ptrLBA = physLBA_byte;
2648 					ptrLBA = &pIO_req->CDB.CDB32[7];
2649 					physLBA_byte = (uint8_t)(physLBA >> 16);
2650 					*ptrLBA = physLBA_byte;
2651 					ptrLBA = &pIO_req->CDB.CDB32[8];
2652 					physLBA_byte = (uint8_t)(physLBA >> 8);
2653 					*ptrLBA = physLBA_byte;
2654 					ptrLBA = &pIO_req->CDB.CDB32[9];
2655 					physLBA_byte = (uint8_t)physLBA;
2656 					*ptrLBA = physLBA_byte;
2657 
2658 					/*
2659 					 * Set flag that Direct Drive I/O is
2660 					 * being done.
2661 					 */
2662 					cm->cm_flags |= MPS_CM_FLAGS_DD_IO;
2663 				}
2664 			}
2665 		}
2666 	}
2667 }
2668 
2669 static void
2670 mpssas_smpio_complete(struct mps_softc *sc, struct mps_command *cm)
2671 {
2672 	MPI2_SMP_PASSTHROUGH_REPLY *rpl;
2673 	MPI2_SMP_PASSTHROUGH_REQUEST *req;
2674 	uint64_t sasaddr;
2675 	union ccb *ccb;
2676 
2677 	ccb = cm->cm_complete_data;
2678 
2679 	/*
2680 	 * Currently there should be no way we can hit this case.  It only
2681 	 * happens when we have a failure to allocate chain frames, and SMP
2682 	 * commands require two S/G elements only.  That should be handled
2683 	 * in the standard request size.
2684 	 */
2685 	if ((cm->cm_flags & MPS_CM_FLAGS_ERROR_MASK) != 0) {
2686 		mps_dprint(sc, MPS_ERROR,"%s: cm_flags = %#x on SMP request!\n",
2687 			   __func__, cm->cm_flags);
2688 		mpssas_set_ccbstatus(ccb, CAM_REQ_CMP_ERR);
2689 		goto bailout;
2690         }
2691 
2692 	rpl = (MPI2_SMP_PASSTHROUGH_REPLY *)cm->cm_reply;
2693 	if (rpl == NULL) {
2694 		mps_dprint(sc, MPS_ERROR, "%s: NULL cm_reply!\n", __func__);
2695 		mpssas_set_ccbstatus(ccb, CAM_REQ_CMP_ERR);
2696 		goto bailout;
2697 	}
2698 
2699 	req = (MPI2_SMP_PASSTHROUGH_REQUEST *)cm->cm_req;
2700 	sasaddr = le32toh(req->SASAddress.Low);
2701 	sasaddr |= ((uint64_t)(le32toh(req->SASAddress.High))) << 32;
2702 
2703 	if ((le16toh(rpl->IOCStatus) & MPI2_IOCSTATUS_MASK) !=
2704 	    MPI2_IOCSTATUS_SUCCESS ||
2705 	    rpl->SASStatus != MPI2_SASSTATUS_SUCCESS) {
2706 		mps_dprint(sc, MPS_XINFO, "%s: IOCStatus %04x SASStatus %02x\n",
2707 		    __func__, le16toh(rpl->IOCStatus), rpl->SASStatus);
2708 		mpssas_set_ccbstatus(ccb, CAM_REQ_CMP_ERR);
2709 		goto bailout;
2710 	}
2711 
2712 	mps_dprint(sc, MPS_XINFO, "%s: SMP request to SAS address "
2713 		   "%#jx completed successfully\n", __func__,
2714 		   (uintmax_t)sasaddr);
2715 
2716 	if (ccb->smpio.smp_response[2] == SMP_FR_ACCEPTED)
2717 		mpssas_set_ccbstatus(ccb, CAM_REQ_CMP);
2718 	else
2719 		mpssas_set_ccbstatus(ccb, CAM_SMP_STATUS_ERROR);
2720 
2721 bailout:
2722 	/*
2723 	 * We sync in both directions because we had DMAs in the S/G list
2724 	 * in both directions.
2725 	 */
2726 	bus_dmamap_sync(sc->buffer_dmat, cm->cm_dmamap,
2727 			BUS_DMASYNC_POSTREAD | BUS_DMASYNC_POSTWRITE);
2728 	bus_dmamap_unload(sc->buffer_dmat, cm->cm_dmamap);
2729 	mps_free_command(sc, cm);
2730 	xpt_done(ccb);
2731 }
2732 
2733 static void
2734 mpssas_send_smpcmd(struct mpssas_softc *sassc, union ccb *ccb, uint64_t sasaddr)
2735 {
2736 	struct mps_command *cm;
2737 	uint8_t *request, *response;
2738 	MPI2_SMP_PASSTHROUGH_REQUEST *req;
2739 	struct mps_softc *sc;
2740 	int error;
2741 
2742 	sc = sassc->sc;
2743 	error = 0;
2744 
2745 	/*
2746 	 * XXX We don't yet support physical addresses here.
2747 	 */
2748 	switch ((ccb->ccb_h.flags & CAM_DATA_MASK)) {
2749 	case CAM_DATA_PADDR:
2750 	case CAM_DATA_SG_PADDR:
2751 		mps_dprint(sc, MPS_ERROR,
2752 			   "%s: physical addresses not supported\n", __func__);
2753 		mpssas_set_ccbstatus(ccb, CAM_REQ_INVALID);
2754 		xpt_done(ccb);
2755 		return;
2756 	case CAM_DATA_SG:
2757 		/*
2758 		 * The chip does not support more than one buffer for the
2759 		 * request or response.
2760 		 */
2761 	 	if ((ccb->smpio.smp_request_sglist_cnt > 1)
2762 		  || (ccb->smpio.smp_response_sglist_cnt > 1)) {
2763 			mps_dprint(sc, MPS_ERROR,
2764 				   "%s: multiple request or response "
2765 				   "buffer segments not supported for SMP\n",
2766 				   __func__);
2767 			mpssas_set_ccbstatus(ccb, CAM_REQ_INVALID);
2768 			xpt_done(ccb);
2769 			return;
2770 		}
2771 
2772 		/*
2773 		 * The CAM_SCATTER_VALID flag was originally implemented
2774 		 * for the XPT_SCSI_IO CCB, which only has one data pointer.
2775 		 * We have two.  So, just take that flag to mean that we
2776 		 * might have S/G lists, and look at the S/G segment count
2777 		 * to figure out whether that is the case for each individual
2778 		 * buffer.
2779 		 */
2780 		if (ccb->smpio.smp_request_sglist_cnt != 0) {
2781 			bus_dma_segment_t *req_sg;
2782 
2783 			req_sg = (bus_dma_segment_t *)ccb->smpio.smp_request;
2784 			request = (uint8_t *)(uintptr_t)req_sg[0].ds_addr;
2785 		} else
2786 			request = ccb->smpio.smp_request;
2787 
2788 		if (ccb->smpio.smp_response_sglist_cnt != 0) {
2789 			bus_dma_segment_t *rsp_sg;
2790 
2791 			rsp_sg = (bus_dma_segment_t *)ccb->smpio.smp_response;
2792 			response = (uint8_t *)(uintptr_t)rsp_sg[0].ds_addr;
2793 		} else
2794 			response = ccb->smpio.smp_response;
2795 		break;
2796 	case CAM_DATA_VADDR:
2797 		request = ccb->smpio.smp_request;
2798 		response = ccb->smpio.smp_response;
2799 		break;
2800 	default:
2801 		mpssas_set_ccbstatus(ccb, CAM_REQ_INVALID);
2802 		xpt_done(ccb);
2803 		return;
2804 	}
2805 
2806 	cm = mps_alloc_command(sc);
2807 	if (cm == NULL) {
2808 		mps_dprint(sc, MPS_ERROR,
2809 		    "%s: cannot allocate command\n", __func__);
2810 		mpssas_set_ccbstatus(ccb, CAM_RESRC_UNAVAIL);
2811 		xpt_done(ccb);
2812 		return;
2813 	}
2814 
2815 	req = (MPI2_SMP_PASSTHROUGH_REQUEST *)cm->cm_req;
2816 	bzero(req, sizeof(*req));
2817 	req->Function = MPI2_FUNCTION_SMP_PASSTHROUGH;
2818 
2819 	/* Allow the chip to use any route to this SAS address. */
2820 	req->PhysicalPort = 0xff;
2821 
2822 	req->RequestDataLength = htole16(ccb->smpio.smp_request_len);
2823 	req->SGLFlags =
2824 	    MPI2_SGLFLAGS_SYSTEM_ADDRESS_SPACE | MPI2_SGLFLAGS_SGL_TYPE_MPI;
2825 
2826 	mps_dprint(sc, MPS_XINFO, "%s: sending SMP request to SAS "
2827 	    "address %#jx\n", __func__, (uintmax_t)sasaddr);
2828 
2829 	mpi_init_sge(cm, req, &req->SGL);
2830 
2831 	/*
2832 	 * Set up a uio to pass into mps_map_command().  This allows us to
2833 	 * do one map command, and one busdma call in there.
2834 	 */
2835 	cm->cm_uio.uio_iov = cm->cm_iovec;
2836 	cm->cm_uio.uio_iovcnt = 2;
2837 	cm->cm_uio.uio_segflg = UIO_SYSSPACE;
2838 
2839 	/*
2840 	 * The read/write flag isn't used by busdma, but set it just in
2841 	 * case.  This isn't exactly accurate, either, since we're going in
2842 	 * both directions.
2843 	 */
2844 	cm->cm_uio.uio_rw = UIO_WRITE;
2845 
2846 	cm->cm_iovec[0].iov_base = request;
2847 	cm->cm_iovec[0].iov_len = le16toh(req->RequestDataLength);
2848 	cm->cm_iovec[1].iov_base = response;
2849 	cm->cm_iovec[1].iov_len = ccb->smpio.smp_response_len;
2850 
2851 	cm->cm_uio.uio_resid = cm->cm_iovec[0].iov_len +
2852 			       cm->cm_iovec[1].iov_len;
2853 
2854 	/*
2855 	 * Trigger a warning message in mps_data_cb() for the user if we
2856 	 * wind up exceeding two S/G segments.  The chip expects one
2857 	 * segment for the request and another for the response.
2858 	 */
2859 	cm->cm_max_segs = 2;
2860 
2861 	cm->cm_desc.Default.RequestFlags = MPI2_REQ_DESCRIPT_FLAGS_DEFAULT_TYPE;
2862 	cm->cm_complete = mpssas_smpio_complete;
2863 	cm->cm_complete_data = ccb;
2864 
2865 	/*
2866 	 * Tell the mapping code that we're using a uio, and that this is
2867 	 * an SMP passthrough request.  There is a little special-case
2868 	 * logic there (in mps_data_cb()) to handle the bidirectional
2869 	 * transfer.
2870 	 */
2871 	cm->cm_flags |= MPS_CM_FLAGS_USE_UIO | MPS_CM_FLAGS_SMP_PASS |
2872 			MPS_CM_FLAGS_DATAIN | MPS_CM_FLAGS_DATAOUT;
2873 
2874 	/* The chip data format is little endian. */
2875 	req->SASAddress.High = htole32(sasaddr >> 32);
2876 	req->SASAddress.Low = htole32(sasaddr);
2877 
2878 	/*
2879 	 * XXX Note that we don't have a timeout/abort mechanism here.
2880 	 * From the manual, it looks like task management requests only
2881 	 * work for SCSI IO and SATA passthrough requests.  We may need to
2882 	 * have a mechanism to retry requests in the event of a chip reset
2883 	 * at least.  Hopefully the chip will insure that any errors short
2884 	 * of that are relayed back to the driver.
2885 	 */
2886 	error = mps_map_command(sc, cm);
2887 	if ((error != 0) && (error != EINPROGRESS)) {
2888 		mps_dprint(sc, MPS_ERROR,
2889 			   "%s: error %d returned from mps_map_command()\n",
2890 			   __func__, error);
2891 		goto bailout_error;
2892 	}
2893 
2894 	return;
2895 
2896 bailout_error:
2897 	mps_free_command(sc, cm);
2898 	mpssas_set_ccbstatus(ccb, CAM_RESRC_UNAVAIL);
2899 	xpt_done(ccb);
2900 	return;
2901 
2902 }
2903 
2904 static void
2905 mpssas_action_smpio(struct mpssas_softc *sassc, union ccb *ccb)
2906 {
2907 	struct mps_softc *sc;
2908 	struct mpssas_target *targ;
2909 	uint64_t sasaddr = 0;
2910 
2911 	sc = sassc->sc;
2912 
2913 	/*
2914 	 * Make sure the target exists.
2915 	 */
2916 	KASSERT(ccb->ccb_h.target_id < sassc->maxtargets,
2917 	    ("Target %d out of bounds in XPT_SMP_IO\n", ccb->ccb_h.target_id));
2918 	targ = &sassc->targets[ccb->ccb_h.target_id];
2919 	if (targ->handle == 0x0) {
2920 		mps_dprint(sc, MPS_ERROR,
2921 			   "%s: target %d does not exist!\n", __func__,
2922 			   ccb->ccb_h.target_id);
2923 		mpssas_set_ccbstatus(ccb, CAM_SEL_TIMEOUT);
2924 		xpt_done(ccb);
2925 		return;
2926 	}
2927 
2928 	/*
2929 	 * If this device has an embedded SMP target, we'll talk to it
2930 	 * directly.
2931 	 * figure out what the expander's address is.
2932 	 */
2933 	if ((targ->devinfo & MPI2_SAS_DEVICE_INFO_SMP_TARGET) != 0)
2934 		sasaddr = targ->sasaddr;
2935 
2936 	/*
2937 	 * If we don't have a SAS address for the expander yet, try
2938 	 * grabbing it from the page 0x83 information cached in the
2939 	 * transport layer for this target.  LSI expanders report the
2940 	 * expander SAS address as the port-associated SAS address in
2941 	 * Inquiry VPD page 0x83.  Maxim expanders don't report it in page
2942 	 * 0x83.
2943 	 *
2944 	 * XXX KDM disable this for now, but leave it commented out so that
2945 	 * it is obvious that this is another possible way to get the SAS
2946 	 * address.
2947 	 *
2948 	 * The parent handle method below is a little more reliable, and
2949 	 * the other benefit is that it works for devices other than SES
2950 	 * devices.  So you can send a SMP request to a da(4) device and it
2951 	 * will get routed to the expander that device is attached to.
2952 	 * (Assuming the da(4) device doesn't contain an SMP target...)
2953 	 */
2954 #if 0
2955 	if (sasaddr == 0)
2956 		sasaddr = xpt_path_sas_addr(ccb->ccb_h.path);
2957 #endif
2958 
2959 	/*
2960 	 * If we still don't have a SAS address for the expander, look for
2961 	 * the parent device of this device, which is probably the expander.
2962 	 */
2963 	if (sasaddr == 0) {
2964 #ifdef OLD_MPS_PROBE
2965 		struct mpssas_target *parent_target;
2966 #endif
2967 
2968 		if (targ->parent_handle == 0x0) {
2969 			mps_dprint(sc, MPS_ERROR,
2970 				   "%s: handle %d does not have a valid "
2971 				   "parent handle!\n", __func__, targ->handle);
2972 			mpssas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
2973 			goto bailout;
2974 		}
2975 #ifdef OLD_MPS_PROBE
2976 		parent_target = mpssas_find_target_by_handle(sassc, 0,
2977 			targ->parent_handle);
2978 
2979 		if (parent_target == NULL) {
2980 			mps_dprint(sc, MPS_ERROR,
2981 				   "%s: handle %d does not have a valid "
2982 				   "parent target!\n", __func__, targ->handle);
2983 			mpssas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
2984 			goto bailout;
2985 		}
2986 
2987 		if ((parent_target->devinfo &
2988 		     MPI2_SAS_DEVICE_INFO_SMP_TARGET) == 0) {
2989 			mps_dprint(sc, MPS_ERROR,
2990 				   "%s: handle %d parent %d does not "
2991 				   "have an SMP target!\n", __func__,
2992 				   targ->handle, parent_target->handle);
2993 			mpssas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
2994 			goto bailout;
2995 		}
2996 
2997 		sasaddr = parent_target->sasaddr;
2998 #else /* OLD_MPS_PROBE */
2999 		if ((targ->parent_devinfo &
3000 		     MPI2_SAS_DEVICE_INFO_SMP_TARGET) == 0) {
3001 			mps_dprint(sc, MPS_ERROR,
3002 				   "%s: handle %d parent %d does not "
3003 				   "have an SMP target!\n", __func__,
3004 				   targ->handle, targ->parent_handle);
3005 			mpssas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
3006 			goto bailout;
3007 		}
3008 		if (targ->parent_sasaddr == 0x0) {
3009 			mps_dprint(sc, MPS_ERROR,
3010 				   "%s: handle %d parent handle %d does "
3011 				   "not have a valid SAS address!\n",
3012 				   __func__, targ->handle, targ->parent_handle);
3013 			mpssas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
3014 			goto bailout;
3015 		}
3016 
3017 		sasaddr = targ->parent_sasaddr;
3018 #endif /* OLD_MPS_PROBE */
3019 	}
3020 
3021 	if (sasaddr == 0) {
3022 		mps_dprint(sc, MPS_INFO,
3023 			   "%s: unable to find SAS address for handle %d\n",
3024 			   __func__, targ->handle);
3025 		mpssas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
3026 		goto bailout;
3027 	}
3028 	mpssas_send_smpcmd(sassc, ccb, sasaddr);
3029 
3030 	return;
3031 
3032 bailout:
3033 	xpt_done(ccb);
3034 
3035 }
3036 
3037 static void
3038 mpssas_action_resetdev(struct mpssas_softc *sassc, union ccb *ccb)
3039 {
3040 	MPI2_SCSI_TASK_MANAGE_REQUEST *req;
3041 	struct mps_softc *sc;
3042 	struct mps_command *tm;
3043 	struct mpssas_target *targ;
3044 
3045 	MPS_FUNCTRACE(sassc->sc);
3046 	mtx_assert(&sassc->sc->mps_mtx, MA_OWNED);
3047 
3048 	KASSERT(ccb->ccb_h.target_id < sassc->maxtargets,
3049 	    ("Target %d out of bounds in XPT_RESET_DEV\n",
3050 	     ccb->ccb_h.target_id));
3051 	sc = sassc->sc;
3052 	tm = mpssas_alloc_tm(sc);
3053 	if (tm == NULL) {
3054 		mps_dprint(sc, MPS_ERROR,
3055 		    "command alloc failure in mpssas_action_resetdev\n");
3056 		mpssas_set_ccbstatus(ccb, CAM_RESRC_UNAVAIL);
3057 		xpt_done(ccb);
3058 		return;
3059 	}
3060 
3061 	targ = &sassc->targets[ccb->ccb_h.target_id];
3062 	req = (MPI2_SCSI_TASK_MANAGE_REQUEST *)tm->cm_req;
3063 	req->DevHandle = htole16(targ->handle);
3064 	req->TaskType = MPI2_SCSITASKMGMT_TASKTYPE_TARGET_RESET;
3065 
3066 	/* SAS Hard Link Reset / SATA Link Reset */
3067 	req->MsgFlags = MPI2_SCSITASKMGMT_MSGFLAGS_LINK_RESET;
3068 
3069 	tm->cm_data = NULL;
3070 	tm->cm_complete = mpssas_resetdev_complete;
3071 	tm->cm_complete_data = ccb;
3072 	tm->cm_targ = targ;
3073 
3074 	mpssas_prepare_for_tm(sc, tm, targ, CAM_LUN_WILDCARD);
3075 	mps_map_command(sc, tm);
3076 }
3077 
3078 static void
3079 mpssas_resetdev_complete(struct mps_softc *sc, struct mps_command *tm)
3080 {
3081 	MPI2_SCSI_TASK_MANAGE_REPLY *resp;
3082 	union ccb *ccb;
3083 
3084 	MPS_FUNCTRACE(sc);
3085 	mtx_assert(&sc->mps_mtx, MA_OWNED);
3086 
3087 	resp = (MPI2_SCSI_TASK_MANAGE_REPLY *)tm->cm_reply;
3088 	ccb = tm->cm_complete_data;
3089 
3090 	/*
3091 	 * Currently there should be no way we can hit this case.  It only
3092 	 * happens when we have a failure to allocate chain frames, and
3093 	 * task management commands don't have S/G lists.
3094 	 */
3095 	if ((tm->cm_flags & MPS_CM_FLAGS_ERROR_MASK) != 0) {
3096 		MPI2_SCSI_TASK_MANAGE_REQUEST *req;
3097 
3098 		req = (MPI2_SCSI_TASK_MANAGE_REQUEST *)tm->cm_req;
3099 
3100 		mps_dprint(sc, MPS_ERROR,
3101 			   "%s: cm_flags = %#x for reset of handle %#04x! "
3102 			   "This should not happen!\n", __func__, tm->cm_flags,
3103 			   req->DevHandle);
3104 		mpssas_set_ccbstatus(ccb, CAM_REQ_CMP_ERR);
3105 		goto bailout;
3106 	}
3107 
3108 	mps_dprint(sc, MPS_XINFO,
3109 	    "%s: IOCStatus = 0x%x ResponseCode = 0x%x\n", __func__,
3110 	    le16toh(resp->IOCStatus), le32toh(resp->ResponseCode));
3111 
3112 	if (le32toh(resp->ResponseCode) == MPI2_SCSITASKMGMT_RSP_TM_COMPLETE) {
3113 		mpssas_set_ccbstatus(ccb, CAM_REQ_CMP);
3114 		mpssas_announce_reset(sc, AC_SENT_BDR, tm->cm_targ->tid,
3115 		    CAM_LUN_WILDCARD);
3116 	}
3117 	else
3118 		mpssas_set_ccbstatus(ccb, CAM_REQ_CMP_ERR);
3119 
3120 bailout:
3121 
3122 	mpssas_free_tm(sc, tm);
3123 	xpt_done(ccb);
3124 }
3125 
3126 static void
3127 mpssas_poll(struct cam_sim *sim)
3128 {
3129 	struct mpssas_softc *sassc;
3130 
3131 	sassc = cam_sim_softc(sim);
3132 
3133 	if (sassc->sc->mps_debug & MPS_TRACE) {
3134 		/* frequent debug messages during a panic just slow
3135 		 * everything down too much.
3136 		 */
3137 		mps_printf(sassc->sc, "%s clearing MPS_TRACE\n", __func__);
3138 		sassc->sc->mps_debug &= ~MPS_TRACE;
3139 	}
3140 
3141 	mps_intr_locked(sassc->sc);
3142 }
3143 
3144 static void
3145 mpssas_async(void *callback_arg, uint32_t code, struct cam_path *path,
3146 	     void *arg)
3147 {
3148 	struct mps_softc *sc;
3149 
3150 	sc = (struct mps_softc *)callback_arg;
3151 
3152 	mps_lock(sc);
3153 	switch (code) {
3154 	case AC_ADVINFO_CHANGED: {
3155 		struct mpssas_target *target;
3156 		struct mpssas_softc *sassc;
3157 		struct scsi_read_capacity_data_long rcap_buf;
3158 		struct ccb_dev_advinfo cdai;
3159 		struct mpssas_lun *lun;
3160 		lun_id_t lunid;
3161 		int found_lun;
3162 		uintptr_t buftype;
3163 
3164 		buftype = (uintptr_t)arg;
3165 
3166 		found_lun = 0;
3167 		sassc = sc->sassc;
3168 
3169 		/*
3170 		 * We're only interested in read capacity data changes.
3171 		 */
3172 		if (buftype != CDAI_TYPE_RCAPLONG)
3173 			break;
3174 
3175 		/*
3176 		 * We should have a handle for this, but check to make sure.
3177 		 */
3178 		KASSERT(xpt_path_target_id(path) < sassc->maxtargets,
3179 		    ("Target %d out of bounds in mpssas_async\n",
3180 		    xpt_path_target_id(path)));
3181 		target = &sassc->targets[xpt_path_target_id(path)];
3182 		if (target->handle == 0)
3183 			break;
3184 
3185 		lunid = xpt_path_lun_id(path);
3186 
3187 		SLIST_FOREACH(lun, &target->luns, lun_link) {
3188 			if (lun->lun_id == lunid) {
3189 				found_lun = 1;
3190 				break;
3191 			}
3192 		}
3193 
3194 		if (found_lun == 0) {
3195 			lun = malloc(sizeof(struct mpssas_lun), M_MPT2,
3196 				     M_NOWAIT | M_ZERO);
3197 			if (lun == NULL) {
3198 				mps_dprint(sc, MPS_ERROR, "Unable to alloc "
3199 					   "LUN for EEDP support.\n");
3200 				break;
3201 			}
3202 			lun->lun_id = lunid;
3203 			SLIST_INSERT_HEAD(&target->luns, lun, lun_link);
3204 		}
3205 
3206 		bzero(&rcap_buf, sizeof(rcap_buf));
3207 		bzero(&cdai, sizeof(cdai));
3208 		xpt_setup_ccb(&cdai.ccb_h, path, CAM_PRIORITY_NORMAL);
3209 		cdai.ccb_h.func_code = XPT_DEV_ADVINFO;
3210 		cdai.ccb_h.flags = CAM_DIR_IN;
3211 		cdai.buftype = CDAI_TYPE_RCAPLONG;
3212 		cdai.flags = CDAI_FLAG_NONE;
3213 		cdai.bufsiz = sizeof(rcap_buf);
3214 		cdai.buf = (uint8_t *)&rcap_buf;
3215 		xpt_action((union ccb *)&cdai);
3216 		if ((cdai.ccb_h.status & CAM_DEV_QFRZN) != 0)
3217 			cam_release_devq(cdai.ccb_h.path,
3218 					 0, 0, 0, FALSE);
3219 
3220 		if ((mpssas_get_ccbstatus((union ccb *)&cdai) == CAM_REQ_CMP)
3221 		 && (rcap_buf.prot & SRC16_PROT_EN)) {
3222 			switch (rcap_buf.prot & SRC16_P_TYPE) {
3223 			case SRC16_PTYPE_1:
3224 			case SRC16_PTYPE_3:
3225 				lun->eedp_formatted = TRUE;
3226 				lun->eedp_block_size =
3227 				    scsi_4btoul(rcap_buf.length);
3228 				break;
3229 			case SRC16_PTYPE_2:
3230 			default:
3231 				lun->eedp_formatted = FALSE;
3232 				lun->eedp_block_size = 0;
3233 				break;
3234 			}
3235 		} else {
3236 			lun->eedp_formatted = FALSE;
3237 			lun->eedp_block_size = 0;
3238 		}
3239 		break;
3240 	}
3241 	default:
3242 		break;
3243 	}
3244 	mps_unlock(sc);
3245 }
3246 
3247 /*
3248  * Freeze the devq and set the INRESET flag so that no I/O will be sent to
3249  * the target until the reset has completed.  The CCB holds the path which
3250  * is used to release the devq.  The devq is released and the CCB is freed
3251  * when the TM completes.
3252  * We only need to do this when we're entering reset, not at each time we
3253  * need to send an abort (which will happen if multiple commands timeout
3254  * while we're sending the abort). We do not release the queue for each
3255  * command we complete (just at the end when we free the tm), so freezing
3256  * it each time doesn't make sense.
3257  */
3258 void
3259 mpssas_prepare_for_tm(struct mps_softc *sc, struct mps_command *tm,
3260     struct mpssas_target *target, lun_id_t lun_id)
3261 {
3262 	union ccb *ccb;
3263 	path_id_t path_id;
3264 
3265 	ccb = xpt_alloc_ccb_nowait();
3266 	if (ccb) {
3267 		path_id = cam_sim_path(sc->sassc->sim);
3268 		if (xpt_create_path(&ccb->ccb_h.path, xpt_periph, path_id,
3269 		    target->tid, lun_id) != CAM_REQ_CMP) {
3270 			xpt_free_ccb(ccb);
3271 		} else {
3272 			tm->cm_ccb = ccb;
3273 			tm->cm_targ = target;
3274 			if ((target->flags & MPSSAS_TARGET_INRESET) == 0) {
3275 				mps_dprint(sc, MPS_XINFO | MPS_RECOVERY,
3276 				    "%s: Freezing devq for target ID %d\n",
3277 				    __func__, target->tid);
3278 				xpt_freeze_devq(ccb->ccb_h.path, 1);
3279 				target->flags |= MPSSAS_TARGET_INRESET;
3280 			}
3281 		}
3282 	}
3283 }
3284 
3285 int
3286 mpssas_startup(struct mps_softc *sc)
3287 {
3288 
3289 	/*
3290 	 * Send the port enable message and set the wait_for_port_enable flag.
3291 	 * This flag helps to keep the simq frozen until all discovery events
3292 	 * are processed.
3293 	 */
3294 	sc->wait_for_port_enable = 1;
3295 	mpssas_send_portenable(sc);
3296 	return (0);
3297 }
3298 
3299 static int
3300 mpssas_send_portenable(struct mps_softc *sc)
3301 {
3302 	MPI2_PORT_ENABLE_REQUEST *request;
3303 	struct mps_command *cm;
3304 
3305 	MPS_FUNCTRACE(sc);
3306 
3307 	if ((cm = mps_alloc_command(sc)) == NULL)
3308 		return (EBUSY);
3309 	request = (MPI2_PORT_ENABLE_REQUEST *)cm->cm_req;
3310 	request->Function = MPI2_FUNCTION_PORT_ENABLE;
3311 	request->MsgFlags = 0;
3312 	request->VP_ID = 0;
3313 	cm->cm_desc.Default.RequestFlags = MPI2_REQ_DESCRIPT_FLAGS_DEFAULT_TYPE;
3314 	cm->cm_complete = mpssas_portenable_complete;
3315 	cm->cm_data = NULL;
3316 	cm->cm_sge = NULL;
3317 
3318 	mps_map_command(sc, cm);
3319 	mps_dprint(sc, MPS_XINFO,
3320 	    "mps_send_portenable finished cm %p req %p complete %p\n",
3321 	    cm, cm->cm_req, cm->cm_complete);
3322 	return (0);
3323 }
3324 
3325 static void
3326 mpssas_portenable_complete(struct mps_softc *sc, struct mps_command *cm)
3327 {
3328 	MPI2_PORT_ENABLE_REPLY *reply;
3329 	struct mpssas_softc *sassc;
3330 
3331 	MPS_FUNCTRACE(sc);
3332 	sassc = sc->sassc;
3333 
3334 	/*
3335 	 * Currently there should be no way we can hit this case.  It only
3336 	 * happens when we have a failure to allocate chain frames, and
3337 	 * port enable commands don't have S/G lists.
3338 	 */
3339 	if ((cm->cm_flags & MPS_CM_FLAGS_ERROR_MASK) != 0) {
3340 		mps_dprint(sc, MPS_ERROR, "%s: cm_flags = %#x for port enable! "
3341 			   "This should not happen!\n", __func__, cm->cm_flags);
3342 	}
3343 
3344 	reply = (MPI2_PORT_ENABLE_REPLY *)cm->cm_reply;
3345 	if (reply == NULL)
3346 		mps_dprint(sc, MPS_FAULT, "Portenable NULL reply\n");
3347 	else if (le16toh(reply->IOCStatus & MPI2_IOCSTATUS_MASK) !=
3348 	    MPI2_IOCSTATUS_SUCCESS)
3349 		mps_dprint(sc, MPS_FAULT, "Portenable failed\n");
3350 
3351 	mps_free_command(sc, cm);
3352 
3353 	/*
3354 	 * Get WarpDrive info after discovery is complete but before the scan
3355 	 * starts.  At this point, all devices are ready to be exposed to the
3356 	 * OS.  If devices should be hidden instead, take them out of the
3357 	 * 'targets' array before the scan.  The devinfo for a disk will have
3358 	 * some info and a volume's will be 0.  Use that to remove disks.
3359 	 */
3360 	mps_wd_config_pages(sc);
3361 
3362 	/*
3363 	 * Done waiting for port enable to complete.  Decrement the refcount.
3364 	 * If refcount is 0, discovery is complete and a rescan of the bus can
3365 	 * take place.  Since the simq was explicitly frozen before port
3366 	 * enable, it must be explicitly released here to keep the
3367 	 * freeze/release count in sync.
3368 	 */
3369 	sc->wait_for_port_enable = 0;
3370 	sc->port_enable_complete = 1;
3371 	wakeup(&sc->port_enable_complete);
3372 	mpssas_startup_decrement(sassc);
3373 }
3374 
3375 int
3376 mpssas_check_id(struct mpssas_softc *sassc, int id)
3377 {
3378 	struct mps_softc *sc = sassc->sc;
3379 	char *ids;
3380 	char *name;
3381 
3382 	ids = &sc->exclude_ids[0];
3383 	while((name = strsep(&ids, ",")) != NULL) {
3384 		if (name[0] == '\0')
3385 			continue;
3386 		if (strtol(name, NULL, 0) == (long)id)
3387 			return (1);
3388 	}
3389 
3390 	return (0);
3391 }
3392 
3393 void
3394 mpssas_realloc_targets(struct mps_softc *sc, int maxtargets)
3395 {
3396 	struct mpssas_softc *sassc;
3397 	struct mpssas_lun *lun, *lun_tmp;
3398 	struct mpssas_target *targ;
3399 	int i;
3400 
3401 	sassc = sc->sassc;
3402 	/*
3403 	 * The number of targets is based on IOC Facts, so free all of
3404 	 * the allocated LUNs for each target and then the target buffer
3405 	 * itself.
3406 	 */
3407 	for (i=0; i< maxtargets; i++) {
3408 		targ = &sassc->targets[i];
3409 		SLIST_FOREACH_SAFE(lun, &targ->luns, lun_link, lun_tmp) {
3410 			free(lun, M_MPT2);
3411 		}
3412 	}
3413 	free(sassc->targets, M_MPT2);
3414 
3415 	sassc->targets = malloc(sizeof(struct mpssas_target) * maxtargets,
3416 	    M_MPT2, M_WAITOK|M_ZERO);
3417 }
3418