Index: sys/cam/cam_ccb.h =================================================================== --- sys/cam/cam_ccb.h +++ sys/cam/cam_ccb.h @@ -723,6 +723,13 @@ u_int init_id; /* initiator id of who selected */ }; +static __inline uint8_t * +scsiio_cdb_ptr(struct ccb_scsiio *ccb) +{ + return ((ccb->ccb_h.flags & CAM_CDB_POINTER) ? + ccb->cdb_io.cdb_ptr : ccb->cdb_io.cdb_bytes); +} + /* * ATA I/O Request CCB used for the XPT_ATA_IO function code. */ Index: sys/dev/arcmsr/arcmsr.c =================================================================== --- sys/dev/arcmsr/arcmsr.c +++ sys/dev/arcmsr/arcmsr.c @@ -872,7 +872,7 @@ ARCMSR_LOCK_ACQUIRE(&acb->isr_lock); if(srb->srb_state == ARCMSR_SRB_START) { - cmd = srb->pccb->csio.cdb_io.cdb_bytes[0]; + cmd = scsiio_cdb_ptr(&srb->pccb->csio)[0]; srb->srb_state = ARCMSR_SRB_TIMEOUT; srb->pccb->ccb_h.status |= CAM_CMD_TIMEOUT; arcmsr_srb_complete(srb, 1); @@ -997,7 +997,7 @@ arcmsr_cdb->LUN = pccb->ccb_h.target_lun; arcmsr_cdb->Function = 1; arcmsr_cdb->CdbLength = (u_int8_t)pcsio->cdb_len; - bcopy(pcsio->cdb_io.cdb_bytes, arcmsr_cdb->Cdb, pcsio->cdb_len); + bcopy(scsiio_cdb_ptr(pcsio), arcmsr_cdb->Cdb, pcsio->cdb_len); if(nseg != 0) { struct AdapterControlBlock *acb = srb->acb; bus_dmasync_op_t op; @@ -2453,10 +2453,11 @@ struct CMD_MESSAGE_FIELD *pcmdmessagefld; int retvalue = 0, transfer_len = 0; char *buffer; - u_int32_t controlcode = (u_int32_t ) pccb->csio.cdb_io.cdb_bytes[5] << 24 | - (u_int32_t ) pccb->csio.cdb_io.cdb_bytes[6] << 16 | - (u_int32_t ) pccb->csio.cdb_io.cdb_bytes[7] << 8 | - (u_int32_t ) pccb->csio.cdb_io.cdb_bytes[8]; + uint8_t *ptr = scsiio_cdb_ptr(&pccb->csio); + u_int32_t controlcode = (u_int32_t ) ptr[5] << 24 | + (u_int32_t ) ptr[6] << 16 | + (u_int32_t ) ptr[7] << 8 | + (u_int32_t ) ptr[8]; /* 4 bytes: Areca io control code */ if ((pccb->ccb_h.flags & CAM_DATA_MASK) == CAM_DATA_VADDR) { buffer = pccb->csio.data_ptr; 
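Review bot: scsiio_cdb_ptr() carries no comment stating when its result may be dereferenced, which is why every driver touched by this commit has to add its own CAM_CDB_PHYS rejection before using it. A header comment above the definition such as `/* Pointer to the CDB: cdb_ptr when CAM_CDB_POINTER is set, otherwise the inline cdb_bytes. When CAM_CDB_PHYS is also set the value is not a virtual address and must not be dereferenced; callers that cannot handle that case must reject the CCB first. */` would make that contract visible to the next caller. The helper reads only ccb_h.flags and the two cdb_io members, so it is not the place to enforce the check itself.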
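Review bot: The bcopy on the changed line copies pcsio->cdb_len bytes from a CDB that may now live outside the CCB into the Cdb member of arcmsr_cdb (presumably a fixed-size array), and no comparison of cdb_len against that member's size is visible in the hunk. The inline-CDB form at least tied the source to the size of cdb_bytes; the pointer form removes that implicit bound. If it is not enforced earlier in the function (its start is outside the hunk), a rejection such as `if (pcsio->cdb_len > sizeof(arcmsr_cdb->Cdb)) { /* CAM_REQ_INVALID */ }` before the copy would bound the write.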
@@ -2683,7 +2684,7 @@ if(acb->devstate[target][lun] == ARECA_RAID_GONE) { u_int8_t block_cmd, cmd; - cmd = pccb->csio.cdb_io.cdb_bytes[0]; + cmd = scsiio_cdb_ptr(&pccb->csio)[0]; block_cmd = cmd & 0x0f; if(block_cmd == 0x08 || block_cmd == 0x0a) { printf("arcmsr%d:block 'read/write' command " @@ -2800,7 +2801,7 @@ return; } pccb->ccb_h.status |= CAM_REQ_CMP; - switch (pccb->csio.cdb_io.cdb_bytes[0]) { + switch (scsiio_cdb_ptr(&pccb->csio)[0]) { case INQUIRY: { unsigned char inqdata[36]; char *buffer = pccb->csio.data_ptr; @@ -2853,6 +2854,12 @@ int target = pccb->ccb_h.target_id; int error; + if (pccb->ccb_h.flags & CAM_CDB_PHYS) { + pccb->ccb_h.status = CAM_REQ_INVALID; + xpt_done(pccb); + return; + } + if(target == 16) { /* virtual device for iop message transfer */ arcmsr_handle_virtual_command(acb, pccb); Index: sys/dev/iir/iir.c =================================================================== --- sys/dev/iir/iir.c +++ sys/dev/iir/iir.c @@ -744,9 +744,9 @@ ccb->ccb_h.flags)); csio = &ccb->csio; ccbh = &ccb->ccb_h; - cmd = csio->cdb_io.cdb_bytes[0]; - /* Max CDB length is 12 bytes */ - if (csio->cdb_len > 12) { + cmd = scsiio_cdb_ptr(csio); + /* Max CDB length is 12 bytes, can't be phys addr */ + if (csio->cdb_len > 12 || (cdbh->flags & CAM_CDB_PHYS)) { ccbh->status = CAM_REQ_INVALID; --gdt_stat.io_count_act; xpt_done(ccb); Index: sys/dev/isci/isci_controller.c =================================================================== --- sys/dev/isci/isci_controller.c +++ sys/dev/isci/isci_controller.c @@ -740,6 +740,12 @@ } break; case XPT_SCSI_IO: + if ((ccb->ccb_h.flags & CAM_CDB_POINTER) && + (ccb->ccb_h.flags & CAM_CDB_PHYS)) { + ccb->ccb_h.status = CAM_REQ_INVALID; + xpt_done(ccb); + break; + } isci_io_request_execute_scsi_io(ccb, controller); break; #if __FreeBSD_version >= 900026 @@ -802,6 +808,7 @@ { struct ISCI_REMOTE_DEVICE *dev; struct ccb_hdr *ccb_h; + uint8_t *ptr; int dev_idx; KASSERT(mtx_owned(&controller->lock), ("controller lock not owned")); 
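Review bot: The rejection added before the target == 16 test checks CAM_CDB_PHYS alone, while the isci_controller.c and ncr.c hunks in this commit check `CAM_CDB_POINTER` together with `CAM_CDB_PHYS`; the iir.c and vpo.c checks follow the arcmsr form. If CAM_CDB_PHYS is only meaningful when CAM_CDB_POINTER is set, the single-flag form rejects a CCB with an inline CDB and a stale PHYS bit that the driver could have served; if PHYS can never be set without POINTER the two forms are equivalent and only the style differs. Either way one form for all five drivers, e.g. `if ((pccb->ccb_h.flags & (CAM_CDB_POINTER | CAM_CDB_PHYS)) == (CAM_CDB_POINTER | CAM_CDB_PHYS)) {` here, keeps the check reviewable. The enclosing function starts outside the hunk.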
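Review bot: The new `cmd = scsiio_cdb_ptr(csio);` drops the `[0]` the replaced line had, so cmd now receives a pointer instead of the opcode byte, and the added condition references `cdbh`, which is not declared here — the header pointer set two lines above is `ccbh` — so this hunk will not compile as written. The two lines should read `cmd = scsiio_cdb_ptr(csio)[0];` and `if (csio->cdb_len > 12 || (ccbh->flags & CAM_CDB_PHYS)) {`. The rest of the function lies outside the hunk.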
@@ -821,8 +828,8 @@ if (ccb_h == NULL) continue; - isci_log_message(1, "ISCI", "release %p %x\n", ccb_h, - ((union ccb *)ccb_h)->csio.cdb_io.cdb_bytes[0]); + ptr = scsiio_cdb_ptr(&((union ccb *)ccb_h)->csio); + isci_log_message(1, "ISCI", "release %p %x\n", ccb_h, *ptr); dev->queued_ccb_in_progress = (union ccb *)ccb_h; isci_io_request_execute_scsi_io( Index: sys/dev/isci/isci_io_request.c =================================================================== --- sys/dev/isci/isci_io_request.c +++ sys/dev/isci/isci_io_request.c @@ -86,6 +86,7 @@ struct ISCI_REMOTE_DEVICE *isci_remote_device; union ccb *ccb; BOOL complete_ccb; + struct ccb_scsiio *csio; complete_ccb = TRUE; isci_controller = (struct ISCI_CONTROLLER *) sci_object_get_association(scif_controller); @@ -93,7 +94,7 @@ (struct ISCI_REMOTE_DEVICE *) sci_object_get_association(remote_device); ccb = isci_request->ccb; - + csio = &ccb->csio; ccb->ccb_h.status &= ~CAM_STATUS_MASK; switch (completion_status) { @@ -124,7 +125,6 @@ SCI_SSP_RESPONSE_IU_T * response_buffer; uint32_t sense_length; int error_code, sense_key, asc, ascq; - struct ccb_scsiio *csio = &ccb->csio; response_buffer = (SCI_SSP_RESPONSE_IU_T *) scif_io_request_get_response_iu_address( @@ -146,7 +146,7 @@ isci_log_message(1, "ISCI", "isci: bus=%x target=%x lun=%x cdb[0]=%x status=%x key=%x asc=%x ascq=%x\n", ccb->ccb_h.path_id, ccb->ccb_h.target_id, - ccb->ccb_h.target_lun, csio->cdb_io.cdb_bytes[0], + ccb->ccb_h.target_lun, scsiio_cdb_ptr(csio), csio->scsi_status, sense_key, asc, ascq); break; } @@ -157,7 +157,7 @@ isci_log_message(0, "ISCI", "isci: bus=%x target=%x lun=%x cdb[0]=%x remote device reset required\n", ccb->ccb_h.path_id, ccb->ccb_h.target_id, - ccb->ccb_h.target_lun, ccb->csio.cdb_io.cdb_bytes[0]); + ccb->ccb_h.target_lun, scsiio_cdb_ptr(csio)); break; case SCI_IO_FAILURE_TERMINATED: 
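Review bot: The `cdb[0]=%x` conversion on the changed isci_log_message line now receives `scsiio_cdb_ptr(csio)`, a uint8_t pointer, where the replaced line passed the first CDB byte; the opcode is lost and a pointer is handed to a %x conversion. The same missing `[0]` appears in the @@ -157, @@ -165 and @@ -208 hunks and at both call sites in the @@ -285 hunk, whereas the "release" message in isci_controller.c does dereference (`*ptr`), which shows the intent. Each of these should pass `scsiio_cdb_ptr(csio)[0]`. All of them sit inside a function whose start is outside the hunk.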
@@ -165,7 +165,7 @@ isci_log_message(0, "ISCI", "isci: bus=%x target=%x lun=%x cdb[0]=%x terminated\n", ccb->ccb_h.path_id, ccb->ccb_h.target_id, - ccb->ccb_h.target_lun, ccb->csio.cdb_io.cdb_bytes[0]); + ccb->ccb_h.target_lun, scsiio_cdb_ptr(csio)); break; case SCI_IO_FAILURE_INVALID_STATE: @@ -208,7 +208,7 @@ isci_log_message(1, "ISCI", "isci: bus=%x target=%x lun=%x cdb[0]=%x completion status=%x\n", ccb->ccb_h.path_id, ccb->ccb_h.target_id, - ccb->ccb_h.target_lun, ccb->csio.cdb_io.cdb_bytes[0], + ccb->ccb_h.target_lun, scsiio_cdb_ptr(csio), completion_status); ccb->ccb_h.status |= CAM_REQ_CMP_ERR; break; @@ -285,13 +285,13 @@ * get a ready notification for this device. */ isci_log_message(1, "ISCI", "already queued %p %x\n", - ccb, ccb->csio.cdb_io.cdb_bytes[0]); + ccb, scsiio_cdb_ptr(csio)); isci_remote_device->queued_ccb_in_progress = NULL; } else { isci_log_message(1, "ISCI", "queue %p %x\n", ccb, - ccb->csio.cdb_io.cdb_bytes[0]); + scsiio_cdb_ptr(csio)); ccb->ccb_h.status |= CAM_SIM_QUEUED; TAILQ_INSERT_TAIL(&isci_remote_device->queued_ccbs, @@ -373,7 +373,7 @@ struct ISCI_IO_REQUEST *isci_request = (struct ISCI_IO_REQUEST *)scif_user_io_request; - return (isci_request->ccb->csio.cdb_io.cdb_bytes); + return (scsiio_cdb_ptr(&isci_request->ccb->csio)); } /** Index: sys/dev/ncr/ncr.c =================================================================== --- sys/dev/ncr/ncr.c +++ sys/dev/ncr/ncr.c @@ -3860,6 +3860,16 @@ csio = &ccb->csio; /* + * Make sure we support this request. We can't do + * PHYS pointers. + */ + if ((ccb->ccb_h.flags & CAM_CDB_POINTER) && + (ccb->ccb_h.flags & CAM_CDB_PHYS)) { + ccb->ccb_h.status = CAM_REQ_INVALID; + xpt_done(ccb); + return; + } + /* * Last time we need to check if this CCB needs to * be aborted. */ 
@@ -4070,8 +4080,7 @@ /* ** command */ - /* XXX JGibbs - Support other command types */ - cp->phys.cmd.addr = vtophys (csio->cdb_io.cdb_bytes); + cp->phys.cmd.addr = vtophys (scsiio_cdb_ptr(csio)); cp->phys.cmd.size = csio->cdb_len; /* ** sense command @@ -4083,7 +4092,6 @@ */ cp->sensecmd[0] = 0x03; cp->sensecmd[1] = ccb->ccb_h.target_lun << 5; - cp->sensecmd[4] = sizeof(struct scsi_sense_data); cp->sensecmd[4] = csio->sense_len; /* ** sense data Index: sys/dev/ppbus/vpo.c =================================================================== --- sys/dev/ppbus/vpo.c +++ sys/dev/ppbus/vpo.c @@ -187,17 +187,22 @@ #ifdef VP0_DEBUG int i; #endif + uint8_t *ptr; + ptr = scsiio_cdb_ptr(csio); +#ifdef VP0_DEBUG + device_printf(vpo->vpo_dev, "XPT_SCSI_IO (0x%x) request\n", ptr[0]); +#endif if (vpo->vpo_isplus) { errno = imm_do_scsi(&vpo->vpo_io, VP0_INITIATOR, csio->ccb_h.target_id, - (char *)&csio->cdb_io.cdb_bytes, csio->cdb_len, + ptr, csio->cdb_len, (char *)csio->data_ptr, csio->dxfer_len, &vpo->vpo_stat, &vpo->vpo_count, &vpo->vpo_error); } else { errno = vpoio_do_scsi(&vpo->vpo_io, VP0_INITIATOR, csio->ccb_h.target_id, - (char *)&csio->cdb_io.cdb_bytes, csio->cdb_len, + ptr, csio->cdb_len, (char *)csio->data_ptr, csio->dxfer_len, &vpo->vpo_stat, &vpo->vpo_count, &vpo->vpo_error); } @@ -208,7 +213,7 @@ /* dump of command */ for (i=0; icdb_len; i++) - printf("%x ", ((char *)&csio->cdb_io.cdb_bytes)[i]); + printf("%x ", ((char *)ptr)[i]); printf("\n"); #endif @@ -307,11 +312,11 @@ csio = &ccb->csio; -#ifdef VP0_DEBUG - device_printf(vpo->vpo_dev, "XPT_SCSI_IO (0x%x) request\n", - csio->cdb_io.cdb_bytes[0]); -#endif - + if (ccb->ccb_h.flags & CAM_CDB_PHYS) { + ccb->ccb_h.status = CAM_REQ_INVALID; + xpt_done(ccb); + break; + } vpo_intr(vpo, csio); xpt_done(ccb);
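Review bot: `ptr` is a uint8_t * and is now passed to imm_do_scsi() and vpoio_do_scsi() where the replaced lines passed `(char *)&csio->cdb_io.cdb_bytes`, so both calls lose the char * cast the old code used while the debug loop below keeps it as `((char *)ptr)[i]`. Unless those prototypes take an unsigned char or void pointer (not visible here), this trades a working cast for a pointer-sign mismatch; passing `(char *)ptr, csio->cdb_len,` in both calls keeps the three uses consistent. The debug printf moved up into this function reads ptr[0] before any local check, which relies on the CAM_CDB_PHYS rejection added in the @@ -307 hunk preceding the vpo_intr() call.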