xref: /linux/drivers/bluetooth/btqca.c (revision 3ff78451b8e446e9a548b98a0d4dd8d24dc5780b)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  *  Bluetooth supports for Qualcomm Atheros chips
4  *
5  *  Copyright (c) 2015 The Linux Foundation. All rights reserved.
6  */
7 #include <linux/module.h>
8 #include <linux/firmware.h>
9 #include <linux/vmalloc.h>
10 
11 #include <net/bluetooth/bluetooth.h>
12 #include <net/bluetooth/hci_core.h>
13 
14 #include "btqca.h"
15 
16 int qca_read_soc_version(struct hci_dev *hdev, struct qca_btsoc_version *ver,
17 			 enum qca_btsoc_type soc_type)
18 {
19 	struct sk_buff *skb;
20 	struct edl_event_hdr *edl;
21 	char cmd;
22 	int err = 0;
23 	u8 event_type = HCI_EV_VENDOR;
24 	u8 rlen = sizeof(*edl) + sizeof(*ver);
25 	u8 rtype = EDL_APP_VER_RES_EVT;
26 
27 	bt_dev_dbg(hdev, "QCA Version Request");
28 
29 	/* Unlike other SoC's sending version command response as payload to
30 	 * VSE event. WCN3991 sends version command response as a payload to
31 	 * command complete event.
32 	 */
33 	if (soc_type >= QCA_WCN3991) {
34 		event_type = 0;
35 		rlen += 1;
36 		rtype = EDL_PATCH_VER_REQ_CMD;
37 	}
38 
39 	cmd = EDL_PATCH_VER_REQ_CMD;
40 	skb = __hci_cmd_sync_ev(hdev, EDL_PATCH_CMD_OPCODE, EDL_PATCH_CMD_LEN,
41 				&cmd, event_type, HCI_INIT_TIMEOUT);
42 	if (IS_ERR(skb)) {
43 		err = PTR_ERR(skb);
44 		bt_dev_err(hdev, "Reading QCA version information failed (%d)",
45 			   err);
46 		return err;
47 	}
48 
49 	if (skb->len != rlen) {
50 		bt_dev_err(hdev, "QCA Version size mismatch len %d", skb->len);
51 		err = -EILSEQ;
52 		goto out;
53 	}
54 
55 	edl = (struct edl_event_hdr *)(skb->data);
56 
57 	if (edl->cresp != EDL_CMD_REQ_RES_EVT ||
58 	    edl->rtype != rtype) {
59 		bt_dev_err(hdev, "QCA Wrong packet received %d %d", edl->cresp,
60 			   edl->rtype);
61 		err = -EIO;
62 		goto out;
63 	}
64 
65 	if (soc_type >= QCA_WCN3991)
66 		memcpy(ver, edl->data + 1, sizeof(*ver));
67 	else
68 		memcpy(ver, &edl->data, sizeof(*ver));
69 
70 	bt_dev_info(hdev, "QCA Product ID   :0x%08x",
71 		    le32_to_cpu(ver->product_id));
72 	bt_dev_info(hdev, "QCA SOC Version  :0x%08x",
73 		    le32_to_cpu(ver->soc_id));
74 	bt_dev_info(hdev, "QCA ROM Version  :0x%08x",
75 		    le16_to_cpu(ver->rom_ver));
76 	bt_dev_info(hdev, "QCA Patch Version:0x%08x",
77 		    le16_to_cpu(ver->patch_ver));
78 
79 	if (ver->soc_id == 0 || ver->rom_ver == 0)
80 		err = -EILSEQ;
81 
82 out:
83 	kfree_skb(skb);
84 	if (err)
85 		bt_dev_err(hdev, "QCA Failed to get version (%d)", err);
86 
87 	return err;
88 }
89 EXPORT_SYMBOL_GPL(qca_read_soc_version);
90 
91 static int qca_read_fw_build_info(struct hci_dev *hdev)
92 {
93 	struct sk_buff *skb;
94 	struct edl_event_hdr *edl;
95 	char *build_label;
96 	char cmd;
97 	int build_lbl_len, err = 0;
98 
99 	bt_dev_dbg(hdev, "QCA read fw build info");
100 
101 	cmd = EDL_GET_BUILD_INFO_CMD;
102 	skb = __hci_cmd_sync_ev(hdev, EDL_PATCH_CMD_OPCODE, EDL_PATCH_CMD_LEN,
103 				&cmd, 0, HCI_INIT_TIMEOUT);
104 	if (IS_ERR(skb)) {
105 		err = PTR_ERR(skb);
106 		bt_dev_err(hdev, "Reading QCA fw build info failed (%d)",
107 			   err);
108 		return err;
109 	}
110 
111 	if (skb->len < sizeof(*edl)) {
112 		err = -EILSEQ;
113 		goto out;
114 	}
115 
116 	edl = (struct edl_event_hdr *)(skb->data);
117 
118 	if (edl->cresp != EDL_CMD_REQ_RES_EVT ||
119 	    edl->rtype != EDL_GET_BUILD_INFO_CMD) {
120 		bt_dev_err(hdev, "QCA Wrong packet received %d %d", edl->cresp,
121 			   edl->rtype);
122 		err = -EIO;
123 		goto out;
124 	}
125 
126 	if (skb->len < sizeof(*edl) + 1) {
127 		err = -EILSEQ;
128 		goto out;
129 	}
130 
131 	build_lbl_len = edl->data[0];
132 
133 	if (skb->len < sizeof(*edl) + 1 + build_lbl_len) {
134 		err = -EILSEQ;
135 		goto out;
136 	}
137 
138 	build_label = kstrndup(&edl->data[1], build_lbl_len, GFP_KERNEL);
139 	if (!build_label) {
140 		err = -ENOMEM;
141 		goto out;
142 	}
143 
144 	hci_set_fw_info(hdev, "%s", build_label);
145 
146 	kfree(build_label);
147 out:
148 	kfree_skb(skb);
149 	return err;
150 }
151 
152 static int qca_send_patch_config_cmd(struct hci_dev *hdev)
153 {
154 	const u8 cmd[] = { EDL_PATCH_CONFIG_CMD, 0x01, 0, 0, 0 };
155 	struct sk_buff *skb;
156 	struct edl_event_hdr *edl;
157 	int err;
158 
159 	bt_dev_dbg(hdev, "QCA Patch config");
160 
161 	skb = __hci_cmd_sync_ev(hdev, EDL_PATCH_CMD_OPCODE, sizeof(cmd),
162 				cmd, 0, HCI_INIT_TIMEOUT);
163 	if (IS_ERR(skb)) {
164 		err = PTR_ERR(skb);
165 		bt_dev_err(hdev, "Sending QCA Patch config failed (%d)", err);
166 		return err;
167 	}
168 
169 	if (skb->len != 2) {
170 		bt_dev_err(hdev, "QCA Patch config cmd size mismatch len %d", skb->len);
171 		err = -EILSEQ;
172 		goto out;
173 	}
174 
175 	edl = (struct edl_event_hdr *)(skb->data);
176 
177 	if (edl->cresp != EDL_PATCH_CONFIG_RES_EVT || edl->rtype != EDL_PATCH_CONFIG_CMD) {
178 		bt_dev_err(hdev, "QCA Wrong packet received %d %d", edl->cresp,
179 			   edl->rtype);
180 		err = -EIO;
181 		goto out;
182 	}
183 
184 	err = 0;
185 
186 out:
187 	kfree_skb(skb);
188 	return err;
189 }
190 
191 static int qca_send_reset(struct hci_dev *hdev)
192 {
193 	struct sk_buff *skb;
194 	int err;
195 
196 	bt_dev_dbg(hdev, "QCA HCI_RESET");
197 
198 	skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
199 	if (IS_ERR(skb)) {
200 		err = PTR_ERR(skb);
201 		bt_dev_err(hdev, "QCA Reset failed (%d)", err);
202 		return err;
203 	}
204 
205 	kfree_skb(skb);
206 
207 	return 0;
208 }
209 
210 static int qca_read_fw_board_id(struct hci_dev *hdev, u16 *bid)
211 {
212 	u8 cmd;
213 	struct sk_buff *skb;
214 	struct edl_event_hdr *edl;
215 	int err = 0;
216 
217 	cmd = EDL_GET_BID_REQ_CMD;
218 	skb = __hci_cmd_sync_ev(hdev, EDL_PATCH_CMD_OPCODE, EDL_PATCH_CMD_LEN,
219 				&cmd, 0, HCI_INIT_TIMEOUT);
220 	if (IS_ERR(skb)) {
221 		err = PTR_ERR(skb);
222 		bt_dev_err(hdev, "Reading QCA board ID failed (%d)", err);
223 		return err;
224 	}
225 
226 	edl = skb_pull_data(skb, sizeof(*edl));
227 	if (!edl) {
228 		bt_dev_err(hdev, "QCA read board ID with no header");
229 		err = -EILSEQ;
230 		goto out;
231 	}
232 
233 	if (edl->cresp != EDL_CMD_REQ_RES_EVT ||
234 	    edl->rtype != EDL_GET_BID_REQ_CMD) {
235 		bt_dev_err(hdev, "QCA Wrong packet: %d %d", edl->cresp, edl->rtype);
236 		err = -EIO;
237 		goto out;
238 	}
239 
240 	if (skb->len < 3) {
241 		err = -EILSEQ;
242 		goto out;
243 	}
244 
245 	*bid = (edl->data[1] << 8) + edl->data[2];
246 	bt_dev_dbg(hdev, "%s: bid = %x", __func__, *bid);
247 
248 out:
249 	kfree_skb(skb);
250 	return err;
251 }
252 
253 int qca_send_pre_shutdown_cmd(struct hci_dev *hdev)
254 {
255 	struct sk_buff *skb;
256 	int err;
257 
258 	bt_dev_dbg(hdev, "QCA pre shutdown cmd");
259 
260 	skb = __hci_cmd_sync_ev(hdev, QCA_PRE_SHUTDOWN_CMD, 0,
261 				NULL, HCI_EV_CMD_COMPLETE, HCI_INIT_TIMEOUT);
262 
263 	if (IS_ERR(skb)) {
264 		err = PTR_ERR(skb);
265 		bt_dev_err(hdev, "QCA preshutdown_cmd failed (%d)", err);
266 		return err;
267 	}
268 
269 	kfree_skb(skb);
270 
271 	return 0;
272 }
273 EXPORT_SYMBOL_GPL(qca_send_pre_shutdown_cmd);
274 
275 static int qca_tlv_check_data(struct hci_dev *hdev,
276 			       struct qca_fw_config *config,
277 			       u8 *fw_data, size_t fw_size,
278 			       enum qca_btsoc_type soc_type)
279 {
280 	const u8 *data;
281 	u32 type_len;
282 	u16 tag_id, tag_len;
283 	int idx, length;
284 	struct tlv_type_hdr *tlv;
285 	struct tlv_type_patch *tlv_patch;
286 	struct tlv_type_nvm *tlv_nvm;
287 	uint8_t nvm_baud_rate = config->user_baud_rate;
288 	u8 type;
289 
290 	config->dnld_mode = QCA_SKIP_EVT_NONE;
291 	config->dnld_type = QCA_SKIP_EVT_NONE;
292 
293 	switch (config->type) {
294 	case ELF_TYPE_PATCH:
295 		if (fw_size < 7)
296 			return -EINVAL;
297 
298 		config->dnld_mode = QCA_SKIP_EVT_VSE_CC;
299 		config->dnld_type = QCA_SKIP_EVT_VSE_CC;
300 
301 		bt_dev_dbg(hdev, "File Class        : 0x%x", fw_data[4]);
302 		bt_dev_dbg(hdev, "Data Encoding     : 0x%x", fw_data[5]);
303 		bt_dev_dbg(hdev, "File version      : 0x%x", fw_data[6]);
304 		break;
305 	case TLV_TYPE_PATCH:
306 		if (fw_size < sizeof(struct tlv_type_hdr) + sizeof(struct tlv_type_patch))
307 			return -EINVAL;
308 
309 		tlv = (struct tlv_type_hdr *)fw_data;
310 		type_len = le32_to_cpu(tlv->type_len);
311 		tlv_patch = (struct tlv_type_patch *)tlv->data;
312 
313 		/* For Rome version 1.1 to 3.1, all segment commands
314 		 * are acked by a vendor specific event (VSE).
315 		 * For Rome >= 3.2, the download mode field indicates
316 		 * if VSE is skipped by the controller.
317 		 * In case VSE is skipped, only the last segment is acked.
318 		 */
319 		config->dnld_mode = tlv_patch->download_mode;
320 		config->dnld_type = config->dnld_mode;
321 
322 		BT_DBG("TLV Type\t\t : 0x%x", type_len & 0x000000ff);
323 		BT_DBG("Total Length           : %d bytes",
324 		       le32_to_cpu(tlv_patch->total_size));
325 		BT_DBG("Patch Data Length      : %d bytes",
326 		       le32_to_cpu(tlv_patch->data_length));
327 		BT_DBG("Signing Format Version : 0x%x",
328 		       tlv_patch->format_version);
329 		BT_DBG("Signature Algorithm    : 0x%x",
330 		       tlv_patch->signature);
331 		BT_DBG("Download mode          : 0x%x",
332 		       tlv_patch->download_mode);
333 		BT_DBG("Reserved               : 0x%x",
334 		       tlv_patch->reserved1);
335 		BT_DBG("Product ID             : 0x%04x",
336 		       le16_to_cpu(tlv_patch->product_id));
337 		BT_DBG("Rom Build Version      : 0x%04x",
338 		       le16_to_cpu(tlv_patch->rom_build));
339 		BT_DBG("Patch Version          : 0x%04x",
340 		       le16_to_cpu(tlv_patch->patch_version));
341 		BT_DBG("Reserved               : 0x%x",
342 		       le16_to_cpu(tlv_patch->reserved2));
343 		BT_DBG("Patch Entry Address    : 0x%x",
344 		       le32_to_cpu(tlv_patch->entry));
345 		break;
346 
347 	case TLV_TYPE_NVM:
348 		if (fw_size < sizeof(struct tlv_type_hdr))
349 			return -EINVAL;
350 
351 		tlv = (struct tlv_type_hdr *)fw_data;
352 
353 		type_len = le32_to_cpu(tlv->type_len);
354 		length = type_len >> 8;
355 		type = type_len & 0xff;
356 
357 		/* Some NVM files have more than one set of tags, only parse
358 		 * the first set when it has type 2 for now. When there is
359 		 * more than one set there is an enclosing header of type 4.
360 		 */
361 		if (type == 4) {
362 			if (fw_size < 2 * sizeof(struct tlv_type_hdr))
363 				return -EINVAL;
364 
365 			tlv++;
366 
367 			type_len = le32_to_cpu(tlv->type_len);
368 			length = type_len >> 8;
369 			type = type_len & 0xff;
370 		}
371 
372 		BT_DBG("TLV Type\t\t : 0x%x", type);
373 		BT_DBG("Length\t\t : %d bytes", length);
374 
375 		if (type != 2)
376 			break;
377 
378 		if (fw_size < length + (tlv->data - fw_data))
379 			return -EINVAL;
380 
381 		idx = 0;
382 		data = tlv->data;
383 		while (idx < length - sizeof(struct tlv_type_nvm)) {
384 			tlv_nvm = (struct tlv_type_nvm *)(data + idx);
385 
386 			tag_id = le16_to_cpu(tlv_nvm->tag_id);
387 			tag_len = le16_to_cpu(tlv_nvm->tag_len);
388 
389 			if (length < idx + sizeof(struct tlv_type_nvm) + tag_len)
390 				return -EINVAL;
391 
392 			/* Update NVM tags as needed */
393 			switch (tag_id) {
394 			case EDL_TAG_ID_BD_ADDR:
395 				if (tag_len != sizeof(bdaddr_t))
396 					return -EINVAL;
397 
398 				memcpy(&config->bdaddr, tlv_nvm->data, sizeof(bdaddr_t));
399 
400 				break;
401 
402 			case EDL_TAG_ID_HCI:
403 				if (tag_len < 3)
404 					return -EINVAL;
405 
406 				/* HCI transport layer parameters
407 				 * enabling software inband sleep
408 				 * onto controller side.
409 				 */
410 				tlv_nvm->data[0] |= 0x80;
411 
412 				/* UART Baud Rate */
413 				if (soc_type >= QCA_WCN3991)
414 					tlv_nvm->data[1] = nvm_baud_rate;
415 				else
416 					tlv_nvm->data[2] = nvm_baud_rate;
417 
418 				break;
419 
420 			case EDL_TAG_ID_DEEP_SLEEP:
421 				if (tag_len < 1)
422 					return -EINVAL;
423 
424 				/* Sleep enable mask
425 				 * enabling deep sleep feature on controller.
426 				 */
427 				tlv_nvm->data[0] |= 0x01;
428 
429 				break;
430 			}
431 
432 			idx += sizeof(struct tlv_type_nvm) + tag_len;
433 		}
434 		break;
435 
436 	default:
437 		BT_ERR("Unknown TLV type %d", config->type);
438 		return -EINVAL;
439 	}
440 
441 	return 0;
442 }
443 
444 static int qca_tlv_send_segment(struct hci_dev *hdev, int seg_size,
445 				const u8 *data, enum qca_tlv_dnld_mode mode,
446 				enum qca_btsoc_type soc_type)
447 {
448 	struct sk_buff *skb;
449 	struct edl_event_hdr *edl;
450 	struct tlv_seg_resp *tlv_resp;
451 	u8 cmd[MAX_SIZE_PER_TLV_SEGMENT + 2];
452 	int err = 0;
453 	u8 event_type = HCI_EV_VENDOR;
454 	u8 rlen = (sizeof(*edl) + sizeof(*tlv_resp));
455 	u8 rtype = EDL_TVL_DNLD_RES_EVT;
456 
457 	cmd[0] = EDL_PATCH_TLV_REQ_CMD;
458 	cmd[1] = seg_size;
459 	memcpy(cmd + 2, data, seg_size);
460 
461 	if (mode == QCA_SKIP_EVT_VSE_CC || mode == QCA_SKIP_EVT_VSE)
462 		return __hci_cmd_send(hdev, EDL_PATCH_CMD_OPCODE, seg_size + 2,
463 				      cmd);
464 
465 	/* Unlike other SoC's sending version command response as payload to
466 	 * VSE event. WCN3991 sends version command response as a payload to
467 	 * command complete event.
468 	 */
469 	if (soc_type >= QCA_WCN3991) {
470 		event_type = 0;
471 		rlen = sizeof(*edl);
472 		rtype = EDL_PATCH_TLV_REQ_CMD;
473 	}
474 
475 	skb = __hci_cmd_sync_ev(hdev, EDL_PATCH_CMD_OPCODE, seg_size + 2, cmd,
476 				event_type, HCI_INIT_TIMEOUT);
477 	if (IS_ERR(skb)) {
478 		err = PTR_ERR(skb);
479 		bt_dev_err(hdev, "QCA Failed to send TLV segment (%d)", err);
480 		return err;
481 	}
482 
483 	if (skb->len != rlen) {
484 		bt_dev_err(hdev, "QCA TLV response size mismatch");
485 		err = -EILSEQ;
486 		goto out;
487 	}
488 
489 	edl = (struct edl_event_hdr *)(skb->data);
490 
491 	if (edl->cresp != EDL_CMD_REQ_RES_EVT || edl->rtype != rtype) {
492 		bt_dev_err(hdev, "QCA TLV with error stat 0x%x rtype 0x%x",
493 			   edl->cresp, edl->rtype);
494 		err = -EIO;
495 	}
496 
497 	if (soc_type >= QCA_WCN3991)
498 		goto out;
499 
500 	tlv_resp = (struct tlv_seg_resp *)(edl->data);
501 	if (tlv_resp->result) {
502 		bt_dev_err(hdev, "QCA TLV with error stat 0x%x rtype 0x%x (0x%x)",
503 			   edl->cresp, edl->rtype, tlv_resp->result);
504 	}
505 
506 out:
507 	kfree_skb(skb);
508 
509 	return err;
510 }
511 
512 static int qca_inject_cmd_complete_event(struct hci_dev *hdev)
513 {
514 	struct hci_event_hdr *hdr;
515 	struct hci_ev_cmd_complete *evt;
516 	struct sk_buff *skb;
517 
518 	skb = bt_skb_alloc(sizeof(*hdr) + sizeof(*evt) + 1, GFP_KERNEL);
519 	if (!skb)
520 		return -ENOMEM;
521 
522 	hdr = skb_put(skb, sizeof(*hdr));
523 	hdr->evt = HCI_EV_CMD_COMPLETE;
524 	hdr->plen = sizeof(*evt) + 1;
525 
526 	evt = skb_put(skb, sizeof(*evt));
527 	evt->ncmd = 1;
528 	evt->opcode = cpu_to_le16(QCA_HCI_CC_OPCODE);
529 
530 	skb_put_u8(skb, QCA_HCI_CC_SUCCESS);
531 
532 	hci_skb_pkt_type(skb) = HCI_EVENT_PKT;
533 
534 	return hci_recv_frame(hdev, skb);
535 }
536 
537 static int qca_download_firmware(struct hci_dev *hdev,
538 				 struct qca_fw_config *config,
539 				 enum qca_btsoc_type soc_type,
540 				 u8 rom_ver)
541 {
542 	const struct firmware *fw;
543 	u8 *data;
544 	const u8 *segment;
545 	int ret, size, remain, i = 0;
546 
547 	bt_dev_info(hdev, "QCA Downloading %s", config->fwname);
548 
549 	ret = request_firmware(&fw, config->fwname, &hdev->dev);
550 	if (ret) {
551 		/* For WCN6750, if mbn file is not present then check for
552 		 * tlv file.
553 		 */
554 		if (soc_type == QCA_WCN6750 && config->type == ELF_TYPE_PATCH) {
555 			bt_dev_dbg(hdev, "QCA Failed to request file: %s (%d)",
556 				   config->fwname, ret);
557 			config->type = TLV_TYPE_PATCH;
558 			snprintf(config->fwname, sizeof(config->fwname),
559 				 "qca/msbtfw%02x.tlv", rom_ver);
560 			bt_dev_info(hdev, "QCA Downloading %s", config->fwname);
561 			ret = request_firmware(&fw, config->fwname, &hdev->dev);
562 			if (ret) {
563 				bt_dev_err(hdev, "QCA Failed to request file: %s (%d)",
564 					   config->fwname, ret);
565 				return ret;
566 			}
567 		} else {
568 			bt_dev_err(hdev, "QCA Failed to request file: %s (%d)",
569 				   config->fwname, ret);
570 			return ret;
571 		}
572 	}
573 
574 	size = fw->size;
575 	data = vmalloc(fw->size);
576 	if (!data) {
577 		bt_dev_err(hdev, "QCA Failed to allocate memory for file: %s",
578 			   config->fwname);
579 		release_firmware(fw);
580 		return -ENOMEM;
581 	}
582 
583 	memcpy(data, fw->data, size);
584 	release_firmware(fw);
585 
586 	ret = qca_tlv_check_data(hdev, config, data, size, soc_type);
587 	if (ret)
588 		goto out;
589 
590 	segment = data;
591 	remain = size;
592 	while (remain > 0) {
593 		int segsize = min(MAX_SIZE_PER_TLV_SEGMENT, remain);
594 
595 		bt_dev_dbg(hdev, "Send segment %d, size %d", i++, segsize);
596 
597 		remain -= segsize;
598 		/* The last segment is always acked regardless download mode */
599 		if (!remain || segsize < MAX_SIZE_PER_TLV_SEGMENT)
600 			config->dnld_mode = QCA_SKIP_EVT_NONE;
601 
602 		ret = qca_tlv_send_segment(hdev, segsize, segment,
603 					   config->dnld_mode, soc_type);
604 		if (ret)
605 			goto out;
606 
607 		segment += segsize;
608 	}
609 
610 	/* Latest qualcomm chipsets are not sending a command complete event
611 	 * for every fw packet sent. They only respond with a vendor specific
612 	 * event for the last packet. This optimization in the chip will
613 	 * decrease the BT in initialization time. Here we will inject a command
614 	 * complete event to avoid a command timeout error message.
615 	 */
616 	if (config->dnld_type == QCA_SKIP_EVT_VSE_CC ||
617 	    config->dnld_type == QCA_SKIP_EVT_VSE)
618 		ret = qca_inject_cmd_complete_event(hdev);
619 
620 out:
621 	vfree(data);
622 
623 	return ret;
624 }
625 
626 static int qca_disable_soc_logging(struct hci_dev *hdev)
627 {
628 	struct sk_buff *skb;
629 	u8 cmd[2];
630 	int err;
631 
632 	cmd[0] = QCA_DISABLE_LOGGING_SUB_OP;
633 	cmd[1] = 0x00;
634 	skb = __hci_cmd_sync_ev(hdev, QCA_DISABLE_LOGGING, sizeof(cmd), cmd,
635 				HCI_EV_CMD_COMPLETE, HCI_INIT_TIMEOUT);
636 	if (IS_ERR(skb)) {
637 		err = PTR_ERR(skb);
638 		bt_dev_err(hdev, "QCA Failed to disable soc logging(%d)", err);
639 		return err;
640 	}
641 
642 	kfree_skb(skb);
643 
644 	return 0;
645 }
646 
647 int qca_set_bdaddr_rome(struct hci_dev *hdev, const bdaddr_t *bdaddr)
648 {
649 	struct sk_buff *skb;
650 	u8 cmd[9];
651 	int err;
652 
653 	cmd[0] = EDL_NVM_ACCESS_SET_REQ_CMD;
654 	cmd[1] = 0x02; 			/* TAG ID */
655 	cmd[2] = sizeof(bdaddr_t);	/* size */
656 	memcpy(cmd + 3, bdaddr, sizeof(bdaddr_t));
657 	skb = __hci_cmd_sync_ev(hdev, EDL_NVM_ACCESS_OPCODE, sizeof(cmd), cmd,
658 				HCI_EV_VENDOR, HCI_INIT_TIMEOUT);
659 	if (IS_ERR(skb)) {
660 		err = PTR_ERR(skb);
661 		bt_dev_err(hdev, "QCA Change address command failed (%d)", err);
662 		return err;
663 	}
664 
665 	kfree_skb(skb);
666 
667 	return 0;
668 }
669 EXPORT_SYMBOL_GPL(qca_set_bdaddr_rome);
670 
671 static int qca_check_bdaddr(struct hci_dev *hdev, const struct qca_fw_config *config)
672 {
673 	struct hci_rp_read_bd_addr *bda;
674 	struct sk_buff *skb;
675 	int err;
676 
677 	if (bacmp(&hdev->public_addr, BDADDR_ANY))
678 		return 0;
679 
680 	skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL,
681 			     HCI_INIT_TIMEOUT);
682 	if (IS_ERR(skb)) {
683 		err = PTR_ERR(skb);
684 		bt_dev_err(hdev, "Failed to read device address (%d)", err);
685 		return err;
686 	}
687 
688 	if (skb->len != sizeof(*bda)) {
689 		bt_dev_err(hdev, "Device address length mismatch");
690 		kfree_skb(skb);
691 		return -EIO;
692 	}
693 
694 	bda = (struct hci_rp_read_bd_addr *)skb->data;
695 	if (!bacmp(&bda->bdaddr, &config->bdaddr))
696 		set_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks);
697 
698 	kfree_skb(skb);
699 
700 	return 0;
701 }
702 
703 static void qca_generate_hsp_nvm_name(char *fwname, size_t max_size,
704 		struct qca_btsoc_version ver, u8 rom_ver, u16 bid)
705 {
706 	const char *variant;
707 
708 	/* hsp gf chip */
709 	if ((le32_to_cpu(ver.soc_id) & QCA_HSP_GF_SOC_MASK) == QCA_HSP_GF_SOC_ID)
710 		variant = "g";
711 	else
712 		variant = "";
713 
714 	if (bid == 0x0)
715 		snprintf(fwname, max_size, "qca/hpnv%02x%s.bin", rom_ver, variant);
716 	else
717 		snprintf(fwname, max_size, "qca/hpnv%02x%s.%x", rom_ver, variant, bid);
718 }
719 
720 static inline void qca_get_nvm_name_generic(struct qca_fw_config *cfg,
721 					    const char *stem, u8 rom_ver, u16 bid)
722 {
723 	if (bid == 0x0)
724 		snprintf(cfg->fwname, sizeof(cfg->fwname), "qca/%snv%02x.bin", stem, rom_ver);
725 	else if (bid & 0xff00)
726 		snprintf(cfg->fwname, sizeof(cfg->fwname),
727 			 "qca/%snv%02x.b%x", stem, rom_ver, bid);
728 	else
729 		snprintf(cfg->fwname, sizeof(cfg->fwname),
730 			 "qca/%snv%02x.b%02x", stem, rom_ver, bid);
731 }
732 
733 int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
734 		   enum qca_btsoc_type soc_type, struct qca_btsoc_version ver,
735 		   const char *firmware_name)
736 {
737 	struct qca_fw_config config = {};
738 	int err;
739 	u8 rom_ver = 0;
740 	u32 soc_ver;
741 	u16 boardid = 0;
742 
743 	bt_dev_dbg(hdev, "QCA setup on UART");
744 
745 	soc_ver = get_soc_ver(ver.soc_id, ver.rom_ver);
746 
747 	bt_dev_info(hdev, "QCA controller version 0x%08x", soc_ver);
748 
749 	config.user_baud_rate = baudrate;
750 
751 	/* Firmware files to download are based on ROM version.
752 	 * ROM version is derived from last two bytes of soc_ver.
753 	 */
754 	if (soc_type == QCA_WCN3988)
755 		rom_ver = ((soc_ver & 0x00000f00) >> 0x05) | (soc_ver & 0x0000000f);
756 	else
757 		rom_ver = ((soc_ver & 0x00000f00) >> 0x04) | (soc_ver & 0x0000000f);
758 
759 	if (soc_type == QCA_WCN6750)
760 		qca_send_patch_config_cmd(hdev);
761 
762 	/* Download rampatch file */
763 	config.type = TLV_TYPE_PATCH;
764 	switch (soc_type) {
765 	case QCA_WCN3990:
766 	case QCA_WCN3991:
767 	case QCA_WCN3998:
768 		snprintf(config.fwname, sizeof(config.fwname),
769 			 "qca/crbtfw%02x.tlv", rom_ver);
770 		break;
771 	case QCA_WCN3988:
772 		snprintf(config.fwname, sizeof(config.fwname),
773 			 "qca/apbtfw%02x.tlv", rom_ver);
774 		break;
775 	case QCA_QCA2066:
776 		snprintf(config.fwname, sizeof(config.fwname),
777 			 "qca/hpbtfw%02x.tlv", rom_ver);
778 		break;
779 	case QCA_QCA6390:
780 		snprintf(config.fwname, sizeof(config.fwname),
781 			 "qca/htbtfw%02x.tlv", rom_ver);
782 		break;
783 	case QCA_WCN6750:
784 		/* Choose mbn file by default.If mbn file is not found
785 		 * then choose tlv file
786 		 */
787 		config.type = ELF_TYPE_PATCH;
788 		snprintf(config.fwname, sizeof(config.fwname),
789 			 "qca/msbtfw%02x.mbn", rom_ver);
790 		break;
791 	case QCA_WCN6855:
792 		snprintf(config.fwname, sizeof(config.fwname),
793 			 "qca/hpbtfw%02x.tlv", rom_ver);
794 		break;
795 	case QCA_WCN7850:
796 		snprintf(config.fwname, sizeof(config.fwname),
797 			 "qca/hmtbtfw%02x.tlv", rom_ver);
798 		break;
799 	default:
800 		snprintf(config.fwname, sizeof(config.fwname),
801 			 "qca/rampatch_%08x.bin", soc_ver);
802 	}
803 
804 	err = qca_download_firmware(hdev, &config, soc_type, rom_ver);
805 	if (err < 0) {
806 		bt_dev_err(hdev, "QCA Failed to download patch (%d)", err);
807 		return err;
808 	}
809 
810 	/* Give the controller some time to get ready to receive the NVM */
811 	msleep(10);
812 
813 	if (soc_type == QCA_QCA2066 || soc_type == QCA_WCN7850)
814 		qca_read_fw_board_id(hdev, &boardid);
815 
816 	/* Download NVM configuration */
817 	config.type = TLV_TYPE_NVM;
818 	if (firmware_name) {
819 		snprintf(config.fwname, sizeof(config.fwname),
820 			 "qca/%s", firmware_name);
821 	} else {
822 		switch (soc_type) {
823 		case QCA_WCN3990:
824 		case QCA_WCN3991:
825 		case QCA_WCN3998:
826 			if (le32_to_cpu(ver.soc_id) == QCA_WCN3991_SOC_ID) {
827 				snprintf(config.fwname, sizeof(config.fwname),
828 					 "qca/crnv%02xu.bin", rom_ver);
829 			} else {
830 				snprintf(config.fwname, sizeof(config.fwname),
831 					 "qca/crnv%02x.bin", rom_ver);
832 			}
833 			break;
834 		case QCA_WCN3988:
835 			snprintf(config.fwname, sizeof(config.fwname),
836 				 "qca/apnv%02x.bin", rom_ver);
837 			break;
838 		case QCA_QCA2066:
839 			qca_generate_hsp_nvm_name(config.fwname,
840 				sizeof(config.fwname), ver, rom_ver, boardid);
841 			break;
842 		case QCA_QCA6390:
843 			snprintf(config.fwname, sizeof(config.fwname),
844 				 "qca/htnv%02x.bin", rom_ver);
845 			break;
846 		case QCA_WCN6750:
847 			snprintf(config.fwname, sizeof(config.fwname),
848 				 "qca/msnv%02x.bin", rom_ver);
849 			break;
850 		case QCA_WCN6855:
851 			snprintf(config.fwname, sizeof(config.fwname),
852 				 "qca/hpnv%02x.bin", rom_ver);
853 			break;
854 		case QCA_WCN7850:
855 			qca_get_nvm_name_generic(&config, "hmt", rom_ver, boardid);
856 			break;
857 
858 		default:
859 			snprintf(config.fwname, sizeof(config.fwname),
860 				 "qca/nvm_%08x.bin", soc_ver);
861 		}
862 	}
863 
864 	err = qca_download_firmware(hdev, &config, soc_type, rom_ver);
865 	if (err < 0) {
866 		bt_dev_err(hdev, "QCA Failed to download NVM (%d)", err);
867 		return err;
868 	}
869 
870 	switch (soc_type) {
871 	case QCA_WCN3991:
872 	case QCA_QCA2066:
873 	case QCA_QCA6390:
874 	case QCA_WCN6750:
875 	case QCA_WCN6855:
876 	case QCA_WCN7850:
877 		err = qca_disable_soc_logging(hdev);
878 		if (err < 0)
879 			return err;
880 		break;
881 	default:
882 		break;
883 	}
884 
885 	/* WCN399x and WCN6750 supports the Microsoft vendor extension with 0xFD70 as the
886 	 * VsMsftOpCode.
887 	 */
888 	switch (soc_type) {
889 	case QCA_WCN3988:
890 	case QCA_WCN3990:
891 	case QCA_WCN3991:
892 	case QCA_WCN3998:
893 	case QCA_WCN6750:
894 		hci_set_msft_opcode(hdev, 0xFD70);
895 		break;
896 	default:
897 		break;
898 	}
899 
900 	/* Perform HCI reset */
901 	err = qca_send_reset(hdev);
902 	if (err < 0) {
903 		bt_dev_err(hdev, "QCA Failed to run HCI_RESET (%d)", err);
904 		return err;
905 	}
906 
907 	switch (soc_type) {
908 	case QCA_WCN3991:
909 	case QCA_WCN6750:
910 	case QCA_WCN6855:
911 	case QCA_WCN7850:
912 		/* get fw build info */
913 		err = qca_read_fw_build_info(hdev);
914 		if (err < 0)
915 			return err;
916 		break;
917 	default:
918 		break;
919 	}
920 
921 	err = qca_check_bdaddr(hdev, &config);
922 	if (err)
923 		return err;
924 
925 	bt_dev_info(hdev, "QCA setup on UART is completed");
926 
927 	return 0;
928 }
929 EXPORT_SYMBOL_GPL(qca_uart_setup);
930 
931 int qca_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr)
932 {
933 	bdaddr_t bdaddr_swapped;
934 	struct sk_buff *skb;
935 	int err;
936 
937 	baswap(&bdaddr_swapped, bdaddr);
938 
939 	skb = __hci_cmd_sync_ev(hdev, EDL_WRITE_BD_ADDR_OPCODE, 6,
940 				&bdaddr_swapped, HCI_EV_VENDOR,
941 				HCI_INIT_TIMEOUT);
942 	if (IS_ERR(skb)) {
943 		err = PTR_ERR(skb);
944 		bt_dev_err(hdev, "QCA Change address cmd failed (%d)", err);
945 		return err;
946 	}
947 
948 	kfree_skb(skb);
949 
950 	return 0;
951 }
952 EXPORT_SYMBOL_GPL(qca_set_bdaddr);
953 
954 
955 MODULE_AUTHOR("Ben Young Tae Kim <ytkim@qca.qualcomm.com>");
956 MODULE_DESCRIPTION("Bluetooth support for Qualcomm Atheros family");
957 MODULE_LICENSE("GPL");
958