1 /*        $NetBSD: dpti.c,v 1.51 2023/09/07 20:07:03 ad Exp $         */
2 
3 /*-
4  * Copyright (c) 2001, 2007, 2023 The NetBSD Foundation, Inc.
5  * All rights reserved.
6  *
7  * This code is derived from software contributed to The NetBSD Foundation
8  * by Andrew Doran.
9  *
10  * Redistribution and use in source and binary forms, with or without
11  * modification, are permitted provided that the following conditions
12  * are met:
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in the
17  *    documentation and/or other materials provided with the distribution.
18  *
19  * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
20  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
21  * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
22  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
23  * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
24  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
25  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
26  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
27  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29  * POSSIBILITY OF SUCH DAMAGE.
30  */
31 
32 /*
33  * Copyright (c) 1996-2000 Distributed Processing Technology Corporation
34  * Copyright (c) 2000 Adaptec Corporation
35  * All rights reserved.
36  *
37  * TERMS AND CONDITIONS OF USE
38  *
39  * Redistribution and use in source form, with or without modification, are
40  * permitted provided that redistributions of source code must retain the
41  * above copyright notice, this list of conditions and the following disclaimer.
42  *
43  * This software is provided `as is' by Adaptec and any express or implied
44  * warranties, including, but not limited to, the implied warranties of
45  * merchantability and fitness for a particular purpose, are disclaimed. In no
46  * event shall Adaptec be liable for any direct, indirect, incidental, special,
47  * exemplary or consequential damages (including, but not limited to,
48  * procurement of substitute goods or services; loss of use, data, or profits;
49  * or business interruptions) however caused and on any theory of liability,
50  * whether in contract, strict liability, or tort (including negligence or
51  * otherwise) arising in any way out of the use of this driver software, even
52  * if advised of the possibility of such damage.
53  */
54 
55 /*
56  * Adaptec/DPT I2O control interface.
57  */
58 
59 #include <sys/cdefs.h>
60 __KERNEL_RCSID(0, "$NetBSD: dpti.c,v 1.51 2023/09/07 20:07:03 ad Exp $");
61 
62 #include <sys/param.h>
63 #include <sys/systm.h>
64 #include <sys/kernel.h>
65 #include <sys/device.h>
66 #include <sys/queue.h>
67 #include <sys/proc.h>
68 #include <sys/endian.h>
69 #include <sys/kmem.h>
70 #include <sys/conf.h>
71 #include <sys/ioctl.h>
72 #include <sys/kauth.h>
73 
74 #include <sys/bus.h>
75 #ifdef __i386__
76 #include <machine/pio.h>
77 #include <machine/cputypes.h>
78 #endif
79 
80 #include <dev/i2o/i2o.h>
81 #include <dev/i2o/i2odpt.h>
82 #include <dev/i2o/iopio.h>
83 #include <dev/i2o/iopvar.h>
84 #include <dev/i2o/dptivar.h>
85 
86 #include "ioconf.h"
87 
/*
 * Debug tracing.  DPRINTF((fmt, ...)) takes a parenthesised printf
 * argument list and expands to nothing unless I2ODEBUG is defined, so the
 * rejection reasons logged through it are silent in a normal build.
 */
#ifdef I2ODEBUG
#define	DPRINTF(x)		printf x
#else
#define	DPRINTF(x)
#endif
93 
/*
 * Driver signature block.  dptiioctl() copies it to the caller for
 * DPT_SIGNATURE, and dpti_sysinfo() reads dsProcessorFamily from it on
 * i386.  dsDescription is filled in by dpti_attach().
 *
 * On architectures not listed below no dsProcessorFamily initialiser is
 * given, so that field keeps its zero default.
 */
static struct dpt_sig dpti_sig = {
	.dsSignature = { 'd', 'P', 't', 'S', 'i', 'G'},
	.dsSigVersion = SIG_VERSION,
#if defined(__i386__)
	.dsProcessorFamily = PROC_INTEL,
#elif defined(__powerpc__)
	.dsProcessorFamily = PROC_POWERPC,
#elif defined(__alpha__)
	.dsProcessorFamily = PROC_ALPHA,
#elif defined(__mips__)
	.dsProcessorFamily = PROC_MIPS,
#elif defined(__sparc64__)
	.dsProcessorFamily = PROC_ULTRASPARC,
#endif
#if defined(__i386__)
	.dsProcessor = PROC_386 | PROC_486 | PROC_PENTIUM | PROC_SEXIUM,
#else
	.dsProcessor = 0,
#endif
	.dsFiletype = FT_HBADRVR,
	.dsFiletypeFlags = 0,
	.dsOEM = OEM_DPT,
	.dsOS = (uint32_t)OS_FREE_BSD,		/* XXX */
	.dsCapabilities = CAP_ABOVE16MB,
	.dsDeviceSupp = DEV_ALL,
	.dsAdapterSupp = ADF_ALL_SC5,
	.dsApplication =  0,
	.dsRequirements = 0,
	.dsVersion = DPTI_VERSION,
	.dsRevision = DPTI_REVISION,
	.dsSubRevision = DPTI_SUBREVISION,
	.dsMonth = DPTI_MONTH,
	.dsDay = DPTI_DAY,
	.dsYear = DPTI_YEAR,
	.dsDescription = { '\0' },		/* Will be filled later */
};
130 
/*
 * Autoconfiguration entry points and the helpers behind the ioctl handler.
 * None of these are declared static in this file.
 */
void	dpti_attach(device_t, device_t, void *);
int	dpti_blinkled(struct dpti_softc *);
int	dpti_ctlrinfo(struct dpti_softc *, int, void *);
int	dpti_match(device_t, cfdata_t, void *);
int	dpti_passthrough(struct dpti_softc *, void *, struct proc *);
int	dpti_sysinfo(struct dpti_softc *, int, void *);

/* Character device entry points referenced from dpti_cdevsw. */
dev_type_open(dptiopen);
dev_type_ioctl(dptiioctl);
140 
/*
 * Character device switch.  Only open and ioctl are implemented; every
 * other entry is one of the stock no-op/unsupported handlers.
 *
 * The device is flagged D_MPSAFE; the only locking visible in this file is
 * dptiioctl() taking the parent IOP's sc_conflock around command dispatch.
 */
const struct cdevsw dpti_cdevsw = {
	.d_open = dptiopen,
	.d_close = nullclose,
	.d_read = noread,
	.d_write = nowrite,
	.d_ioctl = dptiioctl,
	.d_stop = nostop,
	.d_tty = notty,
	.d_poll = nopoll,
	.d_mmap = nommap,
	.d_kqfilter = nokqfilter,
	.d_discard = nodiscard,
	.d_flag = D_OTHER | D_MPSAFE,
};

/* Autoconfiguration glue: match/attach only, no detach or activate hook. */
CFATTACH_DECL_NEW(dpti, sizeof(struct dpti_softc),
    dpti_match, dpti_attach, NULL, NULL);
158 
/*
 * Autoconfiguration match routine.
 *
 * Returns 1 only when the attach arguments describe the IOP itself
 * (class I2O_CLASS_ANY, TID I2O_TID_IOP) and the parent IOP's status block
 * reports the DPT organisation ID; returns 0 otherwise.
 */
int
dpti_match(device_t parent, cfdata_t match, void *aux)
{
	struct iop_attach_args *args = aux;
	struct iop_softc *parent_iop = device_private(parent);

	if (args->ia_class == I2O_CLASS_ANY &&
	    args->ia_tid == I2O_TID_IOP &&
	    le16toh(parent_iop->sc_status.orgid) == I2O_ORG_DPT)
		return (1);

	return (0);
}
176 
/*
 * Autoconfiguration attach routine.
 *
 * Records the device handle in the softc, completes the description string
 * of the global signature block, and asks the IOP for its
 * I2O_DPT_PARAM_EXEC_IOP_BUFFERS parameter group in order to derive
 * sc_blinkled, the register offset that dpti_blinkled() reads.
 */
void
dpti_attach(device_t parent, device_t self, void *aux)
{
	/* Reply layout for the parameter-group read issued below. */
	struct {
		struct	i2o_param_op_results pr;
		struct	i2o_param_read_results prr;
		struct	i2o_dpt_param_exec_iop_buffers dib;
	} __packed reply;
	struct dpti_softc *sc = device_private(self);
	struct iop_softc *iop = device_private(parent);

	sc->sc_dev = self;

	/*
	 * Tell the world what we are.  The description in the signature
	 * must be no more than 46 bytes long (see dptivar.h); snprintf()
	 * bounds the write by the size of the destination field.
	 */
	printf(": DPT/Adaptec RAID management interface\n");
	snprintf(dpti_sig.dsDescription, sizeof(dpti_sig.dsDescription),
	    "NetBSD %s I2O OSM", osrelease);

	/*
	 * If the query fails, sc_blinkled is left as it was; nothing here
	 * records the failure for later callers of dpti_blinkled().
	 */
	if (iop_field_get_all(iop, I2O_TID_IOP,
	    I2O_DPT_PARAM_EXEC_IOP_BUFFERS, &reply, sizeof(reply), NULL) != 0)
		return;

	/*
	 * NOTE(review): the offset comes from the adapter's reply and is
	 * stored with no range check against the mapped register window;
	 * dpti_blinkled() later uses it as a bus_space offset.
	 */
	sc->sc_blinkled = le32toh(reply.dib.serialoutputoff) + 8;
}
209 
/*
 * Open entry point: succeeds (0) when a dpti instance exists for the minor
 * number, otherwise returns ENXIO.
 *
 * No credential check is made here; access to the control interface rests
 * on the device node's permissions, plus the kauth check dptiioctl() makes
 * for DPT_I2OUSRCMD.
 */
int
dptiopen(dev_t dev, int flag, int mode,
    struct lwp *l)
{

	return (device_lookup(&dpti_cd, minor(dev)) != NULL ? 0 : ENXIO);
}
220 
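/*
 * ioctl entry point for the DPT/Adaptec management interface.
 *
 * dev   - device number; the minor selects the dpti instance.
 * cmd   - ioctl command, either native or PTIOCLINUX wrapping a Linux one.
 * data  - native: kernel copy of the ioctl argument.  PTIOCLINUX: a
 *         struct ioctl_pt whose `data' member is the caller's own pointer.
 * flag  - unused.
 * l     - calling LWP; its credentials gate DPT_I2OUSRCMD.
 *
 * Returns 0 on success or an errno value (ENXIO, ENOTTY, EIO, EOPNOTSUPP,
 * or whatever the helper, copyout() or kauth returned).
 *
 * In the PTIOCLINUX case pt->data is passed on unmodified: the
 * DPT_I2OUSRCMD branch hands it straight to dpti_passthrough(), which
 * copyin()s from it.  It is therefore a user-space address and every
 * result written through it has to go through copyout(); a memcpy() or a
 * plain store would be an unchecked kernel write to a caller-chosen
 * address.
 */
int
dptiioctl(dev_t dev, u_long cmd, void *data, int flag, struct lwp *l)
{
	struct iop_softc *iop;
	struct dpti_softc *sc;
	struct ioctl_pt *pt;
	void *uaddr;
	int i, size, rv, from_linux;

	/* The unit may be gone even though open succeeded earlier. */
	sc = device_lookup_private(&dpti_cd, minor(dev));
	if (sc == NULL)
		return (ENXIO);
	iop = device_private(device_parent(sc->sc_dev));
	rv = 0;
	uaddr = NULL;

	if (cmd == PTIOCLINUX) {
		pt = (struct ioctl_pt *)data;
		size = IOCPARM_LEN(pt->com);
		cmd = pt->com & 0xffff;
		data = pt->data;
		uaddr = pt->data;
		from_linux = 1;
	} else {
		size = IOCPARM_LEN(cmd);
		cmd = cmd & 0xffff;
		from_linux = 0;
	}

	mutex_enter(&iop->sc_conflock);
	switch (cmd) {
	case DPT_SIGNATURE:
		/* Never copy more than the signature block holds. */
		if (size > sizeof(dpti_sig))
			size = sizeof(dpti_sig);
		if (from_linux)
			rv = copyout(&dpti_sig, data, size);
		else
			memcpy(data, &dpti_sig, size);
		break;

	case DPT_CTRLINFO:
		/*
		 * For PTIOCLINUX, pass size 0 and the address of a kernel
		 * variable holding the user pointer: that selects the
		 * helper's copyout() path, which writes the whole structure
		 * to *(void **)data instead of memcpy()ing to `data'.
		 */
		if (from_linux)
			rv = dpti_ctlrinfo(sc, 0, &uaddr);
		else
			rv = dpti_ctlrinfo(sc, size, data);
		break;

	case DPT_SYSINFO:
		/* Same indirection as DPT_CTRLINFO above. */
		if (from_linux)
			rv = dpti_sysinfo(sc, 0, &uaddr);
		else
			rv = dpti_sysinfo(sc, size, data);
		break;

	case DPT_BLINKLED:
		if ((i = dpti_blinkled(sc)) == -1)
			i = 0;

		if (from_linux) {
			/* `data' is the user pointer itself. */
			rv = copyout(&i, data, sizeof(i));
			break;
		}

		if (size == 0) {
			/* `data' holds the user pointer. */
			rv = copyout(&i, *(void **)data, sizeof(i));
			break;
		}

		*(int *)data = i;
		break;

	case DPT_TARGET_BUSY:
		/*
		 * XXX This is here to stop linux_machdepioctl() from
		 * whining about an unknown ioctl.
		 */
		rv = EIO;
		break;

	case DPT_I2OUSRCMD:
		/* Raw message passthrough is gated on the caller's creds. */
		rv = kauth_authorize_device_passthru(l->l_cred, dev,
		    KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_ALL, data);
		if (rv)
			break;

		if (from_linux) {
			rv = dpti_passthrough(sc, data, l->l_proc);
		} else {
			rv = dpti_passthrough(sc, *(void **)data, l->l_proc);
		}
		break;

	case DPT_I2ORESETCMD:
		printf("%s: I2ORESETCMD not implemented\n",
		    device_xname(sc->sc_dev));
		rv = EOPNOTSUPP;
		break;

	case DPT_I2ORESCANCMD:
		rv = iop_reconfigure(iop, 0);
		break;

	default:
		rv = ENOTTY;
		break;
	}
	mutex_exit(&iop->sc_conflock);

	return (rv);
}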
312 
/*
 * Read the adapter's blink-LED state.
 *
 * Reads one byte at register offset sc_blinkled; if it is the marker value
 * 0xbc, the byte at the next offset is returned.  Returns -1 when the
 * marker is absent.
 *
 * NOTE(review): sc_blinkled is used as a bus_space offset with no bounds
 * check in this function; see where dpti_attach() derives it.
 */
int
dpti_blinkled(struct dpti_softc *sc)
{
	struct iop_softc *iop = device_private(device_parent(sc->sc_dev));
	u_int marker, code;

	marker = bus_space_read_1(iop->sc_iot, iop->sc_ioh,
	    sc->sc_blinkled + 0);
	if (marker != 0xbc)
		return (-1);

	code = bus_space_read_1(iop->sc_iot, iop->sc_ioh,
	    sc->sc_blinkled + 1);
	return (code);
}
330 
/*
 * Build a struct dpt_ctlrinfo describing this controller and hand it to
 * the caller.
 *
 * sc   - softc of the dpti instance.
 * size - argument size taken from the ioctl command word.
 * data - when size > sizeof(char): destination buffer, written with
 *        memcpy() and truncated to `size'.  Otherwise: location holding a
 *        user pointer, to which the whole structure is copyout()ed.
 *
 * Returns 0, or the error from copyout().
 *
 * The memcpy() branch writes through `data' with no copyout(); callers
 * must pass a kernel buffer there, never a user address.
 */
int
dpti_ctlrinfo(struct dpti_softc *sc, int size, void *data)
{
	struct dpt_ctlrinfo info;
	struct iop_softc *iop;
	int blink;

	iop = device_private(device_parent(sc->sc_dev));

	/* Start from all-zero so unset fields and padding carry no stack data. */
	memset(&info, 0, sizeof(info));

	info.length = sizeof(info) - sizeof(u_int16_t);
	info.drvrHBAnum = device_unit(sc->sc_dev);
	info.baseAddr = iop->sc_memaddr;

	/* A missing blink code (-1) is reported as 0. */
	blink = dpti_blinkled(sc);
	info.blinkState = (blink == -1) ? 0 : blink;

	info.pciBusNum = iop->sc_pcibus;
	info.pciDeviceNum = iop->sc_pcidev;
	info.hbaFlags = FLG_OSD_PCI_VALID | FLG_OSD_DMA | FLG_OSD_I2O;
	info.Interrupt = 10;				/* XXX */

	if (size <= sizeof(char))
		return (copyout(&info, *(void **)data, sizeof(info)));

	memcpy(data, &info, uimin(sizeof(info), size));
	return (0);
}
361 
/*
 * Build a struct dpt_sysinfo describing the host and hand it to the caller.
 *
 * sc   - softc of the dpti instance (not referenced in the body).
 * size - argument size taken from the ioctl command word.
 * data - when size > sizeof(char): destination buffer, written with
 *        memcpy() and truncated to `size'.  Otherwise: location holding a
 *        user pointer, to which the whole structure is copyout()ed.
 *
 * Returns 0, or the error from copyout().
 *
 * The memcpy() branch writes through `data' with no copyout(); callers
 * must pass a kernel buffer there, never a user address.
 */
int
dpti_sysinfo(struct dpti_softc *sc, int size, void *data)
{
	struct dpt_sysinfo info;
	int rv;
#ifdef __i386__
	int i, j;
#endif

	/* Start from all-zero so unset fields and padding carry no stack data. */
	memset(&info, 0, sizeof(info));

#ifdef __i386__
	/*
	 * Each CMOS read below is an index write to port 0x70 followed by a
	 * data read from port 0x71, so the statement order matters.
	 *
	 * NOTE(review): nothing in this function serialises the index/data
	 * port pair against other users of those ports - confirm that is
	 * handled elsewhere.
	 */
	outb (0x70, 0x12);
	i = inb(0x71);
	/*
	 * High nibble of index 0x12 is reported as drive 0.
	 * NOTE(review): the test below compares the whole byte `i' with
	 * 0x0f, not the nibble `j' - looks like the nibble was intended;
	 * confirm before changing what is reported.
	 */
	j = i >> 4;
	if (i == 0x0f) {
		outb (0x70, 0x19);
		j = inb (0x71);
	}
	info.drive0CMOS = j;

	/* Low nibble is reported as drive 1; same whole-byte test as above. */
	j = i & 0x0f;
	if (i == 0x0f) {
		outb (0x70, 0x1a);
		j = inb (0x71);
	}
	info.drive1CMOS = j;
	info.processorFamily = dpti_sig.dsProcessorFamily;

	/*
	 * Get the conventional memory size from CMOS.
	 */
	outb(0x70, 0x16);
	j = inb(0x71);
	j <<= 8;
	outb(0x70, 0x15);
	j |= inb(0x71);
	info.conventionalMemSize = j;

	/*
	 * Get the extended memory size from CMOS.
	 */
	outb(0x70, 0x31);
	j = inb(0x71);
	j <<= 8;
	outb(0x70, 0x30);
	j |= inb(0x71);
	info.extendedMemSize = j;

	/* Anything newer than a 586 is reported as PROC_SEXIUM. */
	switch (cpu_class) {
	case CPUCLASS_386:
		info.processorType = PROC_386;
		break;
	case CPUCLASS_486:
		info.processorType = PROC_486;
		break;
	case CPUCLASS_586:
		info.processorType = PROC_PENTIUM;
		break;
	case CPUCLASS_686:
	default:
		info.processorType = PROC_SEXIUM;
		break;
	}

	info.flags = SI_CMOS_Valid | SI_BusTypeValid |
	    SI_MemorySizeValid | SI_NO_SmartROM;
#else
	/* No CMOS probing off i386: only the bus type is marked valid. */
	info.flags = SI_BusTypeValid | SI_NO_SmartROM;
#endif

	info.busType = SI_PCI_BUS;

	/*
	 * Copy out the info structure to the user.
	 */
	if (size > sizeof(char)) {
		memcpy(data, &info, uimin(sizeof(info), size));
		rv = 0;
	} else
		rv = copyout(&info, *(void **)data, sizeof(info));

	return (rv);
}
446 
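/*
 * Pass a caller-built I2O message frame through to the IOP and return the
 * reply.
 *
 * sc   - softc of the dpti instance.
 * data - user address of the message frame; the reply frame follows it
 *        immediately, at data + message size.
 * proc - process owning the buffers named in the scatter-gather list.
 *
 * Returns 0 on success, EIO when the adapter reports a non-zero blink
 * code, EINVAL for a malformed frame or scatter-gather list, EOPNOTSUPP
 * for the executive functions refused below, or the error from
 * copyin()/copyout()/iop_msg_map()/iop_msg_post().
 *
 * Everything read from `data' is untrusted.  Sizes are taken from the
 * header fetched first and every later use is bounded by them.
 */
int
dpti_passthrough(struct dpti_softc *sc, void *data, struct proc *proc)
{
	struct iop_softc *iop;
	struct i2o_msg mh, *mf;
	struct i2o_reply rh;
	struct iop_msg *im;
	struct dpti_ptbuf bufs[IOP_MAX_MSG_XFERS];
	u_int32_t mbtmp[IOP_MAX_MSG_SIZE / sizeof(u_int32_t)];
	u_int32_t rbtmp[IOP_MAX_MSG_SIZE / sizeof(u_int32_t)];
	int rv, msgsize, repsize, sgoff, i, mapped, nbuf, nfrag, j, sz;
	u_int32_t *p, *pmax;

	iop = device_private(device_parent(sc->sc_dev));
	im = NULL;

	/* Refuse to talk to an adapter that is signalling a fault code. */
	if ((rv = dpti_blinkled(sc)) != -1) {
		if (rv != 0) {
			aprint_error_dev(sc->sc_dev, "adapter blinkled = 0x%02x\n", rv);
			return (EIO);
		}
	}

	/*
	 * Copy in the message frame header and determine the size of the
	 * full message frame.
	 */
	if ((rv = copyin(data, &mh, sizeof(mh))) != 0) {
		DPRINTF(("%s: message copyin failed\n",
		    device_xname(sc->sc_dev)));
		return (rv);
	}

	msgsize = (mh.msgflags >> 14) & ~3;
	if (msgsize < sizeof(mh) || msgsize >= IOP_MAX_MSG_SIZE) {
		DPRINTF(("%s: bad message frame size\n",
		    device_xname(sc->sc_dev)));
		return (EINVAL);
	}

	/*
	 * Handle special commands.
	 */
	switch (mh.msgfunc >> 24) {
	case I2O_EXEC_IOP_RESET:
		printf("%s: I2O_EXEC_IOP_RESET not implemented\n",
		    device_xname(sc->sc_dev));
		return (EOPNOTSUPP);

	case I2O_EXEC_OUTBOUND_INIT:
		printf("%s: I2O_EXEC_OUTBOUND_INIT not implemented\n",
		    device_xname(sc->sc_dev));
		return (EOPNOTSUPP);

	case I2O_EXEC_SYS_TAB_SET:
		printf("%s: I2O_EXEC_SYS_TAB_SET not implemented\n",
		    device_xname(sc->sc_dev));
		return (EOPNOTSUPP);

	case I2O_EXEC_STATUS_GET:
		if ((rv = iop_status_get(iop, 0)) == 0)
			rv = copyout(&iop->sc_status, (char *)data + msgsize,
			    sizeof(iop->sc_status));
		return (rv);
	}

	/*
	 * Copy in the full message frame.
	 */
	if ((rv = copyin(data, mbtmp, msgsize)) != 0) {
		DPRINTF(("%s: full message copyin failed\n",
		    device_xname(sc->sc_dev)));
		return (rv);
	}

	/*
	 * The header is fetched from user memory twice: once into `mh',
	 * which the size and function checks above used, and again as the
	 * start of `mbtmp', which is what gets posted.  The caller can
	 * change its memory in between, so put the validated copy back
	 * over the start of the frame.  msgsize >= sizeof(mh) was checked
	 * above, so this stays inside the bytes just copied in.
	 */
	memcpy(mbtmp, &mh, sizeof(mh));

	/*
	 * Determine the size of the reply frame, and copy it in.
	 */
	if ((rv = copyin((char *)data + msgsize, &rh, sizeof(rh))) != 0) {
		DPRINTF(("%s: reply copyin failed\n",
		    device_xname(sc->sc_dev)));
		return (rv);
	}

	repsize = (rh.msgflags >> 14) & ~3;
	if (repsize < sizeof(rh) || repsize >= IOP_MAX_MSG_SIZE) {
		DPRINTF(("%s: bad reply header size\n",
		    device_xname(sc->sc_dev)));
		return (EINVAL);
	}

	if ((rv = copyin((char *)data + msgsize, rbtmp, repsize)) != 0) {
		DPRINTF(("%s: reply too large\n", device_xname(sc->sc_dev)));
		return (rv);
	}

	/*
	 * If the message has a scatter gather list, it must be comprised of
	 * simple elements.  If any one transfer contains multiple segments,
	 * we allocate a temporary buffer for it; otherwise, the buffer will
	 * be mapped directly.
	 *
	 * rv is 0 on entry to this section (the last copyin() succeeded),
	 * so every rejection below sets an error before jumping to the
	 * cleanup code; otherwise a malformed list would be reported to the
	 * caller as success.
	 */
	mapped = 0;
	if ((sgoff = ((mh.msgflags >> 4) & 15)) != 0) {
		if ((sgoff + 2) > (msgsize >> 2)) {
			DPRINTF(("%s: invalid message size fields\n",
			    device_xname(sc->sc_dev)));
			return (EINVAL);
		}

		memset(bufs, 0, sizeof(bufs));

		/* pmax is the last position where a 2-word element fits. */
		p = mbtmp + sgoff;
		pmax = mbtmp + (msgsize >> 2) - 2;

		for (nbuf = 0; nbuf < IOP_MAX_MSG_XFERS; nbuf++, p += 2) {
			if (p > pmax) {
				DPRINTF(("%s: invalid SGL (1)\n",
				    device_xname(sc->sc_dev)));
				rv = EINVAL;
				goto bad;
			}

			if ((p[0] & 0x30000000) != I2O_SGL_SIMPLE) {
				DPRINTF(("%s: invalid SGL (2)\n",
				    device_xname(sc->sc_dev)));
				rv = EINVAL;
				goto bad;
			}

			bufs[nbuf].db_out = (p[0] & I2O_SGL_DATA_OUT) != 0;
			bufs[nbuf].db_ptr = NULL;

			if ((p[0] & I2O_SGL_END_BUFFER) != 0) {
				if ((p[0] & 0x00ffffff) > IOP_MAX_XFER) {
					DPRINTF(("%s: buffer too large\n",
					    device_xname(sc->sc_dev)));
					rv = EINVAL;
					goto bad;
				}

				/*
				 * Single segment: keep the user address and
				 * owning process; db_proc != NULL marks the
				 * entry as "not a bounce buffer" for cleanup.
				 */
				// XXX: 32 bits
				bufs[nbuf].db_ptr = (void *)(intptr_t)p[1];
				bufs[nbuf].db_proc = proc;
				bufs[nbuf].db_size = p[0] & 0x00ffffff;

				if ((p[0] & I2O_SGL_END) != 0)
					break;

				continue;
			}

			/*
			 * The buffer has multiple segments.  Determine the
			 * total size.
			 */
			nfrag = 0;
			sz = 0;
			for (; p <= pmax; p += 2) {
				if (nfrag == DPTI_MAX_SEGS) {
					DPRINTF(("%s: too many segments\n",
					    device_xname(sc->sc_dev)));
					rv = EINVAL;
					goto bad;
				}

				bufs[nbuf].db_frags[nfrag].iov_len =
				    p[0] & 0x00ffffff;
				// XXX: 32 bits
				bufs[nbuf].db_frags[nfrag].iov_base =
				    (void *)(intptr_t)p[1];

				sz += p[0] & 0x00ffffff;
				nfrag++;

				if ((p[0] & I2O_SGL_END) != 0) {
					if ((p[0] & I2O_SGL_END_BUFFER) == 0) {
						DPRINTF((
						    "%s: invalid SGL (3)\n",
						    device_xname(sc->sc_dev)));
						rv = EINVAL;
						goto bad;
					}
					break;
				}
				if ((p[0] & I2O_SGL_END_BUFFER) != 0)
					break;
			}
			bufs[nbuf].db_nfrag = nfrag;

			if (p > pmax) {
				DPRINTF(("%s: invalid SGL (4)\n",
				    device_xname(sc->sc_dev)));
				rv = EINVAL;
				goto bad;
			}

			/*
			 * Segments may all have length zero; a zero-byte
			 * kmem allocation is not a valid request, so treat
			 * an empty bounce buffer like an oversized one.
			 */
			if (sz == 0 || sz > IOP_MAX_XFER) {
				DPRINTF(("%s: buffer too large\n",
				    device_xname(sc->sc_dev)));
				rv = EINVAL;
				goto bad;
			}

			bufs[nbuf].db_size = sz;
			bufs[nbuf].db_ptr = kmem_zalloc(sz, KM_SLEEP);

			/* Gather the user segments into the bounce buffer. */
			for (i = 0, sz = 0; i < bufs[nbuf].db_nfrag; i++) {
				rv = copyin(bufs[nbuf].db_frags[i].iov_base,
				    (char *)bufs[nbuf].db_ptr + sz,
				    bufs[nbuf].db_frags[i].iov_len);
				if (rv != 0) {
					DPRINTF(("%s: frag copyin\n",
					    device_xname(sc->sc_dev)));
					goto bad;
				}
				sz += bufs[nbuf].db_frags[i].iov_len;
			}

			if ((p[0] & I2O_SGL_END) != 0)
				break;
		}

		if (nbuf == IOP_MAX_MSG_XFERS) {
			DPRINTF(("%s: too many transfers\n",
			    device_xname(sc->sc_dev)));
			/*
			 * The cleanup loop walks bufs[0..nbuf] inclusive;
			 * step back to the last valid slot so it does not
			 * read one entry past the end of the array.
			 */
			nbuf = IOP_MAX_MSG_XFERS - 1;
			rv = EINVAL;
			goto bad;
		}
	} else
		nbuf = -1;

	/*
	 * Allocate a wrapper, and adjust the message header fields to
	 * indicate that no scatter-gather list is currently present.
	 */

	im = iop_msg_alloc(iop, IM_WAIT | IM_NOSTATUS);
	im->im_rb = (struct i2o_reply *)rbtmp;
	mf = (struct i2o_msg *)mbtmp;
	mf->msgictx = IOP_ICTX;
	mf->msgtctx = im->im_tctx;

	if (sgoff != 0)
		mf->msgflags = (mf->msgflags & 0xff0f) | (sgoff << 16);

	/*
	 * Map the data transfer(s).
	 */
	for (i = 0; i <= nbuf; i++) {
		rv = iop_msg_map(iop, im, mbtmp, bufs[i].db_ptr,
		    bufs[i].db_size, bufs[i].db_out, bufs[i].db_proc);
		if (rv != 0) {
			DPRINTF(("%s: msg_map failed, rv = %d\n",
			    device_xname(sc->sc_dev), rv));
			goto bad;
		}
		mapped = 1;
	}

	/*
	 * Start the command and sleep until it completes.
	 */
	if ((rv = iop_msg_post(iop, im, mbtmp, 5*60*1000)) != 0)
		goto bad;

	/*
	 * Copy out the reply frame.
	 */
	if ((rv = copyout(rbtmp, (char *)data + msgsize, repsize)) != 0) {
		DPRINTF(("%s: reply copyout() failed\n",
		    device_xname(sc->sc_dev)));
	}

 bad:
	/*
	 * Free resources and return to the caller.
	 */
	if (im != NULL) {
		if (mapped)
			iop_msg_unmap(iop, im);
		iop_msg_free(iop, im);
	}

	for (i = 0; i <= nbuf; i++) {
		/* Directly mapped user buffers own no kernel memory. */
		if (bufs[i].db_proc != NULL)
			continue;

		/*
		 * Scatter a bounce buffer back to the user segments only on
		 * success, only for device-to-host transfers, and only if
		 * the buffer was actually allocated.
		 */
		if (!bufs[i].db_out && rv == 0 && bufs[i].db_ptr != NULL) {
			for (j = 0, sz = 0; j < bufs[i].db_nfrag; j++) {
				rv = copyout((char *)bufs[i].db_ptr + sz,
				    bufs[i].db_frags[j].iov_base,
				    bufs[i].db_frags[j].iov_len);
				if (rv != 0)
					break;
				sz += bufs[i].db_frags[j].iov_len;
			}
		}

		if (bufs[i].db_ptr != NULL)
			kmem_free(bufs[i].db_ptr, bufs[i].db_size);
	}

	return (rv);
}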
744