1 // SPDX-License-Identifier: GPL-2.0-only OR MIT 2 /* 3 * Bluetooth HCI driver for Broadcom 4377/4378/4387 devices attached via PCIe 4 * 5 * Copyright (C) The Asahi Linux Contributors 6 */ 7 8 #include <linux/async.h> 9 #include <linux/bitfield.h> 10 #include <linux/completion.h> 11 #include <linux/dma-mapping.h> 12 #include <linux/dmi.h> 13 #include <linux/firmware.h> 14 #include <linux/module.h> 15 #include <linux/msi.h> 16 #include <linux/of.h> 17 #include <linux/pci.h> 18 #include <linux/printk.h> 19 20 #include <asm/unaligned.h> 21 22 #include <net/bluetooth/bluetooth.h> 23 #include <net/bluetooth/hci_core.h> 24 25 enum bcm4377_chip { 26 BCM4377 = 0, 27 BCM4378, 28 BCM4387, 29 }; 30 31 #define BCM4377_DEVICE_ID 0x5fa0 32 #define BCM4378_DEVICE_ID 0x5f69 33 #define BCM4387_DEVICE_ID 0x5f71 34 35 #define BCM4377_TIMEOUT 1000 36 37 /* 38 * These devices only support DMA transactions inside a 32bit window 39 * (possibly to avoid 64 bit arithmetic). The window size cannot exceed 40 * 0xffffffff but is always aligned down to the previous 0x200 byte boundary 41 * which effectively limits the window to [start, start+0xfffffe00]. 42 * We just limit the DMA window to [0, 0xfffffe00] to make sure we don't 43 * run into this limitation. 44 */ 45 #define BCM4377_DMA_MASK 0xfffffe00 46 47 #define BCM4377_PCIECFG_BAR0_WINDOW1 0x80 48 #define BCM4377_PCIECFG_BAR0_WINDOW2 0x70 49 #define BCM4377_PCIECFG_BAR0_CORE2_WINDOW1 0x74 50 #define BCM4377_PCIECFG_BAR0_CORE2_WINDOW2 0x78 51 #define BCM4377_PCIECFG_BAR2_WINDOW 0x84 52 53 #define BCM4377_PCIECFG_BAR0_CORE2_WINDOW1_DEFAULT 0x18011000 54 #define BCM4377_PCIECFG_BAR2_WINDOW_DEFAULT 0x19000000 55 56 #define BCM4377_PCIECFG_SUBSYSTEM_CTRL 0x88 57 58 #define BCM4377_BAR0_FW_DOORBELL 0x140 59 #define BCM4377_BAR0_RTI_CONTROL 0x144 60 61 #define BCM4377_BAR0_SLEEP_CONTROL 0x150 62 #define BCM4377_BAR0_SLEEP_CONTROL_UNQUIESCE 0 63 #define BCM4377_BAR0_SLEEP_CONTROL_AWAKE 2 64 #define BCM4377_BAR0_SLEEP_CONTROL_QUIESCE 3 65 66 #define BCM4377_BAR0_DOORBELL 0x174 67 #define BCM4377_BAR0_DOORBELL_VALUE GENMASK(31, 16) 68 #define BCM4377_BAR0_DOORBELL_IDX GENMASK(15, 8) 69 #define BCM4377_BAR0_DOORBELL_RING BIT(5) 70 71 #define BCM4377_BAR0_HOST_WINDOW_LO 0x590 72 #define BCM4377_BAR0_HOST_WINDOW_HI 0x594 73 #define BCM4377_BAR0_HOST_WINDOW_SIZE 0x598 74 75 #define BCM4377_BAR2_BOOTSTAGE 0x200454 76 77 #define BCM4377_BAR2_FW_LO 0x200478 78 #define BCM4377_BAR2_FW_HI 0x20047c 79 #define BCM4377_BAR2_FW_SIZE 0x200480 80 81 #define BCM4377_BAR2_CONTEXT_ADDR_LO 0x20048c 82 #define BCM4377_BAR2_CONTEXT_ADDR_HI 0x200450 83 84 #define BCM4377_BAR2_RTI_STATUS 0x20045c 85 #define BCM4377_BAR2_RTI_WINDOW_LO 0x200494 86 #define BCM4377_BAR2_RTI_WINDOW_HI 0x200498 87 #define BCM4377_BAR2_RTI_WINDOW_SIZE 0x20049c 88 89 #define BCM4377_OTP_SIZE 0xe0 90 #define BCM4377_OTP_SYS_VENDOR 0x15 91 #define BCM4377_OTP_CIS 0x80 92 #define BCM4377_OTP_VENDOR_HDR 0x00000008 93 #define BCM4377_OTP_MAX_PARAM_LEN 16 94 95 #define BCM4377_N_TRANSFER_RINGS 9 96 #define BCM4377_N_COMPLETION_RINGS 6 97 98 #define BCM4377_MAX_RING_SIZE 256 99 100 #define BCM4377_MSGID_GENERATION GENMASK(15, 8) 101 #define BCM4377_MSGID_ID GENMASK(7, 0) 102 103 #define BCM4377_RING_N_ENTRIES 128 104 105 #define BCM4377_CONTROL_MSG_SIZE 0x34 106 #define BCM4377_XFER_RING_MAX_INPLACE_PAYLOAD_SIZE (4 * 0xff) 107 108 #define MAX_ACL_PAYLOAD_SIZE (HCI_MAX_FRAME_SIZE + HCI_ACL_HDR_SIZE) 109 #define MAX_SCO_PAYLOAD_SIZE (HCI_MAX_SCO_SIZE + HCI_SCO_HDR_SIZE) 110 #define MAX_EVENT_PAYLOAD_SIZE (HCI_MAX_EVENT_SIZE + HCI_EVENT_HDR_SIZE) 111 112 enum bcm4377_otp_params_type { 113 BCM4377_OTP_BOARD_PARAMS, 114 BCM4377_OTP_CHIP_PARAMS 115 }; 116 117 enum bcm4377_transfer_ring_id { 118 BCM4377_XFER_RING_CONTROL = 0, 119 BCM4377_XFER_RING_HCI_H2D = 1, 120 BCM4377_XFER_RING_HCI_D2H = 2, 121 BCM4377_XFER_RING_SCO_H2D = 3, 122 BCM4377_XFER_RING_SCO_D2H = 4, 123 BCM4377_XFER_RING_ACL_H2D = 5, 124 BCM4377_XFER_RING_ACL_D2H = 6, 125 }; 126 127 enum bcm4377_completion_ring_id { 128 BCM4377_ACK_RING_CONTROL = 0, 129 BCM4377_ACK_RING_HCI_ACL = 1, 130 BCM4377_EVENT_RING_HCI_ACL = 2, 131 BCM4377_ACK_RING_SCO = 3, 132 BCM4377_EVENT_RING_SCO = 4, 133 }; 134 135 enum bcm4377_doorbell { 136 BCM4377_DOORBELL_CONTROL = 0, 137 BCM4377_DOORBELL_HCI_H2D = 1, 138 BCM4377_DOORBELL_HCI_D2H = 2, 139 BCM4377_DOORBELL_ACL_H2D = 3, 140 BCM4377_DOORBELL_ACL_D2H = 4, 141 BCM4377_DOORBELL_SCO = 6, 142 }; 143 144 /* 145 * Transfer ring entry 146 * 147 * flags: Flags to indicate if the payload is appended or mapped 148 * len: Payload length 149 * payload: Optional payload DMA address 150 * id: Message id to recognize the answer in the completion ring entry 151 */ 152 struct bcm4377_xfer_ring_entry { 153 #define BCM4377_XFER_RING_FLAG_PAYLOAD_MAPPED BIT(0) 154 #define BCM4377_XFER_RING_FLAG_PAYLOAD_IN_FOOTER BIT(1) 155 u8 flags; 156 __le16 len; 157 u8 _unk0; 158 __le64 payload; 159 __le16 id; 160 u8 _unk1[2]; 161 } __packed; 162 static_assert(sizeof(struct bcm4377_xfer_ring_entry) == 0x10); 163 164 /* 165 * Completion ring entry 166 * 167 * flags: Flags to indicate if the payload is appended or mapped. If the payload 168 * is mapped it can be found in the buffer of the corresponding transfer 169 * ring message. 170 * ring_id: Transfer ring ID which required this message 171 * msg_id: Message ID specified in transfer ring entry 172 * len: Payload length 173 */ 174 struct bcm4377_completion_ring_entry { 175 u8 flags; 176 u8 _unk0; 177 __le16 ring_id; 178 __le16 msg_id; 179 __le32 len; 180 u8 _unk1[6]; 181 } __packed; 182 static_assert(sizeof(struct bcm4377_completion_ring_entry) == 0x10); 183 184 enum bcm4377_control_message_type { 185 BCM4377_CONTROL_MSG_CREATE_XFER_RING = 1, 186 BCM4377_CONTROL_MSG_CREATE_COMPLETION_RING = 2, 187 BCM4377_CONTROL_MSG_DESTROY_XFER_RING = 3, 188 BCM4377_CONTROL_MSG_DESTROY_COMPLETION_RING = 4, 189 }; 190 191 /* 192 * Control message used to create a completion ring 193 * 194 * msg_type: Must be BCM4377_CONTROL_MSG_CREATE_COMPLETION_RING 195 * header_size: Unknown, but probably reserved space in front of the entry 196 * footer_size: Number of 32 bit words reserved for payloads after the entry 197 * id/id_again: Completion ring index 198 * ring_iova: DMA address of the ring buffer 199 * n_elements: Number of elements inside the ring buffer 200 * msi: MSI index, doesn't work for all rings though and should be zero 201 * intmod_delay: Unknown delay 202 * intmod_bytes: Unknown 203 */ 204 struct bcm4377_create_completion_ring_msg { 205 u8 msg_type; 206 u8 header_size; 207 u8 footer_size; 208 u8 _unk0; 209 __le16 id; 210 __le16 id_again; 211 __le64 ring_iova; 212 __le16 n_elements; 213 __le32 unk; 214 u8 _unk1[6]; 215 __le16 msi; 216 __le16 intmod_delay; 217 __le32 intmod_bytes; 218 __le16 _unk2; 219 __le32 _unk3; 220 u8 _unk4[10]; 221 } __packed; 222 static_assert(sizeof(struct bcm4377_create_completion_ring_msg) == 223 BCM4377_CONTROL_MSG_SIZE); 224 225 /* 226 * Control ring message used to destroy a completion ring 227 * 228 * msg_type: Must be BCM4377_CONTROL_MSG_DESTROY_COMPLETION_RING 229 * ring_id: Completion ring to be destroyed 230 */ 231 struct bcm4377_destroy_completion_ring_msg { 232 u8 msg_type; 233 u8 _pad0; 234 __le16 ring_id; 235 u8 _pad1[48]; 236 } __packed; 237 static_assert(sizeof(struct bcm4377_destroy_completion_ring_msg) == 238 BCM4377_CONTROL_MSG_SIZE); 239 240 /* 241 * Control message used to create a transfer ring 242 * 243 * msg_type: Must be BCM4377_CONTROL_MSG_CREATE_XFER_RING 244 * header_size: Number of 32 bit words reserved for unknown content before the 245 * entry 246 * footer_size: Number of 32 bit words reserved for payloads after the entry 247 * ring_id/ring_id_again: Transfer ring index 248 * ring_iova: DMA address of the ring buffer 249 * n_elements: Number of elements inside the ring buffer 250 * completion_ring_id: Completion ring index for acknowledgements and events 251 * doorbell: Doorbell index used to notify device of new entries 252 * flags: Transfer ring flags 253 * - virtual: set if there is no associated shared memory and only the 254 * corresponding completion ring is used 255 * - sync: only set for the SCO rings 256 */ 257 struct bcm4377_create_transfer_ring_msg { 258 u8 msg_type; 259 u8 header_size; 260 u8 footer_size; 261 u8 _unk0; 262 __le16 ring_id; 263 __le16 ring_id_again; 264 __le64 ring_iova; 265 u8 _unk1[8]; 266 __le16 n_elements; 267 __le16 completion_ring_id; 268 __le16 doorbell; 269 #define BCM4377_XFER_RING_FLAG_VIRTUAL BIT(7) 270 #define BCM4377_XFER_RING_FLAG_SYNC BIT(8) 271 __le16 flags; 272 u8 _unk2[20]; 273 } __packed; 274 static_assert(sizeof(struct bcm4377_create_transfer_ring_msg) == 275 BCM4377_CONTROL_MSG_SIZE); 276 277 /* 278 * Control ring message used to destroy a transfer ring 279 * 280 * msg_type: Must be BCM4377_CONTROL_MSG_DESTROY_XFER_RING 281 * ring_id: Transfer ring to be destroyed 282 */ 283 struct bcm4377_destroy_transfer_ring_msg { 284 u8 msg_type; 285 u8 _pad0; 286 __le16 ring_id; 287 u8 _pad1[48]; 288 } __packed; 289 static_assert(sizeof(struct bcm4377_destroy_transfer_ring_msg) == 290 BCM4377_CONTROL_MSG_SIZE); 291 292 /* 293 * "Converged IPC" context struct used to make the device aware of all other 294 * shared memory structures. A pointer to this structure is configured inside a 295 * MMIO register. 296 * 297 * version: Protocol version, must be 2. 298 * size: Size of this structure, must be 0x68. 299 * enabled_caps: Enabled capabilities. Unknown bitfield but should be 2. 300 * peripheral_info_addr: DMA address for a 0x20 buffer to which the device will 301 * write unknown contents 302 * {completion,xfer}_ring_{tails,heads}_addr: DMA pointers to ring heads/tails 303 * n_completion_rings: Number of completion rings, the firmware only works if 304 * this is set to BCM4377_N_COMPLETION_RINGS. 305 * n_xfer_rings: Number of transfer rings, the firmware only works if 306 * this is set to BCM4377_N_TRANSFER_RINGS. 307 * control_completion_ring_addr: Control completion ring buffer DMA address 308 * control_xfer_ring_addr: Control transfer ring buffer DMA address 309 * control_xfer_ring_n_entries: Number of control transfer ring entries 310 * control_completion_ring_n_entries: Number of control completion ring entries 311 * control_xfer_ring_doorbell: Control transfer ring doorbell 312 * control_completion_ring_doorbell: Control completion ring doorbell, 313 * must be set to 0xffff 314 * control_xfer_ring_msi: Control completion ring MSI index, must be 0 315 * control_completion_ring_msi: Control completion ring MSI index, must be 0. 316 * control_xfer_ring_header_size: Number of 32 bit words reserved in front of 317 * every control transfer ring entry 318 * control_xfer_ring_footer_size: Number of 32 bit words reserved after every 319 * control transfer ring entry 320 * control_completion_ring_header_size: Number of 32 bit words reserved in front 321 * of every control completion ring entry 322 * control_completion_ring_footer_size: Number of 32 bit words reserved after 323 * every control completion ring entry 324 * scratch_pad: Optional scratch pad DMA address 325 * scratch_pad_size: Scratch pad size 326 */ 327 struct bcm4377_context { 328 __le16 version; 329 __le16 size; 330 __le32 enabled_caps; 331 332 __le64 peripheral_info_addr; 333 334 /* ring heads and tails */ 335 __le64 completion_ring_heads_addr; 336 __le64 xfer_ring_tails_addr; 337 __le64 completion_ring_tails_addr; 338 __le64 xfer_ring_heads_addr; 339 __le16 n_completion_rings; 340 __le16 n_xfer_rings; 341 342 /* control ring configuration */ 343 __le64 control_completion_ring_addr; 344 __le64 control_xfer_ring_addr; 345 __le16 control_xfer_ring_n_entries; 346 __le16 control_completion_ring_n_entries; 347 __le16 control_xfer_ring_doorbell; 348 __le16 control_completion_ring_doorbell; 349 __le16 control_xfer_ring_msi; 350 __le16 control_completion_ring_msi; 351 u8 control_xfer_ring_header_size; 352 u8 control_xfer_ring_footer_size; 353 u8 control_completion_ring_header_size; 354 u8 control_completion_ring_footer_size; 355 356 __le16 _unk0; 357 __le16 _unk1; 358 359 __le64 scratch_pad; 360 __le32 scratch_pad_size; 361 362 __le32 _unk3; 363 } __packed; 364 static_assert(sizeof(struct bcm4377_context) == 0x68); 365 366 #define BCM4378_CALIBRATION_CHUNK_SIZE 0xe6 367 struct bcm4378_hci_send_calibration_cmd { 368 u8 unk; 369 __le16 blocks_left; 370 u8 data[BCM4378_CALIBRATION_CHUNK_SIZE]; 371 } __packed; 372 373 #define BCM4378_PTB_CHUNK_SIZE 0xcf 374 struct bcm4378_hci_send_ptb_cmd { 375 __le16 blocks_left; 376 u8 data[BCM4378_PTB_CHUNK_SIZE]; 377 } __packed; 378 379 /* 380 * Shared memory structure used to store the ring head and tail pointers. 381 */ 382 struct bcm4377_ring_state { 383 __le16 completion_ring_head[BCM4377_N_COMPLETION_RINGS]; 384 __le16 completion_ring_tail[BCM4377_N_COMPLETION_RINGS]; 385 __le16 xfer_ring_head[BCM4377_N_TRANSFER_RINGS]; 386 __le16 xfer_ring_tail[BCM4377_N_TRANSFER_RINGS]; 387 }; 388 389 /* 390 * A transfer ring can be used in two configurations: 391 * 1) Send control or HCI messages to the device which are then acknowledged 392 * in the corresponding completion ring 393 * 2) Receiving HCI frames from the devices. In this case the transfer ring 394 * itself contains empty messages that are acknowledged once data is 395 * available from the device. If the payloads fit inside the footers 396 * of the completion ring the transfer ring can be configured to be 397 * virtual such that it has no ring buffer. 398 * 399 * ring_id: ring index hardcoded in the firmware 400 * doorbell: doorbell index to notify device of new entries 401 * payload_size: optional in-place payload size 402 * mapped_payload_size: optional out-of-place payload size 403 * completion_ring: index of corresponding completion ring 404 * n_entries: number of entries inside this ring 405 * generation: ring generation; incremented on hci_open to detect stale messages 406 * sync: set to true for SCO rings 407 * virtual: set to true if this ring has no entries and is just required to 408 * setup a corresponding completion ring for device->host messages 409 * d2h_buffers_only: set to true if this ring is only used to provide large 410 * buffers used by device->host messages in the completion 411 * ring 412 * allow_wait: allow to wait for messages to be acknowledged 413 * enabled: true once the ring has been created and can be used 414 * ring: ring buffer for entries (struct bcm4377_xfer_ring_entry) 415 * ring_dma: DMA address for ring entry buffer 416 * payloads: payload buffer for mapped_payload_size payloads 417 * payloads_dma:DMA address for payload buffer 418 * events: pointer to array of completions if waiting is allowed 419 * msgids: bitmap to keep track of used message ids 420 * lock: Spinlock to protect access to ring structurs used in the irq handler 421 */ 422 struct bcm4377_transfer_ring { 423 enum bcm4377_transfer_ring_id ring_id; 424 enum bcm4377_doorbell doorbell; 425 size_t payload_size; 426 size_t mapped_payload_size; 427 u8 completion_ring; 428 u16 n_entries; 429 u8 generation; 430 431 bool sync; 432 bool virtual; 433 bool d2h_buffers_only; 434 bool allow_wait; 435 bool enabled; 436 437 void *ring; 438 dma_addr_t ring_dma; 439 440 void *payloads; 441 dma_addr_t payloads_dma; 442 443 struct completion **events; 444 DECLARE_BITMAP(msgids, BCM4377_MAX_RING_SIZE); 445 spinlock_t lock; 446 }; 447 448 /* 449 * A completion ring can be either used to either acknowledge messages sent in 450 * the corresponding transfer ring or to receive messages associated with the 451 * transfer ring. When used to receive messages the transfer ring either 452 * has no ring buffer and is only advanced ("virtual transfer ring") or it 453 * only contains empty DMA buffers to be used for the payloads. 454 * 455 * ring_id: completion ring id, hardcoded in firmware 456 * payload_size: optional payload size after each entry 457 * delay: unknown delay 458 * n_entries: number of entries in this ring 459 * enabled: true once the ring has been created and can be used 460 * ring: ring buffer for entries (struct bcm4377_completion_ring_entry) 461 * ring_dma: DMA address of ring buffer 462 * transfer_rings: bitmap of corresponding transfer ring ids 463 */ 464 struct bcm4377_completion_ring { 465 enum bcm4377_completion_ring_id ring_id; 466 u16 payload_size; 467 u16 delay; 468 u16 n_entries; 469 bool enabled; 470 471 void *ring; 472 dma_addr_t ring_dma; 473 474 unsigned long transfer_rings; 475 }; 476 477 struct bcm4377_data; 478 479 /* 480 * Chip-specific configuration struct 481 * 482 * id: Chip id (e.g. 0x4377 for BCM4377) 483 * otp_offset: Offset to the start of the OTP inside BAR0 484 * bar0_window1: Backplane address mapped to the first window in BAR0 485 * bar0_window2: Backplane address mapped to the second window in BAR0 486 * bar0_core2_window2: Optional backplane address mapped to the second core's 487 * second window in BAR0 488 * has_bar0_core2_window2: Set to true if this chip requires the second core's 489 * second window to be configured 490 * clear_pciecfg_subsystem_ctrl_bit19: Set to true if bit 19 in the 491 * vendor-specific subsystem control 492 * register has to be cleared 493 * disable_aspm: Set to true if ASPM must be disabled due to hardware errata 494 * broken_ext_scan: Set to true if the chip erroneously claims to support 495 * extended scanning 496 * broken_mws_transport_config: Set to true if the chip erroneously claims to 497 * support MWS Transport Configuration 498 * send_calibration: Optional callback to send calibration data 499 * send_ptb: Callback to send "PTB" regulatory/calibration data 500 */ 501 struct bcm4377_hw { 502 unsigned int id; 503 504 u32 otp_offset; 505 506 u32 bar0_window1; 507 u32 bar0_window2; 508 u32 bar0_core2_window2; 509 510 unsigned long has_bar0_core2_window2 : 1; 511 unsigned long clear_pciecfg_subsystem_ctrl_bit19 : 1; 512 unsigned long disable_aspm : 1; 513 unsigned long broken_ext_scan : 1; 514 unsigned long broken_mws_transport_config : 1; 515 516 int (*send_calibration)(struct bcm4377_data *bcm4377); 517 int (*send_ptb)(struct bcm4377_data *bcm4377, 518 const struct firmware *fw); 519 }; 520 521 static const struct bcm4377_hw bcm4377_hw_variants[]; 522 static const struct dmi_system_id bcm4377_dmi_board_table[]; 523 524 /* 525 * Private struct associated with each device containing global state 526 * 527 * pdev: Pointer to associated struct pci_dev 528 * hdev: Pointer to associated strucy hci_dev 529 * bar0: iomem pointing to BAR0 530 * bar1: iomem pointing to BAR2 531 * bootstage: Current value of the bootstage 532 * rti_status: Current "RTI" status value 533 * hw: Pointer to chip-specific struct bcm4377_hw 534 * taurus_cal_blob: "Taurus" calibration blob used for some chips 535 * taurus_cal_size: "Taurus" calibration blob size 536 * taurus_beamforming_cal_blob: "Taurus" beamforming calibration blob used for 537 * some chips 538 * taurus_beamforming_cal_size: "Taurus" beamforming calibration blob size 539 * stepping: Chip stepping read from OTP; used for firmware selection 540 * vendor: Antenna vendor read from OTP; used for firmware selection 541 * board_type: Board type from FDT or DMI match; used for firmware selection 542 * event: Event for changed bootstage or rti_status; used for booting firmware 543 * ctx: "Converged IPC" context 544 * ctx_dma: "Converged IPC" context DMA address 545 * ring_state: Shared memory buffer containing ring head and tail indexes 546 * ring_state_dma: DMA address for ring_state 547 * {control,hci_acl,sco}_ack_ring: Completion rings used to acknowledge messages 548 * {hci_acl,sco}_event_ring: Completion rings used for device->host messages 549 * control_h2d_ring: Transfer ring used for control messages 550 * {hci,sco,acl}_h2d_ring: Transfer ring used to transfer HCI frames 551 * {hci,sco,acl}_d2h_ring: Transfer ring used to receive HCI frames in the 552 * corresponding completion ring 553 */ 554 struct bcm4377_data { 555 struct pci_dev *pdev; 556 struct hci_dev *hdev; 557 558 void __iomem *bar0; 559 void __iomem *bar2; 560 561 u32 bootstage; 562 u32 rti_status; 563 564 const struct bcm4377_hw *hw; 565 566 const void *taurus_cal_blob; 567 int taurus_cal_size; 568 const void *taurus_beamforming_cal_blob; 569 int taurus_beamforming_cal_size; 570 571 char stepping[BCM4377_OTP_MAX_PARAM_LEN]; 572 char vendor[BCM4377_OTP_MAX_PARAM_LEN]; 573 const char *board_type; 574 575 struct completion event; 576 577 struct bcm4377_context *ctx; 578 dma_addr_t ctx_dma; 579 580 struct bcm4377_ring_state *ring_state; 581 dma_addr_t ring_state_dma; 582 583 /* 584 * The HCI and ACL rings have to be merged because this structure is 585 * hardcoded in the firmware. 586 */ 587 struct bcm4377_completion_ring control_ack_ring; 588 struct bcm4377_completion_ring hci_acl_ack_ring; 589 struct bcm4377_completion_ring hci_acl_event_ring; 590 struct bcm4377_completion_ring sco_ack_ring; 591 struct bcm4377_completion_ring sco_event_ring; 592 593 struct bcm4377_transfer_ring control_h2d_ring; 594 struct bcm4377_transfer_ring hci_h2d_ring; 595 struct bcm4377_transfer_ring hci_d2h_ring; 596 struct bcm4377_transfer_ring sco_h2d_ring; 597 struct bcm4377_transfer_ring sco_d2h_ring; 598 struct bcm4377_transfer_ring acl_h2d_ring; 599 struct bcm4377_transfer_ring acl_d2h_ring; 600 }; 601 bcm4377_ring_doorbell(struct bcm4377_data * bcm4377,u8 doorbell,u16 val)602 static void bcm4377_ring_doorbell(struct bcm4377_data *bcm4377, u8 doorbell, 603 u16 val) 604 { 605 u32 db = 0; 606 607 db |= FIELD_PREP(BCM4377_BAR0_DOORBELL_VALUE, val); 608 db |= FIELD_PREP(BCM4377_BAR0_DOORBELL_IDX, doorbell); 609 db |= BCM4377_BAR0_DOORBELL_RING; 610 611 dev_dbg(&bcm4377->pdev->dev, "write %d to doorbell #%d (0x%x)\n", val, 612 doorbell, db); 613 iowrite32(db, bcm4377->bar0 + BCM4377_BAR0_DOORBELL); 614 } 615 bcm4377_extract_msgid(struct bcm4377_data * bcm4377,struct bcm4377_transfer_ring * ring,u16 raw_msgid,u8 * msgid)616 static int bcm4377_extract_msgid(struct bcm4377_data *bcm4377, 617 struct bcm4377_transfer_ring *ring, 618 u16 raw_msgid, u8 *msgid) 619 { 620 u8 generation = FIELD_GET(BCM4377_MSGID_GENERATION, raw_msgid); 621 *msgid = FIELD_GET(BCM4377_MSGID_ID, raw_msgid); 622 623 if (generation != ring->generation) { 624 dev_warn( 625 &bcm4377->pdev->dev, 626 "invalid message generation %d should be %d in entry for ring %d\n", 627 generation, ring->generation, ring->ring_id); 628 return -EINVAL; 629 } 630 631 if (*msgid >= ring->n_entries) { 632 dev_warn(&bcm4377->pdev->dev, 633 "invalid message id in entry for ring %d: %d > %d\n", 634 ring->ring_id, *msgid, ring->n_entries); 635 return -EINVAL; 636 } 637 638 return 0; 639 } 640 bcm4377_handle_event(struct bcm4377_data * bcm4377,struct bcm4377_transfer_ring * ring,u16 raw_msgid,u8 entry_flags,u8 type,void * payload,size_t len)641 static void bcm4377_handle_event(struct bcm4377_data *bcm4377, 642 struct bcm4377_transfer_ring *ring, 643 u16 raw_msgid, u8 entry_flags, u8 type, 644 void *payload, size_t len) 645 { 646 struct sk_buff *skb; 647 u16 head; 648 u8 msgid; 649 unsigned long flags; 650 651 spin_lock_irqsave(&ring->lock, flags); 652 if (!ring->enabled) { 653 dev_warn(&bcm4377->pdev->dev, 654 "event for disabled transfer ring %d\n", 655 ring->ring_id); 656 goto out; 657 } 658 659 if (ring->d2h_buffers_only && 660 entry_flags & BCM4377_XFER_RING_FLAG_PAYLOAD_MAPPED) { 661 if (bcm4377_extract_msgid(bcm4377, ring, raw_msgid, &msgid)) 662 goto out; 663 664 if (len > ring->mapped_payload_size) { 665 dev_warn( 666 &bcm4377->pdev->dev, 667 "invalid payload len in event for ring %d: %zu > %zu\n", 668 ring->ring_id, len, ring->mapped_payload_size); 669 goto out; 670 } 671 672 payload = ring->payloads + msgid * ring->mapped_payload_size; 673 } 674 675 skb = bt_skb_alloc(len, GFP_ATOMIC); 676 if (!skb) 677 goto out; 678 679 memcpy(skb_put(skb, len), payload, len); 680 hci_skb_pkt_type(skb) = type; 681 hci_recv_frame(bcm4377->hdev, skb); 682 683 out: 684 head = le16_to_cpu(bcm4377->ring_state->xfer_ring_head[ring->ring_id]); 685 head = (head + 1) % ring->n_entries; 686 bcm4377->ring_state->xfer_ring_head[ring->ring_id] = cpu_to_le16(head); 687 688 bcm4377_ring_doorbell(bcm4377, ring->doorbell, head); 689 690 spin_unlock_irqrestore(&ring->lock, flags); 691 } 692 bcm4377_handle_ack(struct bcm4377_data * bcm4377,struct bcm4377_transfer_ring * ring,u16 raw_msgid)693 static void bcm4377_handle_ack(struct bcm4377_data *bcm4377, 694 struct bcm4377_transfer_ring *ring, 695 u16 raw_msgid) 696 { 697 unsigned long flags; 698 u8 msgid; 699 700 spin_lock_irqsave(&ring->lock, flags); 701 702 if (bcm4377_extract_msgid(bcm4377, ring, raw_msgid, &msgid)) 703 goto unlock; 704 705 if (!test_bit(msgid, ring->msgids)) { 706 dev_warn( 707 &bcm4377->pdev->dev, 708 "invalid message id in ack for ring %d: %d is not used\n", 709 ring->ring_id, msgid); 710 goto unlock; 711 } 712 713 if (ring->allow_wait && ring->events[msgid]) { 714 complete(ring->events[msgid]); 715 ring->events[msgid] = NULL; 716 } 717 718 bitmap_release_region(ring->msgids, msgid, ring->n_entries); 719 720 unlock: 721 spin_unlock_irqrestore(&ring->lock, flags); 722 } 723 bcm4377_handle_completion(struct bcm4377_data * bcm4377,struct bcm4377_completion_ring * ring,u16 pos)724 static void bcm4377_handle_completion(struct bcm4377_data *bcm4377, 725 struct bcm4377_completion_ring *ring, 726 u16 pos) 727 { 728 struct bcm4377_completion_ring_entry *entry; 729 u16 msg_id, transfer_ring; 730 size_t entry_size, data_len; 731 void *data; 732 733 if (pos >= ring->n_entries) { 734 dev_warn(&bcm4377->pdev->dev, 735 "invalid offset %d for completion ring %d\n", pos, 736 ring->ring_id); 737 return; 738 } 739 740 entry_size = sizeof(*entry) + ring->payload_size; 741 entry = ring->ring + pos * entry_size; 742 data = ring->ring + pos * entry_size + sizeof(*entry); 743 data_len = le32_to_cpu(entry->len); 744 msg_id = le16_to_cpu(entry->msg_id); 745 transfer_ring = le16_to_cpu(entry->ring_id); 746 747 if ((ring->transfer_rings & BIT(transfer_ring)) == 0) { 748 dev_warn( 749 &bcm4377->pdev->dev, 750 "invalid entry at offset %d for transfer ring %d in completion ring %d\n", 751 pos, transfer_ring, ring->ring_id); 752 return; 753 } 754 755 dev_dbg(&bcm4377->pdev->dev, 756 "entry in completion ring %d for transfer ring %d with msg_id %d\n", 757 ring->ring_id, transfer_ring, msg_id); 758 759 switch (transfer_ring) { 760 case BCM4377_XFER_RING_CONTROL: 761 bcm4377_handle_ack(bcm4377, &bcm4377->control_h2d_ring, msg_id); 762 break; 763 case BCM4377_XFER_RING_HCI_H2D: 764 bcm4377_handle_ack(bcm4377, &bcm4377->hci_h2d_ring, msg_id); 765 break; 766 case BCM4377_XFER_RING_SCO_H2D: 767 bcm4377_handle_ack(bcm4377, &bcm4377->sco_h2d_ring, msg_id); 768 break; 769 case BCM4377_XFER_RING_ACL_H2D: 770 bcm4377_handle_ack(bcm4377, &bcm4377->acl_h2d_ring, msg_id); 771 break; 772 773 case BCM4377_XFER_RING_HCI_D2H: 774 bcm4377_handle_event(bcm4377, &bcm4377->hci_d2h_ring, msg_id, 775 entry->flags, HCI_EVENT_PKT, data, 776 data_len); 777 break; 778 case BCM4377_XFER_RING_SCO_D2H: 779 bcm4377_handle_event(bcm4377, &bcm4377->sco_d2h_ring, msg_id, 780 entry->flags, HCI_SCODATA_PKT, data, 781 data_len); 782 break; 783 case BCM4377_XFER_RING_ACL_D2H: 784 bcm4377_handle_event(bcm4377, &bcm4377->acl_d2h_ring, msg_id, 785 entry->flags, HCI_ACLDATA_PKT, data, 786 data_len); 787 break; 788 789 default: 790 dev_warn( 791 &bcm4377->pdev->dev, 792 "entry in completion ring %d for unknown transfer ring %d with msg_id %d\n", 793 ring->ring_id, transfer_ring, msg_id); 794 } 795 } 796 bcm4377_poll_completion_ring(struct bcm4377_data * bcm4377,struct bcm4377_completion_ring * ring)797 static void bcm4377_poll_completion_ring(struct bcm4377_data *bcm4377, 798 struct bcm4377_completion_ring *ring) 799 { 800 u16 tail; 801 __le16 *heads = bcm4377->ring_state->completion_ring_head; 802 __le16 *tails = bcm4377->ring_state->completion_ring_tail; 803 804 if (!ring->enabled) 805 return; 806 807 tail = le16_to_cpu(tails[ring->ring_id]); 808 dev_dbg(&bcm4377->pdev->dev, 809 "completion ring #%d: head: %d, tail: %d\n", ring->ring_id, 810 le16_to_cpu(heads[ring->ring_id]), tail); 811 812 while (tail != le16_to_cpu(READ_ONCE(heads[ring->ring_id]))) { 813 /* 814 * ensure the CPU doesn't speculate through the comparison. 815 * otherwise it might already read the (empty) queue entry 816 * before the updated head has been loaded and checked. 817 */ 818 dma_rmb(); 819 820 bcm4377_handle_completion(bcm4377, ring, tail); 821 822 tail = (tail + 1) % ring->n_entries; 823 tails[ring->ring_id] = cpu_to_le16(tail); 824 } 825 } 826 bcm4377_irq(int irq,void * data)827 static irqreturn_t bcm4377_irq(int irq, void *data) 828 { 829 struct bcm4377_data *bcm4377 = data; 830 u32 bootstage, rti_status; 831 832 bootstage = ioread32(bcm4377->bar2 + BCM4377_BAR2_BOOTSTAGE); 833 rti_status = ioread32(bcm4377->bar2 + BCM4377_BAR2_RTI_STATUS); 834 835 if (bootstage != bcm4377->bootstage || 836 rti_status != bcm4377->rti_status) { 837 dev_dbg(&bcm4377->pdev->dev, 838 "bootstage = %d -> %d, rti state = %d -> %d\n", 839 bcm4377->bootstage, bootstage, bcm4377->rti_status, 840 rti_status); 841 complete(&bcm4377->event); 842 bcm4377->bootstage = bootstage; 843 bcm4377->rti_status = rti_status; 844 } 845 846 if (rti_status > 2) 847 dev_err(&bcm4377->pdev->dev, "RTI status is %d\n", rti_status); 848 849 bcm4377_poll_completion_ring(bcm4377, &bcm4377->control_ack_ring); 850 bcm4377_poll_completion_ring(bcm4377, &bcm4377->hci_acl_event_ring); 851 bcm4377_poll_completion_ring(bcm4377, &bcm4377->hci_acl_ack_ring); 852 bcm4377_poll_completion_ring(bcm4377, &bcm4377->sco_ack_ring); 853 bcm4377_poll_completion_ring(bcm4377, &bcm4377->sco_event_ring); 854 855 return IRQ_HANDLED; 856 } 857 bcm4377_enqueue(struct bcm4377_data * bcm4377,struct bcm4377_transfer_ring * ring,void * data,size_t len,bool wait)858 static int bcm4377_enqueue(struct bcm4377_data *bcm4377, 859 struct bcm4377_transfer_ring *ring, void *data, 860 size_t len, bool wait) 861 { 862 unsigned long flags; 863 struct bcm4377_xfer_ring_entry *entry; 864 void *payload; 865 size_t offset; 866 u16 head, tail, new_head; 867 u16 raw_msgid; 868 int ret, msgid; 869 DECLARE_COMPLETION_ONSTACK(event); 870 871 if (len > ring->payload_size && len > ring->mapped_payload_size) { 872 dev_warn( 873 &bcm4377->pdev->dev, 874 "payload len %zu is too large for ring %d (max is %zu or %zu)\n", 875 len, ring->ring_id, ring->payload_size, 876 ring->mapped_payload_size); 877 return -EINVAL; 878 } 879 if (wait && !ring->allow_wait) 880 return -EINVAL; 881 if (ring->virtual) 882 return -EINVAL; 883 884 spin_lock_irqsave(&ring->lock, flags); 885 886 head = le16_to_cpu(bcm4377->ring_state->xfer_ring_head[ring->ring_id]); 887 tail = le16_to_cpu(bcm4377->ring_state->xfer_ring_tail[ring->ring_id]); 888 889 new_head = (head + 1) % ring->n_entries; 890 891 if (new_head == tail) { 892 dev_warn(&bcm4377->pdev->dev, 893 "can't send message because ring %d is full\n", 894 ring->ring_id); 895 ret = -EINVAL; 896 goto out; 897 } 898 899 msgid = bitmap_find_free_region(ring->msgids, ring->n_entries, 0); 900 if (msgid < 0) { 901 dev_warn(&bcm4377->pdev->dev, 902 "can't find message id for ring %d\n", ring->ring_id); 903 ret = -EINVAL; 904 goto out; 905 } 906 907 raw_msgid = FIELD_PREP(BCM4377_MSGID_GENERATION, ring->generation); 908 raw_msgid |= FIELD_PREP(BCM4377_MSGID_ID, msgid); 909 910 offset = head * (sizeof(*entry) + ring->payload_size); 911 entry = ring->ring + offset; 912 913 memset(entry, 0, sizeof(*entry)); 914 entry->id = cpu_to_le16(raw_msgid); 915 entry->len = cpu_to_le16(len); 916 917 if (len <= ring->payload_size) { 918 entry->flags = BCM4377_XFER_RING_FLAG_PAYLOAD_IN_FOOTER; 919 payload = ring->ring + offset + sizeof(*entry); 920 } else { 921 entry->flags = BCM4377_XFER_RING_FLAG_PAYLOAD_MAPPED; 922 entry->payload = cpu_to_le64(ring->payloads_dma + 923 msgid * ring->mapped_payload_size); 924 payload = ring->payloads + msgid * ring->mapped_payload_size; 925 } 926 927 memcpy(payload, data, len); 928 929 if (wait) 930 ring->events[msgid] = &event; 931 932 /* 933 * The 4377 chips stop responding to any commands as soon as they 934 * have been idle for a while. Poking the sleep control register here 935 * makes them come alive again. 936 */ 937 iowrite32(BCM4377_BAR0_SLEEP_CONTROL_AWAKE, 938 bcm4377->bar0 + BCM4377_BAR0_SLEEP_CONTROL); 939 940 dev_dbg(&bcm4377->pdev->dev, 941 "updating head for transfer queue #%d to %d\n", ring->ring_id, 942 new_head); 943 bcm4377->ring_state->xfer_ring_head[ring->ring_id] = 944 cpu_to_le16(new_head); 945 946 if (!ring->sync) 947 bcm4377_ring_doorbell(bcm4377, ring->doorbell, new_head); 948 ret = 0; 949 950 out: 951 spin_unlock_irqrestore(&ring->lock, flags); 952 953 if (ret == 0 && wait) { 954 ret = wait_for_completion_interruptible_timeout( 955 &event, BCM4377_TIMEOUT); 956 if (ret == 0) 957 ret = -ETIMEDOUT; 958 else if (ret > 0) 959 ret = 0; 960 961 spin_lock_irqsave(&ring->lock, flags); 962 ring->events[msgid] = NULL; 963 spin_unlock_irqrestore(&ring->lock, flags); 964 } 965 966 return ret; 967 } 968 bcm4377_create_completion_ring(struct bcm4377_data * bcm4377,struct bcm4377_completion_ring * ring)969 static int bcm4377_create_completion_ring(struct bcm4377_data *bcm4377, 970 struct bcm4377_completion_ring *ring) 971 { 972 struct bcm4377_create_completion_ring_msg msg; 973 int ret; 974 975 if (ring->enabled) { 976 dev_warn(&bcm4377->pdev->dev, 977 "completion ring %d already enabled\n", ring->ring_id); 978 return 0; 979 } 980 981 memset(ring->ring, 0, 982 ring->n_entries * (sizeof(struct bcm4377_completion_ring_entry) + 983 ring->payload_size)); 984 memset(&msg, 0, sizeof(msg)); 985 msg.msg_type = BCM4377_CONTROL_MSG_CREATE_COMPLETION_RING; 986 msg.id = cpu_to_le16(ring->ring_id); 987 msg.id_again = cpu_to_le16(ring->ring_id); 988 msg.ring_iova = cpu_to_le64(ring->ring_dma); 989 msg.n_elements = cpu_to_le16(ring->n_entries); 990 msg.intmod_bytes = cpu_to_le32(0xffffffff); 991 msg.unk = cpu_to_le32(0xffffffff); 992 msg.intmod_delay = cpu_to_le16(ring->delay); 993 msg.footer_size = ring->payload_size / 4; 994 995 ret = bcm4377_enqueue(bcm4377, &bcm4377->control_h2d_ring, &msg, 996 sizeof(msg), true); 997 if (!ret) 998 ring->enabled = true; 999 1000 return ret; 1001 } 1002 bcm4377_destroy_completion_ring(struct bcm4377_data * bcm4377,struct bcm4377_completion_ring * ring)1003 static int bcm4377_destroy_completion_ring(struct bcm4377_data *bcm4377, 1004 struct bcm4377_completion_ring *ring) 1005 { 1006 struct bcm4377_destroy_completion_ring_msg msg; 1007 int ret; 1008 1009 memset(&msg, 0, sizeof(msg)); 1010 msg.msg_type = BCM4377_CONTROL_MSG_DESTROY_COMPLETION_RING; 1011 msg.ring_id = cpu_to_le16(ring->ring_id); 1012 1013 ret = bcm4377_enqueue(bcm4377, &bcm4377->control_h2d_ring, &msg, 1014 sizeof(msg), true); 1015 if (ret) 1016 dev_warn(&bcm4377->pdev->dev, 1017 "failed to destroy completion ring %d\n", 1018 ring->ring_id); 1019 1020 ring->enabled = false; 1021 return ret; 1022 } 1023 bcm4377_create_transfer_ring(struct bcm4377_data * bcm4377,struct bcm4377_transfer_ring * ring)1024 static int bcm4377_create_transfer_ring(struct bcm4377_data *bcm4377, 1025 struct bcm4377_transfer_ring *ring) 1026 { 1027 struct bcm4377_create_transfer_ring_msg msg; 1028 u16 flags = 0; 1029 int ret, i; 1030 unsigned long spinlock_flags; 1031 1032 if (ring->virtual) 1033 flags |= BCM4377_XFER_RING_FLAG_VIRTUAL; 1034 if (ring->sync) 1035 flags |= BCM4377_XFER_RING_FLAG_SYNC; 1036 1037 spin_lock_irqsave(&ring->lock, spinlock_flags); 1038 memset(&msg, 0, sizeof(msg)); 1039 msg.msg_type = BCM4377_CONTROL_MSG_CREATE_XFER_RING; 1040 msg.ring_id = cpu_to_le16(ring->ring_id); 1041 msg.ring_id_again = cpu_to_le16(ring->ring_id); 1042 msg.ring_iova = cpu_to_le64(ring->ring_dma); 1043 msg.n_elements = cpu_to_le16(ring->n_entries); 1044 msg.completion_ring_id = cpu_to_le16(ring->completion_ring); 1045 msg.doorbell = cpu_to_le16(ring->doorbell); 1046 msg.flags = cpu_to_le16(flags); 1047 msg.footer_size = ring->payload_size / 4; 1048 1049 bcm4377->ring_state->xfer_ring_head[ring->ring_id] = 0; 1050 bcm4377->ring_state->xfer_ring_tail[ring->ring_id] = 0; 1051 ring->generation++; 1052 spin_unlock_irqrestore(&ring->lock, spinlock_flags); 1053 1054 ret = bcm4377_enqueue(bcm4377, &bcm4377->control_h2d_ring, &msg, 1055 sizeof(msg), true); 1056 1057 spin_lock_irqsave(&ring->lock, spinlock_flags); 1058 1059 if (ring->d2h_buffers_only) { 1060 for (i = 0; i < ring->n_entries; ++i) { 1061 struct bcm4377_xfer_ring_entry *entry = 1062 ring->ring + i * sizeof(*entry); 1063 u16 raw_msgid = FIELD_PREP(BCM4377_MSGID_GENERATION, 1064 ring->generation); 1065 raw_msgid |= FIELD_PREP(BCM4377_MSGID_ID, i); 1066 1067 memset(entry, 0, sizeof(*entry)); 1068 entry->id = cpu_to_le16(raw_msgid); 1069 entry->len = cpu_to_le16(ring->mapped_payload_size); 1070 entry->flags = BCM4377_XFER_RING_FLAG_PAYLOAD_MAPPED; 1071 entry->payload = 1072 cpu_to_le64(ring->payloads_dma + 1073 i * ring->mapped_payload_size); 1074 } 1075 } 1076 1077 /* 1078 * send some messages if this is a device->host ring to allow the device 1079 * to reply by acknowledging them in the completion ring 1080 */ 1081 if (ring->virtual || ring->d2h_buffers_only) { 1082 bcm4377->ring_state->xfer_ring_head[ring->ring_id] = 1083 cpu_to_le16(0xf); 1084 bcm4377_ring_doorbell(bcm4377, ring->doorbell, 0xf); 1085 } 1086 1087 ring->enabled = true; 1088 spin_unlock_irqrestore(&ring->lock, spinlock_flags); 1089 1090 return ret; 1091 } 1092 bcm4377_destroy_transfer_ring(struct bcm4377_data * bcm4377,struct bcm4377_transfer_ring * ring)1093 static int bcm4377_destroy_transfer_ring(struct bcm4377_data *bcm4377, 1094 struct bcm4377_transfer_ring *ring) 1095 { 1096 struct bcm4377_destroy_transfer_ring_msg msg; 1097 int ret; 1098 1099 memset(&msg, 0, sizeof(msg)); 1100 msg.msg_type = BCM4377_CONTROL_MSG_DESTROY_XFER_RING; 1101 msg.ring_id = cpu_to_le16(ring->ring_id); 1102 1103 ret = bcm4377_enqueue(bcm4377, &bcm4377->control_h2d_ring, &msg, 1104 sizeof(msg), true); 1105 if (ret) 1106 dev_warn(&bcm4377->pdev->dev, 1107 "failed to destroy transfer ring %d\n", ring->ring_id); 1108 1109 ring->enabled = false; 1110 return ret; 1111 } 1112 __bcm4378_send_calibration_chunk(struct bcm4377_data * bcm4377,const void * data,size_t data_len,u16 blocks_left)1113 static int __bcm4378_send_calibration_chunk(struct bcm4377_data *bcm4377, 1114 const void *data, size_t data_len, 1115 u16 blocks_left) 1116 { 1117 struct bcm4378_hci_send_calibration_cmd cmd; 1118 struct sk_buff *skb; 1119 1120 if (data_len > sizeof(cmd.data)) 1121 return -EINVAL; 1122 1123 memset(&cmd, 0, sizeof(cmd)); 1124 cmd.unk = 0x03; 1125 cmd.blocks_left = cpu_to_le16(blocks_left); 1126 memcpy(cmd.data, data, data_len); 1127 1128 skb = __hci_cmd_sync(bcm4377->hdev, 0xfd97, sizeof(cmd), &cmd, 1129 HCI_INIT_TIMEOUT); 1130 if (IS_ERR(skb)) 1131 return PTR_ERR(skb); 1132 1133 kfree_skb(skb); 1134 return 0; 1135 } 1136 __bcm4378_send_calibration(struct bcm4377_data * bcm4377,const void * data,size_t data_size)1137 static int __bcm4378_send_calibration(struct bcm4377_data *bcm4377, 1138 const void *data, size_t data_size) 1139 { 1140 int ret; 1141 size_t i, left, transfer_len; 1142 size_t blocks = 1143 DIV_ROUND_UP(data_size, (size_t)BCM4378_CALIBRATION_CHUNK_SIZE); 1144 1145 if (!data) { 1146 dev_err(&bcm4377->pdev->dev, 1147 "no calibration data available.\n"); 1148 return -ENOENT; 1149 } 1150 1151 for (i = 0, left = data_size; i < blocks; ++i, left -= transfer_len) { 1152 transfer_len = 1153 min_t(size_t, left, BCM4378_CALIBRATION_CHUNK_SIZE); 1154 1155 ret = __bcm4378_send_calibration_chunk( 1156 bcm4377, data + i * BCM4378_CALIBRATION_CHUNK_SIZE, 1157 transfer_len, blocks - i - 1); 1158 if (ret) { 1159 dev_err(&bcm4377->pdev->dev, 1160 "send calibration chunk failed with %d\n", ret); 1161 return ret; 1162 } 1163 } 1164 1165 return 0; 1166 } 1167 bcm4378_send_calibration(struct bcm4377_data * bcm4377)1168 static int bcm4378_send_calibration(struct bcm4377_data *bcm4377) 1169 { 1170 if ((strcmp(bcm4377->stepping, "b1") == 0) || 1171 strcmp(bcm4377->stepping, "b3") == 0) 1172 return __bcm4378_send_calibration( 1173 bcm4377, bcm4377->taurus_beamforming_cal_blob, 1174 bcm4377->taurus_beamforming_cal_size); 1175 else 1176 return __bcm4378_send_calibration(bcm4377, 1177 bcm4377->taurus_cal_blob, 1178 bcm4377->taurus_cal_size); 1179 } 1180 bcm4387_send_calibration(struct bcm4377_data * bcm4377)1181 static int bcm4387_send_calibration(struct bcm4377_data *bcm4377) 1182 { 1183 if (strcmp(bcm4377->stepping, "c2") == 0) 1184 return __bcm4378_send_calibration( 1185 bcm4377, bcm4377->taurus_beamforming_cal_blob, 1186 bcm4377->taurus_beamforming_cal_size); 1187 else 1188 return __bcm4378_send_calibration(bcm4377, 1189 bcm4377->taurus_cal_blob, 1190 bcm4377->taurus_cal_size); 1191 } 1192 bcm4377_request_blob(struct bcm4377_data * bcm4377,const char * suffix)1193 static const struct firmware *bcm4377_request_blob(struct bcm4377_data *bcm4377, 1194 const char *suffix) 1195 { 1196 const struct firmware *fw; 1197 char name0[64], name1[64]; 1198 int ret; 1199 1200 snprintf(name0, sizeof(name0), "brcm/brcmbt%04x%s-%s-%s.%s", 1201 bcm4377->hw->id, bcm4377->stepping, bcm4377->board_type, 1202 bcm4377->vendor, suffix); 1203 snprintf(name1, sizeof(name1), "brcm/brcmbt%04x%s-%s.%s", 1204 bcm4377->hw->id, bcm4377->stepping, bcm4377->board_type, 1205 suffix); 1206 dev_dbg(&bcm4377->pdev->dev, "Trying to load firmware: '%s' or '%s'\n", 1207 name0, name1); 1208 1209 ret = firmware_request_nowarn(&fw, name0, &bcm4377->pdev->dev); 1210 if (!ret) 1211 return fw; 1212 ret = firmware_request_nowarn(&fw, name1, &bcm4377->pdev->dev); 1213 if (!ret) 1214 return fw; 1215 1216 dev_err(&bcm4377->pdev->dev, 1217 "Unable to load firmware; tried '%s' and '%s'\n", name0, name1); 1218 return NULL; 1219 } 1220 bcm4377_send_ptb(struct bcm4377_data * bcm4377,const struct firmware * fw)1221 static int bcm4377_send_ptb(struct bcm4377_data *bcm4377, 1222 const struct firmware *fw) 1223 { 1224 struct sk_buff *skb; 1225 1226 skb = __hci_cmd_sync(bcm4377->hdev, 0xfd98, fw->size, fw->data, 1227 HCI_INIT_TIMEOUT); 1228 /* 1229 * This command seems to always fail on more recent firmware versions 1230 * (even in traces taken from the macOS driver). It's unclear why this 1231 * happens but because the PTB file contains calibration and/or 1232 * regulatory data and may be required on older firmware we still try to 1233 * send it here just in case and just ignore if it fails. 1234 */ 1235 if (!IS_ERR(skb)) 1236 kfree_skb(skb); 1237 return 0; 1238 } 1239 bcm4378_send_ptb_chunk(struct bcm4377_data * bcm4377,const void * data,size_t data_len,u16 blocks_left)1240 static int bcm4378_send_ptb_chunk(struct bcm4377_data *bcm4377, 1241 const void *data, size_t data_len, 1242 u16 blocks_left) 1243 { 1244 struct bcm4378_hci_send_ptb_cmd cmd; 1245 struct sk_buff *skb; 1246 1247 if (data_len > BCM4378_PTB_CHUNK_SIZE) 1248 return -EINVAL; 1249 1250 memset(&cmd, 0, sizeof(cmd)); 1251 cmd.blocks_left = cpu_to_le16(blocks_left); 1252 memcpy(cmd.data, data, data_len); 1253 1254 skb = __hci_cmd_sync(bcm4377->hdev, 0xfe0d, sizeof(cmd), &cmd, 1255 HCI_INIT_TIMEOUT); 1256 if (IS_ERR(skb)) 1257 return PTR_ERR(skb); 1258 1259 kfree_skb(skb); 1260 return 0; 1261 } 1262 bcm4378_send_ptb(struct bcm4377_data * bcm4377,const struct firmware * fw)1263 static int bcm4378_send_ptb(struct bcm4377_data *bcm4377, 1264 const struct firmware *fw) 1265 { 1266 size_t chunks = DIV_ROUND_UP(fw->size, (size_t)BCM4378_PTB_CHUNK_SIZE); 1267 size_t i, left, transfer_len; 1268 int ret; 1269 1270 for (i = 0, left = fw->size; i < chunks; ++i, left -= transfer_len) { 1271 transfer_len = min_t(size_t, left, BCM4378_PTB_CHUNK_SIZE); 1272 1273 dev_dbg(&bcm4377->pdev->dev, "sending ptb chunk %zu/%zu\n", 1274 i + 1, chunks); 1275 ret = bcm4378_send_ptb_chunk( 1276 bcm4377, fw->data + i * BCM4378_PTB_CHUNK_SIZE, 1277 transfer_len, chunks - i - 1); 1278 if (ret) { 1279 dev_err(&bcm4377->pdev->dev, 1280 "sending ptb chunk %zu failed (%d)", i, ret); 1281 return ret; 1282 } 1283 } 1284 1285 return 0; 1286 } 1287 bcm4377_hci_open(struct hci_dev * hdev)1288 static int bcm4377_hci_open(struct hci_dev *hdev) 1289 { 1290 struct bcm4377_data *bcm4377 = hci_get_drvdata(hdev); 1291 int ret; 1292 1293 dev_dbg(&bcm4377->pdev->dev, "creating rings\n"); 1294 1295 ret = bcm4377_create_completion_ring(bcm4377, 1296 &bcm4377->hci_acl_ack_ring); 1297 if (ret) 1298 return ret; 1299 ret = bcm4377_create_completion_ring(bcm4377, 1300 &bcm4377->hci_acl_event_ring); 1301 if (ret) 1302 goto destroy_hci_acl_ack; 1303 ret = bcm4377_create_completion_ring(bcm4377, &bcm4377->sco_ack_ring); 1304 if (ret) 1305 goto destroy_hci_acl_event; 1306 ret = bcm4377_create_completion_ring(bcm4377, &bcm4377->sco_event_ring); 1307 if (ret) 1308 goto destroy_sco_ack; 1309 dev_dbg(&bcm4377->pdev->dev, 1310 "all completion rings successfully created!\n"); 1311 1312 ret = bcm4377_create_transfer_ring(bcm4377, &bcm4377->hci_h2d_ring); 1313 if (ret) 1314 goto destroy_sco_event; 1315 ret = bcm4377_create_transfer_ring(bcm4377, &bcm4377->hci_d2h_ring); 1316 if (ret) 1317 goto destroy_hci_h2d; 1318 ret = bcm4377_create_transfer_ring(bcm4377, &bcm4377->sco_h2d_ring); 1319 if (ret) 1320 goto destroy_hci_d2h; 1321 ret = bcm4377_create_transfer_ring(bcm4377, &bcm4377->sco_d2h_ring); 1322 if (ret) 1323 goto destroy_sco_h2d; 1324 ret = bcm4377_create_transfer_ring(bcm4377, &bcm4377->acl_h2d_ring); 1325 if (ret) 1326 goto destroy_sco_d2h; 1327 ret = bcm4377_create_transfer_ring(bcm4377, &bcm4377->acl_d2h_ring); 1328 if (ret) 1329 goto destroy_acl_h2d; 1330 dev_dbg(&bcm4377->pdev->dev, 1331 "all transfer rings successfully created!\n"); 1332 1333 return 0; 1334 1335 destroy_acl_h2d: 1336 bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->acl_h2d_ring); 1337 destroy_sco_d2h: 1338 bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->sco_d2h_ring); 1339 destroy_sco_h2d: 1340 bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->sco_h2d_ring); 1341 destroy_hci_d2h: 1342 bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->hci_h2d_ring); 1343 destroy_hci_h2d: 1344 bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->hci_d2h_ring); 1345 destroy_sco_event: 1346 bcm4377_destroy_completion_ring(bcm4377, &bcm4377->sco_event_ring); 1347 destroy_sco_ack: 1348 bcm4377_destroy_completion_ring(bcm4377, &bcm4377->sco_ack_ring); 1349 destroy_hci_acl_event: 1350 bcm4377_destroy_completion_ring(bcm4377, &bcm4377->hci_acl_event_ring); 1351 destroy_hci_acl_ack: 1352 bcm4377_destroy_completion_ring(bcm4377, &bcm4377->hci_acl_ack_ring); 1353 1354 dev_err(&bcm4377->pdev->dev, "Creating rings failed with %d\n", ret); 1355 return ret; 1356 } 1357 bcm4377_hci_close(struct hci_dev * hdev)1358 static int bcm4377_hci_close(struct hci_dev *hdev) 1359 { 1360 struct bcm4377_data *bcm4377 = hci_get_drvdata(hdev); 1361 1362 dev_dbg(&bcm4377->pdev->dev, "destroying rings in hci_close\n"); 1363 1364 bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->acl_d2h_ring); 1365 bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->acl_h2d_ring); 1366 bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->sco_d2h_ring); 1367 bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->sco_h2d_ring); 1368 bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->hci_d2h_ring); 1369 bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->hci_h2d_ring); 1370 1371 bcm4377_destroy_completion_ring(bcm4377, &bcm4377->sco_event_ring); 1372 bcm4377_destroy_completion_ring(bcm4377, &bcm4377->sco_ack_ring); 1373 bcm4377_destroy_completion_ring(bcm4377, &bcm4377->hci_acl_event_ring); 1374 bcm4377_destroy_completion_ring(bcm4377, &bcm4377->hci_acl_ack_ring); 1375 1376 return 0; 1377 } 1378 bcm4377_is_valid_bdaddr(struct bcm4377_data * bcm4377,bdaddr_t * addr)1379 static bool bcm4377_is_valid_bdaddr(struct bcm4377_data *bcm4377, 1380 bdaddr_t *addr) 1381 { 1382 if (addr->b[0] != 0x93) 1383 return true; 1384 if (addr->b[1] != 0x76) 1385 return true; 1386 if (addr->b[2] != 0x00) 1387 return true; 1388 if (addr->b[4] != (bcm4377->hw->id & 0xff)) 1389 return true; 1390 if (addr->b[5] != (bcm4377->hw->id >> 8)) 1391 return true; 1392 return false; 1393 } 1394 bcm4377_check_bdaddr(struct bcm4377_data * bcm4377)1395 static int bcm4377_check_bdaddr(struct bcm4377_data *bcm4377) 1396 { 1397 struct hci_rp_read_bd_addr *bda; 1398 struct sk_buff *skb; 1399 1400 skb = __hci_cmd_sync(bcm4377->hdev, HCI_OP_READ_BD_ADDR, 0, NULL, 1401 HCI_INIT_TIMEOUT); 1402 if (IS_ERR(skb)) { 1403 int err = PTR_ERR(skb); 1404 1405 dev_err(&bcm4377->pdev->dev, "HCI_OP_READ_BD_ADDR failed (%d)", 1406 err); 1407 return err; 1408 } 1409 1410 if (skb->len != sizeof(*bda)) { 1411 dev_err(&bcm4377->pdev->dev, 1412 "HCI_OP_READ_BD_ADDR reply length invalid"); 1413 kfree_skb(skb); 1414 return -EIO; 1415 } 1416 1417 bda = (struct hci_rp_read_bd_addr *)skb->data; 1418 if (!bcm4377_is_valid_bdaddr(bcm4377, &bda->bdaddr)) 1419 set_bit(HCI_QUIRK_INVALID_BDADDR, &bcm4377->hdev->quirks); 1420 1421 kfree_skb(skb); 1422 return 0; 1423 } 1424 bcm4377_hci_setup(struct hci_dev * hdev)1425 static int bcm4377_hci_setup(struct hci_dev *hdev) 1426 { 1427 struct bcm4377_data *bcm4377 = hci_get_drvdata(hdev); 1428 const struct firmware *fw; 1429 int ret; 1430 1431 if (bcm4377->hw->send_calibration) { 1432 ret = bcm4377->hw->send_calibration(bcm4377); 1433 if (ret) 1434 return ret; 1435 } 1436 1437 fw = bcm4377_request_blob(bcm4377, "ptb"); 1438 if (!fw) { 1439 dev_err(&bcm4377->pdev->dev, "failed to load PTB data"); 1440 return -ENOENT; 1441 } 1442 1443 ret = bcm4377->hw->send_ptb(bcm4377, fw); 1444 release_firmware(fw); 1445 if (ret) 1446 return ret; 1447 1448 return bcm4377_check_bdaddr(bcm4377); 1449 } 1450 bcm4377_hci_send_frame(struct hci_dev * hdev,struct sk_buff * skb)1451 static int bcm4377_hci_send_frame(struct hci_dev *hdev, struct sk_buff *skb) 1452 { 1453 struct bcm4377_data *bcm4377 = hci_get_drvdata(hdev); 1454 struct bcm4377_transfer_ring *ring; 1455 int ret; 1456 1457 switch (hci_skb_pkt_type(skb)) { 1458 case HCI_COMMAND_PKT: 1459 hdev->stat.cmd_tx++; 1460 ring = &bcm4377->hci_h2d_ring; 1461 break; 1462 1463 case HCI_ACLDATA_PKT: 1464 hdev->stat.acl_tx++; 1465 ring = &bcm4377->acl_h2d_ring; 1466 break; 1467 1468 case HCI_SCODATA_PKT: 1469 hdev->stat.sco_tx++; 1470 ring = &bcm4377->sco_h2d_ring; 1471 break; 1472 1473 default: 1474 return -EILSEQ; 1475 } 1476 1477 ret = bcm4377_enqueue(bcm4377, ring, skb->data, skb->len, false); 1478 if (ret < 0) { 1479 hdev->stat.err_tx++; 1480 return ret; 1481 } 1482 1483 hdev->stat.byte_tx += skb->len; 1484 kfree_skb(skb); 1485 return ret; 1486 } 1487 bcm4377_hci_set_bdaddr(struct hci_dev * hdev,const bdaddr_t * bdaddr)1488 static int bcm4377_hci_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr) 1489 { 1490 struct bcm4377_data *bcm4377 = hci_get_drvdata(hdev); 1491 struct sk_buff *skb; 1492 int err; 1493 1494 skb = __hci_cmd_sync(hdev, 0xfc01, 6, bdaddr, HCI_INIT_TIMEOUT); 1495 if (IS_ERR(skb)) { 1496 err = PTR_ERR(skb); 1497 dev_err(&bcm4377->pdev->dev, 1498 "Change address command failed (%d)", err); 1499 return err; 1500 } 1501 kfree_skb(skb); 1502 1503 return 0; 1504 } 1505 bcm4377_alloc_transfer_ring(struct bcm4377_data * bcm4377,struct bcm4377_transfer_ring * ring)1506 static int bcm4377_alloc_transfer_ring(struct bcm4377_data *bcm4377, 1507 struct bcm4377_transfer_ring *ring) 1508 { 1509 size_t entry_size; 1510 1511 spin_lock_init(&ring->lock); 1512 ring->payload_size = ALIGN(ring->payload_size, 4); 1513 ring->mapped_payload_size = ALIGN(ring->mapped_payload_size, 4); 1514 1515 if (ring->payload_size > BCM4377_XFER_RING_MAX_INPLACE_PAYLOAD_SIZE) 1516 return -EINVAL; 1517 if (ring->n_entries > BCM4377_MAX_RING_SIZE) 1518 return -EINVAL; 1519 if (ring->virtual && ring->allow_wait) 1520 return -EINVAL; 1521 1522 if (ring->d2h_buffers_only) { 1523 if (ring->virtual) 1524 return -EINVAL; 1525 if (ring->payload_size) 1526 return -EINVAL; 1527 if (!ring->mapped_payload_size) 1528 return -EINVAL; 1529 } 1530 if (ring->virtual) 1531 return 0; 1532 1533 entry_size = 1534 ring->payload_size + sizeof(struct bcm4377_xfer_ring_entry); 1535 ring->ring = dmam_alloc_coherent(&bcm4377->pdev->dev, 1536 ring->n_entries * entry_size, 1537 &ring->ring_dma, GFP_KERNEL); 1538 if (!ring->ring) 1539 return -ENOMEM; 1540 1541 if (ring->allow_wait) { 1542 ring->events = devm_kcalloc(&bcm4377->pdev->dev, 1543 ring->n_entries, 1544 sizeof(*ring->events), GFP_KERNEL); 1545 if (!ring->events) 1546 return -ENOMEM; 1547 } 1548 1549 if (ring->mapped_payload_size) { 1550 ring->payloads = dmam_alloc_coherent( 1551 &bcm4377->pdev->dev, 1552 ring->n_entries * ring->mapped_payload_size, 1553 &ring->payloads_dma, GFP_KERNEL); 1554 if (!ring->payloads) 1555 return -ENOMEM; 1556 } 1557 1558 return 0; 1559 } 1560 bcm4377_alloc_completion_ring(struct bcm4377_data * bcm4377,struct bcm4377_completion_ring * ring)1561 static int bcm4377_alloc_completion_ring(struct bcm4377_data *bcm4377, 1562 struct bcm4377_completion_ring *ring) 1563 { 1564 size_t entry_size; 1565 1566 ring->payload_size = ALIGN(ring->payload_size, 4); 1567 if (ring->payload_size > BCM4377_XFER_RING_MAX_INPLACE_PAYLOAD_SIZE) 1568 return -EINVAL; 1569 if (ring->n_entries > BCM4377_MAX_RING_SIZE) 1570 return -EINVAL; 1571 1572 entry_size = ring->payload_size + 1573 sizeof(struct bcm4377_completion_ring_entry); 1574 1575 ring->ring = dmam_alloc_coherent(&bcm4377->pdev->dev, 1576 ring->n_entries * entry_size, 1577 &ring->ring_dma, GFP_KERNEL); 1578 if (!ring->ring) 1579 return -ENOMEM; 1580 return 0; 1581 } 1582 bcm4377_init_context(struct bcm4377_data * bcm4377)1583 static int bcm4377_init_context(struct bcm4377_data *bcm4377) 1584 { 1585 struct device *dev = &bcm4377->pdev->dev; 1586 dma_addr_t peripheral_info_dma; 1587 1588 bcm4377->ctx = dmam_alloc_coherent(dev, sizeof(*bcm4377->ctx), 1589 &bcm4377->ctx_dma, GFP_KERNEL); 1590 if (!bcm4377->ctx) 1591 return -ENOMEM; 1592 memset(bcm4377->ctx, 0, sizeof(*bcm4377->ctx)); 1593 1594 bcm4377->ring_state = 1595 dmam_alloc_coherent(dev, sizeof(*bcm4377->ring_state), 1596 &bcm4377->ring_state_dma, GFP_KERNEL); 1597 if (!bcm4377->ring_state) 1598 return -ENOMEM; 1599 memset(bcm4377->ring_state, 0, sizeof(*bcm4377->ring_state)); 1600 1601 bcm4377->ctx->version = cpu_to_le16(1); 1602 bcm4377->ctx->size = cpu_to_le16(sizeof(*bcm4377->ctx)); 1603 bcm4377->ctx->enabled_caps = cpu_to_le32(2); 1604 1605 /* 1606 * The BT device will write 0x20 bytes of data to this buffer but 1607 * the exact contents are unknown. It only needs to exist for BT 1608 * to work such that we can just allocate and then ignore it. 1609 */ 1610 if (!dmam_alloc_coherent(&bcm4377->pdev->dev, 0x20, 1611 &peripheral_info_dma, GFP_KERNEL)) 1612 return -ENOMEM; 1613 bcm4377->ctx->peripheral_info_addr = cpu_to_le64(peripheral_info_dma); 1614 1615 bcm4377->ctx->xfer_ring_heads_addr = cpu_to_le64( 1616 bcm4377->ring_state_dma + 1617 offsetof(struct bcm4377_ring_state, xfer_ring_head)); 1618 bcm4377->ctx->xfer_ring_tails_addr = cpu_to_le64( 1619 bcm4377->ring_state_dma + 1620 offsetof(struct bcm4377_ring_state, xfer_ring_tail)); 1621 bcm4377->ctx->completion_ring_heads_addr = cpu_to_le64( 1622 bcm4377->ring_state_dma + 1623 offsetof(struct bcm4377_ring_state, completion_ring_head)); 1624 bcm4377->ctx->completion_ring_tails_addr = cpu_to_le64( 1625 bcm4377->ring_state_dma + 1626 offsetof(struct bcm4377_ring_state, completion_ring_tail)); 1627 1628 bcm4377->ctx->n_completion_rings = 1629 cpu_to_le16(BCM4377_N_COMPLETION_RINGS); 1630 bcm4377->ctx->n_xfer_rings = cpu_to_le16(BCM4377_N_TRANSFER_RINGS); 1631 1632 bcm4377->ctx->control_completion_ring_addr = 1633 cpu_to_le64(bcm4377->control_ack_ring.ring_dma); 1634 bcm4377->ctx->control_completion_ring_n_entries = 1635 cpu_to_le16(bcm4377->control_ack_ring.n_entries); 1636 bcm4377->ctx->control_completion_ring_doorbell = cpu_to_le16(0xffff); 1637 bcm4377->ctx->control_completion_ring_msi = 0; 1638 bcm4377->ctx->control_completion_ring_header_size = 0; 1639 bcm4377->ctx->control_completion_ring_footer_size = 0; 1640 1641 bcm4377->ctx->control_xfer_ring_addr = 1642 cpu_to_le64(bcm4377->control_h2d_ring.ring_dma); 1643 bcm4377->ctx->control_xfer_ring_n_entries = 1644 cpu_to_le16(bcm4377->control_h2d_ring.n_entries); 1645 bcm4377->ctx->control_xfer_ring_doorbell = 1646 cpu_to_le16(bcm4377->control_h2d_ring.doorbell); 1647 bcm4377->ctx->control_xfer_ring_msi = 0; 1648 bcm4377->ctx->control_xfer_ring_header_size = 0; 1649 bcm4377->ctx->control_xfer_ring_footer_size = 1650 bcm4377->control_h2d_ring.payload_size / 4; 1651 1652 dev_dbg(&bcm4377->pdev->dev, "context initialized at IOVA %pad", 1653 &bcm4377->ctx_dma); 1654 1655 return 0; 1656 } 1657 bcm4377_prepare_rings(struct bcm4377_data * bcm4377)1658 static int bcm4377_prepare_rings(struct bcm4377_data *bcm4377) 1659 { 1660 int ret; 1661 1662 /* 1663 * Even though many of these settings appear to be configurable 1664 * when sending the "create ring" messages most of these are 1665 * actually hardcoded in some (and quite possibly all) firmware versions 1666 * and changing them on the host has no effect. 1667 * Specifically, this applies to at least the doorbells, the transfer 1668 * and completion ring ids and their mapping (e.g. both HCI and ACL 1669 * entries will always be queued in completion rings 1 and 2 no matter 1670 * what we configure here). 1671 */ 1672 bcm4377->control_ack_ring.ring_id = BCM4377_ACK_RING_CONTROL; 1673 bcm4377->control_ack_ring.n_entries = 32; 1674 bcm4377->control_ack_ring.transfer_rings = 1675 BIT(BCM4377_XFER_RING_CONTROL); 1676 1677 bcm4377->hci_acl_ack_ring.ring_id = BCM4377_ACK_RING_HCI_ACL; 1678 bcm4377->hci_acl_ack_ring.n_entries = 2 * BCM4377_RING_N_ENTRIES; 1679 bcm4377->hci_acl_ack_ring.transfer_rings = 1680 BIT(BCM4377_XFER_RING_HCI_H2D) | BIT(BCM4377_XFER_RING_ACL_H2D); 1681 bcm4377->hci_acl_ack_ring.delay = 1000; 1682 1683 /* 1684 * A payload size of MAX_EVENT_PAYLOAD_SIZE is enough here since large 1685 * ACL packets will be transmitted inside buffers mapped via 1686 * acl_d2h_ring anyway. 1687 */ 1688 bcm4377->hci_acl_event_ring.ring_id = BCM4377_EVENT_RING_HCI_ACL; 1689 bcm4377->hci_acl_event_ring.payload_size = MAX_EVENT_PAYLOAD_SIZE; 1690 bcm4377->hci_acl_event_ring.n_entries = 2 * BCM4377_RING_N_ENTRIES; 1691 bcm4377->hci_acl_event_ring.transfer_rings = 1692 BIT(BCM4377_XFER_RING_HCI_D2H) | BIT(BCM4377_XFER_RING_ACL_D2H); 1693 bcm4377->hci_acl_event_ring.delay = 1000; 1694 1695 bcm4377->sco_ack_ring.ring_id = BCM4377_ACK_RING_SCO; 1696 bcm4377->sco_ack_ring.n_entries = BCM4377_RING_N_ENTRIES; 1697 bcm4377->sco_ack_ring.transfer_rings = BIT(BCM4377_XFER_RING_SCO_H2D); 1698 1699 bcm4377->sco_event_ring.ring_id = BCM4377_EVENT_RING_SCO; 1700 bcm4377->sco_event_ring.payload_size = MAX_SCO_PAYLOAD_SIZE; 1701 bcm4377->sco_event_ring.n_entries = BCM4377_RING_N_ENTRIES; 1702 bcm4377->sco_event_ring.transfer_rings = BIT(BCM4377_XFER_RING_SCO_D2H); 1703 1704 bcm4377->control_h2d_ring.ring_id = BCM4377_XFER_RING_CONTROL; 1705 bcm4377->control_h2d_ring.doorbell = BCM4377_DOORBELL_CONTROL; 1706 bcm4377->control_h2d_ring.payload_size = BCM4377_CONTROL_MSG_SIZE; 1707 bcm4377->control_h2d_ring.completion_ring = BCM4377_ACK_RING_CONTROL; 1708 bcm4377->control_h2d_ring.allow_wait = true; 1709 bcm4377->control_h2d_ring.n_entries = BCM4377_RING_N_ENTRIES; 1710 1711 bcm4377->hci_h2d_ring.ring_id = BCM4377_XFER_RING_HCI_H2D; 1712 bcm4377->hci_h2d_ring.doorbell = BCM4377_DOORBELL_HCI_H2D; 1713 bcm4377->hci_h2d_ring.payload_size = MAX_EVENT_PAYLOAD_SIZE; 1714 bcm4377->hci_h2d_ring.completion_ring = BCM4377_ACK_RING_HCI_ACL; 1715 bcm4377->hci_h2d_ring.n_entries = BCM4377_RING_N_ENTRIES; 1716 1717 bcm4377->hci_d2h_ring.ring_id = BCM4377_XFER_RING_HCI_D2H; 1718 bcm4377->hci_d2h_ring.doorbell = BCM4377_DOORBELL_HCI_D2H; 1719 bcm4377->hci_d2h_ring.completion_ring = BCM4377_EVENT_RING_HCI_ACL; 1720 bcm4377->hci_d2h_ring.virtual = true; 1721 bcm4377->hci_d2h_ring.n_entries = BCM4377_RING_N_ENTRIES; 1722 1723 bcm4377->sco_h2d_ring.ring_id = BCM4377_XFER_RING_SCO_H2D; 1724 bcm4377->sco_h2d_ring.doorbell = BCM4377_DOORBELL_SCO; 1725 bcm4377->sco_h2d_ring.payload_size = MAX_SCO_PAYLOAD_SIZE; 1726 bcm4377->sco_h2d_ring.completion_ring = BCM4377_ACK_RING_SCO; 1727 bcm4377->sco_h2d_ring.sync = true; 1728 bcm4377->sco_h2d_ring.n_entries = BCM4377_RING_N_ENTRIES; 1729 1730 bcm4377->sco_d2h_ring.ring_id = BCM4377_XFER_RING_SCO_D2H; 1731 bcm4377->sco_d2h_ring.doorbell = BCM4377_DOORBELL_SCO; 1732 bcm4377->sco_d2h_ring.completion_ring = BCM4377_EVENT_RING_SCO; 1733 bcm4377->sco_d2h_ring.virtual = true; 1734 bcm4377->sco_d2h_ring.sync = true; 1735 bcm4377->sco_d2h_ring.n_entries = BCM4377_RING_N_ENTRIES; 1736 1737 /* 1738 * This ring has to use mapped_payload_size because the largest ACL 1739 * packet doesn't fit inside the largest possible footer 1740 */ 1741 bcm4377->acl_h2d_ring.ring_id = BCM4377_XFER_RING_ACL_H2D; 1742 bcm4377->acl_h2d_ring.doorbell = BCM4377_DOORBELL_ACL_H2D; 1743 bcm4377->acl_h2d_ring.mapped_payload_size = MAX_ACL_PAYLOAD_SIZE; 1744 bcm4377->acl_h2d_ring.completion_ring = BCM4377_ACK_RING_HCI_ACL; 1745 bcm4377->acl_h2d_ring.n_entries = BCM4377_RING_N_ENTRIES; 1746 1747 /* 1748 * This ring only contains empty buffers to be used by incoming 1749 * ACL packets that do not fit inside the footer of hci_acl_event_ring 1750 */ 1751 bcm4377->acl_d2h_ring.ring_id = BCM4377_XFER_RING_ACL_D2H; 1752 bcm4377->acl_d2h_ring.doorbell = BCM4377_DOORBELL_ACL_D2H; 1753 bcm4377->acl_d2h_ring.completion_ring = BCM4377_EVENT_RING_HCI_ACL; 1754 bcm4377->acl_d2h_ring.d2h_buffers_only = true; 1755 bcm4377->acl_d2h_ring.mapped_payload_size = MAX_ACL_PAYLOAD_SIZE; 1756 bcm4377->acl_d2h_ring.n_entries = BCM4377_RING_N_ENTRIES; 1757 1758 /* 1759 * no need for any cleanup since this is only called from _probe 1760 * and only devres-managed allocations are used 1761 */ 1762 ret = bcm4377_alloc_transfer_ring(bcm4377, &bcm4377->control_h2d_ring); 1763 if (ret) 1764 return ret; 1765 ret = bcm4377_alloc_transfer_ring(bcm4377, &bcm4377->hci_h2d_ring); 1766 if (ret) 1767 return ret; 1768 ret = bcm4377_alloc_transfer_ring(bcm4377, &bcm4377->hci_d2h_ring); 1769 if (ret) 1770 return ret; 1771 ret = bcm4377_alloc_transfer_ring(bcm4377, &bcm4377->sco_h2d_ring); 1772 if (ret) 1773 return ret; 1774 ret = bcm4377_alloc_transfer_ring(bcm4377, &bcm4377->sco_d2h_ring); 1775 if (ret) 1776 return ret; 1777 ret = bcm4377_alloc_transfer_ring(bcm4377, &bcm4377->acl_h2d_ring); 1778 if (ret) 1779 return ret; 1780 ret = bcm4377_alloc_transfer_ring(bcm4377, &bcm4377->acl_d2h_ring); 1781 if (ret) 1782 return ret; 1783 1784 ret = bcm4377_alloc_completion_ring(bcm4377, 1785 &bcm4377->control_ack_ring); 1786 if (ret) 1787 return ret; 1788 ret = bcm4377_alloc_completion_ring(bcm4377, 1789 &bcm4377->hci_acl_ack_ring); 1790 if (ret) 1791 return ret; 1792 ret = bcm4377_alloc_completion_ring(bcm4377, 1793 &bcm4377->hci_acl_event_ring); 1794 if (ret) 1795 return ret; 1796 ret = bcm4377_alloc_completion_ring(bcm4377, &bcm4377->sco_ack_ring); 1797 if (ret) 1798 return ret; 1799 ret = bcm4377_alloc_completion_ring(bcm4377, &bcm4377->sco_event_ring); 1800 if (ret) 1801 return ret; 1802 1803 dev_dbg(&bcm4377->pdev->dev, "all rings allocated and prepared\n"); 1804 1805 return 0; 1806 } 1807 bcm4377_boot(struct bcm4377_data * bcm4377)1808 static int bcm4377_boot(struct bcm4377_data *bcm4377) 1809 { 1810 const struct firmware *fw; 1811 void *bfr; 1812 dma_addr_t fw_dma; 1813 int ret = 0; 1814 u32 bootstage, rti_status; 1815 1816 bootstage = ioread32(bcm4377->bar2 + BCM4377_BAR2_BOOTSTAGE); 1817 rti_status = ioread32(bcm4377->bar2 + BCM4377_BAR2_RTI_STATUS); 1818 1819 if (bootstage != 0) { 1820 dev_err(&bcm4377->pdev->dev, "bootstage is %d and not 0\n", 1821 bootstage); 1822 return -EINVAL; 1823 } 1824 1825 if (rti_status != 0) { 1826 dev_err(&bcm4377->pdev->dev, "RTI status is %d and not 0\n", 1827 rti_status); 1828 return -EINVAL; 1829 } 1830 1831 fw = bcm4377_request_blob(bcm4377, "bin"); 1832 if (!fw) { 1833 dev_err(&bcm4377->pdev->dev, "Failed to load firmware\n"); 1834 return -ENOENT; 1835 } 1836 1837 bfr = dma_alloc_coherent(&bcm4377->pdev->dev, fw->size, &fw_dma, 1838 GFP_KERNEL); 1839 if (!bfr) { 1840 ret = -ENOMEM; 1841 goto out_release_fw; 1842 } 1843 1844 memcpy(bfr, fw->data, fw->size); 1845 1846 iowrite32(0, bcm4377->bar0 + BCM4377_BAR0_HOST_WINDOW_LO); 1847 iowrite32(0, bcm4377->bar0 + BCM4377_BAR0_HOST_WINDOW_HI); 1848 iowrite32(BCM4377_DMA_MASK, 1849 bcm4377->bar0 + BCM4377_BAR0_HOST_WINDOW_SIZE); 1850 1851 iowrite32(lower_32_bits(fw_dma), bcm4377->bar2 + BCM4377_BAR2_FW_LO); 1852 iowrite32(upper_32_bits(fw_dma), bcm4377->bar2 + BCM4377_BAR2_FW_HI); 1853 iowrite32(fw->size, bcm4377->bar2 + BCM4377_BAR2_FW_SIZE); 1854 iowrite32(0, bcm4377->bar0 + BCM4377_BAR0_FW_DOORBELL); 1855 1856 dev_dbg(&bcm4377->pdev->dev, "waiting for firmware to boot\n"); 1857 1858 ret = wait_for_completion_interruptible_timeout(&bcm4377->event, 1859 BCM4377_TIMEOUT); 1860 if (ret == 0) { 1861 ret = -ETIMEDOUT; 1862 goto out_dma_free; 1863 } else if (ret < 0) { 1864 goto out_dma_free; 1865 } 1866 1867 if (bcm4377->bootstage != 2) { 1868 dev_err(&bcm4377->pdev->dev, "boostage %d != 2\n", 1869 bcm4377->bootstage); 1870 ret = -ENXIO; 1871 goto out_dma_free; 1872 } 1873 1874 dev_dbg(&bcm4377->pdev->dev, "firmware has booted (stage = %x)\n", 1875 bcm4377->bootstage); 1876 ret = 0; 1877 1878 out_dma_free: 1879 dma_free_coherent(&bcm4377->pdev->dev, fw->size, bfr, fw_dma); 1880 out_release_fw: 1881 release_firmware(fw); 1882 return ret; 1883 } 1884 bcm4377_setup_rti(struct bcm4377_data * bcm4377)1885 static int bcm4377_setup_rti(struct bcm4377_data *bcm4377) 1886 { 1887 int ret; 1888 1889 dev_dbg(&bcm4377->pdev->dev, "starting RTI\n"); 1890 iowrite32(1, bcm4377->bar0 + BCM4377_BAR0_RTI_CONTROL); 1891 1892 ret = wait_for_completion_interruptible_timeout(&bcm4377->event, 1893 BCM4377_TIMEOUT); 1894 if (ret == 0) { 1895 dev_err(&bcm4377->pdev->dev, 1896 "timed out while waiting for RTI to transition to state 1"); 1897 return -ETIMEDOUT; 1898 } else if (ret < 0) { 1899 return ret; 1900 } 1901 1902 if (bcm4377->rti_status != 1) { 1903 dev_err(&bcm4377->pdev->dev, "RTI did not ack state 1 (%d)\n", 1904 bcm4377->rti_status); 1905 return -ENODEV; 1906 } 1907 dev_dbg(&bcm4377->pdev->dev, "RTI is in state 1\n"); 1908 1909 /* allow access to the entire IOVA space again */ 1910 iowrite32(0, bcm4377->bar2 + BCM4377_BAR2_RTI_WINDOW_LO); 1911 iowrite32(0, bcm4377->bar2 + BCM4377_BAR2_RTI_WINDOW_HI); 1912 iowrite32(BCM4377_DMA_MASK, 1913 bcm4377->bar2 + BCM4377_BAR2_RTI_WINDOW_SIZE); 1914 1915 /* setup "Converged IPC" context */ 1916 iowrite32(lower_32_bits(bcm4377->ctx_dma), 1917 bcm4377->bar2 + BCM4377_BAR2_CONTEXT_ADDR_LO); 1918 iowrite32(upper_32_bits(bcm4377->ctx_dma), 1919 bcm4377->bar2 + BCM4377_BAR2_CONTEXT_ADDR_HI); 1920 iowrite32(2, bcm4377->bar0 + BCM4377_BAR0_RTI_CONTROL); 1921 1922 ret = wait_for_completion_interruptible_timeout(&bcm4377->event, 1923 BCM4377_TIMEOUT); 1924 if (ret == 0) { 1925 dev_err(&bcm4377->pdev->dev, 1926 "timed out while waiting for RTI to transition to state 2"); 1927 return -ETIMEDOUT; 1928 } else if (ret < 0) { 1929 return ret; 1930 } 1931 1932 if (bcm4377->rti_status != 2) { 1933 dev_err(&bcm4377->pdev->dev, "RTI did not ack state 2 (%d)\n", 1934 bcm4377->rti_status); 1935 return -ENODEV; 1936 } 1937 1938 dev_dbg(&bcm4377->pdev->dev, 1939 "RTI is in state 2; control ring is ready\n"); 1940 bcm4377->control_ack_ring.enabled = true; 1941 1942 return 0; 1943 } 1944 bcm4377_parse_otp_board_params(struct bcm4377_data * bcm4377,char tag,const char * val,size_t len)1945 static int bcm4377_parse_otp_board_params(struct bcm4377_data *bcm4377, 1946 char tag, const char *val, size_t len) 1947 { 1948 if (tag != 'V') 1949 return 0; 1950 if (len >= sizeof(bcm4377->vendor)) 1951 return -EINVAL; 1952 1953 strscpy(bcm4377->vendor, val, len + 1); 1954 return 0; 1955 } 1956 bcm4377_parse_otp_chip_params(struct bcm4377_data * bcm4377,char tag,const char * val,size_t len)1957 static int bcm4377_parse_otp_chip_params(struct bcm4377_data *bcm4377, char tag, 1958 const char *val, size_t len) 1959 { 1960 size_t idx = 0; 1961 1962 if (tag != 's') 1963 return 0; 1964 if (len >= sizeof(bcm4377->stepping)) 1965 return -EINVAL; 1966 1967 while (len != 0) { 1968 bcm4377->stepping[idx] = tolower(val[idx]); 1969 if (val[idx] == '\0') 1970 return 0; 1971 1972 idx++; 1973 len--; 1974 } 1975 1976 bcm4377->stepping[idx] = '\0'; 1977 return 0; 1978 } 1979 bcm4377_parse_otp_str(struct bcm4377_data * bcm4377,const u8 * str,enum bcm4377_otp_params_type type)1980 static int bcm4377_parse_otp_str(struct bcm4377_data *bcm4377, const u8 *str, 1981 enum bcm4377_otp_params_type type) 1982 { 1983 const char *p; 1984 int ret; 1985 1986 p = skip_spaces(str); 1987 while (*p) { 1988 char tag = *p++; 1989 const char *end; 1990 size_t len; 1991 1992 if (*p++ != '=') /* implicit NUL check */ 1993 return -EINVAL; 1994 1995 /* *p might be NUL here, if so end == p and len == 0 */ 1996 end = strchrnul(p, ' '); 1997 len = end - p; 1998 1999 /* leave 1 byte for NUL in destination string */ 2000 if (len > (BCM4377_OTP_MAX_PARAM_LEN - 1)) 2001 return -EINVAL; 2002 2003 switch (type) { 2004 case BCM4377_OTP_BOARD_PARAMS: 2005 ret = bcm4377_parse_otp_board_params(bcm4377, tag, p, 2006 len); 2007 break; 2008 case BCM4377_OTP_CHIP_PARAMS: 2009 ret = bcm4377_parse_otp_chip_params(bcm4377, tag, p, 2010 len); 2011 break; 2012 default: 2013 ret = -EINVAL; 2014 break; 2015 } 2016 2017 if (ret) 2018 return ret; 2019 2020 /* Skip to next arg, if any */ 2021 p = skip_spaces(end); 2022 } 2023 2024 return 0; 2025 } 2026 bcm4377_parse_otp_sys_vendor(struct bcm4377_data * bcm4377,u8 * otp,size_t size)2027 static int bcm4377_parse_otp_sys_vendor(struct bcm4377_data *bcm4377, u8 *otp, 2028 size_t size) 2029 { 2030 int idx = 4; 2031 const char *chip_params; 2032 const char *board_params; 2033 int ret; 2034 2035 /* 4-byte header and two empty strings */ 2036 if (size < 6) 2037 return -EINVAL; 2038 2039 if (get_unaligned_le32(otp) != BCM4377_OTP_VENDOR_HDR) 2040 return -EINVAL; 2041 2042 chip_params = &otp[idx]; 2043 2044 /* Skip first string, including terminator */ 2045 idx += strnlen(chip_params, size - idx) + 1; 2046 if (idx >= size) 2047 return -EINVAL; 2048 2049 board_params = &otp[idx]; 2050 2051 /* Skip to terminator of second string */ 2052 idx += strnlen(board_params, size - idx); 2053 if (idx >= size) 2054 return -EINVAL; 2055 2056 /* At this point both strings are guaranteed NUL-terminated */ 2057 dev_dbg(&bcm4377->pdev->dev, 2058 "OTP: chip_params='%s' board_params='%s'\n", chip_params, 2059 board_params); 2060 2061 ret = bcm4377_parse_otp_str(bcm4377, chip_params, 2062 BCM4377_OTP_CHIP_PARAMS); 2063 if (ret) 2064 return ret; 2065 2066 ret = bcm4377_parse_otp_str(bcm4377, board_params, 2067 BCM4377_OTP_BOARD_PARAMS); 2068 if (ret) 2069 return ret; 2070 2071 if (!bcm4377->stepping[0] || !bcm4377->vendor[0]) 2072 return -EINVAL; 2073 2074 dev_dbg(&bcm4377->pdev->dev, "OTP: stepping=%s, vendor=%s\n", 2075 bcm4377->stepping, bcm4377->vendor); 2076 return 0; 2077 } 2078 bcm4377_parse_otp(struct bcm4377_data * bcm4377)2079 static int bcm4377_parse_otp(struct bcm4377_data *bcm4377) 2080 { 2081 u8 *otp; 2082 int i; 2083 int ret = -ENOENT; 2084 2085 otp = kzalloc(BCM4377_OTP_SIZE, GFP_KERNEL); 2086 if (!otp) 2087 return -ENOMEM; 2088 2089 for (i = 0; i < BCM4377_OTP_SIZE; ++i) 2090 otp[i] = ioread8(bcm4377->bar0 + bcm4377->hw->otp_offset + i); 2091 2092 i = 0; 2093 while (i < (BCM4377_OTP_SIZE - 1)) { 2094 u8 type = otp[i]; 2095 u8 length = otp[i + 1]; 2096 2097 if (type == 0) 2098 break; 2099 2100 if ((i + 2 + length) > BCM4377_OTP_SIZE) 2101 break; 2102 2103 switch (type) { 2104 case BCM4377_OTP_SYS_VENDOR: 2105 dev_dbg(&bcm4377->pdev->dev, 2106 "OTP @ 0x%x (%d): SYS_VENDOR", i, length); 2107 ret = bcm4377_parse_otp_sys_vendor(bcm4377, &otp[i + 2], 2108 length); 2109 break; 2110 case BCM4377_OTP_CIS: 2111 dev_dbg(&bcm4377->pdev->dev, "OTP @ 0x%x (%d): CIS", i, 2112 length); 2113 break; 2114 default: 2115 dev_dbg(&bcm4377->pdev->dev, "OTP @ 0x%x (%d): unknown", 2116 i, length); 2117 break; 2118 } 2119 2120 i += 2 + length; 2121 } 2122 2123 kfree(otp); 2124 return ret; 2125 } 2126 bcm4377_init_cfg(struct bcm4377_data * bcm4377)2127 static int bcm4377_init_cfg(struct bcm4377_data *bcm4377) 2128 { 2129 int ret; 2130 u32 ctrl; 2131 2132 ret = pci_write_config_dword(bcm4377->pdev, 2133 BCM4377_PCIECFG_BAR0_WINDOW1, 2134 bcm4377->hw->bar0_window1); 2135 if (ret) 2136 return ret; 2137 2138 ret = pci_write_config_dword(bcm4377->pdev, 2139 BCM4377_PCIECFG_BAR0_WINDOW2, 2140 bcm4377->hw->bar0_window2); 2141 if (ret) 2142 return ret; 2143 2144 ret = pci_write_config_dword( 2145 bcm4377->pdev, BCM4377_PCIECFG_BAR0_CORE2_WINDOW1, 2146 BCM4377_PCIECFG_BAR0_CORE2_WINDOW1_DEFAULT); 2147 if (ret) 2148 return ret; 2149 2150 if (bcm4377->hw->has_bar0_core2_window2) { 2151 ret = pci_write_config_dword(bcm4377->pdev, 2152 BCM4377_PCIECFG_BAR0_CORE2_WINDOW2, 2153 bcm4377->hw->bar0_core2_window2); 2154 if (ret) 2155 return ret; 2156 } 2157 2158 ret = pci_write_config_dword(bcm4377->pdev, BCM4377_PCIECFG_BAR2_WINDOW, 2159 BCM4377_PCIECFG_BAR2_WINDOW_DEFAULT); 2160 if (ret) 2161 return ret; 2162 2163 ret = pci_read_config_dword(bcm4377->pdev, 2164 BCM4377_PCIECFG_SUBSYSTEM_CTRL, &ctrl); 2165 if (ret) 2166 return ret; 2167 2168 if (bcm4377->hw->clear_pciecfg_subsystem_ctrl_bit19) 2169 ctrl &= ~BIT(19); 2170 ctrl |= BIT(16); 2171 2172 return pci_write_config_dword(bcm4377->pdev, 2173 BCM4377_PCIECFG_SUBSYSTEM_CTRL, ctrl); 2174 } 2175 bcm4377_probe_dmi(struct bcm4377_data * bcm4377)2176 static int bcm4377_probe_dmi(struct bcm4377_data *bcm4377) 2177 { 2178 const struct dmi_system_id *board_type_dmi_id; 2179 2180 board_type_dmi_id = dmi_first_match(bcm4377_dmi_board_table); 2181 if (board_type_dmi_id && board_type_dmi_id->driver_data) { 2182 bcm4377->board_type = board_type_dmi_id->driver_data; 2183 dev_dbg(&bcm4377->pdev->dev, 2184 "found board type via DMI match: %s\n", 2185 bcm4377->board_type); 2186 } 2187 2188 return 0; 2189 } 2190 bcm4377_probe_of(struct bcm4377_data * bcm4377)2191 static int bcm4377_probe_of(struct bcm4377_data *bcm4377) 2192 { 2193 struct device_node *np = bcm4377->pdev->dev.of_node; 2194 int ret; 2195 2196 if (!np) 2197 return 0; 2198 2199 ret = of_property_read_string(np, "brcm,board-type", 2200 &bcm4377->board_type); 2201 if (ret) { 2202 dev_err(&bcm4377->pdev->dev, "no brcm,board-type property\n"); 2203 return ret; 2204 } 2205 2206 bcm4377->taurus_beamforming_cal_blob = 2207 of_get_property(np, "brcm,taurus-bf-cal-blob", 2208 &bcm4377->taurus_beamforming_cal_size); 2209 if (!bcm4377->taurus_beamforming_cal_blob) { 2210 dev_err(&bcm4377->pdev->dev, 2211 "no brcm,taurus-bf-cal-blob property\n"); 2212 return -ENOENT; 2213 } 2214 bcm4377->taurus_cal_blob = of_get_property(np, "brcm,taurus-cal-blob", 2215 &bcm4377->taurus_cal_size); 2216 if (!bcm4377->taurus_cal_blob) { 2217 dev_err(&bcm4377->pdev->dev, 2218 "no brcm,taurus-cal-blob property\n"); 2219 return -ENOENT; 2220 } 2221 2222 return 0; 2223 } 2224 bcm4377_disable_aspm(struct bcm4377_data * bcm4377)2225 static void bcm4377_disable_aspm(struct bcm4377_data *bcm4377) 2226 { 2227 pci_disable_link_state(bcm4377->pdev, 2228 PCIE_LINK_STATE_L0S | PCIE_LINK_STATE_L1); 2229 2230 /* 2231 * pci_disable_link_state can fail if either CONFIG_PCIEASPM is disabled 2232 * or if the BIOS hasn't handed over control to us. We must *always* 2233 * disable ASPM for this device due to hardware errata though. 2234 */ 2235 pcie_capability_clear_word(bcm4377->pdev, PCI_EXP_LNKCTL, 2236 PCI_EXP_LNKCTL_ASPMC); 2237 } 2238 bcm4377_pci_free_irq_vectors(void * data)2239 static void bcm4377_pci_free_irq_vectors(void *data) 2240 { 2241 pci_free_irq_vectors(data); 2242 } 2243 bcm4377_hci_free_dev(void * data)2244 static void bcm4377_hci_free_dev(void *data) 2245 { 2246 hci_free_dev(data); 2247 } 2248 bcm4377_hci_unregister_dev(void * data)2249 static void bcm4377_hci_unregister_dev(void *data) 2250 { 2251 hci_unregister_dev(data); 2252 } 2253 bcm4377_probe(struct pci_dev * pdev,const struct pci_device_id * id)2254 static int bcm4377_probe(struct pci_dev *pdev, const struct pci_device_id *id) 2255 { 2256 struct bcm4377_data *bcm4377; 2257 struct hci_dev *hdev; 2258 int ret, irq; 2259 2260 ret = dma_set_mask_and_coherent(&pdev->dev, BCM4377_DMA_MASK); 2261 if (ret) 2262 return ret; 2263 2264 bcm4377 = devm_kzalloc(&pdev->dev, sizeof(*bcm4377), GFP_KERNEL); 2265 if (!bcm4377) 2266 return -ENOMEM; 2267 2268 bcm4377->pdev = pdev; 2269 bcm4377->hw = &bcm4377_hw_variants[id->driver_data]; 2270 init_completion(&bcm4377->event); 2271 2272 ret = bcm4377_prepare_rings(bcm4377); 2273 if (ret) 2274 return ret; 2275 2276 ret = bcm4377_init_context(bcm4377); 2277 if (ret) 2278 return ret; 2279 2280 ret = bcm4377_probe_dmi(bcm4377); 2281 if (ret) 2282 return ret; 2283 ret = bcm4377_probe_of(bcm4377); 2284 if (ret) 2285 return ret; 2286 if (!bcm4377->board_type) { 2287 dev_err(&pdev->dev, "unable to determine board type\n"); 2288 return -ENODEV; 2289 } 2290 2291 if (bcm4377->hw->disable_aspm) 2292 bcm4377_disable_aspm(bcm4377); 2293 2294 ret = pci_reset_function_locked(pdev); 2295 if (ret) 2296 dev_warn( 2297 &pdev->dev, 2298 "function level reset failed with %d; trying to continue anyway\n", 2299 ret); 2300 2301 /* 2302 * If this number is too low and we try to access any BAR too 2303 * early the device will crash. Experiments have shown that 2304 * approximately 50 msec is the minimum amount we have to wait. 2305 * Let's double that to be safe. 2306 */ 2307 msleep(100); 2308 2309 ret = pcim_enable_device(pdev); 2310 if (ret) 2311 return ret; 2312 pci_set_master(pdev); 2313 2314 ret = bcm4377_init_cfg(bcm4377); 2315 if (ret) 2316 return ret; 2317 2318 bcm4377->bar0 = pcim_iomap(pdev, 0, 0); 2319 if (!bcm4377->bar0) 2320 return -EBUSY; 2321 bcm4377->bar2 = pcim_iomap(pdev, 2, 0); 2322 if (!bcm4377->bar2) 2323 return -EBUSY; 2324 2325 ret = bcm4377_parse_otp(bcm4377); 2326 if (ret) { 2327 dev_err(&pdev->dev, "Reading OTP failed with %d\n", ret); 2328 return ret; 2329 } 2330 2331 /* 2332 * Legacy interrupts result in an IRQ storm because we don't know where 2333 * the interrupt mask and status registers for these chips are. 2334 * MSIs are acked automatically instead. 2335 */ 2336 ret = pci_alloc_irq_vectors(pdev, 1, 1, PCI_IRQ_MSI); 2337 if (ret < 0) 2338 return -ENODEV; 2339 ret = devm_add_action_or_reset(&pdev->dev, bcm4377_pci_free_irq_vectors, 2340 pdev); 2341 if (ret) 2342 return ret; 2343 2344 irq = pci_irq_vector(pdev, 0); 2345 if (irq <= 0) 2346 return -ENODEV; 2347 2348 ret = devm_request_irq(&pdev->dev, irq, bcm4377_irq, 0, "bcm4377", 2349 bcm4377); 2350 if (ret) 2351 return ret; 2352 2353 hdev = hci_alloc_dev(); 2354 if (!hdev) 2355 return -ENOMEM; 2356 ret = devm_add_action_or_reset(&pdev->dev, bcm4377_hci_free_dev, hdev); 2357 if (ret) 2358 return ret; 2359 2360 bcm4377->hdev = hdev; 2361 2362 hdev->bus = HCI_PCI; 2363 hdev->dev_type = HCI_PRIMARY; 2364 hdev->open = bcm4377_hci_open; 2365 hdev->close = bcm4377_hci_close; 2366 hdev->send = bcm4377_hci_send_frame; 2367 hdev->set_bdaddr = bcm4377_hci_set_bdaddr; 2368 hdev->setup = bcm4377_hci_setup; 2369 2370 set_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks); 2371 if (bcm4377->hw->broken_mws_transport_config) 2372 set_bit(HCI_QUIRK_BROKEN_MWS_TRANSPORT_CONFIG, &hdev->quirks); 2373 if (bcm4377->hw->broken_ext_scan) 2374 set_bit(HCI_QUIRK_BROKEN_EXT_SCAN, &hdev->quirks); 2375 2376 pci_set_drvdata(pdev, bcm4377); 2377 hci_set_drvdata(hdev, bcm4377); 2378 SET_HCIDEV_DEV(hdev, &pdev->dev); 2379 2380 ret = bcm4377_boot(bcm4377); 2381 if (ret) 2382 return ret; 2383 2384 ret = bcm4377_setup_rti(bcm4377); 2385 if (ret) 2386 return ret; 2387 2388 ret = hci_register_dev(hdev); 2389 if (ret) 2390 return ret; 2391 return devm_add_action_or_reset(&pdev->dev, bcm4377_hci_unregister_dev, 2392 hdev); 2393 } 2394 bcm4377_suspend(struct pci_dev * pdev,pm_message_t state)2395 static int bcm4377_suspend(struct pci_dev *pdev, pm_message_t state) 2396 { 2397 struct bcm4377_data *bcm4377 = pci_get_drvdata(pdev); 2398 int ret; 2399 2400 ret = hci_suspend_dev(bcm4377->hdev); 2401 if (ret) 2402 return ret; 2403 2404 iowrite32(BCM4377_BAR0_SLEEP_CONTROL_QUIESCE, 2405 bcm4377->bar0 + BCM4377_BAR0_SLEEP_CONTROL); 2406 2407 return 0; 2408 } 2409 bcm4377_resume(struct pci_dev * pdev)2410 static int bcm4377_resume(struct pci_dev *pdev) 2411 { 2412 struct bcm4377_data *bcm4377 = pci_get_drvdata(pdev); 2413 2414 iowrite32(BCM4377_BAR0_SLEEP_CONTROL_UNQUIESCE, 2415 bcm4377->bar0 + BCM4377_BAR0_SLEEP_CONTROL); 2416 2417 return hci_resume_dev(bcm4377->hdev); 2418 } 2419 2420 static const struct dmi_system_id bcm4377_dmi_board_table[] = { 2421 { 2422 .matches = { 2423 DMI_MATCH(DMI_BOARD_VENDOR, "Apple Inc."), 2424 DMI_MATCH(DMI_PRODUCT_NAME, "MacBookAir9,1"), 2425 }, 2426 .driver_data = "apple,formosa", 2427 }, 2428 { 2429 .matches = { 2430 DMI_MATCH(DMI_BOARD_VENDOR, "Apple Inc."), 2431 DMI_MATCH(DMI_PRODUCT_NAME, "MacBookPro15,4"), 2432 }, 2433 .driver_data = "apple,formosa", 2434 }, 2435 { 2436 .matches = { 2437 DMI_MATCH(DMI_BOARD_VENDOR, "Apple Inc."), 2438 DMI_MATCH(DMI_PRODUCT_NAME, "MacBookPro16,3"), 2439 }, 2440 .driver_data = "apple,formosa", 2441 }, 2442 {} 2443 }; 2444 2445 static const struct bcm4377_hw bcm4377_hw_variants[] = { 2446 [BCM4377] = { 2447 .id = 0x4377, 2448 .otp_offset = 0x4120, 2449 .bar0_window1 = 0x1800b000, 2450 .bar0_window2 = 0x1810c000, 2451 .disable_aspm = true, 2452 .broken_ext_scan = true, 2453 .send_ptb = bcm4377_send_ptb, 2454 }, 2455 2456 [BCM4378] = { 2457 .id = 0x4378, 2458 .otp_offset = 0x4120, 2459 .bar0_window1 = 0x18002000, 2460 .bar0_window2 = 0x1810a000, 2461 .bar0_core2_window2 = 0x18107000, 2462 .has_bar0_core2_window2 = true, 2463 .broken_mws_transport_config = true, 2464 .send_calibration = bcm4378_send_calibration, 2465 .send_ptb = bcm4378_send_ptb, 2466 }, 2467 2468 [BCM4387] = { 2469 .id = 0x4387, 2470 .otp_offset = 0x413c, 2471 .bar0_window1 = 0x18002000, 2472 .bar0_window2 = 0x18109000, 2473 .bar0_core2_window2 = 0x18106000, 2474 .has_bar0_core2_window2 = true, 2475 .clear_pciecfg_subsystem_ctrl_bit19 = true, 2476 .broken_mws_transport_config = true, 2477 .send_calibration = bcm4387_send_calibration, 2478 .send_ptb = bcm4378_send_ptb, 2479 }, 2480 }; 2481 2482 #define BCM4377_DEVID_ENTRY(id) \ 2483 { \ 2484 PCI_VENDOR_ID_BROADCOM, BCM##id##_DEVICE_ID, PCI_ANY_ID, \ 2485 PCI_ANY_ID, PCI_CLASS_NETWORK_OTHER << 8, 0xffff00, \ 2486 BCM##id \ 2487 } 2488 2489 static const struct pci_device_id bcm4377_devid_table[] = { 2490 BCM4377_DEVID_ENTRY(4377), 2491 BCM4377_DEVID_ENTRY(4378), 2492 BCM4377_DEVID_ENTRY(4387), 2493 {}, 2494 }; 2495 MODULE_DEVICE_TABLE(pci, bcm4377_devid_table); 2496 2497 static struct pci_driver bcm4377_pci_driver = { 2498 .name = "hci_bcm4377", 2499 .id_table = bcm4377_devid_table, 2500 .probe = bcm4377_probe, 2501 .suspend = bcm4377_suspend, 2502 .resume = bcm4377_resume, 2503 }; 2504 module_pci_driver(bcm4377_pci_driver); 2505 2506 MODULE_AUTHOR("Sven Peter <sven@svenpeter.dev>"); 2507 MODULE_DESCRIPTION("Bluetooth support for Broadcom 4377/4378/4387 devices"); 2508 MODULE_LICENSE("Dual MIT/GPL"); 2509 MODULE_FIRMWARE("brcm/brcmbt4377*.bin"); 2510 MODULE_FIRMWARE("brcm/brcmbt4377*.ptb"); 2511 MODULE_FIRMWARE("brcm/brcmbt4378*.bin"); 2512 MODULE_FIRMWARE("brcm/brcmbt4378*.ptb"); 2513 MODULE_FIRMWARE("brcm/brcmbt4387*.bin"); 2514 MODULE_FIRMWARE("brcm/brcmbt4387*.ptb"); 2515
