xref: /illumos-gate/usr/src/uts/common/io/nvme/nvme.c (revision d48be21240dfd051b689384ce2b23479d757f2d8)
1 /*
2  * This file and its contents are supplied under the terms of the
3  * Common Development and Distribution License ("CDDL"), version 1.0.
4  * You may only use this file in accordance with the terms of version
5  * 1.0 of the CDDL.
6  *
7  * A full copy of the text of the CDDL should have accompanied this
8  * source.  A copy of the CDDL is also available via the Internet at
9  * http://www.illumos.org/license/CDDL.
10  */
11 
12 /*
13  * Copyright (c) 2016 The MathWorks, Inc.  All rights reserved.
14  * Copyright 2019 Unix Software Ltd.
15  * Copyright 2020 Joyent, Inc.
16  * Copyright 2020 Racktop Systems.
17  * Copyright 2023 Oxide Computer Company.
18  * Copyright 2022 OmniOS Community Edition (OmniOSce) Association.
19  * Copyright 2022 Tintri by DDN, Inc. All rights reserved.
20  */
21 
22 /*
23  * blkdev driver for NVMe compliant storage devices
24  *
25  * This driver targets and is designed to support all NVMe 1.x devices.
26  * Features are added to the driver as we encounter devices that require them
27  * and our needs, so some commands or log pages may not take advantage of newer
28  * features that devices support at this time. When you encounter such a case,
29  * it is generally fine to add that support to the driver as long as you take
30  * care to ensure that the requisite device version is met before using it.
31  *
32  * The driver has only been tested on x86 systems and will not work on big-
33  * endian systems without changes to the code accessing registers and data
34  * structures used by the hardware.
35  *
36  *
37  * Interrupt Usage:
38  *
39  * The driver will use a single interrupt while configuring the device as the
40  * specification requires, but contrary to the specification it will try to use
41  * a single-message MSI(-X) or FIXED interrupt. Later in the attach process it
42  * will switch to multiple-message MSI(-X) if supported. The driver wants to
43  * have one interrupt vector per CPU, but it will work correctly if less are
44  * available. Interrupts can be shared by queues, the interrupt handler will
45  * iterate through the I/O queue array by steps of n_intr_cnt. Usually only
46  * the admin queue will share an interrupt with one I/O queue. The interrupt
47  * handler will retrieve completed commands from all queues sharing an interrupt
48  * vector and will post them to a taskq for completion processing.
49  *
50  *
51  * Command Processing:
52  *
53  * NVMe devices can have up to 65535 I/O queue pairs, with each queue holding up
54  * to 65536 I/O commands. The driver will configure one I/O queue pair per
55  * available interrupt vector, with the queue length usually much smaller than
56  * the maximum of 65536. If the hardware doesn't provide enough queues, fewer
57  * interrupt vectors will be used.
58  *
59  * Additionally the hardware provides a single special admin queue pair that can
60  * hold up to 4096 admin commands.
61  *
62  * From the hardware perspective both queues of a queue pair are independent,
63  * but they share some driver state: the command array (holding pointers to
64  * commands currently being processed by the hardware) and the active command
65  * counter. Access to a submission queue and the shared state is protected by
66  * nq_mutex; completion queue is protected by ncq_mutex.
67  *
68  * When a command is submitted to a queue pair the active command counter is
69  * incremented and a pointer to the command is stored in the command array. The
70  * array index is used as command identifier (CID) in the submission queue
71  * entry. Some commands may take a very long time to complete, and if the queue
72  * wraps around in that time a submission may find the next array slot to still
73  * be used by a long-running command. In this case the array is sequentially
74  * searched for the next free slot. The length of the command array is the same
75  * as the configured queue length. Queue overrun is prevented by the semaphore,
76  * so a command submission may block if the queue is full.
77  *
78  *
79  * Polled I/O Support:
80  *
81  * For kernel core dump support the driver can do polled I/O. As interrupts are
82  * turned off while dumping the driver will just submit a command in the regular
83  * way, and then repeatedly attempt a command retrieval until it gets the
84  * command back.
85  *
86  *
87  * Namespace Support:
88  *
89  * NVMe devices can have multiple namespaces, each being a independent data
90  * store. The driver supports multiple namespaces and creates a blkdev interface
91  * for each namespace found. Namespaces can have various attributes to support
92  * protection information. This driver does not support any of this and ignores
93  * namespaces that have these attributes.
94  *
95  * As of NVMe 1.1 namespaces can have an 64bit Extended Unique Identifier
96  * (EUI64), and NVMe 1.2 introduced an additional 128bit Namespace Globally
97  * Unique Identifier (NGUID). This driver uses either the NGUID or the EUI64
98  * if present to generate the devid, and passes the EUI64 to blkdev to use it
99  * in the device node names.
100  *
101  * We currently support only (2 << NVME_MINOR_INST_SHIFT) - 2 namespaces in a
102  * single controller. This is an artificial limit imposed by the driver to be
103  * able to address a reasonable number of controllers and namespaces using a
104  * 32bit minor node number.
105  *
106  *
107  * Minor nodes:
108  *
109  * For each NVMe device the driver exposes one minor node for the controller and
110  * one minor node for each namespace. The only operations supported by those
111  * minor nodes are open(9E), close(9E), and ioctl(9E). This serves as the
112  * interface for the nvmeadm(8) utility.
113  *
114  * Exclusive opens are required for certain ioctl(9E) operations that alter
115  * controller and/or namespace state. While different namespaces may be opened
116  * exclusively in parallel, an exclusive open of the controller minor node
117  * requires that no namespaces are currently open (exclusive or otherwise).
118  * Opening any namespace minor node (exclusive or otherwise) will fail while
119  * the controller minor node is opened exclusively by any other thread. Thus it
120  * is possible for one thread at a time to open the controller minor node
121  * exclusively, and keep it open while opening any namespace minor node of the
122  * same controller, exclusively or otherwise.
123  *
124  *
125  *
126  * Blkdev Interface:
127  *
128  * This driver uses blkdev to do all the heavy lifting involved with presenting
129  * a disk device to the system. As a result, the processing of I/O requests is
130  * relatively simple as blkdev takes care of partitioning, boundary checks, DMA
131  * setup, and splitting of transfers into manageable chunks.
132  *
133  * I/O requests coming in from blkdev are turned into NVM commands and posted to
134  * an I/O queue. The queue is selected by taking the CPU id modulo the number of
135  * queues. There is currently no timeout handling of I/O commands.
136  *
137  * Blkdev also supports querying device/media information and generating a
138  * devid. The driver reports the best block size as determined by the namespace
139  * format back to blkdev as physical block size to support partition and block
140  * alignment. The devid is either based on the namespace GUID or EUI64, if
141  * present, or composed using the device vendor ID, model number, serial number,
142  * and the namespace ID.
143  *
144  *
145  * Error Handling:
146  *
147  * Error handling is currently limited to detecting fatal hardware errors,
148  * either by asynchronous events, or synchronously through command status or
149  * admin command timeouts. In case of severe errors the device is fenced off,
150  * all further requests will return EIO. FMA is then called to fault the device.
151  *
152  * The hardware has a limit for outstanding asynchronous event requests. Before
153  * this limit is known the driver assumes it is at least 1 and posts a single
154  * asynchronous request. Later when the limit is known more asynchronous event
155  * requests are posted to allow quicker reception of error information. When an
156  * asynchronous event is posted by the hardware the driver will parse the error
157  * status fields and log information or fault the device, depending on the
158  * severity of the asynchronous event. The asynchronous event request is then
159  * reused and posted to the admin queue again.
160  *
161  * On command completion the command status is checked for errors. In case of
162  * errors indicating a driver bug the driver panics. Almost all other error
163  * status values just cause EIO to be returned.
164  *
165  * Command timeouts are currently detected for all admin commands except
166  * asynchronous event requests. If a command times out and the hardware appears
167  * to be healthy the driver attempts to abort the command. The original command
168  * timeout is also applied to the abort command. If the abort times out too the
169  * driver assumes the device to be dead, fences it off, and calls FMA to retire
170  * it. In all other cases the aborted command should return immediately with a
171  * status indicating it was aborted, and the driver will wait indefinitely for
172  * that to happen. No timeout handling of normal I/O commands is presently done.
173  *
174  * Any command that times out due to the controller dropping dead will be put on
175  * nvme_lost_cmds list if it references DMA memory. This will prevent the DMA
176  * memory being reused by the system and later be written to by a "dead" NVMe
177  * controller.
178  *
179  *
180  * Locking:
181  *
182  * Each queue pair has a nq_mutex and ncq_mutex. The nq_mutex must be held
183  * when accessing shared state and submission queue registers, ncq_mutex
184  * is held when accessing completion queue state and registers.
185  * Callers of nvme_unqueue_cmd() must make sure that nq_mutex is held, while
186  * nvme_submit_{admin,io}_cmd() and nvme_retrieve_cmd() take care of both
187  * mutexes themselves.
188  *
189  * Each command also has its own nc_mutex, which is associated with the
190  * condition variable nc_cv. It is only used on admin commands which are run
191  * synchronously. In that case it must be held across calls to
192  * nvme_submit_{admin,io}_cmd() and nvme_wait_cmd(), which is taken care of by
193  * nvme_admin_cmd(). It must also be held whenever the completion state of the
194  * command is changed or while a admin command timeout is handled.
195  *
196  * If both nc_mutex and nq_mutex must be held, nc_mutex must be acquired first.
197  * More than one nc_mutex may only be held when aborting commands. In this case,
198  * the nc_mutex of the command to be aborted must be held across the call to
199  * nvme_abort_cmd() to prevent the command from completing while the abort is in
200  * progress.
201  *
202  * If both nq_mutex and ncq_mutex need to be held, ncq_mutex must be
203  * acquired first. More than one nq_mutex is never held by a single thread.
204  * The ncq_mutex is only held by nvme_retrieve_cmd() and
205  * nvme_process_iocq(). nvme_process_iocq() is only called from the
206  * interrupt thread and nvme_retrieve_cmd() during polled I/O, so the
207  * mutex is non-contentious but is required for implementation completeness
208  * and safety.
209  *
210  * There is one mutex n_minor_mutex which protects all open flags nm_open and
211  * exclusive-open thread pointers nm_oexcl of each minor node associated with a
212  * controller and its namespaces.
213  *
214  * In addition, there is one mutex n_mgmt_mutex which must be held whenever the
215  * driver state for any namespace is changed, especially across calls to
216  * nvme_init_ns(), nvme_attach_ns() and nvme_detach_ns(). Except when detaching
217  * nvme, it should also be held across calls that modify the blkdev handle of a
218  * namespace. Command and queue mutexes may be acquired and released while
219  * n_mgmt_mutex is held, n_minor_mutex should not.
220  *
221  *
222  * Quiesce / Fast Reboot:
223  *
224  * The driver currently does not support fast reboot. A quiesce(9E) entry point
225  * is still provided which is used to send a shutdown notification to the
226  * device.
227  *
228  *
229  * NVMe Hotplug:
230  *
231  * The driver supports hot removal. The driver uses the NDI event framework
232  * to register a callback, nvme_remove_callback, to clean up when a disk is
233  * removed. In particular, the driver will unqueue outstanding I/O commands and
234  * set n_dead on the softstate to true so that other operations, such as ioctls
235  * and command submissions, fail as well.
236  *
237  * While the callback registration relies on the NDI event framework, the
238  * removal event itself is kicked off in the PCIe hotplug framework, when the
239  * PCIe bridge driver ("pcieb") gets a hotplug interrupt indicating that a
240  * device was removed from the slot.
241  *
242  * The NVMe driver instance itself will remain until the final close of the
243  * device.
244  *
245  *
246  * DDI UFM Support
247  *
248  * The driver supports the DDI UFM framework for reporting information about
249  * the device's firmware image and slot configuration. This data can be
250  * queried by userland software via ioctls to the ufm driver. For more
251  * information, see ddi_ufm(9E).
252  *
253  *
254  * Driver Configuration:
255  *
256  * The following driver properties can be changed to control some aspects of the
257  * drivers operation:
258  * - strict-version: can be set to 0 to allow devices conforming to newer
259  *   major versions to be used
260  * - ignore-unknown-vendor-status: can be set to 1 to not handle any vendor
261  *   specific command status as a fatal error leading device faulting
262  * - admin-queue-len: the maximum length of the admin queue (16-4096)
263  * - io-squeue-len: the maximum length of the I/O submission queues (16-65536)
264  * - io-cqueue-len: the maximum length of the I/O completion queues (16-65536)
265  * - async-event-limit: the maximum number of asynchronous event requests to be
266  *   posted by the driver
267  * - volatile-write-cache-enable: can be set to 0 to disable the volatile write
268  *   cache
269  * - min-phys-block-size: the minimum physical block size to report to blkdev,
270  *   which is among other things the basis for ZFS vdev ashift
271  * - max-submission-queues: the maximum number of I/O submission queues.
272  * - max-completion-queues: the maximum number of I/O completion queues,
273  *   can be less than max-submission-queues, in which case the completion
274  *   queues are shared.
275  *
276  * In addition to the above properties, some device-specific tunables can be
277  * configured using the nvme-config-list global property. The value of this
278  * property is a list of triplets. The formal syntax is:
279  *
280  *   nvme-config-list ::= <triplet> [, <triplet>]* ;
281  *   <triplet>        ::= "<model>" , "<rev-list>" , "<tuple-list>"
282  *   <rev-list>       ::= [ <fwrev> [, <fwrev>]*]
283  *   <tuple-list>     ::= <tunable> [, <tunable>]*
284  *   <tunable>        ::= <name> : <value>
285  *
286  * The <model> and <fwrev> are the strings in nvme_identify_ctrl_t`id_model and
287  * nvme_identify_ctrl_t`id_fwrev, respectively. The remainder of <tuple-list>
288  * contains one or more tunables to apply to all controllers that match the
289  * specified model number and optionally firmware revision. Each <tunable> is a
290  * <name> : <value> pair.  Supported tunables are:
291  *
292  * - ignore-unknown-vendor-status:  can be set to "on" to not handle any vendor
293  *   specific command status as a fatal error leading device faulting
294  *
295  * - min-phys-block-size: the minimum physical block size to report to blkdev,
296  *   which is among other things the basis for ZFS vdev ashift
297  *
298  * - volatile-write-cache: can be set to "on" or "off" to enable or disable the
299  *   volatile write cache, if present
300  *
301  *
302  * TODO:
303  * - figure out sane default for I/O queue depth reported to blkdev
304  * - FMA handling of media errors
305  * - support for devices supporting very large I/O requests using chained PRPs
306  * - support for configuring hardware parameters like interrupt coalescing
307  * - support for media formatting and hard partitioning into namespaces
308  * - support for big-endian systems
309  * - support for fast reboot
310  * - support for NVMe Subsystem Reset (1.1)
311  * - support for Scatter/Gather lists (1.1)
312  * - support for Reservations (1.1)
313  * - support for power management
314  */
315 
316 #include <sys/byteorder.h>
317 #ifdef _BIG_ENDIAN
318 #error nvme driver needs porting for big-endian platforms
319 #endif
320 
321 #include <sys/modctl.h>
322 #include <sys/conf.h>
323 #include <sys/devops.h>
324 #include <sys/ddi.h>
325 #include <sys/ddi_ufm.h>
326 #include <sys/sunddi.h>
327 #include <sys/sunndi.h>
328 #include <sys/bitmap.h>
329 #include <sys/sysmacros.h>
330 #include <sys/param.h>
331 #include <sys/varargs.h>
332 #include <sys/cpuvar.h>
333 #include <sys/disp.h>
334 #include <sys/blkdev.h>
335 #include <sys/atomic.h>
336 #include <sys/archsystm.h>
337 #include <sys/sata/sata_hba.h>
338 #include <sys/stat.h>
339 #include <sys/policy.h>
340 #include <sys/list.h>
341 #include <sys/dkio.h>
342 
343 #include <sys/nvme.h>
344 
345 #ifdef __x86
346 #include <sys/x86_archext.h>
347 #endif
348 
349 #include "nvme_reg.h"
350 #include "nvme_var.h"
351 
352 /*
353  * Assertions to make sure that we've properly captured various aspects of the
354  * packed structures and haven't broken them during updates.
355  */
356 CTASSERT(sizeof (nvme_identify_ctrl_t) == NVME_IDENTIFY_BUFSIZE);
357 CTASSERT(offsetof(nvme_identify_ctrl_t, id_oacs) == 256);
358 CTASSERT(offsetof(nvme_identify_ctrl_t, id_sqes) == 512);
359 CTASSERT(offsetof(nvme_identify_ctrl_t, id_oncs) == 520);
360 CTASSERT(offsetof(nvme_identify_ctrl_t, id_subnqn) == 768);
361 CTASSERT(offsetof(nvme_identify_ctrl_t, id_nvmof) == 1792);
362 CTASSERT(offsetof(nvme_identify_ctrl_t, id_psd) == 2048);
363 CTASSERT(offsetof(nvme_identify_ctrl_t, id_vs) == 3072);
364 
365 CTASSERT(sizeof (nvme_identify_nsid_t) == NVME_IDENTIFY_BUFSIZE);
366 CTASSERT(offsetof(nvme_identify_nsid_t, id_fpi) == 32);
367 CTASSERT(offsetof(nvme_identify_nsid_t, id_anagrpid) == 92);
368 CTASSERT(offsetof(nvme_identify_nsid_t, id_nguid) == 104);
369 CTASSERT(offsetof(nvme_identify_nsid_t, id_lbaf) == 128);
370 CTASSERT(offsetof(nvme_identify_nsid_t, id_vs) == 384);
371 
372 CTASSERT(sizeof (nvme_identify_nsid_list_t) == NVME_IDENTIFY_BUFSIZE);
373 CTASSERT(sizeof (nvme_identify_ctrl_list_t) == NVME_IDENTIFY_BUFSIZE);
374 
375 CTASSERT(sizeof (nvme_identify_primary_caps_t) == NVME_IDENTIFY_BUFSIZE);
376 CTASSERT(offsetof(nvme_identify_primary_caps_t, nipc_vqfrt) == 32);
377 CTASSERT(offsetof(nvme_identify_primary_caps_t, nipc_vifrt) == 64);
378 
379 CTASSERT(sizeof (nvme_nschange_list_t) == 4096);
380 
381 
382 /* NVMe spec version supported */
383 static const int nvme_version_major = 1;
384 
385 /* tunable for admin command timeout in seconds, default is 1s */
386 int nvme_admin_cmd_timeout = 1;
387 
388 /* tunable for FORMAT NVM command timeout in seconds, default is 600s */
389 int nvme_format_cmd_timeout = 600;
390 
391 /* tunable for firmware commit with NVME_FWC_SAVE, default is 15s */
392 int nvme_commit_save_cmd_timeout = 15;
393 
394 /*
395  * tunable for the size of arbitrary vendor specific admin commands,
396  * default is 16MiB.
397  */
398 uint32_t nvme_vendor_specific_admin_cmd_size = 1 << 24;
399 
400 /*
401  * tunable for the max timeout of arbitary vendor specific admin commands,
402  * default is 60s.
403  */
404 uint_t nvme_vendor_specific_admin_cmd_max_timeout = 60;
405 
406 static int nvme_attach(dev_info_t *, ddi_attach_cmd_t);
407 static int nvme_detach(dev_info_t *, ddi_detach_cmd_t);
408 static int nvme_quiesce(dev_info_t *);
409 static int nvme_fm_errcb(dev_info_t *, ddi_fm_error_t *, const void *);
410 static int nvme_setup_interrupts(nvme_t *, int, int);
411 static void nvme_release_interrupts(nvme_t *);
412 static uint_t nvme_intr(caddr_t, caddr_t);
413 
414 static void nvme_shutdown(nvme_t *, boolean_t);
415 static boolean_t nvme_reset(nvme_t *, boolean_t);
416 static int nvme_init(nvme_t *);
417 static nvme_cmd_t *nvme_alloc_cmd(nvme_t *, int);
418 static void nvme_free_cmd(nvme_cmd_t *);
419 static nvme_cmd_t *nvme_create_nvm_cmd(nvme_namespace_t *, uint8_t,
420     bd_xfer_t *);
421 static void nvme_admin_cmd(nvme_cmd_t *, int);
422 static void nvme_submit_admin_cmd(nvme_qpair_t *, nvme_cmd_t *);
423 static int nvme_submit_io_cmd(nvme_qpair_t *, nvme_cmd_t *);
424 static void nvme_submit_cmd_common(nvme_qpair_t *, nvme_cmd_t *);
425 static nvme_cmd_t *nvme_unqueue_cmd(nvme_t *, nvme_qpair_t *, int);
426 static nvme_cmd_t *nvme_retrieve_cmd(nvme_t *, nvme_qpair_t *);
427 static void nvme_wait_cmd(nvme_cmd_t *, uint_t);
428 static void nvme_wakeup_cmd(void *);
429 static void nvme_async_event_task(void *);
430 
431 static int nvme_check_unknown_cmd_status(nvme_cmd_t *);
432 static int nvme_check_vendor_cmd_status(nvme_cmd_t *);
433 static int nvme_check_integrity_cmd_status(nvme_cmd_t *);
434 static int nvme_check_specific_cmd_status(nvme_cmd_t *);
435 static int nvme_check_generic_cmd_status(nvme_cmd_t *);
436 static inline int nvme_check_cmd_status(nvme_cmd_t *);
437 
438 static int nvme_abort_cmd(nvme_cmd_t *, uint_t);
439 static void nvme_async_event(nvme_t *);
440 static int nvme_format_nvm(nvme_t *, boolean_t, uint32_t, uint8_t, boolean_t,
441     uint8_t, boolean_t, uint8_t);
442 static int nvme_get_logpage(nvme_t *, boolean_t, void **, size_t *, uint8_t,
443     ...);
444 static int nvme_identify(nvme_t *, boolean_t, uint32_t, uint8_t, void **);
445 static int nvme_set_features(nvme_t *, boolean_t, uint32_t, uint8_t, uint32_t,
446     uint32_t *);
447 static int nvme_get_features(nvme_t *, boolean_t, uint32_t, uint8_t, uint32_t *,
448     void **, size_t *);
449 static int nvme_write_cache_set(nvme_t *, boolean_t);
450 static int nvme_set_nqueues(nvme_t *);
451 
452 static void nvme_free_dma(nvme_dma_t *);
453 static int nvme_zalloc_dma(nvme_t *, size_t, uint_t, ddi_dma_attr_t *,
454     nvme_dma_t **);
455 static int nvme_zalloc_queue_dma(nvme_t *, uint32_t, uint16_t, uint_t,
456     nvme_dma_t **);
457 static void nvme_free_qpair(nvme_qpair_t *);
458 static int nvme_alloc_qpair(nvme_t *, uint32_t, nvme_qpair_t **, uint_t);
459 static int nvme_create_io_qpair(nvme_t *, nvme_qpair_t *, uint16_t);
460 
461 static inline void nvme_put64(nvme_t *, uintptr_t, uint64_t);
462 static inline void nvme_put32(nvme_t *, uintptr_t, uint32_t);
463 static inline uint64_t nvme_get64(nvme_t *, uintptr_t);
464 static inline uint32_t nvme_get32(nvme_t *, uintptr_t);
465 
466 static boolean_t nvme_check_regs_hdl(nvme_t *);
467 static boolean_t nvme_check_dma_hdl(nvme_dma_t *);
468 
469 static int nvme_fill_prp(nvme_cmd_t *, ddi_dma_handle_t);
470 
471 static void nvme_bd_xfer_done(void *);
472 static void nvme_bd_driveinfo(void *, bd_drive_t *);
473 static int nvme_bd_mediainfo(void *, bd_media_t *);
474 static int nvme_bd_cmd(nvme_namespace_t *, bd_xfer_t *, uint8_t);
475 static int nvme_bd_read(void *, bd_xfer_t *);
476 static int nvme_bd_write(void *, bd_xfer_t *);
477 static int nvme_bd_sync(void *, bd_xfer_t *);
478 static int nvme_bd_devid(void *, dev_info_t *, ddi_devid_t *);
479 static int nvme_bd_free_space(void *, bd_xfer_t *);
480 
481 static int nvme_prp_dma_constructor(void *, void *, int);
482 static void nvme_prp_dma_destructor(void *, void *);
483 
484 static void nvme_prepare_devid(nvme_t *, uint32_t);
485 
486 /* DDI UFM callbacks */
487 static int nvme_ufm_fill_image(ddi_ufm_handle_t *, void *, uint_t,
488     ddi_ufm_image_t *);
489 static int nvme_ufm_fill_slot(ddi_ufm_handle_t *, void *, uint_t, uint_t,
490     ddi_ufm_slot_t *);
491 static int nvme_ufm_getcaps(ddi_ufm_handle_t *, void *, ddi_ufm_cap_t *);
492 
493 static int nvme_open(dev_t *, int, int, cred_t *);
494 static int nvme_close(dev_t, int, int, cred_t *);
495 static int nvme_ioctl(dev_t, int, intptr_t, int, cred_t *, int *);
496 
497 static int nvme_init_ns(nvme_t *, int);
498 static int nvme_attach_ns(nvme_t *, int);
499 static int nvme_detach_ns(nvme_t *, int);
500 
501 #define	NVME_NSID2NS(nvme, nsid)	(&((nvme)->n_ns[(nsid) - 1]))
502 
503 static ddi_ufm_ops_t nvme_ufm_ops = {
504 	NULL,
505 	nvme_ufm_fill_image,
506 	nvme_ufm_fill_slot,
507 	nvme_ufm_getcaps
508 };
509 
510 #define	NVME_MINOR_INST_SHIFT	9
511 #define	NVME_MINOR(inst, nsid)	(((inst) << NVME_MINOR_INST_SHIFT) | (nsid))
512 #define	NVME_MINOR_INST(minor)	((minor) >> NVME_MINOR_INST_SHIFT)
513 #define	NVME_MINOR_NSID(minor)	((minor) & ((1 << NVME_MINOR_INST_SHIFT) - 1))
514 #define	NVME_MINOR_MAX		(NVME_MINOR(1, 0) - 2)
515 #define	NVME_IS_VENDOR_SPECIFIC_CMD(x)	(((x) >= 0xC0) && ((x) <= 0xFF))
516 #define	NVME_VENDOR_SPECIFIC_LOGPAGE_MIN	0xC0
517 #define	NVME_VENDOR_SPECIFIC_LOGPAGE_MAX	0xFF
518 #define	NVME_IS_VENDOR_SPECIFIC_LOGPAGE(x)	\
519 		(((x) >= NVME_VENDOR_SPECIFIC_LOGPAGE_MIN) && \
520 		((x) <= NVME_VENDOR_SPECIFIC_LOGPAGE_MAX))
521 
522 /*
523  * NVMe versions 1.3 and later actually support log pages up to UINT32_MAX
524  * DWords in size. However, revision 1.3 also modified the layout of the Get Log
525  * Page command significantly relative to version 1.2, including changing
526  * reserved bits, adding new bitfields, and requiring the use of command DWord
527  * 11 to fully specify the size of the log page (the lower and upper 16 bits of
528  * the number of DWords in the page are split between DWord 10 and DWord 11,
529  * respectively).
530  *
531  * All of these impose significantly different layout requirements on the
532  * `nvme_getlogpage_t` type. This could be solved with two different types, or a
533  * complicated/nested union with the two versions as the overlying members. Both
534  * of these are reasonable, if a bit convoluted. However, these is no current
535  * need for such large pages, or a way to test them, as most log pages actually
536  * fit within the current size limit. So for simplicity, we retain the size cap
537  * from version 1.2.
538  *
539  * Note that the number of DWords is zero-based, so we add 1. It is subtracted
540  * to form a zero-based value in `nvme_get_logpage`.
541  */
542 #define	NVME_VENDOR_SPECIFIC_LOGPAGE_MAX_SIZE	\
543 		(((1 << 12) + 1) * sizeof (uint32_t))
544 
545 static void *nvme_state;
546 static kmem_cache_t *nvme_cmd_cache;
547 
548 /*
549  * DMA attributes for queue DMA memory
550  *
551  * Queue DMA memory must be page aligned. The maximum length of a queue is
552  * 65536 entries, and an entry can be 64 bytes long.
553  */
554 static ddi_dma_attr_t nvme_queue_dma_attr = {
555 	.dma_attr_version	= DMA_ATTR_V0,
556 	.dma_attr_addr_lo	= 0,
557 	.dma_attr_addr_hi	= 0xffffffffffffffffULL,
558 	.dma_attr_count_max	= (UINT16_MAX + 1) * sizeof (nvme_sqe_t) - 1,
559 	.dma_attr_align		= 0x1000,
560 	.dma_attr_burstsizes	= 0x7ff,
561 	.dma_attr_minxfer	= 0x1000,
562 	.dma_attr_maxxfer	= (UINT16_MAX + 1) * sizeof (nvme_sqe_t),
563 	.dma_attr_seg		= 0xffffffffffffffffULL,
564 	.dma_attr_sgllen	= 1,
565 	.dma_attr_granular	= 1,
566 	.dma_attr_flags		= 0,
567 };
568 
569 /*
570  * DMA attributes for transfers using Physical Region Page (PRP) entries
571  *
572  * A PRP entry describes one page of DMA memory using the page size specified
573  * in the controller configuration's memory page size register (CC.MPS). It uses
574  * a 64bit base address aligned to this page size. There is no limitation on
575  * chaining PRPs together for arbitrarily large DMA transfers.
576  */
577 static ddi_dma_attr_t nvme_prp_dma_attr = {
578 	.dma_attr_version	= DMA_ATTR_V0,
579 	.dma_attr_addr_lo	= 0,
580 	.dma_attr_addr_hi	= 0xffffffffffffffffULL,
581 	.dma_attr_count_max	= 0xfff,
582 	.dma_attr_align		= 0x1000,
583 	.dma_attr_burstsizes	= 0x7ff,
584 	.dma_attr_minxfer	= 0x1000,
585 	.dma_attr_maxxfer	= 0x1000,
586 	.dma_attr_seg		= 0xfff,
587 	.dma_attr_sgllen	= -1,
588 	.dma_attr_granular	= 1,
589 	.dma_attr_flags		= 0,
590 };
591 
592 /*
593  * DMA attributes for transfers using scatter/gather lists
594  *
595  * A SGL entry describes a chunk of DMA memory using a 64bit base address and a
596  * 32bit length field. SGL Segment and SGL Last Segment entries require the
597  * length to be a multiple of 16 bytes.
598  */
599 static ddi_dma_attr_t nvme_sgl_dma_attr = {
600 	.dma_attr_version	= DMA_ATTR_V0,
601 	.dma_attr_addr_lo	= 0,
602 	.dma_attr_addr_hi	= 0xffffffffffffffffULL,
603 	.dma_attr_count_max	= 0xffffffffUL,
604 	.dma_attr_align		= 1,
605 	.dma_attr_burstsizes	= 0x7ff,
606 	.dma_attr_minxfer	= 0x10,
607 	.dma_attr_maxxfer	= 0xfffffffffULL,
608 	.dma_attr_seg		= 0xffffffffffffffffULL,
609 	.dma_attr_sgllen	= -1,
610 	.dma_attr_granular	= 0x10,
611 	.dma_attr_flags		= 0
612 };
613 
614 static ddi_device_acc_attr_t nvme_reg_acc_attr = {
615 	.devacc_attr_version	= DDI_DEVICE_ATTR_V0,
616 	.devacc_attr_endian_flags = DDI_STRUCTURE_LE_ACC,
617 	.devacc_attr_dataorder	= DDI_STRICTORDER_ACC
618 };
619 
620 static struct cb_ops nvme_cb_ops = {
621 	.cb_open	= nvme_open,
622 	.cb_close	= nvme_close,
623 	.cb_strategy	= nodev,
624 	.cb_print	= nodev,
625 	.cb_dump	= nodev,
626 	.cb_read	= nodev,
627 	.cb_write	= nodev,
628 	.cb_ioctl	= nvme_ioctl,
629 	.cb_devmap	= nodev,
630 	.cb_mmap	= nodev,
631 	.cb_segmap	= nodev,
632 	.cb_chpoll	= nochpoll,
633 	.cb_prop_op	= ddi_prop_op,
634 	.cb_str		= 0,
635 	.cb_flag	= D_NEW | D_MP,
636 	.cb_rev		= CB_REV,
637 	.cb_aread	= nodev,
638 	.cb_awrite	= nodev
639 };
640 
641 static struct dev_ops nvme_dev_ops = {
642 	.devo_rev	= DEVO_REV,
643 	.devo_refcnt	= 0,
644 	.devo_getinfo	= ddi_no_info,
645 	.devo_identify	= nulldev,
646 	.devo_probe	= nulldev,
647 	.devo_attach	= nvme_attach,
648 	.devo_detach	= nvme_detach,
649 	.devo_reset	= nodev,
650 	.devo_cb_ops	= &nvme_cb_ops,
651 	.devo_bus_ops	= NULL,
652 	.devo_power	= NULL,
653 	.devo_quiesce	= nvme_quiesce,
654 };
655 
656 static struct modldrv nvme_modldrv = {
657 	.drv_modops	= &mod_driverops,
658 	.drv_linkinfo	= "NVMe v1.1b",
659 	.drv_dev_ops	= &nvme_dev_ops
660 };
661 
662 static struct modlinkage nvme_modlinkage = {
663 	.ml_rev		= MODREV_1,
664 	.ml_linkage	= { &nvme_modldrv, NULL }
665 };
666 
667 static bd_ops_t nvme_bd_ops = {
668 	.o_version	= BD_OPS_CURRENT_VERSION,
669 	.o_drive_info	= nvme_bd_driveinfo,
670 	.o_media_info	= nvme_bd_mediainfo,
671 	.o_devid_init	= nvme_bd_devid,
672 	.o_sync_cache	= nvme_bd_sync,
673 	.o_read		= nvme_bd_read,
674 	.o_write	= nvme_bd_write,
675 	.o_free_space	= nvme_bd_free_space,
676 };
677 
678 /*
679  * This list will hold commands that have timed out and couldn't be aborted.
680  * As we don't know what the hardware may still do with the DMA memory we can't
681  * free them, so we'll keep them forever on this list where we can easily look
682  * at them with mdb.
683  */
684 static struct list nvme_lost_cmds;
685 static kmutex_t nvme_lc_mutex;
686 
687 int
688 _init(void)
689 {
690 	int error;
691 
692 	error = ddi_soft_state_init(&nvme_state, sizeof (nvme_t), 1);
693 	if (error != DDI_SUCCESS)
694 		return (error);
695 
696 	nvme_cmd_cache = kmem_cache_create("nvme_cmd_cache",
697 	    sizeof (nvme_cmd_t), 64, NULL, NULL, NULL, NULL, NULL, 0);
698 
699 	mutex_init(&nvme_lc_mutex, NULL, MUTEX_DRIVER, NULL);
700 	list_create(&nvme_lost_cmds, sizeof (nvme_cmd_t),
701 	    offsetof(nvme_cmd_t, nc_list));
702 
703 	bd_mod_init(&nvme_dev_ops);
704 
705 	error = mod_install(&nvme_modlinkage);
706 	if (error != DDI_SUCCESS) {
707 		ddi_soft_state_fini(&nvme_state);
708 		mutex_destroy(&nvme_lc_mutex);
709 		list_destroy(&nvme_lost_cmds);
710 		bd_mod_fini(&nvme_dev_ops);
711 	}
712 
713 	return (error);
714 }
715 
716 int
717 _fini(void)
718 {
719 	int error;
720 
721 	if (!list_is_empty(&nvme_lost_cmds))
722 		return (DDI_FAILURE);
723 
724 	error = mod_remove(&nvme_modlinkage);
725 	if (error == DDI_SUCCESS) {
726 		ddi_soft_state_fini(&nvme_state);
727 		kmem_cache_destroy(nvme_cmd_cache);
728 		mutex_destroy(&nvme_lc_mutex);
729 		list_destroy(&nvme_lost_cmds);
730 		bd_mod_fini(&nvme_dev_ops);
731 	}
732 
733 	return (error);
734 }
735 
736 int
737 _info(struct modinfo *modinfop)
738 {
739 	return (mod_info(&nvme_modlinkage, modinfop));
740 }
741 
742 static inline void
743 nvme_put64(nvme_t *nvme, uintptr_t reg, uint64_t val)
744 {
745 	ASSERT(((uintptr_t)(nvme->n_regs + reg) & 0x7) == 0);
746 
747 	/*LINTED: E_BAD_PTR_CAST_ALIGN*/
748 	ddi_put64(nvme->n_regh, (uint64_t *)(nvme->n_regs + reg), val);
749 }
750 
751 static inline void
752 nvme_put32(nvme_t *nvme, uintptr_t reg, uint32_t val)
753 {
754 	ASSERT(((uintptr_t)(nvme->n_regs + reg) & 0x3) == 0);
755 
756 	/*LINTED: E_BAD_PTR_CAST_ALIGN*/
757 	ddi_put32(nvme->n_regh, (uint32_t *)(nvme->n_regs + reg), val);
758 }
759 
760 static inline uint64_t
761 nvme_get64(nvme_t *nvme, uintptr_t reg)
762 {
763 	uint64_t val;
764 
765 	ASSERT(((uintptr_t)(nvme->n_regs + reg) & 0x7) == 0);
766 
767 	/*LINTED: E_BAD_PTR_CAST_ALIGN*/
768 	val = ddi_get64(nvme->n_regh, (uint64_t *)(nvme->n_regs + reg));
769 
770 	return (val);
771 }
772 
773 static inline uint32_t
774 nvme_get32(nvme_t *nvme, uintptr_t reg)
775 {
776 	uint32_t val;
777 
778 	ASSERT(((uintptr_t)(nvme->n_regs + reg) & 0x3) == 0);
779 
780 	/*LINTED: E_BAD_PTR_CAST_ALIGN*/
781 	val = ddi_get32(nvme->n_regh, (uint32_t *)(nvme->n_regs + reg));
782 
783 	return (val);
784 }
785 
786 static boolean_t
787 nvme_check_regs_hdl(nvme_t *nvme)
788 {
789 	ddi_fm_error_t error;
790 
791 	ddi_fm_acc_err_get(nvme->n_regh, &error, DDI_FME_VERSION);
792 
793 	if (error.fme_status != DDI_FM_OK)
794 		return (B_TRUE);
795 
796 	return (B_FALSE);
797 }
798 
799 static boolean_t
800 nvme_check_dma_hdl(nvme_dma_t *dma)
801 {
802 	ddi_fm_error_t error;
803 
804 	if (dma == NULL)
805 		return (B_FALSE);
806 
807 	ddi_fm_dma_err_get(dma->nd_dmah, &error, DDI_FME_VERSION);
808 
809 	if (error.fme_status != DDI_FM_OK)
810 		return (B_TRUE);
811 
812 	return (B_FALSE);
813 }
814 
815 static void
816 nvme_free_dma_common(nvme_dma_t *dma)
817 {
818 	if (dma->nd_dmah != NULL)
819 		(void) ddi_dma_unbind_handle(dma->nd_dmah);
820 	if (dma->nd_acch != NULL)
821 		ddi_dma_mem_free(&dma->nd_acch);
822 	if (dma->nd_dmah != NULL)
823 		ddi_dma_free_handle(&dma->nd_dmah);
824 }
825 
826 static void
827 nvme_free_dma(nvme_dma_t *dma)
828 {
829 	nvme_free_dma_common(dma);
830 	kmem_free(dma, sizeof (*dma));
831 }
832 
833 /* ARGSUSED */
834 static void
835 nvme_prp_dma_destructor(void *buf, void *private)
836 {
837 	nvme_dma_t *dma = (nvme_dma_t *)buf;
838 
839 	nvme_free_dma_common(dma);
840 }
841 
842 static int
843 nvme_alloc_dma_common(nvme_t *nvme, nvme_dma_t *dma,
844     size_t len, uint_t flags, ddi_dma_attr_t *dma_attr)
845 {
846 	if (ddi_dma_alloc_handle(nvme->n_dip, dma_attr, DDI_DMA_SLEEP, NULL,
847 	    &dma->nd_dmah) != DDI_SUCCESS) {
848 		/*
849 		 * Due to DDI_DMA_SLEEP this can't be DDI_DMA_NORESOURCES, and
850 		 * the only other possible error is DDI_DMA_BADATTR which
851 		 * indicates a driver bug which should cause a panic.
852 		 */
853 		dev_err(nvme->n_dip, CE_PANIC,
854 		    "!failed to get DMA handle, check DMA attributes");
855 		return (DDI_FAILURE);
856 	}
857 
858 	/*
859 	 * ddi_dma_mem_alloc() can only fail when DDI_DMA_NOSLEEP is specified
860 	 * or the flags are conflicting, which isn't the case here.
861 	 */
862 	(void) ddi_dma_mem_alloc(dma->nd_dmah, len, &nvme->n_reg_acc_attr,
863 	    DDI_DMA_CONSISTENT, DDI_DMA_SLEEP, NULL, &dma->nd_memp,
864 	    &dma->nd_len, &dma->nd_acch);
865 
866 	if (ddi_dma_addr_bind_handle(dma->nd_dmah, NULL, dma->nd_memp,
867 	    dma->nd_len, flags | DDI_DMA_CONSISTENT, DDI_DMA_SLEEP, NULL,
868 	    &dma->nd_cookie, &dma->nd_ncookie) != DDI_DMA_MAPPED) {
869 		dev_err(nvme->n_dip, CE_WARN,
870 		    "!failed to bind DMA memory");
871 		atomic_inc_32(&nvme->n_dma_bind_err);
872 		nvme_free_dma_common(dma);
873 		return (DDI_FAILURE);
874 	}
875 
876 	return (DDI_SUCCESS);
877 }
878 
879 static int
880 nvme_zalloc_dma(nvme_t *nvme, size_t len, uint_t flags,
881     ddi_dma_attr_t *dma_attr, nvme_dma_t **ret)
882 {
883 	nvme_dma_t *dma = kmem_zalloc(sizeof (nvme_dma_t), KM_SLEEP);
884 
885 	if (nvme_alloc_dma_common(nvme, dma, len, flags, dma_attr) !=
886 	    DDI_SUCCESS) {
887 		*ret = NULL;
888 		kmem_free(dma, sizeof (nvme_dma_t));
889 		return (DDI_FAILURE);
890 	}
891 
892 	bzero(dma->nd_memp, dma->nd_len);
893 
894 	*ret = dma;
895 	return (DDI_SUCCESS);
896 }
897 
898 /* ARGSUSED */
899 static int
900 nvme_prp_dma_constructor(void *buf, void *private, int flags)
901 {
902 	nvme_dma_t *dma = (nvme_dma_t *)buf;
903 	nvme_t *nvme = (nvme_t *)private;
904 
905 	dma->nd_dmah = NULL;
906 	dma->nd_acch = NULL;
907 
908 	if (nvme_alloc_dma_common(nvme, dma, nvme->n_pagesize,
909 	    DDI_DMA_READ, &nvme->n_prp_dma_attr) != DDI_SUCCESS) {
910 		return (-1);
911 	}
912 
913 	ASSERT(dma->nd_ncookie == 1);
914 
915 	dma->nd_cached = B_TRUE;
916 
917 	return (0);
918 }
919 
920 static int
921 nvme_zalloc_queue_dma(nvme_t *nvme, uint32_t nentry, uint16_t qe_len,
922     uint_t flags, nvme_dma_t **dma)
923 {
924 	uint32_t len = nentry * qe_len;
925 	ddi_dma_attr_t q_dma_attr = nvme->n_queue_dma_attr;
926 
927 	len = roundup(len, nvme->n_pagesize);
928 
929 	if (nvme_zalloc_dma(nvme, len, flags, &q_dma_attr, dma)
930 	    != DDI_SUCCESS) {
931 		dev_err(nvme->n_dip, CE_WARN,
932 		    "!failed to get DMA memory for queue");
933 		goto fail;
934 	}
935 
936 	if ((*dma)->nd_ncookie != 1) {
937 		dev_err(nvme->n_dip, CE_WARN,
938 		    "!got too many cookies for queue DMA");
939 		goto fail;
940 	}
941 
942 	return (DDI_SUCCESS);
943 
944 fail:
945 	if (*dma) {
946 		nvme_free_dma(*dma);
947 		*dma = NULL;
948 	}
949 
950 	return (DDI_FAILURE);
951 }
952 
953 static void
954 nvme_free_cq(nvme_cq_t *cq)
955 {
956 	mutex_destroy(&cq->ncq_mutex);
957 
958 	if (cq->ncq_cmd_taskq != NULL)
959 		taskq_destroy(cq->ncq_cmd_taskq);
960 
961 	if (cq->ncq_dma != NULL)
962 		nvme_free_dma(cq->ncq_dma);
963 
964 	kmem_free(cq, sizeof (*cq));
965 }
966 
967 static void
968 nvme_free_qpair(nvme_qpair_t *qp)
969 {
970 	int i;
971 
972 	mutex_destroy(&qp->nq_mutex);
973 	sema_destroy(&qp->nq_sema);
974 
975 	if (qp->nq_sqdma != NULL)
976 		nvme_free_dma(qp->nq_sqdma);
977 
978 	if (qp->nq_active_cmds > 0)
979 		for (i = 0; i != qp->nq_nentry; i++)
980 			if (qp->nq_cmd[i] != NULL)
981 				nvme_free_cmd(qp->nq_cmd[i]);
982 
983 	if (qp->nq_cmd != NULL)
984 		kmem_free(qp->nq_cmd, sizeof (nvme_cmd_t *) * qp->nq_nentry);
985 
986 	kmem_free(qp, sizeof (nvme_qpair_t));
987 }
988 
989 /*
990  * Destroy the pre-allocated cq array, but only free individual completion
991  * queues from the given starting index.
992  */
993 static void
994 nvme_destroy_cq_array(nvme_t *nvme, uint_t start)
995 {
996 	uint_t i;
997 
998 	for (i = start; i < nvme->n_cq_count; i++)
999 		if (nvme->n_cq[i] != NULL)
1000 			nvme_free_cq(nvme->n_cq[i]);
1001 
1002 	kmem_free(nvme->n_cq, sizeof (*nvme->n_cq) * nvme->n_cq_count);
1003 }
1004 
1005 static int
1006 nvme_alloc_cq(nvme_t *nvme, uint32_t nentry, nvme_cq_t **cqp, uint16_t idx,
1007     uint_t nthr)
1008 {
1009 	nvme_cq_t *cq = kmem_zalloc(sizeof (*cq), KM_SLEEP);
1010 	char name[64];		/* large enough for the taskq name */
1011 
1012 	mutex_init(&cq->ncq_mutex, NULL, MUTEX_DRIVER,
1013 	    DDI_INTR_PRI(nvme->n_intr_pri));
1014 
1015 	if (nvme_zalloc_queue_dma(nvme, nentry, sizeof (nvme_cqe_t),
1016 	    DDI_DMA_READ, &cq->ncq_dma) != DDI_SUCCESS)
1017 		goto fail;
1018 
1019 	cq->ncq_cq = (nvme_cqe_t *)cq->ncq_dma->nd_memp;
1020 	cq->ncq_nentry = nentry;
1021 	cq->ncq_id = idx;
1022 	cq->ncq_hdbl = NVME_REG_CQHDBL(nvme, idx);
1023 
1024 	/*
1025 	 * Each completion queue has its own command taskq.
1026 	 */
1027 	(void) snprintf(name, sizeof (name), "%s%d_cmd_taskq%u",
1028 	    ddi_driver_name(nvme->n_dip), ddi_get_instance(nvme->n_dip), idx);
1029 
1030 	cq->ncq_cmd_taskq = taskq_create(name, nthr, minclsyspri, 64, INT_MAX,
1031 	    TASKQ_PREPOPULATE);
1032 
1033 	if (cq->ncq_cmd_taskq == NULL) {
1034 		dev_err(nvme->n_dip, CE_WARN, "!failed to create cmd "
1035 		    "taskq for cq %u", idx);
1036 		goto fail;
1037 	}
1038 
1039 	*cqp = cq;
1040 	return (DDI_SUCCESS);
1041 
1042 fail:
1043 	nvme_free_cq(cq);
1044 	*cqp = NULL;
1045 
1046 	return (DDI_FAILURE);
1047 }
1048 
1049 /*
1050  * Create the n_cq array big enough to hold "ncq" completion queues.
1051  * If the array already exists it will be re-sized (but only larger).
1052  * The admin queue is included in this array, which boosts the
1053  * max number of entries to UINT16_MAX + 1.
1054  */
1055 static int
1056 nvme_create_cq_array(nvme_t *nvme, uint_t ncq, uint32_t nentry, uint_t nthr)
1057 {
1058 	nvme_cq_t **cq;
1059 	uint_t i, cq_count;
1060 
1061 	ASSERT3U(ncq, >, nvme->n_cq_count);
1062 
1063 	cq = nvme->n_cq;
1064 	cq_count = nvme->n_cq_count;
1065 
1066 	nvme->n_cq = kmem_zalloc(sizeof (*nvme->n_cq) * ncq, KM_SLEEP);
1067 	nvme->n_cq_count = ncq;
1068 
1069 	for (i = 0; i < cq_count; i++)
1070 		nvme->n_cq[i] = cq[i];
1071 
1072 	for (; i < nvme->n_cq_count; i++)
1073 		if (nvme_alloc_cq(nvme, nentry, &nvme->n_cq[i], i, nthr) !=
1074 		    DDI_SUCCESS)
1075 			goto fail;
1076 
1077 	if (cq != NULL)
1078 		kmem_free(cq, sizeof (*cq) * cq_count);
1079 
1080 	return (DDI_SUCCESS);
1081 
1082 fail:
1083 	nvme_destroy_cq_array(nvme, cq_count);
1084 	/*
1085 	 * Restore the original array
1086 	 */
1087 	nvme->n_cq_count = cq_count;
1088 	nvme->n_cq = cq;
1089 
1090 	return (DDI_FAILURE);
1091 }
1092 
1093 static int
1094 nvme_alloc_qpair(nvme_t *nvme, uint32_t nentry, nvme_qpair_t **nqp,
1095     uint_t idx)
1096 {
1097 	nvme_qpair_t *qp = kmem_zalloc(sizeof (*qp), KM_SLEEP);
1098 	uint_t cq_idx;
1099 
1100 	mutex_init(&qp->nq_mutex, NULL, MUTEX_DRIVER,
1101 	    DDI_INTR_PRI(nvme->n_intr_pri));
1102 
1103 	/*
1104 	 * The NVMe spec defines that a full queue has one empty (unused) slot;
1105 	 * initialize the semaphore accordingly.
1106 	 */
1107 	sema_init(&qp->nq_sema, nentry - 1, NULL, SEMA_DRIVER, NULL);
1108 
1109 	if (nvme_zalloc_queue_dma(nvme, nentry, sizeof (nvme_sqe_t),
1110 	    DDI_DMA_WRITE, &qp->nq_sqdma) != DDI_SUCCESS)
1111 		goto fail;
1112 
1113 	/*
1114 	 * idx == 0 is adminq, those above 0 are shared io completion queues.
1115 	 */
1116 	cq_idx = idx == 0 ? 0 : 1 + (idx - 1) % (nvme->n_cq_count - 1);
1117 	qp->nq_cq = nvme->n_cq[cq_idx];
1118 	qp->nq_sq = (nvme_sqe_t *)qp->nq_sqdma->nd_memp;
1119 	qp->nq_nentry = nentry;
1120 
1121 	qp->nq_sqtdbl = NVME_REG_SQTDBL(nvme, idx);
1122 
1123 	qp->nq_cmd = kmem_zalloc(sizeof (nvme_cmd_t *) * nentry, KM_SLEEP);
1124 	qp->nq_next_cmd = 0;
1125 
1126 	*nqp = qp;
1127 	return (DDI_SUCCESS);
1128 
1129 fail:
1130 	nvme_free_qpair(qp);
1131 	*nqp = NULL;
1132 
1133 	return (DDI_FAILURE);
1134 }
1135 
1136 static nvme_cmd_t *
1137 nvme_alloc_cmd(nvme_t *nvme, int kmflag)
1138 {
1139 	nvme_cmd_t *cmd = kmem_cache_alloc(nvme_cmd_cache, kmflag);
1140 
1141 	if (cmd == NULL)
1142 		return (cmd);
1143 
1144 	bzero(cmd, sizeof (nvme_cmd_t));
1145 
1146 	cmd->nc_nvme = nvme;
1147 
1148 	mutex_init(&cmd->nc_mutex, NULL, MUTEX_DRIVER,
1149 	    DDI_INTR_PRI(nvme->n_intr_pri));
1150 	cv_init(&cmd->nc_cv, NULL, CV_DRIVER, NULL);
1151 
1152 	return (cmd);
1153 }
1154 
1155 static void
1156 nvme_free_cmd(nvme_cmd_t *cmd)
1157 {
1158 	/* Don't free commands on the lost commands list. */
1159 	if (list_link_active(&cmd->nc_list))
1160 		return;
1161 
1162 	if (cmd->nc_dma) {
1163 		nvme_free_dma(cmd->nc_dma);
1164 		cmd->nc_dma = NULL;
1165 	}
1166 
1167 	if (cmd->nc_prp) {
1168 		kmem_cache_free(cmd->nc_nvme->n_prp_cache, cmd->nc_prp);
1169 		cmd->nc_prp = NULL;
1170 	}
1171 
1172 	cv_destroy(&cmd->nc_cv);
1173 	mutex_destroy(&cmd->nc_mutex);
1174 
1175 	kmem_cache_free(nvme_cmd_cache, cmd);
1176 }
1177 
1178 static void
1179 nvme_submit_admin_cmd(nvme_qpair_t *qp, nvme_cmd_t *cmd)
1180 {
1181 	sema_p(&qp->nq_sema);
1182 	nvme_submit_cmd_common(qp, cmd);
1183 }
1184 
1185 static int
1186 nvme_submit_io_cmd(nvme_qpair_t *qp, nvme_cmd_t *cmd)
1187 {
1188 	if (cmd->nc_nvme->n_dead) {
1189 		return (EIO);
1190 	}
1191 
1192 	if (sema_tryp(&qp->nq_sema) == 0)
1193 		return (EAGAIN);
1194 
1195 	nvme_submit_cmd_common(qp, cmd);
1196 	return (0);
1197 }
1198 
1199 static void
1200 nvme_submit_cmd_common(nvme_qpair_t *qp, nvme_cmd_t *cmd)
1201 {
1202 	nvme_reg_sqtdbl_t tail = { 0 };
1203 
1204 	mutex_enter(&qp->nq_mutex);
1205 	cmd->nc_completed = B_FALSE;
1206 
1207 	/*
1208 	 * Now that we hold the queue pair lock, we must check whether or not
1209 	 * the controller has been listed as dead (e.g. was removed due to
1210 	 * hotplug). This is necessary as otherwise we could race with
1211 	 * nvme_remove_callback(). Because this has not been enqueued, we don't
1212 	 * call nvme_unqueue_cmd(), which is why we must manually decrement the
1213 	 * semaphore.
1214 	 */
1215 	if (cmd->nc_nvme->n_dead) {
1216 		taskq_dispatch_ent(qp->nq_cq->ncq_cmd_taskq, cmd->nc_callback,
1217 		    cmd, TQ_NOSLEEP, &cmd->nc_tqent);
1218 		sema_v(&qp->nq_sema);
1219 		mutex_exit(&qp->nq_mutex);
1220 		return;
1221 	}
1222 
1223 	/*
1224 	 * Try to insert the cmd into the active cmd array at the nq_next_cmd
1225 	 * slot. If the slot is already occupied advance to the next slot and
1226 	 * try again. This can happen for long running commands like async event
1227 	 * requests.
1228 	 */
1229 	while (qp->nq_cmd[qp->nq_next_cmd] != NULL)
1230 		qp->nq_next_cmd = (qp->nq_next_cmd + 1) % qp->nq_nentry;
1231 	qp->nq_cmd[qp->nq_next_cmd] = cmd;
1232 
1233 	qp->nq_active_cmds++;
1234 
1235 	cmd->nc_sqe.sqe_cid = qp->nq_next_cmd;
1236 	bcopy(&cmd->nc_sqe, &qp->nq_sq[qp->nq_sqtail], sizeof (nvme_sqe_t));
1237 	(void) ddi_dma_sync(qp->nq_sqdma->nd_dmah,
1238 	    sizeof (nvme_sqe_t) * qp->nq_sqtail,
1239 	    sizeof (nvme_sqe_t), DDI_DMA_SYNC_FORDEV);
1240 	qp->nq_next_cmd = (qp->nq_next_cmd + 1) % qp->nq_nentry;
1241 
1242 	tail.b.sqtdbl_sqt = qp->nq_sqtail = (qp->nq_sqtail + 1) % qp->nq_nentry;
1243 	nvme_put32(cmd->nc_nvme, qp->nq_sqtdbl, tail.r);
1244 
1245 	mutex_exit(&qp->nq_mutex);
1246 }
1247 
1248 static nvme_cmd_t *
1249 nvme_unqueue_cmd(nvme_t *nvme, nvme_qpair_t *qp, int cid)
1250 {
1251 	nvme_cmd_t *cmd;
1252 
1253 	ASSERT(mutex_owned(&qp->nq_mutex));
1254 	ASSERT3S(cid, <, qp->nq_nentry);
1255 
1256 	cmd = qp->nq_cmd[cid];
1257 	qp->nq_cmd[cid] = NULL;
1258 	ASSERT3U(qp->nq_active_cmds, >, 0);
1259 	qp->nq_active_cmds--;
1260 	sema_v(&qp->nq_sema);
1261 
1262 	ASSERT3P(cmd, !=, NULL);
1263 	ASSERT3P(cmd->nc_nvme, ==, nvme);
1264 	ASSERT3S(cmd->nc_sqe.sqe_cid, ==, cid);
1265 
1266 	return (cmd);
1267 }
1268 
1269 /*
1270  * Get the command tied to the next completed cqe and bump along completion
1271  * queue head counter.
1272  */
1273 static nvme_cmd_t *
1274 nvme_get_completed(nvme_t *nvme, nvme_cq_t *cq)
1275 {
1276 	nvme_qpair_t *qp;
1277 	nvme_cqe_t *cqe;
1278 	nvme_cmd_t *cmd;
1279 
1280 	ASSERT(mutex_owned(&cq->ncq_mutex));
1281 
1282 	cqe = &cq->ncq_cq[cq->ncq_head];
1283 
1284 	/* Check phase tag of CQE. Hardware inverts it for new entries. */
1285 	if (cqe->cqe_sf.sf_p == cq->ncq_phase)
1286 		return (NULL);
1287 
1288 	qp = nvme->n_ioq[cqe->cqe_sqid];
1289 
1290 	mutex_enter(&qp->nq_mutex);
1291 	cmd = nvme_unqueue_cmd(nvme, qp, cqe->cqe_cid);
1292 	mutex_exit(&qp->nq_mutex);
1293 
1294 	ASSERT(cmd->nc_sqid == cqe->cqe_sqid);
1295 	bcopy(cqe, &cmd->nc_cqe, sizeof (nvme_cqe_t));
1296 
1297 	qp->nq_sqhead = cqe->cqe_sqhd;
1298 
1299 	cq->ncq_head = (cq->ncq_head + 1) % cq->ncq_nentry;
1300 
1301 	/* Toggle phase on wrap-around. */
1302 	if (cq->ncq_head == 0)
1303 		cq->ncq_phase = cq->ncq_phase ? 0 : 1;
1304 
1305 	return (cmd);
1306 }
1307 
1308 /*
1309  * Process all completed commands on the io completion queue.
1310  */
1311 static uint_t
1312 nvme_process_iocq(nvme_t *nvme, nvme_cq_t *cq)
1313 {
1314 	nvme_reg_cqhdbl_t head = { 0 };
1315 	nvme_cmd_t *cmd;
1316 	uint_t completed = 0;
1317 
1318 	if (ddi_dma_sync(cq->ncq_dma->nd_dmah, 0, 0, DDI_DMA_SYNC_FORKERNEL) !=
1319 	    DDI_SUCCESS)
1320 		dev_err(nvme->n_dip, CE_WARN, "!ddi_dma_sync() failed in %s",
1321 		    __func__);
1322 
1323 	mutex_enter(&cq->ncq_mutex);
1324 
1325 	while ((cmd = nvme_get_completed(nvme, cq)) != NULL) {
1326 		taskq_dispatch_ent(cq->ncq_cmd_taskq, cmd->nc_callback, cmd,
1327 		    TQ_NOSLEEP, &cmd->nc_tqent);
1328 
1329 		completed++;
1330 	}
1331 
1332 	if (completed > 0) {
1333 		/*
1334 		 * Update the completion queue head doorbell.
1335 		 */
1336 		head.b.cqhdbl_cqh = cq->ncq_head;
1337 		nvme_put32(nvme, cq->ncq_hdbl, head.r);
1338 	}
1339 
1340 	mutex_exit(&cq->ncq_mutex);
1341 
1342 	return (completed);
1343 }
1344 
1345 static nvme_cmd_t *
1346 nvme_retrieve_cmd(nvme_t *nvme, nvme_qpair_t *qp)
1347 {
1348 	nvme_cq_t *cq = qp->nq_cq;
1349 	nvme_reg_cqhdbl_t head = { 0 };
1350 	nvme_cmd_t *cmd;
1351 
1352 	if (ddi_dma_sync(cq->ncq_dma->nd_dmah, 0, 0, DDI_DMA_SYNC_FORKERNEL) !=
1353 	    DDI_SUCCESS)
1354 		dev_err(nvme->n_dip, CE_WARN, "!ddi_dma_sync() failed in %s",
1355 		    __func__);
1356 
1357 	mutex_enter(&cq->ncq_mutex);
1358 
1359 	if ((cmd = nvme_get_completed(nvme, cq)) != NULL) {
1360 		head.b.cqhdbl_cqh = cq->ncq_head;
1361 		nvme_put32(nvme, cq->ncq_hdbl, head.r);
1362 	}
1363 
1364 	mutex_exit(&cq->ncq_mutex);
1365 
1366 	return (cmd);
1367 }
1368 
1369 static int
1370 nvme_check_unknown_cmd_status(nvme_cmd_t *cmd)
1371 {
1372 	nvme_cqe_t *cqe = &cmd->nc_cqe;
1373 
1374 	dev_err(cmd->nc_nvme->n_dip, CE_WARN,
1375 	    "!unknown command status received: opc = %x, sqid = %d, cid = %d, "
1376 	    "sc = %x, sct = %x, dnr = %d, m = %d", cmd->nc_sqe.sqe_opc,
1377 	    cqe->cqe_sqid, cqe->cqe_cid, cqe->cqe_sf.sf_sc, cqe->cqe_sf.sf_sct,
1378 	    cqe->cqe_sf.sf_dnr, cqe->cqe_sf.sf_m);
1379 
1380 	if (cmd->nc_xfer != NULL)
1381 		bd_error(cmd->nc_xfer, BD_ERR_ILLRQ);
1382 
1383 	if (cmd->nc_nvme->n_strict_version) {
1384 		cmd->nc_nvme->n_dead = B_TRUE;
1385 		ddi_fm_service_impact(cmd->nc_nvme->n_dip, DDI_SERVICE_LOST);
1386 	}
1387 
1388 	return (EIO);
1389 }
1390 
1391 static int
1392 nvme_check_vendor_cmd_status(nvme_cmd_t *cmd)
1393 {
1394 	nvme_cqe_t *cqe = &cmd->nc_cqe;
1395 
1396 	dev_err(cmd->nc_nvme->n_dip, CE_WARN,
1397 	    "!unknown command status received: opc = %x, sqid = %d, cid = %d, "
1398 	    "sc = %x, sct = %x, dnr = %d, m = %d", cmd->nc_sqe.sqe_opc,
1399 	    cqe->cqe_sqid, cqe->cqe_cid, cqe->cqe_sf.sf_sc, cqe->cqe_sf.sf_sct,
1400 	    cqe->cqe_sf.sf_dnr, cqe->cqe_sf.sf_m);
1401 	if (!cmd->nc_nvme->n_ignore_unknown_vendor_status) {
1402 		cmd->nc_nvme->n_dead = B_TRUE;
1403 		ddi_fm_service_impact(cmd->nc_nvme->n_dip, DDI_SERVICE_LOST);
1404 	}
1405 
1406 	return (EIO);
1407 }
1408 
1409 static int
1410 nvme_check_integrity_cmd_status(nvme_cmd_t *cmd)
1411 {
1412 	nvme_cqe_t *cqe = &cmd->nc_cqe;
1413 
1414 	switch (cqe->cqe_sf.sf_sc) {
1415 	case NVME_CQE_SC_INT_NVM_WRITE:
1416 		/* write fail */
1417 		/* TODO: post ereport */
1418 		if (cmd->nc_xfer != NULL)
1419 			bd_error(cmd->nc_xfer, BD_ERR_MEDIA);
1420 		return (EIO);
1421 
1422 	case NVME_CQE_SC_INT_NVM_READ:
1423 		/* read fail */
1424 		/* TODO: post ereport */
1425 		if (cmd->nc_xfer != NULL)
1426 			bd_error(cmd->nc_xfer, BD_ERR_MEDIA);
1427 		return (EIO);
1428 
1429 	default:
1430 		return (nvme_check_unknown_cmd_status(cmd));
1431 	}
1432 }
1433 
1434 static int
1435 nvme_check_generic_cmd_status(nvme_cmd_t *cmd)
1436 {
1437 	nvme_cqe_t *cqe = &cmd->nc_cqe;
1438 
1439 	switch (cqe->cqe_sf.sf_sc) {
1440 	case NVME_CQE_SC_GEN_SUCCESS:
1441 		return (0);
1442 
1443 	/*
1444 	 * Errors indicating a bug in the driver should cause a panic.
1445 	 */
1446 	case NVME_CQE_SC_GEN_INV_OPC:
1447 		/* Invalid Command Opcode */
1448 		if (!cmd->nc_dontpanic)
1449 			dev_err(cmd->nc_nvme->n_dip, CE_PANIC,
1450 			    "programming error: invalid opcode in cmd %p",
1451 			    (void *)cmd);
1452 		return (EINVAL);
1453 
1454 	case NVME_CQE_SC_GEN_INV_FLD:
1455 		/* Invalid Field in Command */
1456 		if (!cmd->nc_dontpanic)
1457 			dev_err(cmd->nc_nvme->n_dip, CE_PANIC,
1458 			    "programming error: invalid field in cmd %p",
1459 			    (void *)cmd);
1460 		return (EIO);
1461 
1462 	case NVME_CQE_SC_GEN_ID_CNFL:
1463 		/* Command ID Conflict */
1464 		dev_err(cmd->nc_nvme->n_dip, CE_PANIC, "programming error: "
1465 		    "cmd ID conflict in cmd %p", (void *)cmd);
1466 		return (0);
1467 
1468 	case NVME_CQE_SC_GEN_INV_NS:
1469 		/* Invalid Namespace or Format */
1470 		if (!cmd->nc_dontpanic)
1471 			dev_err(cmd->nc_nvme->n_dip, CE_PANIC,
1472 			    "programming error: invalid NS/format in cmd %p",
1473 			    (void *)cmd);
1474 		return (EINVAL);
1475 
1476 	case NVME_CQE_SC_GEN_NVM_LBA_RANGE:
1477 		/* LBA Out Of Range */
1478 		dev_err(cmd->nc_nvme->n_dip, CE_PANIC, "programming error: "
1479 		    "LBA out of range in cmd %p", (void *)cmd);
1480 		return (0);
1481 
1482 	/*
1483 	 * Non-fatal errors, handle gracefully.
1484 	 */
1485 	case NVME_CQE_SC_GEN_DATA_XFR_ERR:
1486 		/* Data Transfer Error (DMA) */
1487 		/* TODO: post ereport */
1488 		atomic_inc_32(&cmd->nc_nvme->n_data_xfr_err);
1489 		if (cmd->nc_xfer != NULL)
1490 			bd_error(cmd->nc_xfer, BD_ERR_NTRDY);
1491 		return (EIO);
1492 
1493 	case NVME_CQE_SC_GEN_INTERNAL_ERR:
1494 		/*
1495 		 * Internal Error. The spec (v1.0, section 4.5.1.2) says
1496 		 * detailed error information is returned as async event,
1497 		 * so we pretty much ignore the error here and handle it
1498 		 * in the async event handler.
1499 		 */
1500 		atomic_inc_32(&cmd->nc_nvme->n_internal_err);
1501 		if (cmd->nc_xfer != NULL)
1502 			bd_error(cmd->nc_xfer, BD_ERR_NTRDY);
1503 		return (EIO);
1504 
1505 	case NVME_CQE_SC_GEN_ABORT_REQUEST:
1506 		/*
1507 		 * Command Abort Requested. This normally happens only when a
1508 		 * command times out.
1509 		 */
1510 		/* TODO: post ereport or change blkdev to handle this? */
1511 		atomic_inc_32(&cmd->nc_nvme->n_abort_rq_err);
1512 		return (ECANCELED);
1513 
1514 	case NVME_CQE_SC_GEN_ABORT_PWRLOSS:
1515 		/* Command Aborted due to Power Loss Notification */
1516 		ddi_fm_service_impact(cmd->nc_nvme->n_dip, DDI_SERVICE_LOST);
1517 		cmd->nc_nvme->n_dead = B_TRUE;
1518 		return (EIO);
1519 
1520 	case NVME_CQE_SC_GEN_ABORT_SQ_DEL:
1521 		/* Command Aborted due to SQ Deletion */
1522 		atomic_inc_32(&cmd->nc_nvme->n_abort_sq_del);
1523 		return (EIO);
1524 
1525 	case NVME_CQE_SC_GEN_NVM_CAP_EXC:
1526 		/* Capacity Exceeded */
1527 		atomic_inc_32(&cmd->nc_nvme->n_nvm_cap_exc);
1528 		if (cmd->nc_xfer != NULL)
1529 			bd_error(cmd->nc_xfer, BD_ERR_MEDIA);
1530 		return (EIO);
1531 
1532 	case NVME_CQE_SC_GEN_NVM_NS_NOTRDY:
1533 		/* Namespace Not Ready */
1534 		atomic_inc_32(&cmd->nc_nvme->n_nvm_ns_notrdy);
1535 		if (cmd->nc_xfer != NULL)
1536 			bd_error(cmd->nc_xfer, BD_ERR_NTRDY);
1537 		return (EIO);
1538 
1539 	case NVME_CQE_SC_GEN_NVM_FORMATTING:
1540 		/* Format in progress (1.2) */
1541 		if (!NVME_VERSION_ATLEAST(&cmd->nc_nvme->n_version, 1, 2))
1542 			return (nvme_check_unknown_cmd_status(cmd));
1543 		atomic_inc_32(&cmd->nc_nvme->n_nvm_ns_formatting);
1544 		if (cmd->nc_xfer != NULL)
1545 			bd_error(cmd->nc_xfer, BD_ERR_NTRDY);
1546 		return (EIO);
1547 
1548 	default:
1549 		return (nvme_check_unknown_cmd_status(cmd));
1550 	}
1551 }
1552 
1553 static int
1554 nvme_check_specific_cmd_status(nvme_cmd_t *cmd)
1555 {
1556 	nvme_cqe_t *cqe = &cmd->nc_cqe;
1557 
1558 	switch (cqe->cqe_sf.sf_sc) {
1559 	case NVME_CQE_SC_SPC_INV_CQ:
1560 		/* Completion Queue Invalid */
1561 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_CREATE_SQUEUE);
1562 		atomic_inc_32(&cmd->nc_nvme->n_inv_cq_err);
1563 		return (EINVAL);
1564 
1565 	case NVME_CQE_SC_SPC_INV_QID:
1566 		/* Invalid Queue Identifier */
1567 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_CREATE_SQUEUE ||
1568 		    cmd->nc_sqe.sqe_opc == NVME_OPC_DELETE_SQUEUE ||
1569 		    cmd->nc_sqe.sqe_opc == NVME_OPC_CREATE_CQUEUE ||
1570 		    cmd->nc_sqe.sqe_opc == NVME_OPC_DELETE_CQUEUE);
1571 		atomic_inc_32(&cmd->nc_nvme->n_inv_qid_err);
1572 		return (EINVAL);
1573 
1574 	case NVME_CQE_SC_SPC_MAX_QSZ_EXC:
1575 		/* Max Queue Size Exceeded */
1576 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_CREATE_SQUEUE ||
1577 		    cmd->nc_sqe.sqe_opc == NVME_OPC_CREATE_CQUEUE);
1578 		atomic_inc_32(&cmd->nc_nvme->n_max_qsz_exc);
1579 		return (EINVAL);
1580 
1581 	case NVME_CQE_SC_SPC_ABRT_CMD_EXC:
1582 		/* Abort Command Limit Exceeded */
1583 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_ABORT);
1584 		dev_err(cmd->nc_nvme->n_dip, CE_PANIC, "programming error: "
1585 		    "abort command limit exceeded in cmd %p", (void *)cmd);
1586 		return (0);
1587 
1588 	case NVME_CQE_SC_SPC_ASYNC_EVREQ_EXC:
1589 		/* Async Event Request Limit Exceeded */
1590 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_ASYNC_EVENT);
1591 		dev_err(cmd->nc_nvme->n_dip, CE_PANIC, "programming error: "
1592 		    "async event request limit exceeded in cmd %p",
1593 		    (void *)cmd);
1594 		return (0);
1595 
1596 	case NVME_CQE_SC_SPC_INV_INT_VECT:
1597 		/* Invalid Interrupt Vector */
1598 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_CREATE_CQUEUE);
1599 		atomic_inc_32(&cmd->nc_nvme->n_inv_int_vect);
1600 		return (EINVAL);
1601 
1602 	case NVME_CQE_SC_SPC_INV_LOG_PAGE:
1603 		/* Invalid Log Page */
1604 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_GET_LOG_PAGE);
1605 		atomic_inc_32(&cmd->nc_nvme->n_inv_log_page);
1606 		return (EINVAL);
1607 
1608 	case NVME_CQE_SC_SPC_INV_FORMAT:
1609 		/* Invalid Format */
1610 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_NVM_FORMAT);
1611 		atomic_inc_32(&cmd->nc_nvme->n_inv_format);
1612 		if (cmd->nc_xfer != NULL)
1613 			bd_error(cmd->nc_xfer, BD_ERR_ILLRQ);
1614 		return (EINVAL);
1615 
1616 	case NVME_CQE_SC_SPC_INV_Q_DEL:
1617 		/* Invalid Queue Deletion */
1618 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_DELETE_CQUEUE);
1619 		atomic_inc_32(&cmd->nc_nvme->n_inv_q_del);
1620 		return (EINVAL);
1621 
1622 	case NVME_CQE_SC_SPC_NVM_CNFL_ATTR:
1623 		/* Conflicting Attributes */
1624 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_NVM_DSET_MGMT ||
1625 		    cmd->nc_sqe.sqe_opc == NVME_OPC_NVM_READ ||
1626 		    cmd->nc_sqe.sqe_opc == NVME_OPC_NVM_WRITE);
1627 		atomic_inc_32(&cmd->nc_nvme->n_cnfl_attr);
1628 		if (cmd->nc_xfer != NULL)
1629 			bd_error(cmd->nc_xfer, BD_ERR_ILLRQ);
1630 		return (EINVAL);
1631 
1632 	case NVME_CQE_SC_SPC_NVM_INV_PROT:
1633 		/* Invalid Protection Information */
1634 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_NVM_COMPARE ||
1635 		    cmd->nc_sqe.sqe_opc == NVME_OPC_NVM_READ ||
1636 		    cmd->nc_sqe.sqe_opc == NVME_OPC_NVM_WRITE);
1637 		atomic_inc_32(&cmd->nc_nvme->n_inv_prot);
1638 		if (cmd->nc_xfer != NULL)
1639 			bd_error(cmd->nc_xfer, BD_ERR_ILLRQ);
1640 		return (EINVAL);
1641 
1642 	case NVME_CQE_SC_SPC_NVM_READONLY:
1643 		/* Write to Read Only Range */
1644 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_NVM_WRITE);
1645 		atomic_inc_32(&cmd->nc_nvme->n_readonly);
1646 		if (cmd->nc_xfer != NULL)
1647 			bd_error(cmd->nc_xfer, BD_ERR_ILLRQ);
1648 		return (EROFS);
1649 
1650 	case NVME_CQE_SC_SPC_INV_FW_SLOT:
1651 		/* Invalid Firmware Slot */
1652 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_FW_ACTIVATE);
1653 		return (EINVAL);
1654 
1655 	case NVME_CQE_SC_SPC_INV_FW_IMG:
1656 		/* Invalid Firmware Image */
1657 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_FW_ACTIVATE);
1658 		return (EINVAL);
1659 
1660 	case NVME_CQE_SC_SPC_FW_RESET:
1661 		/* Conventional Reset Required */
1662 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_FW_ACTIVATE);
1663 		return (0);
1664 
1665 	case NVME_CQE_SC_SPC_FW_NSSR:
1666 		/* NVMe Subsystem Reset Required */
1667 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_FW_ACTIVATE);
1668 		return (0);
1669 
1670 	case NVME_CQE_SC_SPC_FW_NEXT_RESET:
1671 		/* Activation Requires Reset */
1672 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_FW_ACTIVATE);
1673 		return (0);
1674 
1675 	case NVME_CQE_SC_SPC_FW_MTFA:
1676 		/* Activation Requires Maximum Time Violation */
1677 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_FW_ACTIVATE);
1678 		return (EAGAIN);
1679 
1680 	case NVME_CQE_SC_SPC_FW_PROHIBITED:
1681 		/* Activation Prohibited */
1682 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_FW_ACTIVATE);
1683 		return (EINVAL);
1684 
1685 	case NVME_CQE_SC_SPC_FW_OVERLAP:
1686 		/* Overlapping Firmware Ranges */
1687 		ASSERT(cmd->nc_sqe.sqe_opc == NVME_OPC_FW_IMAGE_LOAD);
1688 		return (EINVAL);
1689 
1690 	default:
1691 		return (nvme_check_unknown_cmd_status(cmd));
1692 	}
1693 }
1694 
1695 static inline int
1696 nvme_check_cmd_status(nvme_cmd_t *cmd)
1697 {
1698 	nvme_cqe_t *cqe = &cmd->nc_cqe;
1699 
1700 	/*
1701 	 * Take a shortcut if the controller is dead, or if
1702 	 * command status indicates no error.
1703 	 */
1704 	if (cmd->nc_nvme->n_dead)
1705 		return (EIO);
1706 
1707 	if (cqe->cqe_sf.sf_sct == NVME_CQE_SCT_GENERIC &&
1708 	    cqe->cqe_sf.sf_sc == NVME_CQE_SC_GEN_SUCCESS)
1709 		return (0);
1710 
1711 	if (cqe->cqe_sf.sf_sct == NVME_CQE_SCT_GENERIC)
1712 		return (nvme_check_generic_cmd_status(cmd));
1713 	else if (cqe->cqe_sf.sf_sct == NVME_CQE_SCT_SPECIFIC)
1714 		return (nvme_check_specific_cmd_status(cmd));
1715 	else if (cqe->cqe_sf.sf_sct == NVME_CQE_SCT_INTEGRITY)
1716 		return (nvme_check_integrity_cmd_status(cmd));
1717 	else if (cqe->cqe_sf.sf_sct == NVME_CQE_SCT_VENDOR)
1718 		return (nvme_check_vendor_cmd_status(cmd));
1719 
1720 	return (nvme_check_unknown_cmd_status(cmd));
1721 }
1722 
1723 static int
1724 nvme_abort_cmd(nvme_cmd_t *abort_cmd, uint_t sec)
1725 {
1726 	nvme_t *nvme = abort_cmd->nc_nvme;
1727 	nvme_cmd_t *cmd = nvme_alloc_cmd(nvme, KM_SLEEP);
1728 	nvme_abort_cmd_t ac = { 0 };
1729 	int ret = 0;
1730 
1731 	sema_p(&nvme->n_abort_sema);
1732 
1733 	ac.b.ac_cid = abort_cmd->nc_sqe.sqe_cid;
1734 	ac.b.ac_sqid = abort_cmd->nc_sqid;
1735 
1736 	cmd->nc_sqid = 0;
1737 	cmd->nc_sqe.sqe_opc = NVME_OPC_ABORT;
1738 	cmd->nc_callback = nvme_wakeup_cmd;
1739 	cmd->nc_sqe.sqe_cdw10 = ac.r;
1740 
1741 	/*
1742 	 * Send the ABORT to the hardware. The ABORT command will return _after_
1743 	 * the aborted command has completed (aborted or otherwise), but since
1744 	 * we still hold the aborted command's mutex its callback hasn't been
1745 	 * processed yet.
1746 	 */
1747 	nvme_admin_cmd(cmd, sec);
1748 	sema_v(&nvme->n_abort_sema);
1749 
1750 	if ((ret = nvme_check_cmd_status(cmd)) != 0) {
1751 		dev_err(nvme->n_dip, CE_WARN,
1752 		    "!ABORT failed with sct = %x, sc = %x",
1753 		    cmd->nc_cqe.cqe_sf.sf_sct, cmd->nc_cqe.cqe_sf.sf_sc);
1754 		atomic_inc_32(&nvme->n_abort_failed);
1755 	} else {
1756 		dev_err(nvme->n_dip, CE_WARN,
1757 		    "!ABORT of command %d/%d %ssuccessful",
1758 		    abort_cmd->nc_sqe.sqe_cid, abort_cmd->nc_sqid,
1759 		    cmd->nc_cqe.cqe_dw0 & 1 ? "un" : "");
1760 		if ((cmd->nc_cqe.cqe_dw0 & 1) == 0)
1761 			atomic_inc_32(&nvme->n_cmd_aborted);
1762 	}
1763 
1764 	nvme_free_cmd(cmd);
1765 	return (ret);
1766 }
1767 
1768 /*
1769  * nvme_wait_cmd -- wait for command completion or timeout
1770  *
1771  * In case of a serious error or a timeout of the abort command the hardware
1772  * will be declared dead and FMA will be notified.
1773  */
1774 static void
1775 nvme_wait_cmd(nvme_cmd_t *cmd, uint_t sec)
1776 {
1777 	clock_t timeout = ddi_get_lbolt() + drv_usectohz(sec * MICROSEC);
1778 	nvme_t *nvme = cmd->nc_nvme;
1779 	nvme_reg_csts_t csts;
1780 	nvme_qpair_t *qp;
1781 
1782 	ASSERT(mutex_owned(&cmd->nc_mutex));
1783 
1784 	while (!cmd->nc_completed) {
1785 		if (cv_timedwait(&cmd->nc_cv, &cmd->nc_mutex, timeout) == -1)
1786 			break;
1787 	}
1788 
1789 	if (cmd->nc_completed)
1790 		return;
1791 
1792 	/*
1793 	 * The command timed out.
1794 	 *
1795 	 * Check controller for fatal status, any errors associated with the
1796 	 * register or DMA handle, or for a double timeout (abort command timed
1797 	 * out). If necessary log a warning and call FMA.
1798 	 */
1799 	csts.r = nvme_get32(nvme, NVME_REG_CSTS);
1800 	dev_err(nvme->n_dip, CE_WARN, "!command %d/%d timeout, "
1801 	    "OPC = %x, CFS = %d", cmd->nc_sqe.sqe_cid, cmd->nc_sqid,
1802 	    cmd->nc_sqe.sqe_opc, csts.b.csts_cfs);
1803 	atomic_inc_32(&nvme->n_cmd_timeout);
1804 
1805 	if (csts.b.csts_cfs ||
1806 	    nvme_check_regs_hdl(nvme) ||
1807 	    nvme_check_dma_hdl(cmd->nc_dma) ||
1808 	    cmd->nc_sqe.sqe_opc == NVME_OPC_ABORT) {
1809 		ddi_fm_service_impact(nvme->n_dip, DDI_SERVICE_LOST);
1810 		nvme->n_dead = B_TRUE;
1811 	} else if (nvme_abort_cmd(cmd, sec) == 0) {
1812 		/*
1813 		 * If the abort succeeded the command should complete
1814 		 * immediately with an appropriate status.
1815 		 */
1816 		while (!cmd->nc_completed)
1817 			cv_wait(&cmd->nc_cv, &cmd->nc_mutex);
1818 
1819 		return;
1820 	}
1821 
1822 	qp = nvme->n_ioq[cmd->nc_sqid];
1823 
1824 	mutex_enter(&qp->nq_mutex);
1825 	(void) nvme_unqueue_cmd(nvme, qp, cmd->nc_sqe.sqe_cid);
1826 	mutex_exit(&qp->nq_mutex);
1827 
1828 	/*
1829 	 * As we don't know what the presumed dead hardware might still do with
1830 	 * the DMA memory, we'll put the command on the lost commands list if it
1831 	 * has any DMA memory.
1832 	 */
1833 	if (cmd->nc_dma != NULL) {
1834 		mutex_enter(&nvme_lc_mutex);
1835 		list_insert_head(&nvme_lost_cmds, cmd);
1836 		mutex_exit(&nvme_lc_mutex);
1837 	}
1838 }
1839 
1840 static void
1841 nvme_wakeup_cmd(void *arg)
1842 {
1843 	nvme_cmd_t *cmd = arg;
1844 
1845 	mutex_enter(&cmd->nc_mutex);
1846 	cmd->nc_completed = B_TRUE;
1847 	cv_signal(&cmd->nc_cv);
1848 	mutex_exit(&cmd->nc_mutex);
1849 }
1850 
1851 static void
1852 nvme_async_event_task(void *arg)
1853 {
1854 	nvme_cmd_t *cmd = arg;
1855 	nvme_t *nvme = cmd->nc_nvme;
1856 	nvme_error_log_entry_t *error_log = NULL;
1857 	nvme_health_log_t *health_log = NULL;
1858 	nvme_nschange_list_t *nslist = NULL;
1859 	size_t logsize = 0;
1860 	nvme_async_event_t event;
1861 
1862 	/*
1863 	 * Check for errors associated with the async request itself. The only
1864 	 * command-specific error is "async event limit exceeded", which
1865 	 * indicates a programming error in the driver and causes a panic in
1866 	 * nvme_check_cmd_status().
1867 	 *
1868 	 * Other possible errors are various scenarios where the async request
1869 	 * was aborted, or internal errors in the device. Internal errors are
1870 	 * reported to FMA, the command aborts need no special handling here.
1871 	 *
1872 	 * And finally, at least qemu nvme does not support async events,
1873 	 * and will return NVME_CQE_SC_GEN_INV_OPC | DNR. If so, we
1874 	 * will avoid posting async events.
1875 	 */
1876 
1877 	if (nvme_check_cmd_status(cmd) != 0) {
1878 		dev_err(cmd->nc_nvme->n_dip, CE_WARN,
1879 		    "!async event request returned failure, sct = %x, "
1880 		    "sc = %x, dnr = %d, m = %d", cmd->nc_cqe.cqe_sf.sf_sct,
1881 		    cmd->nc_cqe.cqe_sf.sf_sc, cmd->nc_cqe.cqe_sf.sf_dnr,
1882 		    cmd->nc_cqe.cqe_sf.sf_m);
1883 
1884 		if (cmd->nc_cqe.cqe_sf.sf_sct == NVME_CQE_SCT_GENERIC &&
1885 		    cmd->nc_cqe.cqe_sf.sf_sc == NVME_CQE_SC_GEN_INTERNAL_ERR) {
1886 			cmd->nc_nvme->n_dead = B_TRUE;
1887 			ddi_fm_service_impact(cmd->nc_nvme->n_dip,
1888 			    DDI_SERVICE_LOST);
1889 		}
1890 
1891 		if (cmd->nc_cqe.cqe_sf.sf_sct == NVME_CQE_SCT_GENERIC &&
1892 		    cmd->nc_cqe.cqe_sf.sf_sc == NVME_CQE_SC_GEN_INV_OPC &&
1893 		    cmd->nc_cqe.cqe_sf.sf_dnr == 1) {
1894 			nvme->n_async_event_supported = B_FALSE;
1895 		}
1896 
1897 		nvme_free_cmd(cmd);
1898 		return;
1899 	}
1900 
1901 	event.r = cmd->nc_cqe.cqe_dw0;
1902 
1903 	/* Clear CQE and re-submit the async request. */
1904 	bzero(&cmd->nc_cqe, sizeof (nvme_cqe_t));
1905 	nvme_submit_admin_cmd(nvme->n_adminq, cmd);
1906 
1907 	switch (event.b.ae_type) {
1908 	case NVME_ASYNC_TYPE_ERROR:
1909 		if (event.b.ae_logpage == NVME_LOGPAGE_ERROR) {
1910 			(void) nvme_get_logpage(nvme, B_FALSE,
1911 			    (void **)&error_log, &logsize, event.b.ae_logpage);
1912 		} else {
1913 			dev_err(nvme->n_dip, CE_WARN, "!wrong logpage in "
1914 			    "async event reply: %d", event.b.ae_logpage);
1915 			atomic_inc_32(&nvme->n_wrong_logpage);
1916 		}
1917 
1918 		switch (event.b.ae_info) {
1919 		case NVME_ASYNC_ERROR_INV_SQ:
1920 			dev_err(nvme->n_dip, CE_PANIC, "programming error: "
1921 			    "invalid submission queue");
1922 			return;
1923 
1924 		case NVME_ASYNC_ERROR_INV_DBL:
1925 			dev_err(nvme->n_dip, CE_PANIC, "programming error: "
1926 			    "invalid doorbell write value");
1927 			return;
1928 
1929 		case NVME_ASYNC_ERROR_DIAGFAIL:
1930 			dev_err(nvme->n_dip, CE_WARN, "!diagnostic failure");
1931 			ddi_fm_service_impact(nvme->n_dip, DDI_SERVICE_LOST);
1932 			nvme->n_dead = B_TRUE;
1933 			atomic_inc_32(&nvme->n_diagfail_event);
1934 			break;
1935 
1936 		case NVME_ASYNC_ERROR_PERSISTENT:
1937 			dev_err(nvme->n_dip, CE_WARN, "!persistent internal "
1938 			    "device error");
1939 			ddi_fm_service_impact(nvme->n_dip, DDI_SERVICE_LOST);
1940 			nvme->n_dead = B_TRUE;
1941 			atomic_inc_32(&nvme->n_persistent_event);
1942 			break;
1943 
1944 		case NVME_ASYNC_ERROR_TRANSIENT:
1945 			dev_err(nvme->n_dip, CE_WARN, "!transient internal "
1946 			    "device error");
1947 			/* TODO: send ereport */
1948 			atomic_inc_32(&nvme->n_transient_event);
1949 			break;
1950 
1951 		case NVME_ASYNC_ERROR_FW_LOAD:
1952 			dev_err(nvme->n_dip, CE_WARN,
1953 			    "!firmware image load error");
1954 			atomic_inc_32(&nvme->n_fw_load_event);
1955 			break;
1956 		}
1957 		break;
1958 
1959 	case NVME_ASYNC_TYPE_HEALTH:
1960 		if (event.b.ae_logpage == NVME_LOGPAGE_HEALTH) {
1961 			(void) nvme_get_logpage(nvme, B_FALSE,
1962 			    (void **)&health_log, &logsize, event.b.ae_logpage,
1963 			    -1);
1964 		} else {
1965 			dev_err(nvme->n_dip, CE_WARN, "!wrong logpage in "
1966 			    "async event reply: %d", event.b.ae_logpage);
1967 			atomic_inc_32(&nvme->n_wrong_logpage);
1968 		}
1969 
1970 		switch (event.b.ae_info) {
1971 		case NVME_ASYNC_HEALTH_RELIABILITY:
1972 			dev_err(nvme->n_dip, CE_WARN,
1973 			    "!device reliability compromised");
1974 			/* TODO: send ereport */
1975 			atomic_inc_32(&nvme->n_reliability_event);
1976 			break;
1977 
1978 		case NVME_ASYNC_HEALTH_TEMPERATURE:
1979 			dev_err(nvme->n_dip, CE_WARN,
1980 			    "!temperature above threshold");
1981 			/* TODO: send ereport */
1982 			atomic_inc_32(&nvme->n_temperature_event);
1983 			break;
1984 
1985 		case NVME_ASYNC_HEALTH_SPARE:
1986 			dev_err(nvme->n_dip, CE_WARN,
1987 			    "!spare space below threshold");
1988 			/* TODO: send ereport */
1989 			atomic_inc_32(&nvme->n_spare_event);
1990 			break;
1991 		}
1992 		break;
1993 
1994 	case NVME_ASYNC_TYPE_NOTICE:
1995 		switch (event.b.ae_info) {
1996 		case NVME_ASYNC_NOTICE_NS_CHANGE:
1997 			dev_err(nvme->n_dip, CE_NOTE,
1998 			    "namespace attribute change event, "
1999 			    "logpage = %x", event.b.ae_logpage);
2000 			atomic_inc_32(&nvme->n_notice_event);
2001 
2002 			if (event.b.ae_logpage != NVME_LOGPAGE_NSCHANGE)
2003 				break;
2004 
2005 			if (nvme_get_logpage(nvme, B_FALSE, (void **)&nslist,
2006 			    &logsize, event.b.ae_logpage, -1) != 0) {
2007 				break;
2008 			}
2009 
2010 			if (nslist->nscl_ns[0] == UINT32_MAX) {
2011 				dev_err(nvme->n_dip, CE_CONT,
2012 				    "more than %u namespaces have changed.\n",
2013 				    NVME_NSCHANGE_LIST_SIZE);
2014 				break;
2015 			}
2016 
2017 			mutex_enter(&nvme->n_mgmt_mutex);
2018 			for (uint_t i = 0; i < NVME_NSCHANGE_LIST_SIZE; i++) {
2019 				uint32_t nsid = nslist->nscl_ns[i];
2020 
2021 				if (nsid == 0)	/* end of list */
2022 					break;
2023 
2024 				dev_err(nvme->n_dip, CE_NOTE,
2025 				    "!namespace nvme%d/%u has changed.",
2026 				    ddi_get_instance(nvme->n_dip), nsid);
2027 
2028 
2029 				if (nvme_init_ns(nvme, nsid) != DDI_SUCCESS)
2030 					continue;
2031 
2032 				bd_state_change(
2033 				    NVME_NSID2NS(nvme, nsid)->ns_bd_hdl);
2034 			}
2035 			mutex_exit(&nvme->n_mgmt_mutex);
2036 
2037 			break;
2038 
2039 		case NVME_ASYNC_NOTICE_FW_ACTIVATE:
2040 			dev_err(nvme->n_dip, CE_NOTE,
2041 			    "firmware activation starting, "
2042 			    "logpage = %x", event.b.ae_logpage);
2043 			atomic_inc_32(&nvme->n_notice_event);
2044 			break;
2045 
2046 		case NVME_ASYNC_NOTICE_TELEMETRY:
2047 			dev_err(nvme->n_dip, CE_NOTE,
2048 			    "telemetry log changed, "
2049 			    "logpage = %x", event.b.ae_logpage);
2050 			atomic_inc_32(&nvme->n_notice_event);
2051 			break;
2052 
2053 		case NVME_ASYNC_NOTICE_NS_ASYMM:
2054 			dev_err(nvme->n_dip, CE_NOTE,
2055 			    "asymmetric namespace access change, "
2056 			    "logpage = %x", event.b.ae_logpage);
2057 			atomic_inc_32(&nvme->n_notice_event);
2058 			break;
2059 
2060 		case NVME_ASYNC_NOTICE_LATENCYLOG:
2061 			dev_err(nvme->n_dip, CE_NOTE,
2062 			    "predictable latency event aggregate log change, "
2063 			    "logpage = %x", event.b.ae_logpage);
2064 			atomic_inc_32(&nvme->n_notice_event);
2065 			break;
2066 
2067 		case NVME_ASYNC_NOTICE_LBASTATUS:
2068 			dev_err(nvme->n_dip, CE_NOTE,
2069 			    "LBA status information alert, "
2070 			    "logpage = %x", event.b.ae_logpage);
2071 			atomic_inc_32(&nvme->n_notice_event);
2072 			break;
2073 
2074 		case NVME_ASYNC_NOTICE_ENDURANCELOG:
2075 			dev_err(nvme->n_dip, CE_NOTE,
2076 			    "endurance group event aggregate log page change, "
2077 			    "logpage = %x", event.b.ae_logpage);
2078 			atomic_inc_32(&nvme->n_notice_event);
2079 			break;
2080 
2081 		default:
2082 			dev_err(nvme->n_dip, CE_WARN,
2083 			    "!unknown notice async event received, "
2084 			    "info = %x, logpage = %x", event.b.ae_info,
2085 			    event.b.ae_logpage);
2086 			atomic_inc_32(&nvme->n_unknown_event);
2087 			break;
2088 		}
2089 		break;
2090 
2091 	case NVME_ASYNC_TYPE_VENDOR:
2092 		dev_err(nvme->n_dip, CE_WARN, "!vendor specific async event "
2093 		    "received, info = %x, logpage = %x", event.b.ae_info,
2094 		    event.b.ae_logpage);
2095 		atomic_inc_32(&nvme->n_vendor_event);
2096 		break;
2097 
2098 	default:
2099 		dev_err(nvme->n_dip, CE_WARN, "!unknown async event received, "
2100 		    "type = %x, info = %x, logpage = %x", event.b.ae_type,
2101 		    event.b.ae_info, event.b.ae_logpage);
2102 		atomic_inc_32(&nvme->n_unknown_event);
2103 		break;
2104 	}
2105 
2106 	if (error_log != NULL)
2107 		kmem_free(error_log, logsize);
2108 
2109 	if (health_log != NULL)
2110 		kmem_free(health_log, logsize);
2111 
2112 	if (nslist != NULL)
2113 		kmem_free(nslist, logsize);
2114 }
2115 
2116 static void
2117 nvme_admin_cmd(nvme_cmd_t *cmd, int sec)
2118 {
2119 	mutex_enter(&cmd->nc_mutex);
2120 	nvme_submit_admin_cmd(cmd->nc_nvme->n_adminq, cmd);
2121 	nvme_wait_cmd(cmd, sec);
2122 	mutex_exit(&cmd->nc_mutex);
2123 }
2124 
2125 static void
2126 nvme_async_event(nvme_t *nvme)
2127 {
2128 	nvme_cmd_t *cmd;
2129 
2130 	cmd = nvme_alloc_cmd(nvme, KM_SLEEP);
2131 	cmd->nc_sqid = 0;
2132 	cmd->nc_sqe.sqe_opc = NVME_OPC_ASYNC_EVENT;
2133 	cmd->nc_callback = nvme_async_event_task;
2134 	cmd->nc_dontpanic = B_TRUE;
2135 
2136 	nvme_submit_admin_cmd(nvme->n_adminq, cmd);
2137 }
2138 
2139 static int
2140 nvme_format_nvm(nvme_t *nvme, boolean_t user, uint32_t nsid, uint8_t lbaf,
2141     boolean_t ms, uint8_t pi, boolean_t pil, uint8_t ses)
2142 {
2143 	nvme_cmd_t *cmd = nvme_alloc_cmd(nvme, KM_SLEEP);
2144 	nvme_format_nvm_t format_nvm = { 0 };
2145 	int ret;
2146 
2147 	format_nvm.b.fm_lbaf = lbaf & 0xf;
2148 	format_nvm.b.fm_ms = ms ? 1 : 0;
2149 	format_nvm.b.fm_pi = pi & 0x7;
2150 	format_nvm.b.fm_pil = pil ? 1 : 0;
2151 	format_nvm.b.fm_ses = ses & 0x7;
2152 
2153 	cmd->nc_sqid = 0;
2154 	cmd->nc_callback = nvme_wakeup_cmd;
2155 	cmd->nc_sqe.sqe_nsid = nsid;
2156 	cmd->nc_sqe.sqe_opc = NVME_OPC_NVM_FORMAT;
2157 	cmd->nc_sqe.sqe_cdw10 = format_nvm.r;
2158 
2159 	/*
2160 	 * Some devices like Samsung SM951 don't allow formatting of all
2161 	 * namespaces in one command. Handle that gracefully.
2162 	 */
2163 	if (nsid == (uint32_t)-1)
2164 		cmd->nc_dontpanic = B_TRUE;
2165 	/*
2166 	 * If this format request was initiated by the user, then don't allow a
2167 	 * programmer error to panic the system.
2168 	 */
2169 	if (user)
2170 		cmd->nc_dontpanic = B_TRUE;
2171 
2172 	nvme_admin_cmd(cmd, nvme_format_cmd_timeout);
2173 
2174 	if ((ret = nvme_check_cmd_status(cmd)) != 0) {
2175 		dev_err(nvme->n_dip, CE_WARN,
2176 		    "!FORMAT failed with sct = %x, sc = %x",
2177 		    cmd->nc_cqe.cqe_sf.sf_sct, cmd->nc_cqe.cqe_sf.sf_sc);
2178 	}
2179 
2180 	nvme_free_cmd(cmd);
2181 	return (ret);
2182 }
2183 
2184 /*
2185  * The `bufsize` parameter is usually an output parameter, set by this routine
2186  * when filling in the supported types of logpages from the device. However, for
2187  * vendor-specific pages, it is an input parameter, and must be set
2188  * appropriately by callers.
2189  */
2190 static int
2191 nvme_get_logpage(nvme_t *nvme, boolean_t user, void **buf, size_t *bufsize,
2192     uint8_t logpage, ...)
2193 {
2194 	nvme_cmd_t *cmd = nvme_alloc_cmd(nvme, KM_SLEEP);
2195 	nvme_getlogpage_t getlogpage = { 0 };
2196 	va_list ap;
2197 	int ret;
2198 
2199 	va_start(ap, logpage);
2200 
2201 	cmd->nc_sqid = 0;
2202 	cmd->nc_callback = nvme_wakeup_cmd;
2203 	cmd->nc_sqe.sqe_opc = NVME_OPC_GET_LOG_PAGE;
2204 
2205 	if (user)
2206 		cmd->nc_dontpanic = B_TRUE;
2207 
2208 	getlogpage.b.lp_lid = logpage;
2209 
2210 	switch (logpage) {
2211 	case NVME_LOGPAGE_ERROR:
2212 		cmd->nc_sqe.sqe_nsid = (uint32_t)-1;
2213 		*bufsize = MIN(NVME_VENDOR_SPECIFIC_LOGPAGE_MAX_SIZE,
2214 		    nvme->n_error_log_len * sizeof (nvme_error_log_entry_t));
2215 		break;
2216 
2217 	case NVME_LOGPAGE_HEALTH:
2218 		cmd->nc_sqe.sqe_nsid = va_arg(ap, uint32_t);
2219 		*bufsize = sizeof (nvme_health_log_t);
2220 		break;
2221 
2222 	case NVME_LOGPAGE_FWSLOT:
2223 		cmd->nc_sqe.sqe_nsid = (uint32_t)-1;
2224 		*bufsize = sizeof (nvme_fwslot_log_t);
2225 		break;
2226 
2227 	case NVME_LOGPAGE_NSCHANGE:
2228 		cmd->nc_sqe.sqe_nsid = (uint32_t)-1;
2229 		*bufsize = sizeof (nvme_nschange_list_t);
2230 		break;
2231 
2232 	default:
2233 		/*
2234 		 * This intentionally only checks against the minimum valid
2235 		 * log page ID. `logpage` is a uint8_t, and `0xFF` is a valid
2236 		 * page ID, so this one-sided check avoids a compiler error
2237 		 * about a check that's always true.
2238 		 */
2239 		if (logpage < NVME_VENDOR_SPECIFIC_LOGPAGE_MIN) {
2240 			dev_err(nvme->n_dip, CE_WARN,
2241 			    "!unknown log page requested: %d", logpage);
2242 			atomic_inc_32(&nvme->n_unknown_logpage);
2243 			ret = EINVAL;
2244 			goto fail;
2245 		}
2246 		cmd->nc_sqe.sqe_nsid = va_arg(ap, uint32_t);
2247 	}
2248 
2249 	va_end(ap);
2250 
2251 	getlogpage.b.lp_numd = *bufsize / sizeof (uint32_t) - 1;
2252 
2253 	cmd->nc_sqe.sqe_cdw10 = getlogpage.r;
2254 
2255 	if (nvme_zalloc_dma(nvme, *bufsize,
2256 	    DDI_DMA_READ, &nvme->n_prp_dma_attr, &cmd->nc_dma) != DDI_SUCCESS) {
2257 		dev_err(nvme->n_dip, CE_WARN,
2258 		    "!nvme_zalloc_dma failed for GET LOG PAGE");
2259 		ret = ENOMEM;
2260 		goto fail;
2261 	}
2262 
2263 	if ((ret = nvme_fill_prp(cmd, cmd->nc_dma->nd_dmah)) != 0)
2264 		goto fail;
2265 	nvme_admin_cmd(cmd, nvme_admin_cmd_timeout);
2266 
2267 	if ((ret = nvme_check_cmd_status(cmd)) != 0) {
2268 		dev_err(nvme->n_dip, CE_WARN,
2269 		    "!GET LOG PAGE failed with sct = %x, sc = %x",
2270 		    cmd->nc_cqe.cqe_sf.sf_sct, cmd->nc_cqe.cqe_sf.sf_sc);
2271 		goto fail;
2272 	}
2273 
2274 	*buf = kmem_alloc(*bufsize, KM_SLEEP);
2275 	bcopy(cmd->nc_dma->nd_memp, *buf, *bufsize);
2276 
2277 fail:
2278 	nvme_free_cmd(cmd);
2279 
2280 	return (ret);
2281 }
2282 
2283 static int
2284 nvme_identify(nvme_t *nvme, boolean_t user, uint32_t nsid, uint8_t cns,
2285     void **buf)
2286 {
2287 	nvme_cmd_t *cmd = nvme_alloc_cmd(nvme, KM_SLEEP);
2288 	int ret;
2289 
2290 	if (buf == NULL)
2291 		return (EINVAL);
2292 
2293 	cmd->nc_sqid = 0;
2294 	cmd->nc_callback = nvme_wakeup_cmd;
2295 	cmd->nc_sqe.sqe_opc = NVME_OPC_IDENTIFY;
2296 	cmd->nc_sqe.sqe_nsid = nsid;
2297 	cmd->nc_sqe.sqe_cdw10 = cns;
2298 
2299 	if (nvme_zalloc_dma(nvme, NVME_IDENTIFY_BUFSIZE, DDI_DMA_READ,
2300 	    &nvme->n_prp_dma_attr, &cmd->nc_dma) != DDI_SUCCESS) {
2301 		dev_err(nvme->n_dip, CE_WARN,
2302 		    "!nvme_zalloc_dma failed for IDENTIFY");
2303 		ret = ENOMEM;
2304 		goto fail;
2305 	}
2306 
2307 	if (cmd->nc_dma->nd_ncookie > 2) {
2308 		dev_err(nvme->n_dip, CE_WARN,
2309 		    "!too many DMA cookies for IDENTIFY");
2310 		atomic_inc_32(&nvme->n_too_many_cookies);
2311 		ret = ENOMEM;
2312 		goto fail;
2313 	}
2314 
2315 	cmd->nc_sqe.sqe_dptr.d_prp[0] = cmd->nc_dma->nd_cookie.dmac_laddress;
2316 	if (cmd->nc_dma->nd_ncookie > 1) {
2317 		ddi_dma_nextcookie(cmd->nc_dma->nd_dmah,
2318 		    &cmd->nc_dma->nd_cookie);
2319 		cmd->nc_sqe.sqe_dptr.d_prp[1] =
2320 		    cmd->nc_dma->nd_cookie.dmac_laddress;
2321 	}
2322 
2323 	if (user)
2324 		cmd->nc_dontpanic = B_TRUE;
2325 
2326 	nvme_admin_cmd(cmd, nvme_admin_cmd_timeout);
2327 
2328 	if ((ret = nvme_check_cmd_status(cmd)) != 0) {
2329 		dev_err(nvme->n_dip, CE_WARN,
2330 		    "!IDENTIFY failed with sct = %x, sc = %x",
2331 		    cmd->nc_cqe.cqe_sf.sf_sct, cmd->nc_cqe.cqe_sf.sf_sc);
2332 		goto fail;
2333 	}
2334 
2335 	*buf = kmem_alloc(NVME_IDENTIFY_BUFSIZE, KM_SLEEP);
2336 	bcopy(cmd->nc_dma->nd_memp, *buf, NVME_IDENTIFY_BUFSIZE);
2337 
2338 fail:
2339 	nvme_free_cmd(cmd);
2340 
2341 	return (ret);
2342 }
2343 
2344 static int
2345 nvme_set_features(nvme_t *nvme, boolean_t user, uint32_t nsid, uint8_t feature,
2346     uint32_t val, uint32_t *res)
2347 {
2348 	_NOTE(ARGUNUSED(nsid));
2349 	nvme_cmd_t *cmd = nvme_alloc_cmd(nvme, KM_SLEEP);
2350 	int ret = EINVAL;
2351 
2352 	ASSERT(res != NULL);
2353 
2354 	cmd->nc_sqid = 0;
2355 	cmd->nc_callback = nvme_wakeup_cmd;
2356 	cmd->nc_sqe.sqe_opc = NVME_OPC_SET_FEATURES;
2357 	cmd->nc_sqe.sqe_cdw10 = feature;
2358 	cmd->nc_sqe.sqe_cdw11 = val;
2359 
2360 	if (user)
2361 		cmd->nc_dontpanic = B_TRUE;
2362 
2363 	switch (feature) {
2364 	case NVME_FEAT_WRITE_CACHE:
2365 		if (!nvme->n_write_cache_present)
2366 			goto fail;
2367 		break;
2368 
2369 	case NVME_FEAT_NQUEUES:
2370 		break;
2371 
2372 	default:
2373 		goto fail;
2374 	}
2375 
2376 	nvme_admin_cmd(cmd, nvme_admin_cmd_timeout);
2377 
2378 	if ((ret = nvme_check_cmd_status(cmd)) != 0) {
2379 		dev_err(nvme->n_dip, CE_WARN,
2380 		    "!SET FEATURES %d failed with sct = %x, sc = %x",
2381 		    feature, cmd->nc_cqe.cqe_sf.sf_sct,
2382 		    cmd->nc_cqe.cqe_sf.sf_sc);
2383 		goto fail;
2384 	}
2385 
2386 	*res = cmd->nc_cqe.cqe_dw0;
2387 
2388 fail:
2389 	nvme_free_cmd(cmd);
2390 	return (ret);
2391 }
2392 
2393 static int
2394 nvme_get_features(nvme_t *nvme, boolean_t user, uint32_t nsid, uint8_t feature,
2395     uint32_t *res, void **buf, size_t *bufsize)
2396 {
2397 	nvme_cmd_t *cmd = nvme_alloc_cmd(nvme, KM_SLEEP);
2398 	int ret = EINVAL;
2399 
2400 	ASSERT(res != NULL);
2401 
2402 	if (bufsize != NULL)
2403 		*bufsize = 0;
2404 
2405 	cmd->nc_sqid = 0;
2406 	cmd->nc_callback = nvme_wakeup_cmd;
2407 	cmd->nc_sqe.sqe_opc = NVME_OPC_GET_FEATURES;
2408 	cmd->nc_sqe.sqe_cdw10 = feature;
2409 	cmd->nc_sqe.sqe_cdw11 = *res;
2410 
2411 	/*
2412 	 * For some of the optional features there doesn't seem to be a method
2413 	 * of detecting whether it is supported other than using it.  This will
2414 	 * cause "Invalid Field in Command" error, which is normally considered
2415 	 * a programming error.  Set the nc_dontpanic flag to override the panic
2416 	 * in nvme_check_generic_cmd_status().
2417 	 */
2418 	switch (feature) {
2419 	case NVME_FEAT_ARBITRATION:
2420 	case NVME_FEAT_POWER_MGMT:
2421 	case NVME_FEAT_TEMPERATURE:
2422 	case NVME_FEAT_ERROR:
2423 	case NVME_FEAT_NQUEUES:
2424 	case NVME_FEAT_INTR_COAL:
2425 	case NVME_FEAT_INTR_VECT:
2426 	case NVME_FEAT_WRITE_ATOM:
2427 	case NVME_FEAT_ASYNC_EVENT:
2428 		break;
2429 
2430 	case NVME_FEAT_WRITE_CACHE:
2431 		if (!nvme->n_write_cache_present)
2432 			goto fail;
2433 		break;
2434 
2435 	case NVME_FEAT_LBA_RANGE:
2436 		if (!nvme->n_lba_range_supported)
2437 			goto fail;
2438 
2439 		cmd->nc_dontpanic = B_TRUE;
2440 		cmd->nc_sqe.sqe_nsid = nsid;
2441 		ASSERT(bufsize != NULL);
2442 		*bufsize = NVME_LBA_RANGE_BUFSIZE;
2443 		break;
2444 
2445 	case NVME_FEAT_AUTO_PST:
2446 		if (!nvme->n_auto_pst_supported)
2447 			goto fail;
2448 
2449 		ASSERT(bufsize != NULL);
2450 		*bufsize = NVME_AUTO_PST_BUFSIZE;
2451 		break;
2452 
2453 	case NVME_FEAT_PROGRESS:
2454 		if (!nvme->n_progress_supported)
2455 			goto fail;
2456 
2457 		cmd->nc_dontpanic = B_TRUE;
2458 		break;
2459 
2460 	default:
2461 		goto fail;
2462 	}
2463 
2464 	if (user)
2465 		cmd->nc_dontpanic = B_TRUE;
2466 
2467 	if (bufsize != NULL && *bufsize != 0) {
2468 		if (nvme_zalloc_dma(nvme, *bufsize, DDI_DMA_READ,
2469 		    &nvme->n_prp_dma_attr, &cmd->nc_dma) != DDI_SUCCESS) {
2470 			dev_err(nvme->n_dip, CE_WARN,
2471 			    "!nvme_zalloc_dma failed for GET FEATURES");
2472 			ret = ENOMEM;
2473 			goto fail;
2474 		}
2475 
2476 		if (cmd->nc_dma->nd_ncookie > 2) {
2477 			dev_err(nvme->n_dip, CE_WARN,
2478 			    "!too many DMA cookies for GET FEATURES");
2479 			atomic_inc_32(&nvme->n_too_many_cookies);
2480 			ret = ENOMEM;
2481 			goto fail;
2482 		}
2483 
2484 		cmd->nc_sqe.sqe_dptr.d_prp[0] =
2485 		    cmd->nc_dma->nd_cookie.dmac_laddress;
2486 		if (cmd->nc_dma->nd_ncookie > 1) {
2487 			ddi_dma_nextcookie(cmd->nc_dma->nd_dmah,
2488 			    &cmd->nc_dma->nd_cookie);
2489 			cmd->nc_sqe.sqe_dptr.d_prp[1] =
2490 			    cmd->nc_dma->nd_cookie.dmac_laddress;
2491 		}
2492 	}
2493 
2494 	nvme_admin_cmd(cmd, nvme_admin_cmd_timeout);
2495 
2496 	if ((ret = nvme_check_cmd_status(cmd)) != 0) {
2497 		boolean_t known = B_TRUE;
2498 
2499 		/* Check if this is unsupported optional feature */
2500 		if (cmd->nc_cqe.cqe_sf.sf_sct == NVME_CQE_SCT_GENERIC &&
2501 		    cmd->nc_cqe.cqe_sf.sf_sc == NVME_CQE_SC_GEN_INV_FLD) {
2502 			switch (feature) {
2503 			case NVME_FEAT_LBA_RANGE:
2504 				nvme->n_lba_range_supported = B_FALSE;
2505 				break;
2506 			case NVME_FEAT_PROGRESS:
2507 				nvme->n_progress_supported = B_FALSE;
2508 				break;
2509 			default:
2510 				known = B_FALSE;
2511 				break;
2512 			}
2513 		} else {
2514 			known = B_FALSE;
2515 		}
2516 
2517 		/* Report the error otherwise */
2518 		if (!known) {
2519 			dev_err(nvme->n_dip, CE_WARN,
2520 			    "!GET FEATURES %d failed with sct = %x, sc = %x",
2521 			    feature, cmd->nc_cqe.cqe_sf.sf_sct,
2522 			    cmd->nc_cqe.cqe_sf.sf_sc);
2523 		}
2524 
2525 		goto fail;
2526 	}
2527 
2528 	if (bufsize != NULL && *bufsize != 0) {
2529 		ASSERT(buf != NULL);
2530 		*buf = kmem_alloc(*bufsize, KM_SLEEP);
2531 		bcopy(cmd->nc_dma->nd_memp, *buf, *bufsize);
2532 	}
2533 
2534 	*res = cmd->nc_cqe.cqe_dw0;
2535 
2536 fail:
2537 	nvme_free_cmd(cmd);
2538 	return (ret);
2539 }
2540 
2541 static int
2542 nvme_write_cache_set(nvme_t *nvme, boolean_t enable)
2543 {
2544 	nvme_write_cache_t nwc = { 0 };
2545 
2546 	if (enable)
2547 		nwc.b.wc_wce = 1;
2548 
2549 	return (nvme_set_features(nvme, B_FALSE, 0, NVME_FEAT_WRITE_CACHE,
2550 	    nwc.r, &nwc.r));
2551 }
2552 
2553 static int
2554 nvme_set_nqueues(nvme_t *nvme)
2555 {
2556 	nvme_nqueues_t nq = { 0 };
2557 	int ret;
2558 
2559 	/*
2560 	 * The default is to allocate one completion queue per vector.
2561 	 */
2562 	if (nvme->n_completion_queues == -1)
2563 		nvme->n_completion_queues = nvme->n_intr_cnt;
2564 
2565 	/*
2566 	 * There is no point in having more completion queues than
2567 	 * interrupt vectors.
2568 	 */
2569 	nvme->n_completion_queues = MIN(nvme->n_completion_queues,
2570 	    nvme->n_intr_cnt);
2571 
2572 	/*
2573 	 * The default is to use one submission queue per completion queue.
2574 	 */
2575 	if (nvme->n_submission_queues == -1)
2576 		nvme->n_submission_queues = nvme->n_completion_queues;
2577 
2578 	/*
2579 	 * There is no point in having more compeletion queues than
2580 	 * submission queues.
2581 	 */
2582 	nvme->n_completion_queues = MIN(nvme->n_completion_queues,
2583 	    nvme->n_submission_queues);
2584 
2585 	ASSERT(nvme->n_submission_queues > 0);
2586 	ASSERT(nvme->n_completion_queues > 0);
2587 
2588 	nq.b.nq_nsq = nvme->n_submission_queues - 1;
2589 	nq.b.nq_ncq = nvme->n_completion_queues - 1;
2590 
2591 	ret = nvme_set_features(nvme, B_FALSE, 0, NVME_FEAT_NQUEUES, nq.r,
2592 	    &nq.r);
2593 
2594 	if (ret == 0) {
2595 		/*
2596 		 * Never use more than the requested number of queues.
2597 		 */
2598 		nvme->n_submission_queues = MIN(nvme->n_submission_queues,
2599 		    nq.b.nq_nsq + 1);
2600 		nvme->n_completion_queues = MIN(nvme->n_completion_queues,
2601 		    nq.b.nq_ncq + 1);
2602 	}
2603 
2604 	return (ret);
2605 }
2606 
2607 static int
2608 nvme_create_completion_queue(nvme_t *nvme, nvme_cq_t *cq)
2609 {
2610 	nvme_cmd_t *cmd = nvme_alloc_cmd(nvme, KM_SLEEP);
2611 	nvme_create_queue_dw10_t dw10 = { 0 };
2612 	nvme_create_cq_dw11_t c_dw11 = { 0 };
2613 	int ret;
2614 
2615 	dw10.b.q_qid = cq->ncq_id;
2616 	dw10.b.q_qsize = cq->ncq_nentry - 1;
2617 
2618 	c_dw11.b.cq_pc = 1;
2619 	c_dw11.b.cq_ien = 1;
2620 	c_dw11.b.cq_iv = cq->ncq_id % nvme->n_intr_cnt;
2621 
2622 	cmd->nc_sqid = 0;
2623 	cmd->nc_callback = nvme_wakeup_cmd;
2624 	cmd->nc_sqe.sqe_opc = NVME_OPC_CREATE_CQUEUE;
2625 	cmd->nc_sqe.sqe_cdw10 = dw10.r;
2626 	cmd->nc_sqe.sqe_cdw11 = c_dw11.r;
2627 	cmd->nc_sqe.sqe_dptr.d_prp[0] = cq->ncq_dma->nd_cookie.dmac_laddress;
2628 
2629 	nvme_admin_cmd(cmd, nvme_admin_cmd_timeout);
2630 
2631 	if ((ret = nvme_check_cmd_status(cmd)) != 0) {
2632 		dev_err(nvme->n_dip, CE_WARN,
2633 		    "!CREATE CQUEUE failed with sct = %x, sc = %x",
2634 		    cmd->nc_cqe.cqe_sf.sf_sct, cmd->nc_cqe.cqe_sf.sf_sc);
2635 	}
2636 
2637 	nvme_free_cmd(cmd);
2638 
2639 	return (ret);
2640 }
2641 
2642 static int
2643 nvme_create_io_qpair(nvme_t *nvme, nvme_qpair_t *qp, uint16_t idx)
2644 {
2645 	nvme_cq_t *cq = qp->nq_cq;
2646 	nvme_cmd_t *cmd;
2647 	nvme_create_queue_dw10_t dw10 = { 0 };
2648 	nvme_create_sq_dw11_t s_dw11 = { 0 };
2649 	int ret;
2650 
2651 	/*
2652 	 * It is possible to have more qpairs than completion queues,
2653 	 * and when the idx > ncq_id, that completion queue is shared
2654 	 * and has already been created.
2655 	 */
2656 	if (idx <= cq->ncq_id &&
2657 	    nvme_create_completion_queue(nvme, cq) != DDI_SUCCESS)
2658 		return (DDI_FAILURE);
2659 
2660 	dw10.b.q_qid = idx;
2661 	dw10.b.q_qsize = qp->nq_nentry - 1;
2662 
2663 	s_dw11.b.sq_pc = 1;
2664 	s_dw11.b.sq_cqid = cq->ncq_id;
2665 
2666 	cmd = nvme_alloc_cmd(nvme, KM_SLEEP);
2667 	cmd->nc_sqid = 0;
2668 	cmd->nc_callback = nvme_wakeup_cmd;
2669 	cmd->nc_sqe.sqe_opc = NVME_OPC_CREATE_SQUEUE;
2670 	cmd->nc_sqe.sqe_cdw10 = dw10.r;
2671 	cmd->nc_sqe.sqe_cdw11 = s_dw11.r;
2672 	cmd->nc_sqe.sqe_dptr.d_prp[0] = qp->nq_sqdma->nd_cookie.dmac_laddress;
2673 
2674 	nvme_admin_cmd(cmd, nvme_admin_cmd_timeout);
2675 
2676 	if ((ret = nvme_check_cmd_status(cmd)) != 0) {
2677 		dev_err(nvme->n_dip, CE_WARN,
2678 		    "!CREATE SQUEUE failed with sct = %x, sc = %x",
2679 		    cmd->nc_cqe.cqe_sf.sf_sct, cmd->nc_cqe.cqe_sf.sf_sc);
2680 	}
2681 
2682 	nvme_free_cmd(cmd);
2683 
2684 	return (ret);
2685 }
2686 
2687 static boolean_t
2688 nvme_reset(nvme_t *nvme, boolean_t quiesce)
2689 {
2690 	nvme_reg_csts_t csts;
2691 	int i;
2692 
2693 	nvme_put32(nvme, NVME_REG_CC, 0);
2694 
2695 	csts.r = nvme_get32(nvme, NVME_REG_CSTS);
2696 	if (csts.b.csts_rdy == 1) {
2697 		nvme_put32(nvme, NVME_REG_CC, 0);
2698 
2699 		/*
2700 		 * The timeout value is from the Controller Capabilities
2701 		 * register (CAP.TO, section 3.1.1). This is the worst case
2702 		 * time to wait for CSTS.RDY to transition from 1 to 0 after
2703 		 * CC.EN transitions from 1 to 0.
2704 		 *
2705 		 * The timeout units are in 500 ms units, and we are delaying
2706 		 * in 50ms chunks, hence counting to n_timeout * 10.
2707 		 */
2708 		for (i = 0; i < nvme->n_timeout * 10; i++) {
2709 			csts.r = nvme_get32(nvme, NVME_REG_CSTS);
2710 			if (csts.b.csts_rdy == 0)
2711 				break;
2712 
2713 			/*
2714 			 * Quiescing drivers should not use locks or timeouts,
2715 			 * so if this is the quiesce path, use a quiesce-safe
2716 			 * delay.
2717 			 */
2718 			if (quiesce) {
2719 				drv_usecwait(50000);
2720 			} else {
2721 				delay(drv_usectohz(50000));
2722 			}
2723 		}
2724 	}
2725 
2726 	nvme_put32(nvme, NVME_REG_AQA, 0);
2727 	nvme_put32(nvme, NVME_REG_ASQ, 0);
2728 	nvme_put32(nvme, NVME_REG_ACQ, 0);
2729 
2730 	csts.r = nvme_get32(nvme, NVME_REG_CSTS);
2731 	return (csts.b.csts_rdy == 0 ? B_TRUE : B_FALSE);
2732 }
2733 
2734 static void
2735 nvme_shutdown(nvme_t *nvme, boolean_t quiesce)
2736 {
2737 	nvme_reg_cc_t cc;
2738 	nvme_reg_csts_t csts;
2739 	int i;
2740 
2741 	cc.r = nvme_get32(nvme, NVME_REG_CC);
2742 	cc.b.cc_shn = NVME_CC_SHN_NORMAL;
2743 	nvme_put32(nvme, NVME_REG_CC, cc.r);
2744 
2745 	for (i = 0; i < 10; i++) {
2746 		csts.r = nvme_get32(nvme, NVME_REG_CSTS);
2747 		if (csts.b.csts_shst == NVME_CSTS_SHN_COMPLETE)
2748 			break;
2749 
2750 		if (quiesce) {
2751 			drv_usecwait(100000);
2752 		} else {
2753 			delay(drv_usectohz(100000));
2754 		}
2755 	}
2756 }
2757 
2758 /*
2759  * Return length of string without trailing spaces.
2760  */
2761 static int
2762 nvme_strlen(const char *str, int len)
2763 {
2764 	if (len <= 0)
2765 		return (0);
2766 
2767 	while (str[--len] == ' ')
2768 		;
2769 
2770 	return (++len);
2771 }
2772 
2773 static void
2774 nvme_config_min_block_size(nvme_t *nvme, char *model, char *val)
2775 {
2776 	ulong_t bsize = 0;
2777 	char *msg = "";
2778 
2779 	if (ddi_strtoul(val, NULL, 0, &bsize) != 0)
2780 		goto err;
2781 
2782 	if (!ISP2(bsize)) {
2783 		msg = ": not a power of 2";
2784 		goto err;
2785 	}
2786 
2787 	if (bsize < NVME_DEFAULT_MIN_BLOCK_SIZE) {
2788 		msg = ": too low";
2789 		goto err;
2790 	}
2791 
2792 	nvme->n_min_block_size = bsize;
2793 	return;
2794 
2795 err:
2796 	dev_err(nvme->n_dip, CE_WARN,
2797 	    "!nvme-config-list: ignoring invalid min-phys-block-size '%s' "
2798 	    "for model '%s'%s", val, model, msg);
2799 
2800 	nvme->n_min_block_size = NVME_DEFAULT_MIN_BLOCK_SIZE;
2801 }
2802 
2803 static void
2804 nvme_config_boolean(nvme_t *nvme, char *model, char *name, char *val,
2805     boolean_t *b)
2806 {
2807 	if (strcmp(val, "on") == 0 ||
2808 	    strcmp(val, "true") == 0)
2809 		*b = B_TRUE;
2810 	else if (strcmp(val, "off") == 0 ||
2811 	    strcmp(val, "false") == 0)
2812 		*b = B_FALSE;
2813 	else
2814 		dev_err(nvme->n_dip, CE_WARN,
2815 		    "!nvme-config-list: invalid value for %s '%s'"
2816 		    " for model '%s', ignoring", name, val, model);
2817 }
2818 
2819 static void
2820 nvme_config_list(nvme_t *nvme)
2821 {
2822 	char	**config_list;
2823 	uint_t	nelem;
2824 	int	rv, i;
2825 
2826 	/*
2827 	 * We're following the pattern of 'sd-config-list' here, but extend it.
2828 	 * Instead of two we have three separate strings for "model", "fwrev",
2829 	 * and "name-value-list".
2830 	 */
2831 	rv = ddi_prop_lookup_string_array(DDI_DEV_T_ANY, nvme->n_dip,
2832 	    DDI_PROP_DONTPASS, "nvme-config-list", &config_list, &nelem);
2833 
2834 	if (rv != DDI_PROP_SUCCESS) {
2835 		if (rv == DDI_PROP_CANNOT_DECODE) {
2836 			dev_err(nvme->n_dip, CE_WARN,
2837 			    "!nvme-config-list: cannot be decoded");
2838 		}
2839 
2840 		return;
2841 	}
2842 
2843 	if ((nelem % 3) != 0) {
2844 		dev_err(nvme->n_dip, CE_WARN, "!nvme-config-list: must be "
2845 		    "triplets of <model>/<fwrev>/<name-value-list> strings ");
2846 		goto out;
2847 	}
2848 
2849 	for (i = 0; i < nelem; i += 3) {
2850 		char	*model = config_list[i];
2851 		char	*fwrev = config_list[i + 1];
2852 		char	*nvp, *save_nv;
2853 		int	id_model_len, id_fwrev_len;
2854 
2855 		id_model_len = nvme_strlen(nvme->n_idctl->id_model,
2856 		    sizeof (nvme->n_idctl->id_model));
2857 
2858 		if (strlen(model) != id_model_len)
2859 			continue;
2860 
2861 		if (strncmp(model, nvme->n_idctl->id_model, id_model_len) != 0)
2862 			continue;
2863 
2864 		id_fwrev_len = nvme_strlen(nvme->n_idctl->id_fwrev,
2865 		    sizeof (nvme->n_idctl->id_fwrev));
2866 
2867 		if (strlen(fwrev) != 0) {
2868 			boolean_t match = B_FALSE;
2869 			char *fwr, *last_fw;
2870 
2871 			for (fwr = strtok_r(fwrev, ",", &last_fw);
2872 			    fwr != NULL;
2873 			    fwr = strtok_r(NULL, ",", &last_fw)) {
2874 				if (strlen(fwr) != id_fwrev_len)
2875 					continue;
2876 
2877 				if (strncmp(fwr, nvme->n_idctl->id_fwrev,
2878 				    id_fwrev_len) == 0)
2879 					match = B_TRUE;
2880 			}
2881 
2882 			if (!match)
2883 				continue;
2884 		}
2885 
2886 		/*
2887 		 * We should now have a comma-separated list of name:value
2888 		 * pairs.
2889 		 */
2890 		for (nvp = strtok_r(config_list[i + 2], ",", &save_nv);
2891 		    nvp != NULL; nvp = strtok_r(NULL, ",", &save_nv)) {
2892 			char	*name = nvp;
2893 			char	*val = strchr(nvp, ':');
2894 
2895 			if (val == NULL || name == val) {
2896 				dev_err(nvme->n_dip, CE_WARN,
2897 				    "!nvme-config-list: <name-value-list> "
2898 				    "for model '%s' is malformed", model);
2899 				goto out;
2900 			}
2901 
2902 			/*
2903 			 * Null-terminate 'name', move 'val' past ':' sep.
2904 			 */
2905 			*val++ = '\0';
2906 
2907 			/*
2908 			 * Process the name:val pairs that we know about.
2909 			 */
2910 			if (strcmp(name, "ignore-unknown-vendor-status") == 0) {
2911 				nvme_config_boolean(nvme, model, name, val,
2912 				    &nvme->n_ignore_unknown_vendor_status);
2913 			} else if (strcmp(name, "min-phys-block-size") == 0) {
2914 				nvme_config_min_block_size(nvme, model, val);
2915 			} else if (strcmp(name, "volatile-write-cache") == 0) {
2916 				nvme_config_boolean(nvme, model, name, val,
2917 				    &nvme->n_write_cache_enabled);
2918 			} else {
2919 				/*
2920 				 * Unknown 'name'.
2921 				 */
2922 				dev_err(nvme->n_dip, CE_WARN,
2923 				    "!nvme-config-list: unknown config '%s' "
2924 				    "for model '%s', ignoring", name, model);
2925 			}
2926 		}
2927 	}
2928 
2929 out:
2930 	ddi_prop_free(config_list);
2931 }
2932 
2933 static void
2934 nvme_prepare_devid(nvme_t *nvme, uint32_t nsid)
2935 {
2936 	/*
2937 	 * Section 7.7 of the spec describes how to get a unique ID for
2938 	 * the controller: the vendor ID, the model name and the serial
2939 	 * number shall be unique when combined.
2940 	 *
2941 	 * If a namespace has no EUI64 we use the above and add the hex
2942 	 * namespace ID to get a unique ID for the namespace.
2943 	 */
2944 	char model[sizeof (nvme->n_idctl->id_model) + 1];
2945 	char serial[sizeof (nvme->n_idctl->id_serial) + 1];
2946 
2947 	bcopy(nvme->n_idctl->id_model, model, sizeof (nvme->n_idctl->id_model));
2948 	bcopy(nvme->n_idctl->id_serial, serial,
2949 	    sizeof (nvme->n_idctl->id_serial));
2950 
2951 	model[sizeof (nvme->n_idctl->id_model)] = '\0';
2952 	serial[sizeof (nvme->n_idctl->id_serial)] = '\0';
2953 
2954 	NVME_NSID2NS(nvme, nsid)->ns_devid = kmem_asprintf("%4X-%s-%s-%X",
2955 	    nvme->n_idctl->id_vid, model, serial, nsid);
2956 }
2957 
2958 static nvme_identify_nsid_list_t *
2959 nvme_update_nsid_list(nvme_t *nvme, int cns)
2960 {
2961 	nvme_identify_nsid_list_t *nslist;
2962 
2963 	/*
2964 	 * We currently don't handle cases where there are more than
2965 	 * 1024 active namespaces, requiring several IDENTIFY commands.
2966 	 */
2967 	if (nvme_identify(nvme, B_FALSE, 0, cns, (void **)&nslist) == 0)
2968 		return (nslist);
2969 
2970 	return (NULL);
2971 }
2972 
2973 static boolean_t
2974 nvme_allocated_ns(nvme_namespace_t *ns)
2975 {
2976 	nvme_t *nvme = ns->ns_nvme;
2977 	uint32_t i;
2978 
2979 	ASSERT(MUTEX_HELD(&nvme->n_mgmt_mutex));
2980 
2981 	/*
2982 	 * If supported, update the list of allocated namespace IDs.
2983 	 */
2984 	if (NVME_VERSION_ATLEAST(&nvme->n_version, 1, 2) &&
2985 	    nvme->n_idctl->id_oacs.oa_nsmgmt != 0) {
2986 		nvme_identify_nsid_list_t *nslist = nvme_update_nsid_list(nvme,
2987 		    NVME_IDENTIFY_NSID_ALLOC_LIST);
2988 		boolean_t found = B_FALSE;
2989 
2990 		/*
2991 		 * When namespace management is supported, this really shouldn't
2992 		 * be NULL. Treat all namespaces as allocated if it is.
2993 		 */
2994 		if (nslist == NULL)
2995 			return (B_TRUE);
2996 
2997 		for (i = 0; i < ARRAY_SIZE(nslist->nl_nsid); i++) {
2998 			if (ns->ns_id == 0)
2999 				break;
3000 
3001 			if (ns->ns_id == nslist->nl_nsid[i])
3002 				found = B_TRUE;
3003 		}
3004 
3005 		kmem_free(nslist, NVME_IDENTIFY_BUFSIZE);
3006 		return (found);
3007 	} else {
3008 		/*
3009 		 * If namespace management isn't supported, report all
3010 		 * namespaces as allocated.
3011 		 */
3012 		return (B_TRUE);
3013 	}
3014 }
3015 
3016 static boolean_t
3017 nvme_active_ns(nvme_namespace_t *ns)
3018 {
3019 	nvme_t *nvme = ns->ns_nvme;
3020 	uint64_t *ptr;
3021 	uint32_t i;
3022 
3023 	ASSERT(MUTEX_HELD(&nvme->n_mgmt_mutex));
3024 
3025 	/*
3026 	 * If supported, update the list of active namespace IDs.
3027 	 */
3028 	if (NVME_VERSION_ATLEAST(&nvme->n_version, 1, 1)) {
3029 		nvme_identify_nsid_list_t *nslist = nvme_update_nsid_list(nvme,
3030 		    NVME_IDENTIFY_NSID_LIST);
3031 		boolean_t found = B_FALSE;
3032 
3033 		/*
3034 		 * When namespace management is supported, this really shouldn't
3035 		 * be NULL. Treat all namespaces as allocated if it is.
3036 		 */
3037 		if (nslist == NULL)
3038 			return (B_TRUE);
3039 
3040 		for (i = 0; i < ARRAY_SIZE(nslist->nl_nsid); i++) {
3041 			if (ns->ns_id == 0)
3042 				break;
3043 
3044 			if (ns->ns_id == nslist->nl_nsid[i])
3045 				found = B_TRUE;
3046 		}
3047 
3048 		kmem_free(nslist, NVME_IDENTIFY_BUFSIZE);
3049 		return (found);
3050 	}
3051 
3052 	/*
3053 	 * Workaround for revision 1.0:
3054 	 * Check whether the IDENTIFY NAMESPACE data is zero-filled.
3055 	 */
3056 	for (ptr = (uint64_t *)ns->ns_idns;
3057 	    ptr != (uint64_t *)(ns->ns_idns + 1);
3058 	    ptr++) {
3059 		if (*ptr != 0) {
3060 			return (B_TRUE);
3061 		}
3062 	}
3063 
3064 	return (B_FALSE);
3065 }
3066 
3067 static int
3068 nvme_init_ns(nvme_t *nvme, int nsid)
3069 {
3070 	nvme_namespace_t *ns = NVME_NSID2NS(nvme, nsid);
3071 	nvme_identify_nsid_t *idns;
3072 	boolean_t was_ignored;
3073 	int last_rp;
3074 
3075 	ns->ns_nvme = nvme;
3076 
3077 	ASSERT(MUTEX_HELD(&nvme->n_mgmt_mutex));
3078 
3079 	if (nvme_identify(nvme, B_FALSE, nsid, NVME_IDENTIFY_NSID,
3080 	    (void **)&idns) != 0) {
3081 		dev_err(nvme->n_dip, CE_WARN,
3082 		    "!failed to identify namespace %d", nsid);
3083 		return (DDI_FAILURE);
3084 	}
3085 
3086 	if (ns->ns_idns != NULL)
3087 		kmem_free(ns->ns_idns, sizeof (nvme_identify_nsid_t));
3088 
3089 	ns->ns_idns = idns;
3090 	ns->ns_id = nsid;
3091 
3092 	was_ignored = ns->ns_ignore;
3093 
3094 	ns->ns_allocated = nvme_allocated_ns(ns);
3095 	ns->ns_active = nvme_active_ns(ns);
3096 
3097 	ns->ns_block_count = idns->id_nsize;
3098 	ns->ns_block_size =
3099 	    1 << idns->id_lbaf[idns->id_flbas.lba_format].lbaf_lbads;
3100 	ns->ns_best_block_size = ns->ns_block_size;
3101 
3102 	/*
3103 	 * Get the EUI64 if present.
3104 	 */
3105 	if (NVME_VERSION_ATLEAST(&nvme->n_version, 1, 1))
3106 		bcopy(idns->id_eui64, ns->ns_eui64, sizeof (ns->ns_eui64));
3107 
3108 	/*
3109 	 * Get the NGUID if present.
3110 	 */
3111 	if (NVME_VERSION_ATLEAST(&nvme->n_version, 1, 2))
3112 		bcopy(idns->id_nguid, ns->ns_nguid, sizeof (ns->ns_nguid));
3113 
3114 	/*LINTED: E_BAD_PTR_CAST_ALIGN*/
3115 	if (*(uint64_t *)ns->ns_eui64 == 0)
3116 		nvme_prepare_devid(nvme, ns->ns_id);
3117 
3118 	(void) snprintf(ns->ns_name, sizeof (ns->ns_name), "%u", ns->ns_id);
3119 
3120 	/*
3121 	 * Find the LBA format with no metadata and the best relative
3122 	 * performance. A value of 3 means "degraded", 0 is best.
3123 	 */
3124 	last_rp = 3;
3125 	for (int j = 0; j <= idns->id_nlbaf; j++) {
3126 		if (idns->id_lbaf[j].lbaf_lbads == 0)
3127 			break;
3128 		if (idns->id_lbaf[j].lbaf_ms != 0)
3129 			continue;
3130 		if (idns->id_lbaf[j].lbaf_rp >= last_rp)
3131 			continue;
3132 		last_rp = idns->id_lbaf[j].lbaf_rp;
3133 		ns->ns_best_block_size =
3134 		    1 << idns->id_lbaf[j].lbaf_lbads;
3135 	}
3136 
3137 	if (ns->ns_best_block_size < nvme->n_min_block_size)
3138 		ns->ns_best_block_size = nvme->n_min_block_size;
3139 
3140 	was_ignored = ns->ns_ignore;
3141 
3142 	/*
3143 	 * We currently don't support namespaces that are inactive, or use
3144 	 * either:
3145 	 * - protection information
3146 	 * - illegal block size (< 512)
3147 	 */
3148 	if (!ns->ns_active) {
3149 		ns->ns_ignore = B_TRUE;
3150 	} else if (idns->id_dps.dp_pinfo) {
3151 		dev_err(nvme->n_dip, CE_WARN,
3152 		    "!ignoring namespace %d, unsupported feature: "
3153 		    "pinfo = %d", nsid, idns->id_dps.dp_pinfo);
3154 		ns->ns_ignore = B_TRUE;
3155 	} else if (ns->ns_block_size < 512) {
3156 		dev_err(nvme->n_dip, CE_WARN,
3157 		    "!ignoring namespace %d, unsupported block size %"PRIu64,
3158 		    nsid, (uint64_t)ns->ns_block_size);
3159 		ns->ns_ignore = B_TRUE;
3160 	} else {
3161 		ns->ns_ignore = B_FALSE;
3162 	}
3163 
3164 	/*
3165 	 * Keep a count of namespaces which are attachable.
3166 	 * See comments in nvme_bd_driveinfo() to understand its effect.
3167 	 */
3168 	if (was_ignored) {
3169 		/*
3170 		 * Previously ignored, but now not. Count it.
3171 		 */
3172 		if (!ns->ns_ignore)
3173 			nvme->n_namespaces_attachable++;
3174 	} else {
3175 		/*
3176 		 * Wasn't ignored previously, but now needs to be.
3177 		 * Discount it.
3178 		 */
3179 		if (ns->ns_ignore)
3180 			nvme->n_namespaces_attachable--;
3181 	}
3182 
3183 	return (DDI_SUCCESS);
3184 }
3185 
3186 static int
3187 nvme_attach_ns(nvme_t *nvme, int nsid)
3188 {
3189 	nvme_namespace_t *ns = NVME_NSID2NS(nvme, nsid);
3190 
3191 	ASSERT(MUTEX_HELD(&nvme->n_mgmt_mutex));
3192 
3193 	if (ns->ns_ignore)
3194 		return (ENOTSUP);
3195 
3196 	if (ns->ns_bd_hdl == NULL) {
3197 		bd_ops_t ops = nvme_bd_ops;
3198 
3199 		if (!nvme->n_idctl->id_oncs.on_dset_mgmt)
3200 			ops.o_free_space = NULL;
3201 
3202 		ns->ns_bd_hdl = bd_alloc_handle(ns, &ops, &nvme->n_prp_dma_attr,
3203 		    KM_SLEEP);
3204 
3205 		if (ns->ns_bd_hdl == NULL) {
3206 			dev_err(nvme->n_dip, CE_WARN, "!Failed to get blkdev "
3207 			    "handle for namespace id %d", nsid);
3208 			return (EINVAL);
3209 		}
3210 	}
3211 
3212 	if (bd_attach_handle(nvme->n_dip, ns->ns_bd_hdl) != DDI_SUCCESS)
3213 		return (EBUSY);
3214 
3215 	ns->ns_attached = B_TRUE;
3216 
3217 	return (0);
3218 }
3219 
3220 static int
3221 nvme_detach_ns(nvme_t *nvme, int nsid)
3222 {
3223 	nvme_namespace_t *ns = NVME_NSID2NS(nvme, nsid);
3224 	int rv;
3225 
3226 	ASSERT(MUTEX_HELD(&nvme->n_mgmt_mutex));
3227 
3228 	if (ns->ns_ignore || !ns->ns_attached)
3229 		return (0);
3230 
3231 	ASSERT(ns->ns_bd_hdl != NULL);
3232 	rv = bd_detach_handle(ns->ns_bd_hdl);
3233 	if (rv != DDI_SUCCESS)
3234 		return (EBUSY);
3235 	else
3236 		ns->ns_attached = B_FALSE;
3237 
3238 	return (0);
3239 }
3240 
3241 static int
3242 nvme_init(nvme_t *nvme)
3243 {
3244 	nvme_reg_cc_t cc = { 0 };
3245 	nvme_reg_aqa_t aqa = { 0 };
3246 	nvme_reg_asq_t asq = { 0 };
3247 	nvme_reg_acq_t acq = { 0 };
3248 	nvme_reg_cap_t cap;
3249 	nvme_reg_vs_t vs;
3250 	nvme_reg_csts_t csts;
3251 	int i = 0;
3252 	uint16_t nqueues;
3253 	uint_t tq_threads;
3254 	char model[sizeof (nvme->n_idctl->id_model) + 1];
3255 	char *vendor, *product;
3256 
3257 	/* Check controller version */
3258 	vs.r = nvme_get32(nvme, NVME_REG_VS);
3259 	nvme->n_version.v_major = vs.b.vs_mjr;
3260 	nvme->n_version.v_minor = vs.b.vs_mnr;
3261 	dev_err(nvme->n_dip, CE_CONT, "?NVMe spec version %d.%d",
3262 	    nvme->n_version.v_major, nvme->n_version.v_minor);
3263 
3264 	if (nvme->n_version.v_major > nvme_version_major) {
3265 		dev_err(nvme->n_dip, CE_WARN, "!no support for version > %d.x",
3266 		    nvme_version_major);
3267 		if (nvme->n_strict_version)
3268 			goto fail;
3269 	}
3270 
3271 	/* retrieve controller configuration */
3272 	cap.r = nvme_get64(nvme, NVME_REG_CAP);
3273 
3274 	if ((cap.b.cap_css & NVME_CAP_CSS_NVM) == 0) {
3275 		dev_err(nvme->n_dip, CE_WARN,
3276 		    "!NVM command set not supported by hardware");
3277 		goto fail;
3278 	}
3279 
3280 	nvme->n_nssr_supported = cap.b.cap_nssrs;
3281 	nvme->n_doorbell_stride = 4 << cap.b.cap_dstrd;
3282 	nvme->n_timeout = cap.b.cap_to;
3283 	nvme->n_arbitration_mechanisms = cap.b.cap_ams;
3284 	nvme->n_cont_queues_reqd = cap.b.cap_cqr;
3285 	nvme->n_max_queue_entries = cap.b.cap_mqes + 1;
3286 
3287 	/*
3288 	 * The MPSMIN and MPSMAX fields in the CAP register use 0 to specify
3289 	 * the base page size of 4k (1<<12), so add 12 here to get the real
3290 	 * page size value.
3291 	 */
3292 	nvme->n_pageshift = MIN(MAX(cap.b.cap_mpsmin + 12, PAGESHIFT),
3293 	    cap.b.cap_mpsmax + 12);
3294 	nvme->n_pagesize = 1UL << (nvme->n_pageshift);
3295 
3296 	/*
3297 	 * Set up Queue DMA to transfer at least 1 page-aligned page at a time.
3298 	 */
3299 	nvme->n_queue_dma_attr.dma_attr_align = nvme->n_pagesize;
3300 	nvme->n_queue_dma_attr.dma_attr_minxfer = nvme->n_pagesize;
3301 
3302 	/*
3303 	 * Set up PRP DMA to transfer 1 page-aligned page at a time.
3304 	 * Maxxfer may be increased after we identified the controller limits.
3305 	 */
3306 	nvme->n_prp_dma_attr.dma_attr_maxxfer = nvme->n_pagesize;
3307 	nvme->n_prp_dma_attr.dma_attr_minxfer = nvme->n_pagesize;
3308 	nvme->n_prp_dma_attr.dma_attr_align = nvme->n_pagesize;
3309 	nvme->n_prp_dma_attr.dma_attr_seg = nvme->n_pagesize - 1;
3310 
3311 	/*
3312 	 * Reset controller if it's still in ready state.
3313 	 */
3314 	if (nvme_reset(nvme, B_FALSE) == B_FALSE) {
3315 		dev_err(nvme->n_dip, CE_WARN, "!unable to reset controller");
3316 		ddi_fm_service_impact(nvme->n_dip, DDI_SERVICE_LOST);
3317 		nvme->n_dead = B_TRUE;
3318 		goto fail;
3319 	}
3320 
3321 	/*
3322 	 * Create the cq array with one completion queue to be assigned
3323 	 * to the admin queue pair and a limited number of taskqs (4).
3324 	 */
3325 	if (nvme_create_cq_array(nvme, 1, nvme->n_admin_queue_len, 4) !=
3326 	    DDI_SUCCESS) {
3327 		dev_err(nvme->n_dip, CE_WARN,
3328 		    "!failed to pre-allocate admin completion queue");
3329 		goto fail;
3330 	}
3331 	/*
3332 	 * Create the admin queue pair.
3333 	 */
3334 	if (nvme_alloc_qpair(nvme, nvme->n_admin_queue_len, &nvme->n_adminq, 0)
3335 	    != DDI_SUCCESS) {
3336 		dev_err(nvme->n_dip, CE_WARN,
3337 		    "!unable to allocate admin qpair");
3338 		goto fail;
3339 	}
3340 	nvme->n_ioq = kmem_alloc(sizeof (nvme_qpair_t *), KM_SLEEP);
3341 	nvme->n_ioq[0] = nvme->n_adminq;
3342 
3343 	nvme->n_progress |= NVME_ADMIN_QUEUE;
3344 
3345 	(void) ddi_prop_update_int(DDI_DEV_T_NONE, nvme->n_dip,
3346 	    "admin-queue-len", nvme->n_admin_queue_len);
3347 
3348 	aqa.b.aqa_asqs = aqa.b.aqa_acqs = nvme->n_admin_queue_len - 1;
3349 	asq = nvme->n_adminq->nq_sqdma->nd_cookie.dmac_laddress;
3350 	acq = nvme->n_adminq->nq_cq->ncq_dma->nd_cookie.dmac_laddress;
3351 
3352 	ASSERT((asq & (nvme->n_pagesize - 1)) == 0);
3353 	ASSERT((acq & (nvme->n_pagesize - 1)) == 0);
3354 
3355 	nvme_put32(nvme, NVME_REG_AQA, aqa.r);
3356 	nvme_put64(nvme, NVME_REG_ASQ, asq);
3357 	nvme_put64(nvme, NVME_REG_ACQ, acq);
3358 
3359 	cc.b.cc_ams = 0;	/* use Round-Robin arbitration */
3360 	cc.b.cc_css = 0;	/* use NVM command set */
3361 	cc.b.cc_mps = nvme->n_pageshift - 12;
3362 	cc.b.cc_shn = 0;	/* no shutdown in progress */
3363 	cc.b.cc_en = 1;		/* enable controller */
3364 	cc.b.cc_iosqes = 6;	/* submission queue entry is 2^6 bytes long */
3365 	cc.b.cc_iocqes = 4;	/* completion queue entry is 2^4 bytes long */
3366 
3367 	nvme_put32(nvme, NVME_REG_CC, cc.r);
3368 
3369 	/*
3370 	 * Wait for the controller to become ready.
3371 	 */
3372 	csts.r = nvme_get32(nvme, NVME_REG_CSTS);
3373 	if (csts.b.csts_rdy == 0) {
3374 		for (i = 0; i != nvme->n_timeout * 10; i++) {
3375 			delay(drv_usectohz(50000));
3376 			csts.r = nvme_get32(nvme, NVME_REG_CSTS);
3377 
3378 			if (csts.b.csts_cfs == 1) {
3379 				dev_err(nvme->n_dip, CE_WARN,
3380 				    "!controller fatal status at init");
3381 				ddi_fm_service_impact(nvme->n_dip,
3382 				    DDI_SERVICE_LOST);
3383 				nvme->n_dead = B_TRUE;
3384 				goto fail;
3385 			}
3386 
3387 			if (csts.b.csts_rdy == 1)
3388 				break;
3389 		}
3390 	}
3391 
3392 	if (csts.b.csts_rdy == 0) {
3393 		dev_err(nvme->n_dip, CE_WARN, "!controller not ready");
3394 		ddi_fm_service_impact(nvme->n_dip, DDI_SERVICE_LOST);
3395 		nvme->n_dead = B_TRUE;
3396 		goto fail;
3397 	}
3398 
3399 	/*
3400 	 * Assume an abort command limit of 1. We'll destroy and re-init
3401 	 * that later when we know the true abort command limit.
3402 	 */
3403 	sema_init(&nvme->n_abort_sema, 1, NULL, SEMA_DRIVER, NULL);
3404 
3405 	/*
3406 	 * Set up initial interrupt for admin queue.
3407 	 */
3408 	if ((nvme_setup_interrupts(nvme, DDI_INTR_TYPE_MSIX, 1)
3409 	    != DDI_SUCCESS) &&
3410 	    (nvme_setup_interrupts(nvme, DDI_INTR_TYPE_MSI, 1)
3411 	    != DDI_SUCCESS) &&
3412 	    (nvme_setup_interrupts(nvme, DDI_INTR_TYPE_FIXED, 1)
3413 	    != DDI_SUCCESS)) {
3414 		dev_err(nvme->n_dip, CE_WARN,
3415 		    "!failed to setup initial interrupt");
3416 		goto fail;
3417 	}
3418 
3419 	/*
3420 	 * Post an asynchronous event command to catch errors.
3421 	 * We assume the asynchronous events are supported as required by
3422 	 * specification (Figure 40 in section 5 of NVMe 1.2).
3423 	 * However, since at least qemu does not follow the specification,
3424 	 * we need a mechanism to protect ourselves.
3425 	 */
3426 	nvme->n_async_event_supported = B_TRUE;
3427 	nvme_async_event(nvme);
3428 
3429 	/*
3430 	 * Identify Controller
3431 	 */
3432 	if (nvme_identify(nvme, B_FALSE, 0, NVME_IDENTIFY_CTRL,
3433 	    (void **)&nvme->n_idctl) != 0) {
3434 		dev_err(nvme->n_dip, CE_WARN,
3435 		    "!failed to identify controller");
3436 		goto fail;
3437 	}
3438 
3439 	/*
3440 	 * Process nvme-config-list (if present) in nvme.conf.
3441 	 */
3442 	nvme_config_list(nvme);
3443 
3444 	/*
3445 	 * Get Vendor & Product ID
3446 	 */
3447 	bcopy(nvme->n_idctl->id_model, model, sizeof (nvme->n_idctl->id_model));
3448 	model[sizeof (nvme->n_idctl->id_model)] = '\0';
3449 	sata_split_model(model, &vendor, &product);
3450 
3451 	if (vendor == NULL)
3452 		nvme->n_vendor = strdup("NVMe");
3453 	else
3454 		nvme->n_vendor = strdup(vendor);
3455 
3456 	nvme->n_product = strdup(product);
3457 
3458 	/*
3459 	 * Get controller limits.
3460 	 */
3461 	nvme->n_async_event_limit = MAX(NVME_MIN_ASYNC_EVENT_LIMIT,
3462 	    MIN(nvme->n_admin_queue_len / 10,
3463 	    MIN(nvme->n_idctl->id_aerl + 1, nvme->n_async_event_limit)));
3464 
3465 	(void) ddi_prop_update_int(DDI_DEV_T_NONE, nvme->n_dip,
3466 	    "async-event-limit", nvme->n_async_event_limit);
3467 
3468 	nvme->n_abort_command_limit = nvme->n_idctl->id_acl + 1;
3469 
3470 	/*
3471 	 * Reinitialize the semaphore with the true abort command limit
3472 	 * supported by the hardware. It's not necessary to disable interrupts
3473 	 * as only command aborts use the semaphore, and no commands are
3474 	 * executed or aborted while we're here.
3475 	 */
3476 	sema_destroy(&nvme->n_abort_sema);
3477 	sema_init(&nvme->n_abort_sema, nvme->n_abort_command_limit - 1, NULL,
3478 	    SEMA_DRIVER, NULL);
3479 
3480 	nvme->n_progress |= NVME_CTRL_LIMITS;
3481 
3482 	if (nvme->n_idctl->id_mdts == 0)
3483 		nvme->n_max_data_transfer_size = nvme->n_pagesize * 65536;
3484 	else
3485 		nvme->n_max_data_transfer_size =
3486 		    1ull << (nvme->n_pageshift + nvme->n_idctl->id_mdts);
3487 
3488 	nvme->n_error_log_len = nvme->n_idctl->id_elpe + 1;
3489 
3490 	/*
3491 	 * Limit n_max_data_transfer_size to what we can handle in one PRP.
3492 	 * Chained PRPs are currently unsupported.
3493 	 *
3494 	 * This is a no-op on hardware which doesn't support a transfer size
3495 	 * big enough to require chained PRPs.
3496 	 */
3497 	nvme->n_max_data_transfer_size = MIN(nvme->n_max_data_transfer_size,
3498 	    (nvme->n_pagesize / sizeof (uint64_t) * nvme->n_pagesize));
3499 
3500 	nvme->n_prp_dma_attr.dma_attr_maxxfer = nvme->n_max_data_transfer_size;
3501 
3502 	/*
3503 	 * Make sure the minimum/maximum queue entry sizes are not
3504 	 * larger/smaller than the default.
3505 	 */
3506 
3507 	if (((1 << nvme->n_idctl->id_sqes.qes_min) > sizeof (nvme_sqe_t)) ||
3508 	    ((1 << nvme->n_idctl->id_sqes.qes_max) < sizeof (nvme_sqe_t)) ||
3509 	    ((1 << nvme->n_idctl->id_cqes.qes_min) > sizeof (nvme_cqe_t)) ||
3510 	    ((1 << nvme->n_idctl->id_cqes.qes_max) < sizeof (nvme_cqe_t)))
3511 		goto fail;
3512 
3513 	/*
3514 	 * Check for the presence of a Volatile Write Cache. If present,
3515 	 * enable or disable based on the value of the property
3516 	 * volatile-write-cache-enable (default is enabled).
3517 	 */
3518 	nvme->n_write_cache_present =
3519 	    nvme->n_idctl->id_vwc.vwc_present == 0 ? B_FALSE : B_TRUE;
3520 
3521 	(void) ddi_prop_update_int(DDI_DEV_T_NONE, nvme->n_dip,
3522 	    "volatile-write-cache-present",
3523 	    nvme->n_write_cache_present ? 1 : 0);
3524 
3525 	if (!nvme->n_write_cache_present) {
3526 		nvme->n_write_cache_enabled = B_FALSE;
3527 	} else if (nvme_write_cache_set(nvme, nvme->n_write_cache_enabled)
3528 	    != 0) {
3529 		dev_err(nvme->n_dip, CE_WARN,
3530 		    "!failed to %sable volatile write cache",
3531 		    nvme->n_write_cache_enabled ? "en" : "dis");
3532 		/*
3533 		 * Assume the cache is (still) enabled.
3534 		 */
3535 		nvme->n_write_cache_enabled = B_TRUE;
3536 	}
3537 
3538 	(void) ddi_prop_update_int(DDI_DEV_T_NONE, nvme->n_dip,
3539 	    "volatile-write-cache-enable",
3540 	    nvme->n_write_cache_enabled ? 1 : 0);
3541 
3542 	/*
3543 	 * Assume LBA Range Type feature is supported. If it isn't this
3544 	 * will be set to B_FALSE by nvme_get_features().
3545 	 */
3546 	nvme->n_lba_range_supported = B_TRUE;
3547 
3548 	/*
3549 	 * Check support for Autonomous Power State Transition.
3550 	 */
3551 	if (NVME_VERSION_ATLEAST(&nvme->n_version, 1, 1))
3552 		nvme->n_auto_pst_supported =
3553 		    nvme->n_idctl->id_apsta.ap_sup == 0 ? B_FALSE : B_TRUE;
3554 
3555 	/*
3556 	 * Assume Software Progress Marker feature is supported.  If it isn't
3557 	 * this will be set to B_FALSE by nvme_get_features().
3558 	 */
3559 	nvme->n_progress_supported = B_TRUE;
3560 
3561 	/*
3562 	 * Get number of supported namespaces and allocate namespace array.
3563 	 */
3564 	nvme->n_namespace_count = nvme->n_idctl->id_nn;
3565 
3566 	if (nvme->n_namespace_count == 0) {
3567 		dev_err(nvme->n_dip, CE_WARN,
3568 		    "!controllers without namespaces are not supported");
3569 		goto fail;
3570 	}
3571 
3572 	if (nvme->n_namespace_count > NVME_MINOR_MAX) {
3573 		dev_err(nvme->n_dip, CE_WARN,
3574 		    "!too many namespaces: %d, limiting to %d\n",
3575 		    nvme->n_namespace_count, NVME_MINOR_MAX);
3576 		nvme->n_namespace_count = NVME_MINOR_MAX;
3577 	}
3578 
3579 	nvme->n_ns = kmem_zalloc(sizeof (nvme_namespace_t) *
3580 	    nvme->n_namespace_count, KM_SLEEP);
3581 
3582 	/*
3583 	 * Try to set up MSI/MSI-X interrupts.
3584 	 */
3585 	if ((nvme->n_intr_types & (DDI_INTR_TYPE_MSI | DDI_INTR_TYPE_MSIX))
3586 	    != 0) {
3587 		nvme_release_interrupts(nvme);
3588 
3589 		nqueues = MIN(UINT16_MAX, ncpus);
3590 
3591 		if ((nvme_setup_interrupts(nvme, DDI_INTR_TYPE_MSIX,
3592 		    nqueues) != DDI_SUCCESS) &&
3593 		    (nvme_setup_interrupts(nvme, DDI_INTR_TYPE_MSI,
3594 		    nqueues) != DDI_SUCCESS)) {
3595 			dev_err(nvme->n_dip, CE_WARN,
3596 			    "!failed to setup MSI/MSI-X interrupts");
3597 			goto fail;
3598 		}
3599 	}
3600 
3601 	/*
3602 	 * Create I/O queue pairs.
3603 	 */
3604 
3605 	if (nvme_set_nqueues(nvme) != 0) {
3606 		dev_err(nvme->n_dip, CE_WARN,
3607 		    "!failed to set number of I/O queues to %d",
3608 		    nvme->n_intr_cnt);
3609 		goto fail;
3610 	}
3611 
3612 	/*
3613 	 * Reallocate I/O queue array
3614 	 */
3615 	kmem_free(nvme->n_ioq, sizeof (nvme_qpair_t *));
3616 	nvme->n_ioq = kmem_zalloc(sizeof (nvme_qpair_t *) *
3617 	    (nvme->n_submission_queues + 1), KM_SLEEP);
3618 	nvme->n_ioq[0] = nvme->n_adminq;
3619 
3620 	/*
3621 	 * There should always be at least as many submission queues
3622 	 * as completion queues.
3623 	 */
3624 	ASSERT(nvme->n_submission_queues >= nvme->n_completion_queues);
3625 
3626 	nvme->n_ioq_count = nvme->n_submission_queues;
3627 
3628 	nvme->n_io_squeue_len =
3629 	    MIN(nvme->n_io_squeue_len, nvme->n_max_queue_entries);
3630 
3631 	(void) ddi_prop_update_int(DDI_DEV_T_NONE, nvme->n_dip, "io-squeue-len",
3632 	    nvme->n_io_squeue_len);
3633 
3634 	/*
3635 	 * Pre-allocate completion queues.
3636 	 * When there are the same number of submission and completion
3637 	 * queues there is no value in having a larger completion
3638 	 * queue length.
3639 	 */
3640 	if (nvme->n_submission_queues == nvme->n_completion_queues)
3641 		nvme->n_io_cqueue_len = MIN(nvme->n_io_cqueue_len,
3642 		    nvme->n_io_squeue_len);
3643 
3644 	nvme->n_io_cqueue_len = MIN(nvme->n_io_cqueue_len,
3645 	    nvme->n_max_queue_entries);
3646 
3647 	(void) ddi_prop_update_int(DDI_DEV_T_NONE, nvme->n_dip, "io-cqueue-len",
3648 	    nvme->n_io_cqueue_len);
3649 
3650 	/*
3651 	 * Assign the equal quantity of taskq threads to each completion
3652 	 * queue, capping the total number of threads to the number
3653 	 * of CPUs.
3654 	 */
3655 	tq_threads = MIN(UINT16_MAX, ncpus) / nvme->n_completion_queues;
3656 
3657 	/*
3658 	 * In case the calculation above is zero, we need at least one
3659 	 * thread per completion queue.
3660 	 */
3661 	tq_threads = MAX(1, tq_threads);
3662 
3663 	if (nvme_create_cq_array(nvme, nvme->n_completion_queues + 1,
3664 	    nvme->n_io_cqueue_len, tq_threads) != DDI_SUCCESS) {
3665 		dev_err(nvme->n_dip, CE_WARN,
3666 		    "!failed to pre-allocate completion queues");
3667 		goto fail;
3668 	}
3669 
3670 	/*
3671 	 * If we use less completion queues than interrupt vectors return
3672 	 * some of the interrupt vectors back to the system.
3673 	 */
3674 	if (nvme->n_completion_queues + 1 < nvme->n_intr_cnt) {
3675 		nvme_release_interrupts(nvme);
3676 
3677 		if (nvme_setup_interrupts(nvme, nvme->n_intr_type,
3678 		    nvme->n_completion_queues + 1) != DDI_SUCCESS) {
3679 			dev_err(nvme->n_dip, CE_WARN,
3680 			    "!failed to reduce number of interrupts");
3681 			goto fail;
3682 		}
3683 	}
3684 
3685 	/*
3686 	 * Alloc & register I/O queue pairs
3687 	 */
3688 
3689 	for (i = 1; i != nvme->n_ioq_count + 1; i++) {
3690 		if (nvme_alloc_qpair(nvme, nvme->n_io_squeue_len,
3691 		    &nvme->n_ioq[i], i) != DDI_SUCCESS) {
3692 			dev_err(nvme->n_dip, CE_WARN,
3693 			    "!unable to allocate I/O qpair %d", i);
3694 			goto fail;
3695 		}
3696 
3697 		if (nvme_create_io_qpair(nvme, nvme->n_ioq[i], i) != 0) {
3698 			dev_err(nvme->n_dip, CE_WARN,
3699 			    "!unable to create I/O qpair %d", i);
3700 			goto fail;
3701 		}
3702 	}
3703 
3704 	/*
3705 	 * Post more asynchronous events commands to reduce event reporting
3706 	 * latency as suggested by the spec.
3707 	 */
3708 	if (nvme->n_async_event_supported) {
3709 		for (i = 1; i != nvme->n_async_event_limit; i++)
3710 			nvme_async_event(nvme);
3711 	}
3712 
3713 	return (DDI_SUCCESS);
3714 
3715 fail:
3716 	(void) nvme_reset(nvme, B_FALSE);
3717 	return (DDI_FAILURE);
3718 }
3719 
3720 static uint_t
3721 nvme_intr(caddr_t arg1, caddr_t arg2)
3722 {
3723 	/*LINTED: E_PTR_BAD_CAST_ALIGN*/
3724 	nvme_t *nvme = (nvme_t *)arg1;
3725 	int inum = (int)(uintptr_t)arg2;
3726 	int ccnt = 0;
3727 	int qnum;
3728 
3729 	if (inum >= nvme->n_intr_cnt)
3730 		return (DDI_INTR_UNCLAIMED);
3731 
3732 	if (nvme->n_dead)
3733 		return (nvme->n_intr_type == DDI_INTR_TYPE_FIXED ?
3734 		    DDI_INTR_UNCLAIMED : DDI_INTR_CLAIMED);
3735 
3736 	/*
3737 	 * The interrupt vector a queue uses is calculated as queue_idx %
3738 	 * intr_cnt in nvme_create_io_qpair(). Iterate through the queue array
3739 	 * in steps of n_intr_cnt to process all queues using this vector.
3740 	 */
3741 	for (qnum = inum;
3742 	    qnum < nvme->n_cq_count && nvme->n_cq[qnum] != NULL;
3743 	    qnum += nvme->n_intr_cnt) {
3744 		ccnt += nvme_process_iocq(nvme, nvme->n_cq[qnum]);
3745 	}
3746 
3747 	return (ccnt > 0 ? DDI_INTR_CLAIMED : DDI_INTR_UNCLAIMED);
3748 }
3749 
3750 static void
3751 nvme_release_interrupts(nvme_t *nvme)
3752 {
3753 	int i;
3754 
3755 	for (i = 0; i < nvme->n_intr_cnt; i++) {
3756 		if (nvme->n_inth[i] == NULL)
3757 			break;
3758 
3759 		if (nvme->n_intr_cap & DDI_INTR_FLAG_BLOCK)
3760 			(void) ddi_intr_block_disable(&nvme->n_inth[i], 1);
3761 		else
3762 			(void) ddi_intr_disable(nvme->n_inth[i]);
3763 
3764 		(void) ddi_intr_remove_handler(nvme->n_inth[i]);
3765 		(void) ddi_intr_free(nvme->n_inth[i]);
3766 	}
3767 
3768 	kmem_free(nvme->n_inth, nvme->n_inth_sz);
3769 	nvme->n_inth = NULL;
3770 	nvme->n_inth_sz = 0;
3771 
3772 	nvme->n_progress &= ~NVME_INTERRUPTS;
3773 }
3774 
3775 static int
3776 nvme_setup_interrupts(nvme_t *nvme, int intr_type, int nqpairs)
3777 {
3778 	int nintrs, navail, count;
3779 	int ret;
3780 	int i;
3781 
3782 	if (nvme->n_intr_types == 0) {
3783 		ret = ddi_intr_get_supported_types(nvme->n_dip,
3784 		    &nvme->n_intr_types);
3785 		if (ret != DDI_SUCCESS) {
3786 			dev_err(nvme->n_dip, CE_WARN,
3787 			    "!%s: ddi_intr_get_supported types failed",
3788 			    __func__);
3789 			return (ret);
3790 		}
3791 #ifdef __x86
3792 		if (get_hwenv() == HW_VMWARE)
3793 			nvme->n_intr_types &= ~DDI_INTR_TYPE_MSIX;
3794 #endif
3795 	}
3796 
3797 	if ((nvme->n_intr_types & intr_type) == 0)
3798 		return (DDI_FAILURE);
3799 
3800 	ret = ddi_intr_get_nintrs(nvme->n_dip, intr_type, &nintrs);
3801 	if (ret != DDI_SUCCESS) {
3802 		dev_err(nvme->n_dip, CE_WARN, "!%s: ddi_intr_get_nintrs failed",
3803 		    __func__);
3804 		return (ret);
3805 	}
3806 
3807 	ret = ddi_intr_get_navail(nvme->n_dip, intr_type, &navail);
3808 	if (ret != DDI_SUCCESS) {
3809 		dev_err(nvme->n_dip, CE_WARN, "!%s: ddi_intr_get_navail failed",
3810 		    __func__);
3811 		return (ret);
3812 	}
3813 
3814 	/* We want at most one interrupt per queue pair. */
3815 	if (navail > nqpairs)
3816 		navail = nqpairs;
3817 
3818 	nvme->n_inth_sz = sizeof (ddi_intr_handle_t) * navail;
3819 	nvme->n_inth = kmem_zalloc(nvme->n_inth_sz, KM_SLEEP);
3820 
3821 	ret = ddi_intr_alloc(nvme->n_dip, nvme->n_inth, intr_type, 0, navail,
3822 	    &count, 0);
3823 	if (ret != DDI_SUCCESS) {
3824 		dev_err(nvme->n_dip, CE_WARN, "!%s: ddi_intr_alloc failed",
3825 		    __func__);
3826 		goto fail;
3827 	}
3828 
3829 	nvme->n_intr_cnt = count;
3830 
3831 	ret = ddi_intr_get_pri(nvme->n_inth[0], &nvme->n_intr_pri);
3832 	if (ret != DDI_SUCCESS) {
3833 		dev_err(nvme->n_dip, CE_WARN, "!%s: ddi_intr_get_pri failed",
3834 		    __func__);
3835 		goto fail;
3836 	}
3837 
3838 	for (i = 0; i < count; i++) {
3839 		ret = ddi_intr_add_handler(nvme->n_inth[i], nvme_intr,
3840 		    (void *)nvme, (void *)(uintptr_t)i);
3841 		if (ret != DDI_SUCCESS) {
3842 			dev_err(nvme->n_dip, CE_WARN,
3843 			    "!%s: ddi_intr_add_handler failed", __func__);
3844 			goto fail;
3845 		}
3846 	}
3847 
3848 	(void) ddi_intr_get_cap(nvme->n_inth[0], &nvme->n_intr_cap);
3849 
3850 	for (i = 0; i < count; i++) {
3851 		if (nvme->n_intr_cap & DDI_INTR_FLAG_BLOCK)
3852 			ret = ddi_intr_block_enable(&nvme->n_inth[i], 1);
3853 		else
3854 			ret = ddi_intr_enable(nvme->n_inth[i]);
3855 
3856 		if (ret != DDI_SUCCESS) {
3857 			dev_err(nvme->n_dip, CE_WARN,
3858 			    "!%s: enabling interrupt %d failed", __func__, i);
3859 			goto fail;
3860 		}
3861 	}
3862 
3863 	nvme->n_intr_type = intr_type;
3864 
3865 	nvme->n_progress |= NVME_INTERRUPTS;
3866 
3867 	return (DDI_SUCCESS);
3868 
3869 fail:
3870 	nvme_release_interrupts(nvme);
3871 
3872 	return (ret);
3873 }
3874 
3875 static int
3876 nvme_fm_errcb(dev_info_t *dip, ddi_fm_error_t *fm_error, const void *arg)
3877 {
3878 	_NOTE(ARGUNUSED(arg));
3879 
3880 	pci_ereport_post(dip, fm_error, NULL);
3881 	return (fm_error->fme_status);
3882 }
3883 
3884 static void
3885 nvme_remove_callback(dev_info_t *dip, ddi_eventcookie_t cookie, void *a,
3886     void *b)
3887 {
3888 	nvme_t *nvme = a;
3889 
3890 	nvme->n_dead = B_TRUE;
3891 
3892 	/*
3893 	 * Fail all outstanding commands, including those in the admin queue
3894 	 * (queue 0).
3895 	 */
3896 	for (uint_t i = 0; i < nvme->n_ioq_count + 1; i++) {
3897 		nvme_qpair_t *qp = nvme->n_ioq[i];
3898 
3899 		mutex_enter(&qp->nq_mutex);
3900 		for (size_t j = 0; j < qp->nq_nentry; j++) {
3901 			nvme_cmd_t *cmd = qp->nq_cmd[j];
3902 			nvme_cmd_t *u_cmd;
3903 
3904 			if (cmd == NULL) {
3905 				continue;
3906 			}
3907 
3908 			/*
3909 			 * Since we have the queue lock held the entire time we
3910 			 * iterate over it, it's not possible for the queue to
3911 			 * change underneath us. Thus, we don't need to check
3912 			 * that the return value of nvme_unqueue_cmd matches the
3913 			 * requested cmd to unqueue.
3914 			 */
3915 			u_cmd = nvme_unqueue_cmd(nvme, qp, cmd->nc_sqe.sqe_cid);
3916 			taskq_dispatch_ent(qp->nq_cq->ncq_cmd_taskq,
3917 			    cmd->nc_callback, cmd, TQ_NOSLEEP, &cmd->nc_tqent);
3918 
3919 			ASSERT3P(u_cmd, ==, cmd);
3920 		}
3921 		mutex_exit(&qp->nq_mutex);
3922 	}
3923 }
3924 
3925 static int
3926 nvme_attach(dev_info_t *dip, ddi_attach_cmd_t cmd)
3927 {
3928 	nvme_t *nvme;
3929 	int instance;
3930 	int nregs;
3931 	off_t regsize;
3932 	int i;
3933 	char name[32];
3934 	boolean_t attached_ns;
3935 
3936 	if (cmd != DDI_ATTACH)
3937 		return (DDI_FAILURE);
3938 
3939 	instance = ddi_get_instance(dip);
3940 
3941 	if (ddi_soft_state_zalloc(nvme_state, instance) != DDI_SUCCESS)
3942 		return (DDI_FAILURE);
3943 
3944 	nvme = ddi_get_soft_state(nvme_state, instance);
3945 	ddi_set_driver_private(dip, nvme);
3946 	nvme->n_dip = dip;
3947 
3948 	/* Set up event handlers for hot removal. */
3949 	if (ddi_get_eventcookie(nvme->n_dip, DDI_DEVI_REMOVE_EVENT,
3950 	    &nvme->n_rm_cookie) != DDI_SUCCESS) {
3951 		goto fail;
3952 	}
3953 	if (ddi_add_event_handler(nvme->n_dip, nvme->n_rm_cookie,
3954 	    nvme_remove_callback, nvme, &nvme->n_ev_rm_cb_id) !=
3955 	    DDI_SUCCESS) {
3956 		goto fail;
3957 	}
3958 
3959 	mutex_init(&nvme->n_minor_mutex, NULL, MUTEX_DRIVER, NULL);
3960 	nvme->n_progress |= NVME_MUTEX_INIT;
3961 
3962 	nvme->n_strict_version = ddi_prop_get_int(DDI_DEV_T_ANY, dip,
3963 	    DDI_PROP_DONTPASS, "strict-version", 1) == 1 ? B_TRUE : B_FALSE;
3964 	nvme->n_ignore_unknown_vendor_status = ddi_prop_get_int(DDI_DEV_T_ANY,
3965 	    dip, DDI_PROP_DONTPASS, "ignore-unknown-vendor-status", 0) == 1 ?
3966 	    B_TRUE : B_FALSE;
3967 	nvme->n_admin_queue_len = ddi_prop_get_int(DDI_DEV_T_ANY, dip,
3968 	    DDI_PROP_DONTPASS, "admin-queue-len", NVME_DEFAULT_ADMIN_QUEUE_LEN);
3969 	nvme->n_io_squeue_len = ddi_prop_get_int(DDI_DEV_T_ANY, dip,
3970 	    DDI_PROP_DONTPASS, "io-squeue-len", NVME_DEFAULT_IO_QUEUE_LEN);
3971 	/*
3972 	 * Double up the default for completion queues in case of
3973 	 * queue sharing.
3974 	 */
3975 	nvme->n_io_cqueue_len = ddi_prop_get_int(DDI_DEV_T_ANY, dip,
3976 	    DDI_PROP_DONTPASS, "io-cqueue-len", 2 * NVME_DEFAULT_IO_QUEUE_LEN);
3977 	nvme->n_async_event_limit = ddi_prop_get_int(DDI_DEV_T_ANY, dip,
3978 	    DDI_PROP_DONTPASS, "async-event-limit",
3979 	    NVME_DEFAULT_ASYNC_EVENT_LIMIT);
3980 	nvme->n_write_cache_enabled = ddi_prop_get_int(DDI_DEV_T_ANY, dip,
3981 	    DDI_PROP_DONTPASS, "volatile-write-cache-enable", 1) != 0 ?
3982 	    B_TRUE : B_FALSE;
3983 	nvme->n_min_block_size = ddi_prop_get_int(DDI_DEV_T_ANY, dip,
3984 	    DDI_PROP_DONTPASS, "min-phys-block-size",
3985 	    NVME_DEFAULT_MIN_BLOCK_SIZE);
3986 	nvme->n_submission_queues = ddi_prop_get_int(DDI_DEV_T_ANY, dip,
3987 	    DDI_PROP_DONTPASS, "max-submission-queues", -1);
3988 	nvme->n_completion_queues = ddi_prop_get_int(DDI_DEV_T_ANY, dip,
3989 	    DDI_PROP_DONTPASS, "max-completion-queues", -1);
3990 
3991 	if (!ISP2(nvme->n_min_block_size) ||
3992 	    (nvme->n_min_block_size < NVME_DEFAULT_MIN_BLOCK_SIZE)) {
3993 		dev_err(dip, CE_WARN, "!min-phys-block-size %s, "
3994 		    "using default %d", ISP2(nvme->n_min_block_size) ?
3995 		    "too low" : "not a power of 2",
3996 		    NVME_DEFAULT_MIN_BLOCK_SIZE);
3997 		nvme->n_min_block_size = NVME_DEFAULT_MIN_BLOCK_SIZE;
3998 	}
3999 
4000 	if (nvme->n_submission_queues != -1 &&
4001 	    (nvme->n_submission_queues < 1 ||
4002 	    nvme->n_submission_queues > UINT16_MAX)) {
4003 		dev_err(dip, CE_WARN, "!\"submission-queues\"=%d is not "
4004 		    "valid. Must be [1..%d]", nvme->n_submission_queues,
4005 		    UINT16_MAX);
4006 		nvme->n_submission_queues = -1;
4007 	}
4008 
4009 	if (nvme->n_completion_queues != -1 &&
4010 	    (nvme->n_completion_queues < 1 ||
4011 	    nvme->n_completion_queues > UINT16_MAX)) {
4012 		dev_err(dip, CE_WARN, "!\"completion-queues\"=%d is not "
4013 		    "valid. Must be [1..%d]", nvme->n_completion_queues,
4014 		    UINT16_MAX);
4015 		nvme->n_completion_queues = -1;
4016 	}
4017 
4018 	if (nvme->n_admin_queue_len < NVME_MIN_ADMIN_QUEUE_LEN)
4019 		nvme->n_admin_queue_len = NVME_MIN_ADMIN_QUEUE_LEN;
4020 	else if (nvme->n_admin_queue_len > NVME_MAX_ADMIN_QUEUE_LEN)
4021 		nvme->n_admin_queue_len = NVME_MAX_ADMIN_QUEUE_LEN;
4022 
4023 	if (nvme->n_io_squeue_len < NVME_MIN_IO_QUEUE_LEN)
4024 		nvme->n_io_squeue_len = NVME_MIN_IO_QUEUE_LEN;
4025 	if (nvme->n_io_cqueue_len < NVME_MIN_IO_QUEUE_LEN)
4026 		nvme->n_io_cqueue_len = NVME_MIN_IO_QUEUE_LEN;
4027 
4028 	if (nvme->n_async_event_limit < 1)
4029 		nvme->n_async_event_limit = NVME_DEFAULT_ASYNC_EVENT_LIMIT;
4030 
4031 	nvme->n_reg_acc_attr = nvme_reg_acc_attr;
4032 	nvme->n_queue_dma_attr = nvme_queue_dma_attr;
4033 	nvme->n_prp_dma_attr = nvme_prp_dma_attr;
4034 	nvme->n_sgl_dma_attr = nvme_sgl_dma_attr;
4035 
4036 	/*
4037 	 * Set up FMA support.
4038 	 */
4039 	nvme->n_fm_cap = ddi_getprop(DDI_DEV_T_ANY, dip,
4040 	    DDI_PROP_CANSLEEP | DDI_PROP_DONTPASS, "fm-capable",
4041 	    DDI_FM_EREPORT_CAPABLE | DDI_FM_ACCCHK_CAPABLE |
4042 	    DDI_FM_DMACHK_CAPABLE | DDI_FM_ERRCB_CAPABLE);
4043 
4044 	ddi_fm_init(dip, &nvme->n_fm_cap, &nvme->n_fm_ibc);
4045 
4046 	if (nvme->n_fm_cap) {
4047 		if (nvme->n_fm_cap & DDI_FM_ACCCHK_CAPABLE)
4048 			nvme->n_reg_acc_attr.devacc_attr_access =
4049 			    DDI_FLAGERR_ACC;
4050 
4051 		if (nvme->n_fm_cap & DDI_FM_DMACHK_CAPABLE) {
4052 			nvme->n_prp_dma_attr.dma_attr_flags |= DDI_DMA_FLAGERR;
4053 			nvme->n_sgl_dma_attr.dma_attr_flags |= DDI_DMA_FLAGERR;
4054 		}
4055 
4056 		if (DDI_FM_EREPORT_CAP(nvme->n_fm_cap) ||
4057 		    DDI_FM_ERRCB_CAP(nvme->n_fm_cap))
4058 			pci_ereport_setup(dip);
4059 
4060 		if (DDI_FM_ERRCB_CAP(nvme->n_fm_cap))
4061 			ddi_fm_handler_register(dip, nvme_fm_errcb,
4062 			    (void *)nvme);
4063 	}
4064 
4065 	nvme->n_progress |= NVME_FMA_INIT;
4066 
4067 	/*
4068 	 * The spec defines several register sets. Only the controller
4069 	 * registers (set 1) are currently used.
4070 	 */
4071 	if (ddi_dev_nregs(dip, &nregs) == DDI_FAILURE ||
4072 	    nregs < 2 ||
4073 	    ddi_dev_regsize(dip, 1, &regsize) == DDI_FAILURE)
4074 		goto fail;
4075 
4076 	if (ddi_regs_map_setup(dip, 1, &nvme->n_regs, 0, regsize,
4077 	    &nvme->n_reg_acc_attr, &nvme->n_regh) != DDI_SUCCESS) {
4078 		dev_err(dip, CE_WARN, "!failed to map regset 1");
4079 		goto fail;
4080 	}
4081 
4082 	nvme->n_progress |= NVME_REGS_MAPPED;
4083 
4084 	/*
4085 	 * Create PRP DMA cache
4086 	 */
4087 	(void) snprintf(name, sizeof (name), "%s%d_prp_cache",
4088 	    ddi_driver_name(dip), ddi_get_instance(dip));
4089 	nvme->n_prp_cache = kmem_cache_create(name, sizeof (nvme_dma_t),
4090 	    0, nvme_prp_dma_constructor, nvme_prp_dma_destructor,
4091 	    NULL, (void *)nvme, NULL, 0);
4092 
4093 	if (nvme_init(nvme) != DDI_SUCCESS)
4094 		goto fail;
4095 
4096 	/*
4097 	 * Initialize the driver with the UFM subsystem
4098 	 */
4099 	if (ddi_ufm_init(dip, DDI_UFM_CURRENT_VERSION, &nvme_ufm_ops,
4100 	    &nvme->n_ufmh, nvme) != 0) {
4101 		dev_err(dip, CE_WARN, "!failed to initialize UFM subsystem");
4102 		goto fail;
4103 	}
4104 	mutex_init(&nvme->n_fwslot_mutex, NULL, MUTEX_DRIVER, NULL);
4105 	ddi_ufm_update(nvme->n_ufmh);
4106 	nvme->n_progress |= NVME_UFM_INIT;
4107 
4108 	mutex_init(&nvme->n_mgmt_mutex, NULL, MUTEX_DRIVER, NULL);
4109 	nvme->n_progress |= NVME_MGMT_INIT;
4110 
4111 	/*
4112 	 * Identify namespaces.
4113 	 */
4114 	mutex_enter(&nvme->n_mgmt_mutex);
4115 
4116 	for (i = 1; i <= nvme->n_namespace_count; i++) {
4117 		nvme_namespace_t *ns = NVME_NSID2NS(nvme, i);
4118 
4119 		/*
4120 		 * Namespaces start out ignored. When nvme_init_ns() checks
4121 		 * their properties and finds they can be used, it will set
4122 		 * ns_ignore to B_FALSE. It will also use this state change
4123 		 * to keep an accurate count of attachable namespaces.
4124 		 */
4125 		ns->ns_ignore = B_TRUE;
4126 		if (nvme_init_ns(nvme, i) != 0) {
4127 			mutex_exit(&nvme->n_mgmt_mutex);
4128 			goto fail;
4129 		}
4130 
4131 		if (ddi_create_minor_node(nvme->n_dip, ns->ns_name, S_IFCHR,
4132 		    NVME_MINOR(ddi_get_instance(nvme->n_dip), i),
4133 		    DDI_NT_NVME_ATTACHMENT_POINT, 0) != DDI_SUCCESS) {
4134 			mutex_exit(&nvme->n_mgmt_mutex);
4135 			dev_err(dip, CE_WARN,
4136 			    "!failed to create minor node for namespace %d", i);
4137 			goto fail;
4138 		}
4139 	}
4140 
4141 	if (ddi_create_minor_node(dip, "devctl", S_IFCHR,
4142 	    NVME_MINOR(ddi_get_instance(dip), 0), DDI_NT_NVME_NEXUS, 0)
4143 	    != DDI_SUCCESS) {
4144 		mutex_exit(&nvme->n_mgmt_mutex);
4145 		dev_err(dip, CE_WARN, "nvme_attach: "
4146 		    "cannot create devctl minor node");
4147 		goto fail;
4148 	}
4149 
4150 	attached_ns = B_FALSE;
4151 	for (i = 1; i <= nvme->n_namespace_count; i++) {
4152 		int rv;
4153 
4154 		rv = nvme_attach_ns(nvme, i);
4155 		if (rv == 0) {
4156 			attached_ns = B_TRUE;
4157 		} else if (rv != ENOTSUP) {
4158 			dev_err(nvme->n_dip, CE_WARN,
4159 			    "!failed to attach namespace %d: %d", i, rv);
4160 			/*
4161 			 * Once we have successfully attached a namespace we
4162 			 * can no longer fail the driver attach as there is now
4163 			 * a blkdev child node linked to this device, and
4164 			 * our node is not yet in the attached state.
4165 			 */
4166 			if (!attached_ns) {
4167 				mutex_exit(&nvme->n_mgmt_mutex);
4168 				goto fail;
4169 			}
4170 		}
4171 	}
4172 
4173 	mutex_exit(&nvme->n_mgmt_mutex);
4174 
4175 	return (DDI_SUCCESS);
4176 
4177 fail:
4178 	/* attach successful anyway so that FMA can retire the device */
4179 	if (nvme->n_dead)
4180 		return (DDI_SUCCESS);
4181 
4182 	(void) nvme_detach(dip, DDI_DETACH);
4183 
4184 	return (DDI_FAILURE);
4185 }
4186 
4187 static int
4188 nvme_detach(dev_info_t *dip, ddi_detach_cmd_t cmd)
4189 {
4190 	int instance, i;
4191 	nvme_t *nvme;
4192 
4193 	if (cmd != DDI_DETACH)
4194 		return (DDI_FAILURE);
4195 
4196 	instance = ddi_get_instance(dip);
4197 
4198 	nvme = ddi_get_soft_state(nvme_state, instance);
4199 
4200 	if (nvme == NULL)
4201 		return (DDI_FAILURE);
4202 
4203 	ddi_remove_minor_node(dip, "devctl");
4204 
4205 	if (nvme->n_ns) {
4206 		for (i = 1; i <= nvme->n_namespace_count; i++) {
4207 			nvme_namespace_t *ns = NVME_NSID2NS(nvme, i);
4208 
4209 			ddi_remove_minor_node(dip, ns->ns_name);
4210 
4211 			if (ns->ns_bd_hdl) {
4212 				(void) bd_detach_handle(ns->ns_bd_hdl);
4213 				bd_free_handle(ns->ns_bd_hdl);
4214 			}
4215 
4216 			if (ns->ns_idns)
4217 				kmem_free(ns->ns_idns,
4218 				    sizeof (nvme_identify_nsid_t));
4219 			if (ns->ns_devid)
4220 				strfree(ns->ns_devid);
4221 		}
4222 
4223 		kmem_free(nvme->n_ns, sizeof (nvme_namespace_t) *
4224 		    nvme->n_namespace_count);
4225 	}
4226 
4227 	if (nvme->n_progress & NVME_MGMT_INIT) {
4228 		mutex_destroy(&nvme->n_mgmt_mutex);
4229 	}
4230 
4231 	if (nvme->n_progress & NVME_UFM_INIT) {
4232 		ddi_ufm_fini(nvme->n_ufmh);
4233 		mutex_destroy(&nvme->n_fwslot_mutex);
4234 	}
4235 
4236 	if (nvme->n_progress & NVME_INTERRUPTS)
4237 		nvme_release_interrupts(nvme);
4238 
4239 	for (i = 0; i < nvme->n_cq_count; i++) {
4240 		if (nvme->n_cq[i]->ncq_cmd_taskq != NULL)
4241 			taskq_wait(nvme->n_cq[i]->ncq_cmd_taskq);
4242 	}
4243 
4244 	if (nvme->n_progress & NVME_MUTEX_INIT) {
4245 		mutex_destroy(&nvme->n_minor_mutex);
4246 	}
4247 
4248 	if (nvme->n_ioq_count > 0) {
4249 		for (i = 1; i != nvme->n_ioq_count + 1; i++) {
4250 			if (nvme->n_ioq[i] != NULL) {
4251 				/* TODO: send destroy queue commands */
4252 				nvme_free_qpair(nvme->n_ioq[i]);
4253 			}
4254 		}
4255 
4256 		kmem_free(nvme->n_ioq, sizeof (nvme_qpair_t *) *
4257 		    (nvme->n_ioq_count + 1));
4258 	}
4259 
4260 	if (nvme->n_prp_cache != NULL) {
4261 		kmem_cache_destroy(nvme->n_prp_cache);
4262 	}
4263 
4264 	if (nvme->n_progress & NVME_REGS_MAPPED) {
4265 		nvme_shutdown(nvme, B_FALSE);
4266 		(void) nvme_reset(nvme, B_FALSE);
4267 	}
4268 
4269 	if (nvme->n_progress & NVME_CTRL_LIMITS)
4270 		sema_destroy(&nvme->n_abort_sema);
4271 
4272 	if (nvme->n_progress & NVME_ADMIN_QUEUE)
4273 		nvme_free_qpair(nvme->n_adminq);
4274 
4275 	if (nvme->n_cq_count > 0) {
4276 		nvme_destroy_cq_array(nvme, 0);
4277 		nvme->n_cq = NULL;
4278 		nvme->n_cq_count = 0;
4279 	}
4280 
4281 	if (nvme->n_idctl)
4282 		kmem_free(nvme->n_idctl, NVME_IDENTIFY_BUFSIZE);
4283 
4284 	if (nvme->n_progress & NVME_REGS_MAPPED)
4285 		ddi_regs_map_free(&nvme->n_regh);
4286 
4287 	if (nvme->n_progress & NVME_FMA_INIT) {
4288 		if (DDI_FM_ERRCB_CAP(nvme->n_fm_cap))
4289 			ddi_fm_handler_unregister(nvme->n_dip);
4290 
4291 		if (DDI_FM_EREPORT_CAP(nvme->n_fm_cap) ||
4292 		    DDI_FM_ERRCB_CAP(nvme->n_fm_cap))
4293 			pci_ereport_teardown(nvme->n_dip);
4294 
4295 		ddi_fm_fini(nvme->n_dip);
4296 	}
4297 
4298 	if (nvme->n_vendor != NULL)
4299 		strfree(nvme->n_vendor);
4300 
4301 	if (nvme->n_product != NULL)
4302 		strfree(nvme->n_product);
4303 
4304 	/* Clean up hot removal event handler. */
4305 	if (nvme->n_ev_rm_cb_id != NULL) {
4306 		(void) ddi_remove_event_handler(nvme->n_ev_rm_cb_id);
4307 	}
4308 	nvme->n_ev_rm_cb_id = NULL;
4309 
4310 	ddi_soft_state_free(nvme_state, instance);
4311 
4312 	return (DDI_SUCCESS);
4313 }
4314 
4315 static int
4316 nvme_quiesce(dev_info_t *dip)
4317 {
4318 	int instance;
4319 	nvme_t *nvme;
4320 
4321 	instance = ddi_get_instance(dip);
4322 
4323 	nvme = ddi_get_soft_state(nvme_state, instance);
4324 
4325 	if (nvme == NULL)
4326 		return (DDI_FAILURE);
4327 
4328 	nvme_shutdown(nvme, B_TRUE);
4329 
4330 	(void) nvme_reset(nvme, B_TRUE);
4331 
4332 	return (DDI_SUCCESS);
4333 }
4334 
4335 static int
4336 nvme_fill_prp(nvme_cmd_t *cmd, ddi_dma_handle_t dma)
4337 {
4338 	nvme_t *nvme = cmd->nc_nvme;
4339 	uint_t nprp_per_page, nprp;
4340 	uint64_t *prp;
4341 	const ddi_dma_cookie_t *cookie;
4342 	uint_t idx;
4343 	uint_t ncookies = ddi_dma_ncookies(dma);
4344 
4345 	if (ncookies == 0)
4346 		return (DDI_FAILURE);
4347 
4348 	if ((cookie = ddi_dma_cookie_get(dma, 0)) == NULL)
4349 		return (DDI_FAILURE);
4350 	cmd->nc_sqe.sqe_dptr.d_prp[0] = cookie->dmac_laddress;
4351 
4352 	if (ncookies == 1) {
4353 		cmd->nc_sqe.sqe_dptr.d_prp[1] = 0;
4354 		return (DDI_SUCCESS);
4355 	} else if (ncookies == 2) {
4356 		if ((cookie = ddi_dma_cookie_get(dma, 1)) == NULL)
4357 			return (DDI_FAILURE);
4358 		cmd->nc_sqe.sqe_dptr.d_prp[1] = cookie->dmac_laddress;
4359 		return (DDI_SUCCESS);
4360 	}
4361 
4362 	/*
4363 	 * At this point, we're always operating on cookies at
4364 	 * index >= 1 and writing the addresses of those cookies
4365 	 * into a new page. The address of that page is stored
4366 	 * as the second PRP entry.
4367 	 */
4368 	nprp_per_page = nvme->n_pagesize / sizeof (uint64_t);
4369 	ASSERT(nprp_per_page > 0);
4370 
4371 	/*
4372 	 * We currently don't support chained PRPs and set up our DMA
4373 	 * attributes to reflect that. If we still get an I/O request
4374 	 * that needs a chained PRP something is very wrong. Account
4375 	 * for the first cookie here, which we've placed in d_prp[0].
4376 	 */
4377 	nprp = howmany(ncookies - 1, nprp_per_page);
4378 	VERIFY(nprp == 1);
4379 
4380 	/*
4381 	 * Allocate a page of pointers, in which we'll write the
4382 	 * addresses of cookies 1 to `ncookies`.
4383 	 */
4384 	cmd->nc_prp = kmem_cache_alloc(nvme->n_prp_cache, KM_SLEEP);
4385 	bzero(cmd->nc_prp->nd_memp, cmd->nc_prp->nd_len);
4386 	cmd->nc_sqe.sqe_dptr.d_prp[1] = cmd->nc_prp->nd_cookie.dmac_laddress;
4387 
4388 	prp = (uint64_t *)cmd->nc_prp->nd_memp;
4389 	for (idx = 1; idx < ncookies; idx++) {
4390 		if ((cookie = ddi_dma_cookie_get(dma, idx)) == NULL)
4391 			return (DDI_FAILURE);
4392 		*prp++ = cookie->dmac_laddress;
4393 	}
4394 
4395 	(void) ddi_dma_sync(cmd->nc_prp->nd_dmah, 0, cmd->nc_prp->nd_len,
4396 	    DDI_DMA_SYNC_FORDEV);
4397 	return (DDI_SUCCESS);
4398 }
4399 
4400 /*
4401  * The maximum number of requests supported for a deallocate request is
4402  * NVME_DSET_MGMT_MAX_RANGES (256) -- this is from the NVMe 1.1 spec (and
4403  * unchanged through at least 1.4a). The definition of nvme_range_t is also
4404  * from the NVMe 1.1 spec. Together, the result is that all of the ranges for
4405  * a deallocate request will fit into the smallest supported namespace page
4406  * (4k).
4407  */
4408 CTASSERT(sizeof (nvme_range_t) * NVME_DSET_MGMT_MAX_RANGES == 4096);
4409 
4410 static int
4411 nvme_fill_ranges(nvme_cmd_t *cmd, bd_xfer_t *xfer, uint64_t blocksize,
4412     int allocflag)
4413 {
4414 	const dkioc_free_list_t *dfl = xfer->x_dfl;
4415 	const dkioc_free_list_ext_t *exts = dfl->dfl_exts;
4416 	nvme_t *nvme = cmd->nc_nvme;
4417 	nvme_range_t *ranges = NULL;
4418 	uint_t i;
4419 
4420 	/*
4421 	 * The number of ranges in the request is 0s based (that is
4422 	 * word10 == 0 -> 1 range, word10 == 1 -> 2 ranges, ...,
4423 	 * word10 == 255 -> 256 ranges). Therefore the allowed values are
4424 	 * [1..NVME_DSET_MGMT_MAX_RANGES]. If blkdev gives us a bad request,
4425 	 * we either provided bad info in nvme_bd_driveinfo() or there is a bug
4426 	 * in blkdev.
4427 	 */
4428 	VERIFY3U(dfl->dfl_num_exts, >, 0);
4429 	VERIFY3U(dfl->dfl_num_exts, <=, NVME_DSET_MGMT_MAX_RANGES);
4430 	cmd->nc_sqe.sqe_cdw10 = (dfl->dfl_num_exts - 1) & 0xff;
4431 
4432 	cmd->nc_sqe.sqe_cdw11 = NVME_DSET_MGMT_ATTR_DEALLOCATE;
4433 
4434 	cmd->nc_prp = kmem_cache_alloc(nvme->n_prp_cache, allocflag);
4435 	if (cmd->nc_prp == NULL)
4436 		return (DDI_FAILURE);
4437 
4438 	bzero(cmd->nc_prp->nd_memp, cmd->nc_prp->nd_len);
4439 	ranges = (nvme_range_t *)cmd->nc_prp->nd_memp;
4440 
4441 	cmd->nc_sqe.sqe_dptr.d_prp[0] = cmd->nc_prp->nd_cookie.dmac_laddress;
4442 	cmd->nc_sqe.sqe_dptr.d_prp[1] = 0;
4443 
4444 	for (i = 0; i < dfl->dfl_num_exts; i++) {
4445 		uint64_t lba, len;
4446 
4447 		lba = (dfl->dfl_offset + exts[i].dfle_start) / blocksize;
4448 		len = exts[i].dfle_length / blocksize;
4449 
4450 		VERIFY3U(len, <=, UINT32_MAX);
4451 
4452 		/* No context attributes for a deallocate request */
4453 		ranges[i].nr_ctxattr = 0;
4454 		ranges[i].nr_len = len;
4455 		ranges[i].nr_lba = lba;
4456 	}
4457 
4458 	(void) ddi_dma_sync(cmd->nc_prp->nd_dmah, 0, cmd->nc_prp->nd_len,
4459 	    DDI_DMA_SYNC_FORDEV);
4460 
4461 	return (DDI_SUCCESS);
4462 }
4463 
4464 static nvme_cmd_t *
4465 nvme_create_nvm_cmd(nvme_namespace_t *ns, uint8_t opc, bd_xfer_t *xfer)
4466 {
4467 	nvme_t *nvme = ns->ns_nvme;
4468 	nvme_cmd_t *cmd;
4469 	int allocflag;
4470 
4471 	/*
4472 	 * Blkdev only sets BD_XFER_POLL when dumping, so don't sleep.
4473 	 */
4474 	allocflag = (xfer->x_flags & BD_XFER_POLL) ? KM_NOSLEEP : KM_SLEEP;
4475 	cmd = nvme_alloc_cmd(nvme, allocflag);
4476 
4477 	if (cmd == NULL)
4478 		return (NULL);
4479 
4480 	cmd->nc_sqe.sqe_opc = opc;
4481 	cmd->nc_callback = nvme_bd_xfer_done;
4482 	cmd->nc_xfer = xfer;
4483 
4484 	switch (opc) {
4485 	case NVME_OPC_NVM_WRITE:
4486 	case NVME_OPC_NVM_READ:
4487 		VERIFY(xfer->x_nblks <= 0x10000);
4488 
4489 		cmd->nc_sqe.sqe_nsid = ns->ns_id;
4490 
4491 		cmd->nc_sqe.sqe_cdw10 = xfer->x_blkno & 0xffffffffu;
4492 		cmd->nc_sqe.sqe_cdw11 = (xfer->x_blkno >> 32);
4493 		cmd->nc_sqe.sqe_cdw12 = (uint16_t)(xfer->x_nblks - 1);
4494 
4495 		if (nvme_fill_prp(cmd, xfer->x_dmah) != DDI_SUCCESS)
4496 			goto fail;
4497 		break;
4498 
4499 	case NVME_OPC_NVM_FLUSH:
4500 		cmd->nc_sqe.sqe_nsid = ns->ns_id;
4501 		break;
4502 
4503 	case NVME_OPC_NVM_DSET_MGMT:
4504 		cmd->nc_sqe.sqe_nsid = ns->ns_id;
4505 
4506 		if (nvme_fill_ranges(cmd, xfer,
4507 		    (uint64_t)ns->ns_block_size, allocflag) != DDI_SUCCESS)
4508 			goto fail;
4509 		break;
4510 
4511 	default:
4512 		goto fail;
4513 	}
4514 
4515 	return (cmd);
4516 
4517 fail:
4518 	nvme_free_cmd(cmd);
4519 	return (NULL);
4520 }
4521 
4522 static void
4523 nvme_bd_xfer_done(void *arg)
4524 {
4525 	nvme_cmd_t *cmd = arg;
4526 	bd_xfer_t *xfer = cmd->nc_xfer;
4527 	int error = 0;
4528 
4529 	error = nvme_check_cmd_status(cmd);
4530 	nvme_free_cmd(cmd);
4531 
4532 	bd_xfer_done(xfer, error);
4533 }
4534 
4535 static void
4536 nvme_bd_driveinfo(void *arg, bd_drive_t *drive)
4537 {
4538 	nvme_namespace_t *ns = arg;
4539 	nvme_t *nvme = ns->ns_nvme;
4540 	uint_t ns_count = MAX(1, nvme->n_namespaces_attachable);
4541 	boolean_t mutex_exit_needed = B_TRUE;
4542 
4543 	/*
4544 	 * nvme_bd_driveinfo is called by blkdev in two situations:
4545 	 * - during bd_attach_handle(), which we call with the mutex held
4546 	 * - during bd_attach(), which may be called with or without the
4547 	 *   mutex held
4548 	 */
4549 	if (mutex_owned(&nvme->n_mgmt_mutex))
4550 		mutex_exit_needed = B_FALSE;
4551 	else
4552 		mutex_enter(&nvme->n_mgmt_mutex);
4553 
4554 	/*
4555 	 * Set the blkdev qcount to the number of submission queues.
4556 	 * It will then create one waitq/runq pair for each submission
4557 	 * queue and spread I/O requests across the queues.
4558 	 */
4559 	drive->d_qcount = nvme->n_ioq_count;
4560 
4561 	/*
4562 	 * I/O activity to individual namespaces is distributed across
4563 	 * each of the d_qcount blkdev queues (which has been set to
4564 	 * the number of nvme submission queues). d_qsize is the number
4565 	 * of submitted and not completed I/Os within each queue that blkdev
4566 	 * will allow before it starts holding them in the waitq.
4567 	 *
4568 	 * Each namespace will create a child blkdev instance, for each one
4569 	 * we try and set the d_qsize so that each namespace gets an
4570 	 * equal portion of the submission queue.
4571 	 *
4572 	 * If post instantiation of the nvme drive, n_namespaces_attachable
4573 	 * changes and a namespace is attached it could calculate a
4574 	 * different d_qsize. It may even be that the sum of the d_qsizes is
4575 	 * now beyond the submission queue size. Should that be the case
4576 	 * and the I/O rate is such that blkdev attempts to submit more
4577 	 * I/Os than the size of the submission queue, the excess I/Os
4578 	 * will be held behind the semaphore nq_sema.
4579 	 */
4580 	drive->d_qsize = nvme->n_io_squeue_len / ns_count;
4581 
4582 	/*
4583 	 * Don't let the queue size drop below the minimum, though.
4584 	 */
4585 	drive->d_qsize = MAX(drive->d_qsize, NVME_MIN_IO_QUEUE_LEN);
4586 
4587 	/*
4588 	 * d_maxxfer is not set, which means the value is taken from the DMA
4589 	 * attributes specified to bd_alloc_handle.
4590 	 */
4591 
4592 	drive->d_removable = B_FALSE;
4593 	drive->d_hotpluggable = B_FALSE;
4594 
4595 	bcopy(ns->ns_eui64, drive->d_eui64, sizeof (drive->d_eui64));
4596 	drive->d_target = ns->ns_id;
4597 	drive->d_lun = 0;
4598 
4599 	drive->d_model = nvme->n_idctl->id_model;
4600 	drive->d_model_len = sizeof (nvme->n_idctl->id_model);
4601 	drive->d_vendor = nvme->n_vendor;
4602 	drive->d_vendor_len = strlen(nvme->n_vendor);
4603 	drive->d_product = nvme->n_product;
4604 	drive->d_product_len = strlen(nvme->n_product);
4605 	drive->d_serial = nvme->n_idctl->id_serial;
4606 	drive->d_serial_len = sizeof (nvme->n_idctl->id_serial);
4607 	drive->d_revision = nvme->n_idctl->id_fwrev;
4608 	drive->d_revision_len = sizeof (nvme->n_idctl->id_fwrev);
4609 
4610 	/*
4611 	 * If we support the dataset management command, the only restrictions
4612 	 * on a discard request are the maximum number of ranges (segments)
4613 	 * per single request.
4614 	 */
4615 	if (nvme->n_idctl->id_oncs.on_dset_mgmt)
4616 		drive->d_max_free_seg = NVME_DSET_MGMT_MAX_RANGES;
4617 
4618 	if (mutex_exit_needed)
4619 		mutex_exit(&nvme->n_mgmt_mutex);
4620 }
4621 
4622 static int
4623 nvme_bd_mediainfo(void *arg, bd_media_t *media)
4624 {
4625 	nvme_namespace_t *ns = arg;
4626 	nvme_t *nvme = ns->ns_nvme;
4627 	boolean_t mutex_exit_needed = B_TRUE;
4628 
4629 	if (nvme->n_dead) {
4630 		return (EIO);
4631 	}
4632 
4633 	/*
4634 	 * nvme_bd_mediainfo is called by blkdev in various situations,
4635 	 * most of them out of our control. There's one exception though:
4636 	 * When we call bd_state_change() in response to "namespace change"
4637 	 * notification, where the mutex is already being held by us.
4638 	 */
4639 	if (mutex_owned(&nvme->n_mgmt_mutex))
4640 		mutex_exit_needed = B_FALSE;
4641 	else
4642 		mutex_enter(&nvme->n_mgmt_mutex);
4643 
4644 	media->m_nblks = ns->ns_block_count;
4645 	media->m_blksize = ns->ns_block_size;
4646 	media->m_readonly = B_FALSE;
4647 	media->m_solidstate = B_TRUE;
4648 
4649 	media->m_pblksize = ns->ns_best_block_size;
4650 
4651 	if (mutex_exit_needed)
4652 		mutex_exit(&nvme->n_mgmt_mutex);
4653 
4654 	return (0);
4655 }
4656 
4657 static int
4658 nvme_bd_cmd(nvme_namespace_t *ns, bd_xfer_t *xfer, uint8_t opc)
4659 {
4660 	nvme_t *nvme = ns->ns_nvme;
4661 	nvme_cmd_t *cmd;
4662 	nvme_qpair_t *ioq;
4663 	boolean_t poll;
4664 	int ret;
4665 
4666 	if (nvme->n_dead) {
4667 		return (EIO);
4668 	}
4669 
4670 	cmd = nvme_create_nvm_cmd(ns, opc, xfer);
4671 	if (cmd == NULL)
4672 		return (ENOMEM);
4673 
4674 	cmd->nc_sqid = xfer->x_qnum + 1;
4675 	ASSERT(cmd->nc_sqid <= nvme->n_ioq_count);
4676 	ioq = nvme->n_ioq[cmd->nc_sqid];
4677 
4678 	/*
4679 	 * Get the polling flag before submitting the command. The command may
4680 	 * complete immediately after it was submitted, which means we must
4681 	 * treat both cmd and xfer as if they have been freed already.
4682 	 */
4683 	poll = (xfer->x_flags & BD_XFER_POLL) != 0;
4684 
4685 	ret = nvme_submit_io_cmd(ioq, cmd);
4686 
4687 	if (ret != 0)
4688 		return (ret);
4689 
4690 	if (!poll)
4691 		return (0);
4692 
4693 	do {
4694 		cmd = nvme_retrieve_cmd(nvme, ioq);
4695 		if (cmd != NULL)
4696 			cmd->nc_callback(cmd);
4697 		else
4698 			drv_usecwait(10);
4699 	} while (ioq->nq_active_cmds != 0);
4700 
4701 	return (0);
4702 }
4703 
4704 static int
4705 nvme_bd_read(void *arg, bd_xfer_t *xfer)
4706 {
4707 	nvme_namespace_t *ns = arg;
4708 
4709 	return (nvme_bd_cmd(ns, xfer, NVME_OPC_NVM_READ));
4710 }
4711 
4712 static int
4713 nvme_bd_write(void *arg, bd_xfer_t *xfer)
4714 {
4715 	nvme_namespace_t *ns = arg;
4716 
4717 	return (nvme_bd_cmd(ns, xfer, NVME_OPC_NVM_WRITE));
4718 }
4719 
4720 static int
4721 nvme_bd_sync(void *arg, bd_xfer_t *xfer)
4722 {
4723 	nvme_namespace_t *ns = arg;
4724 
4725 	if (ns->ns_nvme->n_dead)
4726 		return (EIO);
4727 
4728 	/*
4729 	 * If the volatile write cache is not present or not enabled the FLUSH
4730 	 * command is a no-op, so we can take a shortcut here.
4731 	 */
4732 	if (!ns->ns_nvme->n_write_cache_present) {
4733 		bd_xfer_done(xfer, ENOTSUP);
4734 		return (0);
4735 	}
4736 
4737 	if (!ns->ns_nvme->n_write_cache_enabled) {
4738 		bd_xfer_done(xfer, 0);
4739 		return (0);
4740 	}
4741 
4742 	return (nvme_bd_cmd(ns, xfer, NVME_OPC_NVM_FLUSH));
4743 }
4744 
4745 static int
4746 nvme_bd_devid(void *arg, dev_info_t *devinfo, ddi_devid_t *devid)
4747 {
4748 	nvme_namespace_t *ns = arg;
4749 	nvme_t *nvme = ns->ns_nvme;
4750 
4751 	if (nvme->n_dead) {
4752 		return (EIO);
4753 	}
4754 
4755 	if (*(uint64_t *)ns->ns_nguid != 0 ||
4756 	    *(uint64_t *)(ns->ns_nguid + 8) != 0) {
4757 		return (ddi_devid_init(devinfo, DEVID_NVME_NGUID,
4758 		    sizeof (ns->ns_nguid), ns->ns_nguid, devid));
4759 	} else if (*(uint64_t *)ns->ns_eui64 != 0) {
4760 		return (ddi_devid_init(devinfo, DEVID_NVME_EUI64,
4761 		    sizeof (ns->ns_eui64), ns->ns_eui64, devid));
4762 	} else {
4763 		return (ddi_devid_init(devinfo, DEVID_NVME_NSID,
4764 		    strlen(ns->ns_devid), ns->ns_devid, devid));
4765 	}
4766 }
4767 
4768 static int
4769 nvme_bd_free_space(void *arg, bd_xfer_t *xfer)
4770 {
4771 	nvme_namespace_t *ns = arg;
4772 
4773 	if (xfer->x_dfl == NULL)
4774 		return (EINVAL);
4775 
4776 	if (!ns->ns_nvme->n_idctl->id_oncs.on_dset_mgmt)
4777 		return (ENOTSUP);
4778 
4779 	return (nvme_bd_cmd(ns, xfer, NVME_OPC_NVM_DSET_MGMT));
4780 }
4781 
4782 static int
4783 nvme_open(dev_t *devp, int flag, int otyp, cred_t *cred_p)
4784 {
4785 #ifndef __lock_lint
4786 	_NOTE(ARGUNUSED(cred_p));
4787 #endif
4788 	minor_t minor = getminor(*devp);
4789 	nvme_t *nvme = ddi_get_soft_state(nvme_state, NVME_MINOR_INST(minor));
4790 	int nsid = NVME_MINOR_NSID(minor);
4791 	nvme_minor_state_t *nm;
4792 	int rv = 0;
4793 
4794 	if (otyp != OTYP_CHR)
4795 		return (EINVAL);
4796 
4797 	if (nvme == NULL)
4798 		return (ENXIO);
4799 
4800 	if (nsid > nvme->n_namespace_count)
4801 		return (ENXIO);
4802 
4803 	if (nvme->n_dead)
4804 		return (EIO);
4805 
4806 	mutex_enter(&nvme->n_minor_mutex);
4807 
4808 	/*
4809 	 * First check the devctl node and error out if it's been opened
4810 	 * exclusively already by any other thread.
4811 	 */
4812 	if (nvme->n_minor.nm_oexcl != NULL &&
4813 	    nvme->n_minor.nm_oexcl != curthread) {
4814 		rv = EBUSY;
4815 		goto out;
4816 	}
4817 
4818 	nm = nsid == 0 ? &nvme->n_minor : &(NVME_NSID2NS(nvme, nsid)->ns_minor);
4819 
4820 	if (flag & FEXCL) {
4821 		if (nm->nm_oexcl != NULL || nm->nm_open) {
4822 			rv = EBUSY;
4823 			goto out;
4824 		}
4825 
4826 		/*
4827 		 * If at least one namespace is already open, fail the
4828 		 * exclusive open of the devctl node.
4829 		 */
4830 		if (nsid == 0) {
4831 			for (int i = 1; i <= nvme->n_namespace_count; i++) {
4832 				if (NVME_NSID2NS(nvme, i)->ns_minor.nm_open) {
4833 					rv = EBUSY;
4834 					goto out;
4835 				}
4836 			}
4837 		}
4838 
4839 		nm->nm_oexcl = curthread;
4840 	}
4841 
4842 	nm->nm_open = B_TRUE;
4843 
4844 out:
4845 	mutex_exit(&nvme->n_minor_mutex);
4846 	return (rv);
4847 
4848 }
4849 
4850 static int
4851 nvme_close(dev_t dev, int flag, int otyp, cred_t *cred_p)
4852 {
4853 #ifndef __lock_lint
4854 	_NOTE(ARGUNUSED(cred_p));
4855 	_NOTE(ARGUNUSED(flag));
4856 #endif
4857 	minor_t minor = getminor(dev);
4858 	nvme_t *nvme = ddi_get_soft_state(nvme_state, NVME_MINOR_INST(minor));
4859 	int nsid = NVME_MINOR_NSID(minor);
4860 	nvme_minor_state_t *nm;
4861 
4862 	if (otyp != OTYP_CHR)
4863 		return (ENXIO);
4864 
4865 	if (nvme == NULL)
4866 		return (ENXIO);
4867 
4868 	if (nsid > nvme->n_namespace_count)
4869 		return (ENXIO);
4870 
4871 	nm = nsid == 0 ? &nvme->n_minor : &(NVME_NSID2NS(nvme, nsid)->ns_minor);
4872 
4873 	mutex_enter(&nvme->n_minor_mutex);
4874 	if (nm->nm_oexcl != NULL) {
4875 		ASSERT(nm->nm_oexcl == curthread);
4876 		nm->nm_oexcl = NULL;
4877 	}
4878 
4879 	ASSERT(nm->nm_open);
4880 	nm->nm_open = B_FALSE;
4881 	mutex_exit(&nvme->n_minor_mutex);
4882 
4883 	return (0);
4884 }
4885 
4886 static int
4887 nvme_ioctl_identify(nvme_t *nvme, int nsid, nvme_ioctl_t *nioc, int mode,
4888     cred_t *cred_p)
4889 {
4890 	_NOTE(ARGUNUSED(cred_p));
4891 	int rv = 0;
4892 	void *idctl;
4893 
4894 	if ((mode & FREAD) == 0)
4895 		return (EPERM);
4896 
4897 	if (nioc->n_len < NVME_IDENTIFY_BUFSIZE)
4898 		return (EINVAL);
4899 
4900 	switch (nioc->n_arg) {
4901 	case NVME_IDENTIFY_NSID:
4902 		/*
4903 		 * If we support namespace management, set the nsid to -1 to
4904 		 * retrieve the common namespace capabilities. Otherwise
4905 		 * have a best guess by returning identify data for namespace 1.
4906 		 */
4907 		if (nsid == 0)
4908 			nsid = nvme->n_idctl->id_oacs.oa_nsmgmt == 1 ? -1 : 1;
4909 		break;
4910 
4911 	case NVME_IDENTIFY_CTRL:
4912 		/*
4913 		 * Let NVME_IDENTIFY_CTRL work the same on devctl and attachment
4914 		 * point nodes.
4915 		 */
4916 		nsid = 0;
4917 		break;
4918 
4919 	case NVME_IDENTIFY_NSID_LIST:
4920 		if (!NVME_VERSION_ATLEAST(&nvme->n_version, 1, 1))
4921 			return (ENOTSUP);
4922 
4923 		/*
4924 		 * For now, always try to get the list of active NSIDs starting
4925 		 * at the first namespace. This will have to be revisited should
4926 		 * the need arise to support more than 1024 namespaces.
4927 		 */
4928 		nsid = 0;
4929 		break;
4930 
4931 	case NVME_IDENTIFY_NSID_DESC:
4932 		if (!NVME_VERSION_ATLEAST(&nvme->n_version, 1, 3))
4933 			return (ENOTSUP);
4934 		break;
4935 
4936 	case NVME_IDENTIFY_NSID_ALLOC:
4937 		if (!NVME_VERSION_ATLEAST(&nvme->n_version, 1, 2) ||
4938 		    (nvme->n_idctl->id_oacs.oa_nsmgmt == 0))
4939 			return (ENOTSUP);
4940 
4941 		/*
4942 		 * To make this work on a devctl node, make this return the
4943 		 * identify data for namespace 1. We assume that any NVMe
4944 		 * device supports at least one namespace, which has ID 1.
4945 		 */
4946 		if (nsid == 0)
4947 			nsid = 1;
4948 		break;
4949 
4950 	case NVME_IDENTIFY_NSID_ALLOC_LIST:
4951 		if (!NVME_VERSION_ATLEAST(&nvme->n_version, 1, 2) ||
4952 		    (nvme->n_idctl->id_oacs.oa_nsmgmt == 0))
4953 			return (ENOTSUP);
4954 
4955 		/*
4956 		 * For now, always try to get the list of allocated NSIDs
4957 		 * starting at the first namespace. This will have to be
4958 		 * revisited should the need arise to support more than 1024
4959 		 * namespaces.
4960 		 */
4961 		nsid = 0;
4962 		break;
4963 
4964 	case NVME_IDENTIFY_NSID_CTRL_LIST:
4965 		if (!NVME_VERSION_ATLEAST(&nvme->n_version, 1, 2) ||
4966 		    (nvme->n_idctl->id_oacs.oa_nsmgmt == 0))
4967 			return (ENOTSUP);
4968 
4969 		if (nsid == 0)
4970 			return (EINVAL);
4971 		break;
4972 
4973 	case NVME_IDENTIFY_CTRL_LIST:
4974 		if (!NVME_VERSION_ATLEAST(&nvme->n_version, 1, 2) ||
4975 		    (nvme->n_idctl->id_oacs.oa_nsmgmt == 0))
4976 			return (ENOTSUP);
4977 
4978 		if (nsid != 0)
4979 			return (EINVAL);
4980 		break;
4981 
4982 	default:
4983 		return (EINVAL);
4984 	}
4985 
4986 	if ((rv = nvme_identify(nvme, B_TRUE, nsid, nioc->n_arg & 0xff,
4987 	    (void **)&idctl)) != 0)
4988 		return (rv);
4989 
4990 	if (ddi_copyout(idctl, (void *)nioc->n_buf, NVME_IDENTIFY_BUFSIZE, mode)
4991 	    != 0)
4992 		rv = EFAULT;
4993 
4994 	kmem_free(idctl, NVME_IDENTIFY_BUFSIZE);
4995 
4996 	return (rv);
4997 }
4998 
4999 /*
5000  * Execute commands on behalf of the various ioctls.
5001  */
5002 static int
5003 nvme_ioc_cmd(nvme_t *nvme, nvme_sqe_t *sqe, boolean_t is_admin, void *data_addr,
5004     uint32_t data_len, int rwk, nvme_cqe_t *cqe, uint_t timeout)
5005 {
5006 	nvme_cmd_t *cmd;
5007 	nvme_qpair_t *ioq;
5008 	int rv = 0;
5009 
5010 	cmd = nvme_alloc_cmd(nvme, KM_SLEEP);
5011 	if (is_admin) {
5012 		cmd->nc_sqid = 0;
5013 		ioq = nvme->n_adminq;
5014 	} else {
5015 		cmd->nc_sqid = (CPU->cpu_id % nvme->n_ioq_count) + 1;
5016 		ASSERT(cmd->nc_sqid <= nvme->n_ioq_count);
5017 		ioq = nvme->n_ioq[cmd->nc_sqid];
5018 	}
5019 
5020 	/*
5021 	 * This function is used to facilitate requests from
5022 	 * userspace, so don't panic if the command fails. This
5023 	 * is especially true for admin passthru commands, where
5024 	 * the actual command data structure is entirely defined
5025 	 * by userspace.
5026 	 */
5027 	cmd->nc_dontpanic = B_TRUE;
5028 
5029 	cmd->nc_callback = nvme_wakeup_cmd;
5030 	cmd->nc_sqe = *sqe;
5031 
5032 	if ((rwk & (FREAD | FWRITE)) != 0) {
5033 		if (data_addr == NULL) {
5034 			rv = EINVAL;
5035 			goto free_cmd;
5036 		}
5037 
5038 		if (nvme_zalloc_dma(nvme, data_len, DDI_DMA_READ,
5039 		    &nvme->n_prp_dma_attr, &cmd->nc_dma) != DDI_SUCCESS) {
5040 			dev_err(nvme->n_dip, CE_WARN,
5041 			    "!nvme_zalloc_dma failed for nvme_ioc_cmd()");
5042 
5043 			rv = ENOMEM;
5044 			goto free_cmd;
5045 		}
5046 
5047 		if ((rv = nvme_fill_prp(cmd, cmd->nc_dma->nd_dmah)) != 0)
5048 			goto free_cmd;
5049 
5050 		if ((rwk & FWRITE) != 0) {
5051 			if (ddi_copyin(data_addr, cmd->nc_dma->nd_memp,
5052 			    data_len, rwk & FKIOCTL) != 0) {
5053 				rv = EFAULT;
5054 				goto free_cmd;
5055 			}
5056 		}
5057 	}
5058 
5059 	if (is_admin) {
5060 		nvme_admin_cmd(cmd, timeout);
5061 	} else {
5062 		mutex_enter(&cmd->nc_mutex);
5063 
5064 		rv = nvme_submit_io_cmd(ioq, cmd);
5065 
5066 		if (rv == EAGAIN) {
5067 			mutex_exit(&cmd->nc_mutex);
5068 			dev_err(cmd->nc_nvme->n_dip, CE_WARN,
5069 			    "!nvme_ioc_cmd() failed, I/O Q full");
5070 			goto free_cmd;
5071 		}
5072 
5073 		nvme_wait_cmd(cmd, timeout);
5074 
5075 		mutex_exit(&cmd->nc_mutex);
5076 	}
5077 
5078 	if (cqe != NULL)
5079 		*cqe = cmd->nc_cqe;
5080 
5081 	if ((rv = nvme_check_cmd_status(cmd)) != 0) {
5082 		dev_err(nvme->n_dip, CE_WARN,
5083 		    "!nvme_ioc_cmd() failed with sct = %x, sc = %x",
5084 		    cmd->nc_cqe.cqe_sf.sf_sct, cmd->nc_cqe.cqe_sf.sf_sc);
5085 
5086 		goto free_cmd;
5087 	}
5088 
5089 	if ((rwk & FREAD) != 0) {
5090 		if (ddi_copyout(cmd->nc_dma->nd_memp,
5091 		    data_addr, data_len, rwk & FKIOCTL) != 0)
5092 			rv = EFAULT;
5093 	}
5094 
5095 free_cmd:
5096 	nvme_free_cmd(cmd);
5097 
5098 	return (rv);
5099 }
5100 
5101 static int
5102 nvme_ioctl_capabilities(nvme_t *nvme, int nsid, nvme_ioctl_t *nioc,
5103     int mode, cred_t *cred_p)
5104 {
5105 	_NOTE(ARGUNUSED(nsid, cred_p));
5106 	int rv = 0;
5107 	nvme_reg_cap_t cap = { 0 };
5108 	nvme_capabilities_t nc;
5109 
5110 	if ((mode & FREAD) == 0)
5111 		return (EPERM);
5112 
5113 	if (nioc->n_len < sizeof (nc))
5114 		return (EINVAL);
5115 
5116 	cap.r = nvme_get64(nvme, NVME_REG_CAP);
5117 
5118 	/*
5119 	 * The MPSMIN and MPSMAX fields in the CAP register use 0 to
5120 	 * specify the base page size of 4k (1<<12), so add 12 here to
5121 	 * get the real page size value.
5122 	 */
5123 	nc.mpsmax = 1 << (12 + cap.b.cap_mpsmax);
5124 	nc.mpsmin = 1 << (12 + cap.b.cap_mpsmin);
5125 
5126 	if (ddi_copyout(&nc, (void *)nioc->n_buf, sizeof (nc), mode) != 0)
5127 		rv = EFAULT;
5128 
5129 	return (rv);
5130 }
5131 
5132 static int
5133 nvme_ioctl_get_logpage(nvme_t *nvme, int nsid, nvme_ioctl_t *nioc,
5134     int mode, cred_t *cred_p)
5135 {
5136 	_NOTE(ARGUNUSED(cred_p));
5137 	void *log = NULL;
5138 	size_t bufsize = 0;
5139 	int rv = 0;
5140 
5141 	if ((mode & FREAD) == 0)
5142 		return (EPERM);
5143 
5144 	if (nsid > 0 && !NVME_NSID2NS(nvme, nsid)->ns_active)
5145 		return (EINVAL);
5146 
5147 	switch (nioc->n_arg) {
5148 	case NVME_LOGPAGE_ERROR:
5149 		if (nsid != 0)
5150 			return (EINVAL);
5151 		break;
5152 	case NVME_LOGPAGE_HEALTH:
5153 		if (nsid != 0 && nvme->n_idctl->id_lpa.lp_smart == 0)
5154 			return (EINVAL);
5155 
5156 		if (nsid == 0)
5157 			nsid = (uint32_t)-1;
5158 
5159 		break;
5160 	case NVME_LOGPAGE_FWSLOT:
5161 		if (nsid != 0)
5162 			return (EINVAL);
5163 		break;
5164 	default:
5165 		if (!NVME_IS_VENDOR_SPECIFIC_LOGPAGE(nioc->n_arg))
5166 			return (EINVAL);
5167 		if (nioc->n_len > NVME_VENDOR_SPECIFIC_LOGPAGE_MAX_SIZE) {
5168 			dev_err(nvme->n_dip, CE_NOTE, "!Vendor-specific log "
5169 			    "page size exceeds device maximum supported size: "
5170 			    "%lu", NVME_VENDOR_SPECIFIC_LOGPAGE_MAX_SIZE);
5171 			return (EINVAL);
5172 		}
5173 		if (nioc->n_len == 0)
5174 			return (EINVAL);
5175 		bufsize = nioc->n_len;
5176 		if (nsid == 0)
5177 			nsid = (uint32_t)-1;
5178 	}
5179 
5180 	if (nvme_get_logpage(nvme, B_TRUE, &log, &bufsize, nioc->n_arg, nsid)
5181 	    != DDI_SUCCESS)
5182 		return (EIO);
5183 
5184 	if (nioc->n_len < bufsize) {
5185 		kmem_free(log, bufsize);
5186 		return (EINVAL);
5187 	}
5188 
5189 	if (ddi_copyout(log, (void *)nioc->n_buf, bufsize, mode) != 0)
5190 		rv = EFAULT;
5191 
5192 	nioc->n_len = bufsize;
5193 	kmem_free(log, bufsize);
5194 
5195 	return (rv);
5196 }
5197 
5198 static int
5199 nvme_ioctl_get_features(nvme_t *nvme, int nsid, nvme_ioctl_t *nioc,
5200     int mode, cred_t *cred_p)
5201 {
5202 	_NOTE(ARGUNUSED(cred_p));
5203 	void *buf = NULL;
5204 	size_t bufsize = 0;
5205 	uint32_t res = 0;
5206 	uint8_t feature;
5207 	int rv = 0;
5208 
5209 	if ((mode & FREAD) == 0)
5210 		return (EPERM);
5211 
5212 	if (nsid > 0 && !NVME_NSID2NS(nvme, nsid)->ns_active)
5213 		return (EINVAL);
5214 
5215 	if ((nioc->n_arg >> 32) > 0xff)
5216 		return (EINVAL);
5217 
5218 	feature = (uint8_t)(nioc->n_arg >> 32);
5219 
5220 	switch (feature) {
5221 	case NVME_FEAT_ARBITRATION:
5222 	case NVME_FEAT_POWER_MGMT:
5223 	case NVME_FEAT_ERROR:
5224 	case NVME_FEAT_NQUEUES:
5225 	case NVME_FEAT_INTR_COAL:
5226 	case NVME_FEAT_WRITE_ATOM:
5227 	case NVME_FEAT_ASYNC_EVENT:
5228 	case NVME_FEAT_PROGRESS:
5229 		if (nsid != 0)
5230 			return (EINVAL);
5231 		break;
5232 
5233 	case NVME_FEAT_TEMPERATURE:
5234 		if (nsid != 0)
5235 			return (EINVAL);
5236 		res = nioc->n_arg & 0xffffffffUL;
5237 		if (NVME_VERSION_ATLEAST(&nvme->n_version, 1, 2)) {
5238 			nvme_temp_threshold_t tt;
5239 
5240 			tt.r = res;
5241 			if (tt.b.tt_thsel != NVME_TEMP_THRESH_OVER &&
5242 			    tt.b.tt_thsel != NVME_TEMP_THRESH_UNDER) {
5243 				return (EINVAL);
5244 			}
5245 
5246 			if (tt.b.tt_tmpsel > NVME_TEMP_THRESH_MAX_SENSOR) {
5247 				return (EINVAL);
5248 			}
5249 		} else if (res != 0) {
5250 			return (ENOTSUP);
5251 		}
5252 		break;
5253 
5254 	case NVME_FEAT_INTR_VECT:
5255 		if (nsid != 0)
5256 			return (EINVAL);
5257 
5258 		res = nioc->n_arg & 0xffffffffUL;
5259 		if (res >= nvme->n_intr_cnt)
5260 			return (EINVAL);
5261 		break;
5262 
5263 	case NVME_FEAT_LBA_RANGE:
5264 		if (nvme->n_lba_range_supported == B_FALSE)
5265 			return (EINVAL);
5266 
5267 		if (nsid == 0 ||
5268 		    nsid > nvme->n_namespace_count)
5269 			return (EINVAL);
5270 
5271 		break;
5272 
5273 	case NVME_FEAT_WRITE_CACHE:
5274 		if (nsid != 0)
5275 			return (EINVAL);
5276 
5277 		if (!nvme->n_write_cache_present)
5278 			return (EINVAL);
5279 
5280 		break;
5281 
5282 	case NVME_FEAT_AUTO_PST:
5283 		if (nsid != 0)
5284 			return (EINVAL);
5285 
5286 		if (!nvme->n_auto_pst_supported)
5287 			return (EINVAL);
5288 
5289 		break;
5290 
5291 	default:
5292 		return (EINVAL);
5293 	}
5294 
5295 	rv = nvme_get_features(nvme, B_TRUE, nsid, feature, &res, &buf,
5296 	    &bufsize);
5297 	if (rv != 0)
5298 		return (rv);
5299 
5300 	if (nioc->n_len < bufsize) {
5301 		kmem_free(buf, bufsize);
5302 		return (EINVAL);
5303 	}
5304 
5305 	if (buf && ddi_copyout(buf, (void*)nioc->n_buf, bufsize, mode) != 0)
5306 		rv = EFAULT;
5307 
5308 	kmem_free(buf, bufsize);
5309 	nioc->n_arg = res;
5310 	nioc->n_len = bufsize;
5311 
5312 	return (rv);
5313 }
5314 
5315 static int
5316 nvme_ioctl_intr_cnt(nvme_t *nvme, int nsid, nvme_ioctl_t *nioc, int mode,
5317     cred_t *cred_p)
5318 {
5319 	_NOTE(ARGUNUSED(nsid, mode, cred_p));
5320 
5321 	if ((mode & FREAD) == 0)
5322 		return (EPERM);
5323 
5324 	nioc->n_arg = nvme->n_intr_cnt;
5325 	return (0);
5326 }
5327 
5328 static int
5329 nvme_ioctl_version(nvme_t *nvme, int nsid, nvme_ioctl_t *nioc, int mode,
5330     cred_t *cred_p)
5331 {
5332 	_NOTE(ARGUNUSED(nsid, cred_p));
5333 	int rv = 0;
5334 
5335 	if ((mode & FREAD) == 0)
5336 		return (EPERM);
5337 
5338 	if (nioc->n_len < sizeof (nvme->n_version))
5339 		return (ENOMEM);
5340 
5341 	if (ddi_copyout(&nvme->n_version, (void *)nioc->n_buf,
5342 	    sizeof (nvme->n_version), mode) != 0)
5343 		rv = EFAULT;
5344 
5345 	return (rv);
5346 }
5347 
5348 static int
5349 nvme_ioctl_format(nvme_t *nvme, int nsid, nvme_ioctl_t *nioc, int mode,
5350     cred_t *cred_p)
5351 {
5352 	_NOTE(ARGUNUSED(mode));
5353 	nvme_format_nvm_t frmt = { 0 };
5354 	int c_nsid = nsid != 0 ? nsid : 1;
5355 	nvme_identify_nsid_t *idns;
5356 	nvme_minor_state_t *nm;
5357 
5358 	if ((mode & FWRITE) == 0 || secpolicy_sys_config(cred_p, B_FALSE) != 0)
5359 		return (EPERM);
5360 
5361 	nm = nsid == 0 ? &nvme->n_minor : &(NVME_NSID2NS(nvme, nsid)->ns_minor);
5362 	if (nm->nm_oexcl != curthread)
5363 		return (EACCES);
5364 
5365 	if (nsid != 0) {
5366 		if (NVME_NSID2NS(nvme, nsid)->ns_attached)
5367 			return (EBUSY);
5368 		else if (!NVME_NSID2NS(nvme, nsid)->ns_active)
5369 			return (EINVAL);
5370 	}
5371 
5372 	frmt.r = nioc->n_arg & 0xffffffff;
5373 
5374 	/*
5375 	 * Check whether the FORMAT NVM command is supported.
5376 	 */
5377 	if (nvme->n_idctl->id_oacs.oa_format == 0)
5378 		return (ENOTSUP);
5379 
5380 	/*
5381 	 * Don't allow format or secure erase of individual namespace if that
5382 	 * would cause a format or secure erase of all namespaces.
5383 	 */
5384 	if (nsid != 0 && nvme->n_idctl->id_fna.fn_format != 0)
5385 		return (EINVAL);
5386 
5387 	if (nsid != 0 && frmt.b.fm_ses != NVME_FRMT_SES_NONE &&
5388 	    nvme->n_idctl->id_fna.fn_sec_erase != 0)
5389 		return (EINVAL);
5390 
5391 	/*
5392 	 * Don't allow formatting with Protection Information.
5393 	 */
5394 	if (frmt.b.fm_pi != 0 || frmt.b.fm_pil != 0 || frmt.b.fm_ms != 0)
5395 		return (EINVAL);
5396 
5397 	/*
5398 	 * Don't allow formatting using an illegal LBA format, or any LBA format
5399 	 * that uses metadata.
5400 	 */
5401 	idns = NVME_NSID2NS(nvme, c_nsid)->ns_idns;
5402 	if (frmt.b.fm_lbaf > idns->id_nlbaf ||
5403 	    idns->id_lbaf[frmt.b.fm_lbaf].lbaf_ms != 0)
5404 		return (EINVAL);
5405 
5406 	/*
5407 	 * Don't allow formatting using an illegal Secure Erase setting.
5408 	 */
5409 	if (frmt.b.fm_ses > NVME_FRMT_MAX_SES ||
5410 	    (frmt.b.fm_ses == NVME_FRMT_SES_CRYPTO &&
5411 	    nvme->n_idctl->id_fna.fn_crypt_erase == 0))
5412 		return (EINVAL);
5413 
5414 	if (nsid == 0)
5415 		nsid = (uint32_t)-1;
5416 
5417 	return (nvme_format_nvm(nvme, B_TRUE, nsid, frmt.b.fm_lbaf, B_FALSE, 0,
5418 	    B_FALSE, frmt.b.fm_ses));
5419 }
5420 
5421 static int
5422 nvme_ioctl_detach(nvme_t *nvme, int nsid, nvme_ioctl_t *nioc, int mode,
5423     cred_t *cred_p)
5424 {
5425 	_NOTE(ARGUNUSED(nioc, mode));
5426 	int rv;
5427 
5428 	if ((mode & FWRITE) == 0 || secpolicy_sys_config(cred_p, B_FALSE) != 0)
5429 		return (EPERM);
5430 
5431 	if (nsid == 0)
5432 		return (EINVAL);
5433 
5434 	if (NVME_NSID2NS(nvme, nsid)->ns_minor.nm_oexcl != curthread)
5435 		return (EACCES);
5436 
5437 	mutex_enter(&nvme->n_mgmt_mutex);
5438 
5439 	rv = nvme_detach_ns(nvme, nsid);
5440 
5441 	mutex_exit(&nvme->n_mgmt_mutex);
5442 
5443 	return (rv);
5444 }
5445 
5446 static int
5447 nvme_ioctl_attach(nvme_t *nvme, int nsid, nvme_ioctl_t *nioc, int mode,
5448     cred_t *cred_p)
5449 {
5450 	_NOTE(ARGUNUSED(nioc, mode));
5451 	int rv;
5452 
5453 	if ((mode & FWRITE) == 0 || secpolicy_sys_config(cred_p, B_FALSE) != 0)
5454 		return (EPERM);
5455 
5456 	if (nsid == 0)
5457 		return (EINVAL);
5458 
5459 	if (NVME_NSID2NS(nvme, nsid)->ns_minor.nm_oexcl != curthread)
5460 		return (EACCES);
5461 
5462 	mutex_enter(&nvme->n_mgmt_mutex);
5463 
5464 	if (nvme_init_ns(nvme, nsid) != DDI_SUCCESS) {
5465 		mutex_exit(&nvme->n_mgmt_mutex);
5466 		return (EIO);
5467 	}
5468 
5469 	rv = nvme_attach_ns(nvme, nsid);
5470 
5471 	mutex_exit(&nvme->n_mgmt_mutex);
5472 	return (rv);
5473 }
5474 
5475 static void
5476 nvme_ufm_update(nvme_t *nvme)
5477 {
5478 	mutex_enter(&nvme->n_fwslot_mutex);
5479 	ddi_ufm_update(nvme->n_ufmh);
5480 	if (nvme->n_fwslot != NULL) {
5481 		kmem_free(nvme->n_fwslot, sizeof (nvme_fwslot_log_t));
5482 		nvme->n_fwslot = NULL;
5483 	}
5484 	mutex_exit(&nvme->n_fwslot_mutex);
5485 }
5486 
5487 static int
5488 nvme_ioctl_firmware_download(nvme_t *nvme, int nsid, nvme_ioctl_t *nioc,
5489     int mode, cred_t *cred_p)
5490 {
5491 	int rv = 0;
5492 	size_t len, copylen;
5493 	offset_t offset;
5494 	uintptr_t buf;
5495 	nvme_cqe_t cqe = { 0 };
5496 	nvme_sqe_t sqe = {
5497 	    .sqe_opc	= NVME_OPC_FW_IMAGE_LOAD
5498 	};
5499 
5500 	if ((mode & FWRITE) == 0 || secpolicy_sys_config(cred_p, B_FALSE) != 0)
5501 		return (EPERM);
5502 
5503 	if (nvme->n_idctl->id_oacs.oa_firmware == 0)
5504 		return (ENOTSUP);
5505 
5506 	if (nsid != 0)
5507 		return (EINVAL);
5508 
5509 	/*
5510 	 * The offset (in n_len) is restricted to the number of DWORDs in
5511 	 * 32 bits.
5512 	 */
5513 	if (nioc->n_len > NVME_FW_OFFSETB_MAX)
5514 		return (EINVAL);
5515 
5516 	/* Confirm that both offset and length are a multiple of DWORD bytes */
5517 	if ((nioc->n_len & NVME_DWORD_MASK) != 0 ||
5518 	    (nioc->n_arg & NVME_DWORD_MASK) != 0)
5519 		return (EINVAL);
5520 
5521 	len = nioc->n_len;
5522 	offset = nioc->n_arg;
5523 	buf = (uintptr_t)nioc->n_buf;
5524 
5525 	nioc->n_arg = 0;
5526 
5527 	while (len > 0 && rv == 0) {
5528 		/*
5529 		 * nvme_ioc_cmd() does not use SGLs or PRP lists.
5530 		 * It is limited to 2 PRPs per NVM command, so limit
5531 		 * the size of the data to 2 pages.
5532 		 */
5533 		copylen = MIN(2 * nvme->n_pagesize, len);
5534 
5535 		sqe.sqe_cdw10 = (uint32_t)(copylen >> NVME_DWORD_SHIFT) - 1;
5536 		sqe.sqe_cdw11 = (uint32_t)(offset >> NVME_DWORD_SHIFT);
5537 
5538 		rv = nvme_ioc_cmd(nvme, &sqe, B_TRUE, (void *)buf, copylen,
5539 		    FWRITE, &cqe, nvme_admin_cmd_timeout);
5540 
5541 		/*
5542 		 * Regardless of whether the command succeeded or not, whether
5543 		 * there's an errno in rv to be returned, we'll return any
5544 		 * command-specific status code in n_arg.
5545 		 *
5546 		 * As n_arg isn't cleared in all other possible code paths
5547 		 * returning an error, we return the status code as a negative
5548 		 * value so it can be distinguished easily from whatever value
5549 		 * was passed in n_arg originally. This of course only works as
5550 		 * long as arguments passed in n_arg are less than INT64_MAX,
5551 		 * which they currently are.
5552 		 */
5553 		if (cqe.cqe_sf.sf_sct == NVME_CQE_SCT_SPECIFIC)
5554 			nioc->n_arg = (uint64_t)-cqe.cqe_sf.sf_sc;
5555 
5556 		buf += copylen;
5557 		offset += copylen;
5558 		len -= copylen;
5559 	}
5560 
5561 	/*
5562 	 * Let the DDI UFM subsystem know that the firmware information for
5563 	 * this device has changed.
5564 	 */
5565 	nvme_ufm_update(nvme);
5566 
5567 	return (rv);
5568 }
5569 
5570 static int
5571 nvme_ioctl_firmware_commit(nvme_t *nvme, int nsid, nvme_ioctl_t *nioc,
5572     int mode, cred_t *cred_p)
5573 {
5574 	nvme_firmware_commit_dw10_t fc_dw10 = { 0 };
5575 	uint32_t slot = nioc->n_arg & 0xffffffff;
5576 	uint32_t action = nioc->n_arg >> 32;
5577 	nvme_cqe_t cqe = { 0 };
5578 	nvme_sqe_t sqe = {
5579 	    .sqe_opc	= NVME_OPC_FW_ACTIVATE
5580 	};
5581 	int timeout;
5582 	int rv;
5583 
5584 	if ((mode & FWRITE) == 0 || secpolicy_sys_config(cred_p, B_FALSE) != 0)
5585 		return (EPERM);
5586 
5587 	if (nvme->n_idctl->id_oacs.oa_firmware == 0)
5588 		return (ENOTSUP);
5589 
5590 	if (nsid != 0)
5591 		return (EINVAL);
5592 
5593 	/* Validate slot is in range. */
5594 	if (slot < NVME_FW_SLOT_MIN || slot > NVME_FW_SLOT_MAX)
5595 		return (EINVAL);
5596 
5597 	switch (action) {
5598 	case NVME_FWC_SAVE:
5599 	case NVME_FWC_SAVE_ACTIVATE:
5600 		timeout = nvme_commit_save_cmd_timeout;
5601 		if (slot == 1 && nvme->n_idctl->id_frmw.fw_readonly)
5602 			return (EROFS);
5603 		break;
5604 	case NVME_FWC_ACTIVATE:
5605 	case NVME_FWC_ACTIVATE_IMMED:
5606 		timeout = nvme_admin_cmd_timeout;
5607 		break;
5608 	default:
5609 		return (EINVAL);
5610 	}
5611 
5612 	fc_dw10.b.fc_slot = slot;
5613 	fc_dw10.b.fc_action = action;
5614 	sqe.sqe_cdw10 = fc_dw10.r;
5615 
5616 	nioc->n_arg = 0;
5617 	rv = nvme_ioc_cmd(nvme, &sqe, B_TRUE, NULL, 0, 0, &cqe, timeout);
5618 
5619 	/*
5620 	 * Regardless of whether the command succeeded or not, whether
5621 	 * there's an errno in rv to be returned, we'll return any
5622 	 * command-specific status code in n_arg.
5623 	 *
5624 	 * As n_arg isn't cleared in all other possible code paths
5625 	 * returning an error, we return the status code as a negative
5626 	 * value so it can be distinguished easily from whatever value
5627 	 * was passed in n_arg originally. This of course only works as
5628 	 * long as arguments passed in n_arg are less than INT64_MAX,
5629 	 * which they currently are.
5630 	 */
5631 	if (cqe.cqe_sf.sf_sct == NVME_CQE_SCT_SPECIFIC)
5632 		nioc->n_arg = (uint64_t)-cqe.cqe_sf.sf_sc;
5633 
5634 	/*
5635 	 * Let the DDI UFM subsystem know that the firmware information for
5636 	 * this device has changed.
5637 	 */
5638 	nvme_ufm_update(nvme);
5639 
5640 	return (rv);
5641 }
5642 
5643 /*
5644  * Helper to copy in a passthru command from userspace, handling
5645  * different data models.
5646  */
5647 static int
5648 nvme_passthru_copy_cmd_in(const void *buf, nvme_passthru_cmd_t *cmd, int mode)
5649 {
5650 #ifdef _MULTI_DATAMODEL
5651 	switch (ddi_model_convert_from(mode & FMODELS)) {
5652 	case DDI_MODEL_ILP32: {
5653 		nvme_passthru_cmd32_t cmd32;
5654 		if (ddi_copyin(buf, (void*)&cmd32, sizeof (cmd32), mode) != 0)
5655 			return (-1);
5656 		cmd->npc_opcode = cmd32.npc_opcode;
5657 		cmd->npc_timeout = cmd32.npc_timeout;
5658 		cmd->npc_flags = cmd32.npc_flags;
5659 		cmd->npc_cdw12 = cmd32.npc_cdw12;
5660 		cmd->npc_cdw13 = cmd32.npc_cdw13;
5661 		cmd->npc_cdw14 = cmd32.npc_cdw14;
5662 		cmd->npc_cdw15 = cmd32.npc_cdw15;
5663 		cmd->npc_buflen = cmd32.npc_buflen;
5664 		cmd->npc_buf = cmd32.npc_buf;
5665 		break;
5666 	}
5667 	case DDI_MODEL_NONE:
5668 #endif
5669 	if (ddi_copyin(buf, (void*)cmd, sizeof (nvme_passthru_cmd_t),
5670 	    mode) != 0)
5671 		return (-1);
5672 #ifdef _MULTI_DATAMODEL
5673 		break;
5674 	}
5675 #endif
5676 	return (0);
5677 }
5678 
5679 /*
5680  * Helper to copy out a passthru command result to userspace, handling
5681  * different data models.
5682  */
5683 static int
5684 nvme_passthru_copy_cmd_out(const nvme_passthru_cmd_t *cmd, void *buf, int mode)
5685 {
5686 #ifdef _MULTI_DATAMODEL
5687 	switch (ddi_model_convert_from(mode & FMODELS)) {
5688 	case DDI_MODEL_ILP32: {
5689 		nvme_passthru_cmd32_t cmd32;
5690 		bzero(&cmd32, sizeof (cmd32));
5691 		cmd32.npc_opcode = cmd->npc_opcode;
5692 		cmd32.npc_status = cmd->npc_status;
5693 		cmd32.npc_err = cmd->npc_err;
5694 		cmd32.npc_timeout = cmd->npc_timeout;
5695 		cmd32.npc_flags = cmd->npc_flags;
5696 		cmd32.npc_cdw0 = cmd->npc_cdw0;
5697 		cmd32.npc_cdw12 = cmd->npc_cdw12;
5698 		cmd32.npc_cdw13 = cmd->npc_cdw13;
5699 		cmd32.npc_cdw14 = cmd->npc_cdw14;
5700 		cmd32.npc_cdw15 = cmd->npc_cdw15;
5701 		cmd32.npc_buflen = (size32_t)cmd->npc_buflen;
5702 		cmd32.npc_buf = (uintptr32_t)cmd->npc_buf;
5703 		if (ddi_copyout(&cmd32, buf, sizeof (cmd32), mode) != 0)
5704 			return (-1);
5705 		break;
5706 	}
5707 	case DDI_MODEL_NONE:
5708 #endif
5709 		if (ddi_copyout(cmd, buf, sizeof (nvme_passthru_cmd_t),
5710 		    mode) != 0)
5711 			return (-1);
5712 #ifdef _MULTI_DATAMODEL
5713 		break;
5714 	}
5715 #endif
5716 	return (0);
5717 }
5718 
5719 /*
5720  * Run an arbitrary vendor-specific admin command on the device.
5721  */
5722 static int
5723 nvme_ioctl_passthru(nvme_t *nvme, int nsid, nvme_ioctl_t *nioc, int mode,
5724     cred_t *cred_p)
5725 {
5726 	int rv = 0;
5727 	uint_t timeout = 0;
5728 	int rwk = 0;
5729 	nvme_passthru_cmd_t cmd;
5730 	size_t expected_passthru_size = 0;
5731 	nvme_sqe_t sqe;
5732 	nvme_cqe_t cqe;
5733 
5734 	bzero(&cmd, sizeof (cmd));
5735 	bzero(&sqe, sizeof (sqe));
5736 	bzero(&cqe, sizeof (cqe));
5737 
5738 	/*
5739 	 * Basic checks: permissions, data model, argument size.
5740 	 */
5741 	if ((mode & FWRITE) == 0 || secpolicy_sys_config(cred_p, B_FALSE) != 0)
5742 		return (EPERM);
5743 
5744 	/*
5745 	 * Compute the expected size of the argument buffer
5746 	 */
5747 #ifdef _MULTI_DATAMODEL
5748 	switch (ddi_model_convert_from(mode & FMODELS)) {
5749 	case DDI_MODEL_ILP32:
5750 		expected_passthru_size = sizeof (nvme_passthru_cmd32_t);
5751 		break;
5752 	case DDI_MODEL_NONE:
5753 #endif
5754 		expected_passthru_size = sizeof (nvme_passthru_cmd_t);
5755 #ifdef _MULTI_DATAMODEL
5756 		break;
5757 	}
5758 #endif
5759 
5760 	if (nioc->n_len != expected_passthru_size) {
5761 		cmd.npc_err = NVME_PASSTHRU_ERR_CMD_SIZE;
5762 		rv = EINVAL;
5763 		goto out;
5764 	}
5765 
5766 	/*
5767 	 * Ensure the device supports the standard vendor specific
5768 	 * admin command format.
5769 	 */
5770 	if (!nvme->n_idctl->id_nvscc.nv_spec) {
5771 		cmd.npc_err = NVME_PASSTHRU_ERR_NOT_SUPPORTED;
5772 		rv = ENOTSUP;
5773 		goto out;
5774 	}
5775 
5776 	if (nvme_passthru_copy_cmd_in((const void*)nioc->n_buf, &cmd, mode))
5777 		return (EFAULT);
5778 
5779 	if (!NVME_IS_VENDOR_SPECIFIC_CMD(cmd.npc_opcode)) {
5780 		cmd.npc_err = NVME_PASSTHRU_ERR_INVALID_OPCODE;
5781 		rv = EINVAL;
5782 		goto out;
5783 	}
5784 
5785 	/*
5786 	 * This restriction is not mandated by the spec, so future work
5787 	 * could relax this if it's necessary to support commands that both
5788 	 * read and write.
5789 	 */
5790 	if ((cmd.npc_flags & NVME_PASSTHRU_READ) != 0 &&
5791 	    (cmd.npc_flags & NVME_PASSTHRU_WRITE) != 0) {
5792 		cmd.npc_err = NVME_PASSTHRU_ERR_READ_AND_WRITE;
5793 		rv = EINVAL;
5794 		goto out;
5795 	}
5796 	if (cmd.npc_timeout > nvme_vendor_specific_admin_cmd_max_timeout) {
5797 		cmd.npc_err = NVME_PASSTHRU_ERR_INVALID_TIMEOUT;
5798 		rv = EINVAL;
5799 		goto out;
5800 	}
5801 	timeout = cmd.npc_timeout;
5802 
5803 	/*
5804 	 * Passed-thru command buffer verification:
5805 	 *  - Size is multiple of DWords
5806 	 *  - Non-null iff the length is non-zero
5807 	 *  - Null if neither reading nor writing data.
5808 	 *  - Non-null if reading or writing.
5809 	 *  - Maximum buffer size.
5810 	 */
5811 	if ((cmd.npc_buflen % sizeof (uint32_t)) != 0) {
5812 		cmd.npc_err = NVME_PASSTHRU_ERR_INVALID_BUFFER;
5813 		rv = EINVAL;
5814 		goto out;
5815 	}
5816 	if (((void*)cmd.npc_buf != NULL && cmd.npc_buflen == 0) ||
5817 	    ((void*)cmd.npc_buf == NULL && cmd.npc_buflen != 0)) {
5818 		cmd.npc_err = NVME_PASSTHRU_ERR_INVALID_BUFFER;
5819 		rv = EINVAL;
5820 		goto out;
5821 	}
5822 	if (cmd.npc_flags == 0 && (void*)cmd.npc_buf != NULL) {
5823 		cmd.npc_err = NVME_PASSTHRU_ERR_INVALID_BUFFER;
5824 		rv = EINVAL;
5825 		goto out;
5826 	}
5827 	if ((cmd.npc_flags != 0) && ((void*)cmd.npc_buf == NULL)) {
5828 		cmd.npc_err = NVME_PASSTHRU_ERR_INVALID_BUFFER;
5829 		rv = EINVAL;
5830 		goto out;
5831 	}
5832 	if (cmd.npc_buflen > nvme_vendor_specific_admin_cmd_size) {
5833 		cmd.npc_err = NVME_PASSTHRU_ERR_INVALID_BUFFER;
5834 		rv = EINVAL;
5835 		goto out;
5836 	}
5837 	if ((cmd.npc_buflen >> NVME_DWORD_SHIFT) > UINT32_MAX) {
5838 		cmd.npc_err = NVME_PASSTHRU_ERR_INVALID_BUFFER;
5839 		rv = EINVAL;
5840 		goto out;
5841 	}
5842 
5843 	sqe.sqe_opc = cmd.npc_opcode;
5844 	sqe.sqe_nsid = nsid;
5845 	sqe.sqe_cdw10 = (uint32_t)(cmd.npc_buflen >> NVME_DWORD_SHIFT);
5846 	sqe.sqe_cdw12 = cmd.npc_cdw12;
5847 	sqe.sqe_cdw13 = cmd.npc_cdw13;
5848 	sqe.sqe_cdw14 = cmd.npc_cdw14;
5849 	sqe.sqe_cdw15 = cmd.npc_cdw15;
5850 	if ((cmd.npc_flags & NVME_PASSTHRU_READ) != 0)
5851 		rwk = FREAD;
5852 	else if ((cmd.npc_flags & NVME_PASSTHRU_WRITE) != 0)
5853 		rwk = FWRITE;
5854 
5855 	rv = nvme_ioc_cmd(nvme, &sqe, B_TRUE, (void*)cmd.npc_buf,
5856 	    cmd.npc_buflen, rwk, &cqe, timeout);
5857 	cmd.npc_status = cqe.cqe_sf.sf_sc;
5858 	cmd.npc_cdw0 = cqe.cqe_dw0;
5859 
5860 out:
5861 	if (nvme_passthru_copy_cmd_out(&cmd, (void*)nioc->n_buf, mode))
5862 		rv = EFAULT;
5863 	return (rv);
5864 }
5865 
5866 static int
5867 nvme_ioctl_ns_state(nvme_t *nvme, int nsid, nvme_ioctl_t *nioc, int mode,
5868     cred_t *cred_p)
5869 {
5870 	_NOTE(ARGUNUSED(cred_p));
5871 	nvme_namespace_t *ns = NVME_NSID2NS(nvme, nsid);
5872 
5873 	if ((mode & FREAD) == 0)
5874 		return (EPERM);
5875 
5876 	if (nsid == 0)
5877 		return (EINVAL);
5878 
5879 	nioc->n_arg = 0;
5880 
5881 	mutex_enter(&nvme->n_mgmt_mutex);
5882 
5883 	if (ns->ns_allocated)
5884 		nioc->n_arg |= NVME_NS_STATE_ALLOCATED;
5885 
5886 	if (ns->ns_active)
5887 		nioc->n_arg |= NVME_NS_STATE_ACTIVE;
5888 
5889 	if (ns->ns_attached)
5890 		nioc->n_arg |= NVME_NS_STATE_ATTACHED;
5891 
5892 	if (ns->ns_ignore)
5893 		nioc->n_arg |= NVME_NS_STATE_IGNORED;
5894 
5895 	mutex_exit(&nvme->n_mgmt_mutex);
5896 
5897 	return (0);
5898 }
5899 
5900 static int
5901 nvme_ioctl(dev_t dev, int cmd, intptr_t arg, int mode, cred_t *cred_p,
5902     int *rval_p)
5903 {
5904 #ifndef __lock_lint
5905 	_NOTE(ARGUNUSED(rval_p));
5906 #endif
5907 	minor_t minor = getminor(dev);
5908 	nvme_t *nvme = ddi_get_soft_state(nvme_state, NVME_MINOR_INST(minor));
5909 	int nsid = NVME_MINOR_NSID(minor);
5910 	int rv = 0;
5911 	nvme_ioctl_t nioc;
5912 
5913 	int (*nvme_ioctl[])(nvme_t *, int, nvme_ioctl_t *, int, cred_t *) = {
5914 		NULL,
5915 		nvme_ioctl_identify,
5916 		NULL,
5917 		nvme_ioctl_capabilities,
5918 		nvme_ioctl_get_logpage,
5919 		nvme_ioctl_get_features,
5920 		nvme_ioctl_intr_cnt,
5921 		nvme_ioctl_version,
5922 		nvme_ioctl_format,
5923 		nvme_ioctl_detach,
5924 		nvme_ioctl_attach,
5925 		nvme_ioctl_firmware_download,
5926 		nvme_ioctl_firmware_commit,
5927 		nvme_ioctl_passthru,
5928 		nvme_ioctl_ns_state
5929 	};
5930 
5931 	if (nvme == NULL)
5932 		return (ENXIO);
5933 
5934 	if (nsid > nvme->n_namespace_count)
5935 		return (ENXIO);
5936 
5937 	if (IS_DEVCTL(cmd))
5938 		return (ndi_devctl_ioctl(nvme->n_dip, cmd, arg, mode, 0));
5939 
5940 #ifdef _MULTI_DATAMODEL
5941 	switch (ddi_model_convert_from(mode & FMODELS)) {
5942 	case DDI_MODEL_ILP32: {
5943 		nvme_ioctl32_t nioc32;
5944 		if (ddi_copyin((void*)arg, &nioc32, sizeof (nvme_ioctl32_t),
5945 		    mode) != 0)
5946 			return (EFAULT);
5947 		nioc.n_len = nioc32.n_len;
5948 		nioc.n_buf = nioc32.n_buf;
5949 		nioc.n_arg = nioc32.n_arg;
5950 		break;
5951 	}
5952 	case DDI_MODEL_NONE:
5953 #endif
5954 		if (ddi_copyin((void*)arg, &nioc, sizeof (nvme_ioctl_t), mode)
5955 		    != 0)
5956 			return (EFAULT);
5957 #ifdef _MULTI_DATAMODEL
5958 		break;
5959 	}
5960 #endif
5961 
5962 	if (nvme->n_dead && cmd != NVME_IOC_DETACH)
5963 		return (EIO);
5964 
5965 	if (IS_NVME_IOC(cmd) && nvme_ioctl[NVME_IOC_CMD(cmd)] != NULL)
5966 		rv = nvme_ioctl[NVME_IOC_CMD(cmd)](nvme, nsid, &nioc, mode,
5967 		    cred_p);
5968 	else
5969 		rv = EINVAL;
5970 
5971 #ifdef _MULTI_DATAMODEL
5972 	switch (ddi_model_convert_from(mode & FMODELS)) {
5973 	case DDI_MODEL_ILP32: {
5974 		nvme_ioctl32_t nioc32;
5975 
5976 		nioc32.n_len = (size32_t)nioc.n_len;
5977 		nioc32.n_buf = (uintptr32_t)nioc.n_buf;
5978 		nioc32.n_arg = nioc.n_arg;
5979 
5980 		if (ddi_copyout(&nioc32, (void *)arg, sizeof (nvme_ioctl32_t),
5981 		    mode) != 0)
5982 			return (EFAULT);
5983 		break;
5984 	}
5985 	case DDI_MODEL_NONE:
5986 #endif
5987 		if (ddi_copyout(&nioc, (void *)arg, sizeof (nvme_ioctl_t), mode)
5988 		    != 0)
5989 			return (EFAULT);
5990 #ifdef _MULTI_DATAMODEL
5991 		break;
5992 	}
5993 #endif
5994 
5995 	return (rv);
5996 }
5997 
5998 /*
5999  * DDI UFM Callbacks
6000  */
6001 static int
6002 nvme_ufm_fill_image(ddi_ufm_handle_t *ufmh, void *arg, uint_t imgno,
6003     ddi_ufm_image_t *img)
6004 {
6005 	nvme_t *nvme = arg;
6006 
6007 	if (imgno != 0)
6008 		return (EINVAL);
6009 
6010 	ddi_ufm_image_set_desc(img, "Firmware");
6011 	ddi_ufm_image_set_nslots(img, nvme->n_idctl->id_frmw.fw_nslot);
6012 
6013 	return (0);
6014 }
6015 
6016 /*
6017  * Fill out firmware slot information for the requested slot.  The firmware
6018  * slot information is gathered by requesting the Firmware Slot Information log
6019  * page.  The format of the page is described in section 5.10.1.3.
6020  *
6021  * We lazily cache the log page on the first call and then invalidate the cache
6022  * data after a successful firmware download or firmware commit command.
6023  * The cached data is protected by a mutex as the state can change
6024  * asynchronous to this callback.
6025  */
6026 static int
6027 nvme_ufm_fill_slot(ddi_ufm_handle_t *ufmh, void *arg, uint_t imgno,
6028     uint_t slotno, ddi_ufm_slot_t *slot)
6029 {
6030 	nvme_t *nvme = arg;
6031 	void *log = NULL;
6032 	size_t bufsize;
6033 	ddi_ufm_attr_t attr = 0;
6034 	char fw_ver[NVME_FWVER_SZ + 1];
6035 	int ret;
6036 
6037 	if (imgno > 0 || slotno > (nvme->n_idctl->id_frmw.fw_nslot - 1))
6038 		return (EINVAL);
6039 
6040 	mutex_enter(&nvme->n_fwslot_mutex);
6041 	if (nvme->n_fwslot == NULL) {
6042 		ret = nvme_get_logpage(nvme, B_TRUE, &log, &bufsize,
6043 		    NVME_LOGPAGE_FWSLOT, 0);
6044 		if (ret != DDI_SUCCESS ||
6045 		    bufsize != sizeof (nvme_fwslot_log_t)) {
6046 			if (log != NULL)
6047 				kmem_free(log, bufsize);
6048 			mutex_exit(&nvme->n_fwslot_mutex);
6049 			return (EIO);
6050 		}
6051 		nvme->n_fwslot = (nvme_fwslot_log_t *)log;
6052 	}
6053 
6054 	/*
6055 	 * NVMe numbers firmware slots starting at 1
6056 	 */
6057 	if (slotno == (nvme->n_fwslot->fw_afi - 1))
6058 		attr |= DDI_UFM_ATTR_ACTIVE;
6059 
6060 	if (slotno != 0 || nvme->n_idctl->id_frmw.fw_readonly == 0)
6061 		attr |= DDI_UFM_ATTR_WRITEABLE;
6062 
6063 	if (nvme->n_fwslot->fw_frs[slotno][0] == '\0') {
6064 		attr |= DDI_UFM_ATTR_EMPTY;
6065 	} else {
6066 		(void) strncpy(fw_ver, nvme->n_fwslot->fw_frs[slotno],
6067 		    NVME_FWVER_SZ);
6068 		fw_ver[NVME_FWVER_SZ] = '\0';
6069 		ddi_ufm_slot_set_version(slot, fw_ver);
6070 	}
6071 	mutex_exit(&nvme->n_fwslot_mutex);
6072 
6073 	ddi_ufm_slot_set_attrs(slot, attr);
6074 
6075 	return (0);
6076 }
6077 
6078 static int
6079 nvme_ufm_getcaps(ddi_ufm_handle_t *ufmh, void *arg, ddi_ufm_cap_t *caps)
6080 {
6081 	*caps = DDI_UFM_CAP_REPORT;
6082 	return (0);
6083 }
6084