xref: /freebsd/sys/dev/mps/mps_sas.c (revision 852ba100814e41898dc6e673fe0af017084e411d)
1 /*-
2  * Copyright (c) 2009 Yahoo! Inc.
3  * Copyright (c) 2011-2015 LSI Corp.
4  * Copyright (c) 2013-2015 Avago Technologies
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  *
16  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26  * SUCH DAMAGE.
27  *
28  * Avago Technologies (LSI) MPT-Fusion Host Adapter FreeBSD
29  *
30  * $FreeBSD$
31  */
32 
33 #include <sys/cdefs.h>
34 __FBSDID("$FreeBSD$");
35 
36 /* Communications core for Avago Technologies (LSI) MPT2 */
37 
38 /* TODO Move headers to mpsvar */
39 #include <sys/types.h>
40 #include <sys/param.h>
41 #include <sys/systm.h>
42 #include <sys/kernel.h>
43 #include <sys/selinfo.h>
44 #include <sys/module.h>
45 #include <sys/bus.h>
46 #include <sys/conf.h>
47 #include <sys/bio.h>
48 #include <sys/malloc.h>
49 #include <sys/uio.h>
50 #include <sys/sysctl.h>
51 #include <sys/endian.h>
52 #include <sys/queue.h>
53 #include <sys/kthread.h>
54 #include <sys/taskqueue.h>
55 #include <sys/sbuf.h>
56 
57 #include <machine/bus.h>
58 #include <machine/resource.h>
59 #include <sys/rman.h>
60 
61 #include <machine/stdarg.h>
62 
63 #include <cam/cam.h>
64 #include <cam/cam_ccb.h>
65 #include <cam/cam_xpt.h>
66 #include <cam/cam_debug.h>
67 #include <cam/cam_sim.h>
68 #include <cam/cam_xpt_sim.h>
69 #include <cam/cam_xpt_periph.h>
70 #include <cam/cam_periph.h>
71 #include <cam/scsi/scsi_all.h>
72 #include <cam/scsi/scsi_message.h>
73 #if __FreeBSD_version >= 900026
74 #include <cam/scsi/smp_all.h>
75 #endif
76 
77 #include <dev/mps/mpi/mpi2_type.h>
78 #include <dev/mps/mpi/mpi2.h>
79 #include <dev/mps/mpi/mpi2_ioc.h>
80 #include <dev/mps/mpi/mpi2_sas.h>
81 #include <dev/mps/mpi/mpi2_cnfg.h>
82 #include <dev/mps/mpi/mpi2_init.h>
83 #include <dev/mps/mpi/mpi2_tool.h>
84 #include <dev/mps/mps_ioctl.h>
85 #include <dev/mps/mpsvar.h>
86 #include <dev/mps/mps_table.h>
87 #include <dev/mps/mps_sas.h>
88 
89 #define MPSSAS_DISCOVERY_TIMEOUT	20
90 #define MPSSAS_MAX_DISCOVERY_TIMEOUTS	10 /* 200 seconds */
91 
92 /*
93  * static array to check SCSI OpCode for EEDP protection bits
94  */
95 #define	PRO_R MPI2_SCSIIO_EEDPFLAGS_CHECK_REMOVE_OP
96 #define	PRO_W MPI2_SCSIIO_EEDPFLAGS_INSERT_OP
97 #define	PRO_V MPI2_SCSIIO_EEDPFLAGS_INSERT_OP
98 static uint8_t op_code_prot[256] = {
99 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
100 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
101 	0, 0, 0, 0, 0, 0, 0, 0, PRO_R, 0, PRO_W, 0, 0, 0, PRO_W, PRO_V,
102 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
103 	0, PRO_W, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
104 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
105 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
106 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
107 	0, 0, 0, 0, 0, 0, 0, 0, PRO_R, 0, PRO_W, 0, 0, 0, PRO_W, PRO_V,
108 	0, 0, 0, PRO_W, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
109 	0, 0, 0, 0, 0, 0, 0, 0, PRO_R, 0, PRO_W, 0, 0, 0, PRO_W, PRO_V,
110 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
111 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
112 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
113 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
114 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
115 };
116 
117 MALLOC_DEFINE(M_MPSSAS, "MPSSAS", "MPS SAS memory");
118 
119 static void mpssas_remove_device(struct mps_softc *, struct mps_command *);
120 static void mpssas_remove_complete(struct mps_softc *, struct mps_command *);
121 static void mpssas_action(struct cam_sim *sim, union ccb *ccb);
122 static void mpssas_poll(struct cam_sim *sim);
123 static int mpssas_send_abort(struct mps_softc *sc, struct mps_command *tm,
124     struct mps_command *cm);
125 static void mpssas_scsiio_timeout(void *data);
126 static void mpssas_abort_complete(struct mps_softc *sc, struct mps_command *cm);
127 static void mpssas_direct_drive_io(struct mpssas_softc *sassc,
128     struct mps_command *cm, union ccb *ccb);
129 static void mpssas_action_scsiio(struct mpssas_softc *, union ccb *);
130 static void mpssas_scsiio_complete(struct mps_softc *, struct mps_command *);
131 static void mpssas_action_resetdev(struct mpssas_softc *, union ccb *);
132 #if __FreeBSD_version >= 900026
133 static void mpssas_smpio_complete(struct mps_softc *sc, struct mps_command *cm);
134 static void mpssas_send_smpcmd(struct mpssas_softc *sassc, union ccb *ccb,
135 			       uint64_t sasaddr);
136 static void mpssas_action_smpio(struct mpssas_softc *sassc, union ccb *ccb);
137 #endif //FreeBSD_version >= 900026
138 static void mpssas_resetdev_complete(struct mps_softc *, struct mps_command *);
139 static void mpssas_async(void *callback_arg, uint32_t code,
140 			 struct cam_path *path, void *arg);
141 #if (__FreeBSD_version < 901503) || \
142     ((__FreeBSD_version >= 1000000) && (__FreeBSD_version < 1000006))
143 static void mpssas_check_eedp(struct mps_softc *sc, struct cam_path *path,
144 			      struct ccb_getdev *cgd);
145 static void mpssas_read_cap_done(struct cam_periph *periph, union ccb *done_ccb);
146 #endif
147 static int mpssas_send_portenable(struct mps_softc *sc);
148 static void mpssas_portenable_complete(struct mps_softc *sc,
149     struct mps_command *cm);
150 
151 struct mpssas_target *
152 mpssas_find_target_by_handle(struct mpssas_softc *sassc, int start, uint16_t handle)
153 {
154 	struct mpssas_target *target;
155 	int i;
156 
157 	for (i = start; i < sassc->maxtargets; i++) {
158 		target = &sassc->targets[i];
159 		if (target->handle == handle)
160 			return (target);
161 	}
162 
163 	return (NULL);
164 }
165 
166 /* we need to freeze the simq during attach and diag reset, to avoid failing
167  * commands before device handles have been found by discovery.  Since
168  * discovery involves reading config pages and possibly sending commands,
169  * discovery actions may continue even after we receive the end of discovery
170  * event, so refcount discovery actions instead of assuming we can unfreeze
171  * the simq when we get the event.
172  */
173 void
174 mpssas_startup_increment(struct mpssas_softc *sassc)
175 {
176 	MPS_FUNCTRACE(sassc->sc);
177 
178 	if ((sassc->flags & MPSSAS_IN_STARTUP) != 0) {
179 		if (sassc->startup_refcount++ == 0) {
180 			/* just starting, freeze the simq */
181 			mps_dprint(sassc->sc, MPS_INIT,
182 			    "%s freezing simq\n", __func__);
183 #if __FreeBSD_version >= 1000039
184 			xpt_hold_boot();
185 #endif
186 			xpt_freeze_simq(sassc->sim, 1);
187 		}
188 		mps_dprint(sassc->sc, MPS_INIT, "%s refcount %u\n", __func__,
189 		    sassc->startup_refcount);
190 	}
191 }
192 
193 void
194 mpssas_release_simq_reinit(struct mpssas_softc *sassc)
195 {
196 	if (sassc->flags & MPSSAS_QUEUE_FROZEN) {
197 		sassc->flags &= ~MPSSAS_QUEUE_FROZEN;
198 		xpt_release_simq(sassc->sim, 1);
199 		mps_dprint(sassc->sc, MPS_INFO, "Unfreezing SIM queue\n");
200 	}
201 }
202 
203 void
204 mpssas_startup_decrement(struct mpssas_softc *sassc)
205 {
206 	MPS_FUNCTRACE(sassc->sc);
207 
208 	if ((sassc->flags & MPSSAS_IN_STARTUP) != 0) {
209 		if (--sassc->startup_refcount == 0) {
210 			/* finished all discovery-related actions, release
211 			 * the simq and rescan for the latest topology.
212 			 */
213 			mps_dprint(sassc->sc, MPS_INIT,
214 			    "%s releasing simq\n", __func__);
215 			sassc->flags &= ~MPSSAS_IN_STARTUP;
216 			xpt_release_simq(sassc->sim, 1);
217 #if __FreeBSD_version >= 1000039
218 			xpt_release_boot();
219 #else
220 			mpssas_rescan_target(sassc->sc, NULL);
221 #endif
222 		}
223 		mps_dprint(sassc->sc, MPS_INIT, "%s refcount %u\n", __func__,
224 		    sassc->startup_refcount);
225 	}
226 }
227 
228 /* The firmware requires us to stop sending commands when we're doing task
229  * management, so refcount the TMs and keep the simq frozen when any are in
230  * use.
231  */
232 struct mps_command *
233 mpssas_alloc_tm(struct mps_softc *sc)
234 {
235 	struct mps_command *tm;
236 
237 	tm = mps_alloc_high_priority_command(sc);
238 	return tm;
239 }
240 
241 void
242 mpssas_free_tm(struct mps_softc *sc, struct mps_command *tm)
243 {
244 	int target_id = 0xFFFFFFFF;
245 
246 	if (tm == NULL)
247 		return;
248 
249 	/*
250 	 * For TM's the devq is frozen for the device.  Unfreeze it here and
251 	 * free the resources used for freezing the devq.  Must clear the
252 	 * INRESET flag as well or scsi I/O will not work.
253 	 */
254 	if (tm->cm_targ != NULL) {
255 		tm->cm_targ->flags &= ~MPSSAS_TARGET_INRESET;
256 		target_id = tm->cm_targ->tid;
257 	}
258 	if (tm->cm_ccb) {
259 		mps_dprint(sc, MPS_INFO, "Unfreezing devq for target ID %d\n",
260 		    target_id);
261 		xpt_release_devq(tm->cm_ccb->ccb_h.path, 1, TRUE);
262 		xpt_free_path(tm->cm_ccb->ccb_h.path);
263 		xpt_free_ccb(tm->cm_ccb);
264 	}
265 
266 	mps_free_high_priority_command(sc, tm);
267 }
268 
269 void
270 mpssas_rescan_target(struct mps_softc *sc, struct mpssas_target *targ)
271 {
272 	struct mpssas_softc *sassc = sc->sassc;
273 	path_id_t pathid;
274 	target_id_t targetid;
275 	union ccb *ccb;
276 
277 	MPS_FUNCTRACE(sc);
278 	pathid = cam_sim_path(sassc->sim);
279 	if (targ == NULL)
280 		targetid = CAM_TARGET_WILDCARD;
281 	else
282 		targetid = targ - sassc->targets;
283 
284 	/*
285 	 * Allocate a CCB and schedule a rescan.
286 	 */
287 	ccb = xpt_alloc_ccb_nowait();
288 	if (ccb == NULL) {
289 		mps_dprint(sc, MPS_ERROR, "unable to alloc CCB for rescan\n");
290 		return;
291 	}
292 
293 	if (xpt_create_path(&ccb->ccb_h.path, NULL, pathid,
294 	    targetid, CAM_LUN_WILDCARD) != CAM_REQ_CMP) {
295 		mps_dprint(sc, MPS_ERROR, "unable to create path for rescan\n");
296 		xpt_free_ccb(ccb);
297 		return;
298 	}
299 
300 	if (targetid == CAM_TARGET_WILDCARD)
301 		ccb->ccb_h.func_code = XPT_SCAN_BUS;
302 	else
303 		ccb->ccb_h.func_code = XPT_SCAN_TGT;
304 
305 	mps_dprint(sc, MPS_TRACE, "%s targetid %u\n", __func__, targetid);
306 	xpt_rescan(ccb);
307 }
308 
309 static void
310 mpssas_log_command(struct mps_command *cm, u_int level, const char *fmt, ...)
311 {
312 	struct sbuf sb;
313 	va_list ap;
314 	char str[192];
315 	char path_str[64];
316 
317 	if (cm == NULL)
318 		return;
319 
320 	/* No need to be in here if debugging isn't enabled */
321 	if ((cm->cm_sc->mps_debug & level) == 0)
322 		return;
323 
324 	sbuf_new(&sb, str, sizeof(str), 0);
325 
326 	va_start(ap, fmt);
327 
328 	if (cm->cm_ccb != NULL) {
329 		xpt_path_string(cm->cm_ccb->csio.ccb_h.path, path_str,
330 				sizeof(path_str));
331 		sbuf_cat(&sb, path_str);
332 		if (cm->cm_ccb->ccb_h.func_code == XPT_SCSI_IO) {
333 			scsi_command_string(&cm->cm_ccb->csio, &sb);
334 			sbuf_printf(&sb, "length %d ",
335 				    cm->cm_ccb->csio.dxfer_len);
336 		}
337 	}
338 	else {
339 		sbuf_printf(&sb, "(noperiph:%s%d:%u:%u:%u): ",
340 		    cam_sim_name(cm->cm_sc->sassc->sim),
341 		    cam_sim_unit(cm->cm_sc->sassc->sim),
342 		    cam_sim_bus(cm->cm_sc->sassc->sim),
343 		    cm->cm_targ ? cm->cm_targ->tid : 0xFFFFFFFF,
344 		    cm->cm_lun);
345 	}
346 
347 	sbuf_printf(&sb, "SMID %u ", cm->cm_desc.Default.SMID);
348 	sbuf_vprintf(&sb, fmt, ap);
349 	sbuf_finish(&sb);
350 	mps_print_field(cm->cm_sc, "%s", sbuf_data(&sb));
351 
352 	va_end(ap);
353 }
354 
355 
356 static void
357 mpssas_remove_volume(struct mps_softc *sc, struct mps_command *tm)
358 {
359 	MPI2_SCSI_TASK_MANAGE_REPLY *reply;
360 	struct mpssas_target *targ;
361 	uint16_t handle;
362 
363 	MPS_FUNCTRACE(sc);
364 
365 	reply = (MPI2_SCSI_TASK_MANAGE_REPLY *)tm->cm_reply;
366 	handle = (uint16_t)(uintptr_t)tm->cm_complete_data;
367 	targ = tm->cm_targ;
368 
369 	if (reply == NULL) {
370 		/* XXX retry the remove after the diag reset completes? */
371 		mps_dprint(sc, MPS_FAULT,
372 		    "%s NULL reply resetting device 0x%04x\n", __func__,
373 		    handle);
374 		mpssas_free_tm(sc, tm);
375 		return;
376 	}
377 
378 	if ((le16toh(reply->IOCStatus) & MPI2_IOCSTATUS_MASK) !=
379 	    MPI2_IOCSTATUS_SUCCESS) {
380 		mps_dprint(sc, MPS_ERROR,
381 		   "IOCStatus = 0x%x while resetting device 0x%x\n",
382 		   le16toh(reply->IOCStatus), handle);
383 	}
384 
385 	mps_dprint(sc, MPS_XINFO,
386 	    "Reset aborted %u commands\n", reply->TerminationCount);
387 	mps_free_reply(sc, tm->cm_reply_data);
388 	tm->cm_reply = NULL;	/* Ensures the reply won't get re-freed */
389 
390 	mps_dprint(sc, MPS_XINFO,
391 	    "clearing target %u handle 0x%04x\n", targ->tid, handle);
392 
393 	/*
394 	 * Don't clear target if remove fails because things will get confusing.
395 	 * Leave the devname and sasaddr intact so that we know to avoid reusing
396 	 * this target id if possible, and so we can assign the same target id
397 	 * to this device if it comes back in the future.
398 	 */
399 	if ((le16toh(reply->IOCStatus) & MPI2_IOCSTATUS_MASK) ==
400 	    MPI2_IOCSTATUS_SUCCESS) {
401 		targ = tm->cm_targ;
402 		targ->handle = 0x0;
403 		targ->encl_handle = 0x0;
404 		targ->encl_slot = 0x0;
405 		targ->exp_dev_handle = 0x0;
406 		targ->phy_num = 0x0;
407 		targ->linkrate = 0x0;
408 		targ->devinfo = 0x0;
409 		targ->flags = 0x0;
410 	}
411 
412 	mpssas_free_tm(sc, tm);
413 }
414 
415 
416 /*
417  * No Need to call "MPI2_SAS_OP_REMOVE_DEVICE" For Volume removal.
418  * Otherwise Volume Delete is same as Bare Drive Removal.
419  */
420 void
421 mpssas_prepare_volume_remove(struct mpssas_softc *sassc, uint16_t handle)
422 {
423 	MPI2_SCSI_TASK_MANAGE_REQUEST *req;
424 	struct mps_softc *sc;
425 	struct mps_command *cm;
426 	struct mpssas_target *targ = NULL;
427 
428 	MPS_FUNCTRACE(sassc->sc);
429 	sc = sassc->sc;
430 
431 #ifdef WD_SUPPORT
432 	/*
433 	 * If this is a WD controller, determine if the disk should be exposed
434 	 * to the OS or not.  If disk should be exposed, return from this
435 	 * function without doing anything.
436 	 */
437 	if (sc->WD_available && (sc->WD_hide_expose ==
438 	    MPS_WD_EXPOSE_ALWAYS)) {
439 		return;
440 	}
441 #endif //WD_SUPPORT
442 
443 	targ = mpssas_find_target_by_handle(sassc, 0, handle);
444 	if (targ == NULL) {
445 		/* FIXME: what is the action? */
446 		/* We don't know about this device? */
447 		mps_dprint(sc, MPS_ERROR,
448 		   "%s %d : invalid handle 0x%x \n", __func__,__LINE__, handle);
449 		return;
450 	}
451 
452 	targ->flags |= MPSSAS_TARGET_INREMOVAL;
453 
454 	cm = mpssas_alloc_tm(sc);
455 	if (cm == NULL) {
456 		mps_dprint(sc, MPS_ERROR,
457 		    "%s: command alloc failure\n", __func__);
458 		return;
459 	}
460 
461 	mpssas_rescan_target(sc, targ);
462 
463 	req = (MPI2_SCSI_TASK_MANAGE_REQUEST *)cm->cm_req;
464 	req->DevHandle = targ->handle;
465 	req->Function = MPI2_FUNCTION_SCSI_TASK_MGMT;
466 	req->TaskType = MPI2_SCSITASKMGMT_TASKTYPE_TARGET_RESET;
467 
468 	/* SAS Hard Link Reset / SATA Link Reset */
469 	req->MsgFlags = MPI2_SCSITASKMGMT_MSGFLAGS_LINK_RESET;
470 
471 	cm->cm_targ = targ;
472 	cm->cm_data = NULL;
473 	cm->cm_desc.HighPriority.RequestFlags =
474 	    MPI2_REQ_DESCRIPT_FLAGS_HIGH_PRIORITY;
475 	cm->cm_complete = mpssas_remove_volume;
476 	cm->cm_complete_data = (void *)(uintptr_t)handle;
477 
478 	mps_dprint(sc, MPS_INFO, "%s: Sending reset for target ID %d\n",
479 	    __func__, targ->tid);
480 	mpssas_prepare_for_tm(sc, cm, targ, CAM_LUN_WILDCARD);
481 
482 	mps_map_command(sc, cm);
483 }
484 
485 /*
486  * The MPT2 firmware performs debounce on the link to avoid transient link
487  * errors and false removals.  When it does decide that link has been lost
488  * and a device need to go away, it expects that the host will perform a
489  * target reset and then an op remove.  The reset has the side-effect of
490  * aborting any outstanding requests for the device, which is required for
491  * the op-remove to succeed.  It's not clear if the host should check for
492  * the device coming back alive after the reset.
493  */
494 void
495 mpssas_prepare_remove(struct mpssas_softc *sassc, uint16_t handle)
496 {
497 	MPI2_SCSI_TASK_MANAGE_REQUEST *req;
498 	struct mps_softc *sc;
499 	struct mps_command *cm;
500 	struct mpssas_target *targ = NULL;
501 
502 	MPS_FUNCTRACE(sassc->sc);
503 
504 	sc = sassc->sc;
505 
506 	targ = mpssas_find_target_by_handle(sassc, 0, handle);
507 	if (targ == NULL) {
508 		/* FIXME: what is the action? */
509 		/* We don't know about this device? */
510 		mps_dprint(sc, MPS_ERROR,
511 		    "%s : invalid handle 0x%x \n", __func__, handle);
512 		return;
513 	}
514 
515 	targ->flags |= MPSSAS_TARGET_INREMOVAL;
516 
517 	cm = mpssas_alloc_tm(sc);
518 	if (cm == NULL) {
519 		mps_dprint(sc, MPS_ERROR,
520 		    "%s: command alloc failure\n", __func__);
521 		return;
522 	}
523 
524 	mpssas_rescan_target(sc, targ);
525 
526 	req = (MPI2_SCSI_TASK_MANAGE_REQUEST *)cm->cm_req;
527 	memset(req, 0, sizeof(*req));
528 	req->DevHandle = htole16(targ->handle);
529 	req->Function = MPI2_FUNCTION_SCSI_TASK_MGMT;
530 	req->TaskType = MPI2_SCSITASKMGMT_TASKTYPE_TARGET_RESET;
531 
532 	/* SAS Hard Link Reset / SATA Link Reset */
533 	req->MsgFlags = MPI2_SCSITASKMGMT_MSGFLAGS_LINK_RESET;
534 
535 	cm->cm_targ = targ;
536 	cm->cm_data = NULL;
537 	cm->cm_desc.HighPriority.RequestFlags = MPI2_REQ_DESCRIPT_FLAGS_HIGH_PRIORITY;
538 	cm->cm_complete = mpssas_remove_device;
539 	cm->cm_complete_data = (void *)(uintptr_t)handle;
540 
541 	mps_dprint(sc, MPS_INFO, "%s: Sending reset for target ID %d\n",
542 	    __func__, targ->tid);
543 	mpssas_prepare_for_tm(sc, cm, targ, CAM_LUN_WILDCARD);
544 
545 	mps_map_command(sc, cm);
546 }
547 
548 static void
549 mpssas_remove_device(struct mps_softc *sc, struct mps_command *tm)
550 {
551 	MPI2_SCSI_TASK_MANAGE_REPLY *reply;
552 	MPI2_SAS_IOUNIT_CONTROL_REQUEST *req;
553 	struct mpssas_target *targ;
554 	struct mps_command *next_cm;
555 	uint16_t handle;
556 
557 	MPS_FUNCTRACE(sc);
558 
559 	reply = (MPI2_SCSI_TASK_MANAGE_REPLY *)tm->cm_reply;
560 	handle = (uint16_t)(uintptr_t)tm->cm_complete_data;
561 	targ = tm->cm_targ;
562 
563 	/*
564 	 * Currently there should be no way we can hit this case.  It only
565 	 * happens when we have a failure to allocate chain frames, and
566 	 * task management commands don't have S/G lists.
567 	 */
568 	if ((tm->cm_flags & MPS_CM_FLAGS_ERROR_MASK) != 0) {
569 		mps_dprint(sc, MPS_ERROR,
570 		    "%s: cm_flags = %#x for remove of handle %#04x! "
571 		    "This should not happen!\n", __func__, tm->cm_flags,
572 		    handle);
573 	}
574 
575 	if (reply == NULL) {
576 		/* XXX retry the remove after the diag reset completes? */
577 		mps_dprint(sc, MPS_FAULT,
578 		    "%s NULL reply resetting device 0x%04x\n", __func__,
579 		    handle);
580 		mpssas_free_tm(sc, tm);
581 		return;
582 	}
583 
584 	if ((le16toh(reply->IOCStatus) & MPI2_IOCSTATUS_MASK) !=
585 	    MPI2_IOCSTATUS_SUCCESS) {
586 		mps_dprint(sc, MPS_ERROR,
587 		   "IOCStatus = 0x%x while resetting device 0x%x\n",
588 		   le16toh(reply->IOCStatus), handle);
589 	}
590 
591 	mps_dprint(sc, MPS_XINFO, "Reset aborted %u commands\n",
592 	    le32toh(reply->TerminationCount));
593 	mps_free_reply(sc, tm->cm_reply_data);
594 	tm->cm_reply = NULL;	/* Ensures the reply won't get re-freed */
595 
596 	/* Reuse the existing command */
597 	req = (MPI2_SAS_IOUNIT_CONTROL_REQUEST *)tm->cm_req;
598 	memset(req, 0, sizeof(*req));
599 	req->Function = MPI2_FUNCTION_SAS_IO_UNIT_CONTROL;
600 	req->Operation = MPI2_SAS_OP_REMOVE_DEVICE;
601 	req->DevHandle = htole16(handle);
602 	tm->cm_data = NULL;
603 	tm->cm_desc.Default.RequestFlags = MPI2_REQ_DESCRIPT_FLAGS_DEFAULT_TYPE;
604 	tm->cm_complete = mpssas_remove_complete;
605 	tm->cm_complete_data = (void *)(uintptr_t)handle;
606 
607 	mps_map_command(sc, tm);
608 
609 	mps_dprint(sc, MPS_XINFO, "clearing target %u handle 0x%04x\n",
610 		   targ->tid, handle);
611 	TAILQ_FOREACH_SAFE(tm, &targ->commands, cm_link, next_cm) {
612 		union ccb *ccb;
613 
614 		mps_dprint(sc, MPS_XINFO, "Completing missed command %p\n", tm);
615 		ccb = tm->cm_complete_data;
616 		mpssas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
617 		mpssas_scsiio_complete(sc, tm);
618 	}
619 }
620 
621 static void
622 mpssas_remove_complete(struct mps_softc *sc, struct mps_command *tm)
623 {
624 	MPI2_SAS_IOUNIT_CONTROL_REPLY *reply;
625 	uint16_t handle;
626 	struct mpssas_target *targ;
627 	struct mpssas_lun *lun;
628 
629 	MPS_FUNCTRACE(sc);
630 
631 	reply = (MPI2_SAS_IOUNIT_CONTROL_REPLY *)tm->cm_reply;
632 	handle = (uint16_t)(uintptr_t)tm->cm_complete_data;
633 
634 	/*
635 	 * Currently there should be no way we can hit this case.  It only
636 	 * happens when we have a failure to allocate chain frames, and
637 	 * task management commands don't have S/G lists.
638 	 */
639 	if ((tm->cm_flags & MPS_CM_FLAGS_ERROR_MASK) != 0) {
640 		mps_dprint(sc, MPS_XINFO,
641 			   "%s: cm_flags = %#x for remove of handle %#04x! "
642 			   "This should not happen!\n", __func__, tm->cm_flags,
643 			   handle);
644 		mpssas_free_tm(sc, tm);
645 		return;
646 	}
647 
648 	if (reply == NULL) {
649 		/* most likely a chip reset */
650 		mps_dprint(sc, MPS_FAULT,
651 		    "%s NULL reply removing device 0x%04x\n", __func__, handle);
652 		mpssas_free_tm(sc, tm);
653 		return;
654 	}
655 
656 	mps_dprint(sc, MPS_XINFO,
657 	    "%s on handle 0x%04x, IOCStatus= 0x%x\n", __func__,
658 	    handle, le16toh(reply->IOCStatus));
659 
660 	/*
661 	 * Don't clear target if remove fails because things will get confusing.
662 	 * Leave the devname and sasaddr intact so that we know to avoid reusing
663 	 * this target id if possible, and so we can assign the same target id
664 	 * to this device if it comes back in the future.
665 	 */
666 	if ((le16toh(reply->IOCStatus) & MPI2_IOCSTATUS_MASK) ==
667 	    MPI2_IOCSTATUS_SUCCESS) {
668 		targ = tm->cm_targ;
669 		targ->handle = 0x0;
670 		targ->encl_handle = 0x0;
671 		targ->encl_slot = 0x0;
672 		targ->exp_dev_handle = 0x0;
673 		targ->phy_num = 0x0;
674 		targ->linkrate = 0x0;
675 		targ->devinfo = 0x0;
676 		targ->flags = 0x0;
677 
678 		while(!SLIST_EMPTY(&targ->luns)) {
679 			lun = SLIST_FIRST(&targ->luns);
680 			SLIST_REMOVE_HEAD(&targ->luns, lun_link);
681 			free(lun, M_MPT2);
682 		}
683 	}
684 
685 
686 	mpssas_free_tm(sc, tm);
687 }
688 
689 static int
690 mpssas_register_events(struct mps_softc *sc)
691 {
692 	u32 events[MPI2_EVENT_NOTIFY_EVENTMASK_WORDS];
693 
694 	bzero(events, 16);
695 	setbit(events, MPI2_EVENT_SAS_DEVICE_STATUS_CHANGE);
696 	setbit(events, MPI2_EVENT_SAS_DISCOVERY);
697 	setbit(events, MPI2_EVENT_SAS_BROADCAST_PRIMITIVE);
698 	setbit(events, MPI2_EVENT_SAS_INIT_DEVICE_STATUS_CHANGE);
699 	setbit(events, MPI2_EVENT_SAS_INIT_TABLE_OVERFLOW);
700 	setbit(events, MPI2_EVENT_SAS_TOPOLOGY_CHANGE_LIST);
701 	setbit(events, MPI2_EVENT_SAS_ENCL_DEVICE_STATUS_CHANGE);
702 	setbit(events, MPI2_EVENT_IR_CONFIGURATION_CHANGE_LIST);
703 	setbit(events, MPI2_EVENT_IR_VOLUME);
704 	setbit(events, MPI2_EVENT_IR_PHYSICAL_DISK);
705 	setbit(events, MPI2_EVENT_IR_OPERATION_STATUS);
706 	setbit(events, MPI2_EVENT_LOG_ENTRY_ADDED);
707 
708 	mps_register_events(sc, events, mpssas_evt_handler, NULL,
709 	    &sc->sassc->mpssas_eh);
710 
711 	return (0);
712 }
713 
714 int
715 mps_attach_sas(struct mps_softc *sc)
716 {
717 	struct mpssas_softc *sassc;
718 	cam_status status;
719 	int unit, error = 0;
720 
721 	MPS_FUNCTRACE(sc);
722 	mps_dprint(sc, MPS_INIT, "%s entered\n", __func__);
723 
724 	sassc = malloc(sizeof(struct mpssas_softc), M_MPT2, M_WAITOK|M_ZERO);
725 	if(!sassc) {
726 		mps_dprint(sc, MPS_INIT|MPS_ERROR,
727 		    "Cannot allocate SAS controller memory\n");
728 		return (ENOMEM);
729 	}
730 
731 	/*
732 	 * XXX MaxTargets could change during a reinit.  Since we don't
733 	 * resize the targets[] array during such an event, cache the value
734 	 * of MaxTargets here so that we don't get into trouble later.  This
735 	 * should move into the reinit logic.
736 	 */
737 	sassc->maxtargets = sc->facts->MaxTargets + sc->facts->MaxVolumes;
738 	sassc->targets = malloc(sizeof(struct mpssas_target) *
739 	    sassc->maxtargets, M_MPT2, M_WAITOK|M_ZERO);
740 	if(!sassc->targets) {
741 		mps_dprint(sc, MPS_INIT|MPS_ERROR,
742 		    "Cannot allocate SAS target memory\n");
743 		free(sassc, M_MPT2);
744 		return (ENOMEM);
745 	}
746 	sc->sassc = sassc;
747 	sassc->sc = sc;
748 
749 	if ((sassc->devq = cam_simq_alloc(sc->num_reqs)) == NULL) {
750 		mps_dprint(sc, MPS_ERROR, "Cannot allocate SIMQ\n");
751 		error = ENOMEM;
752 		goto out;
753 	}
754 
755 	unit = device_get_unit(sc->mps_dev);
756 	sassc->sim = cam_sim_alloc(mpssas_action, mpssas_poll, "mps", sassc,
757 	    unit, &sc->mps_mtx, sc->num_reqs, sc->num_reqs, sassc->devq);
758 	if (sassc->sim == NULL) {
759 		mps_dprint(sc, MPS_INIT|MPS_ERROR, "Cannot allocate SIM\n");
760 		error = EINVAL;
761 		goto out;
762 	}
763 
764 	TAILQ_INIT(&sassc->ev_queue);
765 
766 	/* Initialize taskqueue for Event Handling */
767 	TASK_INIT(&sassc->ev_task, 0, mpssas_firmware_event_work, sc);
768 	sassc->ev_tq = taskqueue_create("mps_taskq", M_NOWAIT | M_ZERO,
769 	    taskqueue_thread_enqueue, &sassc->ev_tq);
770 	taskqueue_start_threads(&sassc->ev_tq, 1, PRIBIO, "%s taskq",
771 	    device_get_nameunit(sc->mps_dev));
772 
773 	mps_lock(sc);
774 
775 	/*
776 	 * XXX There should be a bus for every port on the adapter, but since
777 	 * we're just going to fake the topology for now, we'll pretend that
778 	 * everything is just a target on a single bus.
779 	 */
780 	if ((error = xpt_bus_register(sassc->sim, sc->mps_dev, 0)) != 0) {
781 		mps_dprint(sc, MPS_INIT|MPS_ERROR,
782 		    "Error %d registering SCSI bus\n", error);
783 		mps_unlock(sc);
784 		goto out;
785 	}
786 
787 	/*
788 	 * Assume that discovery events will start right away.
789 	 *
790 	 * Hold off boot until discovery is complete.
791 	 */
792 	sassc->flags |= MPSSAS_IN_STARTUP | MPSSAS_IN_DISCOVERY;
793 	sc->sassc->startup_refcount = 0;
794 	mpssas_startup_increment(sassc);
795 
796 	callout_init(&sassc->discovery_callout, 1 /*mpsafe*/);
797 
798 	/*
799 	 * Register for async events so we can determine the EEDP
800 	 * capabilities of devices.
801 	 */
802 	status = xpt_create_path(&sassc->path, /*periph*/NULL,
803 	    cam_sim_path(sc->sassc->sim), CAM_TARGET_WILDCARD,
804 	    CAM_LUN_WILDCARD);
805 	if (status != CAM_REQ_CMP) {
806 		mps_dprint(sc, MPS_ERROR|MPS_INIT,
807 		    "Error %#x creating sim path\n", status);
808 		sassc->path = NULL;
809 	} else {
810 		int event;
811 
812 #if (__FreeBSD_version >= 1000006) || \
813     ((__FreeBSD_version >= 901503) && (__FreeBSD_version < 1000000))
814 		event = AC_ADVINFO_CHANGED;
815 #else
816 		event = AC_FOUND_DEVICE;
817 #endif
818 		status = xpt_register_async(event, mpssas_async, sc,
819 					    sassc->path);
820 		if (status != CAM_REQ_CMP) {
821 			mps_dprint(sc, MPS_ERROR,
822 			    "Error %#x registering async handler for "
823 			    "AC_ADVINFO_CHANGED events\n", status);
824 			xpt_free_path(sassc->path);
825 			sassc->path = NULL;
826 		}
827 	}
828 	if (status != CAM_REQ_CMP) {
829 		/*
830 		 * EEDP use is the exception, not the rule.
831 		 * Warn the user, but do not fail to attach.
832 		 */
833 		mps_printf(sc, "EEDP capabilities disabled.\n");
834 	}
835 
836 	mps_unlock(sc);
837 
838 	mpssas_register_events(sc);
839 out:
840 	if (error)
841 		mps_detach_sas(sc);
842 
843 	mps_dprint(sc, MPS_INIT, "%s exit error= %d\n", __func__, error);
844 	return (error);
845 }
846 
847 int
848 mps_detach_sas(struct mps_softc *sc)
849 {
850 	struct mpssas_softc *sassc;
851 	struct mpssas_lun *lun, *lun_tmp;
852 	struct mpssas_target *targ;
853 	int i;
854 
855 	MPS_FUNCTRACE(sc);
856 
857 	if (sc->sassc == NULL)
858 		return (0);
859 
860 	sassc = sc->sassc;
861 	mps_deregister_events(sc, sassc->mpssas_eh);
862 
863 	/*
864 	 * Drain and free the event handling taskqueue with the lock
865 	 * unheld so that any parallel processing tasks drain properly
866 	 * without deadlocking.
867 	 */
868 	if (sassc->ev_tq != NULL)
869 		taskqueue_free(sassc->ev_tq);
870 
871 	/* Make sure CAM doesn't wedge if we had to bail out early. */
872 	mps_lock(sc);
873 
874 	while (sassc->startup_refcount != 0)
875 		mpssas_startup_decrement(sassc);
876 
877 	/* Deregister our async handler */
878 	if (sassc->path != NULL) {
879 		xpt_register_async(0, mpssas_async, sc, sassc->path);
880 		xpt_free_path(sassc->path);
881 		sassc->path = NULL;
882 	}
883 
884 	if (sassc->flags & MPSSAS_IN_STARTUP)
885 		xpt_release_simq(sassc->sim, 1);
886 
887 	if (sassc->sim != NULL) {
888 		xpt_bus_deregister(cam_sim_path(sassc->sim));
889 		cam_sim_free(sassc->sim, FALSE);
890 	}
891 
892 	mps_unlock(sc);
893 
894 	if (sassc->devq != NULL)
895 		cam_simq_free(sassc->devq);
896 
897 	for(i=0; i< sassc->maxtargets ;i++) {
898 		targ = &sassc->targets[i];
899 		SLIST_FOREACH_SAFE(lun, &targ->luns, lun_link, lun_tmp) {
900 			free(lun, M_MPT2);
901 		}
902 	}
903 	free(sassc->targets, M_MPT2);
904 	free(sassc, M_MPT2);
905 	sc->sassc = NULL;
906 
907 	return (0);
908 }
909 
910 void
911 mpssas_discovery_end(struct mpssas_softc *sassc)
912 {
913 	struct mps_softc *sc = sassc->sc;
914 
915 	MPS_FUNCTRACE(sc);
916 
917 	if (sassc->flags & MPSSAS_DISCOVERY_TIMEOUT_PENDING)
918 		callout_stop(&sassc->discovery_callout);
919 
920 	/*
921 	 * After discovery has completed, check the mapping table for any
922 	 * missing devices and update their missing counts. Only do this once
923 	 * whenever the driver is initialized so that missing counts aren't
924 	 * updated unnecessarily. Note that just because discovery has
925 	 * completed doesn't mean that events have been processed yet. The
926 	 * check_devices function is a callout timer that checks if ALL devices
927 	 * are missing. If so, it will wait a little longer for events to
928 	 * complete and keep resetting itself until some device in the mapping
929 	 * table is not missing, meaning that event processing has started.
930 	 */
931 	if (sc->track_mapping_events) {
932 		mps_dprint(sc, MPS_XINFO | MPS_MAPPING, "Discovery has "
933 		    "completed. Check for missing devices in the mapping "
934 		    "table.\n");
935 		callout_reset(&sc->device_check_callout,
936 		    MPS_MISSING_CHECK_DELAY * hz, mps_mapping_check_devices,
937 		    sc);
938 	}
939 }
940 
941 static void
942 mpssas_action(struct cam_sim *sim, union ccb *ccb)
943 {
944 	struct mpssas_softc *sassc;
945 
946 	sassc = cam_sim_softc(sim);
947 
948 	MPS_FUNCTRACE(sassc->sc);
949 	mps_dprint(sassc->sc, MPS_TRACE, "ccb func_code 0x%x\n",
950 	    ccb->ccb_h.func_code);
951 	mtx_assert(&sassc->sc->mps_mtx, MA_OWNED);
952 
953 	switch (ccb->ccb_h.func_code) {
954 	case XPT_PATH_INQ:
955 	{
956 		struct ccb_pathinq *cpi = &ccb->cpi;
957 		struct mps_softc *sc = sassc->sc;
958 		uint8_t sges_per_frame;
959 
960 		cpi->version_num = 1;
961 		cpi->hba_inquiry = PI_SDTR_ABLE|PI_TAG_ABLE|PI_WIDE_16;
962 		cpi->target_sprt = 0;
963 #if __FreeBSD_version >= 1000039
964 		cpi->hba_misc = PIM_NOBUSRESET | PIM_UNMAPPED | PIM_NOSCAN;
965 #else
966 		cpi->hba_misc = PIM_NOBUSRESET | PIM_UNMAPPED;
967 #endif
968 		cpi->hba_eng_cnt = 0;
969 		cpi->max_target = sassc->maxtargets - 1;
970 		cpi->max_lun = 255;
971 
972 		/*
973 		 * initiator_id is set here to an ID outside the set of valid
974 		 * target IDs (including volumes).
975 		 */
976 		cpi->initiator_id = sassc->maxtargets;
977 		strlcpy(cpi->sim_vid, "FreeBSD", SIM_IDLEN);
978 		strlcpy(cpi->hba_vid, "Avago Tech", HBA_IDLEN);
979 		strlcpy(cpi->dev_name, cam_sim_name(sim), DEV_IDLEN);
980 		cpi->unit_number = cam_sim_unit(sim);
981 		cpi->bus_id = cam_sim_bus(sim);
982 		cpi->base_transfer_speed = 150000;
983 		cpi->transport = XPORT_SAS;
984 		cpi->transport_version = 0;
985 		cpi->protocol = PROTO_SCSI;
986 		cpi->protocol_version = SCSI_REV_SPC;
987 
988 		/*
989 		 * Max IO Size is Page Size * the following:
990 		 * ((SGEs per frame - 1 for chain element) *
991 		 * Max Chain Depth) + 1 for no chain needed in last frame
992 		 *
993 		 * If user suggests a Max IO size to use, use the smaller of the
994 		 * user's value and the calculated value as long as the user's
995 		 * value is larger than 0. The user's value is in pages.
996 		 */
997 		sges_per_frame = ((sc->facts->IOCRequestFrameSize * 4) /
998 		    sizeof(MPI2_SGE_SIMPLE64)) - 1;
999 		cpi->maxio = (sges_per_frame * sc->facts->MaxChainDepth) + 1;
1000 		cpi->maxio *= PAGE_SIZE;
1001 		if ((sc->max_io_pages > 0) && (sc->max_io_pages * PAGE_SIZE <
1002 		    cpi->maxio))
1003 			cpi->maxio = sc->max_io_pages * PAGE_SIZE;
1004 		mpssas_set_ccbstatus(ccb, CAM_REQ_CMP);
1005 		break;
1006 	}
1007 	case XPT_GET_TRAN_SETTINGS:
1008 	{
1009 		struct ccb_trans_settings	*cts;
1010 		struct ccb_trans_settings_sas	*sas;
1011 		struct ccb_trans_settings_scsi	*scsi;
1012 		struct mpssas_target *targ;
1013 
1014 		cts = &ccb->cts;
1015 		sas = &cts->xport_specific.sas;
1016 		scsi = &cts->proto_specific.scsi;
1017 
1018 		KASSERT(cts->ccb_h.target_id < sassc->maxtargets,
1019 		    ("Target %d out of bounds in XPT_GET_TRANS_SETTINGS\n",
1020 		    cts->ccb_h.target_id));
1021 		targ = &sassc->targets[cts->ccb_h.target_id];
1022 		if (targ->handle == 0x0) {
1023 			mpssas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
1024 			break;
1025 		}
1026 
1027 		cts->protocol_version = SCSI_REV_SPC2;
1028 		cts->transport = XPORT_SAS;
1029 		cts->transport_version = 0;
1030 
1031 		sas->valid = CTS_SAS_VALID_SPEED;
1032 		switch (targ->linkrate) {
1033 		case 0x08:
1034 			sas->bitrate = 150000;
1035 			break;
1036 		case 0x09:
1037 			sas->bitrate = 300000;
1038 			break;
1039 		case 0x0a:
1040 			sas->bitrate = 600000;
1041 			break;
1042 		default:
1043 			sas->valid = 0;
1044 		}
1045 
1046 		cts->protocol = PROTO_SCSI;
1047 		scsi->valid = CTS_SCSI_VALID_TQ;
1048 		scsi->flags = CTS_SCSI_FLAGS_TAG_ENB;
1049 
1050 		mpssas_set_ccbstatus(ccb, CAM_REQ_CMP);
1051 		break;
1052 	}
1053 	case XPT_CALC_GEOMETRY:
1054 		cam_calc_geometry(&ccb->ccg, /*extended*/1);
1055 		mpssas_set_ccbstatus(ccb, CAM_REQ_CMP);
1056 		break;
1057 	case XPT_RESET_DEV:
1058 		mps_dprint(sassc->sc, MPS_XINFO, "mpssas_action XPT_RESET_DEV\n");
1059 		mpssas_action_resetdev(sassc, ccb);
1060 		return;
1061 	case XPT_RESET_BUS:
1062 	case XPT_ABORT:
1063 	case XPT_TERM_IO:
1064 		mps_dprint(sassc->sc, MPS_XINFO,
1065 		    "mpssas_action faking success for abort or reset\n");
1066 		mpssas_set_ccbstatus(ccb, CAM_REQ_CMP);
1067 		break;
1068 	case XPT_SCSI_IO:
1069 		mpssas_action_scsiio(sassc, ccb);
1070 		return;
1071 #if __FreeBSD_version >= 900026
1072 	case XPT_SMP_IO:
1073 		mpssas_action_smpio(sassc, ccb);
1074 		return;
1075 #endif
1076 	default:
1077 		mpssas_set_ccbstatus(ccb, CAM_FUNC_NOTAVAIL);
1078 		break;
1079 	}
1080 	xpt_done(ccb);
1081 
1082 }
1083 
1084 static void
1085 mpssas_announce_reset(struct mps_softc *sc, uint32_t ac_code,
1086     target_id_t target_id, lun_id_t lun_id)
1087 {
1088 	path_id_t path_id = cam_sim_path(sc->sassc->sim);
1089 	struct cam_path *path;
1090 
1091 	mps_dprint(sc, MPS_XINFO, "%s code %x target %d lun %jx\n", __func__,
1092 	    ac_code, target_id, (uintmax_t)lun_id);
1093 
1094 	if (xpt_create_path(&path, NULL,
1095 		path_id, target_id, lun_id) != CAM_REQ_CMP) {
1096 		mps_dprint(sc, MPS_ERROR, "unable to create path for reset "
1097 			   "notification\n");
1098 		return;
1099 	}
1100 
1101 	xpt_async(ac_code, path, NULL);
1102 	xpt_free_path(path);
1103 }
1104 
1105 static void
1106 mpssas_complete_all_commands(struct mps_softc *sc)
1107 {
1108 	struct mps_command *cm;
1109 	int i;
1110 	int completed;
1111 
1112 	MPS_FUNCTRACE(sc);
1113 	mtx_assert(&sc->mps_mtx, MA_OWNED);
1114 
1115 	/* complete all commands with a NULL reply */
1116 	for (i = 1; i < sc->num_reqs; i++) {
1117 		cm = &sc->commands[i];
1118 		cm->cm_reply = NULL;
1119 		completed = 0;
1120 
1121 		if (cm->cm_flags & MPS_CM_FLAGS_POLLED)
1122 			cm->cm_flags |= MPS_CM_FLAGS_COMPLETE;
1123 
1124 		if (cm->cm_complete != NULL) {
1125 			mpssas_log_command(cm, MPS_RECOVERY,
1126 			    "completing cm %p state %x ccb %p for diag reset\n",
1127 			    cm, cm->cm_state, cm->cm_ccb);
1128 
1129 			cm->cm_complete(sc, cm);
1130 			completed = 1;
1131 		}
1132 
1133 		if (cm->cm_flags & MPS_CM_FLAGS_WAKEUP) {
1134 			mpssas_log_command(cm, MPS_RECOVERY,
1135 			    "waking up cm %p state %x ccb %p for diag reset\n",
1136 			    cm, cm->cm_state, cm->cm_ccb);
1137 			wakeup(cm);
1138 			completed = 1;
1139 		}
1140 
1141 		if (cm->cm_sc->io_cmds_active != 0)
1142 			cm->cm_sc->io_cmds_active--;
1143 
1144 		if ((completed == 0) && (cm->cm_state != MPS_CM_STATE_FREE)) {
1145 			/* this should never happen, but if it does, log */
1146 			mpssas_log_command(cm, MPS_RECOVERY,
1147 			    "cm %p state %x flags 0x%x ccb %p during diag "
1148 			    "reset\n", cm, cm->cm_state, cm->cm_flags,
1149 			    cm->cm_ccb);
1150 		}
1151 	}
1152 }
1153 
1154 void
1155 mpssas_handle_reinit(struct mps_softc *sc)
1156 {
1157 	int i;
1158 
1159 	/* Go back into startup mode and freeze the simq, so that CAM
1160 	 * doesn't send any commands until after we've rediscovered all
1161 	 * targets and found the proper device handles for them.
1162 	 *
1163 	 * After the reset, portenable will trigger discovery, and after all
1164 	 * discovery-related activities have finished, the simq will be
1165 	 * released.
1166 	 */
1167 	mps_dprint(sc, MPS_INIT, "%s startup\n", __func__);
1168 	sc->sassc->flags |= MPSSAS_IN_STARTUP;
1169 	sc->sassc->flags |= MPSSAS_IN_DISCOVERY;
1170 	mpssas_startup_increment(sc->sassc);
1171 
1172 	/* notify CAM of a bus reset */
1173 	mpssas_announce_reset(sc, AC_BUS_RESET, CAM_TARGET_WILDCARD,
1174 	    CAM_LUN_WILDCARD);
1175 
1176 	/* complete and cleanup after all outstanding commands */
1177 	mpssas_complete_all_commands(sc);
1178 
1179 	mps_dprint(sc, MPS_INIT,
1180 	    "%s startup %u after command completion\n", __func__,
1181 	    sc->sassc->startup_refcount);
1182 
1183 	/* zero all the target handles, since they may change after the
1184 	 * reset, and we have to rediscover all the targets and use the new
1185 	 * handles.
1186 	 */
1187 	for (i = 0; i < sc->sassc->maxtargets; i++) {
1188 		if (sc->sassc->targets[i].outstanding != 0)
1189 			mps_dprint(sc, MPS_INIT, "target %u outstanding %u\n",
1190 			    i, sc->sassc->targets[i].outstanding);
1191 		sc->sassc->targets[i].handle = 0x0;
1192 		sc->sassc->targets[i].exp_dev_handle = 0x0;
1193 		sc->sassc->targets[i].outstanding = 0;
1194 		sc->sassc->targets[i].flags = MPSSAS_TARGET_INDIAGRESET;
1195 	}
1196 }
1197 
1198 static void
1199 mpssas_tm_timeout(void *data)
1200 {
1201 	struct mps_command *tm = data;
1202 	struct mps_softc *sc = tm->cm_sc;
1203 
1204 	mtx_assert(&sc->mps_mtx, MA_OWNED);
1205 
1206 	mpssas_log_command(tm, MPS_INFO|MPS_RECOVERY,
1207 	    "task mgmt %p timed out\n", tm);
1208 	mps_reinit(sc);
1209 }
1210 
1211 static void
1212 mpssas_logical_unit_reset_complete(struct mps_softc *sc, struct mps_command *tm)
1213 {
1214 	MPI2_SCSI_TASK_MANAGE_REPLY *reply;
1215 	MPI2_SCSI_TASK_MANAGE_REQUEST *req;
1216 	unsigned int cm_count = 0;
1217 	struct mps_command *cm;
1218 	struct mpssas_target *targ;
1219 
1220 	callout_stop(&tm->cm_callout);
1221 
1222 	req = (MPI2_SCSI_TASK_MANAGE_REQUEST *)tm->cm_req;
1223 	reply = (MPI2_SCSI_TASK_MANAGE_REPLY *)tm->cm_reply;
1224 	targ = tm->cm_targ;
1225 
1226 	/*
1227 	 * Currently there should be no way we can hit this case.  It only
1228 	 * happens when we have a failure to allocate chain frames, and
1229 	 * task management commands don't have S/G lists.
1230 	 * XXXSL So should it be an assertion?
1231 	 */
1232 	if ((tm->cm_flags & MPS_CM_FLAGS_ERROR_MASK) != 0) {
1233 		mps_dprint(sc, MPS_RECOVERY|MPS_ERROR,
1234 		    "%s: cm_flags = %#x for LUN reset! "
1235 		   "This should not happen!\n", __func__, tm->cm_flags);
1236 		mpssas_free_tm(sc, tm);
1237 		return;
1238 	}
1239 
1240 	if (reply == NULL) {
1241 		mps_dprint(sc, MPS_RECOVERY, "NULL reset reply for tm %p\n",
1242 		    tm);
1243 		if ((sc->mps_flags & MPS_FLAGS_DIAGRESET) != 0) {
1244 			/* this completion was due to a reset, just cleanup */
1245 			mps_dprint(sc, MPS_RECOVERY, "Hardware undergoing "
1246 			    "reset, ignoring NULL LUN reset reply\n");
1247 			targ->tm = NULL;
1248 			mpssas_free_tm(sc, tm);
1249 		}
1250 		else {
1251 			/* we should have gotten a reply. */
1252 			mps_dprint(sc, MPS_INFO|MPS_RECOVERY, "NULL reply on "
1253 			    "LUN reset attempt, resetting controller\n");
1254 			mps_reinit(sc);
1255 		}
1256 		return;
1257 	}
1258 
1259 	mps_dprint(sc, MPS_RECOVERY,
1260 	    "logical unit reset status 0x%x code 0x%x count %u\n",
1261 	    le16toh(reply->IOCStatus), le32toh(reply->ResponseCode),
1262 	    le32toh(reply->TerminationCount));
1263 
1264 	/*
1265 	 * See if there are any outstanding commands for this LUN.
1266 	 * This could be made more efficient by using a per-LU data
1267 	 * structure of some sort.
1268 	 */
1269 	TAILQ_FOREACH(cm, &targ->commands, cm_link) {
1270 		if (cm->cm_lun == tm->cm_lun)
1271 			cm_count++;
1272 	}
1273 
1274 	if (cm_count == 0) {
1275 		mps_dprint(sc, MPS_RECOVERY|MPS_INFO,
1276 		    "Finished recovery after LUN reset for target %u\n",
1277 		    targ->tid);
1278 
1279 		mpssas_announce_reset(sc, AC_SENT_BDR, targ->tid, tm->cm_lun);
1280 
1281 		/*
1282 		 * We've finished recovery for this logical unit.  check and
1283 		 * see if some other logical unit has a timedout command
1284 		 * that needs to be processed.
1285 		 */
1286 		cm = TAILQ_FIRST(&targ->timedout_commands);
1287 		if (cm) {
1288 			mps_dprint(sc, MPS_INFO|MPS_RECOVERY,
1289 			    "More commands to abort for target %u\n",
1290 			    targ->tid);
1291 			mpssas_send_abort(sc, tm, cm);
1292 		} else {
1293 			targ->tm = NULL;
1294 			mpssas_free_tm(sc, tm);
1295 		}
1296 	} else {
1297 		/*
1298 		 * If we still have commands for this LUN, the reset
1299 		 * effectively failed, regardless of the status reported.
1300 		 * Escalate to a target reset.
1301 		 */
1302 		mps_dprint(sc, MPS_INFO|MPS_RECOVERY,
1303 		    "logical unit reset complete for target %u, but still "
1304 		    "have %u command(s), sending target reset\n", targ->tid,
1305 		    cm_count);
1306 		mpssas_send_reset(sc, tm,
1307 		    MPI2_SCSITASKMGMT_TASKTYPE_TARGET_RESET);
1308 	}
1309 }
1310 
1311 static void
1312 mpssas_target_reset_complete(struct mps_softc *sc, struct mps_command *tm)
1313 {
1314 	MPI2_SCSI_TASK_MANAGE_REPLY *reply;
1315 	MPI2_SCSI_TASK_MANAGE_REQUEST *req;
1316 	struct mpssas_target *targ;
1317 
1318 	callout_stop(&tm->cm_callout);
1319 
1320 	req = (MPI2_SCSI_TASK_MANAGE_REQUEST *)tm->cm_req;
1321 	reply = (MPI2_SCSI_TASK_MANAGE_REPLY *)tm->cm_reply;
1322 	targ = tm->cm_targ;
1323 
1324 	/*
1325 	 * Currently there should be no way we can hit this case.  It only
1326 	 * happens when we have a failure to allocate chain frames, and
1327 	 * task management commands don't have S/G lists.
1328 	 */
1329 	if ((tm->cm_flags & MPS_CM_FLAGS_ERROR_MASK) != 0) {
1330 		mps_dprint(sc, MPS_ERROR,"%s: cm_flags = %#x for target reset! "
1331 			   "This should not happen!\n", __func__, tm->cm_flags);
1332 		mpssas_free_tm(sc, tm);
1333 		return;
1334 	}
1335 
1336 	if (reply == NULL) {
1337 		mps_dprint(sc, MPS_RECOVERY,
1338 		    "NULL target reset reply for tm %pi TaskMID %u\n",
1339 		    tm, le16toh(req->TaskMID));
1340 		if ((sc->mps_flags & MPS_FLAGS_DIAGRESET) != 0) {
1341 			/* this completion was due to a reset, just cleanup */
1342 			mps_dprint(sc, MPS_RECOVERY, "Hardware undergoing "
1343 			    "reset, ignoring NULL target reset reply\n");
1344 			targ->tm = NULL;
1345 			mpssas_free_tm(sc, tm);
1346 		} else {
1347 			/* we should have gotten a reply. */
1348 			mps_dprint(sc, MPS_INFO|MPS_RECOVERY, "NULL reply on "
1349 			    "target reset attempt, resetting controller\n");
1350 			mps_reinit(sc);
1351 		}
1352 		return;
1353 	}
1354 
1355 	mps_dprint(sc, MPS_RECOVERY,
1356 	    "target reset status 0x%x code 0x%x count %u\n",
1357 	    le16toh(reply->IOCStatus), le32toh(reply->ResponseCode),
1358 	    le32toh(reply->TerminationCount));
1359 
1360 	if (targ->outstanding == 0) {
1361 		/* we've finished recovery for this target and all
1362 		 * of its logical units.
1363 		 */
1364 		mps_dprint(sc, MPS_RECOVERY|MPS_INFO,
1365 		    "Finished reset recovery for target %u\n", targ->tid);
1366 
1367 		mpssas_announce_reset(sc, AC_SENT_BDR, tm->cm_targ->tid,
1368 		    CAM_LUN_WILDCARD);
1369 
1370 		targ->tm = NULL;
1371 		mpssas_free_tm(sc, tm);
1372 	} else {
1373 		/*
1374 		 * After a target reset, if this target still has
1375 		 * outstanding commands, the reset effectively failed,
1376 		 * regardless of the status reported.  escalate.
1377 		 */
1378 		mps_dprint(sc, MPS_INFO|MPS_RECOVERY,
1379 		    "Target reset complete for target %u, but still have %u "
1380 		    "command(s), resetting controller\n", targ->tid,
1381 		    targ->outstanding);
1382 		mps_reinit(sc);
1383 	}
1384 }
1385 
1386 #define MPS_RESET_TIMEOUT 30
1387 
1388 int
1389 mpssas_send_reset(struct mps_softc *sc, struct mps_command *tm, uint8_t type)
1390 {
1391 	MPI2_SCSI_TASK_MANAGE_REQUEST *req;
1392 	struct mpssas_target *target;
1393 	int err;
1394 
1395 	target = tm->cm_targ;
1396 	if (target->handle == 0) {
1397 		mps_dprint(sc, MPS_ERROR,"%s null devhandle for target_id %d\n",
1398 		    __func__, target->tid);
1399 		return -1;
1400 	}
1401 
1402 	req = (MPI2_SCSI_TASK_MANAGE_REQUEST *)tm->cm_req;
1403 	req->DevHandle = htole16(target->handle);
1404 	req->Function = MPI2_FUNCTION_SCSI_TASK_MGMT;
1405 	req->TaskType = type;
1406 
1407 	if (type == MPI2_SCSITASKMGMT_TASKTYPE_LOGICAL_UNIT_RESET) {
1408 		/* XXX Need to handle invalid LUNs */
1409 		MPS_SET_LUN(req->LUN, tm->cm_lun);
1410 		tm->cm_targ->logical_unit_resets++;
1411 		mps_dprint(sc, MPS_RECOVERY|MPS_INFO,
1412 		    "Sending logical unit reset to target %u lun %d\n",
1413 		    target->tid, tm->cm_lun);
1414 		tm->cm_complete = mpssas_logical_unit_reset_complete;
1415 		mpssas_prepare_for_tm(sc, tm, target, tm->cm_lun);
1416 	} else if (type == MPI2_SCSITASKMGMT_TASKTYPE_TARGET_RESET) {
1417 		/*
1418 		 * Target reset method =
1419 		 * 	SAS Hard Link Reset / SATA Link Reset
1420 		 */
1421 		req->MsgFlags = MPI2_SCSITASKMGMT_MSGFLAGS_LINK_RESET;
1422 		tm->cm_targ->target_resets++;
1423 		mps_dprint(sc, MPS_RECOVERY|MPS_INFO,
1424 		    "Sending target reset to target %u\n", target->tid);
1425 		tm->cm_complete = mpssas_target_reset_complete;
1426 		mpssas_prepare_for_tm(sc, tm, target, CAM_LUN_WILDCARD);
1427 	} else {
1428 		mps_dprint(sc, MPS_ERROR, "unexpected reset type 0x%x\n", type);
1429 		return -1;
1430 	}
1431 
1432 	tm->cm_data = NULL;
1433 	tm->cm_desc.HighPriority.RequestFlags = MPI2_REQ_DESCRIPT_FLAGS_HIGH_PRIORITY;
1434 	tm->cm_complete_data = (void *)tm;
1435 
1436 	callout_reset(&tm->cm_callout, MPS_RESET_TIMEOUT * hz,
1437 	    mpssas_tm_timeout, tm);
1438 
1439 	err = mps_map_command(sc, tm);
1440 	if (err)
1441 		mps_dprint(sc, MPS_ERROR|MPS_RECOVERY,
1442 		    "error %d sending reset type %u\n",
1443 		    err, type);
1444 
1445 	return err;
1446 }
1447 
1448 
1449 static void
1450 mpssas_abort_complete(struct mps_softc *sc, struct mps_command *tm)
1451 {
1452 	struct mps_command *cm;
1453 	MPI2_SCSI_TASK_MANAGE_REPLY *reply;
1454 	MPI2_SCSI_TASK_MANAGE_REQUEST *req;
1455 	struct mpssas_target *targ;
1456 
1457 	callout_stop(&tm->cm_callout);
1458 
1459 	req = (MPI2_SCSI_TASK_MANAGE_REQUEST *)tm->cm_req;
1460 	reply = (MPI2_SCSI_TASK_MANAGE_REPLY *)tm->cm_reply;
1461 	targ = tm->cm_targ;
1462 
1463 	/*
1464 	 * Currently there should be no way we can hit this case.  It only
1465 	 * happens when we have a failure to allocate chain frames, and
1466 	 * task management commands don't have S/G lists.
1467 	 */
1468 	if ((tm->cm_flags & MPS_CM_FLAGS_ERROR_MASK) != 0) {
1469 		mps_dprint(sc, MPS_RECOVERY,
1470 		    "cm_flags = %#x for abort %p TaskMID %u!\n",
1471 		    tm->cm_flags, tm, le16toh(req->TaskMID));
1472 		mpssas_free_tm(sc, tm);
1473 		return;
1474 	}
1475 
1476 	if (reply == NULL) {
1477 		mps_dprint(sc, MPS_RECOVERY,
1478 		    "NULL abort reply for tm %p TaskMID %u\n",
1479 		    tm, le16toh(req->TaskMID));
1480 		if ((sc->mps_flags & MPS_FLAGS_DIAGRESET) != 0) {
1481 			/* this completion was due to a reset, just cleanup */
1482 			mps_dprint(sc, MPS_RECOVERY, "Hardware undergoing "
1483 			    "reset, ignoring NULL abort reply\n");
1484 			targ->tm = NULL;
1485 			mpssas_free_tm(sc, tm);
1486 		} else {
1487 			/* we should have gotten a reply. */
1488 			mps_dprint(sc, MPS_INFO|MPS_RECOVERY, "NULL reply on "
1489 			    "abort attempt, resetting controller\n");
1490 			mps_reinit(sc);
1491 		}
1492 		return;
1493 	}
1494 
1495 	mps_dprint(sc, MPS_RECOVERY,
1496 	    "abort TaskMID %u status 0x%x code 0x%x count %u\n",
1497 	    le16toh(req->TaskMID),
1498 	    le16toh(reply->IOCStatus), le32toh(reply->ResponseCode),
1499 	    le32toh(reply->TerminationCount));
1500 
1501 	cm = TAILQ_FIRST(&tm->cm_targ->timedout_commands);
1502 	if (cm == NULL) {
1503 		/*
1504 		 * If there are no more timedout commands, we're done with
1505 		 * error recovery for this target.
1506 		 */
1507 		mps_dprint(sc, MPS_INFO|MPS_RECOVERY,
1508 		    "Finished abort recovery for target %u\n", targ->tid);
1509 
1510 		targ->tm = NULL;
1511 		mpssas_free_tm(sc, tm);
1512 	} else if (le16toh(req->TaskMID) != cm->cm_desc.Default.SMID) {
1513 		/* abort success, but we have more timedout commands to abort */
1514 		mps_dprint(sc, MPS_INFO|MPS_RECOVERY,
1515 		    "Continuing abort recovery for target %u\n", targ->tid);
1516 
1517 		mpssas_send_abort(sc, tm, cm);
1518 	} else {
1519 		/* we didn't get a command completion, so the abort
1520 		 * failed as far as we're concerned.  escalate.
1521 		 */
1522 		mps_dprint(sc, MPS_RECOVERY,
1523 		    "Abort failed for target %u, sending logical unit reset\n",
1524 		    targ->tid);
1525 
1526 		mpssas_send_reset(sc, tm,
1527 		    MPI2_SCSITASKMGMT_TASKTYPE_LOGICAL_UNIT_RESET);
1528 	}
1529 }
1530 
1531 #define MPS_ABORT_TIMEOUT 5
1532 
1533 static int
1534 mpssas_send_abort(struct mps_softc *sc, struct mps_command *tm, struct mps_command *cm)
1535 {
1536 	MPI2_SCSI_TASK_MANAGE_REQUEST *req;
1537 	struct mpssas_target *targ;
1538 	int err;
1539 
1540 	targ = cm->cm_targ;
1541 	if (targ->handle == 0) {
1542 		mps_dprint(sc, MPS_ERROR|MPS_RECOVERY,
1543 		    "%s null devhandle for target_id %d\n",
1544 		    __func__, cm->cm_ccb->ccb_h.target_id);
1545 		return -1;
1546 	}
1547 
1548 	mpssas_log_command(cm, MPS_RECOVERY|MPS_INFO,
1549 	    "Aborting command %p\n", cm);
1550 
1551 	req = (MPI2_SCSI_TASK_MANAGE_REQUEST *)tm->cm_req;
1552 	req->DevHandle = htole16(targ->handle);
1553 	req->Function = MPI2_FUNCTION_SCSI_TASK_MGMT;
1554 	req->TaskType = MPI2_SCSITASKMGMT_TASKTYPE_ABORT_TASK;
1555 
1556 	/* XXX Need to handle invalid LUNs */
1557 	MPS_SET_LUN(req->LUN, cm->cm_ccb->ccb_h.target_lun);
1558 
1559 	req->TaskMID = htole16(cm->cm_desc.Default.SMID);
1560 
1561 	tm->cm_data = NULL;
1562 	tm->cm_desc.HighPriority.RequestFlags = MPI2_REQ_DESCRIPT_FLAGS_HIGH_PRIORITY;
1563 	tm->cm_complete = mpssas_abort_complete;
1564 	tm->cm_complete_data = (void *)tm;
1565 	tm->cm_targ = cm->cm_targ;
1566 	tm->cm_lun = cm->cm_lun;
1567 
1568 	callout_reset(&tm->cm_callout, MPS_ABORT_TIMEOUT * hz,
1569 	    mpssas_tm_timeout, tm);
1570 
1571 	targ->aborts++;
1572 
1573 	mpssas_prepare_for_tm(sc, tm, targ, tm->cm_lun);
1574 
1575 	err = mps_map_command(sc, tm);
1576 	if (err)
1577 		mps_dprint(sc, MPS_ERROR|MPS_RECOVERY,
1578 		    "error %d sending abort for cm %p SMID %u\n",
1579 		    err, cm, req->TaskMID);
1580 	return err;
1581 }
1582 
1583 static void
1584 mpssas_scsiio_timeout(void *data)
1585 {
1586 	sbintime_t elapsed, now;
1587 	union ccb *ccb;
1588 	struct mps_softc *sc;
1589 	struct mps_command *cm;
1590 	struct mpssas_target *targ;
1591 
1592 	cm = (struct mps_command *)data;
1593 	sc = cm->cm_sc;
1594 	ccb = cm->cm_ccb;
1595 	now = sbinuptime();
1596 
1597 	MPS_FUNCTRACE(sc);
1598 	mtx_assert(&sc->mps_mtx, MA_OWNED);
1599 
1600 	mps_dprint(sc, MPS_XINFO|MPS_RECOVERY, "Timeout checking cm %p\n", sc);
1601 
1602 	/*
1603 	 * Run the interrupt handler to make sure it's not pending.  This
1604 	 * isn't perfect because the command could have already completed
1605 	 * and been re-used, though this is unlikely.
1606 	 */
1607 	mps_intr_locked(sc);
1608 	if (cm->cm_state == MPS_CM_STATE_FREE) {
1609 		mpssas_log_command(cm, MPS_XINFO,
1610 		    "SCSI command %p almost timed out\n", cm);
1611 		return;
1612 	}
1613 
1614 	if (cm->cm_ccb == NULL) {
1615 		mps_dprint(sc, MPS_ERROR, "command timeout with NULL ccb\n");
1616 		return;
1617 	}
1618 
1619 	targ = cm->cm_targ;
1620 	targ->timeouts++;
1621 
1622 	elapsed = now - ccb->ccb_h.qos.sim_data;
1623 	mpssas_log_command(cm, MPS_INFO|MPS_RECOVERY,
1624 	    "Command timeout on target %u(0x%04x) %d set, %d.%d elapsed\n",
1625 	    targ->tid, targ->handle, ccb->ccb_h.timeout,
1626 	    sbintime_getsec(elapsed), elapsed & 0xffffffff);
1627 
1628 	/* XXX first, check the firmware state, to see if it's still
1629 	 * operational.  if not, do a diag reset.
1630 	 */
1631 	mpssas_set_ccbstatus(cm->cm_ccb, CAM_CMD_TIMEOUT);
1632 	cm->cm_state = MPS_CM_STATE_TIMEDOUT;
1633 	TAILQ_INSERT_TAIL(&targ->timedout_commands, cm, cm_recovery);
1634 
1635 	if (targ->tm != NULL) {
1636 		/* target already in recovery, just queue up another
1637 		 * timedout command to be processed later.
1638 		 */
1639 		mps_dprint(sc, MPS_RECOVERY,
1640 		    "queued timedout cm %p for processing by tm %p\n",
1641 		    cm, targ->tm);
1642 	} else if ((targ->tm = mpssas_alloc_tm(sc)) != NULL) {
1643 		mps_dprint(sc, MPS_RECOVERY|MPS_INFO,
1644 		    "Sending abort to target %u for SMID %d\n", targ->tid,
1645 		    cm->cm_desc.Default.SMID);
1646 		mps_dprint(sc, MPS_RECOVERY, "timedout cm %p allocated tm %p\n",
1647 		    cm, targ->tm);
1648 
1649 		/* start recovery by aborting the first timedout command */
1650 		mpssas_send_abort(sc, targ->tm, cm);
1651 	} else {
1652 		/* XXX queue this target up for recovery once a TM becomes
1653 		 * available.  The firmware only has a limited number of
1654 		 * HighPriority credits for the high priority requests used
1655 		 * for task management, and we ran out.
1656 		 *
1657 		 * Isilon: don't worry about this for now, since we have
1658 		 * more credits than disks in an enclosure, and limit
1659 		 * ourselves to one TM per target for recovery.
1660 		 */
1661 		mps_dprint(sc, MPS_ERROR|MPS_RECOVERY,
1662 		    "timedout cm %p failed to allocate a tm\n", cm);
1663 	}
1664 
1665 }
1666 
1667 static void
1668 mpssas_action_scsiio(struct mpssas_softc *sassc, union ccb *ccb)
1669 {
1670 	MPI2_SCSI_IO_REQUEST *req;
1671 	struct ccb_scsiio *csio;
1672 	struct mps_softc *sc;
1673 	struct mpssas_target *targ;
1674 	struct mpssas_lun *lun;
1675 	struct mps_command *cm;
1676 	uint8_t i, lba_byte, *ref_tag_addr;
1677 	uint16_t eedp_flags;
1678 	uint32_t mpi_control;
1679 
1680 	sc = sassc->sc;
1681 	MPS_FUNCTRACE(sc);
1682 	mtx_assert(&sc->mps_mtx, MA_OWNED);
1683 
1684 	csio = &ccb->csio;
1685 	KASSERT(csio->ccb_h.target_id < sassc->maxtargets,
1686 	    ("Target %d out of bounds in XPT_SCSI_IO\n",
1687 	     csio->ccb_h.target_id));
1688 	targ = &sassc->targets[csio->ccb_h.target_id];
1689 	mps_dprint(sc, MPS_TRACE, "ccb %p target flag %x\n", ccb, targ->flags);
1690 	if (targ->handle == 0x0) {
1691 		mps_dprint(sc, MPS_ERROR, "%s NULL handle for target %u\n",
1692 		    __func__, csio->ccb_h.target_id);
1693 		mpssas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
1694 		xpt_done(ccb);
1695 		return;
1696 	}
1697 	if (targ->flags & MPS_TARGET_FLAGS_RAID_COMPONENT) {
1698 		mps_dprint(sc, MPS_ERROR, "%s Raid component no SCSI IO "
1699 		    "supported %u\n", __func__, csio->ccb_h.target_id);
1700 		mpssas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
1701 		xpt_done(ccb);
1702 		return;
1703 	}
1704 	/*
1705 	 * Sometimes, it is possible to get a command that is not "In
1706 	 * Progress" and was actually aborted by the upper layer.  Check for
1707 	 * this here and complete the command without error.
1708 	 */
1709 	if (mpssas_get_ccbstatus(ccb) != CAM_REQ_INPROG) {
1710 		mps_dprint(sc, MPS_TRACE, "%s Command is not in progress for "
1711 		    "target %u\n", __func__, csio->ccb_h.target_id);
1712 		xpt_done(ccb);
1713 		return;
1714 	}
1715 	/*
1716 	 * If devinfo is 0 this will be a volume.  In that case don't tell CAM
1717 	 * that the volume has timed out.  We want volumes to be enumerated
1718 	 * until they are deleted/removed, not just failed.
1719 	 */
1720 	if (targ->flags & MPSSAS_TARGET_INREMOVAL) {
1721 		if (targ->devinfo == 0)
1722 			mpssas_set_ccbstatus(ccb, CAM_REQ_CMP);
1723 		else
1724 			mpssas_set_ccbstatus(ccb, CAM_SEL_TIMEOUT);
1725 		xpt_done(ccb);
1726 		return;
1727 	}
1728 
1729 	if ((sc->mps_flags & MPS_FLAGS_SHUTDOWN) != 0) {
1730 		mps_dprint(sc, MPS_INFO, "%s shutting down\n", __func__);
1731 		mpssas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
1732 		xpt_done(ccb);
1733 		return;
1734 	}
1735 
1736 	/*
1737 	 * If target has a reset in progress, freeze the devq and return.  The
1738 	 * devq will be released when the TM reset is finished.
1739 	 */
1740 	if (targ->flags & MPSSAS_TARGET_INRESET) {
1741 		ccb->ccb_h.status = CAM_BUSY | CAM_DEV_QFRZN;
1742 		mps_dprint(sc, MPS_INFO, "%s: Freezing devq for target ID %d\n",
1743 		    __func__, targ->tid);
1744 		xpt_freeze_devq(ccb->ccb_h.path, 1);
1745 		xpt_done(ccb);
1746 		return;
1747 	}
1748 
1749 	cm = mps_alloc_command(sc);
1750 	if (cm == NULL || (sc->mps_flags & MPS_FLAGS_DIAGRESET)) {
1751 		if (cm != NULL) {
1752 			mps_free_command(sc, cm);
1753 		}
1754 		if ((sassc->flags & MPSSAS_QUEUE_FROZEN) == 0) {
1755 			xpt_freeze_simq(sassc->sim, 1);
1756 			sassc->flags |= MPSSAS_QUEUE_FROZEN;
1757 		}
1758 		ccb->ccb_h.status &= ~CAM_SIM_QUEUED;
1759 		ccb->ccb_h.status |= CAM_REQUEUE_REQ;
1760 		xpt_done(ccb);
1761 		return;
1762 	}
1763 
1764 	req = (MPI2_SCSI_IO_REQUEST *)cm->cm_req;
1765 	bzero(req, sizeof(*req));
1766 	req->DevHandle = htole16(targ->handle);
1767 	req->Function = MPI2_FUNCTION_SCSI_IO_REQUEST;
1768 	req->MsgFlags = 0;
1769 	req->SenseBufferLowAddress = htole32(cm->cm_sense_busaddr);
1770 	req->SenseBufferLength = MPS_SENSE_LEN;
1771 	req->SGLFlags = 0;
1772 	req->ChainOffset = 0;
1773 	req->SGLOffset0 = 24;	/* 32bit word offset to the SGL */
1774 	req->SGLOffset1= 0;
1775 	req->SGLOffset2= 0;
1776 	req->SGLOffset3= 0;
1777 	req->SkipCount = 0;
1778 	req->DataLength = htole32(csio->dxfer_len);
1779 	req->BidirectionalDataLength = 0;
1780 	req->IoFlags = htole16(csio->cdb_len);
1781 	req->EEDPFlags = 0;
1782 
1783 	/* Note: BiDirectional transfers are not supported */
1784 	switch (csio->ccb_h.flags & CAM_DIR_MASK) {
1785 	case CAM_DIR_IN:
1786 		mpi_control = MPI2_SCSIIO_CONTROL_READ;
1787 		cm->cm_flags |= MPS_CM_FLAGS_DATAIN;
1788 		break;
1789 	case CAM_DIR_OUT:
1790 		mpi_control = MPI2_SCSIIO_CONTROL_WRITE;
1791 		cm->cm_flags |= MPS_CM_FLAGS_DATAOUT;
1792 		break;
1793 	case CAM_DIR_NONE:
1794 	default:
1795 		mpi_control = MPI2_SCSIIO_CONTROL_NODATATRANSFER;
1796 		break;
1797 	}
1798 
1799 	if (csio->cdb_len == 32)
1800                 mpi_control |= 4 << MPI2_SCSIIO_CONTROL_ADDCDBLEN_SHIFT;
1801 	/*
1802 	 * It looks like the hardware doesn't require an explicit tag
1803 	 * number for each transaction.  SAM Task Management not supported
1804 	 * at the moment.
1805 	 */
1806 	switch (csio->tag_action) {
1807 	case MSG_HEAD_OF_Q_TAG:
1808 		mpi_control |= MPI2_SCSIIO_CONTROL_HEADOFQ;
1809 		break;
1810 	case MSG_ORDERED_Q_TAG:
1811 		mpi_control |= MPI2_SCSIIO_CONTROL_ORDEREDQ;
1812 		break;
1813 	case MSG_ACA_TASK:
1814 		mpi_control |= MPI2_SCSIIO_CONTROL_ACAQ;
1815 		break;
1816 	case CAM_TAG_ACTION_NONE:
1817 	case MSG_SIMPLE_Q_TAG:
1818 	default:
1819 		mpi_control |= MPI2_SCSIIO_CONTROL_SIMPLEQ;
1820 		break;
1821 	}
1822 	mpi_control |= sc->mapping_table[csio->ccb_h.target_id].TLR_bits;
1823 	req->Control = htole32(mpi_control);
1824 	if (MPS_SET_LUN(req->LUN, csio->ccb_h.target_lun) != 0) {
1825 		mps_free_command(sc, cm);
1826 		mpssas_set_ccbstatus(ccb, CAM_LUN_INVALID);
1827 		xpt_done(ccb);
1828 		return;
1829 	}
1830 
1831 	if (csio->ccb_h.flags & CAM_CDB_POINTER)
1832 		bcopy(csio->cdb_io.cdb_ptr, &req->CDB.CDB32[0], csio->cdb_len);
1833 	else
1834 		bcopy(csio->cdb_io.cdb_bytes, &req->CDB.CDB32[0],csio->cdb_len);
1835 	req->IoFlags = htole16(csio->cdb_len);
1836 
1837 	/*
1838 	 * Check if EEDP is supported and enabled.  If it is then check if the
1839 	 * SCSI opcode could be using EEDP.  If so, make sure the LUN exists and
1840 	 * is formatted for EEDP support.  If all of this is true, set CDB up
1841 	 * for EEDP transfer.
1842 	 */
1843 	eedp_flags = op_code_prot[req->CDB.CDB32[0]];
1844 	if (sc->eedp_enabled && eedp_flags) {
1845 		SLIST_FOREACH(lun, &targ->luns, lun_link) {
1846 			if (lun->lun_id == csio->ccb_h.target_lun) {
1847 				break;
1848 			}
1849 		}
1850 
1851 		if ((lun != NULL) && (lun->eedp_formatted)) {
1852 			req->EEDPBlockSize = htole16(lun->eedp_block_size);
1853 			eedp_flags |= (MPI2_SCSIIO_EEDPFLAGS_INC_PRI_REFTAG |
1854 			    MPI2_SCSIIO_EEDPFLAGS_CHECK_REFTAG |
1855 			    MPI2_SCSIIO_EEDPFLAGS_CHECK_GUARD);
1856 			req->EEDPFlags = htole16(eedp_flags);
1857 
1858 			/*
1859 			 * If CDB less than 32, fill in Primary Ref Tag with
1860 			 * low 4 bytes of LBA.  If CDB is 32, tag stuff is
1861 			 * already there.  Also, set protection bit.  FreeBSD
1862 			 * currently does not support CDBs bigger than 16, but
1863 			 * the code doesn't hurt, and will be here for the
1864 			 * future.
1865 			 */
1866 			if (csio->cdb_len != 32) {
1867 				lba_byte = (csio->cdb_len == 16) ? 6 : 2;
1868 				ref_tag_addr = (uint8_t *)&req->CDB.EEDP32.
1869 				    PrimaryReferenceTag;
1870 				for (i = 0; i < 4; i++) {
1871 					*ref_tag_addr =
1872 					    req->CDB.CDB32[lba_byte + i];
1873 					ref_tag_addr++;
1874 				}
1875 				req->CDB.EEDP32.PrimaryReferenceTag =
1876 					htole32(req->CDB.EEDP32.PrimaryReferenceTag);
1877 				req->CDB.EEDP32.PrimaryApplicationTagMask =
1878 				    0xFFFF;
1879 				req->CDB.CDB32[1] = (req->CDB.CDB32[1] & 0x1F) |
1880 				    0x20;
1881 			} else {
1882 				eedp_flags |=
1883 				    MPI2_SCSIIO_EEDPFLAGS_INC_PRI_APPTAG;
1884 				req->EEDPFlags = htole16(eedp_flags);
1885 				req->CDB.CDB32[10] = (req->CDB.CDB32[10] &
1886 				    0x1F) | 0x20;
1887 			}
1888 		}
1889 	}
1890 
1891 	cm->cm_length = csio->dxfer_len;
1892 	if (cm->cm_length != 0) {
1893 		cm->cm_data = ccb;
1894 		cm->cm_flags |= MPS_CM_FLAGS_USE_CCB;
1895 	} else {
1896 		cm->cm_data = NULL;
1897 	}
1898 	cm->cm_sge = &req->SGL;
1899 	cm->cm_sglsize = (32 - 24) * 4;
1900 	cm->cm_desc.SCSIIO.RequestFlags = MPI2_REQ_DESCRIPT_FLAGS_SCSI_IO;
1901 	cm->cm_desc.SCSIIO.DevHandle = htole16(targ->handle);
1902 	cm->cm_complete = mpssas_scsiio_complete;
1903 	cm->cm_complete_data = ccb;
1904 	cm->cm_targ = targ;
1905 	cm->cm_lun = csio->ccb_h.target_lun;
1906 	cm->cm_ccb = ccb;
1907 
1908 	/*
1909 	 * If HBA is a WD and the command is not for a retry, try to build a
1910 	 * direct I/O message. If failed, or the command is for a retry, send
1911 	 * the I/O to the IR volume itself.
1912 	 */
1913 	if (sc->WD_valid_config) {
1914 		if (ccb->ccb_h.sim_priv.entries[0].field == MPS_WD_RETRY) {
1915 			mpssas_direct_drive_io(sassc, cm, ccb);
1916 		} else {
1917 			mpssas_set_ccbstatus(ccb, CAM_REQ_INPROG);
1918 		}
1919 	}
1920 
1921 #if defined(BUF_TRACKING) || defined(FULL_BUF_TRACKING)
1922 	if (csio->bio != NULL)
1923 		biotrack(csio->bio, __func__);
1924 #endif
1925 	csio->ccb_h.qos.sim_data = sbinuptime();
1926 	callout_reset_sbt(&cm->cm_callout, SBT_1MS * ccb->ccb_h.timeout, 0,
1927 	    mpssas_scsiio_timeout, cm, 0);
1928 
1929 	targ->issued++;
1930 	targ->outstanding++;
1931 	TAILQ_INSERT_TAIL(&targ->commands, cm, cm_link);
1932 	ccb->ccb_h.status |= CAM_SIM_QUEUED;
1933 
1934 	mpssas_log_command(cm, MPS_XINFO, "%s cm %p ccb %p outstanding %u\n",
1935 	    __func__, cm, ccb, targ->outstanding);
1936 
1937 	mps_map_command(sc, cm);
1938 	return;
1939 }
1940 
1941 /**
1942  * mps_sc_failed_io_info - translated non-succesfull SCSI_IO request
1943  */
1944 static void
1945 mps_sc_failed_io_info(struct mps_softc *sc, struct ccb_scsiio *csio,
1946     Mpi2SCSIIOReply_t *mpi_reply)
1947 {
1948 	u32 response_info;
1949 	u8 *response_bytes;
1950 	u16 ioc_status = le16toh(mpi_reply->IOCStatus) &
1951 	    MPI2_IOCSTATUS_MASK;
1952 	u8 scsi_state = mpi_reply->SCSIState;
1953 	u8 scsi_status = mpi_reply->SCSIStatus;
1954 	u32 log_info = le32toh(mpi_reply->IOCLogInfo);
1955 	const char *desc_ioc_state, *desc_scsi_status;
1956 
1957 	if (log_info == 0x31170000)
1958 		return;
1959 
1960 	desc_ioc_state = mps_describe_table(mps_iocstatus_string,
1961 	    ioc_status);
1962 	desc_scsi_status = mps_describe_table(mps_scsi_status_string,
1963 	    scsi_status);
1964 
1965 	mps_dprint(sc, MPS_XINFO, "\thandle(0x%04x), ioc_status(%s)(0x%04x)\n",
1966 	    le16toh(mpi_reply->DevHandle), desc_ioc_state, ioc_status);
1967 
1968 	/*
1969 	 *We can add more detail about underflow data here
1970 	 * TO-DO
1971 	 */
1972 	mps_dprint(sc, MPS_XINFO, "\tscsi_status(%s)(0x%02x), "
1973 	    "scsi_state %b\n", desc_scsi_status, scsi_status,
1974 	    scsi_state, "\20" "\1AutosenseValid" "\2AutosenseFailed"
1975 	    "\3NoScsiStatus" "\4Terminated" "\5Response InfoValid");
1976 
1977 	if (sc->mps_debug & MPS_XINFO &&
1978 		scsi_state & MPI2_SCSI_STATE_AUTOSENSE_VALID) {
1979 		mps_dprint(sc, MPS_XINFO, "-> Sense Buffer Data : Start :\n");
1980 		scsi_sense_print(csio);
1981 		mps_dprint(sc, MPS_XINFO, "-> Sense Buffer Data : End :\n");
1982 	}
1983 
1984 	if (scsi_state & MPI2_SCSI_STATE_RESPONSE_INFO_VALID) {
1985 		response_info = le32toh(mpi_reply->ResponseInfo);
1986 		response_bytes = (u8 *)&response_info;
1987 		mps_dprint(sc, MPS_XINFO, "response code(0x%1x): %s\n",
1988 		    response_bytes[0],
1989 		    mps_describe_table(mps_scsi_taskmgmt_string,
1990 		    response_bytes[0]));
1991 	}
1992 }
1993 
1994 static void
1995 mpssas_scsiio_complete(struct mps_softc *sc, struct mps_command *cm)
1996 {
1997 	MPI2_SCSI_IO_REPLY *rep;
1998 	union ccb *ccb;
1999 	struct ccb_scsiio *csio;
2000 	struct mpssas_softc *sassc;
2001 	struct scsi_vpd_supported_page_list *vpd_list = NULL;
2002 	u8 *TLR_bits, TLR_on;
2003 	int dir = 0, i;
2004 	u16 alloc_len;
2005 	struct mpssas_target *target;
2006 	target_id_t target_id;
2007 
2008 	MPS_FUNCTRACE(sc);
2009 	mps_dprint(sc, MPS_TRACE,
2010 	    "cm %p SMID %u ccb %p reply %p outstanding %u\n", cm,
2011 	    cm->cm_desc.Default.SMID, cm->cm_ccb, cm->cm_reply,
2012 	    cm->cm_targ->outstanding);
2013 
2014 	callout_stop(&cm->cm_callout);
2015 	mtx_assert(&sc->mps_mtx, MA_OWNED);
2016 
2017 	sassc = sc->sassc;
2018 	ccb = cm->cm_complete_data;
2019 	csio = &ccb->csio;
2020 	target_id = csio->ccb_h.target_id;
2021 	rep = (MPI2_SCSI_IO_REPLY *)cm->cm_reply;
2022 	/*
2023 	 * XXX KDM if the chain allocation fails, does it matter if we do
2024 	 * the sync and unload here?  It is simpler to do it in every case,
2025 	 * assuming it doesn't cause problems.
2026 	 */
2027 	if (cm->cm_data != NULL) {
2028 		if (cm->cm_flags & MPS_CM_FLAGS_DATAIN)
2029 			dir = BUS_DMASYNC_POSTREAD;
2030 		else if (cm->cm_flags & MPS_CM_FLAGS_DATAOUT)
2031 			dir = BUS_DMASYNC_POSTWRITE;
2032 		bus_dmamap_sync(sc->buffer_dmat, cm->cm_dmamap, dir);
2033 		bus_dmamap_unload(sc->buffer_dmat, cm->cm_dmamap);
2034 	}
2035 
2036 	cm->cm_targ->completed++;
2037 	cm->cm_targ->outstanding--;
2038 	TAILQ_REMOVE(&cm->cm_targ->commands, cm, cm_link);
2039 	ccb->ccb_h.status &= ~(CAM_STATUS_MASK | CAM_SIM_QUEUED);
2040 
2041 #if defined(BUF_TRACKING) || defined(FULL_BUF_TRACKING)
2042 	if (ccb->csio.bio != NULL)
2043 		biotrack(ccb->csio.bio, __func__);
2044 #endif
2045 
2046 	if (cm->cm_state == MPS_CM_STATE_TIMEDOUT) {
2047 		TAILQ_REMOVE(&cm->cm_targ->timedout_commands, cm, cm_recovery);
2048 		if (cm->cm_reply != NULL)
2049 			mpssas_log_command(cm, MPS_RECOVERY,
2050 			    "completed timedout cm %p ccb %p during recovery "
2051 			    "ioc %x scsi %x state %x xfer %u\n",
2052 			    cm, cm->cm_ccb,
2053 			    le16toh(rep->IOCStatus), rep->SCSIStatus, rep->SCSIState,
2054 			    le32toh(rep->TransferCount));
2055 		else
2056 			mpssas_log_command(cm, MPS_RECOVERY,
2057 			    "completed timedout cm %p ccb %p during recovery\n",
2058 			    cm, cm->cm_ccb);
2059 	} else if (cm->cm_targ->tm != NULL) {
2060 		if (cm->cm_reply != NULL)
2061 			mpssas_log_command(cm, MPS_RECOVERY,
2062 			    "completed cm %p ccb %p during recovery "
2063 			    "ioc %x scsi %x state %x xfer %u\n",
2064 			    cm, cm->cm_ccb,
2065 			    le16toh(rep->IOCStatus), rep->SCSIStatus, rep->SCSIState,
2066 			    le32toh(rep->TransferCount));
2067 		else
2068 			mpssas_log_command(cm, MPS_RECOVERY,
2069 			    "completed cm %p ccb %p during recovery\n",
2070 			    cm, cm->cm_ccb);
2071 	} else if ((sc->mps_flags & MPS_FLAGS_DIAGRESET) != 0) {
2072 		mpssas_log_command(cm, MPS_RECOVERY,
2073 		    "reset completed cm %p ccb %p\n",
2074 		    cm, cm->cm_ccb);
2075 	}
2076 
2077 	if ((cm->cm_flags & MPS_CM_FLAGS_ERROR_MASK) != 0) {
2078 		/*
2079 		 * We ran into an error after we tried to map the command,
2080 		 * so we're getting a callback without queueing the command
2081 		 * to the hardware.  So we set the status here, and it will
2082 		 * be retained below.  We'll go through the "fast path",
2083 		 * because there can be no reply when we haven't actually
2084 		 * gone out to the hardware.
2085 		 */
2086 		mpssas_set_ccbstatus(ccb, CAM_REQUEUE_REQ);
2087 
2088 		/*
2089 		 * Currently the only error included in the mask is
2090 		 * MPS_CM_FLAGS_CHAIN_FAILED, which means we're out of
2091 		 * chain frames.  We need to freeze the queue until we get
2092 		 * a command that completed without this error, which will
2093 		 * hopefully have some chain frames attached that we can
2094 		 * use.  If we wanted to get smarter about it, we would
2095 		 * only unfreeze the queue in this condition when we're
2096 		 * sure that we're getting some chain frames back.  That's
2097 		 * probably unnecessary.
2098 		 */
2099 		if ((sassc->flags & MPSSAS_QUEUE_FROZEN) == 0) {
2100 			xpt_freeze_simq(sassc->sim, 1);
2101 			sassc->flags |= MPSSAS_QUEUE_FROZEN;
2102 			mps_dprint(sc, MPS_XINFO, "Error sending command, "
2103 				   "freezing SIM queue\n");
2104 		}
2105 	}
2106 
2107 	/*
2108 	 * If this is a Start Stop Unit command and it was issued by the driver
2109 	 * during shutdown, decrement the refcount to account for all of the
2110 	 * commands that were sent.  All SSU commands should be completed before
2111 	 * shutdown completes, meaning SSU_refcount will be 0 after SSU_started
2112 	 * is TRUE.
2113 	 */
2114 	if (sc->SSU_started && (csio->cdb_io.cdb_bytes[0] == START_STOP_UNIT)) {
2115 		mps_dprint(sc, MPS_INFO, "Decrementing SSU count.\n");
2116 		sc->SSU_refcount--;
2117 	}
2118 
2119 	/* Take the fast path to completion */
2120 	if (cm->cm_reply == NULL) {
2121 		if (mpssas_get_ccbstatus(ccb) == CAM_REQ_INPROG) {
2122 			if ((sc->mps_flags & MPS_FLAGS_DIAGRESET) != 0)
2123 				mpssas_set_ccbstatus(ccb, CAM_SCSI_BUS_RESET);
2124 			else {
2125 				mpssas_set_ccbstatus(ccb, CAM_REQ_CMP);
2126 				ccb->csio.scsi_status = SCSI_STATUS_OK;
2127 			}
2128 			if (sassc->flags & MPSSAS_QUEUE_FROZEN) {
2129 				ccb->ccb_h.status |= CAM_RELEASE_SIMQ;
2130 				sassc->flags &= ~MPSSAS_QUEUE_FROZEN;
2131 				mps_dprint(sc, MPS_XINFO,
2132 				    "Unfreezing SIM queue\n");
2133 			}
2134 		}
2135 
2136 		/*
2137 		 * There are two scenarios where the status won't be
2138 		 * CAM_REQ_CMP.  The first is if MPS_CM_FLAGS_ERROR_MASK is
2139 		 * set, the second is in the MPS_FLAGS_DIAGRESET above.
2140 		 */
2141 		if (mpssas_get_ccbstatus(ccb) != CAM_REQ_CMP) {
2142 			/*
2143 			 * Freeze the dev queue so that commands are
2144 			 * executed in the correct order after error
2145 			 * recovery.
2146 			 */
2147 			ccb->ccb_h.status |= CAM_DEV_QFRZN;
2148 			xpt_freeze_devq(ccb->ccb_h.path, /*count*/ 1);
2149 		}
2150 		mps_free_command(sc, cm);
2151 		xpt_done(ccb);
2152 		return;
2153 	}
2154 
2155 	mpssas_log_command(cm, MPS_XINFO,
2156 	    "ioc %x scsi %x state %x xfer %u\n",
2157 	    le16toh(rep->IOCStatus), rep->SCSIStatus, rep->SCSIState,
2158 	    le32toh(rep->TransferCount));
2159 
2160 	/*
2161 	 * If this is a Direct Drive I/O, reissue the I/O to the original IR
2162 	 * Volume if an error occurred (normal I/O retry).  Use the original
2163 	 * CCB, but set a flag that this will be a retry so that it's sent to
2164 	 * the original volume.  Free the command but reuse the CCB.
2165 	 */
2166 	if (cm->cm_flags & MPS_CM_FLAGS_DD_IO) {
2167 		mps_free_command(sc, cm);
2168 		ccb->ccb_h.sim_priv.entries[0].field = MPS_WD_RETRY;
2169 		mpssas_action_scsiio(sassc, ccb);
2170 		return;
2171 	} else
2172 		ccb->ccb_h.sim_priv.entries[0].field = 0;
2173 
2174 	switch (le16toh(rep->IOCStatus) & MPI2_IOCSTATUS_MASK) {
2175 	case MPI2_IOCSTATUS_SCSI_DATA_UNDERRUN:
2176 		csio->resid = cm->cm_length - le32toh(rep->TransferCount);
2177 		/* FALLTHROUGH */
2178 	case MPI2_IOCSTATUS_SUCCESS:
2179 	case MPI2_IOCSTATUS_SCSI_RECOVERED_ERROR:
2180 
2181 		if ((le16toh(rep->IOCStatus) & MPI2_IOCSTATUS_MASK) ==
2182 		    MPI2_IOCSTATUS_SCSI_RECOVERED_ERROR)
2183 			mpssas_log_command(cm, MPS_XINFO, "recovered error\n");
2184 
2185 		/* Completion failed at the transport level. */
2186 		if (rep->SCSIState & (MPI2_SCSI_STATE_NO_SCSI_STATUS |
2187 		    MPI2_SCSI_STATE_TERMINATED)) {
2188 			mpssas_set_ccbstatus(ccb, CAM_REQ_CMP_ERR);
2189 			break;
2190 		}
2191 
2192 		/* In a modern packetized environment, an autosense failure
2193 		 * implies that there's not much else that can be done to
2194 		 * recover the command.
2195 		 */
2196 		if (rep->SCSIState & MPI2_SCSI_STATE_AUTOSENSE_FAILED) {
2197 			mpssas_set_ccbstatus(ccb, CAM_AUTOSENSE_FAIL);
2198 			break;
2199 		}
2200 
2201 		/*
2202 		 * CAM doesn't care about SAS Response Info data, but if this is
2203 		 * the state check if TLR should be done.  If not, clear the
2204 		 * TLR_bits for the target.
2205 		 */
2206 		if ((rep->SCSIState & MPI2_SCSI_STATE_RESPONSE_INFO_VALID) &&
2207 		    ((le32toh(rep->ResponseInfo) &
2208 		    MPI2_SCSI_RI_MASK_REASONCODE) ==
2209 		    MPS_SCSI_RI_INVALID_FRAME)) {
2210 			sc->mapping_table[target_id].TLR_bits =
2211 			    (u8)MPI2_SCSIIO_CONTROL_NO_TLR;
2212 		}
2213 
2214 		/*
2215 		 * Intentionally override the normal SCSI status reporting
2216 		 * for these two cases.  These are likely to happen in a
2217 		 * multi-initiator environment, and we want to make sure that
2218 		 * CAM retries these commands rather than fail them.
2219 		 */
2220 		if ((rep->SCSIStatus == MPI2_SCSI_STATUS_COMMAND_TERMINATED) ||
2221 		    (rep->SCSIStatus == MPI2_SCSI_STATUS_TASK_ABORTED)) {
2222 			mpssas_set_ccbstatus(ccb, CAM_REQ_ABORTED);
2223 			break;
2224 		}
2225 
2226 		/* Handle normal status and sense */
2227 		csio->scsi_status = rep->SCSIStatus;
2228 		if (rep->SCSIStatus == MPI2_SCSI_STATUS_GOOD)
2229 			mpssas_set_ccbstatus(ccb, CAM_REQ_CMP);
2230 		else
2231 			mpssas_set_ccbstatus(ccb, CAM_SCSI_STATUS_ERROR);
2232 
2233 		if (rep->SCSIState & MPI2_SCSI_STATE_AUTOSENSE_VALID) {
2234 			int sense_len, returned_sense_len;
2235 
2236 			returned_sense_len = min(le32toh(rep->SenseCount),
2237 			    sizeof(struct scsi_sense_data));
2238 			if (returned_sense_len < ccb->csio.sense_len)
2239 				ccb->csio.sense_resid = ccb->csio.sense_len -
2240 					returned_sense_len;
2241 			else
2242 				ccb->csio.sense_resid = 0;
2243 
2244 			sense_len = min(returned_sense_len,
2245 			    ccb->csio.sense_len - ccb->csio.sense_resid);
2246 			bzero(&ccb->csio.sense_data,
2247 			      sizeof(ccb->csio.sense_data));
2248 			bcopy(cm->cm_sense, &ccb->csio.sense_data, sense_len);
2249 			ccb->ccb_h.status |= CAM_AUTOSNS_VALID;
2250 		}
2251 
2252 		/*
2253 		 * Check if this is an INQUIRY command.  If it's a VPD inquiry,
2254 		 * and it's page code 0 (Supported Page List), and there is
2255 		 * inquiry data, and this is for a sequential access device, and
2256 		 * the device is an SSP target, and TLR is supported by the
2257 		 * controller, turn the TLR_bits value ON if page 0x90 is
2258 		 * supported.
2259 		 */
2260 		if ((csio->cdb_io.cdb_bytes[0] == INQUIRY) &&
2261 		    (csio->cdb_io.cdb_bytes[1] & SI_EVPD) &&
2262 		    (csio->cdb_io.cdb_bytes[2] == SVPD_SUPPORTED_PAGE_LIST) &&
2263 		    ((csio->ccb_h.flags & CAM_DATA_MASK) == CAM_DATA_VADDR) &&
2264 		    (csio->data_ptr != NULL) &&
2265 		    ((csio->data_ptr[0] & 0x1f) == T_SEQUENTIAL) &&
2266 		    (sc->control_TLR) &&
2267 		    (sc->mapping_table[target_id].device_info &
2268 		    MPI2_SAS_DEVICE_INFO_SSP_TARGET)) {
2269 			vpd_list = (struct scsi_vpd_supported_page_list *)
2270 			    csio->data_ptr;
2271 			TLR_bits = &sc->mapping_table[target_id].TLR_bits;
2272 			*TLR_bits = (u8)MPI2_SCSIIO_CONTROL_NO_TLR;
2273 			TLR_on = (u8)MPI2_SCSIIO_CONTROL_TLR_ON;
2274 			alloc_len = ((u16)csio->cdb_io.cdb_bytes[3] << 8) +
2275 			    csio->cdb_io.cdb_bytes[4];
2276 			alloc_len -= csio->resid;
2277 			for (i = 0; i < MIN(vpd_list->length, alloc_len); i++) {
2278 				if (vpd_list->list[i] == 0x90) {
2279 					*TLR_bits = TLR_on;
2280 					break;
2281 				}
2282 			}
2283 		}
2284 
2285 		/*
2286 		 * If this is a SATA direct-access end device, mark it so that
2287 		 * a SCSI StartStopUnit command will be sent to it when the
2288 		 * driver is being shutdown.
2289 		 */
2290 		if ((csio->cdb_io.cdb_bytes[0] == INQUIRY) &&
2291 		    ((csio->data_ptr[0] & 0x1f) == T_DIRECT) &&
2292 		    (sc->mapping_table[target_id].device_info &
2293 		    MPI2_SAS_DEVICE_INFO_SATA_DEVICE) &&
2294 		    ((sc->mapping_table[target_id].device_info &
2295 		    MPI2_SAS_DEVICE_INFO_MASK_DEVICE_TYPE) ==
2296 		    MPI2_SAS_DEVICE_INFO_END_DEVICE)) {
2297 			target = &sassc->targets[target_id];
2298 			target->supports_SSU = TRUE;
2299 			mps_dprint(sc, MPS_XINFO, "Target %d supports SSU\n",
2300 			    target_id);
2301 		}
2302 		break;
2303 	case MPI2_IOCSTATUS_SCSI_INVALID_DEVHANDLE:
2304 	case MPI2_IOCSTATUS_SCSI_DEVICE_NOT_THERE:
2305 		/*
2306 		 * If devinfo is 0 this will be a volume.  In that case don't
2307 		 * tell CAM that the volume is not there.  We want volumes to
2308 		 * be enumerated until they are deleted/removed, not just
2309 		 * failed.
2310 		 */
2311 		if (cm->cm_targ->devinfo == 0)
2312 			mpssas_set_ccbstatus(ccb, CAM_REQ_CMP);
2313 		else
2314 			mpssas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
2315 		break;
2316 	case MPI2_IOCSTATUS_INVALID_SGL:
2317 		mps_print_scsiio_cmd(sc, cm);
2318 		mpssas_set_ccbstatus(ccb, CAM_UNREC_HBA_ERROR);
2319 		break;
2320 	case MPI2_IOCSTATUS_SCSI_TASK_TERMINATED:
2321 		/*
2322 		 * This is one of the responses that comes back when an I/O
2323 		 * has been aborted.  If it is because of a timeout that we
2324 		 * initiated, just set the status to CAM_CMD_TIMEOUT.
2325 		 * Otherwise set it to CAM_REQ_ABORTED.  The effect on the
2326 		 * command is the same (it gets retried, subject to the
2327 		 * retry counter), the only difference is what gets printed
2328 		 * on the console.
2329 		 */
2330 		if (cm->cm_state == MPS_CM_STATE_TIMEDOUT)
2331 			mpssas_set_ccbstatus(ccb, CAM_CMD_TIMEOUT);
2332 		else
2333 			mpssas_set_ccbstatus(ccb, CAM_REQ_ABORTED);
2334 		break;
2335 	case MPI2_IOCSTATUS_SCSI_DATA_OVERRUN:
2336 		/* resid is ignored for this condition */
2337 		csio->resid = 0;
2338 		mpssas_set_ccbstatus(ccb, CAM_DATA_RUN_ERR);
2339 		break;
2340 	case MPI2_IOCSTATUS_SCSI_IOC_TERMINATED:
2341 	case MPI2_IOCSTATUS_SCSI_EXT_TERMINATED:
2342 		/*
2343 		 * These can sometimes be transient transport-related
2344 		 * errors, and sometimes persistent drive-related errors.
2345 		 * We used to retry these without decrementing the retry
2346 		 * count by returning CAM_REQUEUE_REQ.  Unfortunately, if
2347 		 * we hit a persistent drive problem that returns one of
2348 		 * these error codes, we would retry indefinitely.  So,
2349 		 * return CAM_REQ_CMP_ERROR so that we decrement the retry
2350 		 * count and avoid infinite retries.  We're taking the
2351 		 * potential risk of flagging false failures in the event
2352 		 * of a topology-related error (e.g. a SAS expander problem
2353 		 * causes a command addressed to a drive to fail), but
2354 		 * avoiding getting into an infinite retry loop.
2355 		 */
2356 		mpssas_set_ccbstatus(ccb, CAM_REQ_CMP_ERR);
2357 		mps_dprint(sc, MPS_INFO,
2358 		    "Controller reported %s tgt %u SMID %u loginfo %x\n",
2359 		    mps_describe_table(mps_iocstatus_string,
2360 		    le16toh(rep->IOCStatus) & MPI2_IOCSTATUS_MASK),
2361 		    target_id, cm->cm_desc.Default.SMID,
2362 		    le32toh(rep->IOCLogInfo));
2363 		mps_dprint(sc, MPS_XINFO,
2364 		    "SCSIStatus %x SCSIState %x xfercount %u\n",
2365 		    rep->SCSIStatus, rep->SCSIState,
2366 		    le32toh(rep->TransferCount));
2367 		break;
2368 	case MPI2_IOCSTATUS_INVALID_FUNCTION:
2369 	case MPI2_IOCSTATUS_INTERNAL_ERROR:
2370 	case MPI2_IOCSTATUS_INVALID_VPID:
2371 	case MPI2_IOCSTATUS_INVALID_FIELD:
2372 	case MPI2_IOCSTATUS_INVALID_STATE:
2373 	case MPI2_IOCSTATUS_OP_STATE_NOT_SUPPORTED:
2374 	case MPI2_IOCSTATUS_SCSI_IO_DATA_ERROR:
2375 	case MPI2_IOCSTATUS_SCSI_PROTOCOL_ERROR:
2376 	case MPI2_IOCSTATUS_SCSI_RESIDUAL_MISMATCH:
2377 	case MPI2_IOCSTATUS_SCSI_TASK_MGMT_FAILED:
2378 	default:
2379 		mpssas_log_command(cm, MPS_XINFO,
2380 		    "completed ioc %x loginfo %x scsi %x state %x xfer %u\n",
2381 		    le16toh(rep->IOCStatus), le32toh(rep->IOCLogInfo),
2382 		    rep->SCSIStatus, rep->SCSIState,
2383 		    le32toh(rep->TransferCount));
2384 		csio->resid = cm->cm_length;
2385 		mpssas_set_ccbstatus(ccb, CAM_REQ_CMP_ERR);
2386 		break;
2387 	}
2388 
2389 	mps_sc_failed_io_info(sc,csio,rep);
2390 
2391 	if (sassc->flags & MPSSAS_QUEUE_FROZEN) {
2392 		ccb->ccb_h.status |= CAM_RELEASE_SIMQ;
2393 		sassc->flags &= ~MPSSAS_QUEUE_FROZEN;
2394 		mps_dprint(sc, MPS_XINFO, "Command completed, "
2395 		    "unfreezing SIM queue\n");
2396 	}
2397 
2398 	if (mpssas_get_ccbstatus(ccb) != CAM_REQ_CMP) {
2399 		ccb->ccb_h.status |= CAM_DEV_QFRZN;
2400 		xpt_freeze_devq(ccb->ccb_h.path, /*count*/ 1);
2401 	}
2402 
2403 	mps_free_command(sc, cm);
2404 	xpt_done(ccb);
2405 }
2406 
2407 /* All Request reached here are Endian safe */
2408 static void
2409 mpssas_direct_drive_io(struct mpssas_softc *sassc, struct mps_command *cm,
2410     union ccb *ccb) {
2411 	pMpi2SCSIIORequest_t	pIO_req;
2412 	struct mps_softc	*sc = sassc->sc;
2413 	uint64_t		virtLBA;
2414 	uint32_t		physLBA, stripe_offset, stripe_unit;
2415 	uint32_t		io_size, column;
2416 	uint8_t			*ptrLBA, lba_idx, physLBA_byte, *CDB;
2417 
2418 	/*
2419 	 * If this is a valid SCSI command (Read6, Read10, Read16, Write6,
2420 	 * Write10, or Write16), build a direct I/O message.  Otherwise, the I/O
2421 	 * will be sent to the IR volume itself.  Since Read6 and Write6 are a
2422 	 * bit different than the 10/16 CDBs, handle them separately.
2423 	 */
2424 	pIO_req = (pMpi2SCSIIORequest_t)cm->cm_req;
2425 	CDB = pIO_req->CDB.CDB32;
2426 
2427 	/*
2428 	 * Handle 6 byte CDBs.
2429 	 */
2430 	if ((pIO_req->DevHandle == sc->DD_dev_handle) && ((CDB[0] == READ_6) ||
2431 	    (CDB[0] == WRITE_6))) {
2432 		/*
2433 		 * Get the transfer size in blocks.
2434 		 */
2435 		io_size = (cm->cm_length >> sc->DD_block_exponent);
2436 
2437 		/*
2438 		 * Get virtual LBA given in the CDB.
2439 		 */
2440 		virtLBA = ((uint64_t)(CDB[1] & 0x1F) << 16) |
2441 		    ((uint64_t)CDB[2] << 8) | (uint64_t)CDB[3];
2442 
2443 		/*
2444 		 * Check that LBA range for I/O does not exceed volume's
2445 		 * MaxLBA.
2446 		 */
2447 		if ((virtLBA + (uint64_t)io_size - 1) <=
2448 		    sc->DD_max_lba) {
2449 			/*
2450 			 * Check if the I/O crosses a stripe boundary.  If not,
2451 			 * translate the virtual LBA to a physical LBA and set
2452 			 * the DevHandle for the PhysDisk to be used.  If it
2453 			 * does cross a boundary, do normal I/O.  To get the
2454 			 * right DevHandle to use, get the map number for the
2455 			 * column, then use that map number to look up the
2456 			 * DevHandle of the PhysDisk.
2457 			 */
2458 			stripe_offset = (uint32_t)virtLBA &
2459 			    (sc->DD_stripe_size - 1);
2460 			if ((stripe_offset + io_size) <= sc->DD_stripe_size) {
2461 				physLBA = (uint32_t)virtLBA >>
2462 				    sc->DD_stripe_exponent;
2463 				stripe_unit = physLBA / sc->DD_num_phys_disks;
2464 				column = physLBA % sc->DD_num_phys_disks;
2465 				pIO_req->DevHandle =
2466 				    htole16(sc->DD_column_map[column].dev_handle);
2467 				/* ???? Is this endian safe*/
2468 				cm->cm_desc.SCSIIO.DevHandle =
2469 				    pIO_req->DevHandle;
2470 
2471 				physLBA = (stripe_unit <<
2472 				    sc->DD_stripe_exponent) + stripe_offset;
2473 				ptrLBA = &pIO_req->CDB.CDB32[1];
2474 				physLBA_byte = (uint8_t)(physLBA >> 16);
2475 				*ptrLBA = physLBA_byte;
2476 				ptrLBA = &pIO_req->CDB.CDB32[2];
2477 				physLBA_byte = (uint8_t)(physLBA >> 8);
2478 				*ptrLBA = physLBA_byte;
2479 				ptrLBA = &pIO_req->CDB.CDB32[3];
2480 				physLBA_byte = (uint8_t)physLBA;
2481 				*ptrLBA = physLBA_byte;
2482 
2483 				/*
2484 				 * Set flag that Direct Drive I/O is
2485 				 * being done.
2486 				 */
2487 				cm->cm_flags |= MPS_CM_FLAGS_DD_IO;
2488 			}
2489 		}
2490 		return;
2491 	}
2492 
2493 	/*
2494 	 * Handle 10, 12 or 16 byte CDBs.
2495 	 */
2496 	if ((pIO_req->DevHandle == sc->DD_dev_handle) && ((CDB[0] == READ_10) ||
2497 	    (CDB[0] == WRITE_10) || (CDB[0] == READ_16) ||
2498 	    (CDB[0] == WRITE_16) || (CDB[0] == READ_12) ||
2499 	    (CDB[0] == WRITE_12))) {
2500 		/*
2501 		 * For 16-byte CDB's, verify that the upper 4 bytes of the CDB
2502 		 * are 0.  If not, this is accessing beyond 2TB so handle it in
2503 		 * the else section.  10-byte and 12-byte CDB's are OK.
2504 		 * FreeBSD sends very rare 12 byte READ/WRITE, but driver is
2505 		 * ready to accept 12byte CDB for Direct IOs.
2506 		 */
2507 		if ((CDB[0] == READ_10 || CDB[0] == WRITE_10) ||
2508 		    (CDB[0] == READ_12 || CDB[0] == WRITE_12) ||
2509 		    !(CDB[2] | CDB[3] | CDB[4] | CDB[5])) {
2510 			/*
2511 			 * Get the transfer size in blocks.
2512 			 */
2513 			io_size = (cm->cm_length >> sc->DD_block_exponent);
2514 
2515 			/*
2516 			 * Get virtual LBA.  Point to correct lower 4 bytes of
2517 			 * LBA in the CDB depending on command.
2518 			 */
2519 			lba_idx = ((CDB[0] == READ_12) ||
2520 				(CDB[0] == WRITE_12) ||
2521 				(CDB[0] == READ_10) ||
2522 				(CDB[0] == WRITE_10))? 2 : 6;
2523 			virtLBA = ((uint64_t)CDB[lba_idx] << 24) |
2524 			    ((uint64_t)CDB[lba_idx + 1] << 16) |
2525 			    ((uint64_t)CDB[lba_idx + 2] << 8) |
2526 			    (uint64_t)CDB[lba_idx + 3];
2527 
2528 			/*
2529 			 * Check that LBA range for I/O does not exceed volume's
2530 			 * MaxLBA.
2531 			 */
2532 			if ((virtLBA + (uint64_t)io_size - 1) <=
2533 			    sc->DD_max_lba) {
2534 				/*
2535 				 * Check if the I/O crosses a stripe boundary.
2536 				 * If not, translate the virtual LBA to a
2537 				 * physical LBA and set the DevHandle for the
2538 				 * PhysDisk to be used.  If it does cross a
2539 				 * boundary, do normal I/O.  To get the right
2540 				 * DevHandle to use, get the map number for the
2541 				 * column, then use that map number to look up
2542 				 * the DevHandle of the PhysDisk.
2543 				 */
2544 				stripe_offset = (uint32_t)virtLBA &
2545 				    (sc->DD_stripe_size - 1);
2546 				if ((stripe_offset + io_size) <=
2547 				    sc->DD_stripe_size) {
2548 					physLBA = (uint32_t)virtLBA >>
2549 					    sc->DD_stripe_exponent;
2550 					stripe_unit = physLBA /
2551 					    sc->DD_num_phys_disks;
2552 					column = physLBA %
2553 					    sc->DD_num_phys_disks;
2554 					pIO_req->DevHandle =
2555 					    htole16(sc->DD_column_map[column].
2556 					    dev_handle);
2557 					cm->cm_desc.SCSIIO.DevHandle =
2558 					    pIO_req->DevHandle;
2559 
2560 					physLBA = (stripe_unit <<
2561 					    sc->DD_stripe_exponent) +
2562 					    stripe_offset;
2563 					ptrLBA =
2564 					    &pIO_req->CDB.CDB32[lba_idx];
2565 					physLBA_byte = (uint8_t)(physLBA >> 24);
2566 					*ptrLBA = physLBA_byte;
2567 					ptrLBA =
2568 					    &pIO_req->CDB.CDB32[lba_idx + 1];
2569 					physLBA_byte = (uint8_t)(physLBA >> 16);
2570 					*ptrLBA = physLBA_byte;
2571 					ptrLBA =
2572 					    &pIO_req->CDB.CDB32[lba_idx + 2];
2573 					physLBA_byte = (uint8_t)(physLBA >> 8);
2574 					*ptrLBA = physLBA_byte;
2575 					ptrLBA =
2576 					    &pIO_req->CDB.CDB32[lba_idx + 3];
2577 					physLBA_byte = (uint8_t)physLBA;
2578 					*ptrLBA = physLBA_byte;
2579 
2580 					/*
2581 					 * Set flag that Direct Drive I/O is
2582 					 * being done.
2583 					 */
2584 					cm->cm_flags |= MPS_CM_FLAGS_DD_IO;
2585 				}
2586 			}
2587 		} else {
2588 			/*
2589 			 * 16-byte CDB and the upper 4 bytes of the CDB are not
2590 			 * 0.  Get the transfer size in blocks.
2591 			 */
2592 			io_size = (cm->cm_length >> sc->DD_block_exponent);
2593 
2594 			/*
2595 			 * Get virtual LBA.
2596 			 */
2597 			virtLBA = ((uint64_t)CDB[2] << 54) |
2598 			    ((uint64_t)CDB[3] << 48) |
2599 			    ((uint64_t)CDB[4] << 40) |
2600 			    ((uint64_t)CDB[5] << 32) |
2601 			    ((uint64_t)CDB[6] << 24) |
2602 			    ((uint64_t)CDB[7] << 16) |
2603 			    ((uint64_t)CDB[8] << 8) |
2604 			    (uint64_t)CDB[9];
2605 
2606 			/*
2607 			 * Check that LBA range for I/O does not exceed volume's
2608 			 * MaxLBA.
2609 			 */
2610 			if ((virtLBA + (uint64_t)io_size - 1) <=
2611 			    sc->DD_max_lba) {
2612 				/*
2613 				 * Check if the I/O crosses a stripe boundary.
2614 				 * If not, translate the virtual LBA to a
2615 				 * physical LBA and set the DevHandle for the
2616 				 * PhysDisk to be used.  If it does cross a
2617 				 * boundary, do normal I/O.  To get the right
2618 				 * DevHandle to use, get the map number for the
2619 				 * column, then use that map number to look up
2620 				 * the DevHandle of the PhysDisk.
2621 				 */
2622 				stripe_offset = (uint32_t)virtLBA &
2623 				    (sc->DD_stripe_size - 1);
2624 				if ((stripe_offset + io_size) <=
2625 				    sc->DD_stripe_size) {
2626 					physLBA = (uint32_t)(virtLBA >>
2627 					    sc->DD_stripe_exponent);
2628 					stripe_unit = physLBA /
2629 					    sc->DD_num_phys_disks;
2630 					column = physLBA %
2631 					    sc->DD_num_phys_disks;
2632 					pIO_req->DevHandle =
2633 					    htole16(sc->DD_column_map[column].
2634 					    dev_handle);
2635 					cm->cm_desc.SCSIIO.DevHandle =
2636 					    pIO_req->DevHandle;
2637 
2638 					physLBA = (stripe_unit <<
2639 					    sc->DD_stripe_exponent) +
2640 					    stripe_offset;
2641 
2642 					/*
2643 					 * Set upper 4 bytes of LBA to 0.  We
2644 					 * assume that the phys disks are less
2645 					 * than 2 TB's in size.  Then, set the
2646 					 * lower 4 bytes.
2647 					 */
2648 					pIO_req->CDB.CDB32[2] = 0;
2649 					pIO_req->CDB.CDB32[3] = 0;
2650 					pIO_req->CDB.CDB32[4] = 0;
2651 					pIO_req->CDB.CDB32[5] = 0;
2652 					ptrLBA = &pIO_req->CDB.CDB32[6];
2653 					physLBA_byte = (uint8_t)(physLBA >> 24);
2654 					*ptrLBA = physLBA_byte;
2655 					ptrLBA = &pIO_req->CDB.CDB32[7];
2656 					physLBA_byte = (uint8_t)(physLBA >> 16);
2657 					*ptrLBA = physLBA_byte;
2658 					ptrLBA = &pIO_req->CDB.CDB32[8];
2659 					physLBA_byte = (uint8_t)(physLBA >> 8);
2660 					*ptrLBA = physLBA_byte;
2661 					ptrLBA = &pIO_req->CDB.CDB32[9];
2662 					physLBA_byte = (uint8_t)physLBA;
2663 					*ptrLBA = physLBA_byte;
2664 
2665 					/*
2666 					 * Set flag that Direct Drive I/O is
2667 					 * being done.
2668 					 */
2669 					cm->cm_flags |= MPS_CM_FLAGS_DD_IO;
2670 				}
2671 			}
2672 		}
2673 	}
2674 }
2675 
2676 #if __FreeBSD_version >= 900026
2677 static void
2678 mpssas_smpio_complete(struct mps_softc *sc, struct mps_command *cm)
2679 {
2680 	MPI2_SMP_PASSTHROUGH_REPLY *rpl;
2681 	MPI2_SMP_PASSTHROUGH_REQUEST *req;
2682 	uint64_t sasaddr;
2683 	union ccb *ccb;
2684 
2685 	ccb = cm->cm_complete_data;
2686 
2687 	/*
2688 	 * Currently there should be no way we can hit this case.  It only
2689 	 * happens when we have a failure to allocate chain frames, and SMP
2690 	 * commands require two S/G elements only.  That should be handled
2691 	 * in the standard request size.
2692 	 */
2693 	if ((cm->cm_flags & MPS_CM_FLAGS_ERROR_MASK) != 0) {
2694 		mps_dprint(sc, MPS_ERROR,"%s: cm_flags = %#x on SMP request!\n",
2695 			   __func__, cm->cm_flags);
2696 		mpssas_set_ccbstatus(ccb, CAM_REQ_CMP_ERR);
2697 		goto bailout;
2698         }
2699 
2700 	rpl = (MPI2_SMP_PASSTHROUGH_REPLY *)cm->cm_reply;
2701 	if (rpl == NULL) {
2702 		mps_dprint(sc, MPS_ERROR, "%s: NULL cm_reply!\n", __func__);
2703 		mpssas_set_ccbstatus(ccb, CAM_REQ_CMP_ERR);
2704 		goto bailout;
2705 	}
2706 
2707 	req = (MPI2_SMP_PASSTHROUGH_REQUEST *)cm->cm_req;
2708 	sasaddr = le32toh(req->SASAddress.Low);
2709 	sasaddr |= ((uint64_t)(le32toh(req->SASAddress.High))) << 32;
2710 
2711 	if ((le16toh(rpl->IOCStatus) & MPI2_IOCSTATUS_MASK) !=
2712 	    MPI2_IOCSTATUS_SUCCESS ||
2713 	    rpl->SASStatus != MPI2_SASSTATUS_SUCCESS) {
2714 		mps_dprint(sc, MPS_XINFO, "%s: IOCStatus %04x SASStatus %02x\n",
2715 		    __func__, le16toh(rpl->IOCStatus), rpl->SASStatus);
2716 		mpssas_set_ccbstatus(ccb, CAM_REQ_CMP_ERR);
2717 		goto bailout;
2718 	}
2719 
2720 	mps_dprint(sc, MPS_XINFO, "%s: SMP request to SAS address "
2721 		   "%#jx completed successfully\n", __func__,
2722 		   (uintmax_t)sasaddr);
2723 
2724 	if (ccb->smpio.smp_response[2] == SMP_FR_ACCEPTED)
2725 		mpssas_set_ccbstatus(ccb, CAM_REQ_CMP);
2726 	else
2727 		mpssas_set_ccbstatus(ccb, CAM_SMP_STATUS_ERROR);
2728 
2729 bailout:
2730 	/*
2731 	 * We sync in both directions because we had DMAs in the S/G list
2732 	 * in both directions.
2733 	 */
2734 	bus_dmamap_sync(sc->buffer_dmat, cm->cm_dmamap,
2735 			BUS_DMASYNC_POSTREAD | BUS_DMASYNC_POSTWRITE);
2736 	bus_dmamap_unload(sc->buffer_dmat, cm->cm_dmamap);
2737 	mps_free_command(sc, cm);
2738 	xpt_done(ccb);
2739 }
2740 
2741 static void
2742 mpssas_send_smpcmd(struct mpssas_softc *sassc, union ccb *ccb, uint64_t sasaddr)
2743 {
2744 	struct mps_command *cm;
2745 	uint8_t *request, *response;
2746 	MPI2_SMP_PASSTHROUGH_REQUEST *req;
2747 	struct mps_softc *sc;
2748 	int error;
2749 
2750 	sc = sassc->sc;
2751 	error = 0;
2752 
2753 	/*
2754 	 * XXX We don't yet support physical addresses here.
2755 	 */
2756 	switch ((ccb->ccb_h.flags & CAM_DATA_MASK)) {
2757 	case CAM_DATA_PADDR:
2758 	case CAM_DATA_SG_PADDR:
2759 		mps_dprint(sc, MPS_ERROR,
2760 			   "%s: physical addresses not supported\n", __func__);
2761 		mpssas_set_ccbstatus(ccb, CAM_REQ_INVALID);
2762 		xpt_done(ccb);
2763 		return;
2764 	case CAM_DATA_SG:
2765 		/*
2766 		 * The chip does not support more than one buffer for the
2767 		 * request or response.
2768 		 */
2769 	 	if ((ccb->smpio.smp_request_sglist_cnt > 1)
2770 		  || (ccb->smpio.smp_response_sglist_cnt > 1)) {
2771 			mps_dprint(sc, MPS_ERROR,
2772 				   "%s: multiple request or response "
2773 				   "buffer segments not supported for SMP\n",
2774 				   __func__);
2775 			mpssas_set_ccbstatus(ccb, CAM_REQ_INVALID);
2776 			xpt_done(ccb);
2777 			return;
2778 		}
2779 
2780 		/*
2781 		 * The CAM_SCATTER_VALID flag was originally implemented
2782 		 * for the XPT_SCSI_IO CCB, which only has one data pointer.
2783 		 * We have two.  So, just take that flag to mean that we
2784 		 * might have S/G lists, and look at the S/G segment count
2785 		 * to figure out whether that is the case for each individual
2786 		 * buffer.
2787 		 */
2788 		if (ccb->smpio.smp_request_sglist_cnt != 0) {
2789 			bus_dma_segment_t *req_sg;
2790 
2791 			req_sg = (bus_dma_segment_t *)ccb->smpio.smp_request;
2792 			request = (uint8_t *)(uintptr_t)req_sg[0].ds_addr;
2793 		} else
2794 			request = ccb->smpio.smp_request;
2795 
2796 		if (ccb->smpio.smp_response_sglist_cnt != 0) {
2797 			bus_dma_segment_t *rsp_sg;
2798 
2799 			rsp_sg = (bus_dma_segment_t *)ccb->smpio.smp_response;
2800 			response = (uint8_t *)(uintptr_t)rsp_sg[0].ds_addr;
2801 		} else
2802 			response = ccb->smpio.smp_response;
2803 		break;
2804 	case CAM_DATA_VADDR:
2805 		request = ccb->smpio.smp_request;
2806 		response = ccb->smpio.smp_response;
2807 		break;
2808 	default:
2809 		mpssas_set_ccbstatus(ccb, CAM_REQ_INVALID);
2810 		xpt_done(ccb);
2811 		return;
2812 	}
2813 
2814 	cm = mps_alloc_command(sc);
2815 	if (cm == NULL) {
2816 		mps_dprint(sc, MPS_ERROR,
2817 		    "%s: cannot allocate command\n", __func__);
2818 		mpssas_set_ccbstatus(ccb, CAM_RESRC_UNAVAIL);
2819 		xpt_done(ccb);
2820 		return;
2821 	}
2822 
2823 	req = (MPI2_SMP_PASSTHROUGH_REQUEST *)cm->cm_req;
2824 	bzero(req, sizeof(*req));
2825 	req->Function = MPI2_FUNCTION_SMP_PASSTHROUGH;
2826 
2827 	/* Allow the chip to use any route to this SAS address. */
2828 	req->PhysicalPort = 0xff;
2829 
2830 	req->RequestDataLength = htole16(ccb->smpio.smp_request_len);
2831 	req->SGLFlags =
2832 	    MPI2_SGLFLAGS_SYSTEM_ADDRESS_SPACE | MPI2_SGLFLAGS_SGL_TYPE_MPI;
2833 
2834 	mps_dprint(sc, MPS_XINFO, "%s: sending SMP request to SAS "
2835 	    "address %#jx\n", __func__, (uintmax_t)sasaddr);
2836 
2837 	mpi_init_sge(cm, req, &req->SGL);
2838 
2839 	/*
2840 	 * Set up a uio to pass into mps_map_command().  This allows us to
2841 	 * do one map command, and one busdma call in there.
2842 	 */
2843 	cm->cm_uio.uio_iov = cm->cm_iovec;
2844 	cm->cm_uio.uio_iovcnt = 2;
2845 	cm->cm_uio.uio_segflg = UIO_SYSSPACE;
2846 
2847 	/*
2848 	 * The read/write flag isn't used by busdma, but set it just in
2849 	 * case.  This isn't exactly accurate, either, since we're going in
2850 	 * both directions.
2851 	 */
2852 	cm->cm_uio.uio_rw = UIO_WRITE;
2853 
2854 	cm->cm_iovec[0].iov_base = request;
2855 	cm->cm_iovec[0].iov_len = le16toh(req->RequestDataLength);
2856 	cm->cm_iovec[1].iov_base = response;
2857 	cm->cm_iovec[1].iov_len = ccb->smpio.smp_response_len;
2858 
2859 	cm->cm_uio.uio_resid = cm->cm_iovec[0].iov_len +
2860 			       cm->cm_iovec[1].iov_len;
2861 
2862 	/*
2863 	 * Trigger a warning message in mps_data_cb() for the user if we
2864 	 * wind up exceeding two S/G segments.  The chip expects one
2865 	 * segment for the request and another for the response.
2866 	 */
2867 	cm->cm_max_segs = 2;
2868 
2869 	cm->cm_desc.Default.RequestFlags = MPI2_REQ_DESCRIPT_FLAGS_DEFAULT_TYPE;
2870 	cm->cm_complete = mpssas_smpio_complete;
2871 	cm->cm_complete_data = ccb;
2872 
2873 	/*
2874 	 * Tell the mapping code that we're using a uio, and that this is
2875 	 * an SMP passthrough request.  There is a little special-case
2876 	 * logic there (in mps_data_cb()) to handle the bidirectional
2877 	 * transfer.
2878 	 */
2879 	cm->cm_flags |= MPS_CM_FLAGS_USE_UIO | MPS_CM_FLAGS_SMP_PASS |
2880 			MPS_CM_FLAGS_DATAIN | MPS_CM_FLAGS_DATAOUT;
2881 
2882 	/* The chip data format is little endian. */
2883 	req->SASAddress.High = htole32(sasaddr >> 32);
2884 	req->SASAddress.Low = htole32(sasaddr);
2885 
2886 	/*
2887 	 * XXX Note that we don't have a timeout/abort mechanism here.
2888 	 * From the manual, it looks like task management requests only
2889 	 * work for SCSI IO and SATA passthrough requests.  We may need to
2890 	 * have a mechanism to retry requests in the event of a chip reset
2891 	 * at least.  Hopefully the chip will insure that any errors short
2892 	 * of that are relayed back to the driver.
2893 	 */
2894 	error = mps_map_command(sc, cm);
2895 	if ((error != 0) && (error != EINPROGRESS)) {
2896 		mps_dprint(sc, MPS_ERROR,
2897 			   "%s: error %d returned from mps_map_command()\n",
2898 			   __func__, error);
2899 		goto bailout_error;
2900 	}
2901 
2902 	return;
2903 
2904 bailout_error:
2905 	mps_free_command(sc, cm);
2906 	mpssas_set_ccbstatus(ccb, CAM_RESRC_UNAVAIL);
2907 	xpt_done(ccb);
2908 	return;
2909 
2910 }
2911 
2912 static void
2913 mpssas_action_smpio(struct mpssas_softc *sassc, union ccb *ccb)
2914 {
2915 	struct mps_softc *sc;
2916 	struct mpssas_target *targ;
2917 	uint64_t sasaddr = 0;
2918 
2919 	sc = sassc->sc;
2920 
2921 	/*
2922 	 * Make sure the target exists.
2923 	 */
2924 	KASSERT(ccb->ccb_h.target_id < sassc->maxtargets,
2925 	    ("Target %d out of bounds in XPT_SMP_IO\n", ccb->ccb_h.target_id));
2926 	targ = &sassc->targets[ccb->ccb_h.target_id];
2927 	if (targ->handle == 0x0) {
2928 		mps_dprint(sc, MPS_ERROR,
2929 			   "%s: target %d does not exist!\n", __func__,
2930 			   ccb->ccb_h.target_id);
2931 		mpssas_set_ccbstatus(ccb, CAM_SEL_TIMEOUT);
2932 		xpt_done(ccb);
2933 		return;
2934 	}
2935 
2936 	/*
2937 	 * If this device has an embedded SMP target, we'll talk to it
2938 	 * directly.
2939 	 * figure out what the expander's address is.
2940 	 */
2941 	if ((targ->devinfo & MPI2_SAS_DEVICE_INFO_SMP_TARGET) != 0)
2942 		sasaddr = targ->sasaddr;
2943 
2944 	/*
2945 	 * If we don't have a SAS address for the expander yet, try
2946 	 * grabbing it from the page 0x83 information cached in the
2947 	 * transport layer for this target.  LSI expanders report the
2948 	 * expander SAS address as the port-associated SAS address in
2949 	 * Inquiry VPD page 0x83.  Maxim expanders don't report it in page
2950 	 * 0x83.
2951 	 *
2952 	 * XXX KDM disable this for now, but leave it commented out so that
2953 	 * it is obvious that this is another possible way to get the SAS
2954 	 * address.
2955 	 *
2956 	 * The parent handle method below is a little more reliable, and
2957 	 * the other benefit is that it works for devices other than SES
2958 	 * devices.  So you can send a SMP request to a da(4) device and it
2959 	 * will get routed to the expander that device is attached to.
2960 	 * (Assuming the da(4) device doesn't contain an SMP target...)
2961 	 */
2962 #if 0
2963 	if (sasaddr == 0)
2964 		sasaddr = xpt_path_sas_addr(ccb->ccb_h.path);
2965 #endif
2966 
2967 	/*
2968 	 * If we still don't have a SAS address for the expander, look for
2969 	 * the parent device of this device, which is probably the expander.
2970 	 */
2971 	if (sasaddr == 0) {
2972 #ifdef OLD_MPS_PROBE
2973 		struct mpssas_target *parent_target;
2974 #endif
2975 
2976 		if (targ->parent_handle == 0x0) {
2977 			mps_dprint(sc, MPS_ERROR,
2978 				   "%s: handle %d does not have a valid "
2979 				   "parent handle!\n", __func__, targ->handle);
2980 			mpssas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
2981 			goto bailout;
2982 		}
2983 #ifdef OLD_MPS_PROBE
2984 		parent_target = mpssas_find_target_by_handle(sassc, 0,
2985 			targ->parent_handle);
2986 
2987 		if (parent_target == NULL) {
2988 			mps_dprint(sc, MPS_ERROR,
2989 				   "%s: handle %d does not have a valid "
2990 				   "parent target!\n", __func__, targ->handle);
2991 			mpssas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
2992 			goto bailout;
2993 		}
2994 
2995 		if ((parent_target->devinfo &
2996 		     MPI2_SAS_DEVICE_INFO_SMP_TARGET) == 0) {
2997 			mps_dprint(sc, MPS_ERROR,
2998 				   "%s: handle %d parent %d does not "
2999 				   "have an SMP target!\n", __func__,
3000 				   targ->handle, parent_target->handle);
3001 			mpssas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
3002 			goto bailout;
3003 
3004 		}
3005 
3006 		sasaddr = parent_target->sasaddr;
3007 #else /* OLD_MPS_PROBE */
3008 		if ((targ->parent_devinfo &
3009 		     MPI2_SAS_DEVICE_INFO_SMP_TARGET) == 0) {
3010 			mps_dprint(sc, MPS_ERROR,
3011 				   "%s: handle %d parent %d does not "
3012 				   "have an SMP target!\n", __func__,
3013 				   targ->handle, targ->parent_handle);
3014 			mpssas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
3015 			goto bailout;
3016 
3017 		}
3018 		if (targ->parent_sasaddr == 0x0) {
3019 			mps_dprint(sc, MPS_ERROR,
3020 				   "%s: handle %d parent handle %d does "
3021 				   "not have a valid SAS address!\n",
3022 				   __func__, targ->handle, targ->parent_handle);
3023 			mpssas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
3024 			goto bailout;
3025 		}
3026 
3027 		sasaddr = targ->parent_sasaddr;
3028 #endif /* OLD_MPS_PROBE */
3029 
3030 	}
3031 
3032 	if (sasaddr == 0) {
3033 		mps_dprint(sc, MPS_INFO,
3034 			   "%s: unable to find SAS address for handle %d\n",
3035 			   __func__, targ->handle);
3036 		mpssas_set_ccbstatus(ccb, CAM_DEV_NOT_THERE);
3037 		goto bailout;
3038 	}
3039 	mpssas_send_smpcmd(sassc, ccb, sasaddr);
3040 
3041 	return;
3042 
3043 bailout:
3044 	xpt_done(ccb);
3045 
3046 }
3047 #endif //__FreeBSD_version >= 900026
3048 
3049 static void
3050 mpssas_action_resetdev(struct mpssas_softc *sassc, union ccb *ccb)
3051 {
3052 	MPI2_SCSI_TASK_MANAGE_REQUEST *req;
3053 	struct mps_softc *sc;
3054 	struct mps_command *tm;
3055 	struct mpssas_target *targ;
3056 
3057 	MPS_FUNCTRACE(sassc->sc);
3058 	mtx_assert(&sassc->sc->mps_mtx, MA_OWNED);
3059 
3060 	KASSERT(ccb->ccb_h.target_id < sassc->maxtargets,
3061 	    ("Target %d out of bounds in XPT_RESET_DEV\n",
3062 	     ccb->ccb_h.target_id));
3063 	sc = sassc->sc;
3064 	tm = mps_alloc_command(sc);
3065 	if (tm == NULL) {
3066 		mps_dprint(sc, MPS_ERROR,
3067 		    "command alloc failure in mpssas_action_resetdev\n");
3068 		mpssas_set_ccbstatus(ccb, CAM_RESRC_UNAVAIL);
3069 		xpt_done(ccb);
3070 		return;
3071 	}
3072 
3073 	targ = &sassc->targets[ccb->ccb_h.target_id];
3074 	req = (MPI2_SCSI_TASK_MANAGE_REQUEST *)tm->cm_req;
3075 	req->DevHandle = htole16(targ->handle);
3076 	req->Function = MPI2_FUNCTION_SCSI_TASK_MGMT;
3077 	req->TaskType = MPI2_SCSITASKMGMT_TASKTYPE_TARGET_RESET;
3078 
3079 	/* SAS Hard Link Reset / SATA Link Reset */
3080 	req->MsgFlags = MPI2_SCSITASKMGMT_MSGFLAGS_LINK_RESET;
3081 
3082 	tm->cm_data = NULL;
3083 	tm->cm_desc.HighPriority.RequestFlags = MPI2_REQ_DESCRIPT_FLAGS_HIGH_PRIORITY;
3084 	tm->cm_complete = mpssas_resetdev_complete;
3085 	tm->cm_complete_data = ccb;
3086 	tm->cm_targ = targ;
3087 	targ->flags |= MPSSAS_TARGET_INRESET;
3088 
3089 	mps_map_command(sc, tm);
3090 }
3091 
3092 static void
3093 mpssas_resetdev_complete(struct mps_softc *sc, struct mps_command *tm)
3094 {
3095 	MPI2_SCSI_TASK_MANAGE_REPLY *resp;
3096 	union ccb *ccb;
3097 
3098 	MPS_FUNCTRACE(sc);
3099 	mtx_assert(&sc->mps_mtx, MA_OWNED);
3100 
3101 	resp = (MPI2_SCSI_TASK_MANAGE_REPLY *)tm->cm_reply;
3102 	ccb = tm->cm_complete_data;
3103 
3104 	/*
3105 	 * Currently there should be no way we can hit this case.  It only
3106 	 * happens when we have a failure to allocate chain frames, and
3107 	 * task management commands don't have S/G lists.
3108 	 */
3109 	if ((tm->cm_flags & MPS_CM_FLAGS_ERROR_MASK) != 0) {
3110 		MPI2_SCSI_TASK_MANAGE_REQUEST *req;
3111 
3112 		req = (MPI2_SCSI_TASK_MANAGE_REQUEST *)tm->cm_req;
3113 
3114 		mps_dprint(sc, MPS_ERROR,
3115 			   "%s: cm_flags = %#x for reset of handle %#04x! "
3116 			   "This should not happen!\n", __func__, tm->cm_flags,
3117 			   req->DevHandle);
3118 		mpssas_set_ccbstatus(ccb, CAM_REQ_CMP_ERR);
3119 		goto bailout;
3120 	}
3121 
3122 	mps_dprint(sc, MPS_XINFO,
3123 	    "%s: IOCStatus = 0x%x ResponseCode = 0x%x\n", __func__,
3124 	    le16toh(resp->IOCStatus), le32toh(resp->ResponseCode));
3125 
3126 	if (le32toh(resp->ResponseCode) == MPI2_SCSITASKMGMT_RSP_TM_COMPLETE) {
3127 		mpssas_set_ccbstatus(ccb, CAM_REQ_CMP);
3128 		mpssas_announce_reset(sc, AC_SENT_BDR, tm->cm_targ->tid,
3129 		    CAM_LUN_WILDCARD);
3130 	}
3131 	else
3132 		mpssas_set_ccbstatus(ccb, CAM_REQ_CMP_ERR);
3133 
3134 bailout:
3135 
3136 	mpssas_free_tm(sc, tm);
3137 	xpt_done(ccb);
3138 }
3139 
3140 static void
3141 mpssas_poll(struct cam_sim *sim)
3142 {
3143 	struct mpssas_softc *sassc;
3144 
3145 	sassc = cam_sim_softc(sim);
3146 
3147 	if (sassc->sc->mps_debug & MPS_TRACE) {
3148 		/* frequent debug messages during a panic just slow
3149 		 * everything down too much.
3150 		 */
3151 		mps_printf(sassc->sc, "%s clearing MPS_TRACE\n", __func__);
3152 		sassc->sc->mps_debug &= ~MPS_TRACE;
3153 	}
3154 
3155 	mps_intr_locked(sassc->sc);
3156 }
3157 
3158 static void
3159 mpssas_async(void *callback_arg, uint32_t code, struct cam_path *path,
3160 	     void *arg)
3161 {
3162 	struct mps_softc *sc;
3163 
3164 	sc = (struct mps_softc *)callback_arg;
3165 
3166 	switch (code) {
3167 #if (__FreeBSD_version >= 1000006) || \
3168     ((__FreeBSD_version >= 901503) && (__FreeBSD_version < 1000000))
3169 	case AC_ADVINFO_CHANGED: {
3170 		struct mpssas_target *target;
3171 		struct mpssas_softc *sassc;
3172 		struct scsi_read_capacity_data_long rcap_buf;
3173 		struct ccb_dev_advinfo cdai;
3174 		struct mpssas_lun *lun;
3175 		lun_id_t lunid;
3176 		int found_lun;
3177 		uintptr_t buftype;
3178 
3179 		buftype = (uintptr_t)arg;
3180 
3181 		found_lun = 0;
3182 		sassc = sc->sassc;
3183 
3184 		/*
3185 		 * We're only interested in read capacity data changes.
3186 		 */
3187 		if (buftype != CDAI_TYPE_RCAPLONG)
3188 			break;
3189 
3190 		/*
3191 		 * We should have a handle for this, but check to make sure.
3192 		 */
3193 		KASSERT(xpt_path_target_id(path) < sassc->maxtargets,
3194 		    ("Target %d out of bounds in mpssas_async\n",
3195 		    xpt_path_target_id(path)));
3196 		target = &sassc->targets[xpt_path_target_id(path)];
3197 		if (target->handle == 0)
3198 			break;
3199 
3200 		lunid = xpt_path_lun_id(path);
3201 
3202 		SLIST_FOREACH(lun, &target->luns, lun_link) {
3203 			if (lun->lun_id == lunid) {
3204 				found_lun = 1;
3205 				break;
3206 			}
3207 		}
3208 
3209 		if (found_lun == 0) {
3210 			lun = malloc(sizeof(struct mpssas_lun), M_MPT2,
3211 				     M_NOWAIT | M_ZERO);
3212 			if (lun == NULL) {
3213 				mps_dprint(sc, MPS_ERROR, "Unable to alloc "
3214 					   "LUN for EEDP support.\n");
3215 				break;
3216 			}
3217 			lun->lun_id = lunid;
3218 			SLIST_INSERT_HEAD(&target->luns, lun, lun_link);
3219 		}
3220 
3221 		bzero(&rcap_buf, sizeof(rcap_buf));
3222 		xpt_setup_ccb(&cdai.ccb_h, path, CAM_PRIORITY_NORMAL);
3223 		cdai.ccb_h.func_code = XPT_DEV_ADVINFO;
3224 		cdai.ccb_h.flags = CAM_DIR_IN;
3225 		cdai.buftype = CDAI_TYPE_RCAPLONG;
3226 #if (__FreeBSD_version >= 1100061) || \
3227     ((__FreeBSD_version >= 1001510) && (__FreeBSD_version < 1100000))
3228 		cdai.flags = CDAI_FLAG_NONE;
3229 #else
3230 		cdai.flags = 0;
3231 #endif
3232 		cdai.bufsiz = sizeof(rcap_buf);
3233 		cdai.buf = (uint8_t *)&rcap_buf;
3234 		xpt_action((union ccb *)&cdai);
3235 		if ((cdai.ccb_h.status & CAM_DEV_QFRZN) != 0)
3236 			cam_release_devq(cdai.ccb_h.path,
3237 					 0, 0, 0, FALSE);
3238 
3239 		if ((mpssas_get_ccbstatus((union ccb *)&cdai) == CAM_REQ_CMP)
3240 		 && (rcap_buf.prot & SRC16_PROT_EN)) {
3241 			lun->eedp_formatted = TRUE;
3242 			lun->eedp_block_size = scsi_4btoul(rcap_buf.length);
3243 		} else {
3244 			lun->eedp_formatted = FALSE;
3245 			lun->eedp_block_size = 0;
3246 		}
3247 		break;
3248 	}
3249 #else
3250 	case AC_FOUND_DEVICE: {
3251 		struct ccb_getdev *cgd;
3252 
3253 		cgd = arg;
3254 		mpssas_check_eedp(sc, path, cgd);
3255 		break;
3256 	}
3257 #endif
3258 	default:
3259 		break;
3260 	}
3261 }
3262 
3263 #if (__FreeBSD_version < 901503) || \
3264     ((__FreeBSD_version >= 1000000) && (__FreeBSD_version < 1000006))
3265 static void
3266 mpssas_check_eedp(struct mps_softc *sc, struct cam_path *path,
3267 		  struct ccb_getdev *cgd)
3268 {
3269 	struct mpssas_softc *sassc = sc->sassc;
3270 	struct ccb_scsiio *csio;
3271 	struct scsi_read_capacity_16 *scsi_cmd;
3272 	struct scsi_read_capacity_eedp *rcap_buf;
3273 	path_id_t pathid;
3274 	target_id_t targetid;
3275 	lun_id_t lunid;
3276 	union ccb *ccb;
3277 	struct cam_path *local_path;
3278 	struct mpssas_target *target;
3279 	struct mpssas_lun *lun;
3280 	uint8_t	found_lun;
3281 	char path_str[64];
3282 
3283 	sassc = sc->sassc;
3284 	pathid = cam_sim_path(sassc->sim);
3285 	targetid = xpt_path_target_id(path);
3286 	lunid = xpt_path_lun_id(path);
3287 
3288 	KASSERT(targetid < sassc->maxtargets,
3289 	    ("Target %d out of bounds in mpssas_check_eedp\n",
3290 	     targetid));
3291 	target = &sassc->targets[targetid];
3292 	if (target->handle == 0x0)
3293 		return;
3294 
3295 	/*
3296 	 * Determine if the device is EEDP capable.
3297 	 *
3298 	 * If this flag is set in the inquiry data,
3299 	 * the device supports protection information,
3300 	 * and must support the 16 byte read
3301 	 * capacity command, otherwise continue without
3302 	 * sending read cap 16
3303 	 */
3304 	if ((cgd->inq_data.spc3_flags & SPC3_SID_PROTECT) == 0)
3305 		return;
3306 
3307 	/*
3308 	 * Issue a READ CAPACITY 16 command.  This info
3309 	 * is used to determine if the LUN is formatted
3310 	 * for EEDP support.
3311 	 */
3312 	ccb = xpt_alloc_ccb_nowait();
3313 	if (ccb == NULL) {
3314 		mps_dprint(sc, MPS_ERROR, "Unable to alloc CCB "
3315 		    "for EEDP support.\n");
3316 		return;
3317 	}
3318 
3319 	if (xpt_create_path(&local_path, xpt_periph,
3320 	    pathid, targetid, lunid) != CAM_REQ_CMP) {
3321 		mps_dprint(sc, MPS_ERROR, "Unable to create "
3322 		    "path for EEDP support\n");
3323 		xpt_free_ccb(ccb);
3324 		return;
3325 	}
3326 
3327 	/*
3328 	 * If LUN is already in list, don't create a new
3329 	 * one.
3330 	 */
3331 	found_lun = FALSE;
3332 	SLIST_FOREACH(lun, &target->luns, lun_link) {
3333 		if (lun->lun_id == lunid) {
3334 			found_lun = TRUE;
3335 			break;
3336 		}
3337 	}
3338 	if (!found_lun) {
3339 		lun = malloc(sizeof(struct mpssas_lun), M_MPT2,
3340 		    M_NOWAIT | M_ZERO);
3341 		if (lun == NULL) {
3342 			mps_dprint(sc, MPS_ERROR,
3343 			    "Unable to alloc LUN for EEDP support.\n");
3344 			xpt_free_path(local_path);
3345 			xpt_free_ccb(ccb);
3346 			return;
3347 		}
3348 		lun->lun_id = lunid;
3349 		SLIST_INSERT_HEAD(&target->luns, lun,
3350 		    lun_link);
3351 	}
3352 
3353 	xpt_path_string(local_path, path_str, sizeof(path_str));
3354 
3355 	mps_dprint(sc, MPS_INFO, "Sending read cap: path %s handle %d\n",
3356 	    path_str, target->handle);
3357 
3358 	/*
3359 	 * Issue a READ CAPACITY 16 command for the LUN.
3360 	 * The mpssas_read_cap_done function will load
3361 	 * the read cap info into the LUN struct.
3362 	 */
3363 	rcap_buf = malloc(sizeof(struct scsi_read_capacity_eedp),
3364 	    M_MPT2, M_NOWAIT | M_ZERO);
3365 	if (rcap_buf == NULL) {
3366 		mps_dprint(sc, MPS_FAULT,
3367 		    "Unable to alloc read capacity buffer for EEDP support.\n");
3368 		xpt_free_path(ccb->ccb_h.path);
3369 		xpt_free_ccb(ccb);
3370 		return;
3371 	}
3372 	xpt_setup_ccb(&ccb->ccb_h, local_path, CAM_PRIORITY_XPT);
3373 	csio = &ccb->csio;
3374 	csio->ccb_h.func_code = XPT_SCSI_IO;
3375 	csio->ccb_h.flags = CAM_DIR_IN;
3376 	csio->ccb_h.retry_count = 4;
3377 	csio->ccb_h.cbfcnp = mpssas_read_cap_done;
3378 	csio->ccb_h.timeout = 60000;
3379 	csio->data_ptr = (uint8_t *)rcap_buf;
3380 	csio->dxfer_len = sizeof(struct scsi_read_capacity_eedp);
3381 	csio->sense_len = MPS_SENSE_LEN;
3382 	csio->cdb_len = sizeof(*scsi_cmd);
3383 	csio->tag_action = MSG_SIMPLE_Q_TAG;
3384 
3385 	scsi_cmd = (struct scsi_read_capacity_16 *)&csio->cdb_io.cdb_bytes;
3386 	bzero(scsi_cmd, sizeof(*scsi_cmd));
3387 	scsi_cmd->opcode = 0x9E;
3388 	scsi_cmd->service_action = SRC16_SERVICE_ACTION;
3389 	((uint8_t *)scsi_cmd)[13] = sizeof(struct scsi_read_capacity_eedp);
3390 
3391 	ccb->ccb_h.ppriv_ptr1 = sassc;
3392 	xpt_action(ccb);
3393 }
3394 
3395 static void
3396 mpssas_read_cap_done(struct cam_periph *periph, union ccb *done_ccb)
3397 {
3398 	struct mpssas_softc *sassc;
3399 	struct mpssas_target *target;
3400 	struct mpssas_lun *lun;
3401 	struct scsi_read_capacity_eedp *rcap_buf;
3402 
3403 	if (done_ccb == NULL)
3404 		return;
3405 
3406 	/* Driver need to release devq, it Scsi command is
3407 	 * generated by driver internally.
3408 	 * Currently there is a single place where driver
3409 	 * calls scsi command internally. In future if driver
3410 	 * calls more scsi command internally, it needs to release
3411 	 * devq internally, since those command will not go back to
3412 	 * cam_periph.
3413 	 */
3414 	if ((done_ccb->ccb_h.status & CAM_DEV_QFRZN) ) {
3415         	done_ccb->ccb_h.status &= ~CAM_DEV_QFRZN;
3416 		xpt_release_devq(done_ccb->ccb_h.path,
3417 			       	/*count*/ 1, /*run_queue*/TRUE);
3418 	}
3419 
3420 	rcap_buf = (struct scsi_read_capacity_eedp *)done_ccb->csio.data_ptr;
3421 
3422 	/*
3423 	 * Get the LUN ID for the path and look it up in the LUN list for the
3424 	 * target.
3425 	 */
3426 	sassc = (struct mpssas_softc *)done_ccb->ccb_h.ppriv_ptr1;
3427 	KASSERT(done_ccb->ccb_h.target_id < sassc->maxtargets,
3428 	    ("Target %d out of bounds in mpssas_read_cap_done\n",
3429 	     done_ccb->ccb_h.target_id));
3430 	target = &sassc->targets[done_ccb->ccb_h.target_id];
3431 	SLIST_FOREACH(lun, &target->luns, lun_link) {
3432 		if (lun->lun_id != done_ccb->ccb_h.target_lun)
3433 			continue;
3434 
3435 		/*
3436 		 * Got the LUN in the target's LUN list.  Fill it in
3437 		 * with EEDP info.  If the READ CAP 16 command had some
3438 		 * SCSI error (common if command is not supported), mark
3439 		 * the lun as not supporting EEDP and set the block size
3440 		 * to 0.
3441 		 */
3442 		if ((mpssas_get_ccbstatus(done_ccb) != CAM_REQ_CMP)
3443 		 || (done_ccb->csio.scsi_status != SCSI_STATUS_OK)) {
3444 			lun->eedp_formatted = FALSE;
3445 			lun->eedp_block_size = 0;
3446 			break;
3447 		}
3448 
3449 		if (rcap_buf->protect & 0x01) {
3450 			mps_dprint(sassc->sc, MPS_INFO, "LUN %d for "
3451  			    "target ID %d is formatted for EEDP "
3452  			    "support.\n", done_ccb->ccb_h.target_lun,
3453  			    done_ccb->ccb_h.target_id);
3454 			lun->eedp_formatted = TRUE;
3455 			lun->eedp_block_size = scsi_4btoul(rcap_buf->length);
3456 		}
3457 		break;
3458 	}
3459 
3460 	// Finished with this CCB and path.
3461 	free(rcap_buf, M_MPT2);
3462 	xpt_free_path(done_ccb->ccb_h.path);
3463 	xpt_free_ccb(done_ccb);
3464 }
3465 #endif /* (__FreeBSD_version < 901503) || \
3466           ((__FreeBSD_version >= 1000000) && (__FreeBSD_version < 1000006)) */
3467 
3468 void
3469 mpssas_prepare_for_tm(struct mps_softc *sc, struct mps_command *tm,
3470     struct mpssas_target *target, lun_id_t lun_id)
3471 {
3472 	union ccb *ccb;
3473 	path_id_t path_id;
3474 
3475 	/*
3476 	 * Set the INRESET flag for this target so that no I/O will be sent to
3477 	 * the target until the reset has completed.  If an I/O request does
3478 	 * happen, the devq will be frozen.  The CCB holds the path which is
3479 	 * used to release the devq.  The devq is released and the CCB is freed
3480 	 * when the TM completes.
3481 	 */
3482 	ccb = xpt_alloc_ccb_nowait();
3483 	if (ccb) {
3484 		path_id = cam_sim_path(sc->sassc->sim);
3485 		if (xpt_create_path(&ccb->ccb_h.path, xpt_periph, path_id,
3486 		    target->tid, lun_id) != CAM_REQ_CMP) {
3487 			xpt_free_ccb(ccb);
3488 		} else {
3489 			tm->cm_ccb = ccb;
3490 			tm->cm_targ = target;
3491 			target->flags |= MPSSAS_TARGET_INRESET;
3492 		}
3493 	}
3494 }
3495 
3496 int
3497 mpssas_startup(struct mps_softc *sc)
3498 {
3499 
3500 	/*
3501 	 * Send the port enable message and set the wait_for_port_enable flag.
3502 	 * This flag helps to keep the simq frozen until all discovery events
3503 	 * are processed.
3504 	 */
3505 	sc->wait_for_port_enable = 1;
3506 	mpssas_send_portenable(sc);
3507 	return (0);
3508 }
3509 
3510 static int
3511 mpssas_send_portenable(struct mps_softc *sc)
3512 {
3513 	MPI2_PORT_ENABLE_REQUEST *request;
3514 	struct mps_command *cm;
3515 
3516 	MPS_FUNCTRACE(sc);
3517 
3518 	if ((cm = mps_alloc_command(sc)) == NULL)
3519 		return (EBUSY);
3520 	request = (MPI2_PORT_ENABLE_REQUEST *)cm->cm_req;
3521 	request->Function = MPI2_FUNCTION_PORT_ENABLE;
3522 	request->MsgFlags = 0;
3523 	request->VP_ID = 0;
3524 	cm->cm_desc.Default.RequestFlags = MPI2_REQ_DESCRIPT_FLAGS_DEFAULT_TYPE;
3525 	cm->cm_complete = mpssas_portenable_complete;
3526 	cm->cm_data = NULL;
3527 	cm->cm_sge = NULL;
3528 
3529 	mps_map_command(sc, cm);
3530 	mps_dprint(sc, MPS_XINFO,
3531 	    "mps_send_portenable finished cm %p req %p complete %p\n",
3532 	    cm, cm->cm_req, cm->cm_complete);
3533 	return (0);
3534 }
3535 
3536 static void
3537 mpssas_portenable_complete(struct mps_softc *sc, struct mps_command *cm)
3538 {
3539 	MPI2_PORT_ENABLE_REPLY *reply;
3540 	struct mpssas_softc *sassc;
3541 
3542 	MPS_FUNCTRACE(sc);
3543 	sassc = sc->sassc;
3544 
3545 	/*
3546 	 * Currently there should be no way we can hit this case.  It only
3547 	 * happens when we have a failure to allocate chain frames, and
3548 	 * port enable commands don't have S/G lists.
3549 	 */
3550 	if ((cm->cm_flags & MPS_CM_FLAGS_ERROR_MASK) != 0) {
3551 		mps_dprint(sc, MPS_ERROR, "%s: cm_flags = %#x for port enable! "
3552 			   "This should not happen!\n", __func__, cm->cm_flags);
3553 	}
3554 
3555 	reply = (MPI2_PORT_ENABLE_REPLY *)cm->cm_reply;
3556 	if (reply == NULL)
3557 		mps_dprint(sc, MPS_FAULT, "Portenable NULL reply\n");
3558 	else if (le16toh(reply->IOCStatus & MPI2_IOCSTATUS_MASK) !=
3559 	    MPI2_IOCSTATUS_SUCCESS)
3560 		mps_dprint(sc, MPS_FAULT, "Portenable failed\n");
3561 
3562 	mps_free_command(sc, cm);
3563 
3564 	/*
3565 	 * Get WarpDrive info after discovery is complete but before the scan
3566 	 * starts.  At this point, all devices are ready to be exposed to the
3567 	 * OS.  If devices should be hidden instead, take them out of the
3568 	 * 'targets' array before the scan.  The devinfo for a disk will have
3569 	 * some info and a volume's will be 0.  Use that to remove disks.
3570 	 */
3571 	mps_wd_config_pages(sc);
3572 
3573 	/*
3574 	 * Done waiting for port enable to complete.  Decrement the refcount.
3575 	 * If refcount is 0, discovery is complete and a rescan of the bus can
3576 	 * take place.  Since the simq was explicitly frozen before port
3577 	 * enable, it must be explicitly released here to keep the
3578 	 * freeze/release count in sync.
3579 	 */
3580 	sc->wait_for_port_enable = 0;
3581 	sc->port_enable_complete = 1;
3582 	wakeup(&sc->port_enable_complete);
3583 	mpssas_startup_decrement(sassc);
3584 }
3585 
3586 int
3587 mpssas_check_id(struct mpssas_softc *sassc, int id)
3588 {
3589 	struct mps_softc *sc = sassc->sc;
3590 	char *ids;
3591 	char *name;
3592 
3593 	ids = &sc->exclude_ids[0];
3594 	while((name = strsep(&ids, ",")) != NULL) {
3595 		if (name[0] == '\0')
3596 			continue;
3597 		if (strtol(name, NULL, 0) == (long)id)
3598 			return (1);
3599 	}
3600 
3601 	return (0);
3602 }
3603 
3604 void
3605 mpssas_realloc_targets(struct mps_softc *sc, int maxtargets)
3606 {
3607 	struct mpssas_softc *sassc;
3608 	struct mpssas_lun *lun, *lun_tmp;
3609 	struct mpssas_target *targ;
3610 	int i;
3611 
3612 	sassc = sc->sassc;
3613 	/*
3614 	 * The number of targets is based on IOC Facts, so free all of
3615 	 * the allocated LUNs for each target and then the target buffer
3616 	 * itself.
3617 	 */
3618 	for (i=0; i< maxtargets; i++) {
3619 		targ = &sassc->targets[i];
3620 		SLIST_FOREACH_SAFE(lun, &targ->luns, lun_link, lun_tmp) {
3621 			free(lun, M_MPT2);
3622 		}
3623 	}
3624 	free(sassc->targets, M_MPT2);
3625 
3626 	sassc->targets = malloc(sizeof(struct mpssas_target) * maxtargets,
3627 	    M_MPT2, M_WAITOK|M_ZERO);
3628 	if (!sassc->targets) {
3629 		panic("%s failed to alloc targets with error %d\n",
3630 		    __func__, ENOMEM);
3631 	}
3632 }
3633