Loading...
Note: File does not exist in v3.15.
1// SPDX-License-Identifier: GPL-2.0-only OR MIT
2/*
3 * Bluetooth HCI driver for Broadcom 4377/4378/4387/4388 devices attached via PCIe
4 *
5 * Copyright (C) The Asahi Linux Contributors
6 */
7
8#include <linux/async.h>
9#include <linux/bitfield.h>
10#include <linux/completion.h>
11#include <linux/dma-mapping.h>
12#include <linux/dmi.h>
13#include <linux/firmware.h>
14#include <linux/module.h>
15#include <linux/msi.h>
16#include <linux/of.h>
17#include <linux/pci.h>
18#include <linux/printk.h>
19
20#include <linux/unaligned.h>
21
22#include <net/bluetooth/bluetooth.h>
23#include <net/bluetooth/hci_core.h>
24
25enum bcm4377_chip {
26 BCM4377 = 0,
27 BCM4378,
28 BCM4387,
29 BCM4388,
30};
31
32#define BCM4377_DEVICE_ID 0x5fa0
33#define BCM4378_DEVICE_ID 0x5f69
34#define BCM4387_DEVICE_ID 0x5f71
35#define BCM4388_DEVICE_ID 0x5f72
36
37#define BCM4377_TIMEOUT msecs_to_jiffies(1000)
38#define BCM4377_BOOT_TIMEOUT msecs_to_jiffies(5000)
39
40/*
41 * These devices only support DMA transactions inside a 32bit window
42 * (possibly to avoid 64 bit arithmetic). The window size cannot exceed
43 * 0xffffffff but is always aligned down to the previous 0x200 byte boundary
44 * which effectively limits the window to [start, start+0xfffffe00].
45 * We just limit the DMA window to [0, 0xfffffe00] to make sure we don't
46 * run into this limitation.
47 */
48#define BCM4377_DMA_MASK 0xfffffe00
49
50#define BCM4377_PCIECFG_BAR0_WINDOW1 0x80
51#define BCM4377_PCIECFG_BAR0_WINDOW2 0x70
52#define BCM4377_PCIECFG_BAR0_CORE2_WINDOW1 0x74
53#define BCM4377_PCIECFG_BAR0_CORE2_WINDOW2 0x78
54#define BCM4377_PCIECFG_BAR2_WINDOW 0x84
55
56#define BCM4377_PCIECFG_BAR0_CORE2_WINDOW1_DEFAULT 0x18011000
57#define BCM4377_PCIECFG_BAR2_WINDOW_DEFAULT 0x19000000
58
59#define BCM4377_PCIECFG_SUBSYSTEM_CTRL 0x88
60
61#define BCM4377_BAR0_FW_DOORBELL 0x140
62#define BCM4377_BAR0_RTI_CONTROL 0x144
63
64#define BCM4377_BAR0_SLEEP_CONTROL 0x150
65#define BCM4377_BAR0_SLEEP_CONTROL_UNQUIESCE 0
66#define BCM4377_BAR0_SLEEP_CONTROL_AWAKE 2
67#define BCM4377_BAR0_SLEEP_CONTROL_QUIESCE 3
68
69#define BCM4377_BAR0_DOORBELL 0x174
70#define BCM4377_BAR0_DOORBELL_VALUE GENMASK(31, 16)
71#define BCM4377_BAR0_DOORBELL_IDX GENMASK(15, 8)
72#define BCM4377_BAR0_DOORBELL_RING BIT(5)
73
74#define BCM4377_BAR0_HOST_WINDOW_LO 0x590
75#define BCM4377_BAR0_HOST_WINDOW_HI 0x594
76#define BCM4377_BAR0_HOST_WINDOW_SIZE 0x598
77
78#define BCM4377_BAR2_BOOTSTAGE 0x200454
79
80#define BCM4377_BAR2_FW_LO 0x200478
81#define BCM4377_BAR2_FW_HI 0x20047c
82#define BCM4377_BAR2_FW_SIZE 0x200480
83
84#define BCM4377_BAR2_CONTEXT_ADDR_LO 0x20048c
85#define BCM4377_BAR2_CONTEXT_ADDR_HI 0x200450
86
87#define BCM4377_BAR2_RTI_STATUS 0x20045c
88#define BCM4377_BAR2_RTI_WINDOW_LO 0x200494
89#define BCM4377_BAR2_RTI_WINDOW_HI 0x200498
90#define BCM4377_BAR2_RTI_WINDOW_SIZE 0x20049c
91
92#define BCM4377_OTP_SIZE 0xe0
93#define BCM4377_OTP_SYS_VENDOR 0x15
94#define BCM4377_OTP_CIS 0x80
95#define BCM4377_OTP_VENDOR_HDR 0x00000008
96#define BCM4377_OTP_MAX_PARAM_LEN 16
97
98#define BCM4377_N_TRANSFER_RINGS 9
99#define BCM4377_N_COMPLETION_RINGS 6
100
101#define BCM4377_MAX_RING_SIZE 256
102
103#define BCM4377_MSGID_GENERATION GENMASK(15, 8)
104#define BCM4377_MSGID_ID GENMASK(7, 0)
105
106#define BCM4377_RING_N_ENTRIES 128
107
108#define BCM4377_CONTROL_MSG_SIZE 0x34
109#define BCM4377_XFER_RING_MAX_INPLACE_PAYLOAD_SIZE (4 * 0xff)
110
111#define MAX_ACL_PAYLOAD_SIZE (HCI_MAX_FRAME_SIZE + HCI_ACL_HDR_SIZE)
112#define MAX_SCO_PAYLOAD_SIZE (HCI_MAX_SCO_SIZE + HCI_SCO_HDR_SIZE)
113#define MAX_EVENT_PAYLOAD_SIZE (HCI_MAX_EVENT_SIZE + HCI_EVENT_HDR_SIZE)
114
115enum bcm4377_otp_params_type {
116 BCM4377_OTP_BOARD_PARAMS,
117 BCM4377_OTP_CHIP_PARAMS
118};
119
120enum bcm4377_transfer_ring_id {
121 BCM4377_XFER_RING_CONTROL = 0,
122 BCM4377_XFER_RING_HCI_H2D = 1,
123 BCM4377_XFER_RING_HCI_D2H = 2,
124 BCM4377_XFER_RING_SCO_H2D = 3,
125 BCM4377_XFER_RING_SCO_D2H = 4,
126 BCM4377_XFER_RING_ACL_H2D = 5,
127 BCM4377_XFER_RING_ACL_D2H = 6,
128};
129
130enum bcm4377_completion_ring_id {
131 BCM4377_ACK_RING_CONTROL = 0,
132 BCM4377_ACK_RING_HCI_ACL = 1,
133 BCM4377_EVENT_RING_HCI_ACL = 2,
134 BCM4377_ACK_RING_SCO = 3,
135 BCM4377_EVENT_RING_SCO = 4,
136};
137
138enum bcm4377_doorbell {
139 BCM4377_DOORBELL_CONTROL = 0,
140 BCM4377_DOORBELL_HCI_H2D = 1,
141 BCM4377_DOORBELL_HCI_D2H = 2,
142 BCM4377_DOORBELL_ACL_H2D = 3,
143 BCM4377_DOORBELL_ACL_D2H = 4,
144 BCM4377_DOORBELL_SCO = 6,
145};
146
147/*
148 * Transfer ring entry
149 *
150 * flags: Flags to indicate if the payload is appended or mapped
151 * len: Payload length
152 * payload: Optional payload DMA address
153 * id: Message id to recognize the answer in the completion ring entry
154 */
155struct bcm4377_xfer_ring_entry {
156#define BCM4377_XFER_RING_FLAG_PAYLOAD_MAPPED BIT(0)
157#define BCM4377_XFER_RING_FLAG_PAYLOAD_IN_FOOTER BIT(1)
158 u8 flags;
159 __le16 len;
160 u8 _unk0;
161 __le64 payload;
162 __le16 id;
163 u8 _unk1[2];
164} __packed;
165static_assert(sizeof(struct bcm4377_xfer_ring_entry) == 0x10);
166
167/*
168 * Completion ring entry
169 *
170 * flags: Flags to indicate if the payload is appended or mapped. If the payload
171 * is mapped it can be found in the buffer of the corresponding transfer
172 * ring message.
173 * ring_id: Transfer ring ID which required this message
174 * msg_id: Message ID specified in transfer ring entry
175 * len: Payload length
176 */
177struct bcm4377_completion_ring_entry {
178 u8 flags;
179 u8 _unk0;
180 __le16 ring_id;
181 __le16 msg_id;
182 __le32 len;
183 u8 _unk1[6];
184} __packed;
185static_assert(sizeof(struct bcm4377_completion_ring_entry) == 0x10);
186
187enum bcm4377_control_message_type {
188 BCM4377_CONTROL_MSG_CREATE_XFER_RING = 1,
189 BCM4377_CONTROL_MSG_CREATE_COMPLETION_RING = 2,
190 BCM4377_CONTROL_MSG_DESTROY_XFER_RING = 3,
191 BCM4377_CONTROL_MSG_DESTROY_COMPLETION_RING = 4,
192};
193
194/*
195 * Control message used to create a completion ring
196 *
197 * msg_type: Must be BCM4377_CONTROL_MSG_CREATE_COMPLETION_RING
198 * header_size: Unknown, but probably reserved space in front of the entry
199 * footer_size: Number of 32 bit words reserved for payloads after the entry
200 * id/id_again: Completion ring index
201 * ring_iova: DMA address of the ring buffer
202 * n_elements: Number of elements inside the ring buffer
203 * msi: MSI index, doesn't work for all rings though and should be zero
204 * intmod_delay: Unknown delay
205 * intmod_bytes: Unknown
206 */
207struct bcm4377_create_completion_ring_msg {
208 u8 msg_type;
209 u8 header_size;
210 u8 footer_size;
211 u8 _unk0;
212 __le16 id;
213 __le16 id_again;
214 __le64 ring_iova;
215 __le16 n_elements;
216 __le32 unk;
217 u8 _unk1[6];
218 __le16 msi;
219 __le16 intmod_delay;
220 __le32 intmod_bytes;
221 __le16 _unk2;
222 __le32 _unk3;
223 u8 _unk4[10];
224} __packed;
225static_assert(sizeof(struct bcm4377_create_completion_ring_msg) ==
226 BCM4377_CONTROL_MSG_SIZE);
227
228/*
229 * Control ring message used to destroy a completion ring
230 *
231 * msg_type: Must be BCM4377_CONTROL_MSG_DESTROY_COMPLETION_RING
232 * ring_id: Completion ring to be destroyed
233 */
234struct bcm4377_destroy_completion_ring_msg {
235 u8 msg_type;
236 u8 _pad0;
237 __le16 ring_id;
238 u8 _pad1[48];
239} __packed;
240static_assert(sizeof(struct bcm4377_destroy_completion_ring_msg) ==
241 BCM4377_CONTROL_MSG_SIZE);
242
243/*
244 * Control message used to create a transfer ring
245 *
246 * msg_type: Must be BCM4377_CONTROL_MSG_CREATE_XFER_RING
247 * header_size: Number of 32 bit words reserved for unknown content before the
248 * entry
249 * footer_size: Number of 32 bit words reserved for payloads after the entry
250 * ring_id/ring_id_again: Transfer ring index
251 * ring_iova: DMA address of the ring buffer
252 * n_elements: Number of elements inside the ring buffer
253 * completion_ring_id: Completion ring index for acknowledgements and events
254 * doorbell: Doorbell index used to notify device of new entries
255 * flags: Transfer ring flags
256 * - virtual: set if there is no associated shared memory and only the
257 * corresponding completion ring is used
258 * - sync: only set for the SCO rings
259 */
260struct bcm4377_create_transfer_ring_msg {
261 u8 msg_type;
262 u8 header_size;
263 u8 footer_size;
264 u8 _unk0;
265 __le16 ring_id;
266 __le16 ring_id_again;
267 __le64 ring_iova;
268 u8 _unk1[8];
269 __le16 n_elements;
270 __le16 completion_ring_id;
271 __le16 doorbell;
272#define BCM4377_XFER_RING_FLAG_VIRTUAL BIT(7)
273#define BCM4377_XFER_RING_FLAG_SYNC BIT(8)
274 __le16 flags;
275 u8 _unk2[20];
276} __packed;
277static_assert(sizeof(struct bcm4377_create_transfer_ring_msg) ==
278 BCM4377_CONTROL_MSG_SIZE);
279
280/*
281 * Control ring message used to destroy a transfer ring
282 *
283 * msg_type: Must be BCM4377_CONTROL_MSG_DESTROY_XFER_RING
284 * ring_id: Transfer ring to be destroyed
285 */
286struct bcm4377_destroy_transfer_ring_msg {
287 u8 msg_type;
288 u8 _pad0;
289 __le16 ring_id;
290 u8 _pad1[48];
291} __packed;
292static_assert(sizeof(struct bcm4377_destroy_transfer_ring_msg) ==
293 BCM4377_CONTROL_MSG_SIZE);
294
295/*
296 * "Converged IPC" context struct used to make the device aware of all other
297 * shared memory structures. A pointer to this structure is configured inside a
298 * MMIO register.
299 *
300 * version: Protocol version, must be 2.
301 * size: Size of this structure, must be 0x68.
302 * enabled_caps: Enabled capabilities. Unknown bitfield but should be 2.
303 * peripheral_info_addr: DMA address for a 0x20 buffer to which the device will
304 * write unknown contents
305 * {completion,xfer}_ring_{tails,heads}_addr: DMA pointers to ring heads/tails
306 * n_completion_rings: Number of completion rings, the firmware only works if
307 * this is set to BCM4377_N_COMPLETION_RINGS.
308 * n_xfer_rings: Number of transfer rings, the firmware only works if
309 * this is set to BCM4377_N_TRANSFER_RINGS.
310 * control_completion_ring_addr: Control completion ring buffer DMA address
311 * control_xfer_ring_addr: Control transfer ring buffer DMA address
312 * control_xfer_ring_n_entries: Number of control transfer ring entries
313 * control_completion_ring_n_entries: Number of control completion ring entries
314 * control_xfer_ring_doorbell: Control transfer ring doorbell
315 * control_completion_ring_doorbell: Control completion ring doorbell,
316 * must be set to 0xffff
317 * control_xfer_ring_msi: Control completion ring MSI index, must be 0
318 * control_completion_ring_msi: Control completion ring MSI index, must be 0.
319 * control_xfer_ring_header_size: Number of 32 bit words reserved in front of
320 * every control transfer ring entry
321 * control_xfer_ring_footer_size: Number of 32 bit words reserved after every
322 * control transfer ring entry
323 * control_completion_ring_header_size: Number of 32 bit words reserved in front
324 * of every control completion ring entry
325 * control_completion_ring_footer_size: Number of 32 bit words reserved after
326 * every control completion ring entry
327 * scratch_pad: Optional scratch pad DMA address
328 * scratch_pad_size: Scratch pad size
329 */
330struct bcm4377_context {
331 __le16 version;
332 __le16 size;
333 __le32 enabled_caps;
334
335 __le64 peripheral_info_addr;
336
337 /* ring heads and tails */
338 __le64 completion_ring_heads_addr;
339 __le64 xfer_ring_tails_addr;
340 __le64 completion_ring_tails_addr;
341 __le64 xfer_ring_heads_addr;
342 __le16 n_completion_rings;
343 __le16 n_xfer_rings;
344
345 /* control ring configuration */
346 __le64 control_completion_ring_addr;
347 __le64 control_xfer_ring_addr;
348 __le16 control_xfer_ring_n_entries;
349 __le16 control_completion_ring_n_entries;
350 __le16 control_xfer_ring_doorbell;
351 __le16 control_completion_ring_doorbell;
352 __le16 control_xfer_ring_msi;
353 __le16 control_completion_ring_msi;
354 u8 control_xfer_ring_header_size;
355 u8 control_xfer_ring_footer_size;
356 u8 control_completion_ring_header_size;
357 u8 control_completion_ring_footer_size;
358
359 __le16 _unk0;
360 __le16 _unk1;
361
362 __le64 scratch_pad;
363 __le32 scratch_pad_size;
364
365 __le32 _unk3;
366} __packed;
367static_assert(sizeof(struct bcm4377_context) == 0x68);
368
369#define BCM4378_CALIBRATION_CHUNK_SIZE 0xe6
370struct bcm4378_hci_send_calibration_cmd {
371 u8 unk;
372 __le16 blocks_left;
373 u8 data[BCM4378_CALIBRATION_CHUNK_SIZE];
374} __packed;
375
376#define BCM4378_PTB_CHUNK_SIZE 0xcf
377struct bcm4378_hci_send_ptb_cmd {
378 __le16 blocks_left;
379 u8 data[BCM4378_PTB_CHUNK_SIZE];
380} __packed;
381
382/*
383 * Shared memory structure used to store the ring head and tail pointers.
384 */
385struct bcm4377_ring_state {
386 __le16 completion_ring_head[BCM4377_N_COMPLETION_RINGS];
387 __le16 completion_ring_tail[BCM4377_N_COMPLETION_RINGS];
388 __le16 xfer_ring_head[BCM4377_N_TRANSFER_RINGS];
389 __le16 xfer_ring_tail[BCM4377_N_TRANSFER_RINGS];
390};
391
392/*
393 * A transfer ring can be used in two configurations:
394 * 1) Send control or HCI messages to the device which are then acknowledged
395 * in the corresponding completion ring
396 * 2) Receiving HCI frames from the devices. In this case the transfer ring
397 * itself contains empty messages that are acknowledged once data is
398 * available from the device. If the payloads fit inside the footers
399 * of the completion ring the transfer ring can be configured to be
400 * virtual such that it has no ring buffer.
401 *
402 * ring_id: ring index hardcoded in the firmware
403 * doorbell: doorbell index to notify device of new entries
404 * payload_size: optional in-place payload size
405 * mapped_payload_size: optional out-of-place payload size
406 * completion_ring: index of corresponding completion ring
407 * n_entries: number of entries inside this ring
408 * generation: ring generation; incremented on hci_open to detect stale messages
409 * sync: set to true for SCO rings
410 * virtual: set to true if this ring has no entries and is just required to
411 * setup a corresponding completion ring for device->host messages
412 * d2h_buffers_only: set to true if this ring is only used to provide large
413 * buffers used by device->host messages in the completion
414 * ring
415 * allow_wait: allow to wait for messages to be acknowledged
416 * enabled: true once the ring has been created and can be used
417 * ring: ring buffer for entries (struct bcm4377_xfer_ring_entry)
418 * ring_dma: DMA address for ring entry buffer
419 * payloads: payload buffer for mapped_payload_size payloads
420 * payloads_dma:DMA address for payload buffer
421 * events: pointer to array of completions if waiting is allowed
422 * msgids: bitmap to keep track of used message ids
423 * lock: Spinlock to protect access to ring structurs used in the irq handler
424 */
425struct bcm4377_transfer_ring {
426 enum bcm4377_transfer_ring_id ring_id;
427 enum bcm4377_doorbell doorbell;
428 size_t payload_size;
429 size_t mapped_payload_size;
430 u8 completion_ring;
431 u16 n_entries;
432 u8 generation;
433
434 bool sync;
435 bool virtual;
436 bool d2h_buffers_only;
437 bool allow_wait;
438 bool enabled;
439
440 void *ring;
441 dma_addr_t ring_dma;
442
443 void *payloads;
444 dma_addr_t payloads_dma;
445
446 struct completion **events;
447 DECLARE_BITMAP(msgids, BCM4377_MAX_RING_SIZE);
448 spinlock_t lock;
449};
450
451/*
452 * A completion ring can be either used to either acknowledge messages sent in
453 * the corresponding transfer ring or to receive messages associated with the
454 * transfer ring. When used to receive messages the transfer ring either
455 * has no ring buffer and is only advanced ("virtual transfer ring") or it
456 * only contains empty DMA buffers to be used for the payloads.
457 *
458 * ring_id: completion ring id, hardcoded in firmware
459 * payload_size: optional payload size after each entry
460 * delay: unknown delay
461 * n_entries: number of entries in this ring
462 * enabled: true once the ring has been created and can be used
463 * ring: ring buffer for entries (struct bcm4377_completion_ring_entry)
464 * ring_dma: DMA address of ring buffer
465 * transfer_rings: bitmap of corresponding transfer ring ids
466 */
467struct bcm4377_completion_ring {
468 enum bcm4377_completion_ring_id ring_id;
469 u16 payload_size;
470 u16 delay;
471 u16 n_entries;
472 bool enabled;
473
474 void *ring;
475 dma_addr_t ring_dma;
476
477 unsigned long transfer_rings;
478};
479
480struct bcm4377_data;
481
482/*
483 * Chip-specific configuration struct
484 *
485 * id: Chip id (e.g. 0x4377 for BCM4377)
486 * otp_offset: Offset to the start of the OTP inside BAR0
487 * bar0_window1: Backplane address mapped to the first window in BAR0
488 * bar0_window2: Backplane address mapped to the second window in BAR0
489 * bar0_core2_window2: Optional backplane address mapped to the second core's
490 * second window in BAR0
491 * has_bar0_core2_window2: Set to true if this chip requires the second core's
492 * second window to be configured
493 * bar2_offset: Offset to the start of the variables in BAR2
494 * clear_pciecfg_subsystem_ctrl_bit19: Set to true if bit 19 in the
495 * vendor-specific subsystem control
496 * register has to be cleared
497 * disable_aspm: Set to true if ASPM must be disabled due to hardware errata
498 * broken_ext_scan: Set to true if the chip erroneously claims to support
499 * extended scanning
500 * broken_mws_transport_config: Set to true if the chip erroneously claims to
501 * support MWS Transport Configuration
502 * broken_le_ext_adv_report_phy: Set to true if this chip stuffs flags inside
503 * reserved bits of Primary/Secondary_PHY inside
504 * LE Extended Advertising Report events which
505 * have to be ignored
506 * send_calibration: Optional callback to send calibration data
507 * send_ptb: Callback to send "PTB" regulatory/calibration data
508 */
509struct bcm4377_hw {
510 unsigned int id;
511
512 u32 otp_offset;
513
514 u32 bar0_window1;
515 u32 bar0_window2;
516 u32 bar0_core2_window2;
517 u32 bar2_offset;
518
519 unsigned long has_bar0_core2_window2 : 1;
520 unsigned long clear_pciecfg_subsystem_ctrl_bit19 : 1;
521 unsigned long disable_aspm : 1;
522 unsigned long broken_ext_scan : 1;
523 unsigned long broken_mws_transport_config : 1;
524 unsigned long broken_le_coded : 1;
525 unsigned long broken_le_ext_adv_report_phy : 1;
526
527 int (*send_calibration)(struct bcm4377_data *bcm4377);
528 int (*send_ptb)(struct bcm4377_data *bcm4377,
529 const struct firmware *fw);
530};
531
532static const struct bcm4377_hw bcm4377_hw_variants[];
533static const struct dmi_system_id bcm4377_dmi_board_table[];
534
535/*
536 * Private struct associated with each device containing global state
537 *
538 * pdev: Pointer to associated struct pci_dev
539 * hdev: Pointer to associated strucy hci_dev
540 * bar0: iomem pointing to BAR0
541 * bar1: iomem pointing to BAR2
542 * bootstage: Current value of the bootstage
543 * rti_status: Current "RTI" status value
544 * hw: Pointer to chip-specific struct bcm4377_hw
545 * taurus_cal_blob: "Taurus" calibration blob used for some chips
546 * taurus_cal_size: "Taurus" calibration blob size
547 * taurus_beamforming_cal_blob: "Taurus" beamforming calibration blob used for
548 * some chips
549 * taurus_beamforming_cal_size: "Taurus" beamforming calibration blob size
550 * stepping: Chip stepping read from OTP; used for firmware selection
551 * vendor: Antenna vendor read from OTP; used for firmware selection
552 * board_type: Board type from FDT or DMI match; used for firmware selection
553 * event: Event for changed bootstage or rti_status; used for booting firmware
554 * ctx: "Converged IPC" context
555 * ctx_dma: "Converged IPC" context DMA address
556 * ring_state: Shared memory buffer containing ring head and tail indexes
557 * ring_state_dma: DMA address for ring_state
558 * {control,hci_acl,sco}_ack_ring: Completion rings used to acknowledge messages
559 * {hci_acl,sco}_event_ring: Completion rings used for device->host messages
560 * control_h2d_ring: Transfer ring used for control messages
561 * {hci,sco,acl}_h2d_ring: Transfer ring used to transfer HCI frames
562 * {hci,sco,acl}_d2h_ring: Transfer ring used to receive HCI frames in the
563 * corresponding completion ring
564 */
565struct bcm4377_data {
566 struct pci_dev *pdev;
567 struct hci_dev *hdev;
568
569 void __iomem *bar0;
570 void __iomem *bar2;
571
572 u32 bootstage;
573 u32 rti_status;
574
575 const struct bcm4377_hw *hw;
576
577 const void *taurus_cal_blob;
578 int taurus_cal_size;
579 const void *taurus_beamforming_cal_blob;
580 int taurus_beamforming_cal_size;
581
582 char stepping[BCM4377_OTP_MAX_PARAM_LEN];
583 char vendor[BCM4377_OTP_MAX_PARAM_LEN];
584 const char *board_type;
585
586 struct completion event;
587
588 struct bcm4377_context *ctx;
589 dma_addr_t ctx_dma;
590
591 struct bcm4377_ring_state *ring_state;
592 dma_addr_t ring_state_dma;
593
594 /*
595 * The HCI and ACL rings have to be merged because this structure is
596 * hardcoded in the firmware.
597 */
598 struct bcm4377_completion_ring control_ack_ring;
599 struct bcm4377_completion_ring hci_acl_ack_ring;
600 struct bcm4377_completion_ring hci_acl_event_ring;
601 struct bcm4377_completion_ring sco_ack_ring;
602 struct bcm4377_completion_ring sco_event_ring;
603
604 struct bcm4377_transfer_ring control_h2d_ring;
605 struct bcm4377_transfer_ring hci_h2d_ring;
606 struct bcm4377_transfer_ring hci_d2h_ring;
607 struct bcm4377_transfer_ring sco_h2d_ring;
608 struct bcm4377_transfer_ring sco_d2h_ring;
609 struct bcm4377_transfer_ring acl_h2d_ring;
610 struct bcm4377_transfer_ring acl_d2h_ring;
611};
612
613static void bcm4377_ring_doorbell(struct bcm4377_data *bcm4377, u8 doorbell,
614 u16 val)
615{
616 u32 db = 0;
617
618 db |= FIELD_PREP(BCM4377_BAR0_DOORBELL_VALUE, val);
619 db |= FIELD_PREP(BCM4377_BAR0_DOORBELL_IDX, doorbell);
620 db |= BCM4377_BAR0_DOORBELL_RING;
621
622 dev_dbg(&bcm4377->pdev->dev, "write %d to doorbell #%d (0x%x)\n", val,
623 doorbell, db);
624 iowrite32(db, bcm4377->bar0 + BCM4377_BAR0_DOORBELL);
625}
626
627static int bcm4377_extract_msgid(struct bcm4377_data *bcm4377,
628 struct bcm4377_transfer_ring *ring,
629 u16 raw_msgid, u8 *msgid)
630{
631 u8 generation = FIELD_GET(BCM4377_MSGID_GENERATION, raw_msgid);
632 *msgid = FIELD_GET(BCM4377_MSGID_ID, raw_msgid);
633
634 if (generation != ring->generation) {
635 dev_warn(
636 &bcm4377->pdev->dev,
637 "invalid message generation %d should be %d in entry for ring %d\n",
638 generation, ring->generation, ring->ring_id);
639 return -EINVAL;
640 }
641
642 if (*msgid >= ring->n_entries) {
643 dev_warn(&bcm4377->pdev->dev,
644 "invalid message id in entry for ring %d: %d > %d\n",
645 ring->ring_id, *msgid, ring->n_entries);
646 return -EINVAL;
647 }
648
649 return 0;
650}
651
652static void bcm4377_handle_event(struct bcm4377_data *bcm4377,
653 struct bcm4377_transfer_ring *ring,
654 u16 raw_msgid, u8 entry_flags, u8 type,
655 void *payload, size_t len)
656{
657 struct sk_buff *skb;
658 u16 head;
659 u8 msgid;
660 unsigned long flags;
661
662 spin_lock_irqsave(&ring->lock, flags);
663 if (!ring->enabled) {
664 dev_warn(&bcm4377->pdev->dev,
665 "event for disabled transfer ring %d\n",
666 ring->ring_id);
667 goto out;
668 }
669
670 if (ring->d2h_buffers_only &&
671 entry_flags & BCM4377_XFER_RING_FLAG_PAYLOAD_MAPPED) {
672 if (bcm4377_extract_msgid(bcm4377, ring, raw_msgid, &msgid))
673 goto out;
674
675 if (len > ring->mapped_payload_size) {
676 dev_warn(
677 &bcm4377->pdev->dev,
678 "invalid payload len in event for ring %d: %zu > %zu\n",
679 ring->ring_id, len, ring->mapped_payload_size);
680 goto out;
681 }
682
683 payload = ring->payloads + msgid * ring->mapped_payload_size;
684 }
685
686 skb = bt_skb_alloc(len, GFP_ATOMIC);
687 if (!skb)
688 goto out;
689
690 memcpy(skb_put(skb, len), payload, len);
691 hci_skb_pkt_type(skb) = type;
692 hci_recv_frame(bcm4377->hdev, skb);
693
694out:
695 head = le16_to_cpu(bcm4377->ring_state->xfer_ring_head[ring->ring_id]);
696 head = (head + 1) % ring->n_entries;
697 bcm4377->ring_state->xfer_ring_head[ring->ring_id] = cpu_to_le16(head);
698
699 bcm4377_ring_doorbell(bcm4377, ring->doorbell, head);
700
701 spin_unlock_irqrestore(&ring->lock, flags);
702}
703
704static void bcm4377_handle_ack(struct bcm4377_data *bcm4377,
705 struct bcm4377_transfer_ring *ring,
706 u16 raw_msgid)
707{
708 unsigned long flags;
709 u8 msgid;
710
711 spin_lock_irqsave(&ring->lock, flags);
712
713 if (bcm4377_extract_msgid(bcm4377, ring, raw_msgid, &msgid))
714 goto unlock;
715
716 if (!test_bit(msgid, ring->msgids)) {
717 dev_warn(
718 &bcm4377->pdev->dev,
719 "invalid message id in ack for ring %d: %d is not used\n",
720 ring->ring_id, msgid);
721 goto unlock;
722 }
723
724 if (ring->allow_wait && ring->events[msgid]) {
725 complete(ring->events[msgid]);
726 ring->events[msgid] = NULL;
727 }
728
729 bitmap_release_region(ring->msgids, msgid, 0);
730
731unlock:
732 spin_unlock_irqrestore(&ring->lock, flags);
733}
734
735static void bcm4377_handle_completion(struct bcm4377_data *bcm4377,
736 struct bcm4377_completion_ring *ring,
737 u16 pos)
738{
739 struct bcm4377_completion_ring_entry *entry;
740 u16 msg_id, transfer_ring;
741 size_t entry_size, data_len;
742 void *data;
743
744 if (pos >= ring->n_entries) {
745 dev_warn(&bcm4377->pdev->dev,
746 "invalid offset %d for completion ring %d\n", pos,
747 ring->ring_id);
748 return;
749 }
750
751 entry_size = sizeof(*entry) + ring->payload_size;
752 entry = ring->ring + pos * entry_size;
753 data = ring->ring + pos * entry_size + sizeof(*entry);
754 data_len = le32_to_cpu(entry->len);
755 msg_id = le16_to_cpu(entry->msg_id);
756 transfer_ring = le16_to_cpu(entry->ring_id);
757
758 if ((ring->transfer_rings & BIT(transfer_ring)) == 0) {
759 dev_warn(
760 &bcm4377->pdev->dev,
761 "invalid entry at offset %d for transfer ring %d in completion ring %d\n",
762 pos, transfer_ring, ring->ring_id);
763 return;
764 }
765
766 dev_dbg(&bcm4377->pdev->dev,
767 "entry in completion ring %d for transfer ring %d with msg_id %d\n",
768 ring->ring_id, transfer_ring, msg_id);
769
770 switch (transfer_ring) {
771 case BCM4377_XFER_RING_CONTROL:
772 bcm4377_handle_ack(bcm4377, &bcm4377->control_h2d_ring, msg_id);
773 break;
774 case BCM4377_XFER_RING_HCI_H2D:
775 bcm4377_handle_ack(bcm4377, &bcm4377->hci_h2d_ring, msg_id);
776 break;
777 case BCM4377_XFER_RING_SCO_H2D:
778 bcm4377_handle_ack(bcm4377, &bcm4377->sco_h2d_ring, msg_id);
779 break;
780 case BCM4377_XFER_RING_ACL_H2D:
781 bcm4377_handle_ack(bcm4377, &bcm4377->acl_h2d_ring, msg_id);
782 break;
783
784 case BCM4377_XFER_RING_HCI_D2H:
785 bcm4377_handle_event(bcm4377, &bcm4377->hci_d2h_ring, msg_id,
786 entry->flags, HCI_EVENT_PKT, data,
787 data_len);
788 break;
789 case BCM4377_XFER_RING_SCO_D2H:
790 bcm4377_handle_event(bcm4377, &bcm4377->sco_d2h_ring, msg_id,
791 entry->flags, HCI_SCODATA_PKT, data,
792 data_len);
793 break;
794 case BCM4377_XFER_RING_ACL_D2H:
795 bcm4377_handle_event(bcm4377, &bcm4377->acl_d2h_ring, msg_id,
796 entry->flags, HCI_ACLDATA_PKT, data,
797 data_len);
798 break;
799
800 default:
801 dev_warn(
802 &bcm4377->pdev->dev,
803 "entry in completion ring %d for unknown transfer ring %d with msg_id %d\n",
804 ring->ring_id, transfer_ring, msg_id);
805 }
806}
807
808static void bcm4377_poll_completion_ring(struct bcm4377_data *bcm4377,
809 struct bcm4377_completion_ring *ring)
810{
811 u16 tail;
812 __le16 *heads = bcm4377->ring_state->completion_ring_head;
813 __le16 *tails = bcm4377->ring_state->completion_ring_tail;
814
815 if (!ring->enabled)
816 return;
817
818 tail = le16_to_cpu(tails[ring->ring_id]);
819 dev_dbg(&bcm4377->pdev->dev,
820 "completion ring #%d: head: %d, tail: %d\n", ring->ring_id,
821 le16_to_cpu(heads[ring->ring_id]), tail);
822
823 while (tail != le16_to_cpu(READ_ONCE(heads[ring->ring_id]))) {
824 /*
825 * ensure the CPU doesn't speculate through the comparison.
826 * otherwise it might already read the (empty) queue entry
827 * before the updated head has been loaded and checked.
828 */
829 dma_rmb();
830
831 bcm4377_handle_completion(bcm4377, ring, tail);
832
833 tail = (tail + 1) % ring->n_entries;
834 tails[ring->ring_id] = cpu_to_le16(tail);
835 }
836}
837
838static irqreturn_t bcm4377_irq(int irq, void *data)
839{
840 struct bcm4377_data *bcm4377 = data;
841 u32 bootstage, rti_status;
842
843 bootstage = ioread32(bcm4377->bar2 + bcm4377->hw->bar2_offset + BCM4377_BAR2_BOOTSTAGE);
844 rti_status = ioread32(bcm4377->bar2 + bcm4377->hw->bar2_offset + BCM4377_BAR2_RTI_STATUS);
845
846 if (bootstage != bcm4377->bootstage ||
847 rti_status != bcm4377->rti_status) {
848 dev_dbg(&bcm4377->pdev->dev,
849 "bootstage = %d -> %d, rti state = %d -> %d\n",
850 bcm4377->bootstage, bootstage, bcm4377->rti_status,
851 rti_status);
852 complete(&bcm4377->event);
853 bcm4377->bootstage = bootstage;
854 bcm4377->rti_status = rti_status;
855 }
856
857 if (rti_status > 2)
858 dev_err(&bcm4377->pdev->dev, "RTI status is %d\n", rti_status);
859
860 bcm4377_poll_completion_ring(bcm4377, &bcm4377->control_ack_ring);
861 bcm4377_poll_completion_ring(bcm4377, &bcm4377->hci_acl_event_ring);
862 bcm4377_poll_completion_ring(bcm4377, &bcm4377->hci_acl_ack_ring);
863 bcm4377_poll_completion_ring(bcm4377, &bcm4377->sco_ack_ring);
864 bcm4377_poll_completion_ring(bcm4377, &bcm4377->sco_event_ring);
865
866 return IRQ_HANDLED;
867}
868
869static int bcm4377_enqueue(struct bcm4377_data *bcm4377,
870 struct bcm4377_transfer_ring *ring, void *data,
871 size_t len, bool wait)
872{
873 unsigned long flags;
874 struct bcm4377_xfer_ring_entry *entry;
875 void *payload;
876 size_t offset;
877 u16 head, tail, new_head;
878 u16 raw_msgid;
879 int ret, msgid;
880 DECLARE_COMPLETION_ONSTACK(event);
881
882 if (len > ring->payload_size && len > ring->mapped_payload_size) {
883 dev_warn(
884 &bcm4377->pdev->dev,
885 "payload len %zu is too large for ring %d (max is %zu or %zu)\n",
886 len, ring->ring_id, ring->payload_size,
887 ring->mapped_payload_size);
888 return -EINVAL;
889 }
890 if (wait && !ring->allow_wait)
891 return -EINVAL;
892 if (ring->virtual)
893 return -EINVAL;
894
895 spin_lock_irqsave(&ring->lock, flags);
896
897 head = le16_to_cpu(bcm4377->ring_state->xfer_ring_head[ring->ring_id]);
898 tail = le16_to_cpu(bcm4377->ring_state->xfer_ring_tail[ring->ring_id]);
899
900 new_head = (head + 1) % ring->n_entries;
901
902 if (new_head == tail) {
903 dev_warn(&bcm4377->pdev->dev,
904 "can't send message because ring %d is full\n",
905 ring->ring_id);
906 ret = -EINVAL;
907 goto out;
908 }
909
910 msgid = bitmap_find_free_region(ring->msgids, ring->n_entries, 0);
911 if (msgid < 0) {
912 dev_warn(&bcm4377->pdev->dev,
913 "can't find message id for ring %d\n", ring->ring_id);
914 ret = -EINVAL;
915 goto out;
916 }
917
918 raw_msgid = FIELD_PREP(BCM4377_MSGID_GENERATION, ring->generation);
919 raw_msgid |= FIELD_PREP(BCM4377_MSGID_ID, msgid);
920
921 offset = head * (sizeof(*entry) + ring->payload_size);
922 entry = ring->ring + offset;
923
924 memset(entry, 0, sizeof(*entry));
925 entry->id = cpu_to_le16(raw_msgid);
926 entry->len = cpu_to_le16(len);
927
928 if (len <= ring->payload_size) {
929 entry->flags = BCM4377_XFER_RING_FLAG_PAYLOAD_IN_FOOTER;
930 payload = ring->ring + offset + sizeof(*entry);
931 } else {
932 entry->flags = BCM4377_XFER_RING_FLAG_PAYLOAD_MAPPED;
933 entry->payload = cpu_to_le64(ring->payloads_dma +
934 msgid * ring->mapped_payload_size);
935 payload = ring->payloads + msgid * ring->mapped_payload_size;
936 }
937
938 memcpy(payload, data, len);
939
940 if (wait)
941 ring->events[msgid] = &event;
942
943 /*
944 * The 4377 chips stop responding to any commands as soon as they
945 * have been idle for a while. Poking the sleep control register here
946 * makes them come alive again.
947 */
948 iowrite32(BCM4377_BAR0_SLEEP_CONTROL_AWAKE,
949 bcm4377->bar0 + BCM4377_BAR0_SLEEP_CONTROL);
950
951 dev_dbg(&bcm4377->pdev->dev,
952 "updating head for transfer queue #%d to %d\n", ring->ring_id,
953 new_head);
954 bcm4377->ring_state->xfer_ring_head[ring->ring_id] =
955 cpu_to_le16(new_head);
956
957 if (!ring->sync)
958 bcm4377_ring_doorbell(bcm4377, ring->doorbell, new_head);
959 ret = 0;
960
961out:
962 spin_unlock_irqrestore(&ring->lock, flags);
963
964 if (ret == 0 && wait) {
965 ret = wait_for_completion_interruptible_timeout(
966 &event, BCM4377_TIMEOUT);
967 if (ret == 0)
968 ret = -ETIMEDOUT;
969 else if (ret > 0)
970 ret = 0;
971
972 spin_lock_irqsave(&ring->lock, flags);
973 ring->events[msgid] = NULL;
974 spin_unlock_irqrestore(&ring->lock, flags);
975 }
976
977 return ret;
978}
979
980static int bcm4377_create_completion_ring(struct bcm4377_data *bcm4377,
981 struct bcm4377_completion_ring *ring)
982{
983 struct bcm4377_create_completion_ring_msg msg;
984 int ret;
985
986 if (ring->enabled) {
987 dev_warn(&bcm4377->pdev->dev,
988 "completion ring %d already enabled\n", ring->ring_id);
989 return 0;
990 }
991
992 memset(ring->ring, 0,
993 ring->n_entries * (sizeof(struct bcm4377_completion_ring_entry) +
994 ring->payload_size));
995 memset(&msg, 0, sizeof(msg));
996 msg.msg_type = BCM4377_CONTROL_MSG_CREATE_COMPLETION_RING;
997 msg.id = cpu_to_le16(ring->ring_id);
998 msg.id_again = cpu_to_le16(ring->ring_id);
999 msg.ring_iova = cpu_to_le64(ring->ring_dma);
1000 msg.n_elements = cpu_to_le16(ring->n_entries);
1001 msg.intmod_bytes = cpu_to_le32(0xffffffff);
1002 msg.unk = cpu_to_le32(0xffffffff);
1003 msg.intmod_delay = cpu_to_le16(ring->delay);
1004 msg.footer_size = ring->payload_size / 4;
1005
1006 ret = bcm4377_enqueue(bcm4377, &bcm4377->control_h2d_ring, &msg,
1007 sizeof(msg), true);
1008 if (!ret)
1009 ring->enabled = true;
1010
1011 return ret;
1012}
1013
1014static int bcm4377_destroy_completion_ring(struct bcm4377_data *bcm4377,
1015 struct bcm4377_completion_ring *ring)
1016{
1017 struct bcm4377_destroy_completion_ring_msg msg;
1018 int ret;
1019
1020 memset(&msg, 0, sizeof(msg));
1021 msg.msg_type = BCM4377_CONTROL_MSG_DESTROY_COMPLETION_RING;
1022 msg.ring_id = cpu_to_le16(ring->ring_id);
1023
1024 ret = bcm4377_enqueue(bcm4377, &bcm4377->control_h2d_ring, &msg,
1025 sizeof(msg), true);
1026 if (ret)
1027 dev_warn(&bcm4377->pdev->dev,
1028 "failed to destroy completion ring %d\n",
1029 ring->ring_id);
1030
1031 ring->enabled = false;
1032 return ret;
1033}
1034
1035static int bcm4377_create_transfer_ring(struct bcm4377_data *bcm4377,
1036 struct bcm4377_transfer_ring *ring)
1037{
1038 struct bcm4377_create_transfer_ring_msg msg;
1039 u16 flags = 0;
1040 int ret, i;
1041 unsigned long spinlock_flags;
1042
1043 if (ring->virtual)
1044 flags |= BCM4377_XFER_RING_FLAG_VIRTUAL;
1045 if (ring->sync)
1046 flags |= BCM4377_XFER_RING_FLAG_SYNC;
1047
1048 spin_lock_irqsave(&ring->lock, spinlock_flags);
1049 memset(&msg, 0, sizeof(msg));
1050 msg.msg_type = BCM4377_CONTROL_MSG_CREATE_XFER_RING;
1051 msg.ring_id = cpu_to_le16(ring->ring_id);
1052 msg.ring_id_again = cpu_to_le16(ring->ring_id);
1053 msg.ring_iova = cpu_to_le64(ring->ring_dma);
1054 msg.n_elements = cpu_to_le16(ring->n_entries);
1055 msg.completion_ring_id = cpu_to_le16(ring->completion_ring);
1056 msg.doorbell = cpu_to_le16(ring->doorbell);
1057 msg.flags = cpu_to_le16(flags);
1058 msg.footer_size = ring->payload_size / 4;
1059
1060 bcm4377->ring_state->xfer_ring_head[ring->ring_id] = 0;
1061 bcm4377->ring_state->xfer_ring_tail[ring->ring_id] = 0;
1062 ring->generation++;
1063 spin_unlock_irqrestore(&ring->lock, spinlock_flags);
1064
1065 ret = bcm4377_enqueue(bcm4377, &bcm4377->control_h2d_ring, &msg,
1066 sizeof(msg), true);
1067
1068 spin_lock_irqsave(&ring->lock, spinlock_flags);
1069
1070 if (ring->d2h_buffers_only) {
1071 for (i = 0; i < ring->n_entries; ++i) {
1072 struct bcm4377_xfer_ring_entry *entry =
1073 ring->ring + i * sizeof(*entry);
1074 u16 raw_msgid = FIELD_PREP(BCM4377_MSGID_GENERATION,
1075 ring->generation);
1076 raw_msgid |= FIELD_PREP(BCM4377_MSGID_ID, i);
1077
1078 memset(entry, 0, sizeof(*entry));
1079 entry->id = cpu_to_le16(raw_msgid);
1080 entry->len = cpu_to_le16(ring->mapped_payload_size);
1081 entry->flags = BCM4377_XFER_RING_FLAG_PAYLOAD_MAPPED;
1082 entry->payload =
1083 cpu_to_le64(ring->payloads_dma +
1084 i * ring->mapped_payload_size);
1085 }
1086 }
1087
1088 /*
1089 * send some messages if this is a device->host ring to allow the device
1090 * to reply by acknowledging them in the completion ring
1091 */
1092 if (ring->virtual || ring->d2h_buffers_only) {
1093 bcm4377->ring_state->xfer_ring_head[ring->ring_id] =
1094 cpu_to_le16(0xf);
1095 bcm4377_ring_doorbell(bcm4377, ring->doorbell, 0xf);
1096 }
1097
1098 ring->enabled = true;
1099 spin_unlock_irqrestore(&ring->lock, spinlock_flags);
1100
1101 return ret;
1102}
1103
1104static int bcm4377_destroy_transfer_ring(struct bcm4377_data *bcm4377,
1105 struct bcm4377_transfer_ring *ring)
1106{
1107 struct bcm4377_destroy_transfer_ring_msg msg;
1108 int ret;
1109
1110 memset(&msg, 0, sizeof(msg));
1111 msg.msg_type = BCM4377_CONTROL_MSG_DESTROY_XFER_RING;
1112 msg.ring_id = cpu_to_le16(ring->ring_id);
1113
1114 ret = bcm4377_enqueue(bcm4377, &bcm4377->control_h2d_ring, &msg,
1115 sizeof(msg), true);
1116 if (ret)
1117 dev_warn(&bcm4377->pdev->dev,
1118 "failed to destroy transfer ring %d\n", ring->ring_id);
1119
1120 ring->enabled = false;
1121 return ret;
1122}
1123
1124static int __bcm4378_send_calibration_chunk(struct bcm4377_data *bcm4377,
1125 const void *data, size_t data_len,
1126 u16 blocks_left)
1127{
1128 struct bcm4378_hci_send_calibration_cmd cmd;
1129 struct sk_buff *skb;
1130
1131 if (data_len > sizeof(cmd.data))
1132 return -EINVAL;
1133
1134 memset(&cmd, 0, sizeof(cmd));
1135 cmd.unk = 0x03;
1136 cmd.blocks_left = cpu_to_le16(blocks_left);
1137 memcpy(cmd.data, data, data_len);
1138
1139 skb = __hci_cmd_sync(bcm4377->hdev, 0xfd97, sizeof(cmd), &cmd,
1140 HCI_INIT_TIMEOUT);
1141 if (IS_ERR(skb))
1142 return PTR_ERR(skb);
1143
1144 kfree_skb(skb);
1145 return 0;
1146}
1147
1148static int __bcm4378_send_calibration(struct bcm4377_data *bcm4377,
1149 const void *data, size_t data_size)
1150{
1151 int ret;
1152 size_t i, left, transfer_len;
1153 size_t blocks =
1154 DIV_ROUND_UP(data_size, (size_t)BCM4378_CALIBRATION_CHUNK_SIZE);
1155
1156 if (!data) {
1157 dev_err(&bcm4377->pdev->dev,
1158 "no calibration data available.\n");
1159 return -ENOENT;
1160 }
1161
1162 for (i = 0, left = data_size; i < blocks; ++i, left -= transfer_len) {
1163 transfer_len =
1164 min_t(size_t, left, BCM4378_CALIBRATION_CHUNK_SIZE);
1165
1166 ret = __bcm4378_send_calibration_chunk(
1167 bcm4377, data + i * BCM4378_CALIBRATION_CHUNK_SIZE,
1168 transfer_len, blocks - i - 1);
1169 if (ret) {
1170 dev_err(&bcm4377->pdev->dev,
1171 "send calibration chunk failed with %d\n", ret);
1172 return ret;
1173 }
1174 }
1175
1176 return 0;
1177}
1178
1179static int bcm4378_send_calibration(struct bcm4377_data *bcm4377)
1180{
1181 if ((strcmp(bcm4377->stepping, "b1") == 0) ||
1182 strcmp(bcm4377->stepping, "b3") == 0)
1183 return __bcm4378_send_calibration(
1184 bcm4377, bcm4377->taurus_beamforming_cal_blob,
1185 bcm4377->taurus_beamforming_cal_size);
1186 else
1187 return __bcm4378_send_calibration(bcm4377,
1188 bcm4377->taurus_cal_blob,
1189 bcm4377->taurus_cal_size);
1190}
1191
1192static int bcm4387_send_calibration(struct bcm4377_data *bcm4377)
1193{
1194 if (strcmp(bcm4377->stepping, "c2") == 0)
1195 return __bcm4378_send_calibration(
1196 bcm4377, bcm4377->taurus_beamforming_cal_blob,
1197 bcm4377->taurus_beamforming_cal_size);
1198 else
1199 return __bcm4378_send_calibration(bcm4377,
1200 bcm4377->taurus_cal_blob,
1201 bcm4377->taurus_cal_size);
1202}
1203
1204static int bcm4388_send_calibration(struct bcm4377_data *bcm4377)
1205{
1206 /* BCM4388 always uses beamforming */
1207 return __bcm4378_send_calibration(
1208 bcm4377, bcm4377->taurus_beamforming_cal_blob,
1209 bcm4377->taurus_beamforming_cal_size);
1210}
1211
1212static const struct firmware *bcm4377_request_blob(struct bcm4377_data *bcm4377,
1213 const char *suffix)
1214{
1215 const struct firmware *fw;
1216 char name0[64], name1[64];
1217 int ret;
1218
1219 snprintf(name0, sizeof(name0), "brcm/brcmbt%04x%s-%s-%s.%s",
1220 bcm4377->hw->id, bcm4377->stepping, bcm4377->board_type,
1221 bcm4377->vendor, suffix);
1222 snprintf(name1, sizeof(name1), "brcm/brcmbt%04x%s-%s.%s",
1223 bcm4377->hw->id, bcm4377->stepping, bcm4377->board_type,
1224 suffix);
1225 dev_dbg(&bcm4377->pdev->dev, "Trying to load firmware: '%s' or '%s'\n",
1226 name0, name1);
1227
1228 ret = firmware_request_nowarn(&fw, name0, &bcm4377->pdev->dev);
1229 if (!ret)
1230 return fw;
1231 ret = firmware_request_nowarn(&fw, name1, &bcm4377->pdev->dev);
1232 if (!ret)
1233 return fw;
1234
1235 dev_err(&bcm4377->pdev->dev,
1236 "Unable to load firmware; tried '%s' and '%s'\n", name0, name1);
1237 return NULL;
1238}
1239
1240static int bcm4377_send_ptb(struct bcm4377_data *bcm4377,
1241 const struct firmware *fw)
1242{
1243 struct sk_buff *skb;
1244
1245 skb = __hci_cmd_sync(bcm4377->hdev, 0xfd98, fw->size, fw->data,
1246 HCI_INIT_TIMEOUT);
1247 /*
1248 * This command seems to always fail on more recent firmware versions
1249 * (even in traces taken from the macOS driver). It's unclear why this
1250 * happens but because the PTB file contains calibration and/or
1251 * regulatory data and may be required on older firmware we still try to
1252 * send it here just in case and just ignore if it fails.
1253 */
1254 if (!IS_ERR(skb))
1255 kfree_skb(skb);
1256 return 0;
1257}
1258
1259static int bcm4378_send_ptb_chunk(struct bcm4377_data *bcm4377,
1260 const void *data, size_t data_len,
1261 u16 blocks_left)
1262{
1263 struct bcm4378_hci_send_ptb_cmd cmd;
1264 struct sk_buff *skb;
1265
1266 if (data_len > BCM4378_PTB_CHUNK_SIZE)
1267 return -EINVAL;
1268
1269 memset(&cmd, 0, sizeof(cmd));
1270 cmd.blocks_left = cpu_to_le16(blocks_left);
1271 memcpy(cmd.data, data, data_len);
1272
1273 skb = __hci_cmd_sync(bcm4377->hdev, 0xfe0d, sizeof(cmd), &cmd,
1274 HCI_INIT_TIMEOUT);
1275 if (IS_ERR(skb))
1276 return PTR_ERR(skb);
1277
1278 kfree_skb(skb);
1279 return 0;
1280}
1281
1282static int bcm4378_send_ptb(struct bcm4377_data *bcm4377,
1283 const struct firmware *fw)
1284{
1285 size_t chunks = DIV_ROUND_UP(fw->size, (size_t)BCM4378_PTB_CHUNK_SIZE);
1286 size_t i, left, transfer_len;
1287 int ret;
1288
1289 for (i = 0, left = fw->size; i < chunks; ++i, left -= transfer_len) {
1290 transfer_len = min_t(size_t, left, BCM4378_PTB_CHUNK_SIZE);
1291
1292 dev_dbg(&bcm4377->pdev->dev, "sending ptb chunk %zu/%zu\n",
1293 i + 1, chunks);
1294 ret = bcm4378_send_ptb_chunk(
1295 bcm4377, fw->data + i * BCM4378_PTB_CHUNK_SIZE,
1296 transfer_len, chunks - i - 1);
1297 if (ret) {
1298 dev_err(&bcm4377->pdev->dev,
1299 "sending ptb chunk %zu failed (%d)", i, ret);
1300 return ret;
1301 }
1302 }
1303
1304 return 0;
1305}
1306
1307static int bcm4377_hci_open(struct hci_dev *hdev)
1308{
1309 struct bcm4377_data *bcm4377 = hci_get_drvdata(hdev);
1310 int ret;
1311
1312 dev_dbg(&bcm4377->pdev->dev, "creating rings\n");
1313
1314 ret = bcm4377_create_completion_ring(bcm4377,
1315 &bcm4377->hci_acl_ack_ring);
1316 if (ret)
1317 return ret;
1318 ret = bcm4377_create_completion_ring(bcm4377,
1319 &bcm4377->hci_acl_event_ring);
1320 if (ret)
1321 goto destroy_hci_acl_ack;
1322 ret = bcm4377_create_completion_ring(bcm4377, &bcm4377->sco_ack_ring);
1323 if (ret)
1324 goto destroy_hci_acl_event;
1325 ret = bcm4377_create_completion_ring(bcm4377, &bcm4377->sco_event_ring);
1326 if (ret)
1327 goto destroy_sco_ack;
1328 dev_dbg(&bcm4377->pdev->dev,
1329 "all completion rings successfully created!\n");
1330
1331 ret = bcm4377_create_transfer_ring(bcm4377, &bcm4377->hci_h2d_ring);
1332 if (ret)
1333 goto destroy_sco_event;
1334 ret = bcm4377_create_transfer_ring(bcm4377, &bcm4377->hci_d2h_ring);
1335 if (ret)
1336 goto destroy_hci_h2d;
1337 ret = bcm4377_create_transfer_ring(bcm4377, &bcm4377->sco_h2d_ring);
1338 if (ret)
1339 goto destroy_hci_d2h;
1340 ret = bcm4377_create_transfer_ring(bcm4377, &bcm4377->sco_d2h_ring);
1341 if (ret)
1342 goto destroy_sco_h2d;
1343 ret = bcm4377_create_transfer_ring(bcm4377, &bcm4377->acl_h2d_ring);
1344 if (ret)
1345 goto destroy_sco_d2h;
1346 ret = bcm4377_create_transfer_ring(bcm4377, &bcm4377->acl_d2h_ring);
1347 if (ret)
1348 goto destroy_acl_h2d;
1349 dev_dbg(&bcm4377->pdev->dev,
1350 "all transfer rings successfully created!\n");
1351
1352 return 0;
1353
1354destroy_acl_h2d:
1355 bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->acl_h2d_ring);
1356destroy_sco_d2h:
1357 bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->sco_d2h_ring);
1358destroy_sco_h2d:
1359 bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->sco_h2d_ring);
1360destroy_hci_d2h:
1361 bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->hci_h2d_ring);
1362destroy_hci_h2d:
1363 bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->hci_d2h_ring);
1364destroy_sco_event:
1365 bcm4377_destroy_completion_ring(bcm4377, &bcm4377->sco_event_ring);
1366destroy_sco_ack:
1367 bcm4377_destroy_completion_ring(bcm4377, &bcm4377->sco_ack_ring);
1368destroy_hci_acl_event:
1369 bcm4377_destroy_completion_ring(bcm4377, &bcm4377->hci_acl_event_ring);
1370destroy_hci_acl_ack:
1371 bcm4377_destroy_completion_ring(bcm4377, &bcm4377->hci_acl_ack_ring);
1372
1373 dev_err(&bcm4377->pdev->dev, "Creating rings failed with %d\n", ret);
1374 return ret;
1375}
1376
1377static int bcm4377_hci_close(struct hci_dev *hdev)
1378{
1379 struct bcm4377_data *bcm4377 = hci_get_drvdata(hdev);
1380
1381 dev_dbg(&bcm4377->pdev->dev, "destroying rings in hci_close\n");
1382
1383 bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->acl_d2h_ring);
1384 bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->acl_h2d_ring);
1385 bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->sco_d2h_ring);
1386 bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->sco_h2d_ring);
1387 bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->hci_d2h_ring);
1388 bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->hci_h2d_ring);
1389
1390 bcm4377_destroy_completion_ring(bcm4377, &bcm4377->sco_event_ring);
1391 bcm4377_destroy_completion_ring(bcm4377, &bcm4377->sco_ack_ring);
1392 bcm4377_destroy_completion_ring(bcm4377, &bcm4377->hci_acl_event_ring);
1393 bcm4377_destroy_completion_ring(bcm4377, &bcm4377->hci_acl_ack_ring);
1394
1395 return 0;
1396}
1397
1398static bool bcm4377_is_valid_bdaddr(struct bcm4377_data *bcm4377,
1399 bdaddr_t *addr)
1400{
1401 if (addr->b[0] != 0x93)
1402 return true;
1403 if (addr->b[1] != 0x76)
1404 return true;
1405 if (addr->b[2] != 0x00)
1406 return true;
1407 if (addr->b[4] != (bcm4377->hw->id & 0xff))
1408 return true;
1409 if (addr->b[5] != (bcm4377->hw->id >> 8))
1410 return true;
1411 return false;
1412}
1413
1414static int bcm4377_check_bdaddr(struct bcm4377_data *bcm4377)
1415{
1416 struct hci_rp_read_bd_addr *bda;
1417 struct sk_buff *skb;
1418
1419 skb = __hci_cmd_sync(bcm4377->hdev, HCI_OP_READ_BD_ADDR, 0, NULL,
1420 HCI_INIT_TIMEOUT);
1421 if (IS_ERR(skb)) {
1422 int err = PTR_ERR(skb);
1423
1424 dev_err(&bcm4377->pdev->dev, "HCI_OP_READ_BD_ADDR failed (%d)",
1425 err);
1426 return err;
1427 }
1428
1429 if (skb->len != sizeof(*bda)) {
1430 dev_err(&bcm4377->pdev->dev,
1431 "HCI_OP_READ_BD_ADDR reply length invalid");
1432 kfree_skb(skb);
1433 return -EIO;
1434 }
1435
1436 bda = (struct hci_rp_read_bd_addr *)skb->data;
1437 if (!bcm4377_is_valid_bdaddr(bcm4377, &bda->bdaddr))
1438 set_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &bcm4377->hdev->quirks);
1439
1440 kfree_skb(skb);
1441 return 0;
1442}
1443
1444static int bcm4377_hci_setup(struct hci_dev *hdev)
1445{
1446 struct bcm4377_data *bcm4377 = hci_get_drvdata(hdev);
1447 const struct firmware *fw;
1448 int ret;
1449
1450 if (bcm4377->hw->send_calibration) {
1451 ret = bcm4377->hw->send_calibration(bcm4377);
1452 if (ret)
1453 return ret;
1454 }
1455
1456 fw = bcm4377_request_blob(bcm4377, "ptb");
1457 if (!fw) {
1458 dev_err(&bcm4377->pdev->dev, "failed to load PTB data");
1459 return -ENOENT;
1460 }
1461
1462 ret = bcm4377->hw->send_ptb(bcm4377, fw);
1463 release_firmware(fw);
1464 if (ret)
1465 return ret;
1466
1467 return bcm4377_check_bdaddr(bcm4377);
1468}
1469
1470static int bcm4377_hci_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
1471{
1472 struct bcm4377_data *bcm4377 = hci_get_drvdata(hdev);
1473 struct bcm4377_transfer_ring *ring;
1474 int ret;
1475
1476 switch (hci_skb_pkt_type(skb)) {
1477 case HCI_COMMAND_PKT:
1478 hdev->stat.cmd_tx++;
1479 ring = &bcm4377->hci_h2d_ring;
1480 break;
1481
1482 case HCI_ACLDATA_PKT:
1483 hdev->stat.acl_tx++;
1484 ring = &bcm4377->acl_h2d_ring;
1485 break;
1486
1487 case HCI_SCODATA_PKT:
1488 hdev->stat.sco_tx++;
1489 ring = &bcm4377->sco_h2d_ring;
1490 break;
1491
1492 default:
1493 return -EILSEQ;
1494 }
1495
1496 ret = bcm4377_enqueue(bcm4377, ring, skb->data, skb->len, false);
1497 if (ret < 0) {
1498 hdev->stat.err_tx++;
1499 return ret;
1500 }
1501
1502 hdev->stat.byte_tx += skb->len;
1503 kfree_skb(skb);
1504 return ret;
1505}
1506
1507static int bcm4377_hci_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr)
1508{
1509 struct bcm4377_data *bcm4377 = hci_get_drvdata(hdev);
1510 struct sk_buff *skb;
1511 int err;
1512
1513 skb = __hci_cmd_sync(hdev, 0xfc01, 6, bdaddr, HCI_INIT_TIMEOUT);
1514 if (IS_ERR(skb)) {
1515 err = PTR_ERR(skb);
1516 dev_err(&bcm4377->pdev->dev,
1517 "Change address command failed (%d)", err);
1518 return err;
1519 }
1520 kfree_skb(skb);
1521
1522 return 0;
1523}
1524
1525static int bcm4377_alloc_transfer_ring(struct bcm4377_data *bcm4377,
1526 struct bcm4377_transfer_ring *ring)
1527{
1528 size_t entry_size;
1529
1530 spin_lock_init(&ring->lock);
1531 ring->payload_size = ALIGN(ring->payload_size, 4);
1532 ring->mapped_payload_size = ALIGN(ring->mapped_payload_size, 4);
1533
1534 if (ring->payload_size > BCM4377_XFER_RING_MAX_INPLACE_PAYLOAD_SIZE)
1535 return -EINVAL;
1536 if (ring->n_entries > BCM4377_MAX_RING_SIZE)
1537 return -EINVAL;
1538 if (ring->virtual && ring->allow_wait)
1539 return -EINVAL;
1540
1541 if (ring->d2h_buffers_only) {
1542 if (ring->virtual)
1543 return -EINVAL;
1544 if (ring->payload_size)
1545 return -EINVAL;
1546 if (!ring->mapped_payload_size)
1547 return -EINVAL;
1548 }
1549 if (ring->virtual)
1550 return 0;
1551
1552 entry_size =
1553 ring->payload_size + sizeof(struct bcm4377_xfer_ring_entry);
1554 ring->ring = dmam_alloc_coherent(&bcm4377->pdev->dev,
1555 ring->n_entries * entry_size,
1556 &ring->ring_dma, GFP_KERNEL);
1557 if (!ring->ring)
1558 return -ENOMEM;
1559
1560 if (ring->allow_wait) {
1561 ring->events = devm_kcalloc(&bcm4377->pdev->dev,
1562 ring->n_entries,
1563 sizeof(*ring->events), GFP_KERNEL);
1564 if (!ring->events)
1565 return -ENOMEM;
1566 }
1567
1568 if (ring->mapped_payload_size) {
1569 ring->payloads = dmam_alloc_coherent(
1570 &bcm4377->pdev->dev,
1571 ring->n_entries * ring->mapped_payload_size,
1572 &ring->payloads_dma, GFP_KERNEL);
1573 if (!ring->payloads)
1574 return -ENOMEM;
1575 }
1576
1577 return 0;
1578}
1579
1580static int bcm4377_alloc_completion_ring(struct bcm4377_data *bcm4377,
1581 struct bcm4377_completion_ring *ring)
1582{
1583 size_t entry_size;
1584
1585 ring->payload_size = ALIGN(ring->payload_size, 4);
1586 if (ring->payload_size > BCM4377_XFER_RING_MAX_INPLACE_PAYLOAD_SIZE)
1587 return -EINVAL;
1588 if (ring->n_entries > BCM4377_MAX_RING_SIZE)
1589 return -EINVAL;
1590
1591 entry_size = ring->payload_size +
1592 sizeof(struct bcm4377_completion_ring_entry);
1593
1594 ring->ring = dmam_alloc_coherent(&bcm4377->pdev->dev,
1595 ring->n_entries * entry_size,
1596 &ring->ring_dma, GFP_KERNEL);
1597 if (!ring->ring)
1598 return -ENOMEM;
1599 return 0;
1600}
1601
1602static int bcm4377_init_context(struct bcm4377_data *bcm4377)
1603{
1604 struct device *dev = &bcm4377->pdev->dev;
1605 dma_addr_t peripheral_info_dma;
1606
1607 bcm4377->ctx = dmam_alloc_coherent(dev, sizeof(*bcm4377->ctx),
1608 &bcm4377->ctx_dma, GFP_KERNEL);
1609 if (!bcm4377->ctx)
1610 return -ENOMEM;
1611 memset(bcm4377->ctx, 0, sizeof(*bcm4377->ctx));
1612
1613 bcm4377->ring_state =
1614 dmam_alloc_coherent(dev, sizeof(*bcm4377->ring_state),
1615 &bcm4377->ring_state_dma, GFP_KERNEL);
1616 if (!bcm4377->ring_state)
1617 return -ENOMEM;
1618 memset(bcm4377->ring_state, 0, sizeof(*bcm4377->ring_state));
1619
1620 bcm4377->ctx->version = cpu_to_le16(1);
1621 bcm4377->ctx->size = cpu_to_le16(sizeof(*bcm4377->ctx));
1622 bcm4377->ctx->enabled_caps = cpu_to_le32(2);
1623
1624 /*
1625 * The BT device will write 0x20 bytes of data to this buffer but
1626 * the exact contents are unknown. It only needs to exist for BT
1627 * to work such that we can just allocate and then ignore it.
1628 */
1629 if (!dmam_alloc_coherent(&bcm4377->pdev->dev, 0x20,
1630 &peripheral_info_dma, GFP_KERNEL))
1631 return -ENOMEM;
1632 bcm4377->ctx->peripheral_info_addr = cpu_to_le64(peripheral_info_dma);
1633
1634 bcm4377->ctx->xfer_ring_heads_addr = cpu_to_le64(
1635 bcm4377->ring_state_dma +
1636 offsetof(struct bcm4377_ring_state, xfer_ring_head));
1637 bcm4377->ctx->xfer_ring_tails_addr = cpu_to_le64(
1638 bcm4377->ring_state_dma +
1639 offsetof(struct bcm4377_ring_state, xfer_ring_tail));
1640 bcm4377->ctx->completion_ring_heads_addr = cpu_to_le64(
1641 bcm4377->ring_state_dma +
1642 offsetof(struct bcm4377_ring_state, completion_ring_head));
1643 bcm4377->ctx->completion_ring_tails_addr = cpu_to_le64(
1644 bcm4377->ring_state_dma +
1645 offsetof(struct bcm4377_ring_state, completion_ring_tail));
1646
1647 bcm4377->ctx->n_completion_rings =
1648 cpu_to_le16(BCM4377_N_COMPLETION_RINGS);
1649 bcm4377->ctx->n_xfer_rings = cpu_to_le16(BCM4377_N_TRANSFER_RINGS);
1650
1651 bcm4377->ctx->control_completion_ring_addr =
1652 cpu_to_le64(bcm4377->control_ack_ring.ring_dma);
1653 bcm4377->ctx->control_completion_ring_n_entries =
1654 cpu_to_le16(bcm4377->control_ack_ring.n_entries);
1655 bcm4377->ctx->control_completion_ring_doorbell = cpu_to_le16(0xffff);
1656 bcm4377->ctx->control_completion_ring_msi = 0;
1657 bcm4377->ctx->control_completion_ring_header_size = 0;
1658 bcm4377->ctx->control_completion_ring_footer_size = 0;
1659
1660 bcm4377->ctx->control_xfer_ring_addr =
1661 cpu_to_le64(bcm4377->control_h2d_ring.ring_dma);
1662 bcm4377->ctx->control_xfer_ring_n_entries =
1663 cpu_to_le16(bcm4377->control_h2d_ring.n_entries);
1664 bcm4377->ctx->control_xfer_ring_doorbell =
1665 cpu_to_le16(bcm4377->control_h2d_ring.doorbell);
1666 bcm4377->ctx->control_xfer_ring_msi = 0;
1667 bcm4377->ctx->control_xfer_ring_header_size = 0;
1668 bcm4377->ctx->control_xfer_ring_footer_size =
1669 bcm4377->control_h2d_ring.payload_size / 4;
1670
1671 dev_dbg(&bcm4377->pdev->dev, "context initialized at IOVA %pad",
1672 &bcm4377->ctx_dma);
1673
1674 return 0;
1675}
1676
1677static int bcm4377_prepare_rings(struct bcm4377_data *bcm4377)
1678{
1679 int ret;
1680
1681 /*
1682 * Even though many of these settings appear to be configurable
1683 * when sending the "create ring" messages most of these are
1684 * actually hardcoded in some (and quite possibly all) firmware versions
1685 * and changing them on the host has no effect.
1686 * Specifically, this applies to at least the doorbells, the transfer
1687 * and completion ring ids and their mapping (e.g. both HCI and ACL
1688 * entries will always be queued in completion rings 1 and 2 no matter
1689 * what we configure here).
1690 */
1691 bcm4377->control_ack_ring.ring_id = BCM4377_ACK_RING_CONTROL;
1692 bcm4377->control_ack_ring.n_entries = 32;
1693 bcm4377->control_ack_ring.transfer_rings =
1694 BIT(BCM4377_XFER_RING_CONTROL);
1695
1696 bcm4377->hci_acl_ack_ring.ring_id = BCM4377_ACK_RING_HCI_ACL;
1697 bcm4377->hci_acl_ack_ring.n_entries = 2 * BCM4377_RING_N_ENTRIES;
1698 bcm4377->hci_acl_ack_ring.transfer_rings =
1699 BIT(BCM4377_XFER_RING_HCI_H2D) | BIT(BCM4377_XFER_RING_ACL_H2D);
1700 bcm4377->hci_acl_ack_ring.delay = 1000;
1701
1702 /*
1703 * A payload size of MAX_EVENT_PAYLOAD_SIZE is enough here since large
1704 * ACL packets will be transmitted inside buffers mapped via
1705 * acl_d2h_ring anyway.
1706 */
1707 bcm4377->hci_acl_event_ring.ring_id = BCM4377_EVENT_RING_HCI_ACL;
1708 bcm4377->hci_acl_event_ring.payload_size = MAX_EVENT_PAYLOAD_SIZE;
1709 bcm4377->hci_acl_event_ring.n_entries = 2 * BCM4377_RING_N_ENTRIES;
1710 bcm4377->hci_acl_event_ring.transfer_rings =
1711 BIT(BCM4377_XFER_RING_HCI_D2H) | BIT(BCM4377_XFER_RING_ACL_D2H);
1712 bcm4377->hci_acl_event_ring.delay = 1000;
1713
1714 bcm4377->sco_ack_ring.ring_id = BCM4377_ACK_RING_SCO;
1715 bcm4377->sco_ack_ring.n_entries = BCM4377_RING_N_ENTRIES;
1716 bcm4377->sco_ack_ring.transfer_rings = BIT(BCM4377_XFER_RING_SCO_H2D);
1717
1718 bcm4377->sco_event_ring.ring_id = BCM4377_EVENT_RING_SCO;
1719 bcm4377->sco_event_ring.payload_size = MAX_SCO_PAYLOAD_SIZE;
1720 bcm4377->sco_event_ring.n_entries = BCM4377_RING_N_ENTRIES;
1721 bcm4377->sco_event_ring.transfer_rings = BIT(BCM4377_XFER_RING_SCO_D2H);
1722
1723 bcm4377->control_h2d_ring.ring_id = BCM4377_XFER_RING_CONTROL;
1724 bcm4377->control_h2d_ring.doorbell = BCM4377_DOORBELL_CONTROL;
1725 bcm4377->control_h2d_ring.payload_size = BCM4377_CONTROL_MSG_SIZE;
1726 bcm4377->control_h2d_ring.completion_ring = BCM4377_ACK_RING_CONTROL;
1727 bcm4377->control_h2d_ring.allow_wait = true;
1728 bcm4377->control_h2d_ring.n_entries = BCM4377_RING_N_ENTRIES;
1729
1730 bcm4377->hci_h2d_ring.ring_id = BCM4377_XFER_RING_HCI_H2D;
1731 bcm4377->hci_h2d_ring.doorbell = BCM4377_DOORBELL_HCI_H2D;
1732 bcm4377->hci_h2d_ring.payload_size = MAX_EVENT_PAYLOAD_SIZE;
1733 bcm4377->hci_h2d_ring.completion_ring = BCM4377_ACK_RING_HCI_ACL;
1734 bcm4377->hci_h2d_ring.n_entries = BCM4377_RING_N_ENTRIES;
1735
1736 bcm4377->hci_d2h_ring.ring_id = BCM4377_XFER_RING_HCI_D2H;
1737 bcm4377->hci_d2h_ring.doorbell = BCM4377_DOORBELL_HCI_D2H;
1738 bcm4377->hci_d2h_ring.completion_ring = BCM4377_EVENT_RING_HCI_ACL;
1739 bcm4377->hci_d2h_ring.virtual = true;
1740 bcm4377->hci_d2h_ring.n_entries = BCM4377_RING_N_ENTRIES;
1741
1742 bcm4377->sco_h2d_ring.ring_id = BCM4377_XFER_RING_SCO_H2D;
1743 bcm4377->sco_h2d_ring.doorbell = BCM4377_DOORBELL_SCO;
1744 bcm4377->sco_h2d_ring.payload_size = MAX_SCO_PAYLOAD_SIZE;
1745 bcm4377->sco_h2d_ring.completion_ring = BCM4377_ACK_RING_SCO;
1746 bcm4377->sco_h2d_ring.sync = true;
1747 bcm4377->sco_h2d_ring.n_entries = BCM4377_RING_N_ENTRIES;
1748
1749 bcm4377->sco_d2h_ring.ring_id = BCM4377_XFER_RING_SCO_D2H;
1750 bcm4377->sco_d2h_ring.doorbell = BCM4377_DOORBELL_SCO;
1751 bcm4377->sco_d2h_ring.completion_ring = BCM4377_EVENT_RING_SCO;
1752 bcm4377->sco_d2h_ring.virtual = true;
1753 bcm4377->sco_d2h_ring.sync = true;
1754 bcm4377->sco_d2h_ring.n_entries = BCM4377_RING_N_ENTRIES;
1755
1756 /*
1757 * This ring has to use mapped_payload_size because the largest ACL
1758 * packet doesn't fit inside the largest possible footer
1759 */
1760 bcm4377->acl_h2d_ring.ring_id = BCM4377_XFER_RING_ACL_H2D;
1761 bcm4377->acl_h2d_ring.doorbell = BCM4377_DOORBELL_ACL_H2D;
1762 bcm4377->acl_h2d_ring.mapped_payload_size = MAX_ACL_PAYLOAD_SIZE;
1763 bcm4377->acl_h2d_ring.completion_ring = BCM4377_ACK_RING_HCI_ACL;
1764 bcm4377->acl_h2d_ring.n_entries = BCM4377_RING_N_ENTRIES;
1765
1766 /*
1767 * This ring only contains empty buffers to be used by incoming
1768 * ACL packets that do not fit inside the footer of hci_acl_event_ring
1769 */
1770 bcm4377->acl_d2h_ring.ring_id = BCM4377_XFER_RING_ACL_D2H;
1771 bcm4377->acl_d2h_ring.doorbell = BCM4377_DOORBELL_ACL_D2H;
1772 bcm4377->acl_d2h_ring.completion_ring = BCM4377_EVENT_RING_HCI_ACL;
1773 bcm4377->acl_d2h_ring.d2h_buffers_only = true;
1774 bcm4377->acl_d2h_ring.mapped_payload_size = MAX_ACL_PAYLOAD_SIZE;
1775 bcm4377->acl_d2h_ring.n_entries = BCM4377_RING_N_ENTRIES;
1776
1777 /*
1778 * no need for any cleanup since this is only called from _probe
1779 * and only devres-managed allocations are used
1780 */
1781 ret = bcm4377_alloc_transfer_ring(bcm4377, &bcm4377->control_h2d_ring);
1782 if (ret)
1783 return ret;
1784 ret = bcm4377_alloc_transfer_ring(bcm4377, &bcm4377->hci_h2d_ring);
1785 if (ret)
1786 return ret;
1787 ret = bcm4377_alloc_transfer_ring(bcm4377, &bcm4377->hci_d2h_ring);
1788 if (ret)
1789 return ret;
1790 ret = bcm4377_alloc_transfer_ring(bcm4377, &bcm4377->sco_h2d_ring);
1791 if (ret)
1792 return ret;
1793 ret = bcm4377_alloc_transfer_ring(bcm4377, &bcm4377->sco_d2h_ring);
1794 if (ret)
1795 return ret;
1796 ret = bcm4377_alloc_transfer_ring(bcm4377, &bcm4377->acl_h2d_ring);
1797 if (ret)
1798 return ret;
1799 ret = bcm4377_alloc_transfer_ring(bcm4377, &bcm4377->acl_d2h_ring);
1800 if (ret)
1801 return ret;
1802
1803 ret = bcm4377_alloc_completion_ring(bcm4377,
1804 &bcm4377->control_ack_ring);
1805 if (ret)
1806 return ret;
1807 ret = bcm4377_alloc_completion_ring(bcm4377,
1808 &bcm4377->hci_acl_ack_ring);
1809 if (ret)
1810 return ret;
1811 ret = bcm4377_alloc_completion_ring(bcm4377,
1812 &bcm4377->hci_acl_event_ring);
1813 if (ret)
1814 return ret;
1815 ret = bcm4377_alloc_completion_ring(bcm4377, &bcm4377->sco_ack_ring);
1816 if (ret)
1817 return ret;
1818 ret = bcm4377_alloc_completion_ring(bcm4377, &bcm4377->sco_event_ring);
1819 if (ret)
1820 return ret;
1821
1822 dev_dbg(&bcm4377->pdev->dev, "all rings allocated and prepared\n");
1823
1824 return 0;
1825}
1826
1827static int bcm4377_boot(struct bcm4377_data *bcm4377)
1828{
1829 const struct firmware *fw;
1830 void *bfr;
1831 dma_addr_t fw_dma;
1832 int ret = 0;
1833 u32 bootstage, rti_status;
1834
1835 bootstage = ioread32(bcm4377->bar2 + bcm4377->hw->bar2_offset + BCM4377_BAR2_BOOTSTAGE);
1836 rti_status = ioread32(bcm4377->bar2 + bcm4377->hw->bar2_offset + BCM4377_BAR2_RTI_STATUS);
1837
1838 if (bootstage != 0) {
1839 dev_err(&bcm4377->pdev->dev, "bootstage is %d and not 0\n",
1840 bootstage);
1841 return -EINVAL;
1842 }
1843
1844 if (rti_status != 0) {
1845 dev_err(&bcm4377->pdev->dev, "RTI status is %d and not 0\n",
1846 rti_status);
1847 return -EINVAL;
1848 }
1849
1850 fw = bcm4377_request_blob(bcm4377, "bin");
1851 if (!fw) {
1852 dev_err(&bcm4377->pdev->dev, "Failed to load firmware\n");
1853 return -ENOENT;
1854 }
1855
1856 bfr = dma_alloc_coherent(&bcm4377->pdev->dev, fw->size, &fw_dma,
1857 GFP_KERNEL);
1858 if (!bfr) {
1859 ret = -ENOMEM;
1860 goto out_release_fw;
1861 }
1862
1863 memcpy(bfr, fw->data, fw->size);
1864
1865 iowrite32(0, bcm4377->bar0 + BCM4377_BAR0_HOST_WINDOW_LO);
1866 iowrite32(0, bcm4377->bar0 + BCM4377_BAR0_HOST_WINDOW_HI);
1867 iowrite32(BCM4377_DMA_MASK,
1868 bcm4377->bar0 + BCM4377_BAR0_HOST_WINDOW_SIZE);
1869
1870 iowrite32(lower_32_bits(fw_dma),
1871 bcm4377->bar2 + bcm4377->hw->bar2_offset + BCM4377_BAR2_FW_LO);
1872 iowrite32(upper_32_bits(fw_dma),
1873 bcm4377->bar2 + bcm4377->hw->bar2_offset + BCM4377_BAR2_FW_HI);
1874 iowrite32(fw->size,
1875 bcm4377->bar2 + bcm4377->hw->bar2_offset + BCM4377_BAR2_FW_SIZE);
1876 iowrite32(0, bcm4377->bar0 + BCM4377_BAR0_FW_DOORBELL);
1877
1878 dev_dbg(&bcm4377->pdev->dev, "waiting for firmware to boot\n");
1879
1880 ret = wait_for_completion_interruptible_timeout(&bcm4377->event,
1881 BCM4377_BOOT_TIMEOUT);
1882 if (ret == 0) {
1883 ret = -ETIMEDOUT;
1884 goto out_dma_free;
1885 } else if (ret < 0) {
1886 goto out_dma_free;
1887 }
1888
1889 if (bcm4377->bootstage != 2) {
1890 dev_err(&bcm4377->pdev->dev, "boostage %d != 2\n",
1891 bcm4377->bootstage);
1892 ret = -ENXIO;
1893 goto out_dma_free;
1894 }
1895
1896 dev_dbg(&bcm4377->pdev->dev, "firmware has booted (stage = %x)\n",
1897 bcm4377->bootstage);
1898 ret = 0;
1899
1900out_dma_free:
1901 dma_free_coherent(&bcm4377->pdev->dev, fw->size, bfr, fw_dma);
1902out_release_fw:
1903 release_firmware(fw);
1904 return ret;
1905}
1906
1907static int bcm4377_setup_rti(struct bcm4377_data *bcm4377)
1908{
1909 int ret;
1910
1911 dev_dbg(&bcm4377->pdev->dev, "starting RTI\n");
1912 iowrite32(1, bcm4377->bar0 + BCM4377_BAR0_RTI_CONTROL);
1913
1914 ret = wait_for_completion_interruptible_timeout(&bcm4377->event,
1915 BCM4377_TIMEOUT);
1916 if (ret == 0) {
1917 dev_err(&bcm4377->pdev->dev,
1918 "timed out while waiting for RTI to transition to state 1");
1919 return -ETIMEDOUT;
1920 } else if (ret < 0) {
1921 return ret;
1922 }
1923
1924 if (bcm4377->rti_status != 1) {
1925 dev_err(&bcm4377->pdev->dev, "RTI did not ack state 1 (%d)\n",
1926 bcm4377->rti_status);
1927 return -ENODEV;
1928 }
1929 dev_dbg(&bcm4377->pdev->dev, "RTI is in state 1\n");
1930
1931 /* allow access to the entire IOVA space again */
1932 iowrite32(0, bcm4377->bar2 + bcm4377->hw->bar2_offset + BCM4377_BAR2_RTI_WINDOW_LO);
1933 iowrite32(0, bcm4377->bar2 + bcm4377->hw->bar2_offset + BCM4377_BAR2_RTI_WINDOW_HI);
1934 iowrite32(BCM4377_DMA_MASK,
1935 bcm4377->bar2 + bcm4377->hw->bar2_offset + BCM4377_BAR2_RTI_WINDOW_SIZE);
1936
1937 /* setup "Converged IPC" context */
1938 iowrite32(lower_32_bits(bcm4377->ctx_dma),
1939 bcm4377->bar2 + bcm4377->hw->bar2_offset + BCM4377_BAR2_CONTEXT_ADDR_LO);
1940 iowrite32(upper_32_bits(bcm4377->ctx_dma),
1941 bcm4377->bar2 + bcm4377->hw->bar2_offset + BCM4377_BAR2_CONTEXT_ADDR_HI);
1942 iowrite32(2, bcm4377->bar0 + BCM4377_BAR0_RTI_CONTROL);
1943
1944 ret = wait_for_completion_interruptible_timeout(&bcm4377->event,
1945 BCM4377_TIMEOUT);
1946 if (ret == 0) {
1947 dev_err(&bcm4377->pdev->dev,
1948 "timed out while waiting for RTI to transition to state 2");
1949 return -ETIMEDOUT;
1950 } else if (ret < 0) {
1951 return ret;
1952 }
1953
1954 if (bcm4377->rti_status != 2) {
1955 dev_err(&bcm4377->pdev->dev, "RTI did not ack state 2 (%d)\n",
1956 bcm4377->rti_status);
1957 return -ENODEV;
1958 }
1959
1960 dev_dbg(&bcm4377->pdev->dev,
1961 "RTI is in state 2; control ring is ready\n");
1962 bcm4377->control_ack_ring.enabled = true;
1963
1964 return 0;
1965}
1966
1967static int bcm4377_parse_otp_board_params(struct bcm4377_data *bcm4377,
1968 char tag, const char *val, size_t len)
1969{
1970 if (tag != 'V')
1971 return 0;
1972 if (len >= sizeof(bcm4377->vendor))
1973 return -EINVAL;
1974
1975 strscpy(bcm4377->vendor, val, len + 1);
1976 return 0;
1977}
1978
1979static int bcm4377_parse_otp_chip_params(struct bcm4377_data *bcm4377, char tag,
1980 const char *val, size_t len)
1981{
1982 size_t idx = 0;
1983
1984 if (tag != 's')
1985 return 0;
1986 if (len >= sizeof(bcm4377->stepping))
1987 return -EINVAL;
1988
1989 while (len != 0) {
1990 bcm4377->stepping[idx] = tolower(val[idx]);
1991 if (val[idx] == '\0')
1992 return 0;
1993
1994 idx++;
1995 len--;
1996 }
1997
1998 bcm4377->stepping[idx] = '\0';
1999 return 0;
2000}
2001
2002static int bcm4377_parse_otp_str(struct bcm4377_data *bcm4377, const u8 *str,
2003 enum bcm4377_otp_params_type type)
2004{
2005 const char *p;
2006 int ret;
2007
2008 p = skip_spaces(str);
2009 while (*p) {
2010 char tag = *p++;
2011 const char *end;
2012 size_t len;
2013
2014 if (*p++ != '=') /* implicit NUL check */
2015 return -EINVAL;
2016
2017 /* *p might be NUL here, if so end == p and len == 0 */
2018 end = strchrnul(p, ' ');
2019 len = end - p;
2020
2021 /* leave 1 byte for NUL in destination string */
2022 if (len > (BCM4377_OTP_MAX_PARAM_LEN - 1))
2023 return -EINVAL;
2024
2025 switch (type) {
2026 case BCM4377_OTP_BOARD_PARAMS:
2027 ret = bcm4377_parse_otp_board_params(bcm4377, tag, p,
2028 len);
2029 break;
2030 case BCM4377_OTP_CHIP_PARAMS:
2031 ret = bcm4377_parse_otp_chip_params(bcm4377, tag, p,
2032 len);
2033 break;
2034 default:
2035 ret = -EINVAL;
2036 break;
2037 }
2038
2039 if (ret)
2040 return ret;
2041
2042 /* Skip to next arg, if any */
2043 p = skip_spaces(end);
2044 }
2045
2046 return 0;
2047}
2048
2049static int bcm4377_parse_otp_sys_vendor(struct bcm4377_data *bcm4377, u8 *otp,
2050 size_t size)
2051{
2052 int idx = 4;
2053 const char *chip_params;
2054 const char *board_params;
2055 int ret;
2056
2057 /* 4-byte header and two empty strings */
2058 if (size < 6)
2059 return -EINVAL;
2060
2061 if (get_unaligned_le32(otp) != BCM4377_OTP_VENDOR_HDR)
2062 return -EINVAL;
2063
2064 chip_params = &otp[idx];
2065
2066 /* Skip first string, including terminator */
2067 idx += strnlen(chip_params, size - idx) + 1;
2068 if (idx >= size)
2069 return -EINVAL;
2070
2071 board_params = &otp[idx];
2072
2073 /* Skip to terminator of second string */
2074 idx += strnlen(board_params, size - idx);
2075 if (idx >= size)
2076 return -EINVAL;
2077
2078 /* At this point both strings are guaranteed NUL-terminated */
2079 dev_dbg(&bcm4377->pdev->dev,
2080 "OTP: chip_params='%s' board_params='%s'\n", chip_params,
2081 board_params);
2082
2083 ret = bcm4377_parse_otp_str(bcm4377, chip_params,
2084 BCM4377_OTP_CHIP_PARAMS);
2085 if (ret)
2086 return ret;
2087
2088 ret = bcm4377_parse_otp_str(bcm4377, board_params,
2089 BCM4377_OTP_BOARD_PARAMS);
2090 if (ret)
2091 return ret;
2092
2093 if (!bcm4377->stepping[0] || !bcm4377->vendor[0])
2094 return -EINVAL;
2095
2096 dev_dbg(&bcm4377->pdev->dev, "OTP: stepping=%s, vendor=%s\n",
2097 bcm4377->stepping, bcm4377->vendor);
2098 return 0;
2099}
2100
2101static int bcm4377_parse_otp(struct bcm4377_data *bcm4377)
2102{
2103 u8 *otp;
2104 int i;
2105 int ret = -ENOENT;
2106
2107 otp = kzalloc(BCM4377_OTP_SIZE, GFP_KERNEL);
2108 if (!otp)
2109 return -ENOMEM;
2110
2111 for (i = 0; i < BCM4377_OTP_SIZE; ++i)
2112 otp[i] = ioread8(bcm4377->bar0 + bcm4377->hw->otp_offset + i);
2113
2114 i = 0;
2115 while (i < (BCM4377_OTP_SIZE - 1)) {
2116 u8 type = otp[i];
2117 u8 length = otp[i + 1];
2118
2119 if (type == 0)
2120 break;
2121
2122 if ((i + 2 + length) > BCM4377_OTP_SIZE)
2123 break;
2124
2125 switch (type) {
2126 case BCM4377_OTP_SYS_VENDOR:
2127 dev_dbg(&bcm4377->pdev->dev,
2128 "OTP @ 0x%x (%d): SYS_VENDOR", i, length);
2129 ret = bcm4377_parse_otp_sys_vendor(bcm4377, &otp[i + 2],
2130 length);
2131 break;
2132 case BCM4377_OTP_CIS:
2133 dev_dbg(&bcm4377->pdev->dev, "OTP @ 0x%x (%d): CIS", i,
2134 length);
2135 break;
2136 default:
2137 dev_dbg(&bcm4377->pdev->dev, "OTP @ 0x%x (%d): unknown",
2138 i, length);
2139 break;
2140 }
2141
2142 i += 2 + length;
2143 }
2144
2145 kfree(otp);
2146 return ret;
2147}
2148
2149static int bcm4377_init_cfg(struct bcm4377_data *bcm4377)
2150{
2151 int ret;
2152 u32 ctrl;
2153
2154 ret = pci_write_config_dword(bcm4377->pdev,
2155 BCM4377_PCIECFG_BAR0_WINDOW1,
2156 bcm4377->hw->bar0_window1);
2157 if (ret)
2158 return ret;
2159
2160 ret = pci_write_config_dword(bcm4377->pdev,
2161 BCM4377_PCIECFG_BAR0_WINDOW2,
2162 bcm4377->hw->bar0_window2);
2163 if (ret)
2164 return ret;
2165
2166 ret = pci_write_config_dword(
2167 bcm4377->pdev, BCM4377_PCIECFG_BAR0_CORE2_WINDOW1,
2168 BCM4377_PCIECFG_BAR0_CORE2_WINDOW1_DEFAULT);
2169 if (ret)
2170 return ret;
2171
2172 if (bcm4377->hw->has_bar0_core2_window2) {
2173 ret = pci_write_config_dword(bcm4377->pdev,
2174 BCM4377_PCIECFG_BAR0_CORE2_WINDOW2,
2175 bcm4377->hw->bar0_core2_window2);
2176 if (ret)
2177 return ret;
2178 }
2179
2180 ret = pci_write_config_dword(bcm4377->pdev, BCM4377_PCIECFG_BAR2_WINDOW,
2181 BCM4377_PCIECFG_BAR2_WINDOW_DEFAULT);
2182 if (ret)
2183 return ret;
2184
2185 ret = pci_read_config_dword(bcm4377->pdev,
2186 BCM4377_PCIECFG_SUBSYSTEM_CTRL, &ctrl);
2187 if (ret)
2188 return ret;
2189
2190 if (bcm4377->hw->clear_pciecfg_subsystem_ctrl_bit19)
2191 ctrl &= ~BIT(19);
2192 ctrl |= BIT(16);
2193
2194 return pci_write_config_dword(bcm4377->pdev,
2195 BCM4377_PCIECFG_SUBSYSTEM_CTRL, ctrl);
2196}
2197
2198static int bcm4377_probe_dmi(struct bcm4377_data *bcm4377)
2199{
2200 const struct dmi_system_id *board_type_dmi_id;
2201
2202 board_type_dmi_id = dmi_first_match(bcm4377_dmi_board_table);
2203 if (board_type_dmi_id && board_type_dmi_id->driver_data) {
2204 bcm4377->board_type = board_type_dmi_id->driver_data;
2205 dev_dbg(&bcm4377->pdev->dev,
2206 "found board type via DMI match: %s\n",
2207 bcm4377->board_type);
2208 }
2209
2210 return 0;
2211}
2212
2213static int bcm4377_probe_of(struct bcm4377_data *bcm4377)
2214{
2215 struct device_node *np = bcm4377->pdev->dev.of_node;
2216 int ret;
2217
2218 if (!np)
2219 return 0;
2220
2221 ret = of_property_read_string(np, "brcm,board-type",
2222 &bcm4377->board_type);
2223 if (ret) {
2224 dev_err(&bcm4377->pdev->dev, "no brcm,board-type property\n");
2225 return ret;
2226 }
2227
2228 bcm4377->taurus_beamforming_cal_blob =
2229 of_get_property(np, "brcm,taurus-bf-cal-blob",
2230 &bcm4377->taurus_beamforming_cal_size);
2231 if (!bcm4377->taurus_beamforming_cal_blob) {
2232 dev_err(&bcm4377->pdev->dev,
2233 "no brcm,taurus-bf-cal-blob property\n");
2234 return -ENOENT;
2235 }
2236 bcm4377->taurus_cal_blob = of_get_property(np, "brcm,taurus-cal-blob",
2237 &bcm4377->taurus_cal_size);
2238 if (!bcm4377->taurus_cal_blob) {
2239 dev_err(&bcm4377->pdev->dev,
2240 "no brcm,taurus-cal-blob property\n");
2241 return -ENOENT;
2242 }
2243
2244 return 0;
2245}
2246
2247static void bcm4377_disable_aspm(struct bcm4377_data *bcm4377)
2248{
2249 pci_disable_link_state(bcm4377->pdev,
2250 PCIE_LINK_STATE_L0S | PCIE_LINK_STATE_L1);
2251
2252 /*
2253 * pci_disable_link_state can fail if either CONFIG_PCIEASPM is disabled
2254 * or if the BIOS hasn't handed over control to us. We must *always*
2255 * disable ASPM for this device due to hardware errata though.
2256 */
2257 pcie_capability_clear_word(bcm4377->pdev, PCI_EXP_LNKCTL,
2258 PCI_EXP_LNKCTL_ASPMC);
2259}
2260
2261static void bcm4377_pci_free_irq_vectors(void *data)
2262{
2263 pci_free_irq_vectors(data);
2264}
2265
2266static void bcm4377_hci_free_dev(void *data)
2267{
2268 hci_free_dev(data);
2269}
2270
2271static void bcm4377_hci_unregister_dev(void *data)
2272{
2273 hci_unregister_dev(data);
2274}
2275
2276static int bcm4377_probe(struct pci_dev *pdev, const struct pci_device_id *id)
2277{
2278 struct bcm4377_data *bcm4377;
2279 struct hci_dev *hdev;
2280 int ret, irq;
2281
2282 ret = dma_set_mask_and_coherent(&pdev->dev, BCM4377_DMA_MASK);
2283 if (ret)
2284 return ret;
2285
2286 bcm4377 = devm_kzalloc(&pdev->dev, sizeof(*bcm4377), GFP_KERNEL);
2287 if (!bcm4377)
2288 return -ENOMEM;
2289
2290 bcm4377->pdev = pdev;
2291 bcm4377->hw = &bcm4377_hw_variants[id->driver_data];
2292 init_completion(&bcm4377->event);
2293
2294 ret = bcm4377_prepare_rings(bcm4377);
2295 if (ret)
2296 return ret;
2297
2298 ret = bcm4377_init_context(bcm4377);
2299 if (ret)
2300 return ret;
2301
2302 ret = bcm4377_probe_dmi(bcm4377);
2303 if (ret)
2304 return ret;
2305 ret = bcm4377_probe_of(bcm4377);
2306 if (ret)
2307 return ret;
2308 if (!bcm4377->board_type) {
2309 dev_err(&pdev->dev, "unable to determine board type\n");
2310 return -ENODEV;
2311 }
2312
2313 if (bcm4377->hw->disable_aspm)
2314 bcm4377_disable_aspm(bcm4377);
2315
2316 ret = pci_reset_function_locked(pdev);
2317 if (ret)
2318 dev_warn(
2319 &pdev->dev,
2320 "function level reset failed with %d; trying to continue anyway\n",
2321 ret);
2322
2323 /*
2324 * If this number is too low and we try to access any BAR too
2325 * early the device will crash. Experiments have shown that
2326 * approximately 50 msec is the minimum amount we have to wait.
2327 * Let's double that to be safe.
2328 */
2329 msleep(100);
2330
2331 ret = pcim_enable_device(pdev);
2332 if (ret)
2333 return ret;
2334 pci_set_master(pdev);
2335
2336 ret = bcm4377_init_cfg(bcm4377);
2337 if (ret)
2338 return ret;
2339
2340 bcm4377->bar0 = pcim_iomap(pdev, 0, 0);
2341 if (!bcm4377->bar0)
2342 return -EBUSY;
2343 bcm4377->bar2 = pcim_iomap(pdev, 2, 0);
2344 if (!bcm4377->bar2)
2345 return -EBUSY;
2346
2347 ret = bcm4377_parse_otp(bcm4377);
2348 if (ret) {
2349 dev_err(&pdev->dev, "Reading OTP failed with %d\n", ret);
2350 return ret;
2351 }
2352
2353 /*
2354 * Legacy interrupts result in an IRQ storm because we don't know where
2355 * the interrupt mask and status registers for these chips are.
2356 * MSIs are acked automatically instead.
2357 */
2358 ret = pci_alloc_irq_vectors(pdev, 1, 1, PCI_IRQ_MSI);
2359 if (ret < 0)
2360 return -ENODEV;
2361 ret = devm_add_action_or_reset(&pdev->dev, bcm4377_pci_free_irq_vectors,
2362 pdev);
2363 if (ret)
2364 return ret;
2365
2366 irq = pci_irq_vector(pdev, 0);
2367 if (irq <= 0)
2368 return -ENODEV;
2369
2370 ret = devm_request_irq(&pdev->dev, irq, bcm4377_irq, 0, "bcm4377",
2371 bcm4377);
2372 if (ret)
2373 return ret;
2374
2375 hdev = hci_alloc_dev();
2376 if (!hdev)
2377 return -ENOMEM;
2378 ret = devm_add_action_or_reset(&pdev->dev, bcm4377_hci_free_dev, hdev);
2379 if (ret)
2380 return ret;
2381
2382 bcm4377->hdev = hdev;
2383
2384 hdev->bus = HCI_PCI;
2385 hdev->open = bcm4377_hci_open;
2386 hdev->close = bcm4377_hci_close;
2387 hdev->send = bcm4377_hci_send_frame;
2388 hdev->set_bdaddr = bcm4377_hci_set_bdaddr;
2389 hdev->setup = bcm4377_hci_setup;
2390
2391 if (bcm4377->hw->broken_mws_transport_config)
2392 set_bit(HCI_QUIRK_BROKEN_MWS_TRANSPORT_CONFIG, &hdev->quirks);
2393 if (bcm4377->hw->broken_ext_scan)
2394 set_bit(HCI_QUIRK_BROKEN_EXT_SCAN, &hdev->quirks);
2395 if (bcm4377->hw->broken_le_coded)
2396 set_bit(HCI_QUIRK_BROKEN_LE_CODED, &hdev->quirks);
2397 if (bcm4377->hw->broken_le_ext_adv_report_phy)
2398 set_bit(HCI_QUIRK_FIXUP_LE_EXT_ADV_REPORT_PHY, &hdev->quirks);
2399
2400 pci_set_drvdata(pdev, bcm4377);
2401 hci_set_drvdata(hdev, bcm4377);
2402 SET_HCIDEV_DEV(hdev, &pdev->dev);
2403
2404 ret = bcm4377_boot(bcm4377);
2405 if (ret)
2406 return ret;
2407
2408 ret = bcm4377_setup_rti(bcm4377);
2409 if (ret)
2410 return ret;
2411
2412 ret = hci_register_dev(hdev);
2413 if (ret)
2414 return ret;
2415 return devm_add_action_or_reset(&pdev->dev, bcm4377_hci_unregister_dev,
2416 hdev);
2417}
2418
2419static int bcm4377_suspend(struct pci_dev *pdev, pm_message_t state)
2420{
2421 struct bcm4377_data *bcm4377 = pci_get_drvdata(pdev);
2422 int ret;
2423
2424 ret = hci_suspend_dev(bcm4377->hdev);
2425 if (ret)
2426 return ret;
2427
2428 iowrite32(BCM4377_BAR0_SLEEP_CONTROL_QUIESCE,
2429 bcm4377->bar0 + BCM4377_BAR0_SLEEP_CONTROL);
2430
2431 return 0;
2432}
2433
2434static int bcm4377_resume(struct pci_dev *pdev)
2435{
2436 struct bcm4377_data *bcm4377 = pci_get_drvdata(pdev);
2437
2438 iowrite32(BCM4377_BAR0_SLEEP_CONTROL_UNQUIESCE,
2439 bcm4377->bar0 + BCM4377_BAR0_SLEEP_CONTROL);
2440
2441 return hci_resume_dev(bcm4377->hdev);
2442}
2443
2444static const struct dmi_system_id bcm4377_dmi_board_table[] = {
2445 {
2446 .matches = {
2447 DMI_MATCH(DMI_BOARD_VENDOR, "Apple Inc."),
2448 DMI_MATCH(DMI_PRODUCT_NAME, "MacBookAir9,1"),
2449 },
2450 .driver_data = "apple,formosa",
2451 },
2452 {
2453 .matches = {
2454 DMI_MATCH(DMI_BOARD_VENDOR, "Apple Inc."),
2455 DMI_MATCH(DMI_PRODUCT_NAME, "MacBookPro15,4"),
2456 },
2457 .driver_data = "apple,formosa",
2458 },
2459 {
2460 .matches = {
2461 DMI_MATCH(DMI_BOARD_VENDOR, "Apple Inc."),
2462 DMI_MATCH(DMI_PRODUCT_NAME, "MacBookPro16,3"),
2463 },
2464 .driver_data = "apple,formosa",
2465 },
2466 {}
2467};
2468
2469static const struct bcm4377_hw bcm4377_hw_variants[] = {
2470 [BCM4377] = {
2471 .id = 0x4377,
2472 .otp_offset = 0x4120,
2473 .bar0_window1 = 0x1800b000,
2474 .bar0_window2 = 0x1810c000,
2475 .disable_aspm = true,
2476 .broken_ext_scan = true,
2477 .send_ptb = bcm4377_send_ptb,
2478 },
2479
2480 [BCM4378] = {
2481 .id = 0x4378,
2482 .otp_offset = 0x4120,
2483 .bar0_window1 = 0x18002000,
2484 .bar0_window2 = 0x1810a000,
2485 .bar0_core2_window2 = 0x18107000,
2486 .has_bar0_core2_window2 = true,
2487 .broken_mws_transport_config = true,
2488 .broken_le_coded = true,
2489 .send_calibration = bcm4378_send_calibration,
2490 .send_ptb = bcm4378_send_ptb,
2491 },
2492
2493 [BCM4387] = {
2494 .id = 0x4387,
2495 .otp_offset = 0x413c,
2496 .bar0_window1 = 0x18002000,
2497 .bar0_window2 = 0x18109000,
2498 .bar0_core2_window2 = 0x18106000,
2499 .has_bar0_core2_window2 = true,
2500 .clear_pciecfg_subsystem_ctrl_bit19 = true,
2501 .broken_mws_transport_config = true,
2502 .broken_le_coded = true,
2503 .broken_le_ext_adv_report_phy = true,
2504 .send_calibration = bcm4387_send_calibration,
2505 .send_ptb = bcm4378_send_ptb,
2506 },
2507
2508 [BCM4388] = {
2509 .id = 0x4388,
2510 .otp_offset = 0x415c,
2511 .bar2_offset = 0x200000,
2512 .bar0_window1 = 0x18002000,
2513 .bar0_window2 = 0x18109000,
2514 .bar0_core2_window2 = 0x18106000,
2515 .has_bar0_core2_window2 = true,
2516 .broken_mws_transport_config = true,
2517 .broken_le_coded = true,
2518 .broken_le_ext_adv_report_phy = true,
2519 .send_calibration = bcm4388_send_calibration,
2520 .send_ptb = bcm4378_send_ptb,
2521 },
2522};
2523
2524#define BCM4377_DEVID_ENTRY(id) \
2525 { \
2526 PCI_VENDOR_ID_BROADCOM, BCM##id##_DEVICE_ID, PCI_ANY_ID, \
2527 PCI_ANY_ID, PCI_CLASS_NETWORK_OTHER << 8, 0xffff00, \
2528 BCM##id \
2529 }
2530
2531static const struct pci_device_id bcm4377_devid_table[] = {
2532 BCM4377_DEVID_ENTRY(4377),
2533 BCM4377_DEVID_ENTRY(4378),
2534 BCM4377_DEVID_ENTRY(4387),
2535 BCM4377_DEVID_ENTRY(4388),
2536 {},
2537};
2538MODULE_DEVICE_TABLE(pci, bcm4377_devid_table);
2539
2540static struct pci_driver bcm4377_pci_driver = {
2541 .name = "hci_bcm4377",
2542 .id_table = bcm4377_devid_table,
2543 .probe = bcm4377_probe,
2544 .suspend = bcm4377_suspend,
2545 .resume = bcm4377_resume,
2546};
2547module_pci_driver(bcm4377_pci_driver);
2548
2549MODULE_AUTHOR("Sven Peter <sven@svenpeter.dev>");
2550MODULE_DESCRIPTION("Bluetooth support for Broadcom 4377/4378/4387/4388 devices");
2551MODULE_LICENSE("Dual MIT/GPL");
2552MODULE_FIRMWARE("brcm/brcmbt4377*.bin");
2553MODULE_FIRMWARE("brcm/brcmbt4377*.ptb");
2554MODULE_FIRMWARE("brcm/brcmbt4378*.bin");
2555MODULE_FIRMWARE("brcm/brcmbt4378*.ptb");
2556MODULE_FIRMWARE("brcm/brcmbt4387*.bin");
2557MODULE_FIRMWARE("brcm/brcmbt4387*.ptb");
2558MODULE_FIRMWARE("brcm/brcmbt4388*.bin");
2559MODULE_FIRMWARE("brcm/brcmbt4388*.ptb");