xref: /illumos-gate/usr/src/uts/common/io/nvme/nvme.c (revision 1b863af9bc9a5c76ed773e129889fc19dbf9e41c)
1 /*
2  * This file and its contents are supplied under the terms of the
3  * Common Development and Distribution License ("CDDL"), version 1.0.
4  * You may only use this file in accordance with the terms of version
5  * 1.0 of the CDDL.
6  *
7  * A full copy of the text of the CDDL should have accompanied this
8  * source.  A copy of the CDDL is also available via the Internet at
9  * http://www.illumos.org/license/CDDL.
10  */
11 
12 /*
13  * Copyright 2018 Nexenta Systems, Inc.
14  * Copyright 2016 Tegile Systems, Inc. All rights reserved.
15  * Copyright (c) 2016 The MathWorks, Inc.  All rights reserved.
16  * Copyright 2020 Joyent, Inc.
17  * Copyright 2019 Western Digital Corporation.
18  * Copyright 2020 Racktop Systems.
19  * Copyright 2022 Oxide Computer Company.
20  */
21 
22 /*
23  * blkdev driver for NVMe compliant storage devices
24  *
25  * This driver targets and is designed to support all NVMe 1.x devices.
26  * Features are added to the driver as we encounter devices that require them
27  * and our needs, so some commands or log pages may not take advantage of newer
28  * features that devices support at this time. When you encounter such a case,
29  * it is generally fine to add that support to the driver as long as you take
30  * care to ensure that the requisite device version is met before using it.
31  *
32  * The driver has only been tested on x86 systems and will not work on big-
33  * endian systems without changes to the code accessing registers and data
34  * structures used by the hardware.
35  *
36  *
37  * Interrupt Usage:
38  *
39  * The driver will use a single interrupt while configuring the device as the
40  * specification requires, but contrary to the specification it will try to use
41  * a single-message MSI(-X) or FIXED interrupt. Later in the attach process it
42  * will switch to multiple-message MSI(-X) if supported. The driver wants to
43  * have one interrupt vector per CPU, but it will work correctly if less are
44  * available. Interrupts can be shared by queues, the interrupt handler will
45  * iterate through the I/O queue array by steps of n_intr_cnt. Usually only
46  * the admin queue will share an interrupt with one I/O queue. The interrupt
47  * handler will retrieve completed commands from all queues sharing an interrupt
48  * vector and will post them to a taskq for completion processing.
49  *
50  *
51  * Command Processing:
52  *
53  * NVMe devices can have up to 65535 I/O queue pairs, with each queue holding up
54  * to 65536 I/O commands. The driver will configure one I/O queue pair per
55  * available interrupt vector, with the queue length usually much smaller than
56  * the maximum of 65536. If the hardware doesn't provide enough queues, fewer
57  * interrupt vectors will be used.
58  *
59  * Additionally the hardware provides a single special admin queue pair that can
60  * hold up to 4096 admin commands.
61  *
62  * From the hardware perspective both queues of a queue pair are independent,
63  * but they share some driver state: the command array (holding pointers to
64  * commands currently being processed by the hardware) and the active command
65  * counter. Access to a submission queue and the shared state is protected by
66  * nq_mutex; completion queue is protected by ncq_mutex.
67  *
68  * When a command is submitted to a queue pair the active command counter is
69  * incremented and a pointer to the command is stored in the command array. The
70  * array index is used as command identifier (CID) in the submission queue
71  * entry. Some commands may take a very long time to complete, and if the queue
72  * wraps around in that time a submission may find the next array slot to still
73  * be used by a long-running command. In this case the array is sequentially
74  * searched for the next free slot. The length of the command array is the same
75  * as the configured queue length. Queue overrun is prevented by the semaphore,
76  * so a command submission may block if the queue is full.
77  *
78  *
79  * Polled I/O Support:
80  *
81  * For kernel core dump support the driver can do polled I/O. As interrupts are
82  * turned off while dumping the driver will just submit a command in the regular
83  * way, and then repeatedly attempt a command retrieval until it gets the
84  * command back.
85  *
86  *
87  * Namespace Support:
88  *
89  * NVMe devices can have multiple namespaces, each being a independent data
90  * store. The driver supports multiple namespaces and creates a blkdev interface
91  * for each namespace found. Namespaces can have various attributes to support
92  * protection information. This driver does not support any of this and ignores
93  * namespaces that have these attributes.
94  *
95  * As of NVMe 1.1 namespaces can have an 64bit Extended Unique Identifier
96  * (EUI64). This driver uses the EUI64 if present to generate the devid and
97  * passes it to blkdev to use it in the device node names. As this is currently
98  * untested namespaces with EUI64 are ignored by default.
99  *
100  * We currently support only (2 << NVME_MINOR_INST_SHIFT) - 2 namespaces in a
101  * single controller. This is an artificial limit imposed by the driver to be
102  * able to address a reasonable number of controllers and namespaces using a
103  * 32bit minor node number.
104  *
105  *
106  * Minor nodes:
107  *
108  * For each NVMe device the driver exposes one minor node for the controller and
109  * one minor node for each namespace. The only operations supported by those
110  * minor nodes are open(9E), close(9E), and ioctl(9E). This serves as the
111  * interface for the nvmeadm(1M) utility.
112  *
113  *
114  * Blkdev Interface:
115  *
116  * This driver uses blkdev to do all the heavy lifting involved with presenting
117  * a disk device to the system. As a result, the processing of I/O requests is
118  * relatively simple as blkdev takes care of partitioning, boundary checks, DMA
119  * setup, and splitting of transfers into manageable chunks.
120  *
121  * I/O requests coming in from blkdev are turned into NVM commands and posted to
122  * an I/O queue. The queue is selected by taking the CPU id modulo the number of
123  * queues. There is currently no timeout handling of I/O commands.
124  *
125  * Blkdev also supports querying device/media information and generating a
126  * devid. The driver reports the best block size as determined by the namespace
127  * format back to blkdev as physical block size to support partition and block
128  * alignment. The devid is either based on the namespace EUI64, if present, or
129  * composed using the device vendor ID, model number, serial number, and the
130  * namespace ID.
131  *
132  *
133  * Error Handling:
134  *
135  * Error handling is currently limited to detecting fatal hardware errors,
136  * either by asynchronous events, or synchronously through command status or
137  * admin command timeouts. In case of severe errors the device is fenced off,
138  * all further requests will return EIO. FMA is then called to fault the device.
139  *
140  * The hardware has a limit for outstanding asynchronous event requests. Before
141  * this limit is known the driver assumes it is at least 1 and posts a single
142  * asynchronous request. Later when the limit is known more asynchronous event
143  * requests are posted to allow quicker reception of error information. When an
144  * asynchronous event is posted by the hardware the driver will parse the error
145  * status fields and log information or fault the device, depending on the
146  * severity of the asynchronous event. The asynchronous event request is then
147  * reused and posted to the admin queue again.
148  *
149  * On command completion the command status is checked for errors. In case of
150  * errors indicating a driver bug the driver panics. Almost all other error
151  * status values just cause EIO to be returned.
152  *
153  * Command timeouts are currently detected for all admin commands except
154  * asynchronous event requests. If a command times out and the hardware appears
155  * to be healthy the driver attempts to abort the command. The original command
156  * timeout is also applied to the abort command. If the abort times out too the
157  * driver assumes the device to be dead, fences it off, and calls FMA to retire
158  * it. In all other cases the aborted command should return immediately with a
159  * status indicating it was aborted, and the driver will wait indefinitely for
160  * that to happen. No timeout handling of normal I/O commands is presently done.
161  *
162  * Any command that times out due to the controller dropping dead will be put on
163  * nvme_lost_cmds list if it references DMA memory. This will prevent the DMA
164  * memory being reused by the system and later be written to by a "dead" NVMe
165  * controller.
166  *
167  *
168  * Locking:
169  *
170  * Each queue pair has a nq_mutex and ncq_mutex. The nq_mutex must be held
171  * when accessing shared state and submission queue registers, ncq_mutex
172  * is held when accessing completion queue state and registers.
173  * Callers of nvme_unqueue_cmd() must make sure that nq_mutex is held, while
174  * nvme_submit_{admin,io}_cmd() and nvme_retrieve_cmd() take care of both
175  * mutexes themselves.
176  *
177  * Each command also has its own nc_mutex, which is associated with the
178  * condition variable nc_cv. It is only used on admin commands which are run
179  * synchronously. In that case it must be held across calls to
180  * nvme_submit_{admin,io}_cmd() and nvme_wait_cmd(), which is taken care of by
181  * nvme_admin_cmd(). It must also be held whenever the completion state of the
182  * command is changed or while a admin command timeout is handled.
183  *
184  * If both nc_mutex and nq_mutex must be held, nc_mutex must be acquired first.
185  * More than one nc_mutex may only be held when aborting commands. In this case,
186  * the nc_mutex of the command to be aborted must be held across the call to
187  * nvme_abort_cmd() to prevent the command from completing while the abort is in
188  * progress.
189  *
190  * If both nq_mutex and ncq_mutex need to be held, ncq_mutex must be
191  * acquired first. More than one nq_mutex is never held by a single thread.
192  * The ncq_mutex is only held by nvme_retrieve_cmd() and
193  * nvme_process_iocq(). nvme_process_iocq() is only called from the
194  * interrupt thread and nvme_retrieve_cmd() during polled I/O, so the
195  * mutex is non-contentious but is required for implementation completeness
196  * and safety.
197  *
198  * Each minor node has its own nm_mutex, which protects the open count nm_ocnt
199  * and exclusive-open flag nm_oexcl.
200  *
201  *
202  * Quiesce / Fast Reboot:
203  *
204  * The driver currently does not support fast reboot. A quiesce(9E) entry point
205  * is still provided which is used to send a shutdown notification to the
206  * device.
207  *
208  *
209  * NVMe Hotplug:
210  *
211  * The driver supports hot removal. The driver uses the NDI event framework
212  * to register a callback, nvme_remove_callback, to clean up when a disk is
213  * removed. In particular, the driver will unqueue outstanding I/O commands and
214  * set n_dead on the softstate to true so that other operations, such as ioctls
215  * and command submissions, fail as well.
216  *
217  * While the callback registration relies on the NDI event framework, the
218  * removal event itself is kicked off in the PCIe hotplug framework, when the
219  * PCIe bridge driver ("pcieb") gets a hotplug interrupt indicatating that a
220  * device was removed from the slot.
221  *
222  * The NVMe driver instance itself will remain until the final close of the
223  * device.
224  *
225  *
226  * DDI UFM Support
227  *
228  * The driver supports the DDI UFM framework for reporting information about
229  * the device's firmware image and slot configuration. This data can be
230  * queried by userland software via ioctls to the ufm driver. For more
231  * information, see ddi_ufm(9E).
232  *
233  *
234  * Driver Configuration:
235  *
236  * The following driver properties can be changed to control some aspects of the
237  * drivers operation:
238  * - strict-version: can be set to 0 to allow devices conforming to newer
239  *   major versions to be used
240  * - ignore-unknown-vendor-status: can be set to 1 to not handle any vendor
241  *   specific command status as a fatal error leading device faulting
242  * - admin-queue-len: the maximum length of the admin queue (16-4096)
243  * - io-squeue-len: the maximum length of the I/O submission queues (16-65536)
244  * - io-cqueue-len: the maximum length of the I/O completion queues (16-65536)
245  * - async-event-limit: the maximum number of asynchronous event requests to be
246  *   posted by the driver
247  * - volatile-write-cache-enable: can be set to 0 to disable the volatile write
248  *   cache
249  * - min-phys-block-size: the minimum physical block size to report to blkdev,
250  *   which is among other things the basis for ZFS vdev ashift
251  * - max-submission-queues: the maximum number of I/O submission queues.
252  * - max-completion-queues: the maximum number of I/O completion queues,
253  *   can be less than max-submission-queues, in which case the completion
254  *   queues are shared.
255  *
256  *
257  * TODO:
258  * - figure out sane default for I/O queue depth reported to blkdev
259  * - FMA handling of media errors
260  * - support for devices supporting very large I/O requests using chained PRPs
261  * - support for configuring hardware parameters like interrupt coalescing
262  * - support for media formatting and hard partitioning into namespaces
263  * - support for big-endian systems
264  * - support for fast reboot
265  * - support for NVMe Subsystem Reset (1.1)
266  * - support for Scatter/Gather lists (1.1)
267  * - support for Reservations (1.1)
268  * - support for power management
269  */
270 
271 #include <sys/byteorder.h>
272 #ifdef _BIG_ENDIAN
273 #error nvme driver needs porting for big-endian platforms
274 #endif
275 
276 #include <sys/modctl.h>
277 #include <sys/conf.h>
278 #include <sys/devops.h>
279 #include <sys/ddi.h>
280 #include <sys/ddi_ufm.h>
281 #include <sys/sunddi.h>
282 #include <sys/sunndi.h>
283 #include <sys/bitmap.h>
284 #include <sys/sysmacros.h>
285 #include <sys/param.h>
286 #include <sys/varargs.h>
287 #include <sys/cpuvar.h>
288 #include <sys/disp.h>
289 #include <sys/blkdev.h>
290 #include <sys/atomic.h>
291 #include <sys/archsystm.h>
292 #include <sys/sata/sata_hba.h>
293 #include <sys/stat.h>
294 #include <sys/policy.h>
295 #include <sys/list.h>
296 #include <sys/dkio.h>
297 
298 #include <sys/nvme.h>
299 
300 #ifdef __x86
301 #include <sys/x86_archext.h>
302 #endif
303 
304 #include "nvme_reg.h"
305 #include "nvme_var.h"
306 
307 /*
308  * Assertions to make sure that we've properly captured various aspects of the
309  * packed structures and haven't broken them during updates.
310  */
311 CTASSERT(sizeof (nvme_identify_ctrl_t) == 0x1000);
312 CTASSERT(offsetof(nvme_identify_ctrl_t, id_oacs) == 256);
313 CTASSERT(offsetof(nvme_identify_ctrl_t, id_sqes) == 512);
314 CTASSERT(offsetof(nvme_identify_ctrl_t, id_oncs) == 520);
315 CTASSERT(offsetof(nvme_identify_ctrl_t, id_subnqn) == 768);
316 CTASSERT(offsetof(nvme_identify_ctrl_t, id_nvmof) == 1792);
317 CTASSERT(offsetof(nvme_identify_ctrl_t, id_psd) == 2048);
318 CTASSERT(offsetof(nvme_identify_ctrl_t, id_vs) == 3072);
319 
320 CTASSERT(sizeof (nvme_identify_nsid_t) == 0x1000);
321 CTASSERT(offsetof(nvme_identify_nsid_t, id_fpi) == 32);
322 CTASSERT(offsetof(nvme_identify_nsid_t, id_anagrpid) == 92);
323 CTASSERT(offsetof(nvme_identify_nsid_t, id_nguid) == 104);
324 CTASSERT(offsetof(nvme_identify_nsid_t, id_lbaf) == 128);
325 CTASSERT(offsetof(nvme_identify_nsid_t, id_vs) == 384);
326 
327 CTASSERT(sizeof (nvme_identify_primary_caps_t) == 0x1000);
328 CTASSERT(offsetof(nvme_identify_primary_caps_t, nipc_vqfrt) == 32);
329 CTASSERT(offsetof(nvme_identify_primary_caps_t, nipc_vifrt) == 64);
330 
331 
332 /* NVMe spec version supported */
333 static const int nvme_version_major = 1;
334 
335 /* tunable for admin command timeout in seconds, default is 1s */
336 int nvme_admin_cmd_timeout = 1;
337 
338 /* tunable for FORMAT NVM command timeout in seconds, default is 600s */
339 int nvme_format_cmd_timeout = 600;
340 
341 /* tunable for firmware commit with NVME_FWC_SAVE, default is 15s */
342 int nvme_commit_save_cmd_timeout = 15;
343 
344 /*
345  * tunable for the size of arbitrary vendor specific admin commands,
346  * default is 16MiB
347  */
348 uint32_t nvme_vendor_specific_admin_cmd_size = 1 << 24;
349 
350 /*
351  * tunable for the max timeout of arbitary vendor specific admin commands,
352  * default is 60s.
353  */
354 uint_t nvme_vendor_specific_admin_cmd_max_timeout = 60;
355 
356 static int nvme_attach(dev_info_t *, ddi_attach_cmd_t);
357 static int nvme_detach(dev_info_t *, ddi_detach_cmd_t);
358 static int nvme_quiesce(dev_info_t *);
359 static int nvme_fm_errcb(dev_info_t *, ddi_fm_error_t *, const void *);
360 static int nvme_setup_interrupts(nvme_t *, int, int);
361 static void nvme_release_interrupts(nvme_t *);
362 static uint_t nvme_intr(caddr_t, caddr_t);
363 
364 static void nvme_shutdown(nvme_t *, int, boolean_t);
365 static boolean_t nvme_reset(nvme_t *, boolean_t);
366 static int nvme_init(nvme_t *);
367 static nvme_cmd_t *nvme_alloc_cmd(nvme_t *, int);
368 static void nvme_free_cmd(nvme_cmd_t *);
369 static nvme_cmd_t *nvme_create_nvm_cmd(nvme_namespace_t *, uint8_t,
370     bd_xfer_t *);
371 static void nvme_admin_cmd(nvme_cmd_t *, int);
372 static void nvme_submit_admin_cmd(nvme_qpair_t *, nvme_cmd_t *);
373 static int nvme_submit_io_cmd(nvme_qpair_t *, nvme_cmd_t *);
374 static void nvme_submit_cmd_common(nvme_qpair_t *, nvme_cmd_t *);
375 static nvme_cmd_t *nvme_unqueue_cmd(nvme_t *, nvme_qpair_t *, int);
376 static nvme_cmd_t *nvme_retrieve_cmd(nvme_t *, nvme_qpair_t *);
377 static void nvme_wait_cmd(nvme_cmd_t *, uint_t);
378 static void nvme_wakeup_cmd(void *);
379 static void nvme_async_event_task(void *);
380 
381 static int nvme_check_unknown_cmd_status(nvme_cmd_t *);
382 static int nvme_check_vendor_cmd_status(nvme_cmd_t *);
383 static int nvme_check_integrity_cmd_status(nvme_cmd_t *);
384 static int nvme_check_specific_cmd_status(nvme_cmd_t *);
385 static int nvme_check_generic_cmd_status(nvme_cmd_t *);
386 static inline int nvme_check_cmd_status(nvme_cmd_t *);
387 
388 static int nvme_abort_cmd(nvme_cmd_t *, uint_t);
389 static void nvme_async_event(nvme_t *);
390 static int nvme_format_nvm(nvme_t *, boolean_t, uint32_t, uint8_t, boolean_t,
391     uint8_t, boolean_t, uint8_t);
392 static int nvme_get_logpage(nvme_t *, boolean_t, void **, size_t *, uint8_t,
393     ...);
394 static int nvme_identify(nvme_t *, boolean_t, uint32_t, void **);
395 static int nvme_set_features(nvme_t *, boolean_t, uint32_t, uint8_t, uint32_t,
396     uint32_t *);
397 static int nvme_get_features(nvme_t *, boolean_t, uint32_t, uint8_t, uint32_t *,
398     void **, size_t *);
399 static int nvme_write_cache_set(nvme_t *, boolean_t);
400 static int nvme_set_nqueues(nvme_t *);
401 
402 static void nvme_free_dma(nvme_dma_t *);
403 static int nvme_zalloc_dma(nvme_t *, size_t, uint_t, ddi_dma_attr_t *,
404     nvme_dma_t **);
405 static int nvme_zalloc_queue_dma(nvme_t *, uint32_t, uint16_t, uint_t,
406     nvme_dma_t **);
407 static void nvme_free_qpair(nvme_qpair_t *);
408 static int nvme_alloc_qpair(nvme_t *, uint32_t, nvme_qpair_t **, uint_t);
409 static int nvme_create_io_qpair(nvme_t *, nvme_qpair_t *, uint16_t);
410 
411 static inline void nvme_put64(nvme_t *, uintptr_t, uint64_t);
412 static inline void nvme_put32(nvme_t *, uintptr_t, uint32_t);
413 static inline uint64_t nvme_get64(nvme_t *, uintptr_t);
414 static inline uint32_t nvme_get32(nvme_t *, uintptr_t);
415 
416 static boolean_t nvme_check_regs_hdl(nvme_t *);
417 static boolean_t nvme_check_dma_hdl(nvme_dma_t *);
418 
419 static int nvme_fill_prp(nvme_cmd_t *, ddi_dma_handle_t);
420 
421 static void nvme_bd_xfer_done(void *);
422 static void nvme_bd_driveinfo(void *, bd_drive_t *);
423 static int nvme_bd_mediainfo(void *, bd_media_t *);
424 static int nvme_bd_cmd(nvme_namespace_t *, bd_xfer_t *, uint8_t);
425 static int nvme_bd_read(void *, bd_xfer_t *);
426 static int nvme_bd_write(void *, bd_xfer_t *);
427 static int nvme_bd_sync(void *, bd_xfer_t *);
428 static int nvme_bd_devid(void *, dev_info_t *, ddi_devid_t *);
429 static int nvme_bd_free_space(void *, bd_xfer_t *);
430 
431 static int nvme_prp_dma_constructor(void *, void *, int);
432 static void nvme_prp_dma_destructor(void *, void *);
433 
434 static void nvme_prepare_devid(nvme_t *, uint32_t);
435 
436 /* DDI UFM callbacks */
437 static int nvme_ufm_fill_image(ddi_ufm_handle_t *, void *, uint_t,
438     ddi_ufm_image_t *);
439 static int nvme_ufm_fill_slot(ddi_ufm_handle_t *, void *, uint_t, uint_t,
440     ddi_ufm_slot_t *);
441 static int nvme_ufm_getcaps(ddi_ufm_handle_t *, void *, ddi_ufm_cap_t *);
442 
443 static int nvme_open(dev_t *, int, int, cred_t *);
444 static int nvme_close(dev_t, int, int, cred_t *);
445 static int nvme_ioctl(dev_t, int, intptr_t, int, cred_t *, int *);
446 
447 static ddi_ufm_ops_t nvme_ufm_ops = {
448 	NULL,
449 	nvme_ufm_fill_image,
450 	nvme_ufm_fill_slot,
451 	nvme_ufm_getcaps
452 };
453 
454 #define	NVME_MINOR_INST_SHIFT	9
455 #define	NVME_MINOR(inst, nsid)	(((inst) << NVME_MINOR_INST_SHIFT) | (nsid))
456 #define	NVME_MINOR_INST(minor)	((minor) >> NVME_MINOR_INST_SHIFT)
457 #define	NVME_MINOR_NSID(minor)	((minor) & ((1 << NVME_MINOR_INST_SHIFT) - 1))
458 #define	NVME_MINOR_MAX		(NVME_MINOR(1, 0) - 2)
459 #define	NVME_IS_VENDOR_UNIQUE_CMD(x)	(((x) >= 0xC0) && ((x) <= 0xFF))
460 
461 static void *nvme_state;
462 static kmem_cache_t *nvme_cmd_cache;
463 
464 /*
465  * DMA attributes for queue DMA memory
466  *
467  * Queue DMA memory must be page aligned. The maximum length of a queue is
468  * 65536 entries, and an entry can be 64 bytes long.
469  */
470 static ddi_dma_attr_t nvme_queue_dma_attr = {
471 	.dma_attr_version	= DMA_ATTR_V0,
472 	.dma_attr_addr_lo	= 0,
473 	.dma_attr_addr_hi	= 0xffffffffffffffffULL,
474 	.dma_attr_count_max	= (UINT16_MAX + 1) * sizeof (nvme_sqe_t) - 1,
475 	.dma_attr_align		= 0x1000,
476 	.dma_attr_burstsizes	= 0x7ff,
477 	.dma_attr_minxfer	= 0x1000,
478 	.dma_attr_maxxfer	= (UINT16_MAX + 1) * sizeof (nvme_sqe_t),
479 	.dma_attr_seg		= 0xffffffffffffffffULL,
480 	.dma_attr_sgllen	= 1,
481 	.dma_attr_granular	= 1,
482 	.dma_attr_flags		= 0,
483 };
484 
485 /*
486  * DMA attributes for transfers using Physical Region Page (PRP) entries
487  *
488  * A PRP entry describes one page of DMA memory using the page size specified
489  * in the controller configuration's memory page size register (CC.MPS). It uses
490  * a 64bit base address aligned to this page size. There is no limitation on
491  * chaining PRPs together for arbitrarily large DMA transfers.
492  */
493 static ddi_dma_attr_t nvme_prp_dma_attr = {
494 	.dma_attr_version	= DMA_ATTR_V0,
495 	.dma_attr_addr_lo	= 0,
496 	.dma_attr_addr_hi	= 0xffffffffffffffffULL,
497 	.dma_attr_count_max	= 0xfff,
498 	.dma_attr_align		= 0x1000,
499 	.dma_attr_burstsizes	= 0x7ff,
500 	.dma_attr_minxfer	= 0x1000,
501 	.dma_attr_maxxfer	= 0x1000,
502 	.dma_attr_seg		= 0xfff,
503 	.dma_attr_sgllen	= -1,
504 	.dma_attr_granular	= 1,
505 	.dma_attr_flags		= 0,
506 };
507 
508 /*
509  * DMA attributes for transfers using scatter/gather lists
510  *
511  * A SGL entry describes a chunk of DMA memory using a 64bit base address and a
512  * 32bit length field. SGL Segment and SGL Last Segment entries require the
513  * length to be a multiple of 16 bytes.
514  */
515 static ddi_dma_attr_t nvme_sgl_dma_attr = {
516 	.dma_attr_version	= DMA_ATTR_V0,
517 	.dma_attr_addr_lo	= 0,
518 	.dma_attr_addr_hi	= 0xffffffffffffffffULL,
519 	.dma_attr_count_max	= 0xffffffffUL,
520 	.dma_attr_align		= 1,
521 	.dma_attr_burstsizes	= 0x7ff,
522 	.dma_attr_minxfer	= 0x10,
523 	.dma_attr_maxxfer	= 0xfffffffffULL,
524 	.dma_attr_seg		= 0xffffffffffffffffULL,
525 	.dma_attr_sgllen	= -1,
526 	.dma_attr_granular	= 0x10,
527 	.dma_attr_flags		= 0
528 };
529 
530 static ddi_device_acc_attr_t nvme_reg_acc_attr = {
531 	.devacc_attr_version	= DDI_DEVICE_ATTR_V0,
532 	.devacc_attr_endian_flags = DDI_STRUCTURE_LE_ACC,
533 	.devacc_attr_dataorder	= DDI_STRICTORDER_ACC
534 };
535 
536 static struct cb_ops nvme_cb_ops = {
537 	.cb_open	= nvme_open,
538 	.cb_close	= nvme_close,
539 	.cb_strategy	= nodev,
540 	.cb_print	= nodev,
541 	.cb_dump	= nodev,
542 	.cb_read	= nodev,
543 	.cb_write	= nodev,
544 	.cb_ioctl	= nvme_ioctl,
545 	.cb_devmap	= nodev,
546 	.cb_mmap	= nodev,
547 	.cb_segmap	= nodev,
548 	.cb_chpoll	= nochpoll,
549 	.cb_prop_op	= ddi_prop_op,
550 	.cb_str		= 0,
551 	.cb_flag	= D_NEW | D_MP,
552 	.cb_rev		= CB_REV,
553 	.cb_aread	= nodev,
554 	.cb_awrite	= nodev
555 };
556 
557 static struct dev_ops nvme_dev_ops = {
558 	.devo_rev	= DEVO_REV,
559 	.devo_refcnt	= 0,
560 	.devo_getinfo	= ddi_no_info,
561 	.devo_identify	= nulldev,
562 	.devo_probe	= nulldev,
563 	.devo_attach	= nvme_attach,
564 	.devo_detach	= nvme_detach,
565 	.devo_reset	= nodev,
566 	.devo_cb_ops	= &nvme_cb_ops,
567 	.devo_bus_ops	= NULL,
568 	.devo_power	= NULL,
569 	.devo_quiesce	= nvme_quiesce,
570 };
571 
572 static struct modldrv nvme_modldrv = {
573 	.drv_modops	= &mod_driverops,
574 	.drv_linkinfo	= "NVMe v1.1b",
575 	.drv_dev_ops	= &nvme_dev_ops
576 };
577 
578 static struct modlinkage nvme_modlinkage = {
579 	.ml_rev		= MODREV_1,
580 	.ml_linkage	= { &nvme_modldrv, NULL }
581 };
582 
583 static bd_ops_t nvme_bd_ops = {
584 	.o_version	= BD_OPS_CURRENT_VERSION,
585 	.o_drive_info	= nvme_bd_driveinfo,
586 	.o_media_info	= nvme_bd_mediainfo,
587 	.o_devid_init	= nvme_bd_devid,
588 	.o_sync_cache	= nvme_bd_sync,
589 	.o_read		= nvme_bd_read,
590 	.o_write	= nvme_bd_write,
591 	.o_free_space	= nvme_bd_free_space,
592 };
593 
594 /*
595  * This list will hold commands that have timed out and couldn't be aborted.
596  * As we don't know what the hardware may still do with the DMA memory we can't
597  * free them, so we'll keep them forever on this list where we can easily look
598  * at them with mdb.
599  */
600 static struct list nvme_lost_cmds;
601 static kmutex_t nvme_lc_mutex;
602 
603 int
604 _init(void)
605 {
606 	int error;
607 
608 	error = ddi_soft_state_init(&nvme_state, sizeof (nvme_t), 1);
609 	if (error != DDI_SUCCESS)
610 		return (error);
611 
612 	nvme_cmd_cache = kmem_cache_create("nvme_cmd_cache",
613 	    sizeof (nvme_cmd_t), 64, NULL, NULL, NULL, NULL, NULL, 0);
614 
615 	mutex_init(&nvme_lc_mutex, NULL, MUTEX_DRIVER, NULL);
616 	list_create(&nvme_lost_cmds, sizeof (nvme_cmd_t),
617 	    offsetof(nvme_cmd_t, nc_list));
618 
619 	bd_mod_init(&nvme_dev_ops);
620 
621 	error = mod_install(&nvme_modlinkage);
622 	if (error != DDI_SUCCESS) {
623 		ddi_soft_state_fini(&nvme_state);
624 		mutex_destroy(&nvme_lc_mutex);
625 		list_destroy(&nvme_lost_cmds);
626 		bd_mod_fini(&nvme_dev_ops);
627 	}
628 
629 	return (error);
630 }
631 
632 int
633 _fini(void)
634 {
635 	int error;
636 
637 	if (!list_is_empty(&nvme_lost_cmds))
638 		return (DDI_FAILURE);
639 
640 	error = mod_remove(&nvme_modlinkage);
641 	if (error == DDI_SUCCESS) {
642 		ddi_soft_state_fini(&nvme_state);
643 		kmem_cache_destroy(nvme_cmd_cache);
644 		mutex_destroy(&nvme_lc_mutex);
645 		list_destroy(&nvme_lost_cmds);
646 		bd_mod_fini(&nvme_dev_ops);
647 	}
648 
649 	return (error);
650 }
651 
652 int
653 _info(struct modinfo *modinfop)
654 {
655 	return (mod_info(&nvme_modlinkage, modinfop));
656 }
657 
658 static inline void
659 nvme_put64(nvme_t *nvme, uintptr_t reg, uint64_t val)
660 {
661 	ASSERT(((uintptr_t)(nvme->n_regs + reg) & 0x7) == 0);
662 
663 	/*LINTED: E_BAD_PTR_CAST_ALIGN*/
664 	ddi_put64(nvme->n_regh, (uint64_t *)(nvme->n_regs + reg), val);
665 }
666 
667 static inline void
668 nvme_put32(nvme_t *nvme, uintptr_t reg, uint32_t val)
669 {
670 	ASSERT(((uintptr_t)(nvme->n_regs + reg) & 0x3) == 0);
671 
672 	/*LINTED: E_BAD_PTR_CAST_ALIGN*/
673 	ddi_put32(nvme->n_regh, (uint32_t *)(nvme->n_regs + reg), val);
674 }
675 
676 static inline uint64_t
677 nvme_get64(nvme_t *nvme, uintptr_t reg)
678 {
679 	uint64_t val;
680 
681 	ASSERT(((uintptr_t)(nvme->n_regs + reg) & 0x7) == 0);
682 
683 	/*LINTED: E_BAD_PTR_CAST_ALIGN*/
684 	val = ddi_get64(nvme->n_regh, (uint64_t *)(nvme->n_regs + reg));
685 
686 	return (val);
687 }
688 
689 static inline uint32_t
690 nvme_get32(nvme_t *nvme, uintptr_t reg)
691 {
692 	uint32_t val;
693 
694 	ASSERT(((uintptr_t)(nvme->n_regs + reg) & 0x3) == 0);
695 
696 	/*LINTED: E_BAD_PTR_CAST_ALIGN*/
697 	val = ddi_get32(nvme->n_regh, (uint32_t *)(nvme->n_regs + reg));
698 
699 	return (val);
700 }
701 
702 static boolean_t
703 nvme_check_regs_hdl(nvme_t *nvme)
704 {
705 	ddi_fm_error_t error;
706 
707 	ddi_fm_acc_err_get(nvme->n_regh, &error, DDI_FME_VERSION);
708 
709 	if (error.fme_status != DDI_FM_OK)
710 		return (B_TRUE);
711 
712 	return (B_FALSE);
713 }
714 
715 static boolean_t
716 nvme_check_dma_hdl(nvme_dma_t *dma)
717 {
718 	ddi_fm_error_t error;
719 
720 	if (dma == NULL)
721 		return (B_FALSE);
722 
723 	ddi_fm_dma_err_get(dma->nd_dmah, &error, DDI_FME_VERSION);
724 
725 	if (error.fme_status != DDI_FM_OK)
726 		return (B_TRUE);
727 
728 	return (B_FALSE);
729 }
730 
731 static void
732 nvme_free_dma_common(nvme_dma_t *dma)
733 {
734 	if (dma->nd_dmah != NULL)
735 		(void) ddi_dma_unbind_handle(dma->nd_dmah);
736 	if (dma->nd_acch != NULL)
737 		ddi_dma_mem_free(&dma->nd_acch);
738 	if (dma->nd_dmah != NULL)
739 		ddi_dma_free_handle(&dma->nd_dmah);
740 }
741 
742 static void
743 nvme_free_dma(nvme_dma_t *dma)
744 {
745 	nvme_free_dma_common(dma);
746 	kmem_free(dma, sizeof (*dma));
747 }
748 
749 /* ARGSUSED */
750 static void
751 nvme_prp_dma_destructor(void *buf, void *private)
752 {
753 	nvme_dma_t *dma = (nvme_dma_t *)buf;
754 
755 	nvme_free_dma_common(dma);
756 }
757 
758 static int
759 nvme_alloc_dma_common(nvme_t *nvme, nvme_dma_t *dma,
760     size_t len, uint_t flags, ddi_dma_attr_t *dma_attr)
761 {
762 	if (ddi_dma_alloc_handle(nvme->n_dip, dma_attr, DDI_DMA_SLEEP, NULL,
763 	    &dma->nd_dmah) != DDI_SUCCESS) {
764 		/*
765 		 * Due to DDI_DMA_SLEEP this can't be DDI_DMA_NORESOURCES, and
766 		 * the only other possible error is DDI_DMA_BADATTR which
767 		 * indicates a driver bug which should cause a panic.
768 		 */
769 		dev_err(nvme->n_dip, CE_PANIC,
770 		    "!failed to get DMA handle, check DMA attributes");
771 		return (DDI_FAILURE);
772 	}
773 
774 	/*
775 	 * ddi_dma_mem_alloc() can only fail when DDI_DMA_NOSLEEP is specified
776 	 * or the flags are conflicting, which isn't the case here.
777 	 */
778 	(void) ddi_dma_mem_alloc(dma->nd_dmah, len, &nvme->n_reg_acc_attr,
779 	    DDI_DMA_CONSISTENT, DDI_DMA_SLEEP, NULL, &dma->nd_memp,
780 	    &dma->nd_len, &dma->nd_acch);
781 
782 	if (ddi_dma_addr_bind_handle(dma->nd_dmah, NULL, dma->nd_memp,
783 	    dma->nd_len, flags | DDI_DMA_CONSISTENT, DDI_DMA_SLEEP, NULL,
784 	    &dma->nd_cookie, &dma->nd_ncookie) != DDI_DMA_MAPPED) {
785 		dev_err(nvme->n_dip, CE_WARN,
786 		    "!failed to bind DMA memory");
787 		atomic_inc_32(&nvme->n_dma_bind_err);
788 		nvme_free_dma_common(dma);
789 		return (DDI_FAILURE);
790 	}
791 
792 	return (DDI_SUCCESS);
793 }
794 
795 static int
796 nvme_zalloc_dma(nvme_t *nvme, size_t len, uint_t flags,
797     ddi_dma_attr_t *dma_attr, nvme_dma_t **ret)
798 {
799 	nvme_dma_t *dma = kmem_zalloc(sizeof (nvme_dma_t), KM_SLEEP);
800 
801 	if (nvme_alloc_dma_common(nvme, dma, len, flags, dma_attr) !=
802 	    DDI_SUCCESS) {
803 		*ret = NULL;
804 		kmem_free(dma, sizeof (nvme_dma_t));
805 		return (DDI_FAILURE);
806 	}
807 
808 	bzero(dma->nd_memp, dma->nd_len);
809 
810 	*ret = dma;
811 	return (DDI_SUCCESS);
812 }
813 
814 /* ARGSUSED */
815 static int
816 nvme_prp_dma_constructor(void *buf, void *private, int flags)
817 {
818 	nvme_dma_t *dma = (nvme_dma_t *)buf;
819 	nvme_t *nvme = (nvme_t *)private;
820 
821 	dma->nd_dmah = NULL;
822 	dma->nd_acch = NULL;
823 
824 	if (nvme_alloc_dma_common(nvme, dma, nvme->n_pagesize,
825 	    DDI_DMA_READ, &nvme->n_prp_dma_attr) != DDI_SUCCESS) {
826 		return (-1);
827 	}
828 
829 	ASSERT(dma->nd_ncookie == 1);
830 
831 	dma->nd_cached = B_TRUE;
832 
833 	return (0);
834 }
835 
836 static int
837 nvme_zalloc_queue_dma(nvme_t *nvme, uint32_t nentry, uint16_t qe_len,
838     uint_t flags, nvme_dma_t **dma)
839 {
840 	uint32_t len = nentry * qe_len;
841 	ddi_dma_attr_t q_dma_attr = nvme->n_queue_dma_attr;
842 
843 	len = roundup(len, nvme->n_pagesize);
844 
845 	if (nvme_zalloc_dma(nvme, len, flags, &q_dma_attr, dma)
846 	    != DDI_SUCCESS) {
847 		dev_err(nvme->n_dip, CE_WARN,
848 		    "!failed to get DMA memory for queue");
849 		goto fail;
850 	}
851 
852 	if ((*dma)->nd_ncookie != 1) {
853 		dev_err(nvme->n_dip, CE_WARN,
854 		    "!got too many cookies for queue DMA");
855 		goto fail;
856 	}
857 
858 	return (DDI_SUCCESS);
859 
860 fail:
861 	if (*dma) {
862 		nvme_free_dma(*dma);
863 		*dma = NULL;
864 	}
865 
866 	return (DDI_FAILURE);
867 }
868 
869 static void
870 nvme_free_cq(nvme_cq_t *cq)
871 {
872 	mutex_destroy(&cq->ncq_mutex);
873 
874 	if (cq->ncq_cmd_taskq != NULL)
875 		taskq_destroy(cq->ncq_cmd_taskq);
876 
877 	if (cq->ncq_dma != NULL)
878 		nvme_free_dma(cq->ncq_dma);
879 
880 	kmem_free(cq, sizeof (*cq));
881 }
882 
883 static void
884 nvme_free_qpair(nvme_qpair_t *qp)
885 {
886 	int i;
887 
888 	mutex_destroy(&qp->nq_mutex);
889 	sema_destroy(&qp->nq_sema);
890 
891 	if (qp->nq_sqdma != NULL)
892 		nvme_free_dma(qp->nq_sqdma);
893 
894 	if (qp->nq_active_cmds > 0)
895 		for (i = 0; i != qp->nq_nentry; i++)
896 			if (qp->nq_cmd[i] != NULL)
897 				nvme_free_cmd(qp->nq_cmd[i]);
898 
899 	if (qp->nq_cmd != NULL)
900 		kmem_free(qp->nq_cmd, sizeof (nvme_cmd_t *) * qp->nq_nentry);
901 
902 	kmem_free(qp, sizeof (nvme_qpair_t));
903 }
904 
905 /*
906  * Destroy the pre-allocated cq array, but only free individual completion
907  * queues from the given starting index.
908  */
909 static void
910 nvme_destroy_cq_array(nvme_t *nvme, uint_t start)
911 {
912 	uint_t i;
913 
914 	for (i = start; i < nvme->n_cq_count; i++)
915 		if (nvme->n_cq[i] != NULL)
916 			nvme_free_cq(nvme->n_cq[i]);
917 
918 	kmem_free(nvme->n_cq, sizeof (*nvme->n_cq) * nvme->n_cq_count);
919 }
920 
921 static int
922 nvme_alloc_cq(nvme_t *nvme, uint32_t nentry, nvme_cq_t **cqp, uint16_t idx,
923     uint_t nthr)
924 {
925 	nvme_cq_t *cq = kmem_zalloc(sizeof (*cq), KM_SLEEP);
926 	char name[64];		/* large enough for the taskq name */
927 
928 	mutex_init(&cq->ncq_mutex, NULL, MUTEX_DRIVER,
929 	    DDI_INTR_PRI(nvme->n_intr_pri));
930 
931 	if (nvme_zalloc_queue_dma(nvme, nentry, sizeof (nvme_cqe_t),
932 	    DDI_DMA_READ, &cq->ncq_dma) != DDI_SUCCESS)
933 		goto fail;
934 
935 	cq->ncq_cq = (nvme_cqe_t *)cq->ncq_dma->nd_memp;
936 	cq->ncq_nentry = nentry;
937 	cq->ncq_id = idx;
938 	cq->ncq_hdbl = NVME_REG_CQHDBL(nvme, idx);
939 
940 	/*
941 	 * Each completion queue has its own command taskq.
942 	 */
943 	(void) snprintf(name, sizeof (name), "%s%d_cmd_taskq%u",
944 	    ddi_driver_name(nvme->n_dip), ddi_get_instance(nvme->n_dip), idx);
945 
946 	cq->ncq_cmd_taskq = taskq_create(name, nthr, minclsyspri, 64, INT_MAX,
947 	    TASKQ_PREPOPULATE);
948 
949 	if (cq->ncq_cmd_taskq == NULL) {
950 		dev_err(nvme->n_dip, CE_WARN, "!failed to create cmd "
951 		    "taskq for cq %u", idx);
952 		goto fail;
953 	}
954 
955 	*cqp = cq;
956 	return (DDI_SUCCESS);
957 
958 fail:
959 	nvme_free_cq(cq);
960 	*cqp = NULL;
961 
962 	return (DDI_FAILURE);
963 }
964 
965 /*
966  * Create the n_cq array big enough to hold "ncq" completion queues.
967  * If the array already exists it will be re-sized (but only larger).
968  * The admin queue is included in this array, which boosts the
969  * max number of entries to UINT16_MAX + 1.
970  */
971 static int
972 nvme_create_cq_array(nvme_t *nvme, uint_t ncq, uint32_t nentry, uint_t nthr)
973 {
974 	nvme_cq_t **cq;
975 	uint_t i, cq_count;
976 
977 	ASSERT3U(ncq, >, nvme->n_cq_count);
978 
979 	cq = nvme->n_cq;
980 	cq_count = nvme->n_cq_count;
981 
982 	nvme->n_cq = kmem_zalloc(sizeof (*nvme->n_cq) * ncq, KM_SLEEP);
983 	nvme->n_cq_count = ncq;
984 
985 	for (i = 0; i < cq_count; i++)
986 		nvme->n_cq[i] = cq[i];
987 
988 	for (; i < nvme->n_cq_count; i++)
989 		if (nvme_alloc_cq(nvme, nentry, &nvme->n_cq[i], i, nthr) !=
990 		    DDI_SUCCESS)
991 			goto fail;
992 
993 	if (cq != NULL)
994 		kmem_free(cq, sizeof (*cq) * cq_count);
995 
996 	return (DDI_SUCCESS);
997 
998 fail:
999 	nvme_destroy_cq_array(nvme, cq_count);
1000 	/*
1001 	 * Restore the original array
1002 	 */
1003 	nvme->n_cq_count = cq_count;
1004 	nvme->n_cq = cq;
1005 
1006 	return (DDI_FAILURE);
1007 }
1008 
1009 static int
1010 nvme_alloc_qpair(nvme_t *nvme, uint32_t nentry, nvme_qpair_t **nqp,
1011     uint_t idx)
1012 {
1013 	nvme_qpair_t *qp = kmem_zalloc(sizeof (*qp), KM_SLEEP);
1014 	uint_t cq_idx;
1015 
1016 	mutex_init(&qp->nq_mutex, NULL, MUTEX_DRIVER,
1017 	    DDI_INTR_PRI(nvme->n_intr_pri));
1018 
1019 	/*
1020 	 * The NVMe spec defines that a full queue has one empty (unused) slot;
1021 	 * initialize the semaphore accordingly.
1022 	 */
1023 	sema_init(&qp->nq_sema, nentry - 1, NULL, SEMA_DRIVER, NULL);
1024 
1025 	if (nvme_zalloc_queue_dma(nvme, nentry, sizeof (nvme_sqe_t),
1026 	    DDI_DMA_WRITE, &qp->nq_sqdma) != DDI_SUCCESS)
1027 		goto fail;
1028 
1029 	/*
1030 	 * idx == 0 is adminq, those above 0 are shared io completion queues.
1031 	 */
1032 	cq_idx = idx == 0 ? 0 : 1 + (idx - 1) % (nvme->n_cq_count - 1);
1033 	qp->nq_cq = nvme->n_cq[cq_idx];
1034 	qp->nq_sq = (nvme_sqe_t *)qp->nq_sqdma->nd_memp;
1035 	qp->nq_nentry = nentry;
1036 
1037 	qp->nq_sqtdbl = NVME_REG_SQTDBL(nvme, idx);
1038 
1039 	qp->nq_cmd = kmem_zalloc(sizeof (nvme_cmd_t *) * nentry, KM_SLEEP);
1040 	qp->nq_next_cmd = 0;
1041 
1042 	*nqp = qp;
1043 	return (DDI_SUCCESS);
1044 
1045 fail:
1046 	nvme_free_qpair(qp);
1047 	*nqp = NULL;
1048 
1049 	return (DDI_FAILURE);
1050 }
1051 
1052 static nvme_cmd_t *
1053 nvme_alloc_cmd(nvme_t *nvme, int kmflag)
1054 {
1055 	nvme_cmd_t *cmd = kmem_cache_alloc(nvme_cmd_cache, kmflag);
1056 
1057 	if (cmd == NULL)
1058 		return (cmd);
1059 
1060 	bzero(cmd, sizeof (nvme_cmd_t));
1061 
1062 	cmd->nc_nvme = nvme;
1063 
1064 	mutex_init(&cmd->nc_mutex, NULL, MUTEX_DRIVER,
1065 	    DDI_INTR_PRI(nvme->n_intr_pri));
1066 	cv_init(&cmd->nc_cv, NULL, CV_DRIVER, NULL);
1067 
1068 	return (cmd);
1069 }
1070 
1071 static void
1072 nvme_free_cmd(nvme_cmd_t *cmd)
1073 {
1074 	/* Don't free commands on the lost commands list. */
1075 	if (list_link_active(&cmd->nc_list))
1076 		return;
1077 
1078 	if (cmd->nc_dma) {
1079 		nvme_free_dma(cmd->nc_dma);
1080 		cmd->nc_dma = NULL;
1081 	}
1082 
1083 	if (cmd->nc_prp) {
1084 		kmem_cache_free(cmd->nc_nvme->n_prp_cache, cmd->nc_prp);
1085 		cmd->nc_prp = NULL;
1086 	}
1087 
1088 	cv_destroy(&cmd->nc_cv);
1089 	mutex_destroy(&cmd->nc_mutex);
1090 
1091 	kmem_cache_free(nvme_cmd_cache, cmd);
1092 }
1093 
1094 static void
1095 nvme_submit_admin_cmd(nvme_qpair_t *qp, nvme_cmd_t *cmd)
1096 {
1097 	sema_p(&qp->nq_sema);
1098 	nvme_submit_cmd_common(qp, cmd);
1099 }
1100 
1101 static int
1102 nvme_submit_io_cmd(nvme_qpair_t *qp, nvme_cmd_t *cmd)
1103 {
1104 	if (cmd->nc_nvme->n_dead) {
1105 		return (EIO);
1106 	}
1107 
1108 	if (sema_tryp(&qp->nq_sema) == 0)
1109 		return (EAGAIN);
1110 
1111 	nvme_submit_cmd_common(qp, cmd);
1112 	return (0);
1113 }
1114 
1115 static void
1116 nvme_submit_cmd_common(nvme_qpair_t *qp, nvme_cmd_t *cmd)
1117 {
1118 	nvme_reg_sqtdbl_t tail = { 0 };
1119 
1120 	mutex_enter(&qp->nq_mutex);
1121 	cmd->nc_completed = B_FALSE;
1122 
1123 	/*
1124 	 * Now that we hold the queue pair lock, we must check whether or not
1125 	 * the controller has been listed as dead (e.g. was removed due to
1126 	 * hotplug). This is necessary as otherwise we could race with
1127 	 * nvme_remove_callback(). Because this has not been enqueued, we don't
1128 	 * call nvme_unqueue_cmd(), which is why we must manually decrement the
1129 	 * semaphore.
1130 	 */
1131 	if (cmd->nc_nvme->n_dead) {
1132 		taskq_dispatch_ent(qp->nq_cq->ncq_cmd_taskq, cmd->nc_callback,
1133 		    cmd, TQ_NOSLEEP, &cmd->nc_tqent);
1134 		sema_v(&qp->nq_sema);
1135 		mutex_exit(&qp->nq_mutex);
1136 		return;
1137 	}
1138 
1139 	/*
1140 	 * Try to insert the cmd into the active cmd array at the nq_next_cmd
1141 	 * slot. If the slot is already occupied advance to the next slot and
1142 	 * try again. This can happen for long running commands like async event
1143 	 * requests.
1144 	 */
1145 	while (qp->nq_cmd[qp->nq_next_cmd] != NULL)
1146 		qp->nq_next_cmd = (qp->nq_next_cmd + 1) % qp->nq_nentry;
1147 	qp->nq_cmd[qp->nq_next_cmd] = cmd;
1148 
1149 	qp->nq_active_cmds++;
1150 
1151 	cmd->nc_sqe.sqe_cid = qp->nq_next_cmd;
1152 	bcopy(&cmd->nc_sqe, &qp->nq_sq[qp->nq_sqtail], sizeof (nvme_sqe_t));
1153 	(void) ddi_dma_sync(qp->nq_sqdma->nd_dmah,
1154 	    sizeof (nvme_sqe_t) * qp->nq_sqtail,
1155 	    sizeof (nvme_sqe_t), DDI_DMA_SYNC_FORDEV);
1156 	qp->nq_next_cmd = (qp->nq_next_cmd + 1) % qp->nq_nentry;
1157 
1158 	tail.b.sqtdbl_sqt = qp->nq_sqtail = (qp->nq_sqtail + 1) % qp->nq_nentry;
1159 	nvme_put32(cmd->nc_nvme, qp->nq_sqtdbl, tail.r);
1160 
1161 	mutex_exit(&qp->nq_mutex);
1162 }
1163 
1164 static nvme_cmd_t *
1165 nvme_unqueue_cmd(nvme_t *nvme, nvme_qpair_t *qp, int cid)
1166 {
1167 	nvme_cmd_t *cmd;
1168 
1169 	ASSERT(mutex_owned(&qp->nq_mutex));
1170 	ASSERT3S(cid, <, qp->nq_nentry);
1171 
1172 	cmd = qp->nq_cmd[cid];
1173 	qp->nq_cmd[cid] = NULL;
1174 	ASSERT3U(qp->nq_active_cmds, >, 0);
1175 	qp->nq_active_cmds--;
1176 	sema_v(&qp->nq_sema);
1177 
1178 	ASSERT3P(cmd, !=, NULL);
1179 	ASSERT3P(cmd->nc_nvme, ==, nvme);
1180 	ASSERT3S(cmd->nc_sqe.sqe_cid, ==, cid);
1181 
1182 	return (cmd);
1183 }
1184 
1185 /*
1186  * Get the command tied to the next completed cqe and bump along completion
1187  * queue head counter.
1188  */
1189 static nvme_cmd_t *
1190 nvme_get_completed(nvme_t *nvme, nvme_cq_t *cq)
1191 {
1192 	nvme_qpair_t *qp;
1193 	nvme_cqe_t *cqe;
1194 	nvme_cmd_t *cmd;
1195 
1196 	ASSERT(mutex_owned(&cq->ncq_mutex));
1197 
1198 	cqe = &cq->ncq_cq[cq->ncq_head];
1199 
1200 	/* Check phase tag of CQE. Hardware inverts it for new entries. */
1201 	if (cqe->cqe_sf.sf_p == cq->ncq_phase)
1202 		return (NULL);
1203 
1204 	qp = nvme->n_ioq[cqe->cqe_sqid];
1205 
1206 	mutex_enter(&qp->nq_mutex);
1207 	cmd = nvme_unqueue_cmd(nvme, qp, cqe->cqe_cid);
1208 	mutex_exit(&qp->nq_mutex);
1209 
1210 	ASSERT(cmd->nc_sqid == cqe->cqe_sqid);
1211 	bcopy(cqe, &cmd->nc_cqe, sizeof (nvme_cqe_t));
1212 
1213 	qp->nq_sqhead = cqe->cqe_sqhd;
1214 
1215 	cq->ncq_head = (cq->ncq_head + 1) % cq->ncq_nentry;
1216 
1217 	/* Toggle phase on wrap-around. */
1218 	if (cq->ncq_head == 0)
1219 		cq->ncq_phase = cq->ncq_phase ? 0 : 1;
1220 
1221 	return (cmd);
1222 }
1223 
1224 /*
1225  * Process all completed commands on the io completion queue.
1226  */
1227 static uint_t
1228 nvme_process_iocq(nvme_t *nvme, nvme_cq_t *cq)
1229 {
1230 	nvme_reg_cqhdbl_t head = { 0 };
1231 	nvme_cmd_t *cmd;
1232 	uint_t completed = 0;
1233 
1234 	if (ddi_dma_sync(cq->ncq_dma->nd_dmah, 0, 0, DDI_DMA_SYNC_FORKERNEL) !=
1235 	    DDI_SUCCESS)
1236 		dev_err(nvme->n_dip, CE_WARN, "!ddi_dma_sync() failed in %s",
1237 		    __func__);
1238 
1239 	mutex_enter(&cq->ncq_mutex);
1240 
1241 	while ((cmd = nvme_get_completed(nvme, cq)) != NULL) {
1242 		taskq_dispatch_ent(cq->ncq_cmd_taskq, cmd->nc_callback, cmd,
1243 		    TQ_NOSLEEP, &cmd->nc_tqent);
1244 
1245 		completed++;
1246 	}
1247 
1248 	if (completed > 0) {
1249 		/*
1250 		 * Update the completion queue head doorbell.
1251 		 */
1252 		head.b.cqhdbl_cqh = cq->ncq_head;
1253 		nvme_put32(nvme, cq->ncq_hdbl, head.r);
1254 	}
1255 
1256 	mutex_exit(&cq->ncq_mutex);
1257 
1258 	return (completed);
1259 }
1260 
1261 static nvme_cmd_t *
1262 nvme_retrieve_cmd(nvme_t *nvme, nvme_qpair_t *qp)
1263 {
1264 	nvme_cq_t *cq = qp->nq_cq;
1265 	nvme_reg_cqhdbl_t head = { 0 };
1266 	nvme_cmd_t *cmd;
1267 
1268 	if (ddi_dma_sync(cq->ncq_dma->nd_dmah, 0, 0, DDI_DMA_SYNC_FORKERNEL) !=
1269 	    DDI_SUCCESS)
1270 		dev_err(nvme->n_dip, CE_WARN, "!ddi_dma_sync() failed in %s",
1271 		    __func__);
1272 
1273 	mutex_enter(&cq->ncq_mutex);
1274 
1275 	if ((cmd = nvme_get_completed(nvme, cq)) != NULL) {
1276 		head.b.cqhdbl_cqh = cq->ncq_head;
1277 		nvme_put32(nvme, cq->ncq_hdbl, head.r);
1278 	}
1279 
1280 	mutex_exit(&cq->ncq_mutex);
1281 
1282 	return (cmd);
1283 }
1284 
1285 static int
1286 nvme_check_unknown_cmd_status(nvme_cmd_t *cmd)
1287 {
1288 	nvme_cqe_t *cqe = &cmd->nc_cqe;
1289 
1290 	dev_err(cmd->nc_nvme->n_dip, CE_WARN,
1291 	    "!unknown command status received: opc = %x, sqid = %d, cid = %d, "
1292 	    "sc = %x, sct = %x, dnr = %d, m = %d", cmd->nc_sqe.sqe_opc,
1293 	    cqe->cqe_sqid, cqe->cqe_cid, cqe->cqe_sf.sf_sc, cqe->cqe_sf.sf_sct,
1294 	    cqe->cqe_sf.sf_dnr, cqe->cqe_sf.sf_m);
1295 
1296 	if (cmd->nc_xfer != NULL)
1297 		bd_error(cmd->nc_xfer, BD_ERR_ILLRQ);
1298 
1299 	if (cmd->nc_nvme->n_strict_version) {
1300 		cmd->nc_nvme->n_dead = B_TRUE;
1301 		ddi_fm_service_impact(cmd->nc_nvme->n_dip, DDI_SERVICE_LOST);
1302 	}
1303 
1304 	return (EIO);
1305 }
1306 
1307 static int
1308 nvme_check_vendor_cmd_status(nvme_cmd_t *cmd)
1309 {
1310 	nvme_cqe_t *cqe = &cmd->nc_cqe;
1311 
1312 	dev_err(cmd->nc_nvme->n_dip, CE_WARN,
1313 	    "!unknown command status received: opc = %x, sqid = %d, cid = %d, "
1314 	    "sc = %x, sct = %x, dnr = %d, m = %d", cmd->nc_sqe.sqe_opc,
1315 	    cqe->cqe_sqid, cqe->cqe_cid, cqe->cqe_sf.sf_sc, cqe->cqe_sf.sf_sct,
1316 	    cqe->cqe_sf.sf_dnr, cqe->cqe_sf.sf_m);
1317 	if (!cmd->nc_nvme->n_ignore_unknown_vendor_status) {
1318 		cmd->nc_nvme->n_dead = B_TRUE;
1319 		ddi_fm_service_impact(cmd->nc_nvme->n_dip, DDI_SERVICE_LOST);
1320 	}
1321 
1322 	return (EIO);
1323 }
1324 
1325 static int
1326 nvme_check_integrity_cmd_status(nvme_cmd_t *cmd)
1327 {
1328 	nvme_cqe_t *cqe = &cmd->nc_cqe;
1329 
1330 	switch (cqe->cqe_sf.sf_sc) {
1331 	case NVME_CQE_SC_INT_NVM_WRITE:
1332 		/* write fail */
1333 		/* TODO: post ereport */
1334 		if (cmd->nc_xfer != NULL)
1335 			bd_error(cmd->nc_xfer, BD_ERR_MEDIA);
1336 		return (EIO);
1337 
1338 	case NVME_CQE_SC_INT_NVM_READ:
1339 		/* read fail */
1340 		/* TODO: post ereport */
1341 		if (cmd->nc_xfer != NULL)
1342 			bd_error(cmd->nc_xfer, BD_ERR_MEDIA);
1343 		return (EIO);
1344 
1345 	default:
1346 		return (nvme_check_unknown_cmd_status(cmd));
1347 	}
1348 }
1349 
1350 static int
1351 nvme_check_generic_cmd_status(nvme_cmd_t *cmd)
1352 {
1353 	nvme_cqe_t *cqe = &cmd->nc_cqe;
1354 
1355 	switch (cqe->cqe_sf.sf_sc) {
1356 	case NVME_CQE_SC_GEN_SUCCESS:
1357 		return (0);
1358 
1359 	/*
1360 	 * Errors indicating a bug in the driver should cause a panic.
1361 	 */
1362 	case NVME_CQE_SC_GEN_INV_OPC:
1363 		/* Invalid Command Opcode */
1364 		if (!cmd->nc_dontpanic)
1365 			dev_err(cmd->nc_nvme->n_dip, CE_PANIC,
1366 			    "programming error: invalid opcode in cmd %p",
1367 			    (void *)cmd);
1368 		return (EINVAL);
1369 
1370 	case NVME_CQE_SC_GEN_INV_FLD:
1371 		/* Invalid Field in Command */
1372 		if (!cmd->nc_dontpanic)
1373 			dev_err(cmd->nc_nvme->n_dip, CE_PANIC,
1374 			    "programming error: invalid field in cmd %p",
1375 			    (void *)cmd);
1376 		return (EIO);
1377 
1378 	case NVME_CQE_SC_GEN_ID_CNFL:
1379 		/* Command ID Conflict */
1380 		dev_err(cmd->nc_nvme->n_dip, CE_PANIC, "programming error: "
1381 		    "cmd ID conflict in cmd %p", (void *)cmd);
1382 		return (0);
1383 
1384 	case NVME_CQE_SC_GEN_INV_NS:
1385 		/* Invalid Namespace or Format */
1386 		if (!cmd->nc_dontpanic)
1387 			dev_err(cmd->nc_nvme->n_dip, CE_PANIC,
1388 			    "programming error: invalid NS/format in cmd %p",
1389 			    (void *)cmd);
1390 		return (EINVAL);
1391 
1392 	case NVME_CQE_SC_GEN_NVM_LBA_RANGE:
1393 		/* LBA Out Of Range */
1394 		dev_err(cmd->nc_nvme->n_dip, CE_PANIC, "programming error: "
1395 		    "LBA out of range in cmd %p", (void *)cmd);
1396 		return (0);
1397 
1398 	/*
1399 	 * Non-fatal errors, handle gracefully.
1400 	 */
1401 	case NVME_CQE_SC_GEN_DATA_XFR_ERR:
1402 		/* Data Transfer Error (DMA) */
1403 		/* TODO: post ereport */
1404 		atomic_inc_32(&cmd->nc_nvme->n_data_xfr_err);
1405 		if (cmd->nc_xfer != NULL)
1406 			bd_error(cmd->nc_xfer, BD_ERR_NTRDY);
1407 		return (EIO);
1408 
1409 	case NVME_CQE_SC_GEN_INTERNAL_ERR:
1410 		/*
1411 		 * Internal Error. The spec (v1.0, section 4.5.1.2) says
1412 		 * detailed error information is returned as async event,
1413 		 * so we pretty much ignore the error here and handle it
1414 		 * in the async event handler.
1415 		 */
1416 		atomic_inc_32(&cmd->nc_nvme->n_internal_err);
1417 		if (cmd->nc_xfer != NULL)
1418 			bd_error(cmd->nc_xfer, BD_ERR_NTRDY);
1419 		return (EIO);
1420 
1421 	case NVME_CQE_SC_GEN_ABORT_REQUEST:
1422 		/*
1423 		 * Command Abort Requested. This normally happens only when a
1424 		 * command times out.
1425 		 */
1426 		/* TODO: post ereport or change blkdev to handle this? */
1427 		atomic_inc_32(&cmd->nc_nvme->n_abort_rq_err);
1428 		return (ECANCELED);
1429 
1430 	case NVME_CQE_SC_GEN_ABORT_PWRLOSS:
1431 		/* Command Aborted due to Power Loss Notification */
1432 		ddi_fm_service_impact(cmd->nc_nvme->n_dip, DDI_SERVICE_LOST);
1433 		cmd->nc_nvme->n_dead = B_TRUE;
1434 		return (EIO);
1435 
1436 	case NVME_CQE_SC_GEN_ABORT_SQ_DEL:
1437 		/* Command Aborted due to SQ Deletion */
1438 		atomic_inc_32(&cmd->nc_nvme->n_abort_sq_del);
1439 		return (EIO);
1440 
1441 	case NVME_CQE_SC_GEN_NVM_CAP_EXC:
1442 		/* Capacity Exceeded */
1443 		atomic_inc_32(&cmd->nc_nvme->n_nvm_cap_exc);
1444 		if (cmd->nc_xfer != NULL)
1445 			bd_error(cmd->nc_xfer, BD_ERR_MEDIA);
1446 		return (EIO);
1447 
1448 	case NVME_CQE_SC_GEN_NVM_NS_NOTRDY:
1449 		/* Namespace Not Ready */
1450 		atomic_inc_32(&cmd->nc_nvme->n_nvm_ns_notrdy);
1451 		if (cmd->nc_xfer != NULL)
1452 			bd_error(cmd->nc_xfer, BD_ERR_NTRDY);
1453 		return (EIO);
1454 
1455 	default:
1456 		return (nvme_check_unknown_cmd_status(cmd));
1457 	}
1458 }
1459 
1460 static int
1461 nvme_check_specific_cmd_status(nvme_cmd_t *cmd)
1462 {
1463 	nvme_cqe_t *cqe = &cmd->nc_cqe;
1464 
1465 	switch (cqe->cqe_sf.sf_sc) {
1466 	case NVME_CQE_SC_SPC_INV_CQ:
1467 		/* Completion Queue Invalid */
1468 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_CREATE_SQUEUE);
1469 		atomic_inc_32(&cmd->nc_nvme->n_inv_cq_err);
1470 		return (EINVAL);
1471 
1472 	case NVME_CQE_SC_SPC_INV_QID:
1473 		/* Invalid Queue Identifier */
1474 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_CREATE_SQUEUE ||
1475 		    cmd->nc_sqe.sqe_opc == NVME_OPC_DELETE_SQUEUE ||
1476 		    cmd->nc_sqe.sqe_opc == NVME_OPC_CREATE_CQUEUE ||
1477 		    cmd->nc_sqe.sqe_opc == NVME_OPC_DELETE_CQUEUE);
1478 		atomic_inc_32(&cmd->nc_nvme->n_inv_qid_err);
1479 		return (EINVAL);
1480 
1481 	case NVME_CQE_SC_SPC_MAX_QSZ_EXC:
1482 		/* Max Queue Size Exceeded */
1483 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_CREATE_SQUEUE ||
1484 		    cmd->nc_sqe.sqe_opc == NVME_OPC_CREATE_CQUEUE);
1485 		atomic_inc_32(&cmd->nc_nvme->n_max_qsz_exc);
1486 		return (EINVAL);
1487 
1488 	case NVME_CQE_SC_SPC_ABRT_CMD_EXC:
1489 		/* Abort Command Limit Exceeded */
1490 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_ABORT);
1491 		dev_err(cmd->nc_nvme->n_dip, CE_PANIC, "programming error: "
1492 		    "abort command limit exceeded in cmd %p", (void *)cmd);
1493 		return (0);
1494 
1495 	case NVME_CQE_SC_SPC_ASYNC_EVREQ_EXC:
1496 		/* Async Event Request Limit Exceeded */
1497 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_ASYNC_EVENT);
1498 		dev_err(cmd->nc_nvme->n_dip, CE_PANIC, "programming error: "
1499 		    "async event request limit exceeded in cmd %p",
1500 		    (void *)cmd);
1501 		return (0);
1502 
1503 	case NVME_CQE_SC_SPC_INV_INT_VECT:
1504 		/* Invalid Interrupt Vector */
1505 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_CREATE_CQUEUE);
1506 		atomic_inc_32(&cmd->nc_nvme->n_inv_int_vect);
1507 		return (EINVAL);
1508 
1509 	case NVME_CQE_SC_SPC_INV_LOG_PAGE:
1510 		/* Invalid Log Page */
1511 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_GET_LOG_PAGE);
1512 		atomic_inc_32(&cmd->nc_nvme->n_inv_log_page);
1513 		return (EINVAL);
1514 
1515 	case NVME_CQE_SC_SPC_INV_FORMAT:
1516 		/* Invalid Format */
1517 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_NVM_FORMAT);
1518 		atomic_inc_32(&cmd->nc_nvme->n_inv_format);
1519 		if (cmd->nc_xfer != NULL)
1520 			bd_error(cmd->nc_xfer, BD_ERR_ILLRQ);
1521 		return (EINVAL);
1522 
1523 	case NVME_CQE_SC_SPC_INV_Q_DEL:
1524 		/* Invalid Queue Deletion */
1525 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_DELETE_CQUEUE);
1526 		atomic_inc_32(&cmd->nc_nvme->n_inv_q_del);
1527 		return (EINVAL);
1528 
1529 	case NVME_CQE_SC_SPC_NVM_CNFL_ATTR:
1530 		/* Conflicting Attributes */
1531 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_NVM_DSET_MGMT ||
1532 		    cmd->nc_sqe.sqe_opc == NVME_OPC_NVM_READ ||
1533 		    cmd->nc_sqe.sqe_opc == NVME_OPC_NVM_WRITE);
1534 		atomic_inc_32(&cmd->nc_nvme->n_cnfl_attr);
1535 		if (cmd->nc_xfer != NULL)
1536 			bd_error(cmd->nc_xfer, BD_ERR_ILLRQ);
1537 		return (EINVAL);
1538 
1539 	case NVME_CQE_SC_SPC_NVM_INV_PROT:
1540 		/* Invalid Protection Information */
1541 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_NVM_COMPARE ||
1542 		    cmd->nc_sqe.sqe_opc == NVME_OPC_NVM_READ ||
1543 		    cmd->nc_sqe.sqe_opc == NVME_OPC_NVM_WRITE);
1544 		atomic_inc_32(&cmd->nc_nvme->n_inv_prot);
1545 		if (cmd->nc_xfer != NULL)
1546 			bd_error(cmd->nc_xfer, BD_ERR_ILLRQ);
1547 		return (EINVAL);
1548 
1549 	case NVME_CQE_SC_SPC_NVM_READONLY:
1550 		/* Write to Read Only Range */
1551 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_NVM_WRITE);
1552 		atomic_inc_32(&cmd->nc_nvme->n_readonly);
1553 		if (cmd->nc_xfer != NULL)
1554 			bd_error(cmd->nc_xfer, BD_ERR_ILLRQ);
1555 		return (EROFS);
1556 
1557 	case NVME_CQE_SC_SPC_INV_FW_SLOT:
1558 		/* Invalid Firmware Slot */
1559 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_FW_ACTIVATE);
1560 		return (EINVAL);
1561 
1562 	case NVME_CQE_SC_SPC_INV_FW_IMG:
1563 		/* Invalid Firmware Image */
1564 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_FW_ACTIVATE);
1565 		return (EINVAL);
1566 
1567 	case NVME_CQE_SC_SPC_FW_RESET:
1568 		/* Conventional Reset Required */
1569 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_FW_ACTIVATE);
1570 		return (0);
1571 
1572 	case NVME_CQE_SC_SPC_FW_NSSR:
1573 		/* NVMe Subsystem Reset Required */
1574 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_FW_ACTIVATE);
1575 		return (0);
1576 
1577 	case NVME_CQE_SC_SPC_FW_NEXT_RESET:
1578 		/* Activation Requires Reset */
1579 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_FW_ACTIVATE);
1580 		return (0);
1581 
1582 	case NVME_CQE_SC_SPC_FW_MTFA:
1583 		/* Activation Requires Maximum Time Violation */
1584 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_FW_ACTIVATE);
1585 		return (EAGAIN);
1586 
1587 	case NVME_CQE_SC_SPC_FW_PROHIBITED:
1588 		/* Activation Prohibited */
1589 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_FW_ACTIVATE);
1590 		return (EINVAL);
1591 
1592 	case NVME_CQE_SC_SPC_FW_OVERLAP:
1593 		/* Overlapping Firmware Ranges */
1594 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_FW_IMAGE_LOAD);
1595 		return (EINVAL);
1596 
1597 	default:
1598 		return (nvme_check_unknown_cmd_status(cmd));
1599 	}
1600 }
1601 
1602 static inline int
1603 nvme_check_cmd_status(nvme_cmd_t *cmd)
1604 {
1605 	nvme_cqe_t *cqe = &cmd->nc_cqe;
1606 
1607 	/*
1608 	 * Take a shortcut if the controller is dead, or if
1609 	 * command status indicates no error.
1610 	 */
1611 	if (cmd->nc_nvme->n_dead)
1612 		return (EIO);
1613 
1614 	if (cqe->cqe_sf.sf_sct == NVME_CQE_SCT_GENERIC &&
1615 	    cqe->cqe_sf.sf_sc == NVME_CQE_SC_GEN_SUCCESS)
1616 		return (0);
1617 
1618 	if (cqe->cqe_sf.sf_sct == NVME_CQE_SCT_GENERIC)
1619 		return (nvme_check_generic_cmd_status(cmd));
1620 	else if (cqe->cqe_sf.sf_sct == NVME_CQE_SCT_SPECIFIC)
1621 		return (nvme_check_specific_cmd_status(cmd));
1622 	else if (cqe->cqe_sf.sf_sct == NVME_CQE_SCT_INTEGRITY)
1623 		return (nvme_check_integrity_cmd_status(cmd));
1624 	else if (cqe->cqe_sf.sf_sct == NVME_CQE_SCT_VENDOR)
1625 		return (nvme_check_vendor_cmd_status(cmd));
1626 
1627 	return (nvme_check_unknown_cmd_status(cmd));
1628 }
1629 
1630 static int
1631 nvme_abort_cmd(nvme_cmd_t *abort_cmd, uint_t sec)
1632 {
1633 	nvme_t *nvme = abort_cmd->nc_nvme;
1634 	nvme_cmd_t *cmd = nvme_alloc_cmd(nvme, KM_SLEEP);
1635 	nvme_abort_cmd_t ac = { 0 };
1636 	int ret = 0;
1637 
1638 	sema_p(&nvme->n_abort_sema);
1639 
1640 	ac.b.ac_cid = abort_cmd->nc_sqe.sqe_cid;
1641 	ac.b.ac_sqid = abort_cmd->nc_sqid;
1642 
1643 	cmd->nc_sqid = 0;
1644 	cmd->nc_sqe.sqe_opc = NVME_OPC_ABORT;
1645 	cmd->nc_callback = nvme_wakeup_cmd;
1646 	cmd->nc_sqe.sqe_cdw10 = ac.r;
1647 
1648 	/*
1649 	 * Send the ABORT to the hardware. The ABORT command will return _after_
1650 	 * the aborted command has completed (aborted or otherwise), but since
1651 	 * we still hold the aborted command's mutex its callback hasn't been
1652 	 * processed yet.
1653 	 */
1654 	nvme_admin_cmd(cmd, sec);
1655 	sema_v(&nvme->n_abort_sema);
1656 
1657 	if ((ret = nvme_check_cmd_status(cmd)) != 0) {
1658 		dev_err(nvme->n_dip, CE_WARN,
1659 		    "!ABORT failed with sct = %x, sc = %x",
1660 		    cmd->nc_cqe.cqe_sf.sf_sct, cmd->nc_cqe.cqe_sf.sf_sc);
1661 		atomic_inc_32(&nvme->n_abort_failed);
1662 	} else {
1663 		dev_err(nvme->n_dip, CE_WARN,
1664 		    "!ABORT of command %d/%d %ssuccessful",
1665 		    abort_cmd->nc_sqe.sqe_cid, abort_cmd->nc_sqid,
1666 		    cmd->nc_cqe.cqe_dw0 & 1 ? "un" : "");
1667 		if ((cmd->nc_cqe.cqe_dw0 & 1) == 0)
1668 			atomic_inc_32(&nvme->n_cmd_aborted);
1669 	}
1670 
1671 	nvme_free_cmd(cmd);
1672 	return (ret);
1673 }
1674 
1675 /*
1676  * nvme_wait_cmd -- wait for command completion or timeout
1677  *
1678  * In case of a serious error or a timeout of the abort command the hardware
1679  * will be declared dead and FMA will be notified.
1680  */
1681 static void
1682 nvme_wait_cmd(nvme_cmd_t *cmd, uint_t sec)
1683 {
1684 	clock_t timeout = ddi_get_lbolt() + drv_usectohz(sec * MICROSEC);
1685 	nvme_t *nvme = cmd->nc_nvme;
1686 	nvme_reg_csts_t csts;
1687 	nvme_qpair_t *qp;
1688 
1689 	ASSERT(mutex_owned(&cmd->nc_mutex));
1690 
1691 	while (!cmd->nc_completed) {
1692 		if (cv_timedwait(&cmd->nc_cv, &cmd->nc_mutex, timeout) == -1)
1693 			break;
1694 	}
1695 
1696 	if (cmd->nc_completed)
1697 		return;
1698 
1699 	/*
1700 	 * The command timed out.
1701 	 *
1702 	 * Check controller for fatal status, any errors associated with the
1703 	 * register or DMA handle, or for a double timeout (abort command timed
1704 	 * out). If necessary log a warning and call FMA.
1705 	 */
1706 	csts.r = nvme_get32(nvme, NVME_REG_CSTS);
1707 	dev_err(nvme->n_dip, CE_WARN, "!command %d/%d timeout, "
1708 	    "OPC = %x, CFS = %d", cmd->nc_sqe.sqe_cid, cmd->nc_sqid,
1709 	    cmd->nc_sqe.sqe_opc, csts.b.csts_cfs);
1710 	atomic_inc_32(&nvme->n_cmd_timeout);
1711 
1712 	if (csts.b.csts_cfs ||
1713 	    nvme_check_regs_hdl(nvme) ||
1714 	    nvme_check_dma_hdl(cmd->nc_dma) ||
1715 	    cmd->nc_sqe.sqe_opc == NVME_OPC_ABORT) {
1716 		ddi_fm_service_impact(nvme->n_dip, DDI_SERVICE_LOST);
1717 		nvme->n_dead = B_TRUE;
1718 	} else if (nvme_abort_cmd(cmd, sec) == 0) {
1719 		/*
1720 		 * If the abort succeeded the command should complete
1721 		 * immediately with an appropriate status.
1722 		 */
1723 		while (!cmd->nc_completed)
1724 			cv_wait(&cmd->nc_cv, &cmd->nc_mutex);
1725 
1726 		return;
1727 	}
1728 
1729 	qp = nvme->n_ioq[cmd->nc_sqid];
1730 
1731 	mutex_enter(&qp->nq_mutex);
1732 	(void) nvme_unqueue_cmd(nvme, qp, cmd->nc_sqe.sqe_cid);
1733 	mutex_exit(&qp->nq_mutex);
1734 
1735 	/*
1736 	 * As we don't know what the presumed dead hardware might still do with
1737 	 * the DMA memory, we'll put the command on the lost commands list if it
1738 	 * has any DMA memory.
1739 	 */
1740 	if (cmd->nc_dma != NULL) {
1741 		mutex_enter(&nvme_lc_mutex);
1742 		list_insert_head(&nvme_lost_cmds, cmd);
1743 		mutex_exit(&nvme_lc_mutex);
1744 	}
1745 }
1746 
1747 static void
1748 nvme_wakeup_cmd(void *arg)
1749 {
1750 	nvme_cmd_t *cmd = arg;
1751 
1752 	mutex_enter(&cmd->nc_mutex);
1753 	cmd->nc_completed = B_TRUE;
1754 	cv_signal(&cmd->nc_cv);
1755 	mutex_exit(&cmd->nc_mutex);
1756 }
1757 
1758 static void
1759 nvme_async_event_task(void *arg)
1760 {
1761 	nvme_cmd_t *cmd = arg;
1762 	nvme_t *nvme = cmd->nc_nvme;
1763 	nvme_error_log_entry_t *error_log = NULL;
1764 	nvme_health_log_t *health_log = NULL;
1765 	size_t logsize = 0;
1766 	nvme_async_event_t event;
1767 
1768 	/*
1769 	 * Check for errors associated with the async request itself. The only
1770 	 * command-specific error is "async event limit exceeded", which
1771 	 * indicates a programming error in the driver and causes a panic in
1772 	 * nvme_check_cmd_status().
1773 	 *
1774 	 * Other possible errors are various scenarios where the async request
1775 	 * was aborted, or internal errors in the device. Internal errors are
1776 	 * reported to FMA, the command aborts need no special handling here.
1777 	 *
1778 	 * And finally, at least qemu nvme does not support async events,
1779 	 * and will return NVME_CQE_SC_GEN_INV_OPC | DNR. If so, we
1780 	 * will avoid posting async events.
1781 	 */
1782 
1783 	if (nvme_check_cmd_status(cmd) != 0) {
1784 		dev_err(cmd->nc_nvme->n_dip, CE_WARN,
1785 		    "!async event request returned failure, sct = %x, "
1786 		    "sc = %x, dnr = %d, m = %d", cmd->nc_cqe.cqe_sf.sf_sct,
1787 		    cmd->nc_cqe.cqe_sf.sf_sc, cmd->nc_cqe.cqe_sf.sf_dnr,
1788 		    cmd->nc_cqe.cqe_sf.sf_m);
1789 
1790 		if (cmd->nc_cqe.cqe_sf.sf_sct == NVME_CQE_SCT_GENERIC &&
1791 		    cmd->nc_cqe.cqe_sf.sf_sc == NVME_CQE_SC_GEN_INTERNAL_ERR) {
1792 			cmd->nc_nvme->n_dead = B_TRUE;
1793 			ddi_fm_service_impact(cmd->nc_nvme->n_dip,
1794 			    DDI_SERVICE_LOST);
1795 		}
1796 
1797 		if (cmd->nc_cqe.cqe_sf.sf_sct == NVME_CQE_SCT_GENERIC &&
1798 		    cmd->nc_cqe.cqe_sf.sf_sc == NVME_CQE_SC_GEN_INV_OPC &&
1799 		    cmd->nc_cqe.cqe_sf.sf_dnr == 1) {
1800 			nvme->n_async_event_supported = B_FALSE;
1801 		}
1802 
1803 		nvme_free_cmd(cmd);
1804 		return;
1805 	}
1806 
1807 
1808 	event.r = cmd->nc_cqe.cqe_dw0;
1809 
1810 	/* Clear CQE and re-submit the async request. */
1811 	bzero(&cmd->nc_cqe, sizeof (nvme_cqe_t));
1812 	nvme_submit_admin_cmd(nvme->n_adminq, cmd);
1813 
1814 	switch (event.b.ae_type) {
1815 	case NVME_ASYNC_TYPE_ERROR:
1816 		if (event.b.ae_logpage == NVME_LOGPAGE_ERROR) {
1817 			(void) nvme_get_logpage(nvme, B_FALSE,
1818 			    (void **)&error_log, &logsize, event.b.ae_logpage);
1819 		} else {
1820 			dev_err(nvme->n_dip, CE_WARN, "!wrong logpage in "
1821 			    "async event reply: %d", event.b.ae_logpage);
1822 			atomic_inc_32(&nvme->n_wrong_logpage);
1823 		}
1824 
1825 		switch (event.b.ae_info) {
1826 		case NVME_ASYNC_ERROR_INV_SQ:
1827 			dev_err(nvme->n_dip, CE_PANIC, "programming error: "
1828 			    "invalid submission queue");
1829 			return;
1830 
1831 		case NVME_ASYNC_ERROR_INV_DBL:
1832 			dev_err(nvme->n_dip, CE_PANIC, "programming error: "
1833 			    "invalid doorbell write value");
1834 			return;
1835 
1836 		case NVME_ASYNC_ERROR_DIAGFAIL:
1837 			dev_err(nvme->n_dip, CE_WARN, "!diagnostic failure");
1838 			ddi_fm_service_impact(nvme->n_dip, DDI_SERVICE_LOST);
1839 			nvme->n_dead = B_TRUE;
1840 			atomic_inc_32(&nvme->n_diagfail_event);
1841 			break;
1842 
1843 		case NVME_ASYNC_ERROR_PERSISTENT:
1844 			dev_err(nvme->n_dip, CE_WARN, "!persistent internal "
1845 			    "device error");
1846 			ddi_fm_service_impact(nvme->n_dip, DDI_SERVICE_LOST);
1847 			nvme->n_dead = B_TRUE;
1848 			atomic_inc_32(&nvme->n_persistent_event);
1849 			break;
1850 
1851 		case NVME_ASYNC_ERROR_TRANSIENT:
1852 			dev_err(nvme->n_dip, CE_WARN, "!transient internal "
1853 			    "device error");
1854 			/* TODO: send ereport */
1855 			atomic_inc_32(&nvme->n_transient_event);
1856 			break;
1857 
1858 		case NVME_ASYNC_ERROR_FW_LOAD:
1859 			dev_err(nvme->n_dip, CE_WARN,
1860 			    "!firmware image load error");
1861 			atomic_inc_32(&nvme->n_fw_load_event);
1862 			break;
1863 		}
1864 		break;
1865 
1866 	case NVME_ASYNC_TYPE_HEALTH:
1867 		if (event.b.ae_logpage == NVME_LOGPAGE_HEALTH) {
1868 			(void) nvme_get_logpage(nvme, B_FALSE,
1869 			    (void **)&health_log, &logsize, event.b.ae_logpage,
1870 			    -1);
1871 		} else {
1872 			dev_err(nvme->n_dip, CE_WARN, "!wrong logpage in "
1873 			    "async event reply: %d", event.b.ae_logpage);
1874 			atomic_inc_32(&nvme->n_wrong_logpage);
1875 		}
1876 
1877 		switch (event.b.ae_info) {
1878 		case NVME_ASYNC_HEALTH_RELIABILITY:
1879 			dev_err(nvme->n_dip, CE_WARN,
1880 			    "!device reliability compromised");
1881 			/* TODO: send ereport */
1882 			atomic_inc_32(&nvme->n_reliability_event);
1883 			break;
1884 
1885 		case NVME_ASYNC_HEALTH_TEMPERATURE:
1886 			dev_err(nvme->n_dip, CE_WARN,
1887 			    "!temperature above threshold");
1888 			/* TODO: send ereport */
1889 			atomic_inc_32(&nvme->n_temperature_event);
1890 			break;
1891 
1892 		case NVME_ASYNC_HEALTH_SPARE:
1893 			dev_err(nvme->n_dip, CE_WARN,
1894 			    "!spare space below threshold");
1895 			/* TODO: send ereport */
1896 			atomic_inc_32(&nvme->n_spare_event);
1897 			break;
1898 		}
1899 		break;
1900 
1901 	case NVME_ASYNC_TYPE_VENDOR:
1902 		dev_err(nvme->n_dip, CE_WARN, "!vendor specific async event "
1903 		    "received, info = %x, logpage = %x", event.b.ae_info,
1904 		    event.b.ae_logpage);
1905 		atomic_inc_32(&nvme->n_vendor_event);
1906 		break;
1907 
1908 	default:
1909 		dev_err(nvme->n_dip, CE_WARN, "!unknown async event received, "
1910 		    "type = %x, info = %x, logpage = %x", event.b.ae_type,
1911 		    event.b.ae_info, event.b.ae_logpage);
1912 		atomic_inc_32(&nvme->n_unknown_event);
1913 		break;
1914 	}
1915 
1916 	if (error_log)
1917 		kmem_free(error_log, logsize);
1918 
1919 	if (health_log)
1920 		kmem_free(health_log, logsize);
1921 }
1922 
1923 static void
1924 nvme_admin_cmd(nvme_cmd_t *cmd, int sec)
1925 {
1926 	mutex_enter(&cmd->nc_mutex);
1927 	nvme_submit_admin_cmd(cmd->nc_nvme->n_adminq, cmd);
1928 	nvme_wait_cmd(cmd, sec);
1929 	mutex_exit(&cmd->nc_mutex);
1930 }
1931 
1932 static void
1933 nvme_async_event(nvme_t *nvme)
1934 {
1935 	nvme_cmd_t *cmd;
1936 
1937 	cmd = nvme_alloc_cmd(nvme, KM_SLEEP);
1938 	cmd->nc_sqid = 0;
1939 	cmd->nc_sqe.sqe_opc = NVME_OPC_ASYNC_EVENT;
1940 	cmd->nc_callback = nvme_async_event_task;
1941 	cmd->nc_dontpanic = B_TRUE;
1942 
1943 	nvme_submit_admin_cmd(nvme->n_adminq, cmd);
1944 }
1945 
1946 static int
1947 nvme_format_nvm(nvme_t *nvme, boolean_t user, uint32_t nsid, uint8_t lbaf,
1948     boolean_t ms, uint8_t pi, boolean_t pil, uint8_t ses)
1949 {
1950 	nvme_cmd_t *cmd = nvme_alloc_cmd(nvme, KM_SLEEP);
1951 	nvme_format_nvm_t format_nvm = { 0 };
1952 	int ret;
1953 
1954 	format_nvm.b.fm_lbaf = lbaf & 0xf;
1955 	format_nvm.b.fm_ms = ms ? 1 : 0;
1956 	format_nvm.b.fm_pi = pi & 0x7;
1957 	format_nvm.b.fm_pil = pil ? 1 : 0;
1958 	format_nvm.b.fm_ses = ses & 0x7;
1959 
1960 	cmd->nc_sqid = 0;
1961 	cmd->nc_callback = nvme_wakeup_cmd;
1962 	cmd->nc_sqe.sqe_nsid = nsid;
1963 	cmd->nc_sqe.sqe_opc = NVME_OPC_NVM_FORMAT;
1964 	cmd->nc_sqe.sqe_cdw10 = format_nvm.r;
1965 
1966 	/*
1967 	 * Some devices like Samsung SM951 don't allow formatting of all
1968 	 * namespaces in one command. Handle that gracefully.
1969 	 */
1970 	if (nsid == (uint32_t)-1)
1971 		cmd->nc_dontpanic = B_TRUE;
1972 	/*
1973 	 * If this format request was initiated by the user, then don't allow a
1974 	 * programmer error to panic the system.
1975 	 */
1976 	if (user)
1977 		cmd->nc_dontpanic = B_TRUE;
1978 
1979 	nvme_admin_cmd(cmd, nvme_format_cmd_timeout);
1980 
1981 	if ((ret = nvme_check_cmd_status(cmd)) != 0) {
1982 		dev_err(nvme->n_dip, CE_WARN,
1983 		    "!FORMAT failed with sct = %x, sc = %x",
1984 		    cmd->nc_cqe.cqe_sf.sf_sct, cmd->nc_cqe.cqe_sf.sf_sc);
1985 	}
1986 
1987 	nvme_free_cmd(cmd);
1988 	return (ret);
1989 }
1990 
1991 static int
1992 nvme_get_logpage(nvme_t *nvme, boolean_t user, void **buf, size_t *bufsize,
1993     uint8_t logpage, ...)
1994 {
1995 	nvme_cmd_t *cmd = nvme_alloc_cmd(nvme, KM_SLEEP);
1996 	nvme_getlogpage_t getlogpage = { 0 };
1997 	va_list ap;
1998 	int ret;
1999 
2000 	va_start(ap, logpage);
2001 
2002 	cmd->nc_sqid = 0;
2003 	cmd->nc_callback = nvme_wakeup_cmd;
2004 	cmd->nc_sqe.sqe_opc = NVME_OPC_GET_LOG_PAGE;
2005 
2006 	if (user)
2007 		cmd->nc_dontpanic = B_TRUE;
2008 
2009 	getlogpage.b.lp_lid = logpage;
2010 
2011 	switch (logpage) {
2012 	case NVME_LOGPAGE_ERROR:
2013 		cmd->nc_sqe.sqe_nsid = (uint32_t)-1;
2014 		/*
2015 		 * The GET LOG PAGE command can use at most 2 pages to return
2016 		 * data, PRP lists are not supported.
2017 		 */
2018 		*bufsize = MIN(2 * nvme->n_pagesize,
2019 		    nvme->n_error_log_len * sizeof (nvme_error_log_entry_t));
2020 		break;
2021 
2022 	case NVME_LOGPAGE_HEALTH:
2023 		cmd->nc_sqe.sqe_nsid = va_arg(ap, uint32_t);
2024 		*bufsize = sizeof (nvme_health_log_t);
2025 		break;
2026 
2027 	case NVME_LOGPAGE_FWSLOT:
2028 		cmd->nc_sqe.sqe_nsid = (uint32_t)-1;
2029 		*bufsize = sizeof (nvme_fwslot_log_t);
2030 		break;
2031 
2032 	default:
2033 		dev_err(nvme->n_dip, CE_WARN, "!unknown log page requested: %d",
2034 		    logpage);
2035 		atomic_inc_32(&nvme->n_unknown_logpage);
2036 		ret = EINVAL;
2037 		goto fail;
2038 	}
2039 
2040 	va_end(ap);
2041 
2042 	getlogpage.b.lp_numd = *bufsize / sizeof (uint32_t) - 1;
2043 
2044 	cmd->nc_sqe.sqe_cdw10 = getlogpage.r;
2045 
2046 	if (nvme_zalloc_dma(nvme, *bufsize,
2047 	    DDI_DMA_READ, &nvme->n_prp_dma_attr, &cmd->nc_dma) != DDI_SUCCESS) {
2048 		dev_err(nvme->n_dip, CE_WARN,
2049 		    "!nvme_zalloc_dma failed for GET LOG PAGE");
2050 		ret = ENOMEM;
2051 		goto fail;
2052 	}
2053 
2054 	if (cmd->nc_dma->nd_ncookie > 2) {
2055 		dev_err(nvme->n_dip, CE_WARN,
2056 		    "!too many DMA cookies for GET LOG PAGE");
2057 		atomic_inc_32(&nvme->n_too_many_cookies);
2058 		ret = ENOMEM;
2059 		goto fail;
2060 	}
2061 
2062 	cmd->nc_sqe.sqe_dptr.d_prp[0] = cmd->nc_dma->nd_cookie.dmac_laddress;
2063 	if (cmd->nc_dma->nd_ncookie > 1) {
2064 		ddi_dma_nextcookie(cmd->nc_dma->nd_dmah,
2065 		    &cmd->nc_dma->nd_cookie);
2066 		cmd->nc_sqe.sqe_dptr.d_prp[1] =
2067 		    cmd->nc_dma->nd_cookie.dmac_laddress;
2068 	}
2069 
2070 	nvme_admin_cmd(cmd, nvme_admin_cmd_timeout);
2071 
2072 	if ((ret = nvme_check_cmd_status(cmd)) != 0) {
2073 		dev_err(nvme->n_dip, CE_WARN,
2074 		    "!GET LOG PAGE failed with sct = %x, sc = %x",
2075 		    cmd->nc_cqe.cqe_sf.sf_sct, cmd->nc_cqe.cqe_sf.sf_sc);
2076 		goto fail;
2077 	}
2078 
2079 	*buf = kmem_alloc(*bufsize, KM_SLEEP);
2080 	bcopy(cmd->nc_dma->nd_memp, *buf, *bufsize);
2081 
2082 fail:
2083 	nvme_free_cmd(cmd);
2084 
2085 	return (ret);
2086 }
2087 
2088 static int
2089 nvme_identify(nvme_t *nvme, boolean_t user, uint32_t nsid, void **buf)
2090 {
2091 	nvme_cmd_t *cmd = nvme_alloc_cmd(nvme, KM_SLEEP);
2092 	int ret;
2093 
2094 	if (buf == NULL)
2095 		return (EINVAL);
2096 
2097 	cmd->nc_sqid = 0;
2098 	cmd->nc_callback = nvme_wakeup_cmd;
2099 	cmd->nc_sqe.sqe_opc = NVME_OPC_IDENTIFY;
2100 	cmd->nc_sqe.sqe_nsid = nsid;
2101 	cmd->nc_sqe.sqe_cdw10 = nsid ? NVME_IDENTIFY_NSID : NVME_IDENTIFY_CTRL;
2102 
2103 	if (nvme_zalloc_dma(nvme, NVME_IDENTIFY_BUFSIZE, DDI_DMA_READ,
2104 	    &nvme->n_prp_dma_attr, &cmd->nc_dma) != DDI_SUCCESS) {
2105 		dev_err(nvme->n_dip, CE_WARN,
2106 		    "!nvme_zalloc_dma failed for IDENTIFY");
2107 		ret = ENOMEM;
2108 		goto fail;
2109 	}
2110 
2111 	if (cmd->nc_dma->nd_ncookie > 2) {
2112 		dev_err(nvme->n_dip, CE_WARN,
2113 		    "!too many DMA cookies for IDENTIFY");
2114 		atomic_inc_32(&nvme->n_too_many_cookies);
2115 		ret = ENOMEM;
2116 		goto fail;
2117 	}
2118 
2119 	cmd->nc_sqe.sqe_dptr.d_prp[0] = cmd->nc_dma->nd_cookie.dmac_laddress;
2120 	if (cmd->nc_dma->nd_ncookie > 1) {
2121 		ddi_dma_nextcookie(cmd->nc_dma->nd_dmah,
2122 		    &cmd->nc_dma->nd_cookie);
2123 		cmd->nc_sqe.sqe_dptr.d_prp[1] =
2124 		    cmd->nc_dma->nd_cookie.dmac_laddress;
2125 	}
2126 
2127 	if (user)
2128 		cmd->nc_dontpanic = B_TRUE;
2129 
2130 	nvme_admin_cmd(cmd, nvme_admin_cmd_timeout);
2131 
2132 	if ((ret = nvme_check_cmd_status(cmd)) != 0) {
2133 		dev_err(nvme->n_dip, CE_WARN,
2134 		    "!IDENTIFY failed with sct = %x, sc = %x",
2135 		    cmd->nc_cqe.cqe_sf.sf_sct, cmd->nc_cqe.cqe_sf.sf_sc);
2136 		goto fail;
2137 	}
2138 
2139 	*buf = kmem_alloc(NVME_IDENTIFY_BUFSIZE, KM_SLEEP);
2140 	bcopy(cmd->nc_dma->nd_memp, *buf, NVME_IDENTIFY_BUFSIZE);
2141 
2142 fail:
2143 	nvme_free_cmd(cmd);
2144 
2145 	return (ret);
2146 }
2147 
2148 static int
2149 nvme_set_features(nvme_t *nvme, boolean_t user, uint32_t nsid, uint8_t feature,
2150     uint32_t val, uint32_t *res)
2151 {
2152 	_NOTE(ARGUNUSED(nsid));
2153 	nvme_cmd_t *cmd = nvme_alloc_cmd(nvme, KM_SLEEP);
2154 	int ret = EINVAL;
2155 
2156 	ASSERT(res != NULL);
2157 
2158 	cmd->nc_sqid = 0;
2159 	cmd->nc_callback = nvme_wakeup_cmd;
2160 	cmd->nc_sqe.sqe_opc = NVME_OPC_SET_FEATURES;
2161 	cmd->nc_sqe.sqe_cdw10 = feature;
2162 	cmd->nc_sqe.sqe_cdw11 = val;
2163 
2164 	if (user)
2165 		cmd->nc_dontpanic = B_TRUE;
2166 
2167 	switch (feature) {
2168 	case NVME_FEAT_WRITE_CACHE:
2169 		if (!nvme->n_write_cache_present)
2170 			goto fail;
2171 		break;
2172 
2173 	case NVME_FEAT_NQUEUES:
2174 		break;
2175 
2176 	default:
2177 		goto fail;
2178 	}
2179 
2180 	nvme_admin_cmd(cmd, nvme_admin_cmd_timeout);
2181 
2182 	if ((ret = nvme_check_cmd_status(cmd)) != 0) {
2183 		dev_err(nvme->n_dip, CE_WARN,
2184 		    "!SET FEATURES %d failed with sct = %x, sc = %x",
2185 		    feature, cmd->nc_cqe.cqe_sf.sf_sct,
2186 		    cmd->nc_cqe.cqe_sf.sf_sc);
2187 		goto fail;
2188 	}
2189 
2190 	*res = cmd->nc_cqe.cqe_dw0;
2191 
2192 fail:
2193 	nvme_free_cmd(cmd);
2194 	return (ret);
2195 }
2196 
2197 static int
2198 nvme_get_features(nvme_t *nvme, boolean_t user, uint32_t nsid, uint8_t feature,
2199     uint32_t *res, void **buf, size_t *bufsize)
2200 {
2201 	nvme_cmd_t *cmd = nvme_alloc_cmd(nvme, KM_SLEEP);
2202 	int ret = EINVAL;
2203 
2204 	ASSERT(res != NULL);
2205 
2206 	if (bufsize != NULL)
2207 		*bufsize = 0;
2208 
2209 	cmd->nc_sqid = 0;
2210 	cmd->nc_callback = nvme_wakeup_cmd;
2211 	cmd->nc_sqe.sqe_opc = NVME_OPC_GET_FEATURES;
2212 	cmd->nc_sqe.sqe_cdw10 = feature;
2213 	cmd->nc_sqe.sqe_cdw11 = *res;
2214 
2215 	/*
2216 	 * For some of the optional features there doesn't seem to be a method
2217 	 * of detecting whether it is supported other than using it.  This will
2218 	 * cause "Invalid Field in Command" error, which is normally considered
2219 	 * a programming error.  Set the nc_dontpanic flag to override the panic
2220 	 * in nvme_check_generic_cmd_status().
2221 	 */
2222 	switch (feature) {
2223 	case NVME_FEAT_ARBITRATION:
2224 	case NVME_FEAT_POWER_MGMT:
2225 	case NVME_FEAT_TEMPERATURE:
2226 	case NVME_FEAT_ERROR:
2227 	case NVME_FEAT_NQUEUES:
2228 	case NVME_FEAT_INTR_COAL:
2229 	case NVME_FEAT_INTR_VECT:
2230 	case NVME_FEAT_WRITE_ATOM:
2231 	case NVME_FEAT_ASYNC_EVENT:
2232 		break;
2233 
2234 	case NVME_FEAT_WRITE_CACHE:
2235 		if (!nvme->n_write_cache_present)
2236 			goto fail;
2237 		break;
2238 
2239 	case NVME_FEAT_LBA_RANGE:
2240 		if (!nvme->n_lba_range_supported)
2241 			goto fail;
2242 
2243 		cmd->nc_dontpanic = B_TRUE;
2244 		cmd->nc_sqe.sqe_nsid = nsid;
2245 		ASSERT(bufsize != NULL);
2246 		*bufsize = NVME_LBA_RANGE_BUFSIZE;
2247 		break;
2248 
2249 	case NVME_FEAT_AUTO_PST:
2250 		if (!nvme->n_auto_pst_supported)
2251 			goto fail;
2252 
2253 		ASSERT(bufsize != NULL);
2254 		*bufsize = NVME_AUTO_PST_BUFSIZE;
2255 		break;
2256 
2257 	case NVME_FEAT_PROGRESS:
2258 		if (!nvme->n_progress_supported)
2259 			goto fail;
2260 
2261 		cmd->nc_dontpanic = B_TRUE;
2262 		break;
2263 
2264 	default:
2265 		goto fail;
2266 	}
2267 
2268 	if (user)
2269 		cmd->nc_dontpanic = B_TRUE;
2270 
2271 	if (bufsize != NULL && *bufsize != 0) {
2272 		if (nvme_zalloc_dma(nvme, *bufsize, DDI_DMA_READ,
2273 		    &nvme->n_prp_dma_attr, &cmd->nc_dma) != DDI_SUCCESS) {
2274 			dev_err(nvme->n_dip, CE_WARN,
2275 			    "!nvme_zalloc_dma failed for GET FEATURES");
2276 			ret = ENOMEM;
2277 			goto fail;
2278 		}
2279 
2280 		if (cmd->nc_dma->nd_ncookie > 2) {
2281 			dev_err(nvme->n_dip, CE_WARN,
2282 			    "!too many DMA cookies for GET FEATURES");
2283 			atomic_inc_32(&nvme->n_too_many_cookies);
2284 			ret = ENOMEM;
2285 			goto fail;
2286 		}
2287 
2288 		cmd->nc_sqe.sqe_dptr.d_prp[0] =
2289 		    cmd->nc_dma->nd_cookie.dmac_laddress;
2290 		if (cmd->nc_dma->nd_ncookie > 1) {
2291 			ddi_dma_nextcookie(cmd->nc_dma->nd_dmah,
2292 			    &cmd->nc_dma->nd_cookie);
2293 			cmd->nc_sqe.sqe_dptr.d_prp[1] =
2294 			    cmd->nc_dma->nd_cookie.dmac_laddress;
2295 		}
2296 	}
2297 
2298 	nvme_admin_cmd(cmd, nvme_admin_cmd_timeout);
2299 
2300 	if ((ret = nvme_check_cmd_status(cmd)) != 0) {
2301 		boolean_t known = B_TRUE;
2302 
2303 		/* Check if this is unsupported optional feature */
2304 		if (cmd->nc_cqe.cqe_sf.sf_sct == NVME_CQE_SCT_GENERIC &&
2305 		    cmd->nc_cqe.cqe_sf.sf_sc == NVME_CQE_SC_GEN_INV_FLD) {
2306 			switch (feature) {
2307 			case NVME_FEAT_LBA_RANGE:
2308 				nvme->n_lba_range_supported = B_FALSE;
2309 				break;
2310 			case NVME_FEAT_PROGRESS:
2311 				nvme->n_progress_supported = B_FALSE;
2312 				break;
2313 			default:
2314 				known = B_FALSE;
2315 				break;
2316 			}
2317 		} else {
2318 			known = B_FALSE;
2319 		}
2320 
2321 		/* Report the error otherwise */
2322 		if (!known) {
2323 			dev_err(nvme->n_dip, CE_WARN,
2324 			    "!GET FEATURES %d failed with sct = %x, sc = %x",
2325 			    feature, cmd->nc_cqe.cqe_sf.sf_sct,
2326 			    cmd->nc_cqe.cqe_sf.sf_sc);
2327 		}
2328 
2329 		goto fail;
2330 	}
2331 
2332 	if (bufsize != NULL && *bufsize != 0) {
2333 		ASSERT(buf != NULL);
2334 		*buf = kmem_alloc(*bufsize, KM_SLEEP);
2335 		bcopy(cmd->nc_dma->nd_memp, *buf, *bufsize);
2336 	}
2337 
2338 	*res = cmd->nc_cqe.cqe_dw0;
2339 
2340 fail:
2341 	nvme_free_cmd(cmd);
2342 	return (ret);
2343 }
2344 
2345 static int
2346 nvme_write_cache_set(nvme_t *nvme, boolean_t enable)
2347 {
2348 	nvme_write_cache_t nwc = { 0 };
2349 
2350 	if (enable)
2351 		nwc.b.wc_wce = 1;
2352 
2353 	return (nvme_set_features(nvme, B_FALSE, 0, NVME_FEAT_WRITE_CACHE,
2354 	    nwc.r, &nwc.r));
2355 }
2356 
2357 static int
2358 nvme_set_nqueues(nvme_t *nvme)
2359 {
2360 	nvme_nqueues_t nq = { 0 };
2361 	int ret;
2362 
2363 	/*
2364 	 * The default is to allocate one completion queue per vector.
2365 	 */
2366 	if (nvme->n_completion_queues == -1)
2367 		nvme->n_completion_queues = nvme->n_intr_cnt;
2368 
2369 	/*
2370 	 * There is no point in having more compeletion queues than
2371 	 * interrupt vectors.
2372 	 */
2373 	nvme->n_completion_queues = MIN(nvme->n_completion_queues,
2374 	    nvme->n_intr_cnt);
2375 
2376 	/*
2377 	 * The default is to use one submission queue per completion queue.
2378 	 */
2379 	if (nvme->n_submission_queues == -1)
2380 		nvme->n_submission_queues = nvme->n_completion_queues;
2381 
2382 	/*
2383 	 * There is no point in having more compeletion queues than
2384 	 * submission queues.
2385 	 */
2386 	nvme->n_completion_queues = MIN(nvme->n_completion_queues,
2387 	    nvme->n_submission_queues);
2388 
2389 	ASSERT(nvme->n_submission_queues > 0);
2390 	ASSERT(nvme->n_completion_queues > 0);
2391 
2392 	nq.b.nq_nsq = nvme->n_submission_queues - 1;
2393 	nq.b.nq_ncq = nvme->n_completion_queues - 1;
2394 
2395 	ret = nvme_set_features(nvme, B_FALSE, 0, NVME_FEAT_NQUEUES, nq.r,
2396 	    &nq.r);
2397 
2398 	if (ret == 0) {
2399 		/*
2400 		 * Never use more than the requested number of queues.
2401 		 */
2402 		nvme->n_submission_queues = MIN(nvme->n_submission_queues,
2403 		    nq.b.nq_nsq + 1);
2404 		nvme->n_completion_queues = MIN(nvme->n_completion_queues,
2405 		    nq.b.nq_ncq + 1);
2406 	}
2407 
2408 	return (ret);
2409 }
2410 
2411 static int
2412 nvme_create_completion_queue(nvme_t *nvme, nvme_cq_t *cq)
2413 {
2414 	nvme_cmd_t *cmd = nvme_alloc_cmd(nvme, KM_SLEEP);
2415 	nvme_create_queue_dw10_t dw10 = { 0 };
2416 	nvme_create_cq_dw11_t c_dw11 = { 0 };
2417 	int ret;
2418 
2419 	dw10.b.q_qid = cq->ncq_id;
2420 	dw10.b.q_qsize = cq->ncq_nentry - 1;
2421 
2422 	c_dw11.b.cq_pc = 1;
2423 	c_dw11.b.cq_ien = 1;
2424 	c_dw11.b.cq_iv = cq->ncq_id % nvme->n_intr_cnt;
2425 
2426 	cmd->nc_sqid = 0;
2427 	cmd->nc_callback = nvme_wakeup_cmd;
2428 	cmd->nc_sqe.sqe_opc = NVME_OPC_CREATE_CQUEUE;
2429 	cmd->nc_sqe.sqe_cdw10 = dw10.r;
2430 	cmd->nc_sqe.sqe_cdw11 = c_dw11.r;
2431 	cmd->nc_sqe.sqe_dptr.d_prp[0] = cq->ncq_dma->nd_cookie.dmac_laddress;
2432 
2433 	nvme_admin_cmd(cmd, nvme_admin_cmd_timeout);
2434 
2435 	if ((ret = nvme_check_cmd_status(cmd)) != 0) {
2436 		dev_err(nvme->n_dip, CE_WARN,
2437 		    "!CREATE CQUEUE failed with sct = %x, sc = %x",
2438 		    cmd->nc_cqe.cqe_sf.sf_sct, cmd->nc_cqe.cqe_sf.sf_sc);
2439 	}
2440 
2441 	nvme_free_cmd(cmd);
2442 
2443 	return (ret);
2444 }
2445 
2446 static int
2447 nvme_create_io_qpair(nvme_t *nvme, nvme_qpair_t *qp, uint16_t idx)
2448 {
2449 	nvme_cq_t *cq = qp->nq_cq;
2450 	nvme_cmd_t *cmd;
2451 	nvme_create_queue_dw10_t dw10 = { 0 };
2452 	nvme_create_sq_dw11_t s_dw11 = { 0 };
2453 	int ret;
2454 
2455 	/*
2456 	 * It is possible to have more qpairs than completion queues,
2457 	 * and when the idx > ncq_id, that completion queue is shared
2458 	 * and has already been created.
2459 	 */
2460 	if (idx <= cq->ncq_id &&
2461 	    nvme_create_completion_queue(nvme, cq) != DDI_SUCCESS)
2462 		return (DDI_FAILURE);
2463 
2464 	dw10.b.q_qid = idx;
2465 	dw10.b.q_qsize = qp->nq_nentry - 1;
2466 
2467 	s_dw11.b.sq_pc = 1;
2468 	s_dw11.b.sq_cqid = cq->ncq_id;
2469 
2470 	cmd = nvme_alloc_cmd(nvme, KM_SLEEP);
2471 	cmd->nc_sqid = 0;
2472 	cmd->nc_callback = nvme_wakeup_cmd;
2473 	cmd->nc_sqe.sqe_opc = NVME_OPC_CREATE_SQUEUE;
2474 	cmd->nc_sqe.sqe_cdw10 = dw10.r;
2475 	cmd->nc_sqe.sqe_cdw11 = s_dw11.r;
2476 	cmd->nc_sqe.sqe_dptr.d_prp[0] = qp->nq_sqdma->nd_cookie.dmac_laddress;
2477 
2478 	nvme_admin_cmd(cmd, nvme_admin_cmd_timeout);
2479 
2480 	if ((ret = nvme_check_cmd_status(cmd)) != 0) {
2481 		dev_err(nvme->n_dip, CE_WARN,
2482 		    "!CREATE SQUEUE failed with sct = %x, sc = %x",
2483 		    cmd->nc_cqe.cqe_sf.sf_sct, cmd->nc_cqe.cqe_sf.sf_sc);
2484 	}
2485 
2486 	nvme_free_cmd(cmd);
2487 
2488 	return (ret);
2489 }
2490 
2491 static boolean_t
2492 nvme_reset(nvme_t *nvme, boolean_t quiesce)
2493 {
2494 	nvme_reg_csts_t csts;
2495 	int i;
2496 
2497 	nvme_put32(nvme, NVME_REG_CC, 0);
2498 
2499 	csts.r = nvme_get32(nvme, NVME_REG_CSTS);
2500 	if (csts.b.csts_rdy == 1) {
2501 		nvme_put32(nvme, NVME_REG_CC, 0);
2502 		for (i = 0; i != nvme->n_timeout * 10; i++) {
2503 			csts.r = nvme_get32(nvme, NVME_REG_CSTS);
2504 			if (csts.b.csts_rdy == 0)
2505 				break;
2506 
2507 			if (quiesce)
2508 				drv_usecwait(50000);
2509 			else
2510 				delay(drv_usectohz(50000));
2511 		}
2512 	}
2513 
2514 	nvme_put32(nvme, NVME_REG_AQA, 0);
2515 	nvme_put32(nvme, NVME_REG_ASQ, 0);
2516 	nvme_put32(nvme, NVME_REG_ACQ, 0);
2517 
2518 	csts.r = nvme_get32(nvme, NVME_REG_CSTS);
2519 	return (csts.b.csts_rdy == 0 ? B_TRUE : B_FALSE);
2520 }
2521 
2522 static void
2523 nvme_shutdown(nvme_t *nvme, int mode, boolean_t quiesce)
2524 {
2525 	nvme_reg_cc_t cc;
2526 	nvme_reg_csts_t csts;
2527 	int i;
2528 
2529 	ASSERT(mode == NVME_CC_SHN_NORMAL || mode == NVME_CC_SHN_ABRUPT);
2530 
2531 	cc.r = nvme_get32(nvme, NVME_REG_CC);
2532 	cc.b.cc_shn = mode & 0x3;
2533 	nvme_put32(nvme, NVME_REG_CC, cc.r);
2534 
2535 	for (i = 0; i != 10; i++) {
2536 		csts.r = nvme_get32(nvme, NVME_REG_CSTS);
2537 		if (csts.b.csts_shst == NVME_CSTS_SHN_COMPLETE)
2538 			break;
2539 
2540 		if (quiesce)
2541 			drv_usecwait(100000);
2542 		else
2543 			delay(drv_usectohz(100000));
2544 	}
2545 }
2546 
2547 
2548 static void
2549 nvme_prepare_devid(nvme_t *nvme, uint32_t nsid)
2550 {
2551 	/*
2552 	 * Section 7.7 of the spec describes how to get a unique ID for
2553 	 * the controller: the vendor ID, the model name and the serial
2554 	 * number shall be unique when combined.
2555 	 *
2556 	 * If a namespace has no EUI64 we use the above and add the hex
2557 	 * namespace ID to get a unique ID for the namespace.
2558 	 */
2559 	char model[sizeof (nvme->n_idctl->id_model) + 1];
2560 	char serial[sizeof (nvme->n_idctl->id_serial) + 1];
2561 
2562 	bcopy(nvme->n_idctl->id_model, model, sizeof (nvme->n_idctl->id_model));
2563 	bcopy(nvme->n_idctl->id_serial, serial,
2564 	    sizeof (nvme->n_idctl->id_serial));
2565 
2566 	model[sizeof (nvme->n_idctl->id_model)] = '\0';
2567 	serial[sizeof (nvme->n_idctl->id_serial)] = '\0';
2568 
2569 	nvme->n_ns[nsid - 1].ns_devid = kmem_asprintf("%4X-%s-%s-%X",
2570 	    nvme->n_idctl->id_vid, model, serial, nsid);
2571 }
2572 
2573 static int
2574 nvme_init_ns(nvme_t *nvme, int nsid)
2575 {
2576 	nvme_namespace_t *ns = &nvme->n_ns[nsid - 1];
2577 	nvme_identify_nsid_t *idns;
2578 	boolean_t was_ignored;
2579 	int last_rp;
2580 
2581 	ns->ns_nvme = nvme;
2582 
2583 	if (nvme_identify(nvme, B_FALSE, nsid, (void **)&idns) != 0) {
2584 		dev_err(nvme->n_dip, CE_WARN,
2585 		    "!failed to identify namespace %d", nsid);
2586 		return (DDI_FAILURE);
2587 	}
2588 
2589 	ns->ns_idns = idns;
2590 	ns->ns_id = nsid;
2591 	ns->ns_block_count = idns->id_nsize;
2592 	ns->ns_block_size =
2593 	    1 << idns->id_lbaf[idns->id_flbas.lba_format].lbaf_lbads;
2594 	ns->ns_best_block_size = ns->ns_block_size;
2595 
2596 	/*
2597 	 * Get the EUI64 if present. Use it for devid and device node names.
2598 	 */
2599 	if (NVME_VERSION_ATLEAST(&nvme->n_version, 1, 1))
2600 		bcopy(idns->id_eui64, ns->ns_eui64, sizeof (ns->ns_eui64));
2601 
2602 	/*LINTED: E_BAD_PTR_CAST_ALIGN*/
2603 	if (*(uint64_t *)ns->ns_eui64 != 0) {
2604 		uint8_t *eui64 = ns->ns_eui64;
2605 
2606 		(void) snprintf(ns->ns_name, sizeof (ns->ns_name),
2607 		    "%02x%02x%02x%02x%02x%02x%02x%02x",
2608 		    eui64[0], eui64[1], eui64[2], eui64[3],
2609 		    eui64[4], eui64[5], eui64[6], eui64[7]);
2610 	} else {
2611 		(void) snprintf(ns->ns_name, sizeof (ns->ns_name), "%d",
2612 		    ns->ns_id);
2613 
2614 		nvme_prepare_devid(nvme, ns->ns_id);
2615 	}
2616 
2617 	/*
2618 	 * Find the LBA format with no metadata and the best relative
2619 	 * performance. A value of 3 means "degraded", 0 is best.
2620 	 */
2621 	last_rp = 3;
2622 	for (int j = 0; j <= idns->id_nlbaf; j++) {
2623 		if (idns->id_lbaf[j].lbaf_lbads == 0)
2624 			break;
2625 		if (idns->id_lbaf[j].lbaf_ms != 0)
2626 			continue;
2627 		if (idns->id_lbaf[j].lbaf_rp >= last_rp)
2628 			continue;
2629 		last_rp = idns->id_lbaf[j].lbaf_rp;
2630 		ns->ns_best_block_size =
2631 		    1 << idns->id_lbaf[j].lbaf_lbads;
2632 	}
2633 
2634 	if (ns->ns_best_block_size < nvme->n_min_block_size)
2635 		ns->ns_best_block_size = nvme->n_min_block_size;
2636 
2637 	was_ignored = ns->ns_ignore;
2638 
2639 	/*
2640 	 * We currently don't support namespaces that use either:
2641 	 * - protection information
2642 	 * - illegal block size (< 512)
2643 	 */
2644 	if (idns->id_dps.dp_pinfo) {
2645 		dev_err(nvme->n_dip, CE_WARN,
2646 		    "!ignoring namespace %d, unsupported feature: "
2647 		    "pinfo = %d", nsid, idns->id_dps.dp_pinfo);
2648 		ns->ns_ignore = B_TRUE;
2649 	} else if (ns->ns_block_size < 512) {
2650 		dev_err(nvme->n_dip, CE_WARN,
2651 		    "!ignoring namespace %d, unsupported block size %"PRIu64,
2652 		    nsid, (uint64_t)ns->ns_block_size);
2653 		ns->ns_ignore = B_TRUE;
2654 	} else {
2655 		ns->ns_ignore = B_FALSE;
2656 	}
2657 
2658 	/*
2659 	 * Keep a count of namespaces which are attachable.
2660 	 * See comments in nvme_bd_driveinfo() to understand its effect.
2661 	 */
2662 	if (was_ignored) {
2663 		/*
2664 		 * Previously ignored, but now not. Count it.
2665 		 */
2666 		if (!ns->ns_ignore)
2667 			nvme->n_namespaces_attachable++;
2668 	} else {
2669 		/*
2670 		 * Wasn't ignored previously, but now needs to be.
2671 		 * Discount it.
2672 		 */
2673 		if (ns->ns_ignore)
2674 			nvme->n_namespaces_attachable--;
2675 	}
2676 
2677 	return (DDI_SUCCESS);
2678 }
2679 
2680 static int
2681 nvme_init(nvme_t *nvme)
2682 {
2683 	nvme_reg_cc_t cc = { 0 };
2684 	nvme_reg_aqa_t aqa = { 0 };
2685 	nvme_reg_asq_t asq = { 0 };
2686 	nvme_reg_acq_t acq = { 0 };
2687 	nvme_reg_cap_t cap;
2688 	nvme_reg_vs_t vs;
2689 	nvme_reg_csts_t csts;
2690 	int i = 0;
2691 	uint16_t nqueues;
2692 	uint_t tq_threads;
2693 	char model[sizeof (nvme->n_idctl->id_model) + 1];
2694 	char *vendor, *product;
2695 
2696 	/* Check controller version */
2697 	vs.r = nvme_get32(nvme, NVME_REG_VS);
2698 	nvme->n_version.v_major = vs.b.vs_mjr;
2699 	nvme->n_version.v_minor = vs.b.vs_mnr;
2700 	dev_err(nvme->n_dip, CE_CONT, "?NVMe spec version %d.%d",
2701 	    nvme->n_version.v_major, nvme->n_version.v_minor);
2702 
2703 	if (nvme->n_version.v_major > nvme_version_major) {
2704 		dev_err(nvme->n_dip, CE_WARN, "!no support for version > %d.x",
2705 		    nvme_version_major);
2706 		if (nvme->n_strict_version)
2707 			goto fail;
2708 	}
2709 
2710 	/* retrieve controller configuration */
2711 	cap.r = nvme_get64(nvme, NVME_REG_CAP);
2712 
2713 	if ((cap.b.cap_css & NVME_CAP_CSS_NVM) == 0) {
2714 		dev_err(nvme->n_dip, CE_WARN,
2715 		    "!NVM command set not supported by hardware");
2716 		goto fail;
2717 	}
2718 
2719 	nvme->n_nssr_supported = cap.b.cap_nssrs;
2720 	nvme->n_doorbell_stride = 4 << cap.b.cap_dstrd;
2721 	nvme->n_timeout = cap.b.cap_to;
2722 	nvme->n_arbitration_mechanisms = cap.b.cap_ams;
2723 	nvme->n_cont_queues_reqd = cap.b.cap_cqr;
2724 	nvme->n_max_queue_entries = cap.b.cap_mqes + 1;
2725 
2726 	/*
2727 	 * The MPSMIN and MPSMAX fields in the CAP register use 0 to specify
2728 	 * the base page size of 4k (1<<12), so add 12 here to get the real
2729 	 * page size value.
2730 	 */
2731 	nvme->n_pageshift = MIN(MAX(cap.b.cap_mpsmin + 12, PAGESHIFT),
2732 	    cap.b.cap_mpsmax + 12);
2733 	nvme->n_pagesize = 1UL << (nvme->n_pageshift);
2734 
2735 	/*
2736 	 * Set up Queue DMA to transfer at least 1 page-aligned page at a time.
2737 	 */
2738 	nvme->n_queue_dma_attr.dma_attr_align = nvme->n_pagesize;
2739 	nvme->n_queue_dma_attr.dma_attr_minxfer = nvme->n_pagesize;
2740 
2741 	/*
2742 	 * Set up PRP DMA to transfer 1 page-aligned page at a time.
2743 	 * Maxxfer may be increased after we identified the controller limits.
2744 	 */
2745 	nvme->n_prp_dma_attr.dma_attr_maxxfer = nvme->n_pagesize;
2746 	nvme->n_prp_dma_attr.dma_attr_minxfer = nvme->n_pagesize;
2747 	nvme->n_prp_dma_attr.dma_attr_align = nvme->n_pagesize;
2748 	nvme->n_prp_dma_attr.dma_attr_seg = nvme->n_pagesize - 1;
2749 
2750 	/*
2751 	 * Reset controller if it's still in ready state.
2752 	 */
2753 	if (nvme_reset(nvme, B_FALSE) == B_FALSE) {
2754 		dev_err(nvme->n_dip, CE_WARN, "!unable to reset controller");
2755 		ddi_fm_service_impact(nvme->n_dip, DDI_SERVICE_LOST);
2756 		nvme->n_dead = B_TRUE;
2757 		goto fail;
2758 	}
2759 
2760 	/*
2761 	 * Create the cq array with one completion queue to be assigned
2762 	 * to the admin queue pair and a limited number of taskqs (4).
2763 	 */
2764 	if (nvme_create_cq_array(nvme, 1, nvme->n_admin_queue_len, 4) !=
2765 	    DDI_SUCCESS) {
2766 		dev_err(nvme->n_dip, CE_WARN,
2767 		    "!failed to pre-allocate admin completion queue");
2768 		goto fail;
2769 	}
2770 	/*
2771 	 * Create the admin queue pair.
2772 	 */
2773 	if (nvme_alloc_qpair(nvme, nvme->n_admin_queue_len, &nvme->n_adminq, 0)
2774 	    != DDI_SUCCESS) {
2775 		dev_err(nvme->n_dip, CE_WARN,
2776 		    "!unable to allocate admin qpair");
2777 		goto fail;
2778 	}
2779 	nvme->n_ioq = kmem_alloc(sizeof (nvme_qpair_t *), KM_SLEEP);
2780 	nvme->n_ioq[0] = nvme->n_adminq;
2781 
2782 	nvme->n_progress |= NVME_ADMIN_QUEUE;
2783 
2784 	(void) ddi_prop_update_int(DDI_DEV_T_NONE, nvme->n_dip,
2785 	    "admin-queue-len", nvme->n_admin_queue_len);
2786 
2787 	aqa.b.aqa_asqs = aqa.b.aqa_acqs = nvme->n_admin_queue_len - 1;
2788 	asq = nvme->n_adminq->nq_sqdma->nd_cookie.dmac_laddress;
2789 	acq = nvme->n_adminq->nq_cq->ncq_dma->nd_cookie.dmac_laddress;
2790 
2791 	ASSERT((asq & (nvme->n_pagesize - 1)) == 0);
2792 	ASSERT((acq & (nvme->n_pagesize - 1)) == 0);
2793 
2794 	nvme_put32(nvme, NVME_REG_AQA, aqa.r);
2795 	nvme_put64(nvme, NVME_REG_ASQ, asq);
2796 	nvme_put64(nvme, NVME_REG_ACQ, acq);
2797 
2798 	cc.b.cc_ams = 0;	/* use Round-Robin arbitration */
2799 	cc.b.cc_css = 0;	/* use NVM command set */
2800 	cc.b.cc_mps = nvme->n_pageshift - 12;
2801 	cc.b.cc_shn = 0;	/* no shutdown in progress */
2802 	cc.b.cc_en = 1;		/* enable controller */
2803 	cc.b.cc_iosqes = 6;	/* submission queue entry is 2^6 bytes long */
2804 	cc.b.cc_iocqes = 4;	/* completion queue entry is 2^4 bytes long */
2805 
2806 	nvme_put32(nvme, NVME_REG_CC, cc.r);
2807 
2808 	/*
2809 	 * Wait for the controller to become ready.
2810 	 */
2811 	csts.r = nvme_get32(nvme, NVME_REG_CSTS);
2812 	if (csts.b.csts_rdy == 0) {
2813 		for (i = 0; i != nvme->n_timeout * 10; i++) {
2814 			delay(drv_usectohz(50000));
2815 			csts.r = nvme_get32(nvme, NVME_REG_CSTS);
2816 
2817 			if (csts.b.csts_cfs == 1) {
2818 				dev_err(nvme->n_dip, CE_WARN,
2819 				    "!controller fatal status at init");
2820 				ddi_fm_service_impact(nvme->n_dip,
2821 				    DDI_SERVICE_LOST);
2822 				nvme->n_dead = B_TRUE;
2823 				goto fail;
2824 			}
2825 
2826 			if (csts.b.csts_rdy == 1)
2827 				break;
2828 		}
2829 	}
2830 
2831 	if (csts.b.csts_rdy == 0) {
2832 		dev_err(nvme->n_dip, CE_WARN, "!controller not ready");
2833 		ddi_fm_service_impact(nvme->n_dip, DDI_SERVICE_LOST);
2834 		nvme->n_dead = B_TRUE;
2835 		goto fail;
2836 	}
2837 
2838 	/*
2839 	 * Assume an abort command limit of 1. We'll destroy and re-init
2840 	 * that later when we know the true abort command limit.
2841 	 */
2842 	sema_init(&nvme->n_abort_sema, 1, NULL, SEMA_DRIVER, NULL);
2843 
2844 	/*
2845 	 * Setup initial interrupt for admin queue.
2846 	 */
2847 	if ((nvme_setup_interrupts(nvme, DDI_INTR_TYPE_MSIX, 1)
2848 	    != DDI_SUCCESS) &&
2849 	    (nvme_setup_interrupts(nvme, DDI_INTR_TYPE_MSI, 1)
2850 	    != DDI_SUCCESS) &&
2851 	    (nvme_setup_interrupts(nvme, DDI_INTR_TYPE_FIXED, 1)
2852 	    != DDI_SUCCESS)) {
2853 		dev_err(nvme->n_dip, CE_WARN,
2854 		    "!failed to setup initial interrupt");
2855 		goto fail;
2856 	}
2857 
2858 	/*
2859 	 * Post an asynchronous event command to catch errors.
2860 	 * We assume the asynchronous events are supported as required by
2861 	 * specification (Figure 40 in section 5 of NVMe 1.2).
2862 	 * However, since at least qemu does not follow the specification,
2863 	 * we need a mechanism to protect ourselves.
2864 	 */
2865 	nvme->n_async_event_supported = B_TRUE;
2866 	nvme_async_event(nvme);
2867 
2868 	/*
2869 	 * Identify Controller
2870 	 */
2871 	if (nvme_identify(nvme, B_FALSE, 0, (void **)&nvme->n_idctl) != 0) {
2872 		dev_err(nvme->n_dip, CE_WARN,
2873 		    "!failed to identify controller");
2874 		goto fail;
2875 	}
2876 
2877 	/*
2878 	 * Get Vendor & Product ID
2879 	 */
2880 	bcopy(nvme->n_idctl->id_model, model, sizeof (nvme->n_idctl->id_model));
2881 	model[sizeof (nvme->n_idctl->id_model)] = '\0';
2882 	sata_split_model(model, &vendor, &product);
2883 
2884 	if (vendor == NULL)
2885 		nvme->n_vendor = strdup("NVMe");
2886 	else
2887 		nvme->n_vendor = strdup(vendor);
2888 
2889 	nvme->n_product = strdup(product);
2890 
2891 	/*
2892 	 * Get controller limits.
2893 	 */
2894 	nvme->n_async_event_limit = MAX(NVME_MIN_ASYNC_EVENT_LIMIT,
2895 	    MIN(nvme->n_admin_queue_len / 10,
2896 	    MIN(nvme->n_idctl->id_aerl + 1, nvme->n_async_event_limit)));
2897 
2898 	(void) ddi_prop_update_int(DDI_DEV_T_NONE, nvme->n_dip,
2899 	    "async-event-limit", nvme->n_async_event_limit);
2900 
2901 	nvme->n_abort_command_limit = nvme->n_idctl->id_acl + 1;
2902 
2903 	/*
2904 	 * Reinitialize the semaphore with the true abort command limit
2905 	 * supported by the hardware. It's not necessary to disable interrupts
2906 	 * as only command aborts use the semaphore, and no commands are
2907 	 * executed or aborted while we're here.
2908 	 */
2909 	sema_destroy(&nvme->n_abort_sema);
2910 	sema_init(&nvme->n_abort_sema, nvme->n_abort_command_limit - 1, NULL,
2911 	    SEMA_DRIVER, NULL);
2912 
2913 	nvme->n_progress |= NVME_CTRL_LIMITS;
2914 
2915 	if (nvme->n_idctl->id_mdts == 0)
2916 		nvme->n_max_data_transfer_size = nvme->n_pagesize * 65536;
2917 	else
2918 		nvme->n_max_data_transfer_size =
2919 		    1ull << (nvme->n_pageshift + nvme->n_idctl->id_mdts);
2920 
2921 	nvme->n_error_log_len = nvme->n_idctl->id_elpe + 1;
2922 
2923 	/*
2924 	 * Limit n_max_data_transfer_size to what we can handle in one PRP.
2925 	 * Chained PRPs are currently unsupported.
2926 	 *
2927 	 * This is a no-op on hardware which doesn't support a transfer size
2928 	 * big enough to require chained PRPs.
2929 	 */
2930 	nvme->n_max_data_transfer_size = MIN(nvme->n_max_data_transfer_size,
2931 	    (nvme->n_pagesize / sizeof (uint64_t) * nvme->n_pagesize));
2932 
2933 	nvme->n_prp_dma_attr.dma_attr_maxxfer = nvme->n_max_data_transfer_size;
2934 
2935 	/*
2936 	 * Make sure the minimum/maximum queue entry sizes are not
2937 	 * larger/smaller than the default.
2938 	 */
2939 
2940 	if (((1 << nvme->n_idctl->id_sqes.qes_min) > sizeof (nvme_sqe_t)) ||
2941 	    ((1 << nvme->n_idctl->id_sqes.qes_max) < sizeof (nvme_sqe_t)) ||
2942 	    ((1 << nvme->n_idctl->id_cqes.qes_min) > sizeof (nvme_cqe_t)) ||
2943 	    ((1 << nvme->n_idctl->id_cqes.qes_max) < sizeof (nvme_cqe_t)))
2944 		goto fail;
2945 
2946 	/*
2947 	 * Check for the presence of a Volatile Write Cache. If present,
2948 	 * enable or disable based on the value of the property
2949 	 * volatile-write-cache-enable (default is enabled).
2950 	 */
2951 	nvme->n_write_cache_present =
2952 	    nvme->n_idctl->id_vwc.vwc_present == 0 ? B_FALSE : B_TRUE;
2953 
2954 	(void) ddi_prop_update_int(DDI_DEV_T_NONE, nvme->n_dip,
2955 	    "volatile-write-cache-present",
2956 	    nvme->n_write_cache_present ? 1 : 0);
2957 
2958 	if (!nvme->n_write_cache_present) {
2959 		nvme->n_write_cache_enabled = B_FALSE;
2960 	} else if (nvme_write_cache_set(nvme, nvme->n_write_cache_enabled)
2961 	    != 0) {
2962 		dev_err(nvme->n_dip, CE_WARN,
2963 		    "!failed to %sable volatile write cache",
2964 		    nvme->n_write_cache_enabled ? "en" : "dis");
2965 		/*
2966 		 * Assume the cache is (still) enabled.
2967 		 */
2968 		nvme->n_write_cache_enabled = B_TRUE;
2969 	}
2970 
2971 	(void) ddi_prop_update_int(DDI_DEV_T_NONE, nvme->n_dip,
2972 	    "volatile-write-cache-enable",
2973 	    nvme->n_write_cache_enabled ? 1 : 0);
2974 
2975 	/*
2976 	 * Assume LBA Range Type feature is supported. If it isn't this
2977 	 * will be set to B_FALSE by nvme_get_features().
2978 	 */
2979 	nvme->n_lba_range_supported = B_TRUE;
2980 
2981 	/*
2982 	 * Check support for Autonomous Power State Transition.
2983 	 */
2984 	if (NVME_VERSION_ATLEAST(&nvme->n_version, 1, 1))
2985 		nvme->n_auto_pst_supported =
2986 		    nvme->n_idctl->id_apsta.ap_sup == 0 ? B_FALSE : B_TRUE;
2987 
2988 	/*
2989 	 * Assume Software Progress Marker feature is supported.  If it isn't
2990 	 * this will be set to B_FALSE by nvme_get_features().
2991 	 */
2992 	nvme->n_progress_supported = B_TRUE;
2993 
2994 	/*
2995 	 * Identify Namespaces
2996 	 */
2997 	nvme->n_namespace_count = nvme->n_idctl->id_nn;
2998 
2999 	if (nvme->n_namespace_count == 0) {
3000 		dev_err(nvme->n_dip, CE_WARN,
3001 		    "!controllers without namespaces are not supported");
3002 		goto fail;
3003 	}
3004 
3005 	if (nvme->n_namespace_count > NVME_MINOR_MAX) {
3006 		dev_err(nvme->n_dip, CE_WARN,
3007 		    "!too many namespaces: %d, limiting to %d\n",
3008 		    nvme->n_namespace_count, NVME_MINOR_MAX);
3009 		nvme->n_namespace_count = NVME_MINOR_MAX;
3010 	}
3011 
3012 	nvme->n_ns = kmem_zalloc(sizeof (nvme_namespace_t) *
3013 	    nvme->n_namespace_count, KM_SLEEP);
3014 
3015 	for (i = 0; i != nvme->n_namespace_count; i++) {
3016 		mutex_init(&nvme->n_ns[i].ns_minor.nm_mutex, NULL, MUTEX_DRIVER,
3017 		    NULL);
3018 		nvme->n_ns[i].ns_ignore = B_TRUE;
3019 		if (nvme_init_ns(nvme, i + 1) != DDI_SUCCESS)
3020 			goto fail;
3021 	}
3022 
3023 	/*
3024 	 * Try to set up MSI/MSI-X interrupts.
3025 	 */
3026 	if ((nvme->n_intr_types & (DDI_INTR_TYPE_MSI | DDI_INTR_TYPE_MSIX))
3027 	    != 0) {
3028 		nvme_release_interrupts(nvme);
3029 
3030 		nqueues = MIN(UINT16_MAX, ncpus);
3031 
3032 		if ((nvme_setup_interrupts(nvme, DDI_INTR_TYPE_MSIX,
3033 		    nqueues) != DDI_SUCCESS) &&
3034 		    (nvme_setup_interrupts(nvme, DDI_INTR_TYPE_MSI,
3035 		    nqueues) != DDI_SUCCESS)) {
3036 			dev_err(nvme->n_dip, CE_WARN,
3037 			    "!failed to setup MSI/MSI-X interrupts");
3038 			goto fail;
3039 		}
3040 	}
3041 
3042 	/*
3043 	 * Create I/O queue pairs.
3044 	 */
3045 
3046 	if (nvme_set_nqueues(nvme) != 0) {
3047 		dev_err(nvme->n_dip, CE_WARN,
3048 		    "!failed to set number of I/O queues to %d",
3049 		    nvme->n_intr_cnt);
3050 		goto fail;
3051 	}
3052 
3053 	/*
3054 	 * Reallocate I/O queue array
3055 	 */
3056 	kmem_free(nvme->n_ioq, sizeof (nvme_qpair_t *));
3057 	nvme->n_ioq = kmem_zalloc(sizeof (nvme_qpair_t *) *
3058 	    (nvme->n_submission_queues + 1), KM_SLEEP);
3059 	nvme->n_ioq[0] = nvme->n_adminq;
3060 
3061 	/*
3062 	 * There should always be at least as many submission queues
3063 	 * as completion queues.
3064 	 */
3065 	ASSERT(nvme->n_submission_queues >= nvme->n_completion_queues);
3066 
3067 	nvme->n_ioq_count = nvme->n_submission_queues;
3068 
3069 	nvme->n_io_squeue_len =
3070 	    MIN(nvme->n_io_squeue_len, nvme->n_max_queue_entries);
3071 
3072 	(void) ddi_prop_update_int(DDI_DEV_T_NONE, nvme->n_dip, "io-squeue-len",
3073 	    nvme->n_io_squeue_len);
3074 
3075 	/*
3076 	 * Pre-allocate completion queues.
3077 	 * When there are the same number of submission and completion
3078 	 * queues there is no value in having a larger completion
3079 	 * queue length.
3080 	 */
3081 	if (nvme->n_submission_queues == nvme->n_completion_queues)
3082 		nvme->n_io_cqueue_len = MIN(nvme->n_io_cqueue_len,
3083 		    nvme->n_io_squeue_len);
3084 
3085 	nvme->n_io_cqueue_len = MIN(nvme->n_io_cqueue_len,
3086 	    nvme->n_max_queue_entries);
3087 
3088 	(void) ddi_prop_update_int(DDI_DEV_T_NONE, nvme->n_dip, "io-cqueue-len",
3089 	    nvme->n_io_cqueue_len);
3090 
3091 	/*
3092 	 * Assign the equal quantity of taskq threads to each completion
3093 	 * queue, capping the total number of threads to the number
3094 	 * of CPUs.
3095 	 */
3096 	tq_threads = MIN(UINT16_MAX, ncpus) / nvme->n_completion_queues;
3097 
3098 	/*
3099 	 * In case the calculation above is zero, we need at least one
3100 	 * thread per completion queue.
3101 	 */
3102 	tq_threads = MAX(1, tq_threads);
3103 
3104 	if (nvme_create_cq_array(nvme, nvme->n_completion_queues + 1,
3105 	    nvme->n_io_cqueue_len, tq_threads) != DDI_SUCCESS) {
3106 		dev_err(nvme->n_dip, CE_WARN,
3107 		    "!failed to pre-allocate completion queues");
3108 		goto fail;
3109 	}
3110 
3111 	/*
3112 	 * If we use less completion queues than interrupt vectors return
3113 	 * some of the interrupt vectors back to the system.
3114 	 */
3115 	if (nvme->n_completion_queues + 1 < nvme->n_intr_cnt) {
3116 		nvme_release_interrupts(nvme);
3117 
3118 		if (nvme_setup_interrupts(nvme, nvme->n_intr_type,
3119 		    nvme->n_completion_queues + 1) != DDI_SUCCESS) {
3120 			dev_err(nvme->n_dip, CE_WARN,
3121 			    "!failed to reduce number of interrupts");
3122 			goto fail;
3123 		}
3124 	}
3125 
3126 	/*
3127 	 * Alloc & register I/O queue pairs
3128 	 */
3129 
3130 	for (i = 1; i != nvme->n_ioq_count + 1; i++) {
3131 		if (nvme_alloc_qpair(nvme, nvme->n_io_squeue_len,
3132 		    &nvme->n_ioq[i], i) != DDI_SUCCESS) {
3133 			dev_err(nvme->n_dip, CE_WARN,
3134 			    "!unable to allocate I/O qpair %d", i);
3135 			goto fail;
3136 		}
3137 
3138 		if (nvme_create_io_qpair(nvme, nvme->n_ioq[i], i) != 0) {
3139 			dev_err(nvme->n_dip, CE_WARN,
3140 			    "!unable to create I/O qpair %d", i);
3141 			goto fail;
3142 		}
3143 	}
3144 
3145 	/*
3146 	 * Post more asynchronous events commands to reduce event reporting
3147 	 * latency as suggested by the spec.
3148 	 */
3149 	if (nvme->n_async_event_supported) {
3150 		for (i = 1; i != nvme->n_async_event_limit; i++)
3151 			nvme_async_event(nvme);
3152 	}
3153 
3154 	return (DDI_SUCCESS);
3155 
3156 fail:
3157 	(void) nvme_reset(nvme, B_FALSE);
3158 	return (DDI_FAILURE);
3159 }
3160 
3161 static uint_t
3162 nvme_intr(caddr_t arg1, caddr_t arg2)
3163 {
3164 	/*LINTED: E_PTR_BAD_CAST_ALIGN*/
3165 	nvme_t *nvme = (nvme_t *)arg1;
3166 	int inum = (int)(uintptr_t)arg2;
3167 	int ccnt = 0;
3168 	int qnum;
3169 
3170 	if (inum >= nvme->n_intr_cnt)
3171 		return (DDI_INTR_UNCLAIMED);
3172 
3173 	if (nvme->n_dead)
3174 		return (nvme->n_intr_type == DDI_INTR_TYPE_FIXED ?
3175 		    DDI_INTR_UNCLAIMED : DDI_INTR_CLAIMED);
3176 
3177 	/*
3178 	 * The interrupt vector a queue uses is calculated as queue_idx %
3179 	 * intr_cnt in nvme_create_io_qpair(). Iterate through the queue array
3180 	 * in steps of n_intr_cnt to process all queues using this vector.
3181 	 */
3182 	for (qnum = inum;
3183 	    qnum < nvme->n_cq_count && nvme->n_cq[qnum] != NULL;
3184 	    qnum += nvme->n_intr_cnt) {
3185 		ccnt += nvme_process_iocq(nvme, nvme->n_cq[qnum]);
3186 	}
3187 
3188 	return (ccnt > 0 ? DDI_INTR_CLAIMED : DDI_INTR_UNCLAIMED);
3189 }
3190 
3191 static void
3192 nvme_release_interrupts(nvme_t *nvme)
3193 {
3194 	int i;
3195 
3196 	for (i = 0; i < nvme->n_intr_cnt; i++) {
3197 		if (nvme->n_inth[i] == NULL)
3198 			break;
3199 
3200 		if (nvme->n_intr_cap & DDI_INTR_FLAG_BLOCK)
3201 			(void) ddi_intr_block_disable(&nvme->n_inth[i], 1);
3202 		else
3203 			(void) ddi_intr_disable(nvme->n_inth[i]);
3204 
3205 		(void) ddi_intr_remove_handler(nvme->n_inth[i]);
3206 		(void) ddi_intr_free(nvme->n_inth[i]);
3207 	}
3208 
3209 	kmem_free(nvme->n_inth, nvme->n_inth_sz);
3210 	nvme->n_inth = NULL;
3211 	nvme->n_inth_sz = 0;
3212 
3213 	nvme->n_progress &= ~NVME_INTERRUPTS;
3214 }
3215 
3216 static int
3217 nvme_setup_interrupts(nvme_t *nvme, int intr_type, int nqpairs)
3218 {
3219 	int nintrs, navail, count;
3220 	int ret;
3221 	int i;
3222 
3223 	if (nvme->n_intr_types == 0) {
3224 		ret = ddi_intr_get_supported_types(nvme->n_dip,
3225 		    &nvme->n_intr_types);
3226 		if (ret != DDI_SUCCESS) {
3227 			dev_err(nvme->n_dip, CE_WARN,
3228 			    "!%s: ddi_intr_get_supported types failed",
3229 			    __func__);
3230 			return (ret);
3231 		}
3232 #ifdef __x86
3233 		if (get_hwenv() == HW_VMWARE)
3234 			nvme->n_intr_types &= ~DDI_INTR_TYPE_MSIX;
3235 #endif
3236 	}
3237 
3238 	if ((nvme->n_intr_types & intr_type) == 0)
3239 		return (DDI_FAILURE);
3240 
3241 	ret = ddi_intr_get_nintrs(nvme->n_dip, intr_type, &nintrs);
3242 	if (ret != DDI_SUCCESS) {
3243 		dev_err(nvme->n_dip, CE_WARN, "!%s: ddi_intr_get_nintrs failed",
3244 		    __func__);
3245 		return (ret);
3246 	}
3247 
3248 	ret = ddi_intr_get_navail(nvme->n_dip, intr_type, &navail);
3249 	if (ret != DDI_SUCCESS) {
3250 		dev_err(nvme->n_dip, CE_WARN, "!%s: ddi_intr_get_navail failed",
3251 		    __func__);
3252 		return (ret);
3253 	}
3254 
3255 	/* We want at most one interrupt per queue pair. */
3256 	if (navail > nqpairs)
3257 		navail = nqpairs;
3258 
3259 	nvme->n_inth_sz = sizeof (ddi_intr_handle_t) * navail;
3260 	nvme->n_inth = kmem_zalloc(nvme->n_inth_sz, KM_SLEEP);
3261 
3262 	ret = ddi_intr_alloc(nvme->n_dip, nvme->n_inth, intr_type, 0, navail,
3263 	    &count, 0);
3264 	if (ret != DDI_SUCCESS) {
3265 		dev_err(nvme->n_dip, CE_WARN, "!%s: ddi_intr_alloc failed",
3266 		    __func__);
3267 		goto fail;
3268 	}
3269 
3270 	nvme->n_intr_cnt = count;
3271 
3272 	ret = ddi_intr_get_pri(nvme->n_inth[0], &nvme->n_intr_pri);
3273 	if (ret != DDI_SUCCESS) {
3274 		dev_err(nvme->n_dip, CE_WARN, "!%s: ddi_intr_get_pri failed",
3275 		    __func__);
3276 		goto fail;
3277 	}
3278 
3279 	for (i = 0; i < count; i++) {
3280 		ret = ddi_intr_add_handler(nvme->n_inth[i], nvme_intr,
3281 		    (void *)nvme, (void *)(uintptr_t)i);
3282 		if (ret != DDI_SUCCESS) {
3283 			dev_err(nvme->n_dip, CE_WARN,
3284 			    "!%s: ddi_intr_add_handler failed", __func__);
3285 			goto fail;
3286 		}
3287 	}
3288 
3289 	(void) ddi_intr_get_cap(nvme->n_inth[0], &nvme->n_intr_cap);
3290 
3291 	for (i = 0; i < count; i++) {
3292 		if (nvme->n_intr_cap & DDI_INTR_FLAG_BLOCK)
3293 			ret = ddi_intr_block_enable(&nvme->n_inth[i], 1);
3294 		else
3295 			ret = ddi_intr_enable(nvme->n_inth[i]);
3296 
3297 		if (ret != DDI_SUCCESS) {
3298 			dev_err(nvme->n_dip, CE_WARN,
3299 			    "!%s: enabling interrupt %d failed", __func__, i);
3300 			goto fail;
3301 		}
3302 	}
3303 
3304 	nvme->n_intr_type = intr_type;
3305 
3306 	nvme->n_progress |= NVME_INTERRUPTS;
3307 
3308 	return (DDI_SUCCESS);
3309 
3310 fail:
3311 	nvme_release_interrupts(nvme);
3312 
3313 	return (ret);
3314 }
3315 
3316 static int
3317 nvme_fm_errcb(dev_info_t *dip, ddi_fm_error_t *fm_error, const void *arg)
3318 {
3319 	_NOTE(ARGUNUSED(arg));
3320 
3321 	pci_ereport_post(dip, fm_error, NULL);
3322 	return (fm_error->fme_status);
3323 }
3324 
3325 static void
3326 nvme_remove_callback(dev_info_t *dip, ddi_eventcookie_t cookie, void *a,
3327     void *b)
3328 {
3329 	nvme_t *nvme = a;
3330 
3331 	nvme->n_dead = B_TRUE;
3332 
3333 	/*
3334 	 * Fail all outstanding commands, including those in the admin queue
3335 	 * (queue 0).
3336 	 */
3337 	for (uint_t i = 0; i < nvme->n_ioq_count + 1; i++) {
3338 		nvme_qpair_t *qp = nvme->n_ioq[i];
3339 
3340 		mutex_enter(&qp->nq_mutex);
3341 		for (size_t j = 0; j < qp->nq_nentry; j++) {
3342 			nvme_cmd_t *cmd = qp->nq_cmd[j];
3343 			nvme_cmd_t *u_cmd;
3344 
3345 			if (cmd == NULL) {
3346 				continue;
3347 			}
3348 
3349 			/*
3350 			 * Since we have the queue lock held the entire time we
3351 			 * iterate over it, it's not possible for the queue to
3352 			 * change underneath us. Thus, we don't need to check
3353 			 * that the return value of nvme_unqueue_cmd matches the
3354 			 * requested cmd to unqueue.
3355 			 */
3356 			u_cmd = nvme_unqueue_cmd(nvme, qp, cmd->nc_sqe.sqe_cid);
3357 			taskq_dispatch_ent(qp->nq_cq->ncq_cmd_taskq,
3358 			    cmd->nc_callback, cmd, TQ_NOSLEEP, &cmd->nc_tqent);
3359 
3360 			ASSERT3P(u_cmd, ==, cmd);
3361 		}
3362 		mutex_exit(&qp->nq_mutex);
3363 	}
3364 }
3365 
3366 static int
3367 nvme_attach(dev_info_t *dip, ddi_attach_cmd_t cmd)
3368 {
3369 	nvme_t *nvme;
3370 	int instance;
3371 	int nregs;
3372 	off_t regsize;
3373 	int i;
3374 	char name[32];
3375 	bd_ops_t ops = nvme_bd_ops;
3376 
3377 	if (cmd != DDI_ATTACH)
3378 		return (DDI_FAILURE);
3379 
3380 	instance = ddi_get_instance(dip);
3381 
3382 	if (ddi_soft_state_zalloc(nvme_state, instance) != DDI_SUCCESS)
3383 		return (DDI_FAILURE);
3384 
3385 	nvme = ddi_get_soft_state(nvme_state, instance);
3386 	ddi_set_driver_private(dip, nvme);
3387 	nvme->n_dip = dip;
3388 
3389 	/* Set up event handlers for hot removal. */
3390 	if (ddi_get_eventcookie(nvme->n_dip, DDI_DEVI_REMOVE_EVENT,
3391 	    &nvme->n_rm_cookie) != DDI_SUCCESS) {
3392 		goto fail;
3393 	}
3394 	if (ddi_add_event_handler(nvme->n_dip, nvme->n_rm_cookie,
3395 	    nvme_remove_callback, nvme, &nvme->n_ev_rm_cb_id) !=
3396 	    DDI_SUCCESS) {
3397 		goto fail;
3398 	}
3399 
3400 	mutex_init(&nvme->n_minor.nm_mutex, NULL, MUTEX_DRIVER, NULL);
3401 
3402 	nvme->n_strict_version = ddi_prop_get_int(DDI_DEV_T_ANY, dip,
3403 	    DDI_PROP_DONTPASS, "strict-version", 1) == 1 ? B_TRUE : B_FALSE;
3404 	nvme->n_ignore_unknown_vendor_status = ddi_prop_get_int(DDI_DEV_T_ANY,
3405 	    dip, DDI_PROP_DONTPASS, "ignore-unknown-vendor-status", 0) == 1 ?
3406 	    B_TRUE : B_FALSE;
3407 	nvme->n_admin_queue_len = ddi_prop_get_int(DDI_DEV_T_ANY, dip,
3408 	    DDI_PROP_DONTPASS, "admin-queue-len", NVME_DEFAULT_ADMIN_QUEUE_LEN);
3409 	nvme->n_io_squeue_len = ddi_prop_get_int(DDI_DEV_T_ANY, dip,
3410 	    DDI_PROP_DONTPASS, "io-squeue-len", NVME_DEFAULT_IO_QUEUE_LEN);
3411 	/*
3412 	 * Double up the default for completion queues in case of
3413 	 * queue sharing.
3414 	 */
3415 	nvme->n_io_cqueue_len = ddi_prop_get_int(DDI_DEV_T_ANY, dip,
3416 	    DDI_PROP_DONTPASS, "io-cqueue-len", 2 * NVME_DEFAULT_IO_QUEUE_LEN);
3417 	nvme->n_async_event_limit = ddi_prop_get_int(DDI_DEV_T_ANY, dip,
3418 	    DDI_PROP_DONTPASS, "async-event-limit",
3419 	    NVME_DEFAULT_ASYNC_EVENT_LIMIT);
3420 	nvme->n_write_cache_enabled = ddi_prop_get_int(DDI_DEV_T_ANY, dip,
3421 	    DDI_PROP_DONTPASS, "volatile-write-cache-enable", 1) != 0 ?
3422 	    B_TRUE : B_FALSE;
3423 	nvme->n_min_block_size = ddi_prop_get_int(DDI_DEV_T_ANY, dip,
3424 	    DDI_PROP_DONTPASS, "min-phys-block-size",
3425 	    NVME_DEFAULT_MIN_BLOCK_SIZE);
3426 	nvme->n_submission_queues = ddi_prop_get_int(DDI_DEV_T_ANY, dip,
3427 	    DDI_PROP_DONTPASS, "max-submission-queues", -1);
3428 	nvme->n_completion_queues = ddi_prop_get_int(DDI_DEV_T_ANY, dip,
3429 	    DDI_PROP_DONTPASS, "max-completion-queues", -1);
3430 
3431 	if (!ISP2(nvme->n_min_block_size) ||
3432 	    (nvme->n_min_block_size < NVME_DEFAULT_MIN_BLOCK_SIZE)) {
3433 		dev_err(dip, CE_WARN, "!min-phys-block-size %s, "
3434 		    "using default %d", ISP2(nvme->n_min_block_size) ?
3435 		    "too low" : "not a power of 2",
3436 		    NVME_DEFAULT_MIN_BLOCK_SIZE);
3437 		nvme->n_min_block_size = NVME_DEFAULT_MIN_BLOCK_SIZE;
3438 	}
3439 
3440 	if (nvme->n_submission_queues != -1 &&
3441 	    (nvme->n_submission_queues < 1 ||
3442 	    nvme->n_submission_queues > UINT16_MAX)) {
3443 		dev_err(dip, CE_WARN, "!\"submission-queues\"=%d is not "
3444 		    "valid. Must be [1..%d]", nvme->n_submission_queues,
3445 		    UINT16_MAX);
3446 		nvme->n_submission_queues = -1;
3447 	}
3448 
3449 	if (nvme->n_completion_queues != -1 &&
3450 	    (nvme->n_completion_queues < 1 ||
3451 	    nvme->n_completion_queues > UINT16_MAX)) {
3452 		dev_err(dip, CE_WARN, "!\"completion-queues\"=%d is not "
3453 		    "valid. Must be [1..%d]", nvme->n_completion_queues,
3454 		    UINT16_MAX);
3455 		nvme->n_completion_queues = -1;
3456 	}
3457 
3458 	if (nvme->n_admin_queue_len < NVME_MIN_ADMIN_QUEUE_LEN)
3459 		nvme->n_admin_queue_len = NVME_MIN_ADMIN_QUEUE_LEN;
3460 	else if (nvme->n_admin_queue_len > NVME_MAX_ADMIN_QUEUE_LEN)
3461 		nvme->n_admin_queue_len = NVME_MAX_ADMIN_QUEUE_LEN;
3462 
3463 	if (nvme->n_io_squeue_len < NVME_MIN_IO_QUEUE_LEN)
3464 		nvme->n_io_squeue_len = NVME_MIN_IO_QUEUE_LEN;
3465 	if (nvme->n_io_cqueue_len < NVME_MIN_IO_QUEUE_LEN)
3466 		nvme->n_io_cqueue_len = NVME_MIN_IO_QUEUE_LEN;
3467 
3468 	if (nvme->n_async_event_limit < 1)
3469 		nvme->n_async_event_limit = NVME_DEFAULT_ASYNC_EVENT_LIMIT;
3470 
3471 	nvme->n_reg_acc_attr = nvme_reg_acc_attr;
3472 	nvme->n_queue_dma_attr = nvme_queue_dma_attr;
3473 	nvme->n_prp_dma_attr = nvme_prp_dma_attr;
3474 	nvme->n_sgl_dma_attr = nvme_sgl_dma_attr;
3475 
3476 	/*
3477 	 * Setup FMA support.
3478 	 */
3479 	nvme->n_fm_cap = ddi_getprop(DDI_DEV_T_ANY, dip,
3480 	    DDI_PROP_CANSLEEP | DDI_PROP_DONTPASS, "fm-capable",
3481 	    DDI_FM_EREPORT_CAPABLE | DDI_FM_ACCCHK_CAPABLE |
3482 	    DDI_FM_DMACHK_CAPABLE | DDI_FM_ERRCB_CAPABLE);
3483 
3484 	ddi_fm_init(dip, &nvme->n_fm_cap, &nvme->n_fm_ibc);
3485 
3486 	if (nvme->n_fm_cap) {
3487 		if (nvme->n_fm_cap & DDI_FM_ACCCHK_CAPABLE)
3488 			nvme->n_reg_acc_attr.devacc_attr_access =
3489 			    DDI_FLAGERR_ACC;
3490 
3491 		if (nvme->n_fm_cap & DDI_FM_DMACHK_CAPABLE) {
3492 			nvme->n_prp_dma_attr.dma_attr_flags |= DDI_DMA_FLAGERR;
3493 			nvme->n_sgl_dma_attr.dma_attr_flags |= DDI_DMA_FLAGERR;
3494 		}
3495 
3496 		if (DDI_FM_EREPORT_CAP(nvme->n_fm_cap) ||
3497 		    DDI_FM_ERRCB_CAP(nvme->n_fm_cap))
3498 			pci_ereport_setup(dip);
3499 
3500 		if (DDI_FM_ERRCB_CAP(nvme->n_fm_cap))
3501 			ddi_fm_handler_register(dip, nvme_fm_errcb,
3502 			    (void *)nvme);
3503 	}
3504 
3505 	nvme->n_progress |= NVME_FMA_INIT;
3506 
3507 	/*
3508 	 * The spec defines several register sets. Only the controller
3509 	 * registers (set 1) are currently used.
3510 	 */
3511 	if (ddi_dev_nregs(dip, &nregs) == DDI_FAILURE ||
3512 	    nregs < 2 ||
3513 	    ddi_dev_regsize(dip, 1, &regsize) == DDI_FAILURE)
3514 		goto fail;
3515 
3516 	if (ddi_regs_map_setup(dip, 1, &nvme->n_regs, 0, regsize,
3517 	    &nvme->n_reg_acc_attr, &nvme->n_regh) != DDI_SUCCESS) {
3518 		dev_err(dip, CE_WARN, "!failed to map regset 1");
3519 		goto fail;
3520 	}
3521 
3522 	nvme->n_progress |= NVME_REGS_MAPPED;
3523 
3524 	/*
3525 	 * Create PRP DMA cache
3526 	 */
3527 	(void) snprintf(name, sizeof (name), "%s%d_prp_cache",
3528 	    ddi_driver_name(dip), ddi_get_instance(dip));
3529 	nvme->n_prp_cache = kmem_cache_create(name, sizeof (nvme_dma_t),
3530 	    0, nvme_prp_dma_constructor, nvme_prp_dma_destructor,
3531 	    NULL, (void *)nvme, NULL, 0);
3532 
3533 	if (nvme_init(nvme) != DDI_SUCCESS)
3534 		goto fail;
3535 
3536 	if (!nvme->n_idctl->id_oncs.on_dset_mgmt)
3537 		ops.o_free_space = NULL;
3538 
3539 	/*
3540 	 * Initialize the driver with the UFM subsystem
3541 	 */
3542 	if (ddi_ufm_init(dip, DDI_UFM_CURRENT_VERSION, &nvme_ufm_ops,
3543 	    &nvme->n_ufmh, nvme) != 0) {
3544 		dev_err(dip, CE_WARN, "!failed to initialize UFM subsystem");
3545 		goto fail;
3546 	}
3547 	mutex_init(&nvme->n_fwslot_mutex, NULL, MUTEX_DRIVER, NULL);
3548 	ddi_ufm_update(nvme->n_ufmh);
3549 	nvme->n_progress |= NVME_UFM_INIT;
3550 
3551 	/*
3552 	 * Attach the blkdev driver for each namespace.
3553 	 */
3554 	for (i = 0; i != nvme->n_namespace_count; i++) {
3555 		if (ddi_create_minor_node(nvme->n_dip, nvme->n_ns[i].ns_name,
3556 		    S_IFCHR, NVME_MINOR(ddi_get_instance(nvme->n_dip), i + 1),
3557 		    DDI_NT_NVME_ATTACHMENT_POINT, 0) != DDI_SUCCESS) {
3558 			dev_err(dip, CE_WARN,
3559 			    "!failed to create minor node for namespace %d", i);
3560 			goto fail;
3561 		}
3562 
3563 		if (nvme->n_ns[i].ns_ignore)
3564 			continue;
3565 
3566 		nvme->n_ns[i].ns_bd_hdl = bd_alloc_handle(&nvme->n_ns[i],
3567 		    &ops, &nvme->n_prp_dma_attr, KM_SLEEP);
3568 
3569 		if (nvme->n_ns[i].ns_bd_hdl == NULL) {
3570 			dev_err(dip, CE_WARN,
3571 			    "!failed to get blkdev handle for namespace %d", i);
3572 			goto fail;
3573 		}
3574 
3575 		if (bd_attach_handle(dip, nvme->n_ns[i].ns_bd_hdl)
3576 		    != DDI_SUCCESS) {
3577 			dev_err(dip, CE_WARN,
3578 			    "!failed to attach blkdev handle for namespace %d",
3579 			    i);
3580 			goto fail;
3581 		}
3582 	}
3583 
3584 	if (ddi_create_minor_node(dip, "devctl", S_IFCHR,
3585 	    NVME_MINOR(ddi_get_instance(dip), 0), DDI_NT_NVME_NEXUS, 0)
3586 	    != DDI_SUCCESS) {
3587 		dev_err(dip, CE_WARN, "nvme_attach: "
3588 		    "cannot create devctl minor node");
3589 		goto fail;
3590 	}
3591 
3592 	return (DDI_SUCCESS);
3593 
3594 fail:
3595 	/* attach successful anyway so that FMA can retire the device */
3596 	if (nvme->n_dead)
3597 		return (DDI_SUCCESS);
3598 
3599 	(void) nvme_detach(dip, DDI_DETACH);
3600 
3601 	return (DDI_FAILURE);
3602 }
3603 
3604 static int
3605 nvme_detach(dev_info_t *dip, ddi_detach_cmd_t cmd)
3606 {
3607 	int instance, i;
3608 	nvme_t *nvme;
3609 
3610 	if (cmd != DDI_DETACH)
3611 		return (DDI_FAILURE);
3612 
3613 	instance = ddi_get_instance(dip);
3614 
3615 	nvme = ddi_get_soft_state(nvme_state, instance);
3616 
3617 	if (nvme == NULL)
3618 		return (DDI_FAILURE);
3619 
3620 	ddi_remove_minor_node(dip, "devctl");
3621 	mutex_destroy(&nvme->n_minor.nm_mutex);
3622 
3623 	if (nvme->n_ns) {
3624 		for (i = 0; i != nvme->n_namespace_count; i++) {
3625 			ddi_remove_minor_node(dip, nvme->n_ns[i].ns_name);
3626 			mutex_destroy(&nvme->n_ns[i].ns_minor.nm_mutex);
3627 
3628 			if (nvme->n_ns[i].ns_bd_hdl) {
3629 				(void) bd_detach_handle(
3630 				    nvme->n_ns[i].ns_bd_hdl);
3631 				bd_free_handle(nvme->n_ns[i].ns_bd_hdl);
3632 			}
3633 
3634 			if (nvme->n_ns[i].ns_idns)
3635 				kmem_free(nvme->n_ns[i].ns_idns,
3636 				    sizeof (nvme_identify_nsid_t));
3637 			if (nvme->n_ns[i].ns_devid)
3638 				strfree(nvme->n_ns[i].ns_devid);
3639 		}
3640 
3641 		kmem_free(nvme->n_ns, sizeof (nvme_namespace_t) *
3642 		    nvme->n_namespace_count);
3643 	}
3644 	if (nvme->n_progress & NVME_UFM_INIT) {
3645 		ddi_ufm_fini(nvme->n_ufmh);
3646 		mutex_destroy(&nvme->n_fwslot_mutex);
3647 	}
3648 
3649 	if (nvme->n_progress & NVME_INTERRUPTS)
3650 		nvme_release_interrupts(nvme);
3651 
3652 	for (i = 0; i < nvme->n_cq_count; i++) {
3653 		if (nvme->n_cq[i]->ncq_cmd_taskq != NULL)
3654 			taskq_wait(nvme->n_cq[i]->ncq_cmd_taskq);
3655 	}
3656 
3657 	if (nvme->n_ioq_count > 0) {
3658 		for (i = 1; i != nvme->n_ioq_count + 1; i++) {
3659 			if (nvme->n_ioq[i] != NULL) {
3660 				/* TODO: send destroy queue commands */
3661 				nvme_free_qpair(nvme->n_ioq[i]);
3662 			}
3663 		}
3664 
3665 		kmem_free(nvme->n_ioq, sizeof (nvme_qpair_t *) *
3666 		    (nvme->n_ioq_count + 1));
3667 	}
3668 
3669 	if (nvme->n_prp_cache != NULL) {
3670 		kmem_cache_destroy(nvme->n_prp_cache);
3671 	}
3672 
3673 	if (nvme->n_progress & NVME_REGS_MAPPED) {
3674 		nvme_shutdown(nvme, NVME_CC_SHN_NORMAL, B_FALSE);
3675 		(void) nvme_reset(nvme, B_FALSE);
3676 	}
3677 
3678 	if (nvme->n_progress & NVME_CTRL_LIMITS)
3679 		sema_destroy(&nvme->n_abort_sema);
3680 
3681 	if (nvme->n_progress & NVME_ADMIN_QUEUE)
3682 		nvme_free_qpair(nvme->n_adminq);
3683 
3684 	if (nvme->n_cq_count > 0) {
3685 		nvme_destroy_cq_array(nvme, 0);
3686 		nvme->n_cq = NULL;
3687 		nvme->n_cq_count = 0;
3688 	}
3689 
3690 	if (nvme->n_idctl)
3691 		kmem_free(nvme->n_idctl, NVME_IDENTIFY_BUFSIZE);
3692 
3693 	if (nvme->n_progress & NVME_REGS_MAPPED)
3694 		ddi_regs_map_free(&nvme->n_regh);
3695 
3696 	if (nvme->n_progress & NVME_FMA_INIT) {
3697 		if (DDI_FM_ERRCB_CAP(nvme->n_fm_cap))
3698 			ddi_fm_handler_unregister(nvme->n_dip);
3699 
3700 		if (DDI_FM_EREPORT_CAP(nvme->n_fm_cap) ||
3701 		    DDI_FM_ERRCB_CAP(nvme->n_fm_cap))
3702 			pci_ereport_teardown(nvme->n_dip);
3703 
3704 		ddi_fm_fini(nvme->n_dip);
3705 	}
3706 
3707 	if (nvme->n_vendor != NULL)
3708 		strfree(nvme->n_vendor);
3709 
3710 	if (nvme->n_product != NULL)
3711 		strfree(nvme->n_product);
3712 
3713 	/* Clean up hot removal event handler. */
3714 	if (nvme->n_ev_rm_cb_id != NULL) {
3715 		(void) ddi_remove_event_handler(nvme->n_ev_rm_cb_id);
3716 	}
3717 	nvme->n_ev_rm_cb_id = NULL;
3718 
3719 	ddi_soft_state_free(nvme_state, instance);
3720 
3721 	return (DDI_SUCCESS);
3722 }
3723 
3724 static int
3725 nvme_quiesce(dev_info_t *dip)
3726 {
3727 	int instance;
3728 	nvme_t *nvme;
3729 
3730 	instance = ddi_get_instance(dip);
3731 
3732 	nvme = ddi_get_soft_state(nvme_state, instance);
3733 
3734 	if (nvme == NULL)
3735 		return (DDI_FAILURE);
3736 
3737 	nvme_shutdown(nvme, NVME_CC_SHN_ABRUPT, B_TRUE);
3738 
3739 	(void) nvme_reset(nvme, B_TRUE);
3740 
3741 	return (DDI_FAILURE);
3742 }
3743 
3744 static int
3745 nvme_fill_prp(nvme_cmd_t *cmd, ddi_dma_handle_t dma)
3746 {
3747 	nvme_t *nvme = cmd->nc_nvme;
3748 	uint_t nprp_per_page, nprp;
3749 	uint64_t *prp;
3750 	const ddi_dma_cookie_t *cookie;
3751 	uint_t idx;
3752 	uint_t ncookies = ddi_dma_ncookies(dma);
3753 
3754 	if (ncookies == 0)
3755 		return (DDI_FAILURE);
3756 
3757 	if ((cookie = ddi_dma_cookie_get(dma, 0)) == NULL)
3758 		return (DDI_FAILURE);
3759 	cmd->nc_sqe.sqe_dptr.d_prp[0] = cookie->dmac_laddress;
3760 
3761 	if (ncookies == 1) {
3762 		cmd->nc_sqe.sqe_dptr.d_prp[1] = 0;
3763 		return (DDI_SUCCESS);
3764 	} else if (ncookies == 2) {
3765 		if ((cookie = ddi_dma_cookie_get(dma, 1)) == NULL)
3766 			return (DDI_FAILURE);
3767 		cmd->nc_sqe.sqe_dptr.d_prp[1] = cookie->dmac_laddress;
3768 		return (DDI_SUCCESS);
3769 	}
3770 
3771 	/*
3772 	 * At this point, we're always operating on cookies at
3773 	 * index >= 1 and writing the addresses of those cookies
3774 	 * into a new page. The address of that page is stored
3775 	 * as the second PRP entry.
3776 	 */
3777 	nprp_per_page = nvme->n_pagesize / sizeof (uint64_t);
3778 	ASSERT(nprp_per_page > 0);
3779 
3780 	/*
3781 	 * We currently don't support chained PRPs and set up our DMA
3782 	 * attributes to reflect that. If we still get an I/O request
3783 	 * that needs a chained PRP something is very wrong. Account
3784 	 * for the first cookie here, which we've placed in d_prp[0].
3785 	 */
3786 	nprp = howmany(ncookies - 1, nprp_per_page);
3787 	VERIFY(nprp == 1);
3788 
3789 	/*
3790 	 * Allocate a page of pointers, in which we'll write the
3791 	 * addresses of cookies 1 to `ncookies`.
3792 	 */
3793 	cmd->nc_prp = kmem_cache_alloc(nvme->n_prp_cache, KM_SLEEP);
3794 	bzero(cmd->nc_prp->nd_memp, cmd->nc_prp->nd_len);
3795 	cmd->nc_sqe.sqe_dptr.d_prp[1] = cmd->nc_prp->nd_cookie.dmac_laddress;
3796 
3797 	prp = (uint64_t *)cmd->nc_prp->nd_memp;
3798 	for (idx = 1; idx < ncookies; idx++) {
3799 		if ((cookie = ddi_dma_cookie_get(dma, idx)) == NULL)
3800 			return (DDI_FAILURE);
3801 		*prp++ = cookie->dmac_laddress;
3802 	}
3803 
3804 	(void) ddi_dma_sync(cmd->nc_prp->nd_dmah, 0, cmd->nc_prp->nd_len,
3805 	    DDI_DMA_SYNC_FORDEV);
3806 	return (DDI_SUCCESS);
3807 }
3808 
3809 /*
3810  * The maximum number of requests supported for a deallocate request is
3811  * NVME_DSET_MGMT_MAX_RANGES (256) -- this is from the NVMe 1.1 spec (and
3812  * unchanged through at least 1.4a). The definition of nvme_range_t is also
3813  * from the NVMe 1.1 spec. Together, the result is that all of the ranges for
3814  * a deallocate request will fit into the smallest supported namespace page
3815  * (4k).
3816  */
3817 CTASSERT(sizeof (nvme_range_t) * NVME_DSET_MGMT_MAX_RANGES == 4096);
3818 
3819 static int
3820 nvme_fill_ranges(nvme_cmd_t *cmd, bd_xfer_t *xfer, uint64_t blocksize,
3821     int allocflag)
3822 {
3823 	const dkioc_free_list_t *dfl = xfer->x_dfl;
3824 	const dkioc_free_list_ext_t *exts = dfl->dfl_exts;
3825 	nvme_t *nvme = cmd->nc_nvme;
3826 	nvme_range_t *ranges = NULL;
3827 	uint_t i;
3828 
3829 	/*
3830 	 * The number of ranges in the request is 0s based (that is
3831 	 * word10 == 0 -> 1 range, word10 == 1 -> 2 ranges, ...,
3832 	 * word10 == 255 -> 256 ranges). Therefore the allowed values are
3833 	 * [1..NVME_DSET_MGMT_MAX_RANGES]. If blkdev gives us a bad request,
3834 	 * we either provided bad info in nvme_bd_driveinfo() or there is a bug
3835 	 * in blkdev.
3836 	 */
3837 	VERIFY3U(dfl->dfl_num_exts, >, 0);
3838 	VERIFY3U(dfl->dfl_num_exts, <=, NVME_DSET_MGMT_MAX_RANGES);
3839 	cmd->nc_sqe.sqe_cdw10 = (dfl->dfl_num_exts - 1) & 0xff;
3840 
3841 	cmd->nc_sqe.sqe_cdw11 = NVME_DSET_MGMT_ATTR_DEALLOCATE;
3842 
3843 	cmd->nc_prp = kmem_cache_alloc(nvme->n_prp_cache, allocflag);
3844 	if (cmd->nc_prp == NULL)
3845 		return (DDI_FAILURE);
3846 
3847 	bzero(cmd->nc_prp->nd_memp, cmd->nc_prp->nd_len);
3848 	ranges = (nvme_range_t *)cmd->nc_prp->nd_memp;
3849 
3850 	cmd->nc_sqe.sqe_dptr.d_prp[0] = cmd->nc_prp->nd_cookie.dmac_laddress;
3851 	cmd->nc_sqe.sqe_dptr.d_prp[1] = 0;
3852 
3853 	for (i = 0; i < dfl->dfl_num_exts; i++) {
3854 		uint64_t lba, len;
3855 
3856 		lba = (dfl->dfl_offset + exts[i].dfle_start) / blocksize;
3857 		len = exts[i].dfle_length / blocksize;
3858 
3859 		VERIFY3U(len, <=, UINT32_MAX);
3860 
3861 		/* No context attributes for a deallocate request */
3862 		ranges[i].nr_ctxattr = 0;
3863 		ranges[i].nr_len = len;
3864 		ranges[i].nr_lba = lba;
3865 	}
3866 
3867 	(void) ddi_dma_sync(cmd->nc_prp->nd_dmah, 0, cmd->nc_prp->nd_len,
3868 	    DDI_DMA_SYNC_FORDEV);
3869 
3870 	return (DDI_SUCCESS);
3871 }
3872 
3873 static nvme_cmd_t *
3874 nvme_create_nvm_cmd(nvme_namespace_t *ns, uint8_t opc, bd_xfer_t *xfer)
3875 {
3876 	nvme_t *nvme = ns->ns_nvme;
3877 	nvme_cmd_t *cmd;
3878 	int allocflag;
3879 
3880 	/*
3881 	 * Blkdev only sets BD_XFER_POLL when dumping, so don't sleep.
3882 	 */
3883 	allocflag = (xfer->x_flags & BD_XFER_POLL) ? KM_NOSLEEP : KM_SLEEP;
3884 	cmd = nvme_alloc_cmd(nvme, allocflag);
3885 
3886 	if (cmd == NULL)
3887 		return (NULL);
3888 
3889 	cmd->nc_sqe.sqe_opc = opc;
3890 	cmd->nc_callback = nvme_bd_xfer_done;
3891 	cmd->nc_xfer = xfer;
3892 
3893 	switch (opc) {
3894 	case NVME_OPC_NVM_WRITE:
3895 	case NVME_OPC_NVM_READ:
3896 		VERIFY(xfer->x_nblks <= 0x10000);
3897 
3898 		cmd->nc_sqe.sqe_nsid = ns->ns_id;
3899 
3900 		cmd->nc_sqe.sqe_cdw10 = xfer->x_blkno & 0xffffffffu;
3901 		cmd->nc_sqe.sqe_cdw11 = (xfer->x_blkno >> 32);
3902 		cmd->nc_sqe.sqe_cdw12 = (uint16_t)(xfer->x_nblks - 1);
3903 
3904 		if (nvme_fill_prp(cmd, xfer->x_dmah) != DDI_SUCCESS)
3905 			goto fail;
3906 		break;
3907 
3908 	case NVME_OPC_NVM_FLUSH:
3909 		cmd->nc_sqe.sqe_nsid = ns->ns_id;
3910 		break;
3911 
3912 	case NVME_OPC_NVM_DSET_MGMT:
3913 		cmd->nc_sqe.sqe_nsid = ns->ns_id;
3914 
3915 		if (nvme_fill_ranges(cmd, xfer,
3916 		    (uint64_t)ns->ns_block_size, allocflag) != DDI_SUCCESS)
3917 			goto fail;
3918 		break;
3919 
3920 	default:
3921 		goto fail;
3922 	}
3923 
3924 	return (cmd);
3925 
3926 fail:
3927 	nvme_free_cmd(cmd);
3928 	return (NULL);
3929 }
3930 
3931 static void
3932 nvme_bd_xfer_done(void *arg)
3933 {
3934 	nvme_cmd_t *cmd = arg;
3935 	bd_xfer_t *xfer = cmd->nc_xfer;
3936 	int error = 0;
3937 
3938 	error = nvme_check_cmd_status(cmd);
3939 	nvme_free_cmd(cmd);
3940 
3941 	bd_xfer_done(xfer, error);
3942 }
3943 
3944 static void
3945 nvme_bd_driveinfo(void *arg, bd_drive_t *drive)
3946 {
3947 	nvme_namespace_t *ns = arg;
3948 	nvme_t *nvme = ns->ns_nvme;
3949 	uint_t ns_count = MAX(1, nvme->n_namespaces_attachable);
3950 
3951 	/*
3952 	 * Set the blkdev qcount to the number of submission queues.
3953 	 * It will then create one waitq/runq pair for each submission
3954 	 * queue and spread I/O requests across the queues.
3955 	 */
3956 	drive->d_qcount = nvme->n_ioq_count;
3957 
3958 	/*
3959 	 * I/O activity to individual namespaces is distributed across
3960 	 * each of the d_qcount blkdev queues (which has been set to
3961 	 * the number of nvme submission queues). d_qsize is the number
3962 	 * of submitted and not completed I/Os within each queue that blkdev
3963 	 * will allow before it starts holding them in the waitq.
3964 	 *
3965 	 * Each namespace will create a child blkdev instance, for each one
3966 	 * we try and set the d_qsize so that each namespace gets an
3967 	 * equal portion of the submission queue.
3968 	 *
3969 	 * If post instantiation of the nvme drive, n_namespaces_attachable
3970 	 * changes and a namespace is attached it could calculate a
3971 	 * different d_qsize. It may even be that the sum of the d_qsizes is
3972 	 * now beyond the submission queue size. Should that be the case
3973 	 * and the I/O rate is such that blkdev attempts to submit more
3974 	 * I/Os than the size of the submission queue, the excess I/Os
3975 	 * will be held behind the semaphore nq_sema.
3976 	 */
3977 	drive->d_qsize = nvme->n_io_squeue_len / ns_count;
3978 
3979 	/*
3980 	 * Don't let the queue size drop below the minimum, though.
3981 	 */
3982 	drive->d_qsize = MAX(drive->d_qsize, NVME_MIN_IO_QUEUE_LEN);
3983 
3984 	/*
3985 	 * d_maxxfer is not set, which means the value is taken from the DMA
3986 	 * attributes specified to bd_alloc_handle.
3987 	 */
3988 
3989 	drive->d_removable = B_FALSE;
3990 	drive->d_hotpluggable = B_FALSE;
3991 
3992 	bcopy(ns->ns_eui64, drive->d_eui64, sizeof (drive->d_eui64));
3993 	drive->d_target = ns->ns_id;
3994 	drive->d_lun = 0;
3995 
3996 	drive->d_model = nvme->n_idctl->id_model;
3997 	drive->d_model_len = sizeof (nvme->n_idctl->id_model);
3998 	drive->d_vendor = nvme->n_vendor;
3999 	drive->d_vendor_len = strlen(nvme->n_vendor);
4000 	drive->d_product = nvme->n_product;
4001 	drive->d_product_len = strlen(nvme->n_product);
4002 	drive->d_serial = nvme->n_idctl->id_serial;
4003 	drive->d_serial_len = sizeof (nvme->n_idctl->id_serial);
4004 	drive->d_revision = nvme->n_idctl->id_fwrev;
4005 	drive->d_revision_len = sizeof (nvme->n_idctl->id_fwrev);
4006 
4007 	/*
4008 	 * If we support the dataset management command, the only restrictions
4009 	 * on a discard request are the maximum number of ranges (segments)
4010 	 * per single request.
4011 	 */
4012 	if (nvme->n_idctl->id_oncs.on_dset_mgmt)
4013 		drive->d_max_free_seg = NVME_DSET_MGMT_MAX_RANGES;
4014 }
4015 
4016 static int
4017 nvme_bd_mediainfo(void *arg, bd_media_t *media)
4018 {
4019 	nvme_namespace_t *ns = arg;
4020 	nvme_t *nvme = ns->ns_nvme;
4021 
4022 	if (nvme->n_dead) {
4023 		return (EIO);
4024 	}
4025 
4026 	media->m_nblks = ns->ns_block_count;
4027 	media->m_blksize = ns->ns_block_size;
4028 	media->m_readonly = B_FALSE;
4029 	media->m_solidstate = B_TRUE;
4030 
4031 	media->m_pblksize = ns->ns_best_block_size;
4032 
4033 	return (0);
4034 }
4035 
4036 static int
4037 nvme_bd_cmd(nvme_namespace_t *ns, bd_xfer_t *xfer, uint8_t opc)
4038 {
4039 	nvme_t *nvme = ns->ns_nvme;
4040 	nvme_cmd_t *cmd;
4041 	nvme_qpair_t *ioq;
4042 	boolean_t poll;
4043 	int ret;
4044 
4045 	if (nvme->n_dead) {
4046 		return (EIO);
4047 	}
4048 
4049 	cmd = nvme_create_nvm_cmd(ns, opc, xfer);
4050 	if (cmd == NULL)
4051 		return (ENOMEM);
4052 
4053 	cmd->nc_sqid = xfer->x_qnum + 1;
4054 	ASSERT(cmd->nc_sqid <= nvme->n_ioq_count);
4055 	ioq = nvme->n_ioq[cmd->nc_sqid];
4056 
4057 	/*
4058 	 * Get the polling flag before submitting the command. The command may
4059 	 * complete immediately after it was submitted, which means we must
4060 	 * treat both cmd and xfer as if they have been freed already.
4061 	 */
4062 	poll = (xfer->x_flags & BD_XFER_POLL) != 0;
4063 
4064 	ret = nvme_submit_io_cmd(ioq, cmd);
4065 
4066 	if (ret != 0)
4067 		return (ret);
4068 
4069 	if (!poll)
4070 		return (0);
4071 
4072 	do {
4073 		cmd = nvme_retrieve_cmd(nvme, ioq);
4074 		if (cmd != NULL)
4075 			cmd->nc_callback(cmd);
4076 		else
4077 			drv_usecwait(10);
4078 	} while (ioq->nq_active_cmds != 0);
4079 
4080 	return (0);
4081 }
4082 
4083 static int
4084 nvme_bd_read(void *arg, bd_xfer_t *xfer)
4085 {
4086 	nvme_namespace_t *ns = arg;
4087 
4088 	return (nvme_bd_cmd(ns, xfer, NVME_OPC_NVM_READ));
4089 }
4090 
4091 static int
4092 nvme_bd_write(void *arg, bd_xfer_t *xfer)
4093 {
4094 	nvme_namespace_t *ns = arg;
4095 
4096 	return (nvme_bd_cmd(ns, xfer, NVME_OPC_NVM_WRITE));
4097 }
4098 
4099 static int
4100 nvme_bd_sync(void *arg, bd_xfer_t *xfer)
4101 {
4102 	nvme_namespace_t *ns = arg;
4103 
4104 	if (ns->ns_nvme->n_dead)
4105 		return (EIO);
4106 
4107 	/*
4108 	 * If the volatile write cache is not present or not enabled the FLUSH
4109 	 * command is a no-op, so we can take a shortcut here.
4110 	 */
4111 	if (!ns->ns_nvme->n_write_cache_present) {
4112 		bd_xfer_done(xfer, ENOTSUP);
4113 		return (0);
4114 	}
4115 
4116 	if (!ns->ns_nvme->n_write_cache_enabled) {
4117 		bd_xfer_done(xfer, 0);
4118 		return (0);
4119 	}
4120 
4121 	return (nvme_bd_cmd(ns, xfer, NVME_OPC_NVM_FLUSH));
4122 }
4123 
4124 static int
4125 nvme_bd_devid(void *arg, dev_info_t *devinfo, ddi_devid_t *devid)
4126 {
4127 	nvme_namespace_t *ns = arg;
4128 	nvme_t *nvme = ns->ns_nvme;
4129 
4130 	if (nvme->n_dead) {
4131 		return (EIO);
4132 	}
4133 
4134 	/*LINTED: E_BAD_PTR_CAST_ALIGN*/
4135 	if (*(uint64_t *)ns->ns_eui64 != 0) {
4136 		return (ddi_devid_init(devinfo, DEVID_SCSI3_WWN,
4137 		    sizeof (ns->ns_eui64), ns->ns_eui64, devid));
4138 	} else {
4139 		return (ddi_devid_init(devinfo, DEVID_ENCAP,
4140 		    strlen(ns->ns_devid), ns->ns_devid, devid));
4141 	}
4142 }
4143 
4144 static int
4145 nvme_bd_free_space(void *arg, bd_xfer_t *xfer)
4146 {
4147 	nvme_namespace_t *ns = arg;
4148 
4149 	if (xfer->x_dfl == NULL)
4150 		return (EINVAL);
4151 
4152 	if (!ns->ns_nvme->n_idctl->id_oncs.on_dset_mgmt)
4153 		return (ENOTSUP);
4154 
4155 	return (nvme_bd_cmd(ns, xfer, NVME_OPC_NVM_DSET_MGMT));
4156 }
4157 
4158 static int
4159 nvme_open(dev_t *devp, int flag, int otyp, cred_t *cred_p)
4160 {
4161 #ifndef __lock_lint
4162 	_NOTE(ARGUNUSED(cred_p));
4163 #endif
4164 	minor_t minor = getminor(*devp);
4165 	nvme_t *nvme = ddi_get_soft_state(nvme_state, NVME_MINOR_INST(minor));
4166 	int nsid = NVME_MINOR_NSID(minor);
4167 	nvme_minor_state_t *nm;
4168 	int rv = 0;
4169 
4170 	if (otyp != OTYP_CHR)
4171 		return (EINVAL);
4172 
4173 	if (nvme == NULL)
4174 		return (ENXIO);
4175 
4176 	if (nsid > nvme->n_namespace_count)
4177 		return (ENXIO);
4178 
4179 	if (nvme->n_dead)
4180 		return (EIO);
4181 
4182 	nm = nsid == 0 ? &nvme->n_minor : &nvme->n_ns[nsid - 1].ns_minor;
4183 
4184 	mutex_enter(&nm->nm_mutex);
4185 	if (nm->nm_oexcl) {
4186 		rv = EBUSY;
4187 		goto out;
4188 	}
4189 
4190 	if (flag & FEXCL) {
4191 		if (nm->nm_ocnt != 0) {
4192 			rv = EBUSY;
4193 			goto out;
4194 		}
4195 		nm->nm_oexcl = B_TRUE;
4196 	}
4197 
4198 	nm->nm_ocnt++;
4199 
4200 out:
4201 	mutex_exit(&nm->nm_mutex);
4202 	return (rv);
4203 
4204 }
4205 
4206 static int
4207 nvme_close(dev_t dev, int flag, int otyp, cred_t *cred_p)
4208 {
4209 #ifndef __lock_lint
4210 	_NOTE(ARGUNUSED(cred_p));
4211 	_NOTE(ARGUNUSED(flag));
4212 #endif
4213 	minor_t minor = getminor(dev);
4214 	nvme_t *nvme = ddi_get_soft_state(nvme_state, NVME_MINOR_INST(minor));
4215 	int nsid = NVME_MINOR_NSID(minor);
4216 	nvme_minor_state_t *nm;
4217 
4218 	if (otyp != OTYP_CHR)
4219 		return (ENXIO);
4220 
4221 	if (nvme == NULL)
4222 		return (ENXIO);
4223 
4224 	if (nsid > nvme->n_namespace_count)
4225 		return (ENXIO);
4226 
4227 	nm = nsid == 0 ? &nvme->n_minor : &nvme->n_ns[nsid - 1].ns_minor;
4228 
4229 	mutex_enter(&nm->nm_mutex);
4230 	if (nm->nm_oexcl)
4231 		nm->nm_oexcl = B_FALSE;
4232 
4233 	ASSERT(nm->nm_ocnt > 0);
4234 	nm->nm_ocnt--;
4235 	mutex_exit(&nm->nm_mutex);
4236 
4237 	return (0);
4238 }
4239 
4240 static int
4241 nvme_ioctl_identify(nvme_t *nvme, int nsid, nvme_ioctl_t *nioc, int mode,
4242     cred_t *cred_p)
4243 {
4244 	_NOTE(ARGUNUSED(cred_p));
4245 	int rv = 0;
4246 	void *idctl;
4247 
4248 	if ((mode & FREAD) == 0)
4249 		return (EPERM);
4250 
4251 	if (nioc->n_len < NVME_IDENTIFY_BUFSIZE)
4252 		return (EINVAL);
4253 
4254 	if ((rv = nvme_identify(nvme, B_TRUE, nsid, (void **)&idctl)) != 0)
4255 		return (rv);
4256 
4257 	if (ddi_copyout(idctl, (void *)nioc->n_buf, NVME_IDENTIFY_BUFSIZE, mode)
4258 	    != 0)
4259 		rv = EFAULT;
4260 
4261 	kmem_free(idctl, NVME_IDENTIFY_BUFSIZE);
4262 
4263 	return (rv);
4264 }
4265 
4266 /*
4267  * Execute commands on behalf of the various ioctls.
4268  */
4269 static int
4270 nvme_ioc_cmd(nvme_t *nvme, nvme_sqe_t *sqe, boolean_t is_admin, void *data_addr,
4271     uint32_t data_len, int rwk, nvme_cqe_t *cqe, uint_t timeout)
4272 {
4273 	nvme_cmd_t *cmd;
4274 	nvme_qpair_t *ioq;
4275 	int rv = 0;
4276 
4277 	cmd = nvme_alloc_cmd(nvme, KM_SLEEP);
4278 	if (is_admin) {
4279 		cmd->nc_sqid = 0;
4280 		ioq = nvme->n_adminq;
4281 	} else {
4282 		cmd->nc_sqid = (CPU->cpu_id % nvme->n_ioq_count) + 1;
4283 		ASSERT(cmd->nc_sqid <= nvme->n_ioq_count);
4284 		ioq = nvme->n_ioq[cmd->nc_sqid];
4285 	}
4286 
4287 	/*
4288 	 * This function is used to faciliate requests from
4289 	 * userspace, so don't panic if the command fails. This
4290 	 * is especially true for admin passthru commands, where
4291 	 * the actual command data structure is entirely defined
4292 	 * by userspace.
4293 	 */
4294 	cmd->nc_dontpanic = B_TRUE;
4295 
4296 	cmd->nc_callback = nvme_wakeup_cmd;
4297 	cmd->nc_sqe = *sqe;
4298 
4299 	if ((rwk & (FREAD | FWRITE)) != 0) {
4300 		if (data_addr == NULL) {
4301 			rv = EINVAL;
4302 			goto free_cmd;
4303 		}
4304 
4305 		if (nvme_zalloc_dma(nvme, data_len, DDI_DMA_READ,
4306 		    &nvme->n_prp_dma_attr, &cmd->nc_dma) != DDI_SUCCESS) {
4307 			dev_err(nvme->n_dip, CE_WARN,
4308 			    "!nvme_zalloc_dma failed for nvme_ioc_cmd()");
4309 
4310 			rv = ENOMEM;
4311 			goto free_cmd;
4312 		}
4313 
4314 		if ((rv = nvme_fill_prp(cmd, cmd->nc_dma->nd_dmah)) != 0)
4315 			goto free_cmd;
4316 
4317 		if ((rwk & FWRITE) != 0) {
4318 			if (ddi_copyin(data_addr, cmd->nc_dma->nd_memp,
4319 			    data_len, rwk & FKIOCTL) != 0) {
4320 				rv = EFAULT;
4321 				goto free_cmd;
4322 			}
4323 		}
4324 	}
4325 
4326 	if (is_admin) {
4327 		nvme_admin_cmd(cmd, timeout);
4328 	} else {
4329 		mutex_enter(&cmd->nc_mutex);
4330 
4331 		rv = nvme_submit_io_cmd(ioq, cmd);
4332 
4333 		if (rv == EAGAIN) {
4334 			mutex_exit(&cmd->nc_mutex);
4335 			dev_err(cmd->nc_nvme->n_dip, CE_WARN,
4336 			    "!nvme_ioc_cmd() failed, I/O Q full");
4337 			goto free_cmd;
4338 		}
4339 
4340 		nvme_wait_cmd(cmd, timeout);
4341 
4342 		mutex_exit(&cmd->nc_mutex);
4343 	}
4344 
4345 	if (cqe != NULL)
4346 		*cqe = cmd->nc_cqe;
4347 
4348 	if ((rv = nvme_check_cmd_status(cmd)) != 0) {
4349 		dev_err(nvme->n_dip, CE_WARN,
4350 		    "!nvme_ioc_cmd() failed with sct = %x, sc = %x",
4351 		    cmd->nc_cqe.cqe_sf.sf_sct, cmd->nc_cqe.cqe_sf.sf_sc);
4352 
4353 		goto free_cmd;
4354 	}
4355 
4356 	if ((rwk & FREAD) != 0) {
4357 		if (ddi_copyout(cmd->nc_dma->nd_memp,
4358 		    data_addr, data_len, rwk & FKIOCTL) != 0)
4359 			rv = EFAULT;
4360 	}
4361 
4362 free_cmd:
4363 	nvme_free_cmd(cmd);
4364 
4365 	return (rv);
4366 }
4367 
4368 static int
4369 nvme_ioctl_capabilities(nvme_t *nvme, int nsid, nvme_ioctl_t *nioc,
4370     int mode, cred_t *cred_p)
4371 {
4372 	_NOTE(ARGUNUSED(nsid, cred_p));
4373 	int rv = 0;
4374 	nvme_reg_cap_t cap = { 0 };
4375 	nvme_capabilities_t nc;
4376 
4377 	if ((mode & FREAD) == 0)
4378 		return (EPERM);
4379 
4380 	if (nioc->n_len < sizeof (nc))
4381 		return (EINVAL);
4382 
4383 	cap.r = nvme_get64(nvme, NVME_REG_CAP);
4384 
4385 	/*
4386 	 * The MPSMIN and MPSMAX fields in the CAP register use 0 to
4387 	 * specify the base page size of 4k (1<<12), so add 12 here to
4388 	 * get the real page size value.
4389 	 */
4390 	nc.mpsmax = 1 << (12 + cap.b.cap_mpsmax);
4391 	nc.mpsmin = 1 << (12 + cap.b.cap_mpsmin);
4392 
4393 	if (ddi_copyout(&nc, (void *)nioc->n_buf, sizeof (nc), mode) != 0)
4394 		rv = EFAULT;
4395 
4396 	return (rv);
4397 }
4398 
4399 static int
4400 nvme_ioctl_get_logpage(nvme_t *nvme, int nsid, nvme_ioctl_t *nioc,
4401     int mode, cred_t *cred_p)
4402 {
4403 	_NOTE(ARGUNUSED(cred_p));
4404 	void *log = NULL;
4405 	size_t bufsize = 0;
4406 	int rv = 0;
4407 
4408 	if ((mode & FREAD) == 0)
4409 		return (EPERM);
4410 
4411 	switch (nioc->n_arg) {
4412 	case NVME_LOGPAGE_ERROR:
4413 		if (nsid != 0)
4414 			return (EINVAL);
4415 		break;
4416 	case NVME_LOGPAGE_HEALTH:
4417 		if (nsid != 0 && nvme->n_idctl->id_lpa.lp_smart == 0)
4418 			return (EINVAL);
4419 
4420 		if (nsid == 0)
4421 			nsid = (uint32_t)-1;
4422 
4423 		break;
4424 	case NVME_LOGPAGE_FWSLOT:
4425 		if (nsid != 0)
4426 			return (EINVAL);
4427 		break;
4428 	default:
4429 		return (EINVAL);
4430 	}
4431 
4432 	if (nvme_get_logpage(nvme, B_TRUE, &log, &bufsize, nioc->n_arg, nsid)
4433 	    != DDI_SUCCESS)
4434 		return (EIO);
4435 
4436 	if (nioc->n_len < bufsize) {
4437 		kmem_free(log, bufsize);
4438 		return (EINVAL);
4439 	}
4440 
4441 	if (ddi_copyout(log, (void *)nioc->n_buf, bufsize, mode) != 0)
4442 		rv = EFAULT;
4443 
4444 	nioc->n_len = bufsize;
4445 	kmem_free(log, bufsize);
4446 
4447 	return (rv);
4448 }
4449 
4450 static int
4451 nvme_ioctl_get_features(nvme_t *nvme, int nsid, nvme_ioctl_t *nioc,
4452     int mode, cred_t *cred_p)
4453 {
4454 	_NOTE(ARGUNUSED(cred_p));
4455 	void *buf = NULL;
4456 	size_t bufsize = 0;
4457 	uint32_t res = 0;
4458 	uint8_t feature;
4459 	int rv = 0;
4460 
4461 	if ((mode & FREAD) == 0)
4462 		return (EPERM);
4463 
4464 	if ((nioc->n_arg >> 32) > 0xff)
4465 		return (EINVAL);
4466 
4467 	feature = (uint8_t)(nioc->n_arg >> 32);
4468 
4469 	switch (feature) {
4470 	case NVME_FEAT_ARBITRATION:
4471 	case NVME_FEAT_POWER_MGMT:
4472 	case NVME_FEAT_ERROR:
4473 	case NVME_FEAT_NQUEUES:
4474 	case NVME_FEAT_INTR_COAL:
4475 	case NVME_FEAT_WRITE_ATOM:
4476 	case NVME_FEAT_ASYNC_EVENT:
4477 	case NVME_FEAT_PROGRESS:
4478 		if (nsid != 0)
4479 			return (EINVAL);
4480 		break;
4481 
4482 	case NVME_FEAT_TEMPERATURE:
4483 		if (nsid != 0)
4484 			return (EINVAL);
4485 		res = nioc->n_arg & 0xffffffffUL;
4486 		if (NVME_VERSION_ATLEAST(&nvme->n_version, 1, 2)) {
4487 			nvme_temp_threshold_t tt;
4488 
4489 			tt.r = res;
4490 			if (tt.b.tt_thsel != NVME_TEMP_THRESH_OVER &&
4491 			    tt.b.tt_thsel != NVME_TEMP_THRESH_UNDER) {
4492 				return (EINVAL);
4493 			}
4494 
4495 			if (tt.b.tt_tmpsel > NVME_TEMP_THRESH_MAX_SENSOR) {
4496 				return (EINVAL);
4497 			}
4498 		} else if (res != 0) {
4499 			return (EINVAL);
4500 		}
4501 		break;
4502 
4503 	case NVME_FEAT_INTR_VECT:
4504 		if (nsid != 0)
4505 			return (EINVAL);
4506 
4507 		res = nioc->n_arg & 0xffffffffUL;
4508 		if (res >= nvme->n_intr_cnt)
4509 			return (EINVAL);
4510 		break;
4511 
4512 	case NVME_FEAT_LBA_RANGE:
4513 		if (nvme->n_lba_range_supported == B_FALSE)
4514 			return (EINVAL);
4515 
4516 		if (nsid == 0 ||
4517 		    nsid > nvme->n_namespace_count)
4518 			return (EINVAL);
4519 
4520 		break;
4521 
4522 	case NVME_FEAT_WRITE_CACHE:
4523 		if (nsid != 0)
4524 			return (EINVAL);
4525 
4526 		if (!nvme->n_write_cache_present)
4527 			return (EINVAL);
4528 
4529 		break;
4530 
4531 	case NVME_FEAT_AUTO_PST:
4532 		if (nsid != 0)
4533 			return (EINVAL);
4534 
4535 		if (!nvme->n_auto_pst_supported)
4536 			return (EINVAL);
4537 
4538 		break;
4539 
4540 	default:
4541 		return (EINVAL);
4542 	}
4543 
4544 	rv = nvme_get_features(nvme, B_TRUE, nsid, feature, &res, &buf,
4545 	    &bufsize);
4546 	if (rv != 0)
4547 		return (rv);
4548 
4549 	if (nioc->n_len < bufsize) {
4550 		kmem_free(buf, bufsize);
4551 		return (EINVAL);
4552 	}
4553 
4554 	if (buf && ddi_copyout(buf, (void*)nioc->n_buf, bufsize, mode) != 0)
4555 		rv = EFAULT;
4556 
4557 	kmem_free(buf, bufsize);
4558 	nioc->n_arg = res;
4559 	nioc->n_len = bufsize;
4560 
4561 	return (rv);
4562 }
4563 
4564 static int
4565 nvme_ioctl_intr_cnt(nvme_t *nvme, int nsid, nvme_ioctl_t *nioc, int mode,
4566     cred_t *cred_p)
4567 {
4568 	_NOTE(ARGUNUSED(nsid, mode, cred_p));
4569 
4570 	if ((mode & FREAD) == 0)
4571 		return (EPERM);
4572 
4573 	nioc->n_arg = nvme->n_intr_cnt;
4574 	return (0);
4575 }
4576 
4577 static int
4578 nvme_ioctl_version(nvme_t *nvme, int nsid, nvme_ioctl_t *nioc, int mode,
4579     cred_t *cred_p)
4580 {
4581 	_NOTE(ARGUNUSED(nsid, cred_p));
4582 	int rv = 0;
4583 
4584 	if ((mode & FREAD) == 0)
4585 		return (EPERM);
4586 
4587 	if (nioc->n_len < sizeof (nvme->n_version))
4588 		return (ENOMEM);
4589 
4590 	if (ddi_copyout(&nvme->n_version, (void *)nioc->n_buf,
4591 	    sizeof (nvme->n_version), mode) != 0)
4592 		rv = EFAULT;
4593 
4594 	return (rv);
4595 }
4596 
4597 static int
4598 nvme_ioctl_format(nvme_t *nvme, int nsid, nvme_ioctl_t *nioc, int mode,
4599     cred_t *cred_p)
4600 {
4601 	_NOTE(ARGUNUSED(mode));
4602 	nvme_format_nvm_t frmt = { 0 };
4603 	int c_nsid = nsid != 0 ? nsid - 1 : 0;
4604 
4605 	if ((mode & FWRITE) == 0 || secpolicy_sys_config(cred_p, B_FALSE) != 0)
4606 		return (EPERM);
4607 
4608 	frmt.r = nioc->n_arg & 0xffffffff;
4609 
4610 	/*
4611 	 * Check whether the FORMAT NVM command is supported.
4612 	 */
4613 	if (nvme->n_idctl->id_oacs.oa_format == 0)
4614 		return (EINVAL);
4615 
4616 	/*
4617 	 * Don't allow format or secure erase of individual namespace if that
4618 	 * would cause a format or secure erase of all namespaces.
4619 	 */
4620 	if (nsid != 0 && nvme->n_idctl->id_fna.fn_format != 0)
4621 		return (EINVAL);
4622 
4623 	if (nsid != 0 && frmt.b.fm_ses != NVME_FRMT_SES_NONE &&
4624 	    nvme->n_idctl->id_fna.fn_sec_erase != 0)
4625 		return (EINVAL);
4626 
4627 	/*
4628 	 * Don't allow formatting with Protection Information.
4629 	 */
4630 	if (frmt.b.fm_pi != 0 || frmt.b.fm_pil != 0 || frmt.b.fm_ms != 0)
4631 		return (EINVAL);
4632 
4633 	/*
4634 	 * Don't allow formatting using an illegal LBA format, or any LBA format
4635 	 * that uses metadata.
4636 	 */
4637 	if (frmt.b.fm_lbaf > nvme->n_ns[c_nsid].ns_idns->id_nlbaf ||
4638 	    nvme->n_ns[c_nsid].ns_idns->id_lbaf[frmt.b.fm_lbaf].lbaf_ms != 0)
4639 		return (EINVAL);
4640 
4641 	/*
4642 	 * Don't allow formatting using an illegal Secure Erase setting.
4643 	 */
4644 	if (frmt.b.fm_ses > NVME_FRMT_MAX_SES ||
4645 	    (frmt.b.fm_ses == NVME_FRMT_SES_CRYPTO &&
4646 	    nvme->n_idctl->id_fna.fn_crypt_erase == 0))
4647 		return (EINVAL);
4648 
4649 	if (nsid == 0)
4650 		nsid = (uint32_t)-1;
4651 
4652 	return (nvme_format_nvm(nvme, B_TRUE, nsid, frmt.b.fm_lbaf, B_FALSE, 0,
4653 	    B_FALSE, frmt.b.fm_ses));
4654 }
4655 
4656 static int
4657 nvme_ioctl_detach(nvme_t *nvme, int nsid, nvme_ioctl_t *nioc, int mode,
4658     cred_t *cred_p)
4659 {
4660 	_NOTE(ARGUNUSED(nioc, mode));
4661 	int rv = 0;
4662 
4663 	if ((mode & FWRITE) == 0 || secpolicy_sys_config(cred_p, B_FALSE) != 0)
4664 		return (EPERM);
4665 
4666 	if (nsid == 0)
4667 		return (EINVAL);
4668 
4669 	if (nvme->n_ns[nsid - 1].ns_ignore)
4670 		return (0);
4671 
4672 	rv = bd_detach_handle(nvme->n_ns[nsid - 1].ns_bd_hdl);
4673 	if (rv != DDI_SUCCESS)
4674 		rv = EBUSY;
4675 
4676 	return (rv);
4677 }
4678 
4679 static int
4680 nvme_ioctl_attach(nvme_t *nvme, int nsid, nvme_ioctl_t *nioc, int mode,
4681     cred_t *cred_p)
4682 {
4683 	_NOTE(ARGUNUSED(nioc, mode));
4684 	nvme_identify_nsid_t *idns;
4685 	int rv = 0;
4686 
4687 	if ((mode & FWRITE) == 0 || secpolicy_sys_config(cred_p, B_FALSE) != 0)
4688 		return (EPERM);
4689 
4690 	if (nsid == 0)
4691 		return (EINVAL);
4692 
4693 	/*
4694 	 * Identify namespace again, free old identify data.
4695 	 */
4696 	idns = nvme->n_ns[nsid - 1].ns_idns;
4697 	if (nvme_init_ns(nvme, nsid) != DDI_SUCCESS)
4698 		return (EIO);
4699 
4700 	kmem_free(idns, sizeof (nvme_identify_nsid_t));
4701 
4702 	if (nvme->n_ns[nsid - 1].ns_ignore)
4703 		return (ENOTSUP);
4704 
4705 	if (nvme->n_ns[nsid - 1].ns_bd_hdl == NULL)
4706 		nvme->n_ns[nsid - 1].ns_bd_hdl = bd_alloc_handle(
4707 		    &nvme->n_ns[nsid - 1], &nvme_bd_ops, &nvme->n_prp_dma_attr,
4708 		    KM_SLEEP);
4709 
4710 	rv = bd_attach_handle(nvme->n_dip, nvme->n_ns[nsid - 1].ns_bd_hdl);
4711 	if (rv != DDI_SUCCESS)
4712 		rv = EBUSY;
4713 
4714 	return (rv);
4715 }
4716 
4717 static void
4718 nvme_ufm_update(nvme_t *nvme)
4719 {
4720 	mutex_enter(&nvme->n_fwslot_mutex);
4721 	ddi_ufm_update(nvme->n_ufmh);
4722 	if (nvme->n_fwslot != NULL) {
4723 		kmem_free(nvme->n_fwslot, sizeof (nvme_fwslot_log_t));
4724 		nvme->n_fwslot = NULL;
4725 	}
4726 	mutex_exit(&nvme->n_fwslot_mutex);
4727 }
4728 
4729 static int
4730 nvme_ioctl_firmware_download(nvme_t *nvme, int nsid, nvme_ioctl_t *nioc,
4731     int mode, cred_t *cred_p)
4732 {
4733 	int rv = 0;
4734 	size_t len, copylen;
4735 	offset_t offset;
4736 	uintptr_t buf;
4737 	nvme_sqe_t sqe = {
4738 	    .sqe_opc	= NVME_OPC_FW_IMAGE_LOAD
4739 	};
4740 
4741 	if ((mode & FWRITE) == 0 || secpolicy_sys_config(cred_p, B_FALSE) != 0)
4742 		return (EPERM);
4743 
4744 	if (nsid != 0)
4745 		return (EINVAL);
4746 
4747 	/*
4748 	 * The offset (in n_len) is restricted to the number of DWORDs in
4749 	 * 32 bits.
4750 	 */
4751 	if (nioc->n_len > NVME_FW_OFFSETB_MAX)
4752 		return (EINVAL);
4753 
4754 	/* Confirm that both offset and length are a multiple of DWORD bytes */
4755 	if ((nioc->n_len & NVME_DWORD_MASK) != 0 ||
4756 	    (nioc->n_arg & NVME_DWORD_MASK) != 0)
4757 		return (EINVAL);
4758 
4759 	len = nioc->n_len;
4760 	offset = nioc->n_arg;
4761 	buf = (uintptr_t)nioc->n_buf;
4762 	while (len > 0 && rv == 0) {
4763 		/*
4764 		 * nvme_ioc_cmd() does not use SGLs or PRP lists.
4765 		 * It is limited to 2 PRPs per NVM command, so limit
4766 		 * the size of the data to 2 pages.
4767 		 */
4768 		copylen = MIN(2 * nvme->n_pagesize, len);
4769 
4770 		sqe.sqe_cdw10 = (uint32_t)(copylen >> NVME_DWORD_SHIFT) - 1;
4771 		sqe.sqe_cdw11 = (uint32_t)(offset >> NVME_DWORD_SHIFT);
4772 
4773 		rv = nvme_ioc_cmd(nvme, &sqe, B_TRUE, (void *)buf, copylen,
4774 		    FWRITE, NULL, nvme_admin_cmd_timeout);
4775 
4776 		buf += copylen;
4777 		offset += copylen;
4778 		len -= copylen;
4779 	}
4780 
4781 	/*
4782 	 * Let the DDI UFM subsystem know that the firmware information for
4783 	 * this device has changed.
4784 	 */
4785 	nvme_ufm_update(nvme);
4786 
4787 	return (rv);
4788 }
4789 
4790 static int
4791 nvme_ioctl_firmware_commit(nvme_t *nvme, int nsid, nvme_ioctl_t *nioc,
4792     int mode, cred_t *cred_p)
4793 {
4794 	nvme_firmware_commit_dw10_t fc_dw10 = { 0 };
4795 	uint32_t slot = nioc->n_arg & 0xffffffff;
4796 	uint32_t action = nioc->n_arg >> 32;
4797 	nvme_cqe_t cqe = { 0 };
4798 	nvme_sqe_t sqe = {
4799 	    .sqe_opc	= NVME_OPC_FW_ACTIVATE
4800 	};
4801 	int timeout;
4802 	int rv;
4803 
4804 	if ((mode & FWRITE) == 0 || secpolicy_sys_config(cred_p, B_FALSE) != 0)
4805 		return (EPERM);
4806 
4807 	if (nsid != 0)
4808 		return (EINVAL);
4809 
4810 	/* Validate slot is in range. */
4811 	if (slot < NVME_FW_SLOT_MIN || slot > NVME_FW_SLOT_MAX)
4812 		return (EINVAL);
4813 
4814 	switch (action) {
4815 	case NVME_FWC_SAVE:
4816 	case NVME_FWC_SAVE_ACTIVATE:
4817 		timeout = nvme_commit_save_cmd_timeout;
4818 		break;
4819 	case NVME_FWC_ACTIVATE:
4820 	case NVME_FWC_ACTIVATE_IMMED:
4821 		timeout = nvme_admin_cmd_timeout;
4822 		break;
4823 	default:
4824 		return (EINVAL);
4825 	}
4826 
4827 	fc_dw10.b.fc_slot = slot;
4828 	fc_dw10.b.fc_action = action;
4829 	sqe.sqe_cdw10 = fc_dw10.r;
4830 
4831 	rv = nvme_ioc_cmd(nvme, &sqe, B_TRUE, NULL, 0, 0, &cqe, timeout);
4832 
4833 	nioc->n_arg = ((uint64_t)cqe.cqe_sf.sf_sct << 16) | cqe.cqe_sf.sf_sc;
4834 
4835 	/*
4836 	 * Let the DDI UFM subsystem know that the firmware information for
4837 	 * this device has changed.
4838 	 */
4839 	nvme_ufm_update(nvme);
4840 
4841 	return (rv);
4842 }
4843 
4844 /*
4845  * Helper to copy in a passthru command from userspace, handling
4846  * different data models.
4847  */
4848 static int
4849 nvme_passthru_copy_cmd_in(const void *buf, nvme_passthru_cmd_t *cmd, int mode)
4850 {
4851 #ifdef _MULTI_DATAMODEL
4852 	switch (ddi_model_convert_from(mode & FMODELS)) {
4853 	case DDI_MODEL_ILP32: {
4854 		nvme_passthru_cmd32_t cmd32;
4855 		if (ddi_copyin(buf, (void*)&cmd32, sizeof (cmd32), mode) != 0)
4856 			return (-1);
4857 		cmd->npc_opcode = cmd32.npc_opcode;
4858 		cmd->npc_timeout = cmd32.npc_timeout;
4859 		cmd->npc_flags = cmd32.npc_flags;
4860 		cmd->npc_cdw12 = cmd32.npc_cdw12;
4861 		cmd->npc_cdw13 = cmd32.npc_cdw13;
4862 		cmd->npc_cdw14 = cmd32.npc_cdw14;
4863 		cmd->npc_cdw15 = cmd32.npc_cdw15;
4864 		cmd->npc_buflen = cmd32.npc_buflen;
4865 		cmd->npc_buf = cmd32.npc_buf;
4866 		break;
4867 	}
4868 	case DDI_MODEL_NONE:
4869 #endif
4870 	if (ddi_copyin(buf, (void*)cmd, sizeof (nvme_passthru_cmd_t),
4871 	    mode) != 0)
4872 		return (-1);
4873 #ifdef _MULTI_DATAMODEL
4874 		break;
4875 	}
4876 #endif
4877 	return (0);
4878 }
4879 
4880 /*
4881  * Helper to copy out a passthru command result to userspace, handling
4882  * different data models.
4883  */
4884 static int
4885 nvme_passthru_copy_cmd_out(const nvme_passthru_cmd_t *cmd, void *buf, int mode)
4886 {
4887 #ifdef _MULTI_DATAMODEL
4888 	switch (ddi_model_convert_from(mode & FMODELS)) {
4889 	case DDI_MODEL_ILP32: {
4890 		nvme_passthru_cmd32_t cmd32;
4891 		bzero(&cmd32, sizeof (cmd32));
4892 		cmd32.npc_opcode = cmd->npc_opcode;
4893 		cmd32.npc_status = cmd->npc_status;
4894 		cmd32.npc_err = cmd->npc_err;
4895 		cmd32.npc_timeout = cmd->npc_timeout;
4896 		cmd32.npc_flags = cmd->npc_flags;
4897 		cmd32.npc_cdw0 = cmd->npc_cdw0;
4898 		cmd32.npc_cdw12 = cmd->npc_cdw12;
4899 		cmd32.npc_cdw13 = cmd->npc_cdw13;
4900 		cmd32.npc_cdw14 = cmd->npc_cdw14;
4901 		cmd32.npc_cdw15 = cmd->npc_cdw15;
4902 		cmd32.npc_buflen = (size32_t)cmd->npc_buflen;
4903 		cmd32.npc_buf = (uintptr32_t)cmd->npc_buf;
4904 		if (ddi_copyout(&cmd32, buf, sizeof (cmd32), mode) != 0)
4905 			return (-1);
4906 		break;
4907 	}
4908 	case DDI_MODEL_NONE:
4909 #endif
4910 		if (ddi_copyout(cmd, buf, sizeof (nvme_passthru_cmd_t),
4911 		    mode) != 0)
4912 			return (-1);
4913 #ifdef _MULTI_DATAMODEL
4914 		break;
4915 	}
4916 #endif
4917 	return (0);
4918 }
4919 
4920 /*
4921  * Run an arbitrary vendor-specific admin command on the device.
4922  */
4923 static int
4924 nvme_ioctl_passthru(nvme_t *nvme, int nsid, nvme_ioctl_t *nioc, int mode,
4925     cred_t *cred_p)
4926 {
4927 	int rv = 0;
4928 	uint_t timeout = 0;
4929 	int rwk = 0;
4930 	nvme_passthru_cmd_t cmd;
4931 	size_t expected_passthru_size = 0;
4932 	nvme_sqe_t sqe;
4933 	nvme_cqe_t cqe;
4934 
4935 	bzero(&cmd, sizeof (cmd));
4936 	bzero(&sqe, sizeof (sqe));
4937 	bzero(&cqe, sizeof (cqe));
4938 
4939 	/*
4940 	 * Basic checks: permissions, data model, argument size.
4941 	 */
4942 	if ((mode & FWRITE) == 0 || secpolicy_sys_config(cred_p, B_FALSE) != 0)
4943 		return (EPERM);
4944 
4945 	/*
4946 	 * Compute the expected size of the argument buffer
4947 	 */
4948 #ifdef _MULTI_DATAMODEL
4949 	switch (ddi_model_convert_from(mode & FMODELS)) {
4950 	case DDI_MODEL_ILP32:
4951 		expected_passthru_size = sizeof (nvme_passthru_cmd32_t);
4952 		break;
4953 	case DDI_MODEL_NONE:
4954 #endif
4955 		expected_passthru_size = sizeof (nvme_passthru_cmd_t);
4956 #ifdef _MULTI_DATAMODEL
4957 		break;
4958 	}
4959 #endif
4960 
4961 	if (nioc->n_len != expected_passthru_size) {
4962 		cmd.npc_err = NVME_PASSTHRU_ERR_CMD_SIZE;
4963 		rv = EINVAL;
4964 		goto out;
4965 	}
4966 
4967 	/*
4968 	 * Ensure the device supports the standard vendor specific
4969 	 * admin command format.
4970 	 */
4971 	if (!nvme->n_idctl->id_nvscc.nv_spec) {
4972 		cmd.npc_err = NVME_PASSTHRU_ERR_NOT_SUPPORTED;
4973 		rv = ENOTSUP;
4974 		goto out;
4975 	}
4976 
4977 	if (nvme_passthru_copy_cmd_in((const void*)nioc->n_buf, &cmd, mode))
4978 		return (EFAULT);
4979 
4980 	if (!NVME_IS_VENDOR_UNIQUE_CMD(cmd.npc_opcode)) {
4981 		cmd.npc_err = NVME_PASSTHRU_ERR_INVALID_OPCODE;
4982 		rv = EINVAL;
4983 		goto out;
4984 	}
4985 
4986 	/*
4987 	 * This restriction is not mandated by the spec, so future work
4988 	 * could relax this if it's necessary to support commands that both
4989 	 * read and write.
4990 	 */
4991 	if ((cmd.npc_flags & NVME_PASSTHRU_READ) != 0 &&
4992 	    (cmd.npc_flags & NVME_PASSTHRU_WRITE) != 0) {
4993 		cmd.npc_err = NVME_PASSTHRU_ERR_READ_AND_WRITE;
4994 		rv = EINVAL;
4995 		goto out;
4996 	}
4997 	if (cmd.npc_timeout > nvme_vendor_specific_admin_cmd_max_timeout) {
4998 		cmd.npc_err = NVME_PASSTHRU_ERR_INVALID_TIMEOUT;
4999 		rv = EINVAL;
5000 		goto out;
5001 	}
5002 	timeout = cmd.npc_timeout;
5003 
5004 	/*
5005 	 * Passed-thru command buffer verification:
5006 	 *  - Size is multiple of DWords
5007 	 *  - Non-null iff the length is non-zero
5008 	 *  - Null if neither reading nor writing data.
5009 	 *  - Non-null if reading or writing.
5010 	 *  - Maximum buffer size.
5011 	 */
5012 	if ((cmd.npc_buflen % sizeof (uint32_t)) != 0) {
5013 		cmd.npc_err = NVME_PASSTHRU_ERR_INVALID_BUFFER;
5014 		rv = EINVAL;
5015 		goto out;
5016 	}
5017 	if (((void*)cmd.npc_buf != NULL && cmd.npc_buflen == 0) ||
5018 	    ((void*)cmd.npc_buf == NULL && cmd.npc_buflen != 0)) {
5019 		cmd.npc_err = NVME_PASSTHRU_ERR_INVALID_BUFFER;
5020 		rv = EINVAL;
5021 		goto out;
5022 	}
5023 	if (cmd.npc_flags == 0 && (void*)cmd.npc_buf != NULL) {
5024 		cmd.npc_err = NVME_PASSTHRU_ERR_INVALID_BUFFER;
5025 		rv = EINVAL;
5026 		goto out;
5027 	}
5028 	if ((cmd.npc_flags != 0) && ((void*)cmd.npc_buf == NULL)) {
5029 		cmd.npc_err = NVME_PASSTHRU_ERR_INVALID_BUFFER;
5030 		rv = EINVAL;
5031 		goto out;
5032 	}
5033 	if (cmd.npc_buflen > nvme_vendor_specific_admin_cmd_size) {
5034 		cmd.npc_err = NVME_PASSTHRU_ERR_INVALID_BUFFER;
5035 		rv = EINVAL;
5036 		goto out;
5037 	}
5038 	if ((cmd.npc_buflen >> NVME_DWORD_SHIFT) > UINT32_MAX) {
5039 		cmd.npc_err = NVME_PASSTHRU_ERR_INVALID_BUFFER;
5040 		rv = EINVAL;
5041 		goto out;
5042 	}
5043 
5044 	sqe.sqe_opc = cmd.npc_opcode;
5045 	sqe.sqe_nsid = nsid;
5046 	sqe.sqe_cdw10 = (uint32_t)(cmd.npc_buflen >> NVME_DWORD_SHIFT);
5047 	sqe.sqe_cdw12 = cmd.npc_cdw12;
5048 	sqe.sqe_cdw13 = cmd.npc_cdw13;
5049 	sqe.sqe_cdw14 = cmd.npc_cdw14;
5050 	sqe.sqe_cdw15 = cmd.npc_cdw15;
5051 	if ((cmd.npc_flags & NVME_PASSTHRU_READ) != 0)
5052 		rwk = FREAD;
5053 	else if ((cmd.npc_flags & NVME_PASSTHRU_WRITE) != 0)
5054 		rwk = FWRITE;
5055 
5056 	rv = nvme_ioc_cmd(nvme, &sqe, B_TRUE, (void*)cmd.npc_buf,
5057 	    cmd.npc_buflen, rwk, &cqe, timeout);
5058 	cmd.npc_status = cqe.cqe_sf.sf_sc;
5059 	cmd.npc_cdw0 = cqe.cqe_dw0;
5060 
5061 out:
5062 	if (nvme_passthru_copy_cmd_out(&cmd, (void*)nioc->n_buf, mode))
5063 		rv = EFAULT;
5064 	return (rv);
5065 }
5066 
5067 static int
5068 nvme_ioctl(dev_t dev, int cmd, intptr_t arg, int mode, cred_t *cred_p,
5069     int *rval_p)
5070 {
5071 #ifndef __lock_lint
5072 	_NOTE(ARGUNUSED(rval_p));
5073 #endif
5074 	minor_t minor = getminor(dev);
5075 	nvme_t *nvme = ddi_get_soft_state(nvme_state, NVME_MINOR_INST(minor));
5076 	int nsid = NVME_MINOR_NSID(minor);
5077 	int rv = 0;
5078 	nvme_ioctl_t nioc;
5079 
5080 	int (*nvme_ioctl[])(nvme_t *, int, nvme_ioctl_t *, int, cred_t *) = {
5081 		NULL,
5082 		nvme_ioctl_identify,
5083 		nvme_ioctl_identify,
5084 		nvme_ioctl_capabilities,
5085 		nvme_ioctl_get_logpage,
5086 		nvme_ioctl_get_features,
5087 		nvme_ioctl_intr_cnt,
5088 		nvme_ioctl_version,
5089 		nvme_ioctl_format,
5090 		nvme_ioctl_detach,
5091 		nvme_ioctl_attach,
5092 		nvme_ioctl_firmware_download,
5093 		nvme_ioctl_firmware_commit,
5094 		nvme_ioctl_passthru
5095 	};
5096 
5097 	if (nvme == NULL)
5098 		return (ENXIO);
5099 
5100 	if (nsid > nvme->n_namespace_count)
5101 		return (ENXIO);
5102 
5103 	if (IS_DEVCTL(cmd))
5104 		return (ndi_devctl_ioctl(nvme->n_dip, cmd, arg, mode, 0));
5105 
5106 #ifdef _MULTI_DATAMODEL
5107 	switch (ddi_model_convert_from(mode & FMODELS)) {
5108 	case DDI_MODEL_ILP32: {
5109 		nvme_ioctl32_t nioc32;
5110 		if (ddi_copyin((void*)arg, &nioc32, sizeof (nvme_ioctl32_t),
5111 		    mode) != 0)
5112 			return (EFAULT);
5113 		nioc.n_len = nioc32.n_len;
5114 		nioc.n_buf = nioc32.n_buf;
5115 		nioc.n_arg = nioc32.n_arg;
5116 		break;
5117 	}
5118 	case DDI_MODEL_NONE:
5119 #endif
5120 		if (ddi_copyin((void*)arg, &nioc, sizeof (nvme_ioctl_t), mode)
5121 		    != 0)
5122 			return (EFAULT);
5123 #ifdef _MULTI_DATAMODEL
5124 		break;
5125 	}
5126 #endif
5127 
5128 	if (nvme->n_dead && cmd != NVME_IOC_DETACH)
5129 		return (EIO);
5130 
5131 
5132 	if (cmd == NVME_IOC_IDENTIFY_CTRL) {
5133 		/*
5134 		 * This makes NVME_IOC_IDENTIFY_CTRL work the same on devctl and
5135 		 * attachment point nodes.
5136 		 */
5137 		nsid = 0;
5138 	} else if (cmd == NVME_IOC_IDENTIFY_NSID && nsid == 0) {
5139 		/*
5140 		 * This makes NVME_IOC_IDENTIFY_NSID work on a devctl node, it
5141 		 * will always return identify data for namespace 1.
5142 		 */
5143 		nsid = 1;
5144 	}
5145 
5146 	if (IS_NVME_IOC(cmd) && nvme_ioctl[NVME_IOC_CMD(cmd)] != NULL)
5147 		rv = nvme_ioctl[NVME_IOC_CMD(cmd)](nvme, nsid, &nioc, mode,
5148 		    cred_p);
5149 	else
5150 		rv = EINVAL;
5151 
5152 #ifdef _MULTI_DATAMODEL
5153 	switch (ddi_model_convert_from(mode & FMODELS)) {
5154 	case DDI_MODEL_ILP32: {
5155 		nvme_ioctl32_t nioc32;
5156 
5157 		nioc32.n_len = (size32_t)nioc.n_len;
5158 		nioc32.n_buf = (uintptr32_t)nioc.n_buf;
5159 		nioc32.n_arg = nioc.n_arg;
5160 
5161 		if (ddi_copyout(&nioc32, (void *)arg, sizeof (nvme_ioctl32_t),
5162 		    mode) != 0)
5163 			return (EFAULT);
5164 		break;
5165 	}
5166 	case DDI_MODEL_NONE:
5167 #endif
5168 		if (ddi_copyout(&nioc, (void *)arg, sizeof (nvme_ioctl_t), mode)
5169 		    != 0)
5170 			return (EFAULT);
5171 #ifdef _MULTI_DATAMODEL
5172 		break;
5173 	}
5174 #endif
5175 
5176 	return (rv);
5177 }
5178 
5179 /*
5180  * DDI UFM Callbacks
5181  */
5182 static int
5183 nvme_ufm_fill_image(ddi_ufm_handle_t *ufmh, void *arg, uint_t imgno,
5184     ddi_ufm_image_t *img)
5185 {
5186 	nvme_t *nvme = arg;
5187 
5188 	if (imgno != 0)
5189 		return (EINVAL);
5190 
5191 	ddi_ufm_image_set_desc(img, "Firmware");
5192 	ddi_ufm_image_set_nslots(img, nvme->n_idctl->id_frmw.fw_nslot);
5193 
5194 	return (0);
5195 }
5196 
5197 /*
5198  * Fill out firmware slot information for the requested slot.  The firmware
5199  * slot information is gathered by requesting the Firmware Slot Information log
5200  * page.  The format of the page is described in section 5.10.1.3.
5201  *
5202  * We lazily cache the log page on the first call and then invalidate the cache
5203  * data after a successful firmware download or firmware commit command.
5204  * The cached data is protected by a mutex as the state can change
5205  * asynchronous to this callback.
5206  */
5207 static int
5208 nvme_ufm_fill_slot(ddi_ufm_handle_t *ufmh, void *arg, uint_t imgno,
5209     uint_t slotno, ddi_ufm_slot_t *slot)
5210 {
5211 	nvme_t *nvme = arg;
5212 	void *log = NULL;
5213 	size_t bufsize;
5214 	ddi_ufm_attr_t attr = 0;
5215 	char fw_ver[NVME_FWVER_SZ + 1];
5216 	int ret;
5217 
5218 	if (imgno > 0 || slotno > (nvme->n_idctl->id_frmw.fw_nslot - 1))
5219 		return (EINVAL);
5220 
5221 	mutex_enter(&nvme->n_fwslot_mutex);
5222 	if (nvme->n_fwslot == NULL) {
5223 		ret = nvme_get_logpage(nvme, B_TRUE, &log, &bufsize,
5224 		    NVME_LOGPAGE_FWSLOT, 0);
5225 		if (ret != DDI_SUCCESS ||
5226 		    bufsize != sizeof (nvme_fwslot_log_t)) {
5227 			if (log != NULL)
5228 				kmem_free(log, bufsize);
5229 			mutex_exit(&nvme->n_fwslot_mutex);
5230 			return (EIO);
5231 		}
5232 		nvme->n_fwslot = (nvme_fwslot_log_t *)log;
5233 	}
5234 
5235 	/*
5236 	 * NVMe numbers firmware slots starting at 1
5237 	 */
5238 	if (slotno == (nvme->n_fwslot->fw_afi - 1))
5239 		attr |= DDI_UFM_ATTR_ACTIVE;
5240 
5241 	if (slotno != 0 || nvme->n_idctl->id_frmw.fw_readonly == 0)
5242 		attr |= DDI_UFM_ATTR_WRITEABLE;
5243 
5244 	if (nvme->n_fwslot->fw_frs[slotno][0] == '\0') {
5245 		attr |= DDI_UFM_ATTR_EMPTY;
5246 	} else {
5247 		(void) strncpy(fw_ver, nvme->n_fwslot->fw_frs[slotno],
5248 		    NVME_FWVER_SZ);
5249 		fw_ver[NVME_FWVER_SZ] = '\0';
5250 		ddi_ufm_slot_set_version(slot, fw_ver);
5251 	}
5252 	mutex_exit(&nvme->n_fwslot_mutex);
5253 
5254 	ddi_ufm_slot_set_attrs(slot, attr);
5255 
5256 	return (0);
5257 }
5258 
5259 static int
5260 nvme_ufm_getcaps(ddi_ufm_handle_t *ufmh, void *arg, ddi_ufm_cap_t *caps)
5261 {
5262 	*caps = DDI_UFM_CAP_REPORT;
5263 	return (0);
5264 }
5265