xref: /freebsd/sys/dev/mps/mps_sas.c (revision 52c2bb75163559a6e2866ad374a7de67a4ea1273)
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3  *
4  * Copyright (c) 2009 Yahoo! Inc.
5  * Copyright (c) 2011-2015 LSI Corp.
6  * Copyright (c) 2013-2015 Avago Technologies
7  * All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in the
16  *    documentation and/or other materials provided with the distribution.
17  *
18  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
19  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
22  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28  * SUCH DAMAGE.
29  *
30  * Avago Technologies (LSI) MPT-Fusion Host Adapter FreeBSD
31  *
32  * $FreeBSD$
33  */
34 
35 #include <sys/cdefs.h>
36 __FBSDID("$FreeBSD$");
37 
38 /* Communications core for Avago Technologies (LSI) MPT2 */
39 
40 /* TODO Move headers to mpsvar */
41 #include <sys/types.h>
42 #include <sys/param.h>
43 #include <sys/systm.h>
44 #include <sys/kernel.h>
45 #include <sys/selinfo.h>
46 #include <sys/module.h>
47 #include <sys/bus.h>
48 #include <sys/conf.h>
49 #include <sys/bio.h>
50 #include <sys/malloc.h>
51 #include <sys/uio.h>
52 #include <sys/sysctl.h>
53 #include <sys/endian.h>
54 #include <sys/queue.h>
55 #include <sys/kthread.h>
56 #include <sys/taskqueue.h>
57 #include <sys/sbuf.h>
58 
59 #include <machine/bus.h>
60 #include <machine/resource.h>
61 #include <sys/rman.h>
62 
63 #include <machine/stdarg.h>
64 
65 #include <cam/cam.h>
66 #include <cam/cam_ccb.h>
67 #include <cam/cam_xpt.h>
68 #include <cam/cam_debug.h>
69 #include <cam/cam_sim.h>
70 #include <cam/cam_xpt_sim.h>
71 #include <cam/cam_xpt_periph.h>
72 #include <cam/cam_periph.h>
73 #include <cam/scsi/scsi_all.h>
74 #include <cam/scsi/scsi_message.h>
75 #if __FreeBSD_version >= 900026
76 #include <cam/scsi/smp_all.h>
77 #endif
78 
79 #include <dev/mps/mpi/mpi2_type.h>
80 #include <dev/mps/mpi/mpi2.h>
81 #include <dev/mps/mpi/mpi2_ioc.h>
82 #include <dev/mps/mpi/mpi2_sas.h>
83 #include <dev/mps/mpi/mpi2_cnfg.h>
84 #include <dev/mps/mpi/mpi2_init.h>
85 #include <dev/mps/mpi/mpi2_tool.h>
86 #include <dev/mps/mps_ioctl.h>
87 #include <dev/mps/mpsvar.h>
88 #include <dev/mps/mps_table.h>
89 #include <dev/mps/mps_sas.h>
90 
91 #define MPSSAS_DISCOVERY_TIMEOUT	20
92 #define MPSSAS_MAX_DISCOVERY_TIMEOUTS	10 /* 200 seconds */
93 
94 /*
95  * static array to check SCSI OpCode for EEDP protection bits
96  */
97 #define	PRO_R MPI2_SCSIIO_EEDPFLAGS_CHECK_REMOVE_OP
98 #define	PRO_W MPI2_SCSIIO_EEDPFLAGS_INSERT_OP
99 #define	PRO_V MPI2_SCSIIO_EEDPFLAGS_INSERT_OP
100 static uint8_t op_code_prot[256] = {
101 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
102 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
103 	0, 0, 0, 0, 0, 0, 0, 0, PRO_R, 0, PRO_W, 0, 0, 0, PRO_W, PRO_V,
104 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
105 	0, PRO_W, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
106 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
107 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
108 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
109 	0, 0, 0, 0, 0, 0, 0, 0, PRO_R, 0, PRO_W, 0, 0, 0, PRO_W, PRO_V,
110 	0, 0, 0, PRO_W, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
111 	0, 0, 0, 0, 0, 0, 0, 0, PRO_R, 0, PRO_W, 0, 0, 0, PRO_W, PRO_V,
112 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
113 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
114 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
115 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
116 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
117 };
118 
119 MALLOC_DEFINE(M_MPSSAS, "MPSSAS", "MPS SAS memory");
120 
121 static void mpssas_remove_device(struct mps_softc *, struct mps_command *);
122 static void mpssas_remove_complete(struct mps_softc *, struct mps_command *);
123 static void mpssas_action(struct cam_sim *sim, union ccb *ccb);
124 static void mpssas_poll(struct cam_sim *sim);
125 static int mpssas_send_abort(struct mps_softc *sc, struct mps_command *tm,
126     struct mps_command *cm);
127 static void mpssas_scsiio_timeout(void *data);
128 static void mpssas_abort_complete(struct mps_softc *sc, struct mps_command *cm);
129 static void mpssas_direct_drive_io(struct mpssas_softc *sassc,
130     struct mps_command *cm, union ccb *ccb);
131 static void mpssas_action_scsiio(struct mpssas_softc *, union ccb *);
132 static void mpssas_scsiio_complete(struct mps_softc *, struct mps_command *);
133 static void mpssas_action_resetdev(struct mpssas_softc *, union ccb *);
134 #if __FreeBSD_version >= 900026
135 static void mpssas_smpio_complete(struct mps_softc *sc, struct mps_command *cm);
136 static void mpssas_send_smpcmd(struct mpssas_softc *sassc, union ccb *ccb,
137 			       uint64_t sasaddr);
138 static void mpssas_action_smpio(struct mpssas_softc *sassc, union ccb *ccb);
139 #endif //FreeBSD_version >= 900026
140 static void mpssas_resetdev_complete(struct mps_softc *, struct mps_command *);
141 static void mpssas_async(void *callback_arg, uint32_t code,
142 			 struct cam_path *path, void *arg);
143 #if (__FreeBSD_version < 901503) || \
144     ((__FreeBSD_version >= 1000000) && (__FreeBSD_version < 1000006))
145 static void mpssas_check_eedp(struct mps_softc *sc, struct cam_path *path,
146 			      struct ccb_getdev *cgd);
147 static void mpssas_read_cap_done(struct cam_periph *periph, union ccb *done_ccb);
148 #endif
149 static int mpssas_send_portenable(struct mps_softc *sc);
150 static void mpssas_portenable_complete(struct mps_softc *sc,
151     struct mps_command *cm);
152 
153 struct mpssas_target *
154 mpssas_find_target_by_handle(struct mpssas_softc *sassc, int start, uint16_t handle)
155 {
156 	struct mpssas_target *target;
157 	int i;
158 
159 	for (i = start; i < sassc->maxtargets; i++) {
160 		target = &sassc->targets[i];
161 		if (target->handle == handle)
162 			return (target);
163 	}
164 
165 	return (NULL);
166 }
167 
168 /* we need to freeze the simq during attach and diag reset, to avoid failing
169  * commands before device handles have been found by discovery.  Since
170  * discovery involves reading config pages and possibly sending commands,
171  * discovery actions may continue even after we receive the end of discovery
172  * event, so refcount discovery actions instead of assuming we can unfreeze
173  * the simq when we get the event.
174  */
175 void
176 mpssas_startup_increment(struct mpssas_softc *sassc)
177 {
178 	MPS_FUNCTRACE(sassc->sc);
179 
180 	if ((sassc->flags & MPSSAS_IN_STARTUP) != 0) {
181 		if (sassc->startup_refcount++ == 0) {
182 			/* just starting, freeze the simq */
183 			mps_dprint(sassc->sc, MPS_INIT,
184 			    "%s freezing simq\n", __func__);
185 #if __FreeBSD_version >= 1000039
186 			xpt_hold_boot();
187 #endif
188 			xpt_freeze_simq(sassc->sim, 1);
189 		}
190 		mps_dprint(sassc->sc, MPS_INIT, "%s refcount %u\n", __func__,
191 		    sassc->startup_refcount);
192 	}
193 }
194 
195 void
196 mpssas_release_simq_reinit(struct mpssas_softc *sassc)
197 {
198 	if (sassc->flags & MPSSAS_QUEUE_FROZEN) {
199 		sassc->flags &= ~MPSSAS_QUEUE_FROZEN;
200 		xpt_release_simq(sassc->sim, 1);
201 		mps_dprint(sassc->sc, MPS_INFO, "Unfreezing SIM queue\n");
202 	}
203 }
204 
205 void
206 mpssas_startup_decrement(struct mpssas_softc *sassc)
207 {
208 	MPS_FUNCTRACE(sassc->sc);
209 
210 	if ((sassc->flags & MPSSAS_IN_STARTUP) != 0) {
211 		if (--sassc->startup_refcount == 0) {
212 			/* finished all discovery-related actions, release
213 			 * the simq and rescan for the latest topology.
214 			 */
215 			mps_dprint(sassc->sc, MPS_INIT,
216 			    "%s releasing simq\n", __func__);
217 			sassc->flags &= ~MPSSAS_IN_STARTUP;
218 			xpt_release_simq(sassc->sim, 1);
219 #if __FreeBSD_version >= 1000039
220 			xpt_release_boot();
221 #else
222 			mpssas_rescan_target(sassc->sc, NULL);
223 #endif
224 		}
225 		mps_dprint(sassc->sc, MPS_INIT, "%s refcount %u\n", __func__,
226 		    sassc->startup_refcount);
227 	}
228 }
229 
230 /*
231  * The firmware requires us to stop sending commands when we're doing task
232  * management.
233  * XXX The logic for serializing the device has been made lazy and moved to
234  * mpssas_prepare_for_tm().
235  */
236 struct mps_command *
237 mpssas_alloc_tm(struct mps_softc *sc)
238 {
239 	MPI2_SCSI_TASK_MANAGE_REQUEST *req;
240 	struct mps_command *tm;
241 
242 	tm = mps_alloc_high_priority_command(sc);
243 	if (tm == NULL)
244 		return (NULL);
245 
246 	req = (MPI2_SCSI_TASK_MANAGE_REQUEST *)tm->cm_req;
247 	req->Function = MPI2_FUNCTION_SCSI_TASK_MGMT;
248 	return tm;
249 }
250 
251 void
252 mpssas_free_tm(struct mps_softc *sc, struct mps_command *tm)
253 {
254 	int target_id = 0xFFFFFFFF;
255 
256 	if (tm == NULL)
257 		return;
258 
259 	/*
260 	 * For TM's the devq is frozen for the device.  Unfreeze it here and
261 	 * free the resources used for freezing the devq.  Must clear the
262 	 * INRESET flag as well or scsi I/O will not work.
263 	 */
264 	if (tm->cm_targ != NULL) {
265 		tm->cm_targ->flags &= ~MPSSAS_TARGET_INRESET;
266 		target_id = tm->cm_targ->tid;
267 	}
268 	if (tm->cm_ccb) {
269 		mps_dprint(sc, MPS_INFO, "Unfreezing devq for target ID %d\n",
270 		    target_id);
271 		xpt_release_devq(tm->cm_ccb->ccb_h.path, 1, TRUE);
272 		xpt_free_path(tm->cm_ccb->ccb_h.path);
273 		xpt_free_ccb(tm->cm_ccb);
274 	}
275 
276 	mps_free_high_priority_command(sc, tm);
277 }
278 
279 void
280 mpssas_rescan_target(struct mps_softc *sc, struct mpssas_target *targ)
281 {
282 	struct mpssas_softc *sassc = sc->sassc;
283 	path_id_t pathid;
284 	target_id_t targetid;
285 	union ccb *ccb;
286 
287 	MPS_FUNCTRACE(sc);
288 	pathid = cam_sim_path(sassc->sim);
289 	if (targ == NULL)
290 		targetid = CAM_TARGET_WILDCARD;
291 	else
292 		targetid = targ - sassc->targets;
293 
294 	/*
295 	 * Allocate a CCB and schedule a rescan.
296 	 */
297 	ccb = xpt_alloc_ccb_nowait();
298 	if (ccb == NULL) {
299 		mps_dprint(sc, MPS_ERROR, "unable to alloc CCB for rescan\n");
300 		return;
301 	}
302 
303 	if (xpt_create_path(&ccb->ccb_h.path, NULL, pathid,
304 	    targetid, CAM_LUN_WILDCARD) != CAM_REQ_CMP) {
305 		mps_dprint(sc, MPS_ERROR, "unable to create path for rescan\n");
306 		xpt_free_ccb(ccb);
307 		return;
308 	}
309 
310 	if (targetid == CAM_TARGET_WILDCARD)
311 		ccb->ccb_h.func_code = XPT_SCAN_BUS;
312 	else
313 		ccb->ccb_h.func_code = XPT_SCAN_TGT;
314 
315 	mps_dprint(sc, MPS_TRACE, "%s targetid %u\n", __func__, targetid);
316 	xpt_rescan(ccb);
317 }
318 
319 static void
320 mpssas_log_command(struct mps_command *cm, u_int level, const char *fmt, ...)
321 {
322 	struct sbuf sb;
323 	va_list ap;
324 	char str[192];
325 	char path_str[64];
326 
327 	if (cm == NULL)
328 		return;
329 
330 	/* No need to be in here if debugging isn't enabled */
331 	if ((cm->cm_sc->mps_debug & level) == 0)
332 		return;
333 
334 	sbuf_new(&sb, str, sizeof(str), 0);
335 
336 	va_start(ap, fmt);
337 
338 	if (cm->cm_ccb != NULL) {
339 		xpt_path_string(cm->cm_ccb->csio.ccb_h.path, path_str,
340 				sizeof(path_str));
341 		sbuf_cat(&sb, path_str);
342 		if (cm->cm_ccb->ccb_h.func_code == XPT_SCSI_IO) {
343 			scsi_command_string(&cm->cm_ccb->csio, &sb);
344 			sbuf_printf(&sb, "length %d ",
345 				    cm->cm_ccb->csio.dxfer_len);
346 		}
347 	}
348 	else {
349 		sbuf_printf(&sb, "(noperiph:%s%d:%u:%u:%u): ",
350 		    cam_sim_name(cm->cm_sc->sassc->sim),
351 		    cam_sim_unit(cm->cm_sc->sassc->sim),
352 		    cam_sim_bus(cm->cm_sc->sassc->sim),
353 		    cm->cm_targ ? cm->cm_targ->tid : 0xFFFFFFFF,
354 		    cm->cm_lun);
355 	}
356 
357 	sbuf_printf(&sb, "SMID %u ", cm->cm_desc.Default.SMID);
358 	sbuf_vprintf(&sb, fmt, ap);
359 	sbuf_finish(&sb);
360 	mps_print_field(cm->cm_sc, "%s", sbuf_data(&sb));
361 
362 	va_end(ap);
363 }
364 
365 
366 static void
367 mpssas_remove_volume(struct mps_softc *sc, struct mps_command *tm)
368 {
369 	MPI2_SCSI_TASK_MANAGE_REPLY *reply;
370 	struct mpssas_target *targ;
371 	uint16_t handle;
372 
373 	MPS_FUNCTRACE(sc);
374 
375 	reply = (MPI2_SCSI_TASK_MANAGE_REPLY *)tm->cm_reply;
376 	handle = (uint16_t)(uintptr_t)tm->cm_complete_data;
377 	targ = tm->cm_targ;
378 
379 	if (reply == NULL) {
380 		/* XXX retry the remove after the diag reset completes? */
381 		mps_dprint(sc, MPS_FAULT,
382 		    "%s NULL reply resetting device 0x%04x\n", __func__,
383 		    handle);
384 		mpssas_free_tm(sc, tm);
385 		return;
386 	}
387 
388 	if ((le16toh(reply->IOCStatus) & MPI2_IOCSTATUS_MASK) !=
389 	    MPI2_IOCSTATUS_SUCCESS) {
390 		mps_dprint(sc, MPS_ERROR,
391 		   "IOCStatus = 0x%x while resetting device 0x%x\n",
392 		   le16toh(reply->IOCStatus), handle);
393 	}
394 
395 	mps_dprint(sc, MPS_XINFO,
396 	    "Reset aborted %u commands\n", reply->TerminationCount);
397 	mps_free_reply(sc, tm->cm_reply_data);
398 	tm->cm_reply = NULL;	/* Ensures the reply won't get re-freed */
399 
400 	mps_dprint(sc, MPS_XINFO,
401 	    "clearing target %u handle 0x%04x\n", targ->tid, handle);
402 
403 	/*
404 	 * Don't clear target if remove fails because things will get confusing.
405 	 * Leave the devname and sasaddr intact so that we know to avoid reusing
406 	 * this target id if possible, and so we can assign the same target id
407 	 * to this device if it comes back in the future.
408 	 */
409 	if ((le16toh(reply->IOCStatus) & MPI2_IOCSTATUS_MASK) ==
410 	    MPI2_IOCSTATUS_SUCCESS) {
411 		targ = tm->cm_targ;
412 		targ->handle = 0x0;
413 		targ->encl_handle = 0x0;
414 		targ->encl_slot = 0x0;
415 		targ->exp_dev_handle = 0x0;
416 		targ->phy_num = 0x0;
417 		targ->linkrate = 0x0;
418 		targ->devinfo = 0x0;
419 		targ->flags = 0x0;
420 	}
421 
422 	mpssas_free_tm(sc, tm);
423 }
424 
425 
426 /*
427  * No Need to call "MPI2_SAS_OP_REMOVE_DEVICE" For Volume removal.
428  * Otherwise Volume Delete is same as Bare Drive Removal.
429  */
430 void
431 mpssas_prepare_volume_remove(struct mpssas_softc *sassc, uint16_t handle)
432 {
433 	MPI2_SCSI_TASK_MANAGE_REQUEST *req;
434 	struct mps_softc *sc;
435 	struct mps_command *tm;
436 	struct mpssas_target *targ = NULL;
437 
438 	MPS_FUNCTRACE(sassc->sc);
439 	sc = sassc->sc;
440 
441 #ifdef WD_SUPPORT
442 	/*
443 	 * If this is a WD controller, determine if the disk should be exposed
444 	 * to the OS or not.  If disk should be exposed, return from this
445 	 * function without doing anything.
446 	 */
447 	if (sc->WD_available && (sc->WD_hide_expose ==
448 	    MPS_WD_EXPOSE_ALWAYS)) {
449 		return;
450 	}
451 #endif //WD_SUPPORT
452 
453 	targ = mpssas_find_target_by_handle(sassc, 0, handle);
454 	if (targ == NULL) {
455 		/* FIXME: what is the action? */
456 		/* We don't know about this device? */
457 		mps_dprint(sc, MPS_ERROR,
458 		   "%s %d : invalid handle 0x%x \n", __func__,__LINE__, handle);
459 		return;
460 	}
461 
462 	targ->flags |= MPSSAS_TARGET_INREMOVAL;
463 
464 	tm = mpssas_alloc_tm(sc);
465 	if (tm == NULL) {
466 		mps_dprint(sc, MPS_ERROR,
467 		    "%s: command alloc failure\n", __func__);
468 		return;
469 	}
470 
471 	mpssas_rescan_target(sc, targ);
472 
473 	req = (MPI2_SCSI_TASK_MANAGE_REQUEST *)tm->cm_req;
474 	req->DevHandle = targ->handle;
475 	req->TaskType = MPI2_SCSITASKMGMT_TASKTYPE_TARGET_RESET;
476 
477 	/* SAS Hard Link Reset / SATA Link Reset */
478 	req->MsgFlags = MPI2_SCSITASKMGMT_MSGFLAGS_LINK_RESET;
479 
480 	tm->cm_targ = targ;
481 	tm->cm_data = NULL;
482 	tm->cm_complete = mpssas_remove_volume;
483 	tm->cm_complete_data = (void *)(uintptr_t)handle;
484 
485 	mps_dprint(sc, MPS_INFO, "%s: Sending reset for target ID %d\n",
486 	    __func__, targ->tid);
487 	mpssas_prepare_for_tm(sc, tm, targ, CAM_LUN_WILDCARD);
488 
489 	mps_map_command(sc, tm);
490 }
491 
492 /*
493  * The MPT2 firmware performs debounce on the link to avoid transient link
494  * errors and false removals.  When it does decide that link has been lost
495  * and a device need to go away, it expects that the host will perform a
496  * target reset and then an op remove.  The reset has the side-effect of
497  * aborting any outstanding requests for the device, which is required for
498  * the op-remove to succeed.  It's not clear if the host should check for
499  * the device coming back alive after the reset.
500  */
501 void
502 mpssas_prepare_remove(struct mpssas_softc *sassc, uint16_t handle)
503 {
504 	MPI2_SCSI_TASK_MANAGE_REQUEST *req;
505 	struct mps_softc *sc;
506 	struct mps_command *cm;
507 	struct mpssas_target *targ = NULL;
508 
509 	MPS_FUNCTRACE(sassc->sc);
510 
511 	sc = sassc->sc;
512 
513 	targ = mpssas_find_target_by_handle(sassc, 0, handle);
514 	if (targ == NULL) {
515 		/* FIXME: what is the action? */
516 		/* We don't know about this device? */
517 		mps_dprint(sc, MPS_ERROR,
518 		    "%s : invalid handle 0x%x \n", __func__, handle);
519 		return;
520 	}
521 
522 	targ->flags |= MPSSAS_TARGET_INREMOVAL;
523 
524 	cm = mpssas_alloc_tm(sc);
525 	if (cm == NULL) {
526 		mps_dprint(sc, MPS_ERROR,
527 		    "%s: command alloc failure\n", __func__);
528 		return;
529 	}
530 
531 	mpssas_rescan_target(sc, targ);
532 
533 	req = (MPI2_SCSI_TASK_MANAGE_REQUEST *)cm->cm_req;
534 	memset(req, 0, sizeof(*req));
535 	req->DevHandle = htole16(targ->handle);
536 	req->TaskType = MPI2_SCSITASKMGMT_TASKTYPE_TARGET_RESET;
537 
538 	/* SAS Hard Link Reset / SATA Link Reset */
539 	req->MsgFlags = MPI2_SCSITASKMGMT_MSGFLAGS_LINK_RESET;
540 
541 	cm->cm_targ = targ;
542 	cm->cm_data = NULL;
543 	cm->cm_complete = mpssas_remove_device;
544 	cm->cm_complete_data = (void *)(uintptr_t)handle;
545 
546 	mps_dprint(sc, MPS_INFO, "%s: Sending reset for target ID %d\n",
547 	    __func__, targ->tid);
548 	mpssas_prepare_for_tm(sc, cm, targ, CAM_LUN_WILDCARD);
549 
550 	mps_map_command(sc, cm);
551 }
552 
553 static void
554 mpssas_remove_device(struct mps_softc *sc, struct mps_command *tm)
555 {
556 	MPI2_SCSI_TASK_MANAGE_REPLY *reply;
557 	MPI2_SAS_IOUNIT_CONTROL_REQUEST *req;
558 	struct mpssas_target *targ;
559 	struct mps_command *next_cm;
560 	uint16_t handle;
561 
562 	MPS_FUNCTRACE(sc);
563 
564 	reply = (MPI2_SCSI_TASK_MANAGE_REPLY *)tm->cm_reply;
565 	handle = (uint16_t)(uintptr_t)tm->cm_complete_data;
566 	targ = tm->cm_targ;
567 
568 	/*
569 	 * Currently there should be no way we can hit this case.  It only
570 	 * happens when we have a failure to allocate chain frames, and
571 	 * task management commands don't have S/G lists.
572 	 */
573 	if ((tm->cm_flags & MPS_CM_FLAGS_ERROR_MASK) != 0) {
574 		mps_dprint(sc, MPS_ERROR,
575 		    "%s: cm_flags = %#x for remove of handle %#04x! "
576 		    "This should not happen!\n", __func__, tm->cm_flags,
577 		    handle);
578 	}
579 
580 	if (reply == NULL) {
581 		/* XXX retry the remove after the diag reset completes? */
582 		mps_dprint(sc, MPS_FAULT,
583 		    "%s NULL reply resetting device 0x%04x\n", __func__,
584 		    handle);
585 		mpssas_free_tm(sc, tm);
586 		return;
587 	}
588 
589 	if ((le16toh(reply->IOCStatus) & MPI2_IOCSTATUS_MASK) !=
590 	    MPI2_IOCSTATUS_SUCCESS) {
591 		mps_dprint(sc, MPS_ERROR,
592 		   "IOCStatus = 0x%x while resetting device 0x%x\n",
593 		   le16toh(reply->IOCStatus), handle);
594 	}
595 
596 	mps_dprint(sc, MPS_XINFO, "Reset aborted %u commands\n",
597 	    le32toh(reply->TerminationCount));
598 	mps_free_reply(sc, tm->cm_reply_data);
599 	tm->cm_reply = NULL;	/* Ensures the reply won't get re-freed */
600 
601 	/* Reuse the existing command */
602 	req = (MPI2_SAS_IOUNIT_CONTROL_REQUEST *)tm->cm_req;
603 	memset(req, 0, sizeof(*req));
604 	req->Function = MPI2_FUNCTION_SAS_IO_UNIT_CONTROL;
605 	req->Operation = MPI2_SAS_OP_REMOVE_DEVICE;
606 	req->DevHandle = htole16(handle);
607 	tm->cm_data = NULL;
608 	tm->cm_desc.Default.RequestFlags = MPI2_REQ_DESCRIPT_FLAGS_DEFAULT_TYPE;
609 	tm->cm_complete = mpssas_remove_complete;
610 	tm->cm_complete_data = (void *)(uintptr_t)handle;
611 
612 	mps_map_command(sc, tm);
613 
614 	mps_dprint(sc, MPS_XINFO, "clearing target %u handle 0x%04x\n",
615 		   targ->tid, handle);
616 	TAILQ_FOREACH_SAFE(tm, &targ->commands, cm_link, next_cm) {
617 		union ccb *ccb;
618 
619 		mps_dprint(sc, MPS_XINFO, "Completing missed command %p\n", tm);
620 		ccb = tm->cm_complete_data;
621 		mpssas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
622 		mpssas_scsiio_complete(sc, tm);
623 	}
624 }
625 
626 static void
627 mpssas_remove_complete(struct mps_softc *sc, struct mps_command *tm)
628 {
629 	MPI2_SAS_IOUNIT_CONTROL_REPLY *reply;
630 	uint16_t handle;
631 	struct mpssas_target *targ;
632 	struct mpssas_lun *lun;
633 
634 	MPS_FUNCTRACE(sc);
635 
636 	reply = (MPI2_SAS_IOUNIT_CONTROL_REPLY *)tm->cm_reply;
637 	handle = (uint16_t)(uintptr_t)tm->cm_complete_data;
638 
639 	/*
640 	 * Currently there should be no way we can hit this case.  It only
641 	 * happens when we have a failure to allocate chain frames, and
642 	 * task management commands don't have S/G lists.
643 	 */
644 	if ((tm->cm_flags & MPS_CM_FLAGS_ERROR_MASK) != 0) {
645 		mps_dprint(sc, MPS_XINFO,
646 			   "%s: cm_flags = %#x for remove of handle %#04x! "
647 			   "This should not happen!\n", __func__, tm->cm_flags,
648 			   handle);
649 		mpssas_free_tm(sc, tm);
650 		return;
651 	}
652 
653 	if (reply == NULL) {
654 		/* most likely a chip reset */
655 		mps_dprint(sc, MPS_FAULT,
656 		    "%s NULL reply removing device 0x%04x\n", __func__, handle);
657 		mpssas_free_tm(sc, tm);
658 		return;
659 	}
660 
661 	mps_dprint(sc, MPS_XINFO,
662 	    "%s on handle 0x%04x, IOCStatus= 0x%x\n", __func__,
663 	    handle, le16toh(reply->IOCStatus));
664 
665 	/*
666 	 * Don't clear target if remove fails because things will get confusing.
667 	 * Leave the devname and sasaddr intact so that we know to avoid reusing
668 	 * this target id if possible, and so we can assign the same target id
669 	 * to this device if it comes back in the future.
670 	 */
671 	if ((le16toh(reply->IOCStatus) & MPI2_IOCSTATUS_MASK) ==
672 	    MPI2_IOCSTATUS_SUCCESS) {
673 		targ = tm->cm_targ;
674 		targ->handle = 0x0;
675 		targ->encl_handle = 0x0;
676 		targ->encl_slot = 0x0;
677 		targ->exp_dev_handle = 0x0;
678 		targ->phy_num = 0x0;
679 		targ->linkrate = 0x0;
680 		targ->devinfo = 0x0;
681 		targ->flags = 0x0;
682 
683 		while(!SLIST_EMPTY(&targ->luns)) {
684 			lun = SLIST_FIRST(&targ->luns);
685 			SLIST_REMOVE_HEAD(&targ->luns, lun_link);
686 			free(lun, M_MPT2);
687 		}
688 	}
689 
690 
691 	mpssas_free_tm(sc, tm);
692 }
693 
694 static int
695 mpssas_register_events(struct mps_softc *sc)
696 {
697 	u32 events[MPI2_EVENT_NOTIFY_EVENTMASK_WORDS];
698 
699 	bzero(events, 16);
700 	setbit(events, MPI2_EVENT_SAS_DEVICE_STATUS_CHANGE);
701 	setbit(events, MPI2_EVENT_SAS_DISCOVERY);
702 	setbit(events, MPI2_EVENT_SAS_BROADCAST_PRIMITIVE);
703 	setbit(events, MPI2_EVENT_SAS_INIT_DEVICE_STATUS_CHANGE);
704 	setbit(events, MPI2_EVENT_SAS_INIT_TABLE_OVERFLOW);
705 	setbit(events, MPI2_EVENT_SAS_TOPOLOGY_CHANGE_LIST);
706 	setbit(events, MPI2_EVENT_SAS_ENCL_DEVICE_STATUS_CHANGE);
707 	setbit(events, MPI2_EVENT_IR_CONFIGURATION_CHANGE_LIST);
708 	setbit(events, MPI2_EVENT_IR_VOLUME);
709 	setbit(events, MPI2_EVENT_IR_PHYSICAL_DISK);
710 	setbit(events, MPI2_EVENT_IR_OPERATION_STATUS);
711 	setbit(events, MPI2_EVENT_LOG_ENTRY_ADDED);
712 
713 	mps_register_events(sc, events, mpssas_evt_handler, NULL,
714 	    &sc->sassc->mpssas_eh);
715 
716 	return (0);
717 }
718 
719 int
720 mps_attach_sas(struct mps_softc *sc)
721 {
722 	struct mpssas_softc *sassc;
723 	cam_status status;
724 	int unit, error = 0, reqs;
725 
726 	MPS_FUNCTRACE(sc);
727 	mps_dprint(sc, MPS_INIT, "%s entered\n", __func__);
728 
729 	sassc = malloc(sizeof(struct mpssas_softc), M_MPT2, M_WAITOK|M_ZERO);
730 	if(!sassc) {
731 		mps_dprint(sc, MPS_INIT|MPS_ERROR,
732 		    "Cannot allocate SAS controller memory\n");
733 		return (ENOMEM);
734 	}
735 
736 	/*
737 	 * XXX MaxTargets could change during a reinit.  Since we don't
738 	 * resize the targets[] array during such an event, cache the value
739 	 * of MaxTargets here so that we don't get into trouble later.  This
740 	 * should move into the reinit logic.
741 	 */
742 	sassc->maxtargets = sc->facts->MaxTargets + sc->facts->MaxVolumes;
743 	sassc->targets = malloc(sizeof(struct mpssas_target) *
744 	    sassc->maxtargets, M_MPT2, M_WAITOK|M_ZERO);
745 	if(!sassc->targets) {
746 		mps_dprint(sc, MPS_INIT|MPS_ERROR,
747 		    "Cannot allocate SAS target memory\n");
748 		free(sassc, M_MPT2);
749 		return (ENOMEM);
750 	}
751 	sc->sassc = sassc;
752 	sassc->sc = sc;
753 
754 	reqs = sc->num_reqs - sc->num_prireqs - 1;
755 	if ((sassc->devq = cam_simq_alloc(reqs)) == NULL) {
756 		mps_dprint(sc, MPS_ERROR, "Cannot allocate SIMQ\n");
757 		error = ENOMEM;
758 		goto out;
759 	}
760 
761 	unit = device_get_unit(sc->mps_dev);
762 	sassc->sim = cam_sim_alloc(mpssas_action, mpssas_poll, "mps", sassc,
763 	    unit, &sc->mps_mtx, reqs, reqs, sassc->devq);
764 	if (sassc->sim == NULL) {
765 		mps_dprint(sc, MPS_INIT|MPS_ERROR, "Cannot allocate SIM\n");
766 		error = EINVAL;
767 		goto out;
768 	}
769 
770 	TAILQ_INIT(&sassc->ev_queue);
771 
772 	/* Initialize taskqueue for Event Handling */
773 	TASK_INIT(&sassc->ev_task, 0, mpssas_firmware_event_work, sc);
774 	sassc->ev_tq = taskqueue_create("mps_taskq", M_NOWAIT | M_ZERO,
775 	    taskqueue_thread_enqueue, &sassc->ev_tq);
776 	taskqueue_start_threads(&sassc->ev_tq, 1, PRIBIO, "%s taskq",
777 	    device_get_nameunit(sc->mps_dev));
778 
779 	mps_lock(sc);
780 
781 	/*
782 	 * XXX There should be a bus for every port on the adapter, but since
783 	 * we're just going to fake the topology for now, we'll pretend that
784 	 * everything is just a target on a single bus.
785 	 */
786 	if ((error = xpt_bus_register(sassc->sim, sc->mps_dev, 0)) != 0) {
787 		mps_dprint(sc, MPS_INIT|MPS_ERROR,
788 		    "Error %d registering SCSI bus\n", error);
789 		mps_unlock(sc);
790 		goto out;
791 	}
792 
793 	/*
794 	 * Assume that discovery events will start right away.
795 	 *
796 	 * Hold off boot until discovery is complete.
797 	 */
798 	sassc->flags |= MPSSAS_IN_STARTUP | MPSSAS_IN_DISCOVERY;
799 	sc->sassc->startup_refcount = 0;
800 	mpssas_startup_increment(sassc);
801 
802 	callout_init(&sassc->discovery_callout, 1 /*mpsafe*/);
803 
804 	/*
805 	 * Register for async events so we can determine the EEDP
806 	 * capabilities of devices.
807 	 */
808 	status = xpt_create_path(&sassc->path, /*periph*/NULL,
809 	    cam_sim_path(sc->sassc->sim), CAM_TARGET_WILDCARD,
810 	    CAM_LUN_WILDCARD);
811 	if (status != CAM_REQ_CMP) {
812 		mps_dprint(sc, MPS_ERROR|MPS_INIT,
813 		    "Error %#x creating sim path\n", status);
814 		sassc->path = NULL;
815 	} else {
816 		int event;
817 
818 #if (__FreeBSD_version >= 1000006) || \
819     ((__FreeBSD_version >= 901503) && (__FreeBSD_version < 1000000))
820 		event = AC_ADVINFO_CHANGED;
821 #else
822 		event = AC_FOUND_DEVICE;
823 #endif
824 		status = xpt_register_async(event, mpssas_async, sc,
825 					    sassc->path);
826 		if (status != CAM_REQ_CMP) {
827 			mps_dprint(sc, MPS_ERROR,
828 			    "Error %#x registering async handler for "
829 			    "AC_ADVINFO_CHANGED events\n", status);
830 			xpt_free_path(sassc->path);
831 			sassc->path = NULL;
832 		}
833 	}
834 	if (status != CAM_REQ_CMP) {
835 		/*
836 		 * EEDP use is the exception, not the rule.
837 		 * Warn the user, but do not fail to attach.
838 		 */
839 		mps_printf(sc, "EEDP capabilities disabled.\n");
840 	}
841 
842 	mps_unlock(sc);
843 
844 	mpssas_register_events(sc);
845 out:
846 	if (error)
847 		mps_detach_sas(sc);
848 
849 	mps_dprint(sc, MPS_INIT, "%s exit error= %d\n", __func__, error);
850 	return (error);
851 }
852 
853 int
854 mps_detach_sas(struct mps_softc *sc)
855 {
856 	struct mpssas_softc *sassc;
857 	struct mpssas_lun *lun, *lun_tmp;
858 	struct mpssas_target *targ;
859 	int i;
860 
861 	MPS_FUNCTRACE(sc);
862 
863 	if (sc->sassc == NULL)
864 		return (0);
865 
866 	sassc = sc->sassc;
867 	mps_deregister_events(sc, sassc->mpssas_eh);
868 
869 	/*
870 	 * Drain and free the event handling taskqueue with the lock
871 	 * unheld so that any parallel processing tasks drain properly
872 	 * without deadlocking.
873 	 */
874 	if (sassc->ev_tq != NULL)
875 		taskqueue_free(sassc->ev_tq);
876 
877 	/* Make sure CAM doesn't wedge if we had to bail out early. */
878 	mps_lock(sc);
879 
880 	while (sassc->startup_refcount != 0)
881 		mpssas_startup_decrement(sassc);
882 
883 	/* Deregister our async handler */
884 	if (sassc->path != NULL) {
885 		xpt_register_async(0, mpssas_async, sc, sassc->path);
886 		xpt_free_path(sassc->path);
887 		sassc->path = NULL;
888 	}
889 
890 	if (sassc->flags & MPSSAS_IN_STARTUP)
891 		xpt_release_simq(sassc->sim, 1);
892 
893 	if (sassc->sim != NULL) {
894 		xpt_bus_deregister(cam_sim_path(sassc->sim));
895 		cam_sim_free(sassc->sim, FALSE);
896 	}
897 
898 	mps_unlock(sc);
899 
900 	if (sassc->devq != NULL)
901 		cam_simq_free(sassc->devq);
902 
903 	for(i=0; i< sassc->maxtargets ;i++) {
904 		targ = &sassc->targets[i];
905 		SLIST_FOREACH_SAFE(lun, &targ->luns, lun_link, lun_tmp) {
906 			free(lun, M_MPT2);
907 		}
908 	}
909 	free(sassc->targets, M_MPT2);
910 	free(sassc, M_MPT2);
911 	sc->sassc = NULL;
912 
913 	return (0);
914 }
915 
916 void
917 mpssas_discovery_end(struct mpssas_softc *sassc)
918 {
919 	struct mps_softc *sc = sassc->sc;
920 
921 	MPS_FUNCTRACE(sc);
922 
923 	if (sassc->flags & MPSSAS_DISCOVERY_TIMEOUT_PENDING)
924 		callout_stop(&sassc->discovery_callout);
925 
926 	/*
927 	 * After discovery has completed, check the mapping table for any
928 	 * missing devices and update their missing counts. Only do this once
929 	 * whenever the driver is initialized so that missing counts aren't
930 	 * updated unnecessarily. Note that just because discovery has
931 	 * completed doesn't mean that events have been processed yet. The
932 	 * check_devices function is a callout timer that checks if ALL devices
933 	 * are missing. If so, it will wait a little longer for events to
934 	 * complete and keep resetting itself until some device in the mapping
935 	 * table is not missing, meaning that event processing has started.
936 	 */
937 	if (sc->track_mapping_events) {
938 		mps_dprint(sc, MPS_XINFO | MPS_MAPPING, "Discovery has "
939 		    "completed. Check for missing devices in the mapping "
940 		    "table.\n");
941 		callout_reset(&sc->device_check_callout,
942 		    MPS_MISSING_CHECK_DELAY * hz, mps_mapping_check_devices,
943 		    sc);
944 	}
945 }
946 
947 static void
948 mpssas_action(struct cam_sim *sim, union ccb *ccb)
949 {
950 	struct mpssas_softc *sassc;
951 
952 	sassc = cam_sim_softc(sim);
953 
954 	MPS_FUNCTRACE(sassc->sc);
955 	mps_dprint(sassc->sc, MPS_TRACE, "ccb func_code 0x%x\n",
956 	    ccb->ccb_h.func_code);
957 	mtx_assert(&sassc->sc->mps_mtx, MA_OWNED);
958 
959 	switch (ccb->ccb_h.func_code) {
960 	case XPT_PATH_INQ:
961 	{
962 		struct ccb_pathinq *cpi = &ccb->cpi;
963 		struct mps_softc *sc = sassc->sc;
964 
965 		cpi->version_num = 1;
966 		cpi->hba_inquiry = PI_SDTR_ABLE|PI_TAG_ABLE|PI_WIDE_16;
967 		cpi->target_sprt = 0;
968 #if __FreeBSD_version >= 1000039
969 		cpi->hba_misc = PIM_NOBUSRESET | PIM_UNMAPPED | PIM_NOSCAN;
970 #else
971 		cpi->hba_misc = PIM_NOBUSRESET | PIM_UNMAPPED;
972 #endif
973 		cpi->hba_eng_cnt = 0;
974 		cpi->max_target = sassc->maxtargets - 1;
975 		cpi->max_lun = 255;
976 
977 		/*
978 		 * initiator_id is set here to an ID outside the set of valid
979 		 * target IDs (including volumes).
980 		 */
981 		cpi->initiator_id = sassc->maxtargets;
982 		strlcpy(cpi->sim_vid, "FreeBSD", SIM_IDLEN);
983 		strlcpy(cpi->hba_vid, "Avago Tech", HBA_IDLEN);
984 		strlcpy(cpi->dev_name, cam_sim_name(sim), DEV_IDLEN);
985 		cpi->unit_number = cam_sim_unit(sim);
986 		cpi->bus_id = cam_sim_bus(sim);
987 		cpi->base_transfer_speed = 150000;
988 		cpi->transport = XPORT_SAS;
989 		cpi->transport_version = 0;
990 		cpi->protocol = PROTO_SCSI;
991 		cpi->protocol_version = SCSI_REV_SPC;
992 		cpi->maxio = sc->maxio;
993 		mpssas_set_ccbstatus(ccb, CAM_REQ_CMP);
994 		break;
995 	}
996 	case XPT_GET_TRAN_SETTINGS:
997 	{
998 		struct ccb_trans_settings	*cts;
999 		struct ccb_trans_settings_sas	*sas;
1000 		struct ccb_trans_settings_scsi	*scsi;
1001 		struct mpssas_target *targ;
1002 
1003 		cts = &ccb->cts;
1004 		sas = &cts->xport_specific.sas;
1005 		scsi = &cts->proto_specific.scsi;
1006 
1007 		KASSERT(cts->ccb_h.target_id < sassc->maxtargets,
1008 		    ("Target %d out of bounds in XPT_GET_TRANS_SETTINGS\n",
1009 		    cts->ccb_h.target_id));
1010 		targ = &sassc->targets[cts->ccb_h.target_id];
1011 		if (targ->handle == 0x0) {
1012 			mpssas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
1013 			break;
1014 		}
1015 
1016 		cts->protocol_version = SCSI_REV_SPC2;
1017 		cts->transport = XPORT_SAS;
1018 		cts->transport_version = 0;
1019 
1020 		sas->valid = CTS_SAS_VALID_SPEED;
1021 		switch (targ->linkrate) {
1022 		case 0x08:
1023 			sas->bitrate = 150000;
1024 			break;
1025 		case 0x09:
1026 			sas->bitrate = 300000;
1027 			break;
1028 		case 0x0a:
1029 			sas->bitrate = 600000;
1030 			break;
1031 		default:
1032 			sas->valid = 0;
1033 		}
1034 
1035 		cts->protocol = PROTO_SCSI;
1036 		scsi->valid = CTS_SCSI_VALID_TQ;
1037 		scsi->flags = CTS_SCSI_FLAGS_TAG_ENB;
1038 
1039 		mpssas_set_ccbstatus(ccb, CAM_REQ_CMP);
1040 		break;
1041 	}
1042 	case XPT_CALC_GEOMETRY:
1043 		cam_calc_geometry(&ccb->ccg, /*extended*/1);
1044 		mpssas_set_ccbstatus(ccb, CAM_REQ_CMP);
1045 		break;
1046 	case XPT_RESET_DEV:
1047 		mps_dprint(sassc->sc, MPS_XINFO, "mpssas_action XPT_RESET_DEV\n");
1048 		mpssas_action_resetdev(sassc, ccb);
1049 		return;
1050 	case XPT_RESET_BUS:
1051 	case XPT_ABORT:
1052 	case XPT_TERM_IO:
1053 		mps_dprint(sassc->sc, MPS_XINFO,
1054 		    "mpssas_action faking success for abort or reset\n");
1055 		mpssas_set_ccbstatus(ccb, CAM_REQ_CMP);
1056 		break;
1057 	case XPT_SCSI_IO:
1058 		mpssas_action_scsiio(sassc, ccb);
1059 		return;
1060 #if __FreeBSD_version >= 900026
1061 	case XPT_SMP_IO:
1062 		mpssas_action_smpio(sassc, ccb);
1063 		return;
1064 #endif
1065 	default:
1066 		mpssas_set_ccbstatus(ccb, CAM_FUNC_NOTAVAIL);
1067 		break;
1068 	}
1069 	xpt_done(ccb);
1070 
1071 }
1072 
1073 static void
1074 mpssas_announce_reset(struct mps_softc *sc, uint32_t ac_code,
1075     target_id_t target_id, lun_id_t lun_id)
1076 {
1077 	path_id_t path_id = cam_sim_path(sc->sassc->sim);
1078 	struct cam_path *path;
1079 
1080 	mps_dprint(sc, MPS_XINFO, "%s code %x target %d lun %jx\n", __func__,
1081 	    ac_code, target_id, (uintmax_t)lun_id);
1082 
1083 	if (xpt_create_path(&path, NULL,
1084 		path_id, target_id, lun_id) != CAM_REQ_CMP) {
1085 		mps_dprint(sc, MPS_ERROR, "unable to create path for reset "
1086 			   "notification\n");
1087 		return;
1088 	}
1089 
1090 	xpt_async(ac_code, path, NULL);
1091 	xpt_free_path(path);
1092 }
1093 
1094 static void
1095 mpssas_complete_all_commands(struct mps_softc *sc)
1096 {
1097 	struct mps_command *cm;
1098 	int i;
1099 	int completed;
1100 
1101 	MPS_FUNCTRACE(sc);
1102 	mtx_assert(&sc->mps_mtx, MA_OWNED);
1103 
1104 	/* complete all commands with a NULL reply */
1105 	for (i = 1; i < sc->num_reqs; i++) {
1106 		cm = &sc->commands[i];
1107 		if (cm->cm_state == MPS_CM_STATE_FREE)
1108 			continue;
1109 
1110 		cm->cm_state = MPS_CM_STATE_BUSY;
1111 		cm->cm_reply = NULL;
1112 		completed = 0;
1113 
1114 		if (cm->cm_flags & MPS_CM_FLAGS_SATA_ID_TIMEOUT) {
1115 			MPASS(cm->cm_data);
1116 			free(cm->cm_data, M_MPT2);
1117 			cm->cm_data = NULL;
1118 		}
1119 
1120 		if (cm->cm_flags & MPS_CM_FLAGS_POLLED)
1121 			cm->cm_flags |= MPS_CM_FLAGS_COMPLETE;
1122 
1123 		if (cm->cm_complete != NULL) {
1124 			mpssas_log_command(cm, MPS_RECOVERY,
1125 			    "completing cm %p state %x ccb %p for diag reset\n",
1126 			    cm, cm->cm_state, cm->cm_ccb);
1127 
1128 			cm->cm_complete(sc, cm);
1129 			completed = 1;
1130 		} else if (cm->cm_flags & MPS_CM_FLAGS_WAKEUP) {
1131 			mpssas_log_command(cm, MPS_RECOVERY,
1132 			    "waking up cm %p state %x ccb %p for diag reset\n",
1133 			    cm, cm->cm_state, cm->cm_ccb);
1134 			wakeup(cm);
1135 			completed = 1;
1136 		}
1137 
1138 		if ((completed == 0) && (cm->cm_state != MPS_CM_STATE_FREE)) {
1139 			/* this should never happen, but if it does, log */
1140 			mpssas_log_command(cm, MPS_RECOVERY,
1141 			    "cm %p state %x flags 0x%x ccb %p during diag "
1142 			    "reset\n", cm, cm->cm_state, cm->cm_flags,
1143 			    cm->cm_ccb);
1144 		}
1145 	}
1146 
1147 	sc->io_cmds_active = 0;
1148 }
1149 
1150 void
1151 mpssas_handle_reinit(struct mps_softc *sc)
1152 {
1153 	int i;
1154 
1155 	/* Go back into startup mode and freeze the simq, so that CAM
1156 	 * doesn't send any commands until after we've rediscovered all
1157 	 * targets and found the proper device handles for them.
1158 	 *
1159 	 * After the reset, portenable will trigger discovery, and after all
1160 	 * discovery-related activities have finished, the simq will be
1161 	 * released.
1162 	 */
1163 	mps_dprint(sc, MPS_INIT, "%s startup\n", __func__);
1164 	sc->sassc->flags |= MPSSAS_IN_STARTUP;
1165 	sc->sassc->flags |= MPSSAS_IN_DISCOVERY;
1166 	mpssas_startup_increment(sc->sassc);
1167 
1168 	/* notify CAM of a bus reset */
1169 	mpssas_announce_reset(sc, AC_BUS_RESET, CAM_TARGET_WILDCARD,
1170 	    CAM_LUN_WILDCARD);
1171 
1172 	/* complete and cleanup after all outstanding commands */
1173 	mpssas_complete_all_commands(sc);
1174 
1175 	mps_dprint(sc, MPS_INIT,
1176 	    "%s startup %u after command completion\n", __func__,
1177 	    sc->sassc->startup_refcount);
1178 
1179 	/* zero all the target handles, since they may change after the
1180 	 * reset, and we have to rediscover all the targets and use the new
1181 	 * handles.
1182 	 */
1183 	for (i = 0; i < sc->sassc->maxtargets; i++) {
1184 		if (sc->sassc->targets[i].outstanding != 0)
1185 			mps_dprint(sc, MPS_INIT, "target %u outstanding %u\n",
1186 			    i, sc->sassc->targets[i].outstanding);
1187 		sc->sassc->targets[i].handle = 0x0;
1188 		sc->sassc->targets[i].exp_dev_handle = 0x0;
1189 		sc->sassc->targets[i].outstanding = 0;
1190 		sc->sassc->targets[i].flags = MPSSAS_TARGET_INDIAGRESET;
1191 	}
1192 }
1193 
1194 static void
1195 mpssas_tm_timeout(void *data)
1196 {
1197 	struct mps_command *tm = data;
1198 	struct mps_softc *sc = tm->cm_sc;
1199 
1200 	mtx_assert(&sc->mps_mtx, MA_OWNED);
1201 
1202 	mpssas_log_command(tm, MPS_INFO|MPS_RECOVERY,
1203 	    "task mgmt %p timed out\n", tm);
1204 
1205 	KASSERT(tm->cm_state == MPS_CM_STATE_INQUEUE,
1206 	    ("command not inqueue\n"));
1207 
1208 	tm->cm_state = MPS_CM_STATE_BUSY;
1209 	mps_reinit(sc);
1210 }
1211 
1212 static void
1213 mpssas_logical_unit_reset_complete(struct mps_softc *sc, struct mps_command *tm)
1214 {
1215 	MPI2_SCSI_TASK_MANAGE_REPLY *reply;
1216 	MPI2_SCSI_TASK_MANAGE_REQUEST *req;
1217 	unsigned int cm_count = 0;
1218 	struct mps_command *cm;
1219 	struct mpssas_target *targ;
1220 
1221 	callout_stop(&tm->cm_callout);
1222 
1223 	req = (MPI2_SCSI_TASK_MANAGE_REQUEST *)tm->cm_req;
1224 	reply = (MPI2_SCSI_TASK_MANAGE_REPLY *)tm->cm_reply;
1225 	targ = tm->cm_targ;
1226 
1227 	/*
1228 	 * Currently there should be no way we can hit this case.  It only
1229 	 * happens when we have a failure to allocate chain frames, and
1230 	 * task management commands don't have S/G lists.
1231 	 * XXXSL So should it be an assertion?
1232 	 */
1233 	if ((tm->cm_flags & MPS_CM_FLAGS_ERROR_MASK) != 0) {
1234 		mps_dprint(sc, MPS_RECOVERY|MPS_ERROR,
1235 		    "%s: cm_flags = %#x for LUN reset! "
1236 		   "This should not happen!\n", __func__, tm->cm_flags);
1237 		mpssas_free_tm(sc, tm);
1238 		return;
1239 	}
1240 
1241 	if (reply == NULL) {
1242 		mps_dprint(sc, MPS_RECOVERY, "NULL reset reply for tm %p\n",
1243 		    tm);
1244 		if ((sc->mps_flags & MPS_FLAGS_DIAGRESET) != 0) {
1245 			/* this completion was due to a reset, just cleanup */
1246 			mps_dprint(sc, MPS_RECOVERY, "Hardware undergoing "
1247 			    "reset, ignoring NULL LUN reset reply\n");
1248 			targ->tm = NULL;
1249 			mpssas_free_tm(sc, tm);
1250 		}
1251 		else {
1252 			/* we should have gotten a reply. */
1253 			mps_dprint(sc, MPS_INFO|MPS_RECOVERY, "NULL reply on "
1254 			    "LUN reset attempt, resetting controller\n");
1255 			mps_reinit(sc);
1256 		}
1257 		return;
1258 	}
1259 
1260 	mps_dprint(sc, MPS_RECOVERY,
1261 	    "logical unit reset status 0x%x code 0x%x count %u\n",
1262 	    le16toh(reply->IOCStatus), le32toh(reply->ResponseCode),
1263 	    le32toh(reply->TerminationCount));
1264 
1265 	/*
1266 	 * See if there are any outstanding commands for this LUN.
1267 	 * This could be made more efficient by using a per-LU data
1268 	 * structure of some sort.
1269 	 */
1270 	TAILQ_FOREACH(cm, &targ->commands, cm_link) {
1271 		if (cm->cm_lun == tm->cm_lun)
1272 			cm_count++;
1273 	}
1274 
1275 	if (cm_count == 0) {
1276 		mps_dprint(sc, MPS_RECOVERY|MPS_INFO,
1277 		    "Finished recovery after LUN reset for target %u\n",
1278 		    targ->tid);
1279 
1280 		mpssas_announce_reset(sc, AC_SENT_BDR, targ->tid, tm->cm_lun);
1281 
1282 		/*
1283 		 * We've finished recovery for this logical unit.  check and
1284 		 * see if some other logical unit has a timedout command
1285 		 * that needs to be processed.
1286 		 */
1287 		cm = TAILQ_FIRST(&targ->timedout_commands);
1288 		if (cm) {
1289 			mps_dprint(sc, MPS_INFO|MPS_RECOVERY,
1290 			    "More commands to abort for target %u\n",
1291 			    targ->tid);
1292 			mpssas_send_abort(sc, tm, cm);
1293 		} else {
1294 			targ->tm = NULL;
1295 			mpssas_free_tm(sc, tm);
1296 		}
1297 	} else {
1298 		/*
1299 		 * If we still have commands for this LUN, the reset
1300 		 * effectively failed, regardless of the status reported.
1301 		 * Escalate to a target reset.
1302 		 */
1303 		mps_dprint(sc, MPS_INFO|MPS_RECOVERY,
1304 		    "logical unit reset complete for target %u, but still "
1305 		    "have %u command(s), sending target reset\n", targ->tid,
1306 		    cm_count);
1307 		mpssas_send_reset(sc, tm,
1308 		    MPI2_SCSITASKMGMT_TASKTYPE_TARGET_RESET);
1309 	}
1310 }
1311 
1312 static void
1313 mpssas_target_reset_complete(struct mps_softc *sc, struct mps_command *tm)
1314 {
1315 	MPI2_SCSI_TASK_MANAGE_REPLY *reply;
1316 	MPI2_SCSI_TASK_MANAGE_REQUEST *req;
1317 	struct mpssas_target *targ;
1318 
1319 	callout_stop(&tm->cm_callout);
1320 
1321 	req = (MPI2_SCSI_TASK_MANAGE_REQUEST *)tm->cm_req;
1322 	reply = (MPI2_SCSI_TASK_MANAGE_REPLY *)tm->cm_reply;
1323 	targ = tm->cm_targ;
1324 
1325 	/*
1326 	 * Currently there should be no way we can hit this case.  It only
1327 	 * happens when we have a failure to allocate chain frames, and
1328 	 * task management commands don't have S/G lists.
1329 	 */
1330 	if ((tm->cm_flags & MPS_CM_FLAGS_ERROR_MASK) != 0) {
1331 		mps_dprint(sc, MPS_ERROR,"%s: cm_flags = %#x for target reset! "
1332 			   "This should not happen!\n", __func__, tm->cm_flags);
1333 		mpssas_free_tm(sc, tm);
1334 		return;
1335 	}
1336 
1337 	if (reply == NULL) {
1338 		mps_dprint(sc, MPS_RECOVERY,
1339 		    "NULL target reset reply for tm %pi TaskMID %u\n",
1340 		    tm, le16toh(req->TaskMID));
1341 		if ((sc->mps_flags & MPS_FLAGS_DIAGRESET) != 0) {
1342 			/* this completion was due to a reset, just cleanup */
1343 			mps_dprint(sc, MPS_RECOVERY, "Hardware undergoing "
1344 			    "reset, ignoring NULL target reset reply\n");
1345 			targ->tm = NULL;
1346 			mpssas_free_tm(sc, tm);
1347 		} else {
1348 			/* we should have gotten a reply. */
1349 			mps_dprint(sc, MPS_INFO|MPS_RECOVERY, "NULL reply on "
1350 			    "target reset attempt, resetting controller\n");
1351 			mps_reinit(sc);
1352 		}
1353 		return;
1354 	}
1355 
1356 	mps_dprint(sc, MPS_RECOVERY,
1357 	    "target reset status 0x%x code 0x%x count %u\n",
1358 	    le16toh(reply->IOCStatus), le32toh(reply->ResponseCode),
1359 	    le32toh(reply->TerminationCount));
1360 
1361 	if (targ->outstanding == 0) {
1362 		/* we've finished recovery for this target and all
1363 		 * of its logical units.
1364 		 */
1365 		mps_dprint(sc, MPS_RECOVERY|MPS_INFO,
1366 		    "Finished reset recovery for target %u\n", targ->tid);
1367 
1368 		mpssas_announce_reset(sc, AC_SENT_BDR, tm->cm_targ->tid,
1369 		    CAM_LUN_WILDCARD);
1370 
1371 		targ->tm = NULL;
1372 		mpssas_free_tm(sc, tm);
1373 	} else {
1374 		/*
1375 		 * After a target reset, if this target still has
1376 		 * outstanding commands, the reset effectively failed,
1377 		 * regardless of the status reported.  escalate.
1378 		 */
1379 		mps_dprint(sc, MPS_INFO|MPS_RECOVERY,
1380 		    "Target reset complete for target %u, but still have %u "
1381 		    "command(s), resetting controller\n", targ->tid,
1382 		    targ->outstanding);
1383 		mps_reinit(sc);
1384 	}
1385 }
1386 
1387 #define MPS_RESET_TIMEOUT 30
1388 
1389 int
1390 mpssas_send_reset(struct mps_softc *sc, struct mps_command *tm, uint8_t type)
1391 {
1392 	MPI2_SCSI_TASK_MANAGE_REQUEST *req;
1393 	struct mpssas_target *target;
1394 	int err;
1395 
1396 	target = tm->cm_targ;
1397 	if (target->handle == 0) {
1398 		mps_dprint(sc, MPS_ERROR,"%s null devhandle for target_id %d\n",
1399 		    __func__, target->tid);
1400 		return -1;
1401 	}
1402 
1403 	req = (MPI2_SCSI_TASK_MANAGE_REQUEST *)tm->cm_req;
1404 	req->DevHandle = htole16(target->handle);
1405 	req->TaskType = type;
1406 
1407 	if (type == MPI2_SCSITASKMGMT_TASKTYPE_LOGICAL_UNIT_RESET) {
1408 		/* XXX Need to handle invalid LUNs */
1409 		MPS_SET_LUN(req->LUN, tm->cm_lun);
1410 		tm->cm_targ->logical_unit_resets++;
1411 		mps_dprint(sc, MPS_RECOVERY|MPS_INFO,
1412 		    "Sending logical unit reset to target %u lun %d\n",
1413 		    target->tid, tm->cm_lun);
1414 		tm->cm_complete = mpssas_logical_unit_reset_complete;
1415 		mpssas_prepare_for_tm(sc, tm, target, tm->cm_lun);
1416 	} else if (type == MPI2_SCSITASKMGMT_TASKTYPE_TARGET_RESET) {
1417 		/*
1418 		 * Target reset method =
1419 		 * 	SAS Hard Link Reset / SATA Link Reset
1420 		 */
1421 		req->MsgFlags = MPI2_SCSITASKMGMT_MSGFLAGS_LINK_RESET;
1422 		tm->cm_targ->target_resets++;
1423 		mps_dprint(sc, MPS_RECOVERY|MPS_INFO,
1424 		    "Sending target reset to target %u\n", target->tid);
1425 		tm->cm_complete = mpssas_target_reset_complete;
1426 		mpssas_prepare_for_tm(sc, tm, target, CAM_LUN_WILDCARD);
1427 	} else {
1428 		mps_dprint(sc, MPS_ERROR, "unexpected reset type 0x%x\n", type);
1429 		return -1;
1430 	}
1431 
1432 	tm->cm_data = NULL;
1433 	tm->cm_complete_data = (void *)tm;
1434 
1435 	callout_reset(&tm->cm_callout, MPS_RESET_TIMEOUT * hz,
1436 	    mpssas_tm_timeout, tm);
1437 
1438 	err = mps_map_command(sc, tm);
1439 	if (err)
1440 		mps_dprint(sc, MPS_ERROR|MPS_RECOVERY,
1441 		    "error %d sending reset type %u\n",
1442 		    err, type);
1443 
1444 	return err;
1445 }
1446 
1447 
1448 static void
1449 mpssas_abort_complete(struct mps_softc *sc, struct mps_command *tm)
1450 {
1451 	struct mps_command *cm;
1452 	MPI2_SCSI_TASK_MANAGE_REPLY *reply;
1453 	MPI2_SCSI_TASK_MANAGE_REQUEST *req;
1454 	struct mpssas_target *targ;
1455 
1456 	callout_stop(&tm->cm_callout);
1457 
1458 	req = (MPI2_SCSI_TASK_MANAGE_REQUEST *)tm->cm_req;
1459 	reply = (MPI2_SCSI_TASK_MANAGE_REPLY *)tm->cm_reply;
1460 	targ = tm->cm_targ;
1461 
1462 	/*
1463 	 * Currently there should be no way we can hit this case.  It only
1464 	 * happens when we have a failure to allocate chain frames, and
1465 	 * task management commands don't have S/G lists.
1466 	 */
1467 	if ((tm->cm_flags & MPS_CM_FLAGS_ERROR_MASK) != 0) {
1468 		mps_dprint(sc, MPS_RECOVERY,
1469 		    "cm_flags = %#x for abort %p TaskMID %u!\n",
1470 		    tm->cm_flags, tm, le16toh(req->TaskMID));
1471 		mpssas_free_tm(sc, tm);
1472 		return;
1473 	}
1474 
1475 	if (reply == NULL) {
1476 		mps_dprint(sc, MPS_RECOVERY,
1477 		    "NULL abort reply for tm %p TaskMID %u\n",
1478 		    tm, le16toh(req->TaskMID));
1479 		if ((sc->mps_flags & MPS_FLAGS_DIAGRESET) != 0) {
1480 			/* this completion was due to a reset, just cleanup */
1481 			mps_dprint(sc, MPS_RECOVERY, "Hardware undergoing "
1482 			    "reset, ignoring NULL abort reply\n");
1483 			targ->tm = NULL;
1484 			mpssas_free_tm(sc, tm);
1485 		} else {
1486 			/* we should have gotten a reply. */
1487 			mps_dprint(sc, MPS_INFO|MPS_RECOVERY, "NULL reply on "
1488 			    "abort attempt, resetting controller\n");
1489 			mps_reinit(sc);
1490 		}
1491 		return;
1492 	}
1493 
1494 	mps_dprint(sc, MPS_RECOVERY,
1495 	    "abort TaskMID %u status 0x%x code 0x%x count %u\n",
1496 	    le16toh(req->TaskMID),
1497 	    le16toh(reply->IOCStatus), le32toh(reply->ResponseCode),
1498 	    le32toh(reply->TerminationCount));
1499 
1500 	cm = TAILQ_FIRST(&tm->cm_targ->timedout_commands);
1501 	if (cm == NULL) {
1502 		/*
1503 		 * If there are no more timedout commands, we're done with
1504 		 * error recovery for this target.
1505 		 */
1506 		mps_dprint(sc, MPS_INFO|MPS_RECOVERY,
1507 		    "Finished abort recovery for target %u\n", targ->tid);
1508 
1509 		targ->tm = NULL;
1510 		mpssas_free_tm(sc, tm);
1511 	} else if (le16toh(req->TaskMID) != cm->cm_desc.Default.SMID) {
1512 		/* abort success, but we have more timedout commands to abort */
1513 		mps_dprint(sc, MPS_INFO|MPS_RECOVERY,
1514 		    "Continuing abort recovery for target %u\n", targ->tid);
1515 
1516 		mpssas_send_abort(sc, tm, cm);
1517 	} else {
1518 		/* we didn't get a command completion, so the abort
1519 		 * failed as far as we're concerned.  escalate.
1520 		 */
1521 		mps_dprint(sc, MPS_RECOVERY,
1522 		    "Abort failed for target %u, sending logical unit reset\n",
1523 		    targ->tid);
1524 
1525 		mpssas_send_reset(sc, tm,
1526 		    MPI2_SCSITASKMGMT_TASKTYPE_LOGICAL_UNIT_RESET);
1527 	}
1528 }
1529 
1530 #define MPS_ABORT_TIMEOUT 5
1531 
1532 static int
1533 mpssas_send_abort(struct mps_softc *sc, struct mps_command *tm, struct mps_command *cm)
1534 {
1535 	MPI2_SCSI_TASK_MANAGE_REQUEST *req;
1536 	struct mpssas_target *targ;
1537 	int err;
1538 
1539 	targ = cm->cm_targ;
1540 	if (targ->handle == 0) {
1541 		mps_dprint(sc, MPS_ERROR|MPS_RECOVERY,
1542 		    "%s null devhandle for target_id %d\n",
1543 		    __func__, cm->cm_ccb->ccb_h.target_id);
1544 		return -1;
1545 	}
1546 
1547 	mpssas_log_command(cm, MPS_RECOVERY|MPS_INFO,
1548 	    "Aborting command %p\n", cm);
1549 
1550 	req = (MPI2_SCSI_TASK_MANAGE_REQUEST *)tm->cm_req;
1551 	req->DevHandle = htole16(targ->handle);
1552 	req->TaskType = MPI2_SCSITASKMGMT_TASKTYPE_ABORT_TASK;
1553 
1554 	/* XXX Need to handle invalid LUNs */
1555 	MPS_SET_LUN(req->LUN, cm->cm_ccb->ccb_h.target_lun);
1556 
1557 	req->TaskMID = htole16(cm->cm_desc.Default.SMID);
1558 
1559 	tm->cm_data = NULL;
1560 	tm->cm_complete = mpssas_abort_complete;
1561 	tm->cm_complete_data = (void *)tm;
1562 	tm->cm_targ = cm->cm_targ;
1563 	tm->cm_lun = cm->cm_lun;
1564 
1565 	callout_reset(&tm->cm_callout, MPS_ABORT_TIMEOUT * hz,
1566 	    mpssas_tm_timeout, tm);
1567 
1568 	targ->aborts++;
1569 
1570 	mpssas_prepare_for_tm(sc, tm, targ, tm->cm_lun);
1571 
1572 	err = mps_map_command(sc, tm);
1573 	if (err)
1574 		mps_dprint(sc, MPS_ERROR|MPS_RECOVERY,
1575 		    "error %d sending abort for cm %p SMID %u\n",
1576 		    err, cm, req->TaskMID);
1577 	return err;
1578 }
1579 
1580 static void
1581 mpssas_scsiio_timeout(void *data)
1582 {
1583 	sbintime_t elapsed, now;
1584 	union ccb *ccb;
1585 	struct mps_softc *sc;
1586 	struct mps_command *cm;
1587 	struct mpssas_target *targ;
1588 
1589 	cm = (struct mps_command *)data;
1590 	sc = cm->cm_sc;
1591 	ccb = cm->cm_ccb;
1592 	now = sbinuptime();
1593 
1594 	MPS_FUNCTRACE(sc);
1595 	mtx_assert(&sc->mps_mtx, MA_OWNED);
1596 
1597 	mps_dprint(sc, MPS_XINFO|MPS_RECOVERY, "Timeout checking cm %p\n", sc);
1598 
1599 	/*
1600 	 * Run the interrupt handler to make sure it's not pending.  This
1601 	 * isn't perfect because the command could have already completed
1602 	 * and been re-used, though this is unlikely.
1603 	 */
1604 	mps_intr_locked(sc);
1605 	if (cm->cm_state != MPS_CM_STATE_INQUEUE) {
1606 		mpssas_log_command(cm, MPS_XINFO,
1607 		    "SCSI command %p almost timed out\n", cm);
1608 		return;
1609 	}
1610 
1611 	if (cm->cm_ccb == NULL) {
1612 		mps_dprint(sc, MPS_ERROR, "command timeout with NULL ccb\n");
1613 		return;
1614 	}
1615 
1616 	targ = cm->cm_targ;
1617 	targ->timeouts++;
1618 
1619 	elapsed = now - ccb->ccb_h.qos.sim_data;
1620 	mpssas_log_command(cm, MPS_INFO|MPS_RECOVERY,
1621 	    "Command timeout on target %u(0x%04x) %d set, %d.%d elapsed\n",
1622 	    targ->tid, targ->handle, ccb->ccb_h.timeout,
1623 	    sbintime_getsec(elapsed), elapsed & 0xffffffff);
1624 
1625 	/* XXX first, check the firmware state, to see if it's still
1626 	 * operational.  if not, do a diag reset.
1627 	 */
1628 	mpssas_set_ccbstatus(cm->cm_ccb, CAM_CMD_TIMEOUT);
1629 	cm->cm_state = MPS_CM_STATE_TIMEDOUT;
1630 	TAILQ_INSERT_TAIL(&targ->timedout_commands, cm, cm_recovery);
1631 
1632 	if (targ->tm != NULL) {
1633 		/* target already in recovery, just queue up another
1634 		 * timedout command to be processed later.
1635 		 */
1636 		mps_dprint(sc, MPS_RECOVERY,
1637 		    "queued timedout cm %p for processing by tm %p\n",
1638 		    cm, targ->tm);
1639 	} else if ((targ->tm = mpssas_alloc_tm(sc)) != NULL) {
1640 		mps_dprint(sc, MPS_RECOVERY|MPS_INFO,
1641 		    "Sending abort to target %u for SMID %d\n", targ->tid,
1642 		    cm->cm_desc.Default.SMID);
1643 		mps_dprint(sc, MPS_RECOVERY, "timedout cm %p allocated tm %p\n",
1644 		    cm, targ->tm);
1645 
1646 		/* start recovery by aborting the first timedout command */
1647 		mpssas_send_abort(sc, targ->tm, cm);
1648 	} else {
1649 		/* XXX queue this target up for recovery once a TM becomes
1650 		 * available.  The firmware only has a limited number of
1651 		 * HighPriority credits for the high priority requests used
1652 		 * for task management, and we ran out.
1653 		 *
1654 		 * Isilon: don't worry about this for now, since we have
1655 		 * more credits than disks in an enclosure, and limit
1656 		 * ourselves to one TM per target for recovery.
1657 		 */
1658 		mps_dprint(sc, MPS_ERROR|MPS_RECOVERY,
1659 		    "timedout cm %p failed to allocate a tm\n", cm);
1660 	}
1661 
1662 }
1663 
1664 static void
1665 mpssas_action_scsiio(struct mpssas_softc *sassc, union ccb *ccb)
1666 {
1667 	MPI2_SCSI_IO_REQUEST *req;
1668 	struct ccb_scsiio *csio;
1669 	struct mps_softc *sc;
1670 	struct mpssas_target *targ;
1671 	struct mpssas_lun *lun;
1672 	struct mps_command *cm;
1673 	uint8_t i, lba_byte, *ref_tag_addr;
1674 	uint16_t eedp_flags;
1675 	uint32_t mpi_control;
1676 
1677 	sc = sassc->sc;
1678 	MPS_FUNCTRACE(sc);
1679 	mtx_assert(&sc->mps_mtx, MA_OWNED);
1680 
1681 	csio = &ccb->csio;
1682 	KASSERT(csio->ccb_h.target_id < sassc->maxtargets,
1683 	    ("Target %d out of bounds in XPT_SCSI_IO\n",
1684 	     csio->ccb_h.target_id));
1685 	targ = &sassc->targets[csio->ccb_h.target_id];
1686 	mps_dprint(sc, MPS_TRACE, "ccb %p target flag %x\n", ccb, targ->flags);
1687 	if (targ->handle == 0x0) {
1688 		mps_dprint(sc, MPS_ERROR, "%s NULL handle for target %u\n",
1689 		    __func__, csio->ccb_h.target_id);
1690 		mpssas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
1691 		xpt_done(ccb);
1692 		return;
1693 	}
1694 	if (targ->flags & MPS_TARGET_FLAGS_RAID_COMPONENT) {
1695 		mps_dprint(sc, MPS_ERROR, "%s Raid component no SCSI IO "
1696 		    "supported %u\n", __func__, csio->ccb_h.target_id);
1697 		mpssas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
1698 		xpt_done(ccb);
1699 		return;
1700 	}
1701 	/*
1702 	 * Sometimes, it is possible to get a command that is not "In
1703 	 * Progress" and was actually aborted by the upper layer.  Check for
1704 	 * this here and complete the command without error.
1705 	 */
1706 	if (mpssas_get_ccbstatus(ccb) != CAM_REQ_INPROG) {
1707 		mps_dprint(sc, MPS_TRACE, "%s Command is not in progress for "
1708 		    "target %u\n", __func__, csio->ccb_h.target_id);
1709 		xpt_done(ccb);
1710 		return;
1711 	}
1712 	/*
1713 	 * If devinfo is 0 this will be a volume.  In that case don't tell CAM
1714 	 * that the volume has timed out.  We want volumes to be enumerated
1715 	 * until they are deleted/removed, not just failed.
1716 	 */
1717 	if (targ->flags & MPSSAS_TARGET_INREMOVAL) {
1718 		if (targ->devinfo == 0)
1719 			mpssas_set_ccbstatus(ccb, CAM_REQ_CMP);
1720 		else
1721 			mpssas_set_ccbstatus(ccb, CAM_SEL_TIMEOUT);
1722 		xpt_done(ccb);
1723 		return;
1724 	}
1725 
1726 	if ((sc->mps_flags & MPS_FLAGS_SHUTDOWN) != 0) {
1727 		mps_dprint(sc, MPS_INFO, "%s shutting down\n", __func__);
1728 		mpssas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
1729 		xpt_done(ccb);
1730 		return;
1731 	}
1732 
1733 	/*
1734 	 * If target has a reset in progress, freeze the devq and return.  The
1735 	 * devq will be released when the TM reset is finished.
1736 	 */
1737 	if (targ->flags & MPSSAS_TARGET_INRESET) {
1738 		ccb->ccb_h.status = CAM_BUSY | CAM_DEV_QFRZN;
1739 		mps_dprint(sc, MPS_INFO, "%s: Freezing devq for target ID %d\n",
1740 		    __func__, targ->tid);
1741 		xpt_freeze_devq(ccb->ccb_h.path, 1);
1742 		xpt_done(ccb);
1743 		return;
1744 	}
1745 
1746 	cm = mps_alloc_command(sc);
1747 	if (cm == NULL || (sc->mps_flags & MPS_FLAGS_DIAGRESET)) {
1748 		if (cm != NULL) {
1749 			mps_free_command(sc, cm);
1750 		}
1751 		if ((sassc->flags & MPSSAS_QUEUE_FROZEN) == 0) {
1752 			xpt_freeze_simq(sassc->sim, 1);
1753 			sassc->flags |= MPSSAS_QUEUE_FROZEN;
1754 		}
1755 		ccb->ccb_h.status &= ~CAM_SIM_QUEUED;
1756 		ccb->ccb_h.status |= CAM_REQUEUE_REQ;
1757 		xpt_done(ccb);
1758 		return;
1759 	}
1760 
1761 	req = (MPI2_SCSI_IO_REQUEST *)cm->cm_req;
1762 	bzero(req, sizeof(*req));
1763 	req->DevHandle = htole16(targ->handle);
1764 	req->Function = MPI2_FUNCTION_SCSI_IO_REQUEST;
1765 	req->MsgFlags = 0;
1766 	req->SenseBufferLowAddress = htole32(cm->cm_sense_busaddr);
1767 	req->SenseBufferLength = MPS_SENSE_LEN;
1768 	req->SGLFlags = 0;
1769 	req->ChainOffset = 0;
1770 	req->SGLOffset0 = 24;	/* 32bit word offset to the SGL */
1771 	req->SGLOffset1= 0;
1772 	req->SGLOffset2= 0;
1773 	req->SGLOffset3= 0;
1774 	req->SkipCount = 0;
1775 	req->DataLength = htole32(csio->dxfer_len);
1776 	req->BidirectionalDataLength = 0;
1777 	req->IoFlags = htole16(csio->cdb_len);
1778 	req->EEDPFlags = 0;
1779 
1780 	/* Note: BiDirectional transfers are not supported */
1781 	switch (csio->ccb_h.flags & CAM_DIR_MASK) {
1782 	case CAM_DIR_IN:
1783 		mpi_control = MPI2_SCSIIO_CONTROL_READ;
1784 		cm->cm_flags |= MPS_CM_FLAGS_DATAIN;
1785 		break;
1786 	case CAM_DIR_OUT:
1787 		mpi_control = MPI2_SCSIIO_CONTROL_WRITE;
1788 		cm->cm_flags |= MPS_CM_FLAGS_DATAOUT;
1789 		break;
1790 	case CAM_DIR_NONE:
1791 	default:
1792 		mpi_control = MPI2_SCSIIO_CONTROL_NODATATRANSFER;
1793 		break;
1794 	}
1795 
1796 	if (csio->cdb_len == 32)
1797                 mpi_control |= 4 << MPI2_SCSIIO_CONTROL_ADDCDBLEN_SHIFT;
1798 	/*
1799 	 * It looks like the hardware doesn't require an explicit tag
1800 	 * number for each transaction.  SAM Task Management not supported
1801 	 * at the moment.
1802 	 */
1803 	switch (csio->tag_action) {
1804 	case MSG_HEAD_OF_Q_TAG:
1805 		mpi_control |= MPI2_SCSIIO_CONTROL_HEADOFQ;
1806 		break;
1807 	case MSG_ORDERED_Q_TAG:
1808 		mpi_control |= MPI2_SCSIIO_CONTROL_ORDEREDQ;
1809 		break;
1810 	case MSG_ACA_TASK:
1811 		mpi_control |= MPI2_SCSIIO_CONTROL_ACAQ;
1812 		break;
1813 	case CAM_TAG_ACTION_NONE:
1814 	case MSG_SIMPLE_Q_TAG:
1815 	default:
1816 		mpi_control |= MPI2_SCSIIO_CONTROL_SIMPLEQ;
1817 		break;
1818 	}
1819 	mpi_control |= sc->mapping_table[csio->ccb_h.target_id].TLR_bits;
1820 	req->Control = htole32(mpi_control);
1821 	if (MPS_SET_LUN(req->LUN, csio->ccb_h.target_lun) != 0) {
1822 		mps_free_command(sc, cm);
1823 		mpssas_set_ccbstatus(ccb, CAM_LUN_INVALID);
1824 		xpt_done(ccb);
1825 		return;
1826 	}
1827 
1828 	if (csio->ccb_h.flags & CAM_CDB_POINTER)
1829 		bcopy(csio->cdb_io.cdb_ptr, &req->CDB.CDB32[0], csio->cdb_len);
1830 	else
1831 		bcopy(csio->cdb_io.cdb_bytes, &req->CDB.CDB32[0],csio->cdb_len);
1832 	req->IoFlags = htole16(csio->cdb_len);
1833 
1834 	/*
1835 	 * Check if EEDP is supported and enabled.  If it is then check if the
1836 	 * SCSI opcode could be using EEDP.  If so, make sure the LUN exists and
1837 	 * is formatted for EEDP support.  If all of this is true, set CDB up
1838 	 * for EEDP transfer.
1839 	 */
1840 	eedp_flags = op_code_prot[req->CDB.CDB32[0]];
1841 	if (sc->eedp_enabled && eedp_flags) {
1842 		SLIST_FOREACH(lun, &targ->luns, lun_link) {
1843 			if (lun->lun_id == csio->ccb_h.target_lun) {
1844 				break;
1845 			}
1846 		}
1847 
1848 		if ((lun != NULL) && (lun->eedp_formatted)) {
1849 			req->EEDPBlockSize = htole16(lun->eedp_block_size);
1850 			eedp_flags |= (MPI2_SCSIIO_EEDPFLAGS_INC_PRI_REFTAG |
1851 			    MPI2_SCSIIO_EEDPFLAGS_CHECK_REFTAG |
1852 			    MPI2_SCSIIO_EEDPFLAGS_CHECK_GUARD);
1853 			req->EEDPFlags = htole16(eedp_flags);
1854 
1855 			/*
1856 			 * If CDB less than 32, fill in Primary Ref Tag with
1857 			 * low 4 bytes of LBA.  If CDB is 32, tag stuff is
1858 			 * already there.  Also, set protection bit.  FreeBSD
1859 			 * currently does not support CDBs bigger than 16, but
1860 			 * the code doesn't hurt, and will be here for the
1861 			 * future.
1862 			 */
1863 			if (csio->cdb_len != 32) {
1864 				lba_byte = (csio->cdb_len == 16) ? 6 : 2;
1865 				ref_tag_addr = (uint8_t *)&req->CDB.EEDP32.
1866 				    PrimaryReferenceTag;
1867 				for (i = 0; i < 4; i++) {
1868 					*ref_tag_addr =
1869 					    req->CDB.CDB32[lba_byte + i];
1870 					ref_tag_addr++;
1871 				}
1872 				req->CDB.EEDP32.PrimaryReferenceTag =
1873 					htole32(req->CDB.EEDP32.PrimaryReferenceTag);
1874 				req->CDB.EEDP32.PrimaryApplicationTagMask =
1875 				    0xFFFF;
1876 				req->CDB.CDB32[1] = (req->CDB.CDB32[1] & 0x1F) |
1877 				    0x20;
1878 			} else {
1879 				eedp_flags |=
1880 				    MPI2_SCSIIO_EEDPFLAGS_INC_PRI_APPTAG;
1881 				req->EEDPFlags = htole16(eedp_flags);
1882 				req->CDB.CDB32[10] = (req->CDB.CDB32[10] &
1883 				    0x1F) | 0x20;
1884 			}
1885 		}
1886 	}
1887 
1888 	cm->cm_length = csio->dxfer_len;
1889 	if (cm->cm_length != 0) {
1890 		cm->cm_data = ccb;
1891 		cm->cm_flags |= MPS_CM_FLAGS_USE_CCB;
1892 	} else {
1893 		cm->cm_data = NULL;
1894 	}
1895 	cm->cm_sge = &req->SGL;
1896 	cm->cm_sglsize = (32 - 24) * 4;
1897 	cm->cm_desc.SCSIIO.RequestFlags = MPI2_REQ_DESCRIPT_FLAGS_SCSI_IO;
1898 	cm->cm_desc.SCSIIO.DevHandle = htole16(targ->handle);
1899 	cm->cm_complete = mpssas_scsiio_complete;
1900 	cm->cm_complete_data = ccb;
1901 	cm->cm_targ = targ;
1902 	cm->cm_lun = csio->ccb_h.target_lun;
1903 	cm->cm_ccb = ccb;
1904 
1905 	/*
1906 	 * If HBA is a WD and the command is not for a retry, try to build a
1907 	 * direct I/O message. If failed, or the command is for a retry, send
1908 	 * the I/O to the IR volume itself.
1909 	 */
1910 	if (sc->WD_valid_config) {
1911 		if (ccb->ccb_h.sim_priv.entries[0].field == MPS_WD_RETRY) {
1912 			mpssas_direct_drive_io(sassc, cm, ccb);
1913 		} else {
1914 			mpssas_set_ccbstatus(ccb, CAM_REQ_INPROG);
1915 		}
1916 	}
1917 
1918 #if defined(BUF_TRACKING) || defined(FULL_BUF_TRACKING)
1919 	if (csio->bio != NULL)
1920 		biotrack(csio->bio, __func__);
1921 #endif
1922 	csio->ccb_h.qos.sim_data = sbinuptime();
1923 	callout_reset_sbt(&cm->cm_callout, SBT_1MS * ccb->ccb_h.timeout, 0,
1924 	    mpssas_scsiio_timeout, cm, 0);
1925 
1926 	targ->issued++;
1927 	targ->outstanding++;
1928 	TAILQ_INSERT_TAIL(&targ->commands, cm, cm_link);
1929 	ccb->ccb_h.status |= CAM_SIM_QUEUED;
1930 
1931 	mpssas_log_command(cm, MPS_XINFO, "%s cm %p ccb %p outstanding %u\n",
1932 	    __func__, cm, ccb, targ->outstanding);
1933 
1934 	mps_map_command(sc, cm);
1935 	return;
1936 }
1937 
1938 /**
1939  * mps_sc_failed_io_info - translated non-succesfull SCSI_IO request
1940  */
1941 static void
1942 mps_sc_failed_io_info(struct mps_softc *sc, struct ccb_scsiio *csio,
1943     Mpi2SCSIIOReply_t *mpi_reply)
1944 {
1945 	u32 response_info;
1946 	u8 *response_bytes;
1947 	u16 ioc_status = le16toh(mpi_reply->IOCStatus) &
1948 	    MPI2_IOCSTATUS_MASK;
1949 	u8 scsi_state = mpi_reply->SCSIState;
1950 	u8 scsi_status = mpi_reply->SCSIStatus;
1951 	u32 log_info = le32toh(mpi_reply->IOCLogInfo);
1952 	const char *desc_ioc_state, *desc_scsi_status;
1953 
1954 	if (log_info == 0x31170000)
1955 		return;
1956 
1957 	desc_ioc_state = mps_describe_table(mps_iocstatus_string,
1958 	    ioc_status);
1959 	desc_scsi_status = mps_describe_table(mps_scsi_status_string,
1960 	    scsi_status);
1961 
1962 	mps_dprint(sc, MPS_XINFO, "\thandle(0x%04x), ioc_status(%s)(0x%04x)\n",
1963 	    le16toh(mpi_reply->DevHandle), desc_ioc_state, ioc_status);
1964 
1965 	/*
1966 	 *We can add more detail about underflow data here
1967 	 * TO-DO
1968 	 */
1969 	mps_dprint(sc, MPS_XINFO, "\tscsi_status(%s)(0x%02x), "
1970 	    "scsi_state %b\n", desc_scsi_status, scsi_status,
1971 	    scsi_state, "\20" "\1AutosenseValid" "\2AutosenseFailed"
1972 	    "\3NoScsiStatus" "\4Terminated" "\5Response InfoValid");
1973 
1974 	if (sc->mps_debug & MPS_XINFO &&
1975 		scsi_state & MPI2_SCSI_STATE_AUTOSENSE_VALID) {
1976 		mps_dprint(sc, MPS_XINFO, "-> Sense Buffer Data : Start :\n");
1977 		scsi_sense_print(csio);
1978 		mps_dprint(sc, MPS_XINFO, "-> Sense Buffer Data : End :\n");
1979 	}
1980 
1981 	if (scsi_state & MPI2_SCSI_STATE_RESPONSE_INFO_VALID) {
1982 		response_info = le32toh(mpi_reply->ResponseInfo);
1983 		response_bytes = (u8 *)&response_info;
1984 		mps_dprint(sc, MPS_XINFO, "response code(0x%1x): %s\n",
1985 		    response_bytes[0],
1986 		    mps_describe_table(mps_scsi_taskmgmt_string,
1987 		    response_bytes[0]));
1988 	}
1989 }
1990 
1991 static void
1992 mpssas_scsiio_complete(struct mps_softc *sc, struct mps_command *cm)
1993 {
1994 	MPI2_SCSI_IO_REPLY *rep;
1995 	union ccb *ccb;
1996 	struct ccb_scsiio *csio;
1997 	struct mpssas_softc *sassc;
1998 	struct scsi_vpd_supported_page_list *vpd_list = NULL;
1999 	u8 *TLR_bits, TLR_on;
2000 	int dir = 0, i;
2001 	u16 alloc_len;
2002 	struct mpssas_target *target;
2003 	target_id_t target_id;
2004 
2005 	MPS_FUNCTRACE(sc);
2006 	mps_dprint(sc, MPS_TRACE,
2007 	    "cm %p SMID %u ccb %p reply %p outstanding %u\n", cm,
2008 	    cm->cm_desc.Default.SMID, cm->cm_ccb, cm->cm_reply,
2009 	    cm->cm_targ->outstanding);
2010 
2011 	callout_stop(&cm->cm_callout);
2012 	mtx_assert(&sc->mps_mtx, MA_OWNED);
2013 
2014 	sassc = sc->sassc;
2015 	ccb = cm->cm_complete_data;
2016 	csio = &ccb->csio;
2017 	target_id = csio->ccb_h.target_id;
2018 	rep = (MPI2_SCSI_IO_REPLY *)cm->cm_reply;
2019 	/*
2020 	 * XXX KDM if the chain allocation fails, does it matter if we do
2021 	 * the sync and unload here?  It is simpler to do it in every case,
2022 	 * assuming it doesn't cause problems.
2023 	 */
2024 	if (cm->cm_data != NULL) {
2025 		if (cm->cm_flags & MPS_CM_FLAGS_DATAIN)
2026 			dir = BUS_DMASYNC_POSTREAD;
2027 		else if (cm->cm_flags & MPS_CM_FLAGS_DATAOUT)
2028 			dir = BUS_DMASYNC_POSTWRITE;
2029 		bus_dmamap_sync(sc->buffer_dmat, cm->cm_dmamap, dir);
2030 		bus_dmamap_unload(sc->buffer_dmat, cm->cm_dmamap);
2031 	}
2032 
2033 	cm->cm_targ->completed++;
2034 	cm->cm_targ->outstanding--;
2035 	TAILQ_REMOVE(&cm->cm_targ->commands, cm, cm_link);
2036 	ccb->ccb_h.status &= ~(CAM_STATUS_MASK | CAM_SIM_QUEUED);
2037 
2038 #if defined(BUF_TRACKING) || defined(FULL_BUF_TRACKING)
2039 	if (ccb->csio.bio != NULL)
2040 		biotrack(ccb->csio.bio, __func__);
2041 #endif
2042 
2043 	if (cm->cm_state == MPS_CM_STATE_TIMEDOUT) {
2044 		TAILQ_REMOVE(&cm->cm_targ->timedout_commands, cm, cm_recovery);
2045 		cm->cm_state = MPS_CM_STATE_BUSY;
2046 		if (cm->cm_reply != NULL)
2047 			mpssas_log_command(cm, MPS_RECOVERY,
2048 			    "completed timedout cm %p ccb %p during recovery "
2049 			    "ioc %x scsi %x state %x xfer %u\n",
2050 			    cm, cm->cm_ccb, le16toh(rep->IOCStatus),
2051 			    rep->SCSIStatus, rep->SCSIState,
2052 			    le32toh(rep->TransferCount));
2053 		else
2054 			mpssas_log_command(cm, MPS_RECOVERY,
2055 			    "completed timedout cm %p ccb %p during recovery\n",
2056 			    cm, cm->cm_ccb);
2057 	} else if (cm->cm_targ->tm != NULL) {
2058 		if (cm->cm_reply != NULL)
2059 			mpssas_log_command(cm, MPS_RECOVERY,
2060 			    "completed cm %p ccb %p during recovery "
2061 			    "ioc %x scsi %x state %x xfer %u\n",
2062 			    cm, cm->cm_ccb, le16toh(rep->IOCStatus),
2063 			    rep->SCSIStatus, rep->SCSIState,
2064 			    le32toh(rep->TransferCount));
2065 		else
2066 			mpssas_log_command(cm, MPS_RECOVERY,
2067 			    "completed cm %p ccb %p during recovery\n",
2068 			    cm, cm->cm_ccb);
2069 	} else if ((sc->mps_flags & MPS_FLAGS_DIAGRESET) != 0) {
2070 		mpssas_log_command(cm, MPS_RECOVERY,
2071 		    "reset completed cm %p ccb %p\n",
2072 		    cm, cm->cm_ccb);
2073 	}
2074 
2075 	if ((cm->cm_flags & MPS_CM_FLAGS_ERROR_MASK) != 0) {
2076 		/*
2077 		 * We ran into an error after we tried to map the command,
2078 		 * so we're getting a callback without queueing the command
2079 		 * to the hardware.  So we set the status here, and it will
2080 		 * be retained below.  We'll go through the "fast path",
2081 		 * because there can be no reply when we haven't actually
2082 		 * gone out to the hardware.
2083 		 */
2084 		mpssas_set_ccbstatus(ccb, CAM_REQUEUE_REQ);
2085 
2086 		/*
2087 		 * Currently the only error included in the mask is
2088 		 * MPS_CM_FLAGS_CHAIN_FAILED, which means we're out of
2089 		 * chain frames.  We need to freeze the queue until we get
2090 		 * a command that completed without this error, which will
2091 		 * hopefully have some chain frames attached that we can
2092 		 * use.  If we wanted to get smarter about it, we would
2093 		 * only unfreeze the queue in this condition when we're
2094 		 * sure that we're getting some chain frames back.  That's
2095 		 * probably unnecessary.
2096 		 */
2097 		if ((sassc->flags & MPSSAS_QUEUE_FROZEN) == 0) {
2098 			xpt_freeze_simq(sassc->sim, 1);
2099 			sassc->flags |= MPSSAS_QUEUE_FROZEN;
2100 			mps_dprint(sc, MPS_XINFO, "Error sending command, "
2101 				   "freezing SIM queue\n");
2102 		}
2103 	}
2104 
2105 	/*
2106 	 * If this is a Start Stop Unit command and it was issued by the driver
2107 	 * during shutdown, decrement the refcount to account for all of the
2108 	 * commands that were sent.  All SSU commands should be completed before
2109 	 * shutdown completes, meaning SSU_refcount will be 0 after SSU_started
2110 	 * is TRUE.
2111 	 */
2112 	if (sc->SSU_started && (csio->cdb_io.cdb_bytes[0] == START_STOP_UNIT)) {
2113 		mps_dprint(sc, MPS_INFO, "Decrementing SSU count.\n");
2114 		sc->SSU_refcount--;
2115 	}
2116 
2117 	/* Take the fast path to completion */
2118 	if (cm->cm_reply == NULL) {
2119 		if (mpssas_get_ccbstatus(ccb) == CAM_REQ_INPROG) {
2120 			if ((sc->mps_flags & MPS_FLAGS_DIAGRESET) != 0)
2121 				mpssas_set_ccbstatus(ccb, CAM_SCSI_BUS_RESET);
2122 			else {
2123 				mpssas_set_ccbstatus(ccb, CAM_REQ_CMP);
2124 				ccb->csio.scsi_status = SCSI_STATUS_OK;
2125 			}
2126 			if (sassc->flags & MPSSAS_QUEUE_FROZEN) {
2127 				ccb->ccb_h.status |= CAM_RELEASE_SIMQ;
2128 				sassc->flags &= ~MPSSAS_QUEUE_FROZEN;
2129 				mps_dprint(sc, MPS_XINFO,
2130 				    "Unfreezing SIM queue\n");
2131 			}
2132 		}
2133 
2134 		/*
2135 		 * There are two scenarios where the status won't be
2136 		 * CAM_REQ_CMP.  The first is if MPS_CM_FLAGS_ERROR_MASK is
2137 		 * set, the second is in the MPS_FLAGS_DIAGRESET above.
2138 		 */
2139 		if (mpssas_get_ccbstatus(ccb) != CAM_REQ_CMP) {
2140 			/*
2141 			 * Freeze the dev queue so that commands are
2142 			 * executed in the correct order after error
2143 			 * recovery.
2144 			 */
2145 			ccb->ccb_h.status |= CAM_DEV_QFRZN;
2146 			xpt_freeze_devq(ccb->ccb_h.path, /*count*/ 1);
2147 		}
2148 		mps_free_command(sc, cm);
2149 		xpt_done(ccb);
2150 		return;
2151 	}
2152 
2153 	mpssas_log_command(cm, MPS_XINFO,
2154 	    "ioc %x scsi %x state %x xfer %u\n",
2155 	    le16toh(rep->IOCStatus), rep->SCSIStatus, rep->SCSIState,
2156 	    le32toh(rep->TransferCount));
2157 
2158 	/*
2159 	 * If this is a Direct Drive I/O, reissue the I/O to the original IR
2160 	 * Volume if an error occurred (normal I/O retry).  Use the original
2161 	 * CCB, but set a flag that this will be a retry so that it's sent to
2162 	 * the original volume.  Free the command but reuse the CCB.
2163 	 */
2164 	if (cm->cm_flags & MPS_CM_FLAGS_DD_IO) {
2165 		mps_free_command(sc, cm);
2166 		ccb->ccb_h.sim_priv.entries[0].field = MPS_WD_RETRY;
2167 		mpssas_action_scsiio(sassc, ccb);
2168 		return;
2169 	} else
2170 		ccb->ccb_h.sim_priv.entries[0].field = 0;
2171 
2172 	switch (le16toh(rep->IOCStatus) & MPI2_IOCSTATUS_MASK) {
2173 	case MPI2_IOCSTATUS_SCSI_DATA_UNDERRUN:
2174 		csio->resid = cm->cm_length - le32toh(rep->TransferCount);
2175 		/* FALLTHROUGH */
2176 	case MPI2_IOCSTATUS_SUCCESS:
2177 	case MPI2_IOCSTATUS_SCSI_RECOVERED_ERROR:
2178 
2179 		if ((le16toh(rep->IOCStatus) & MPI2_IOCSTATUS_MASK) ==
2180 		    MPI2_IOCSTATUS_SCSI_RECOVERED_ERROR)
2181 			mpssas_log_command(cm, MPS_XINFO, "recovered error\n");
2182 
2183 		/* Completion failed at the transport level. */
2184 		if (rep->SCSIState & (MPI2_SCSI_STATE_NO_SCSI_STATUS |
2185 		    MPI2_SCSI_STATE_TERMINATED)) {
2186 			mpssas_set_ccbstatus(ccb, CAM_REQ_CMP_ERR);
2187 			break;
2188 		}
2189 
2190 		/* In a modern packetized environment, an autosense failure
2191 		 * implies that there's not much else that can be done to
2192 		 * recover the command.
2193 		 */
2194 		if (rep->SCSIState & MPI2_SCSI_STATE_AUTOSENSE_FAILED) {
2195 			mpssas_set_ccbstatus(ccb, CAM_AUTOSENSE_FAIL);
2196 			break;
2197 		}
2198 
2199 		/*
2200 		 * CAM doesn't care about SAS Response Info data, but if this is
2201 		 * the state check if TLR should be done.  If not, clear the
2202 		 * TLR_bits for the target.
2203 		 */
2204 		if ((rep->SCSIState & MPI2_SCSI_STATE_RESPONSE_INFO_VALID) &&
2205 		    ((le32toh(rep->ResponseInfo) &
2206 		    MPI2_SCSI_RI_MASK_REASONCODE) ==
2207 		    MPS_SCSI_RI_INVALID_FRAME)) {
2208 			sc->mapping_table[target_id].TLR_bits =
2209 			    (u8)MPI2_SCSIIO_CONTROL_NO_TLR;
2210 		}
2211 
2212 		/*
2213 		 * Intentionally override the normal SCSI status reporting
2214 		 * for these two cases.  These are likely to happen in a
2215 		 * multi-initiator environment, and we want to make sure that
2216 		 * CAM retries these commands rather than fail them.
2217 		 */
2218 		if ((rep->SCSIStatus == MPI2_SCSI_STATUS_COMMAND_TERMINATED) ||
2219 		    (rep->SCSIStatus == MPI2_SCSI_STATUS_TASK_ABORTED)) {
2220 			mpssas_set_ccbstatus(ccb, CAM_REQ_ABORTED);
2221 			break;
2222 		}
2223 
2224 		/* Handle normal status and sense */
2225 		csio->scsi_status = rep->SCSIStatus;
2226 		if (rep->SCSIStatus == MPI2_SCSI_STATUS_GOOD)
2227 			mpssas_set_ccbstatus(ccb, CAM_REQ_CMP);
2228 		else
2229 			mpssas_set_ccbstatus(ccb, CAM_SCSI_STATUS_ERROR);
2230 
2231 		if (rep->SCSIState & MPI2_SCSI_STATE_AUTOSENSE_VALID) {
2232 			int sense_len, returned_sense_len;
2233 
2234 			returned_sense_len = min(le32toh(rep->SenseCount),
2235 			    sizeof(struct scsi_sense_data));
2236 			if (returned_sense_len < ccb->csio.sense_len)
2237 				ccb->csio.sense_resid = ccb->csio.sense_len -
2238 					returned_sense_len;
2239 			else
2240 				ccb->csio.sense_resid = 0;
2241 
2242 			sense_len = min(returned_sense_len,
2243 			    ccb->csio.sense_len - ccb->csio.sense_resid);
2244 			bzero(&ccb->csio.sense_data,
2245 			      sizeof(ccb->csio.sense_data));
2246 			bcopy(cm->cm_sense, &ccb->csio.sense_data, sense_len);
2247 			ccb->ccb_h.status |= CAM_AUTOSNS_VALID;
2248 		}
2249 
2250 		/*
2251 		 * Check if this is an INQUIRY command.  If it's a VPD inquiry,
2252 		 * and it's page code 0 (Supported Page List), and there is
2253 		 * inquiry data, and this is for a sequential access device, and
2254 		 * the device is an SSP target, and TLR is supported by the
2255 		 * controller, turn the TLR_bits value ON if page 0x90 is
2256 		 * supported.
2257 		 */
2258 		if ((csio->cdb_io.cdb_bytes[0] == INQUIRY) &&
2259 		    (csio->cdb_io.cdb_bytes[1] & SI_EVPD) &&
2260 		    (csio->cdb_io.cdb_bytes[2] == SVPD_SUPPORTED_PAGE_LIST) &&
2261 		    ((csio->ccb_h.flags & CAM_DATA_MASK) == CAM_DATA_VADDR) &&
2262 		    (csio->data_ptr != NULL) &&
2263 		    ((csio->data_ptr[0] & 0x1f) == T_SEQUENTIAL) &&
2264 		    (sc->control_TLR) &&
2265 		    (sc->mapping_table[target_id].device_info &
2266 		    MPI2_SAS_DEVICE_INFO_SSP_TARGET)) {
2267 			vpd_list = (struct scsi_vpd_supported_page_list *)
2268 			    csio->data_ptr;
2269 			TLR_bits = &sc->mapping_table[target_id].TLR_bits;
2270 			*TLR_bits = (u8)MPI2_SCSIIO_CONTROL_NO_TLR;
2271 			TLR_on = (u8)MPI2_SCSIIO_CONTROL_TLR_ON;
2272 			alloc_len = ((u16)csio->cdb_io.cdb_bytes[3] << 8) +
2273 			    csio->cdb_io.cdb_bytes[4];
2274 			alloc_len -= csio->resid;
2275 			for (i = 0; i < MIN(vpd_list->length, alloc_len); i++) {
2276 				if (vpd_list->list[i] == 0x90) {
2277 					*TLR_bits = TLR_on;
2278 					break;
2279 				}
2280 			}
2281 		}
2282 
2283 		/*
2284 		 * If this is a SATA direct-access end device, mark it so that
2285 		 * a SCSI StartStopUnit command will be sent to it when the
2286 		 * driver is being shutdown.
2287 		 */
2288 		if ((csio->cdb_io.cdb_bytes[0] == INQUIRY) &&
2289 		    ((csio->data_ptr[0] & 0x1f) == T_DIRECT) &&
2290 		    (sc->mapping_table[target_id].device_info &
2291 		    MPI2_SAS_DEVICE_INFO_SATA_DEVICE) &&
2292 		    ((sc->mapping_table[target_id].device_info &
2293 		    MPI2_SAS_DEVICE_INFO_MASK_DEVICE_TYPE) ==
2294 		    MPI2_SAS_DEVICE_INFO_END_DEVICE)) {
2295 			target = &sassc->targets[target_id];
2296 			target->supports_SSU = TRUE;
2297 			mps_dprint(sc, MPS_XINFO, "Target %d supports SSU\n",
2298 			    target_id);
2299 		}
2300 		break;
2301 	case MPI2_IOCSTATUS_SCSI_INVALID_DEVHANDLE:
2302 	case MPI2_IOCSTATUS_SCSI_DEVICE_NOT_THERE:
2303 		/*
2304 		 * If devinfo is 0 this will be a volume.  In that case don't
2305 		 * tell CAM that the volume is not there.  We want volumes to
2306 		 * be enumerated until they are deleted/removed, not just
2307 		 * failed.
2308 		 */
2309 		if (cm->cm_targ->devinfo == 0)
2310 			mpssas_set_ccbstatus(ccb, CAM_REQ_CMP);
2311 		else
2312 			mpssas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
2313 		break;
2314 	case MPI2_IOCSTATUS_INVALID_SGL:
2315 		mps_print_scsiio_cmd(sc, cm);
2316 		mpssas_set_ccbstatus(ccb, CAM_UNREC_HBA_ERROR);
2317 		break;
2318 	case MPI2_IOCSTATUS_SCSI_TASK_TERMINATED:
2319 		/*
2320 		 * This is one of the responses that comes back when an I/O
2321 		 * has been aborted.  If it is because of a timeout that we
2322 		 * initiated, just set the status to CAM_CMD_TIMEOUT.
2323 		 * Otherwise set it to CAM_REQ_ABORTED.  The effect on the
2324 		 * command is the same (it gets retried, subject to the
2325 		 * retry counter), the only difference is what gets printed
2326 		 * on the console.
2327 		 */
2328 		if (cm->cm_state == MPS_CM_STATE_TIMEDOUT)
2329 			mpssas_set_ccbstatus(ccb, CAM_CMD_TIMEOUT);
2330 		else
2331 			mpssas_set_ccbstatus(ccb, CAM_REQ_ABORTED);
2332 		break;
2333 	case MPI2_IOCSTATUS_SCSI_DATA_OVERRUN:
2334 		/* resid is ignored for this condition */
2335 		csio->resid = 0;
2336 		mpssas_set_ccbstatus(ccb, CAM_DATA_RUN_ERR);
2337 		break;
2338 	case MPI2_IOCSTATUS_SCSI_IOC_TERMINATED:
2339 	case MPI2_IOCSTATUS_SCSI_EXT_TERMINATED:
2340 		/*
2341 		 * These can sometimes be transient transport-related
2342 		 * errors, and sometimes persistent drive-related errors.
2343 		 * We used to retry these without decrementing the retry
2344 		 * count by returning CAM_REQUEUE_REQ.  Unfortunately, if
2345 		 * we hit a persistent drive problem that returns one of
2346 		 * these error codes, we would retry indefinitely.  So,
2347 		 * return CAM_REQ_CMP_ERROR so that we decrement the retry
2348 		 * count and avoid infinite retries.  We're taking the
2349 		 * potential risk of flagging false failures in the event
2350 		 * of a topology-related error (e.g. a SAS expander problem
2351 		 * causes a command addressed to a drive to fail), but
2352 		 * avoiding getting into an infinite retry loop.
2353 		 */
2354 		mpssas_set_ccbstatus(ccb, CAM_REQ_CMP_ERR);
2355 		mps_dprint(sc, MPS_INFO,
2356 		    "Controller reported %s tgt %u SMID %u loginfo %x\n",
2357 		    mps_describe_table(mps_iocstatus_string,
2358 		    le16toh(rep->IOCStatus) & MPI2_IOCSTATUS_MASK),
2359 		    target_id, cm->cm_desc.Default.SMID,
2360 		    le32toh(rep->IOCLogInfo));
2361 		mps_dprint(sc, MPS_XINFO,
2362 		    "SCSIStatus %x SCSIState %x xfercount %u\n",
2363 		    rep->SCSIStatus, rep->SCSIState,
2364 		    le32toh(rep->TransferCount));
2365 		break;
2366 	case MPI2_IOCSTATUS_INVALID_FUNCTION:
2367 	case MPI2_IOCSTATUS_INTERNAL_ERROR:
2368 	case MPI2_IOCSTATUS_INVALID_VPID:
2369 	case MPI2_IOCSTATUS_INVALID_FIELD:
2370 	case MPI2_IOCSTATUS_INVALID_STATE:
2371 	case MPI2_IOCSTATUS_OP_STATE_NOT_SUPPORTED:
2372 	case MPI2_IOCSTATUS_SCSI_IO_DATA_ERROR:
2373 	case MPI2_IOCSTATUS_SCSI_PROTOCOL_ERROR:
2374 	case MPI2_IOCSTATUS_SCSI_RESIDUAL_MISMATCH:
2375 	case MPI2_IOCSTATUS_SCSI_TASK_MGMT_FAILED:
2376 	default:
2377 		mpssas_log_command(cm, MPS_XINFO,
2378 		    "completed ioc %x loginfo %x scsi %x state %x xfer %u\n",
2379 		    le16toh(rep->IOCStatus), le32toh(rep->IOCLogInfo),
2380 		    rep->SCSIStatus, rep->SCSIState,
2381 		    le32toh(rep->TransferCount));
2382 		csio->resid = cm->cm_length;
2383 		mpssas_set_ccbstatus(ccb, CAM_REQ_CMP_ERR);
2384 		break;
2385 	}
2386 
2387 	mps_sc_failed_io_info(sc,csio,rep);
2388 
2389 	if (sassc->flags & MPSSAS_QUEUE_FROZEN) {
2390 		ccb->ccb_h.status |= CAM_RELEASE_SIMQ;
2391 		sassc->flags &= ~MPSSAS_QUEUE_FROZEN;
2392 		mps_dprint(sc, MPS_XINFO, "Command completed, "
2393 		    "unfreezing SIM queue\n");
2394 	}
2395 
2396 	if (mpssas_get_ccbstatus(ccb) != CAM_REQ_CMP) {
2397 		ccb->ccb_h.status |= CAM_DEV_QFRZN;
2398 		xpt_freeze_devq(ccb->ccb_h.path, /*count*/ 1);
2399 	}
2400 
2401 	mps_free_command(sc, cm);
2402 	xpt_done(ccb);
2403 }
2404 
2405 /* All Request reached here are Endian safe */
2406 static void
2407 mpssas_direct_drive_io(struct mpssas_softc *sassc, struct mps_command *cm,
2408     union ccb *ccb) {
2409 	pMpi2SCSIIORequest_t	pIO_req;
2410 	struct mps_softc	*sc = sassc->sc;
2411 	uint64_t		virtLBA;
2412 	uint32_t		physLBA, stripe_offset, stripe_unit;
2413 	uint32_t		io_size, column;
2414 	uint8_t			*ptrLBA, lba_idx, physLBA_byte, *CDB;
2415 
2416 	/*
2417 	 * If this is a valid SCSI command (Read6, Read10, Read16, Write6,
2418 	 * Write10, or Write16), build a direct I/O message.  Otherwise, the I/O
2419 	 * will be sent to the IR volume itself.  Since Read6 and Write6 are a
2420 	 * bit different than the 10/16 CDBs, handle them separately.
2421 	 */
2422 	pIO_req = (pMpi2SCSIIORequest_t)cm->cm_req;
2423 	CDB = pIO_req->CDB.CDB32;
2424 
2425 	/*
2426 	 * Handle 6 byte CDBs.
2427 	 */
2428 	if ((pIO_req->DevHandle == sc->DD_dev_handle) && ((CDB[0] == READ_6) ||
2429 	    (CDB[0] == WRITE_6))) {
2430 		/*
2431 		 * Get the transfer size in blocks.
2432 		 */
2433 		io_size = (cm->cm_length >> sc->DD_block_exponent);
2434 
2435 		/*
2436 		 * Get virtual LBA given in the CDB.
2437 		 */
2438 		virtLBA = ((uint64_t)(CDB[1] & 0x1F) << 16) |
2439 		    ((uint64_t)CDB[2] << 8) | (uint64_t)CDB[3];
2440 
2441 		/*
2442 		 * Check that LBA range for I/O does not exceed volume's
2443 		 * MaxLBA.
2444 		 */
2445 		if ((virtLBA + (uint64_t)io_size - 1) <=
2446 		    sc->DD_max_lba) {
2447 			/*
2448 			 * Check if the I/O crosses a stripe boundary.  If not,
2449 			 * translate the virtual LBA to a physical LBA and set
2450 			 * the DevHandle for the PhysDisk to be used.  If it
2451 			 * does cross a boundary, do normal I/O.  To get the
2452 			 * right DevHandle to use, get the map number for the
2453 			 * column, then use that map number to look up the
2454 			 * DevHandle of the PhysDisk.
2455 			 */
2456 			stripe_offset = (uint32_t)virtLBA &
2457 			    (sc->DD_stripe_size - 1);
2458 			if ((stripe_offset + io_size) <= sc->DD_stripe_size) {
2459 				physLBA = (uint32_t)virtLBA >>
2460 				    sc->DD_stripe_exponent;
2461 				stripe_unit = physLBA / sc->DD_num_phys_disks;
2462 				column = physLBA % sc->DD_num_phys_disks;
2463 				pIO_req->DevHandle =
2464 				    htole16(sc->DD_column_map[column].dev_handle);
2465 				/* ???? Is this endian safe*/
2466 				cm->cm_desc.SCSIIO.DevHandle =
2467 				    pIO_req->DevHandle;
2468 
2469 				physLBA = (stripe_unit <<
2470 				    sc->DD_stripe_exponent) + stripe_offset;
2471 				ptrLBA = &pIO_req->CDB.CDB32[1];
2472 				physLBA_byte = (uint8_t)(physLBA >> 16);
2473 				*ptrLBA = physLBA_byte;
2474 				ptrLBA = &pIO_req->CDB.CDB32[2];
2475 				physLBA_byte = (uint8_t)(physLBA >> 8);
2476 				*ptrLBA = physLBA_byte;
2477 				ptrLBA = &pIO_req->CDB.CDB32[3];
2478 				physLBA_byte = (uint8_t)physLBA;
2479 				*ptrLBA = physLBA_byte;
2480 
2481 				/*
2482 				 * Set flag that Direct Drive I/O is
2483 				 * being done.
2484 				 */
2485 				cm->cm_flags |= MPS_CM_FLAGS_DD_IO;
2486 			}
2487 		}
2488 		return;
2489 	}
2490 
2491 	/*
2492 	 * Handle 10, 12 or 16 byte CDBs.
2493 	 */
2494 	if ((pIO_req->DevHandle == sc->DD_dev_handle) && ((CDB[0] == READ_10) ||
2495 	    (CDB[0] == WRITE_10) || (CDB[0] == READ_16) ||
2496 	    (CDB[0] == WRITE_16) || (CDB[0] == READ_12) ||
2497 	    (CDB[0] == WRITE_12))) {
2498 		/*
2499 		 * For 16-byte CDB's, verify that the upper 4 bytes of the CDB
2500 		 * are 0.  If not, this is accessing beyond 2TB so handle it in
2501 		 * the else section.  10-byte and 12-byte CDB's are OK.
2502 		 * FreeBSD sends very rare 12 byte READ/WRITE, but driver is
2503 		 * ready to accept 12byte CDB for Direct IOs.
2504 		 */
2505 		if ((CDB[0] == READ_10 || CDB[0] == WRITE_10) ||
2506 		    (CDB[0] == READ_12 || CDB[0] == WRITE_12) ||
2507 		    !(CDB[2] | CDB[3] | CDB[4] | CDB[5])) {
2508 			/*
2509 			 * Get the transfer size in blocks.
2510 			 */
2511 			io_size = (cm->cm_length >> sc->DD_block_exponent);
2512 
2513 			/*
2514 			 * Get virtual LBA.  Point to correct lower 4 bytes of
2515 			 * LBA in the CDB depending on command.
2516 			 */
2517 			lba_idx = ((CDB[0] == READ_12) ||
2518 				(CDB[0] == WRITE_12) ||
2519 				(CDB[0] == READ_10) ||
2520 				(CDB[0] == WRITE_10))? 2 : 6;
2521 			virtLBA = ((uint64_t)CDB[lba_idx] << 24) |
2522 			    ((uint64_t)CDB[lba_idx + 1] << 16) |
2523 			    ((uint64_t)CDB[lba_idx + 2] << 8) |
2524 			    (uint64_t)CDB[lba_idx + 3];
2525 
2526 			/*
2527 			 * Check that LBA range for I/O does not exceed volume's
2528 			 * MaxLBA.
2529 			 */
2530 			if ((virtLBA + (uint64_t)io_size - 1) <=
2531 			    sc->DD_max_lba) {
2532 				/*
2533 				 * Check if the I/O crosses a stripe boundary.
2534 				 * If not, translate the virtual LBA to a
2535 				 * physical LBA and set the DevHandle for the
2536 				 * PhysDisk to be used.  If it does cross a
2537 				 * boundary, do normal I/O.  To get the right
2538 				 * DevHandle to use, get the map number for the
2539 				 * column, then use that map number to look up
2540 				 * the DevHandle of the PhysDisk.
2541 				 */
2542 				stripe_offset = (uint32_t)virtLBA &
2543 				    (sc->DD_stripe_size - 1);
2544 				if ((stripe_offset + io_size) <=
2545 				    sc->DD_stripe_size) {
2546 					physLBA = (uint32_t)virtLBA >>
2547 					    sc->DD_stripe_exponent;
2548 					stripe_unit = physLBA /
2549 					    sc->DD_num_phys_disks;
2550 					column = physLBA %
2551 					    sc->DD_num_phys_disks;
2552 					pIO_req->DevHandle =
2553 					    htole16(sc->DD_column_map[column].
2554 					    dev_handle);
2555 					cm->cm_desc.SCSIIO.DevHandle =
2556 					    pIO_req->DevHandle;
2557 
2558 					physLBA = (stripe_unit <<
2559 					    sc->DD_stripe_exponent) +
2560 					    stripe_offset;
2561 					ptrLBA =
2562 					    &pIO_req->CDB.CDB32[lba_idx];
2563 					physLBA_byte = (uint8_t)(physLBA >> 24);
2564 					*ptrLBA = physLBA_byte;
2565 					ptrLBA =
2566 					    &pIO_req->CDB.CDB32[lba_idx + 1];
2567 					physLBA_byte = (uint8_t)(physLBA >> 16);
2568 					*ptrLBA = physLBA_byte;
2569 					ptrLBA =
2570 					    &pIO_req->CDB.CDB32[lba_idx + 2];
2571 					physLBA_byte = (uint8_t)(physLBA >> 8);
2572 					*ptrLBA = physLBA_byte;
2573 					ptrLBA =
2574 					    &pIO_req->CDB.CDB32[lba_idx + 3];
2575 					physLBA_byte = (uint8_t)physLBA;
2576 					*ptrLBA = physLBA_byte;
2577 
2578 					/*
2579 					 * Set flag that Direct Drive I/O is
2580 					 * being done.
2581 					 */
2582 					cm->cm_flags |= MPS_CM_FLAGS_DD_IO;
2583 				}
2584 			}
2585 		} else {
2586 			/*
2587 			 * 16-byte CDB and the upper 4 bytes of the CDB are not
2588 			 * 0.  Get the transfer size in blocks.
2589 			 */
2590 			io_size = (cm->cm_length >> sc->DD_block_exponent);
2591 
2592 			/*
2593 			 * Get virtual LBA.
2594 			 */
2595 			virtLBA = ((uint64_t)CDB[2] << 54) |
2596 			    ((uint64_t)CDB[3] << 48) |
2597 			    ((uint64_t)CDB[4] << 40) |
2598 			    ((uint64_t)CDB[5] << 32) |
2599 			    ((uint64_t)CDB[6] << 24) |
2600 			    ((uint64_t)CDB[7] << 16) |
2601 			    ((uint64_t)CDB[8] << 8) |
2602 			    (uint64_t)CDB[9];
2603 
2604 			/*
2605 			 * Check that LBA range for I/O does not exceed volume's
2606 			 * MaxLBA.
2607 			 */
2608 			if ((virtLBA + (uint64_t)io_size - 1) <=
2609 			    sc->DD_max_lba) {
2610 				/*
2611 				 * Check if the I/O crosses a stripe boundary.
2612 				 * If not, translate the virtual LBA to a
2613 				 * physical LBA and set the DevHandle for the
2614 				 * PhysDisk to be used.  If it does cross a
2615 				 * boundary, do normal I/O.  To get the right
2616 				 * DevHandle to use, get the map number for the
2617 				 * column, then use that map number to look up
2618 				 * the DevHandle of the PhysDisk.
2619 				 */
2620 				stripe_offset = (uint32_t)virtLBA &
2621 				    (sc->DD_stripe_size - 1);
2622 				if ((stripe_offset + io_size) <=
2623 				    sc->DD_stripe_size) {
2624 					physLBA = (uint32_t)(virtLBA >>
2625 					    sc->DD_stripe_exponent);
2626 					stripe_unit = physLBA /
2627 					    sc->DD_num_phys_disks;
2628 					column = physLBA %
2629 					    sc->DD_num_phys_disks;
2630 					pIO_req->DevHandle =
2631 					    htole16(sc->DD_column_map[column].
2632 					    dev_handle);
2633 					cm->cm_desc.SCSIIO.DevHandle =
2634 					    pIO_req->DevHandle;
2635 
2636 					physLBA = (stripe_unit <<
2637 					    sc->DD_stripe_exponent) +
2638 					    stripe_offset;
2639 
2640 					/*
2641 					 * Set upper 4 bytes of LBA to 0.  We
2642 					 * assume that the phys disks are less
2643 					 * than 2 TB's in size.  Then, set the
2644 					 * lower 4 bytes.
2645 					 */
2646 					pIO_req->CDB.CDB32[2] = 0;
2647 					pIO_req->CDB.CDB32[3] = 0;
2648 					pIO_req->CDB.CDB32[4] = 0;
2649 					pIO_req->CDB.CDB32[5] = 0;
2650 					ptrLBA = &pIO_req->CDB.CDB32[6];
2651 					physLBA_byte = (uint8_t)(physLBA >> 24);
2652 					*ptrLBA = physLBA_byte;
2653 					ptrLBA = &pIO_req->CDB.CDB32[7];
2654 					physLBA_byte = (uint8_t)(physLBA >> 16);
2655 					*ptrLBA = physLBA_byte;
2656 					ptrLBA = &pIO_req->CDB.CDB32[8];
2657 					physLBA_byte = (uint8_t)(physLBA >> 8);
2658 					*ptrLBA = physLBA_byte;
2659 					ptrLBA = &pIO_req->CDB.CDB32[9];
2660 					physLBA_byte = (uint8_t)physLBA;
2661 					*ptrLBA = physLBA_byte;
2662 
2663 					/*
2664 					 * Set flag that Direct Drive I/O is
2665 					 * being done.
2666 					 */
2667 					cm->cm_flags |= MPS_CM_FLAGS_DD_IO;
2668 				}
2669 			}
2670 		}
2671 	}
2672 }
2673 
2674 #if __FreeBSD_version >= 900026
2675 static void
2676 mpssas_smpio_complete(struct mps_softc *sc, struct mps_command *cm)
2677 {
2678 	MPI2_SMP_PASSTHROUGH_REPLY *rpl;
2679 	MPI2_SMP_PASSTHROUGH_REQUEST *req;
2680 	uint64_t sasaddr;
2681 	union ccb *ccb;
2682 
2683 	ccb = cm->cm_complete_data;
2684 
2685 	/*
2686 	 * Currently there should be no way we can hit this case.  It only
2687 	 * happens when we have a failure to allocate chain frames, and SMP
2688 	 * commands require two S/G elements only.  That should be handled
2689 	 * in the standard request size.
2690 	 */
2691 	if ((cm->cm_flags & MPS_CM_FLAGS_ERROR_MASK) != 0) {
2692 		mps_dprint(sc, MPS_ERROR,"%s: cm_flags = %#x on SMP request!\n",
2693 			   __func__, cm->cm_flags);
2694 		mpssas_set_ccbstatus(ccb, CAM_REQ_CMP_ERR);
2695 		goto bailout;
2696         }
2697 
2698 	rpl = (MPI2_SMP_PASSTHROUGH_REPLY *)cm->cm_reply;
2699 	if (rpl == NULL) {
2700 		mps_dprint(sc, MPS_ERROR, "%s: NULL cm_reply!\n", __func__);
2701 		mpssas_set_ccbstatus(ccb, CAM_REQ_CMP_ERR);
2702 		goto bailout;
2703 	}
2704 
2705 	req = (MPI2_SMP_PASSTHROUGH_REQUEST *)cm->cm_req;
2706 	sasaddr = le32toh(req->SASAddress.Low);
2707 	sasaddr |= ((uint64_t)(le32toh(req->SASAddress.High))) << 32;
2708 
2709 	if ((le16toh(rpl->IOCStatus) & MPI2_IOCSTATUS_MASK) !=
2710 	    MPI2_IOCSTATUS_SUCCESS ||
2711 	    rpl->SASStatus != MPI2_SASSTATUS_SUCCESS) {
2712 		mps_dprint(sc, MPS_XINFO, "%s: IOCStatus %04x SASStatus %02x\n",
2713 		    __func__, le16toh(rpl->IOCStatus), rpl->SASStatus);
2714 		mpssas_set_ccbstatus(ccb, CAM_REQ_CMP_ERR);
2715 		goto bailout;
2716 	}
2717 
2718 	mps_dprint(sc, MPS_XINFO, "%s: SMP request to SAS address "
2719 		   "%#jx completed successfully\n", __func__,
2720 		   (uintmax_t)sasaddr);
2721 
2722 	if (ccb->smpio.smp_response[2] == SMP_FR_ACCEPTED)
2723 		mpssas_set_ccbstatus(ccb, CAM_REQ_CMP);
2724 	else
2725 		mpssas_set_ccbstatus(ccb, CAM_SMP_STATUS_ERROR);
2726 
2727 bailout:
2728 	/*
2729 	 * We sync in both directions because we had DMAs in the S/G list
2730 	 * in both directions.
2731 	 */
2732 	bus_dmamap_sync(sc->buffer_dmat, cm->cm_dmamap,
2733 			BUS_DMASYNC_POSTREAD | BUS_DMASYNC_POSTWRITE);
2734 	bus_dmamap_unload(sc->buffer_dmat, cm->cm_dmamap);
2735 	mps_free_command(sc, cm);
2736 	xpt_done(ccb);
2737 }
2738 
2739 static void
2740 mpssas_send_smpcmd(struct mpssas_softc *sassc, union ccb *ccb, uint64_t sasaddr)
2741 {
2742 	struct mps_command *cm;
2743 	uint8_t *request, *response;
2744 	MPI2_SMP_PASSTHROUGH_REQUEST *req;
2745 	struct mps_softc *sc;
2746 	int error;
2747 
2748 	sc = sassc->sc;
2749 	error = 0;
2750 
2751 	/*
2752 	 * XXX We don't yet support physical addresses here.
2753 	 */
2754 	switch ((ccb->ccb_h.flags & CAM_DATA_MASK)) {
2755 	case CAM_DATA_PADDR:
2756 	case CAM_DATA_SG_PADDR:
2757 		mps_dprint(sc, MPS_ERROR,
2758 			   "%s: physical addresses not supported\n", __func__);
2759 		mpssas_set_ccbstatus(ccb, CAM_REQ_INVALID);
2760 		xpt_done(ccb);
2761 		return;
2762 	case CAM_DATA_SG:
2763 		/*
2764 		 * The chip does not support more than one buffer for the
2765 		 * request or response.
2766 		 */
2767 	 	if ((ccb->smpio.smp_request_sglist_cnt > 1)
2768 		  || (ccb->smpio.smp_response_sglist_cnt > 1)) {
2769 			mps_dprint(sc, MPS_ERROR,
2770 				   "%s: multiple request or response "
2771 				   "buffer segments not supported for SMP\n",
2772 				   __func__);
2773 			mpssas_set_ccbstatus(ccb, CAM_REQ_INVALID);
2774 			xpt_done(ccb);
2775 			return;
2776 		}
2777 
2778 		/*
2779 		 * The CAM_SCATTER_VALID flag was originally implemented
2780 		 * for the XPT_SCSI_IO CCB, which only has one data pointer.
2781 		 * We have two.  So, just take that flag to mean that we
2782 		 * might have S/G lists, and look at the S/G segment count
2783 		 * to figure out whether that is the case for each individual
2784 		 * buffer.
2785 		 */
2786 		if (ccb->smpio.smp_request_sglist_cnt != 0) {
2787 			bus_dma_segment_t *req_sg;
2788 
2789 			req_sg = (bus_dma_segment_t *)ccb->smpio.smp_request;
2790 			request = (uint8_t *)(uintptr_t)req_sg[0].ds_addr;
2791 		} else
2792 			request = ccb->smpio.smp_request;
2793 
2794 		if (ccb->smpio.smp_response_sglist_cnt != 0) {
2795 			bus_dma_segment_t *rsp_sg;
2796 
2797 			rsp_sg = (bus_dma_segment_t *)ccb->smpio.smp_response;
2798 			response = (uint8_t *)(uintptr_t)rsp_sg[0].ds_addr;
2799 		} else
2800 			response = ccb->smpio.smp_response;
2801 		break;
2802 	case CAM_DATA_VADDR:
2803 		request = ccb->smpio.smp_request;
2804 		response = ccb->smpio.smp_response;
2805 		break;
2806 	default:
2807 		mpssas_set_ccbstatus(ccb, CAM_REQ_INVALID);
2808 		xpt_done(ccb);
2809 		return;
2810 	}
2811 
2812 	cm = mps_alloc_command(sc);
2813 	if (cm == NULL) {
2814 		mps_dprint(sc, MPS_ERROR,
2815 		    "%s: cannot allocate command\n", __func__);
2816 		mpssas_set_ccbstatus(ccb, CAM_RESRC_UNAVAIL);
2817 		xpt_done(ccb);
2818 		return;
2819 	}
2820 
2821 	req = (MPI2_SMP_PASSTHROUGH_REQUEST *)cm->cm_req;
2822 	bzero(req, sizeof(*req));
2823 	req->Function = MPI2_FUNCTION_SMP_PASSTHROUGH;
2824 
2825 	/* Allow the chip to use any route to this SAS address. */
2826 	req->PhysicalPort = 0xff;
2827 
2828 	req->RequestDataLength = htole16(ccb->smpio.smp_request_len);
2829 	req->SGLFlags =
2830 	    MPI2_SGLFLAGS_SYSTEM_ADDRESS_SPACE | MPI2_SGLFLAGS_SGL_TYPE_MPI;
2831 
2832 	mps_dprint(sc, MPS_XINFO, "%s: sending SMP request to SAS "
2833 	    "address %#jx\n", __func__, (uintmax_t)sasaddr);
2834 
2835 	mpi_init_sge(cm, req, &req->SGL);
2836 
2837 	/*
2838 	 * Set up a uio to pass into mps_map_command().  This allows us to
2839 	 * do one map command, and one busdma call in there.
2840 	 */
2841 	cm->cm_uio.uio_iov = cm->cm_iovec;
2842 	cm->cm_uio.uio_iovcnt = 2;
2843 	cm->cm_uio.uio_segflg = UIO_SYSSPACE;
2844 
2845 	/*
2846 	 * The read/write flag isn't used by busdma, but set it just in
2847 	 * case.  This isn't exactly accurate, either, since we're going in
2848 	 * both directions.
2849 	 */
2850 	cm->cm_uio.uio_rw = UIO_WRITE;
2851 
2852 	cm->cm_iovec[0].iov_base = request;
2853 	cm->cm_iovec[0].iov_len = le16toh(req->RequestDataLength);
2854 	cm->cm_iovec[1].iov_base = response;
2855 	cm->cm_iovec[1].iov_len = ccb->smpio.smp_response_len;
2856 
2857 	cm->cm_uio.uio_resid = cm->cm_iovec[0].iov_len +
2858 			       cm->cm_iovec[1].iov_len;
2859 
2860 	/*
2861 	 * Trigger a warning message in mps_data_cb() for the user if we
2862 	 * wind up exceeding two S/G segments.  The chip expects one
2863 	 * segment for the request and another for the response.
2864 	 */
2865 	cm->cm_max_segs = 2;
2866 
2867 	cm->cm_desc.Default.RequestFlags = MPI2_REQ_DESCRIPT_FLAGS_DEFAULT_TYPE;
2868 	cm->cm_complete = mpssas_smpio_complete;
2869 	cm->cm_complete_data = ccb;
2870 
2871 	/*
2872 	 * Tell the mapping code that we're using a uio, and that this is
2873 	 * an SMP passthrough request.  There is a little special-case
2874 	 * logic there (in mps_data_cb()) to handle the bidirectional
2875 	 * transfer.
2876 	 */
2877 	cm->cm_flags |= MPS_CM_FLAGS_USE_UIO | MPS_CM_FLAGS_SMP_PASS |
2878 			MPS_CM_FLAGS_DATAIN | MPS_CM_FLAGS_DATAOUT;
2879 
2880 	/* The chip data format is little endian. */
2881 	req->SASAddress.High = htole32(sasaddr >> 32);
2882 	req->SASAddress.Low = htole32(sasaddr);
2883 
2884 	/*
2885 	 * XXX Note that we don't have a timeout/abort mechanism here.
2886 	 * From the manual, it looks like task management requests only
2887 	 * work for SCSI IO and SATA passthrough requests.  We may need to
2888 	 * have a mechanism to retry requests in the event of a chip reset
2889 	 * at least.  Hopefully the chip will insure that any errors short
2890 	 * of that are relayed back to the driver.
2891 	 */
2892 	error = mps_map_command(sc, cm);
2893 	if ((error != 0) && (error != EINPROGRESS)) {
2894 		mps_dprint(sc, MPS_ERROR,
2895 			   "%s: error %d returned from mps_map_command()\n",
2896 			   __func__, error);
2897 		goto bailout_error;
2898 	}
2899 
2900 	return;
2901 
2902 bailout_error:
2903 	mps_free_command(sc, cm);
2904 	mpssas_set_ccbstatus(ccb, CAM_RESRC_UNAVAIL);
2905 	xpt_done(ccb);
2906 	return;
2907 
2908 }
2909 
2910 static void
2911 mpssas_action_smpio(struct mpssas_softc *sassc, union ccb *ccb)
2912 {
2913 	struct mps_softc *sc;
2914 	struct mpssas_target *targ;
2915 	uint64_t sasaddr = 0;
2916 
2917 	sc = sassc->sc;
2918 
2919 	/*
2920 	 * Make sure the target exists.
2921 	 */
2922 	KASSERT(ccb->ccb_h.target_id < sassc->maxtargets,
2923 	    ("Target %d out of bounds in XPT_SMP_IO\n", ccb->ccb_h.target_id));
2924 	targ = &sassc->targets[ccb->ccb_h.target_id];
2925 	if (targ->handle == 0x0) {
2926 		mps_dprint(sc, MPS_ERROR,
2927 			   "%s: target %d does not exist!\n", __func__,
2928 			   ccb->ccb_h.target_id);
2929 		mpssas_set_ccbstatus(ccb, CAM_SEL_TIMEOUT);
2930 		xpt_done(ccb);
2931 		return;
2932 	}
2933 
2934 	/*
2935 	 * If this device has an embedded SMP target, we'll talk to it
2936 	 * directly.
2937 	 * figure out what the expander's address is.
2938 	 */
2939 	if ((targ->devinfo & MPI2_SAS_DEVICE_INFO_SMP_TARGET) != 0)
2940 		sasaddr = targ->sasaddr;
2941 
2942 	/*
2943 	 * If we don't have a SAS address for the expander yet, try
2944 	 * grabbing it from the page 0x83 information cached in the
2945 	 * transport layer for this target.  LSI expanders report the
2946 	 * expander SAS address as the port-associated SAS address in
2947 	 * Inquiry VPD page 0x83.  Maxim expanders don't report it in page
2948 	 * 0x83.
2949 	 *
2950 	 * XXX KDM disable this for now, but leave it commented out so that
2951 	 * it is obvious that this is another possible way to get the SAS
2952 	 * address.
2953 	 *
2954 	 * The parent handle method below is a little more reliable, and
2955 	 * the other benefit is that it works for devices other than SES
2956 	 * devices.  So you can send a SMP request to a da(4) device and it
2957 	 * will get routed to the expander that device is attached to.
2958 	 * (Assuming the da(4) device doesn't contain an SMP target...)
2959 	 */
2960 #if 0
2961 	if (sasaddr == 0)
2962 		sasaddr = xpt_path_sas_addr(ccb->ccb_h.path);
2963 #endif
2964 
2965 	/*
2966 	 * If we still don't have a SAS address for the expander, look for
2967 	 * the parent device of this device, which is probably the expander.
2968 	 */
2969 	if (sasaddr == 0) {
2970 #ifdef OLD_MPS_PROBE
2971 		struct mpssas_target *parent_target;
2972 #endif
2973 
2974 		if (targ->parent_handle == 0x0) {
2975 			mps_dprint(sc, MPS_ERROR,
2976 				   "%s: handle %d does not have a valid "
2977 				   "parent handle!\n", __func__, targ->handle);
2978 			mpssas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
2979 			goto bailout;
2980 		}
2981 #ifdef OLD_MPS_PROBE
2982 		parent_target = mpssas_find_target_by_handle(sassc, 0,
2983 			targ->parent_handle);
2984 
2985 		if (parent_target == NULL) {
2986 			mps_dprint(sc, MPS_ERROR,
2987 				   "%s: handle %d does not have a valid "
2988 				   "parent target!\n", __func__, targ->handle);
2989 			mpssas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
2990 			goto bailout;
2991 		}
2992 
2993 		if ((parent_target->devinfo &
2994 		     MPI2_SAS_DEVICE_INFO_SMP_TARGET) == 0) {
2995 			mps_dprint(sc, MPS_ERROR,
2996 				   "%s: handle %d parent %d does not "
2997 				   "have an SMP target!\n", __func__,
2998 				   targ->handle, parent_target->handle);
2999 			mpssas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
3000 			goto bailout;
3001 
3002 		}
3003 
3004 		sasaddr = parent_target->sasaddr;
3005 #else /* OLD_MPS_PROBE */
3006 		if ((targ->parent_devinfo &
3007 		     MPI2_SAS_DEVICE_INFO_SMP_TARGET) == 0) {
3008 			mps_dprint(sc, MPS_ERROR,
3009 				   "%s: handle %d parent %d does not "
3010 				   "have an SMP target!\n", __func__,
3011 				   targ->handle, targ->parent_handle);
3012 			mpssas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
3013 			goto bailout;
3014 
3015 		}
3016 		if (targ->parent_sasaddr == 0x0) {
3017 			mps_dprint(sc, MPS_ERROR,
3018 				   "%s: handle %d parent handle %d does "
3019 				   "not have a valid SAS address!\n",
3020 				   __func__, targ->handle, targ->parent_handle);
3021 			mpssas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
3022 			goto bailout;
3023 		}
3024 
3025 		sasaddr = targ->parent_sasaddr;
3026 #endif /* OLD_MPS_PROBE */
3027 
3028 	}
3029 
3030 	if (sasaddr == 0) {
3031 		mps_dprint(sc, MPS_INFO,
3032 			   "%s: unable to find SAS address for handle %d\n",
3033 			   __func__, targ->handle);
3034 		mpssas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
3035 		goto bailout;
3036 	}
3037 	mpssas_send_smpcmd(sassc, ccb, sasaddr);
3038 
3039 	return;
3040 
3041 bailout:
3042 	xpt_done(ccb);
3043 
3044 }
3045 #endif //__FreeBSD_version >= 900026
3046 
3047 static void
3048 mpssas_action_resetdev(struct mpssas_softc *sassc, union ccb *ccb)
3049 {
3050 	MPI2_SCSI_TASK_MANAGE_REQUEST *req;
3051 	struct mps_softc *sc;
3052 	struct mps_command *tm;
3053 	struct mpssas_target *targ;
3054 
3055 	MPS_FUNCTRACE(sassc->sc);
3056 	mtx_assert(&sassc->sc->mps_mtx, MA_OWNED);
3057 
3058 	KASSERT(ccb->ccb_h.target_id < sassc->maxtargets,
3059 	    ("Target %d out of bounds in XPT_RESET_DEV\n",
3060 	     ccb->ccb_h.target_id));
3061 	sc = sassc->sc;
3062 	tm = mpssas_alloc_tm(sc);
3063 	if (tm == NULL) {
3064 		mps_dprint(sc, MPS_ERROR,
3065 		    "command alloc failure in mpssas_action_resetdev\n");
3066 		mpssas_set_ccbstatus(ccb, CAM_RESRC_UNAVAIL);
3067 		xpt_done(ccb);
3068 		return;
3069 	}
3070 
3071 	targ = &sassc->targets[ccb->ccb_h.target_id];
3072 	req = (MPI2_SCSI_TASK_MANAGE_REQUEST *)tm->cm_req;
3073 	req->DevHandle = htole16(targ->handle);
3074 	req->TaskType = MPI2_SCSITASKMGMT_TASKTYPE_TARGET_RESET;
3075 
3076 	/* SAS Hard Link Reset / SATA Link Reset */
3077 	req->MsgFlags = MPI2_SCSITASKMGMT_MSGFLAGS_LINK_RESET;
3078 
3079 	tm->cm_data = NULL;
3080 	tm->cm_complete = mpssas_resetdev_complete;
3081 	tm->cm_complete_data = ccb;
3082 	tm->cm_targ = targ;
3083 
3084 	mpssas_prepare_for_tm(sc, tm, targ, CAM_LUN_WILDCARD);
3085 	mps_map_command(sc, tm);
3086 }
3087 
3088 static void
3089 mpssas_resetdev_complete(struct mps_softc *sc, struct mps_command *tm)
3090 {
3091 	MPI2_SCSI_TASK_MANAGE_REPLY *resp;
3092 	union ccb *ccb;
3093 
3094 	MPS_FUNCTRACE(sc);
3095 	mtx_assert(&sc->mps_mtx, MA_OWNED);
3096 
3097 	resp = (MPI2_SCSI_TASK_MANAGE_REPLY *)tm->cm_reply;
3098 	ccb = tm->cm_complete_data;
3099 
3100 	/*
3101 	 * Currently there should be no way we can hit this case.  It only
3102 	 * happens when we have a failure to allocate chain frames, and
3103 	 * task management commands don't have S/G lists.
3104 	 */
3105 	if ((tm->cm_flags & MPS_CM_FLAGS_ERROR_MASK) != 0) {
3106 		MPI2_SCSI_TASK_MANAGE_REQUEST *req;
3107 
3108 		req = (MPI2_SCSI_TASK_MANAGE_REQUEST *)tm->cm_req;
3109 
3110 		mps_dprint(sc, MPS_ERROR,
3111 			   "%s: cm_flags = %#x for reset of handle %#04x! "
3112 			   "This should not happen!\n", __func__, tm->cm_flags,
3113 			   req->DevHandle);
3114 		mpssas_set_ccbstatus(ccb, CAM_REQ_CMP_ERR);
3115 		goto bailout;
3116 	}
3117 
3118 	mps_dprint(sc, MPS_XINFO,
3119 	    "%s: IOCStatus = 0x%x ResponseCode = 0x%x\n", __func__,
3120 	    le16toh(resp->IOCStatus), le32toh(resp->ResponseCode));
3121 
3122 	if (le32toh(resp->ResponseCode) == MPI2_SCSITASKMGMT_RSP_TM_COMPLETE) {
3123 		mpssas_set_ccbstatus(ccb, CAM_REQ_CMP);
3124 		mpssas_announce_reset(sc, AC_SENT_BDR, tm->cm_targ->tid,
3125 		    CAM_LUN_WILDCARD);
3126 	}
3127 	else
3128 		mpssas_set_ccbstatus(ccb, CAM_REQ_CMP_ERR);
3129 
3130 bailout:
3131 
3132 	mpssas_free_tm(sc, tm);
3133 	xpt_done(ccb);
3134 }
3135 
3136 static void
3137 mpssas_poll(struct cam_sim *sim)
3138 {
3139 	struct mpssas_softc *sassc;
3140 
3141 	sassc = cam_sim_softc(sim);
3142 
3143 	if (sassc->sc->mps_debug & MPS_TRACE) {
3144 		/* frequent debug messages during a panic just slow
3145 		 * everything down too much.
3146 		 */
3147 		mps_printf(sassc->sc, "%s clearing MPS_TRACE\n", __func__);
3148 		sassc->sc->mps_debug &= ~MPS_TRACE;
3149 	}
3150 
3151 	mps_intr_locked(sassc->sc);
3152 }
3153 
3154 static void
3155 mpssas_async(void *callback_arg, uint32_t code, struct cam_path *path,
3156 	     void *arg)
3157 {
3158 	struct mps_softc *sc;
3159 
3160 	sc = (struct mps_softc *)callback_arg;
3161 
3162 	switch (code) {
3163 #if (__FreeBSD_version >= 1000006) || \
3164     ((__FreeBSD_version >= 901503) && (__FreeBSD_version < 1000000))
3165 	case AC_ADVINFO_CHANGED: {
3166 		struct mpssas_target *target;
3167 		struct mpssas_softc *sassc;
3168 		struct scsi_read_capacity_data_long rcap_buf;
3169 		struct ccb_dev_advinfo cdai;
3170 		struct mpssas_lun *lun;
3171 		lun_id_t lunid;
3172 		int found_lun;
3173 		uintptr_t buftype;
3174 
3175 		buftype = (uintptr_t)arg;
3176 
3177 		found_lun = 0;
3178 		sassc = sc->sassc;
3179 
3180 		/*
3181 		 * We're only interested in read capacity data changes.
3182 		 */
3183 		if (buftype != CDAI_TYPE_RCAPLONG)
3184 			break;
3185 
3186 		/*
3187 		 * We should have a handle for this, but check to make sure.
3188 		 */
3189 		KASSERT(xpt_path_target_id(path) < sassc->maxtargets,
3190 		    ("Target %d out of bounds in mpssas_async\n",
3191 		    xpt_path_target_id(path)));
3192 		target = &sassc->targets[xpt_path_target_id(path)];
3193 		if (target->handle == 0)
3194 			break;
3195 
3196 		lunid = xpt_path_lun_id(path);
3197 
3198 		SLIST_FOREACH(lun, &target->luns, lun_link) {
3199 			if (lun->lun_id == lunid) {
3200 				found_lun = 1;
3201 				break;
3202 			}
3203 		}
3204 
3205 		if (found_lun == 0) {
3206 			lun = malloc(sizeof(struct mpssas_lun), M_MPT2,
3207 				     M_NOWAIT | M_ZERO);
3208 			if (lun == NULL) {
3209 				mps_dprint(sc, MPS_ERROR, "Unable to alloc "
3210 					   "LUN for EEDP support.\n");
3211 				break;
3212 			}
3213 			lun->lun_id = lunid;
3214 			SLIST_INSERT_HEAD(&target->luns, lun, lun_link);
3215 		}
3216 
3217 		bzero(&rcap_buf, sizeof(rcap_buf));
3218 		xpt_setup_ccb(&cdai.ccb_h, path, CAM_PRIORITY_NORMAL);
3219 		cdai.ccb_h.func_code = XPT_DEV_ADVINFO;
3220 		cdai.ccb_h.flags = CAM_DIR_IN;
3221 		cdai.buftype = CDAI_TYPE_RCAPLONG;
3222 #if (__FreeBSD_version >= 1100061) || \
3223     ((__FreeBSD_version >= 1001510) && (__FreeBSD_version < 1100000))
3224 		cdai.flags = CDAI_FLAG_NONE;
3225 #else
3226 		cdai.flags = 0;
3227 #endif
3228 		cdai.bufsiz = sizeof(rcap_buf);
3229 		cdai.buf = (uint8_t *)&rcap_buf;
3230 		xpt_action((union ccb *)&cdai);
3231 		if ((cdai.ccb_h.status & CAM_DEV_QFRZN) != 0)
3232 			cam_release_devq(cdai.ccb_h.path,
3233 					 0, 0, 0, FALSE);
3234 
3235 		if ((mpssas_get_ccbstatus((union ccb *)&cdai) == CAM_REQ_CMP)
3236 		 && (rcap_buf.prot & SRC16_PROT_EN)) {
3237 			switch (rcap_buf.prot & SRC16_P_TYPE) {
3238 			case SRC16_PTYPE_1:
3239 			case SRC16_PTYPE_3:
3240 				lun->eedp_formatted = TRUE;
3241 				lun->eedp_block_size =
3242 				    scsi_4btoul(rcap_buf.length);
3243 				break;
3244 			case SRC16_PTYPE_2:
3245 			default:
3246 				lun->eedp_formatted = FALSE;
3247 				lun->eedp_block_size = 0;
3248 				break;
3249 			}
3250 		} else {
3251 			lun->eedp_formatted = FALSE;
3252 			lun->eedp_block_size = 0;
3253 		}
3254 		break;
3255 	}
3256 #else
3257 	case AC_FOUND_DEVICE: {
3258 		struct ccb_getdev *cgd;
3259 
3260 		cgd = arg;
3261 		mpssas_check_eedp(sc, path, cgd);
3262 		break;
3263 	}
3264 #endif
3265 	default:
3266 		break;
3267 	}
3268 }
3269 
3270 #if (__FreeBSD_version < 901503) || \
3271     ((__FreeBSD_version >= 1000000) && (__FreeBSD_version < 1000006))
3272 static void
3273 mpssas_check_eedp(struct mps_softc *sc, struct cam_path *path,
3274 		  struct ccb_getdev *cgd)
3275 {
3276 	struct mpssas_softc *sassc = sc->sassc;
3277 	struct ccb_scsiio *csio;
3278 	struct scsi_read_capacity_16 *scsi_cmd;
3279 	struct scsi_read_capacity_eedp *rcap_buf;
3280 	path_id_t pathid;
3281 	target_id_t targetid;
3282 	lun_id_t lunid;
3283 	union ccb *ccb;
3284 	struct cam_path *local_path;
3285 	struct mpssas_target *target;
3286 	struct mpssas_lun *lun;
3287 	uint8_t	found_lun;
3288 	char path_str[64];
3289 
3290 	sassc = sc->sassc;
3291 	pathid = cam_sim_path(sassc->sim);
3292 	targetid = xpt_path_target_id(path);
3293 	lunid = xpt_path_lun_id(path);
3294 
3295 	KASSERT(targetid < sassc->maxtargets,
3296 	    ("Target %d out of bounds in mpssas_check_eedp\n",
3297 	     targetid));
3298 	target = &sassc->targets[targetid];
3299 	if (target->handle == 0x0)
3300 		return;
3301 
3302 	/*
3303 	 * Determine if the device is EEDP capable.
3304 	 *
3305 	 * If this flag is set in the inquiry data,
3306 	 * the device supports protection information,
3307 	 * and must support the 16 byte read
3308 	 * capacity command, otherwise continue without
3309 	 * sending read cap 16
3310 	 */
3311 	if ((cgd->inq_data.spc3_flags & SPC3_SID_PROTECT) == 0)
3312 		return;
3313 
3314 	/*
3315 	 * Issue a READ CAPACITY 16 command.  This info
3316 	 * is used to determine if the LUN is formatted
3317 	 * for EEDP support.
3318 	 */
3319 	ccb = xpt_alloc_ccb_nowait();
3320 	if (ccb == NULL) {
3321 		mps_dprint(sc, MPS_ERROR, "Unable to alloc CCB "
3322 		    "for EEDP support.\n");
3323 		return;
3324 	}
3325 
3326 	if (xpt_create_path(&local_path, xpt_periph,
3327 	    pathid, targetid, lunid) != CAM_REQ_CMP) {
3328 		mps_dprint(sc, MPS_ERROR, "Unable to create "
3329 		    "path for EEDP support\n");
3330 		xpt_free_ccb(ccb);
3331 		return;
3332 	}
3333 
3334 	/*
3335 	 * If LUN is already in list, don't create a new
3336 	 * one.
3337 	 */
3338 	found_lun = FALSE;
3339 	SLIST_FOREACH(lun, &target->luns, lun_link) {
3340 		if (lun->lun_id == lunid) {
3341 			found_lun = TRUE;
3342 			break;
3343 		}
3344 	}
3345 	if (!found_lun) {
3346 		lun = malloc(sizeof(struct mpssas_lun), M_MPT2,
3347 		    M_NOWAIT | M_ZERO);
3348 		if (lun == NULL) {
3349 			mps_dprint(sc, MPS_ERROR,
3350 			    "Unable to alloc LUN for EEDP support.\n");
3351 			xpt_free_path(local_path);
3352 			xpt_free_ccb(ccb);
3353 			return;
3354 		}
3355 		lun->lun_id = lunid;
3356 		SLIST_INSERT_HEAD(&target->luns, lun,
3357 		    lun_link);
3358 	}
3359 
3360 	xpt_path_string(local_path, path_str, sizeof(path_str));
3361 
3362 	mps_dprint(sc, MPS_INFO, "Sending read cap: path %s handle %d\n",
3363 	    path_str, target->handle);
3364 
3365 	/*
3366 	 * Issue a READ CAPACITY 16 command for the LUN.
3367 	 * The mpssas_read_cap_done function will load
3368 	 * the read cap info into the LUN struct.
3369 	 */
3370 	rcap_buf = malloc(sizeof(struct scsi_read_capacity_eedp),
3371 	    M_MPT2, M_NOWAIT | M_ZERO);
3372 	if (rcap_buf == NULL) {
3373 		mps_dprint(sc, MPS_FAULT,
3374 		    "Unable to alloc read capacity buffer for EEDP support.\n");
3375 		xpt_free_path(ccb->ccb_h.path);
3376 		xpt_free_ccb(ccb);
3377 		return;
3378 	}
3379 	xpt_setup_ccb(&ccb->ccb_h, local_path, CAM_PRIORITY_XPT);
3380 	csio = &ccb->csio;
3381 	csio->ccb_h.func_code = XPT_SCSI_IO;
3382 	csio->ccb_h.flags = CAM_DIR_IN;
3383 	csio->ccb_h.retry_count = 4;
3384 	csio->ccb_h.cbfcnp = mpssas_read_cap_done;
3385 	csio->ccb_h.timeout = 60000;
3386 	csio->data_ptr = (uint8_t *)rcap_buf;
3387 	csio->dxfer_len = sizeof(struct scsi_read_capacity_eedp);
3388 	csio->sense_len = MPS_SENSE_LEN;
3389 	csio->cdb_len = sizeof(*scsi_cmd);
3390 	csio->tag_action = MSG_SIMPLE_Q_TAG;
3391 
3392 	scsi_cmd = (struct scsi_read_capacity_16 *)&csio->cdb_io.cdb_bytes;
3393 	bzero(scsi_cmd, sizeof(*scsi_cmd));
3394 	scsi_cmd->opcode = 0x9E;
3395 	scsi_cmd->service_action = SRC16_SERVICE_ACTION;
3396 	((uint8_t *)scsi_cmd)[13] = sizeof(struct scsi_read_capacity_eedp);
3397 
3398 	ccb->ccb_h.ppriv_ptr1 = sassc;
3399 	xpt_action(ccb);
3400 }
3401 
3402 static void
3403 mpssas_read_cap_done(struct cam_periph *periph, union ccb *done_ccb)
3404 {
3405 	struct mpssas_softc *sassc;
3406 	struct mpssas_target *target;
3407 	struct mpssas_lun *lun;
3408 	struct scsi_read_capacity_eedp *rcap_buf;
3409 
3410 	if (done_ccb == NULL)
3411 		return;
3412 
3413 	/* Driver need to release devq, it Scsi command is
3414 	 * generated by driver internally.
3415 	 * Currently there is a single place where driver
3416 	 * calls scsi command internally. In future if driver
3417 	 * calls more scsi command internally, it needs to release
3418 	 * devq internally, since those command will not go back to
3419 	 * cam_periph.
3420 	 */
3421 	if ((done_ccb->ccb_h.status & CAM_DEV_QFRZN) ) {
3422         	done_ccb->ccb_h.status &= ~CAM_DEV_QFRZN;
3423 		xpt_release_devq(done_ccb->ccb_h.path,
3424 			       	/*count*/ 1, /*run_queue*/TRUE);
3425 	}
3426 
3427 	rcap_buf = (struct scsi_read_capacity_eedp *)done_ccb->csio.data_ptr;
3428 
3429 	/*
3430 	 * Get the LUN ID for the path and look it up in the LUN list for the
3431 	 * target.
3432 	 */
3433 	sassc = (struct mpssas_softc *)done_ccb->ccb_h.ppriv_ptr1;
3434 	KASSERT(done_ccb->ccb_h.target_id < sassc->maxtargets,
3435 	    ("Target %d out of bounds in mpssas_read_cap_done\n",
3436 	     done_ccb->ccb_h.target_id));
3437 	target = &sassc->targets[done_ccb->ccb_h.target_id];
3438 	SLIST_FOREACH(lun, &target->luns, lun_link) {
3439 		if (lun->lun_id != done_ccb->ccb_h.target_lun)
3440 			continue;
3441 
3442 		/*
3443 		 * Got the LUN in the target's LUN list.  Fill it in
3444 		 * with EEDP info.  If the READ CAP 16 command had some
3445 		 * SCSI error (common if command is not supported), mark
3446 		 * the lun as not supporting EEDP and set the block size
3447 		 * to 0.
3448 		 */
3449 		if ((mpssas_get_ccbstatus(done_ccb) != CAM_REQ_CMP)
3450 		 || (done_ccb->csio.scsi_status != SCSI_STATUS_OK)) {
3451 			lun->eedp_formatted = FALSE;
3452 			lun->eedp_block_size = 0;
3453 			break;
3454 		}
3455 
3456 		if (rcap_buf->protect & 0x01) {
3457 			mps_dprint(sassc->sc, MPS_INFO, "LUN %d for "
3458  			    "target ID %d is formatted for EEDP "
3459  			    "support.\n", done_ccb->ccb_h.target_lun,
3460  			    done_ccb->ccb_h.target_id);
3461 			lun->eedp_formatted = TRUE;
3462 			lun->eedp_block_size = scsi_4btoul(rcap_buf->length);
3463 		}
3464 		break;
3465 	}
3466 
3467 	// Finished with this CCB and path.
3468 	free(rcap_buf, M_MPT2);
3469 	xpt_free_path(done_ccb->ccb_h.path);
3470 	xpt_free_ccb(done_ccb);
3471 }
3472 #endif /* (__FreeBSD_version < 901503) || \
3473           ((__FreeBSD_version >= 1000000) && (__FreeBSD_version < 1000006)) */
3474 
3475 /*
3476  * Set the INRESET flag for this target so that no I/O will be sent to
3477  * the target until the reset has completed.  If an I/O request does
3478  * happen, the devq will be frozen.  The CCB holds the path which is
3479  * used to release the devq.  The devq is released and the CCB is freed
3480  * when the TM completes.
3481  */
3482 void
3483 mpssas_prepare_for_tm(struct mps_softc *sc, struct mps_command *tm,
3484     struct mpssas_target *target, lun_id_t lun_id)
3485 {
3486 	union ccb *ccb;
3487 	path_id_t path_id;
3488 
3489 	ccb = xpt_alloc_ccb_nowait();
3490 	if (ccb) {
3491 		path_id = cam_sim_path(sc->sassc->sim);
3492 		if (xpt_create_path(&ccb->ccb_h.path, xpt_periph, path_id,
3493 		    target->tid, lun_id) != CAM_REQ_CMP) {
3494 			xpt_free_ccb(ccb);
3495 		} else {
3496 			tm->cm_ccb = ccb;
3497 			tm->cm_targ = target;
3498 			target->flags |= MPSSAS_TARGET_INRESET;
3499 		}
3500 	}
3501 }
3502 
3503 int
3504 mpssas_startup(struct mps_softc *sc)
3505 {
3506 
3507 	/*
3508 	 * Send the port enable message and set the wait_for_port_enable flag.
3509 	 * This flag helps to keep the simq frozen until all discovery events
3510 	 * are processed.
3511 	 */
3512 	sc->wait_for_port_enable = 1;
3513 	mpssas_send_portenable(sc);
3514 	return (0);
3515 }
3516 
3517 static int
3518 mpssas_send_portenable(struct mps_softc *sc)
3519 {
3520 	MPI2_PORT_ENABLE_REQUEST *request;
3521 	struct mps_command *cm;
3522 
3523 	MPS_FUNCTRACE(sc);
3524 
3525 	if ((cm = mps_alloc_command(sc)) == NULL)
3526 		return (EBUSY);
3527 	request = (MPI2_PORT_ENABLE_REQUEST *)cm->cm_req;
3528 	request->Function = MPI2_FUNCTION_PORT_ENABLE;
3529 	request->MsgFlags = 0;
3530 	request->VP_ID = 0;
3531 	cm->cm_desc.Default.RequestFlags = MPI2_REQ_DESCRIPT_FLAGS_DEFAULT_TYPE;
3532 	cm->cm_complete = mpssas_portenable_complete;
3533 	cm->cm_data = NULL;
3534 	cm->cm_sge = NULL;
3535 
3536 	mps_map_command(sc, cm);
3537 	mps_dprint(sc, MPS_XINFO,
3538 	    "mps_send_portenable finished cm %p req %p complete %p\n",
3539 	    cm, cm->cm_req, cm->cm_complete);
3540 	return (0);
3541 }
3542 
3543 static void
3544 mpssas_portenable_complete(struct mps_softc *sc, struct mps_command *cm)
3545 {
3546 	MPI2_PORT_ENABLE_REPLY *reply;
3547 	struct mpssas_softc *sassc;
3548 
3549 	MPS_FUNCTRACE(sc);
3550 	sassc = sc->sassc;
3551 
3552 	/*
3553 	 * Currently there should be no way we can hit this case.  It only
3554 	 * happens when we have a failure to allocate chain frames, and
3555 	 * port enable commands don't have S/G lists.
3556 	 */
3557 	if ((cm->cm_flags & MPS_CM_FLAGS_ERROR_MASK) != 0) {
3558 		mps_dprint(sc, MPS_ERROR, "%s: cm_flags = %#x for port enable! "
3559 			   "This should not happen!\n", __func__, cm->cm_flags);
3560 	}
3561 
3562 	reply = (MPI2_PORT_ENABLE_REPLY *)cm->cm_reply;
3563 	if (reply == NULL)
3564 		mps_dprint(sc, MPS_FAULT, "Portenable NULL reply\n");
3565 	else if (le16toh(reply->IOCStatus & MPI2_IOCSTATUS_MASK) !=
3566 	    MPI2_IOCSTATUS_SUCCESS)
3567 		mps_dprint(sc, MPS_FAULT, "Portenable failed\n");
3568 
3569 	mps_free_command(sc, cm);
3570 
3571 	/*
3572 	 * Get WarpDrive info after discovery is complete but before the scan
3573 	 * starts.  At this point, all devices are ready to be exposed to the
3574 	 * OS.  If devices should be hidden instead, take them out of the
3575 	 * 'targets' array before the scan.  The devinfo for a disk will have
3576 	 * some info and a volume's will be 0.  Use that to remove disks.
3577 	 */
3578 	mps_wd_config_pages(sc);
3579 
3580 	/*
3581 	 * Done waiting for port enable to complete.  Decrement the refcount.
3582 	 * If refcount is 0, discovery is complete and a rescan of the bus can
3583 	 * take place.  Since the simq was explicitly frozen before port
3584 	 * enable, it must be explicitly released here to keep the
3585 	 * freeze/release count in sync.
3586 	 */
3587 	sc->wait_for_port_enable = 0;
3588 	sc->port_enable_complete = 1;
3589 	wakeup(&sc->port_enable_complete);
3590 	mpssas_startup_decrement(sassc);
3591 }
3592 
3593 int
3594 mpssas_check_id(struct mpssas_softc *sassc, int id)
3595 {
3596 	struct mps_softc *sc = sassc->sc;
3597 	char *ids;
3598 	char *name;
3599 
3600 	ids = &sc->exclude_ids[0];
3601 	while((name = strsep(&ids, ",")) != NULL) {
3602 		if (name[0] == '\0')
3603 			continue;
3604 		if (strtol(name, NULL, 0) == (long)id)
3605 			return (1);
3606 	}
3607 
3608 	return (0);
3609 }
3610 
3611 void
3612 mpssas_realloc_targets(struct mps_softc *sc, int maxtargets)
3613 {
3614 	struct mpssas_softc *sassc;
3615 	struct mpssas_lun *lun, *lun_tmp;
3616 	struct mpssas_target *targ;
3617 	int i;
3618 
3619 	sassc = sc->sassc;
3620 	/*
3621 	 * The number of targets is based on IOC Facts, so free all of
3622 	 * the allocated LUNs for each target and then the target buffer
3623 	 * itself.
3624 	 */
3625 	for (i=0; i< maxtargets; i++) {
3626 		targ = &sassc->targets[i];
3627 		SLIST_FOREACH_SAFE(lun, &targ->luns, lun_link, lun_tmp) {
3628 			free(lun, M_MPT2);
3629 		}
3630 	}
3631 	free(sassc->targets, M_MPT2);
3632 
3633 	sassc->targets = malloc(sizeof(struct mpssas_target) * maxtargets,
3634 	    M_MPT2, M_WAITOK|M_ZERO);
3635 	if (!sassc->targets) {
3636 		panic("%s failed to alloc targets with error %d\n",
3637 		    __func__, ENOMEM);
3638 	}
3639 }
3640