xref: /linux/drivers/bluetooth/btrtl.c (revision bd912c991d2ef079a32558f057b8663bcf1fb6fc)
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  *  Bluetooth support for Realtek devices
4  *
5  *  Copyright (C) 2015 Endless Mobile, Inc.
6  */
7 
8 #include <linux/module.h>
9 #include <linux/firmware.h>
10 #include <asm/unaligned.h>
11 #include <linux/usb.h>
12 
13 #include <net/bluetooth/bluetooth.h>
14 #include <net/bluetooth/hci_core.h>
15 
16 #include "btrtl.h"
17 
18 #define VERSION "0.1"
19 
20 #define RTL_CHIP_8723CS_CG	3
21 #define RTL_CHIP_8723CS_VF	4
22 #define RTL_CHIP_8723CS_XX	5
23 #define RTL_EPATCH_SIGNATURE	"Realtech"
24 #define RTL_EPATCH_SIGNATURE_V2	"RTBTCore"
25 #define RTL_ROM_LMP_8703B	0x8703
26 #define RTL_ROM_LMP_8723A	0x1200
27 #define RTL_ROM_LMP_8723B	0x8723
28 #define RTL_ROM_LMP_8821A	0x8821
29 #define RTL_ROM_LMP_8761A	0x8761
30 #define RTL_ROM_LMP_8822B	0x8822
31 #define RTL_ROM_LMP_8852A	0x8852
32 #define RTL_ROM_LMP_8851B	0x8851
33 #define RTL_CONFIG_MAGIC	0x8723ab55
34 
35 #define IC_MATCH_FL_LMPSUBV	(1 << 0)
36 #define IC_MATCH_FL_HCIREV	(1 << 1)
37 #define IC_MATCH_FL_HCIVER	(1 << 2)
38 #define IC_MATCH_FL_HCIBUS	(1 << 3)
39 #define IC_MATCH_FL_CHIP_TYPE	(1 << 4)
40 #define IC_INFO(lmps, hcir, hciv, bus) \
41 	.match_flags = IC_MATCH_FL_LMPSUBV | IC_MATCH_FL_HCIREV | \
42 		       IC_MATCH_FL_HCIVER | IC_MATCH_FL_HCIBUS, \
43 	.lmp_subver = (lmps), \
44 	.hci_rev = (hcir), \
45 	.hci_ver = (hciv), \
46 	.hci_bus = (bus)
47 
48 #define	RTL_CHIP_SUBVER (&(struct rtl_vendor_cmd) {{0x10, 0x38, 0x04, 0x28, 0x80}})
49 #define	RTL_CHIP_REV    (&(struct rtl_vendor_cmd) {{0x10, 0x3A, 0x04, 0x28, 0x80}})
50 #define	RTL_SEC_PROJ    (&(struct rtl_vendor_cmd) {{0x10, 0xA4, 0x0D, 0x00, 0xb0}})
51 
52 #define RTL_PATCH_SNIPPETS		0x01
53 #define RTL_PATCH_DUMMY_HEADER		0x02
54 #define RTL_PATCH_SECURITY_HEADER	0x03
55 
56 enum btrtl_chip_id {
57 	CHIP_ID_8723A,
58 	CHIP_ID_8723B,
59 	CHIP_ID_8821A,
60 	CHIP_ID_8761A,
61 	CHIP_ID_8822B = 8,
62 	CHIP_ID_8723D,
63 	CHIP_ID_8821C,
64 	CHIP_ID_8822C = 13,
65 	CHIP_ID_8761B,
66 	CHIP_ID_8852A = 18,
67 	CHIP_ID_8852B = 20,
68 	CHIP_ID_8852C = 25,
69 	CHIP_ID_8851B = 36,
70 };
71 
72 struct id_table {
73 	__u16 match_flags;
74 	__u16 lmp_subver;
75 	__u16 hci_rev;
76 	__u8 hci_ver;
77 	__u8 hci_bus;
78 	__u8 chip_type;
79 	bool config_needed;
80 	bool has_rom_version;
81 	bool has_msft_ext;
82 	char *fw_name;
83 	char *cfg_name;
84 };
85 
86 struct btrtl_device_info {
87 	const struct id_table *ic_info;
88 	u8 rom_version;
89 	u8 *fw_data;
90 	int fw_len;
91 	u8 *cfg_data;
92 	int cfg_len;
93 	bool drop_fw;
94 	int project_id;
95 	u8 key_id;
96 	struct list_head patch_subsecs;
97 };
98 
99 static const struct id_table ic_id_table[] = {
100 	/* 8723A */
101 	{ IC_INFO(RTL_ROM_LMP_8723A, 0xb, 0x6, HCI_USB),
102 	  .config_needed = false,
103 	  .has_rom_version = false,
104 	  .fw_name = "rtl_bt/rtl8723a_fw.bin",
105 	  .cfg_name = NULL },
106 
107 	/* 8723BS */
108 	{ IC_INFO(RTL_ROM_LMP_8723B, 0xb, 0x6, HCI_UART),
109 	  .config_needed = true,
110 	  .has_rom_version = true,
111 	  .fw_name  = "rtl_bt/rtl8723bs_fw.bin",
112 	  .cfg_name = "rtl_bt/rtl8723bs_config" },
113 
114 	/* 8723B */
115 	{ IC_INFO(RTL_ROM_LMP_8723B, 0xb, 0x6, HCI_USB),
116 	  .config_needed = false,
117 	  .has_rom_version = true,
118 	  .fw_name  = "rtl_bt/rtl8723b_fw.bin",
119 	  .cfg_name = "rtl_bt/rtl8723b_config" },
120 
121 	/* 8723CS-CG */
122 	{ .match_flags = IC_MATCH_FL_LMPSUBV | IC_MATCH_FL_CHIP_TYPE |
123 			 IC_MATCH_FL_HCIBUS,
124 	  .lmp_subver = RTL_ROM_LMP_8703B,
125 	  .chip_type = RTL_CHIP_8723CS_CG,
126 	  .hci_bus = HCI_UART,
127 	  .config_needed = true,
128 	  .has_rom_version = true,
129 	  .fw_name  = "rtl_bt/rtl8723cs_cg_fw.bin",
130 	  .cfg_name = "rtl_bt/rtl8723cs_cg_config" },
131 
132 	/* 8723CS-VF */
133 	{ .match_flags = IC_MATCH_FL_LMPSUBV | IC_MATCH_FL_CHIP_TYPE |
134 			 IC_MATCH_FL_HCIBUS,
135 	  .lmp_subver = RTL_ROM_LMP_8703B,
136 	  .chip_type = RTL_CHIP_8723CS_VF,
137 	  .hci_bus = HCI_UART,
138 	  .config_needed = true,
139 	  .has_rom_version = true,
140 	  .fw_name  = "rtl_bt/rtl8723cs_vf_fw.bin",
141 	  .cfg_name = "rtl_bt/rtl8723cs_vf_config" },
142 
143 	/* 8723CS-XX */
144 	{ .match_flags = IC_MATCH_FL_LMPSUBV | IC_MATCH_FL_CHIP_TYPE |
145 			 IC_MATCH_FL_HCIBUS,
146 	  .lmp_subver = RTL_ROM_LMP_8703B,
147 	  .chip_type = RTL_CHIP_8723CS_XX,
148 	  .hci_bus = HCI_UART,
149 	  .config_needed = true,
150 	  .has_rom_version = true,
151 	  .fw_name  = "rtl_bt/rtl8723cs_xx_fw.bin",
152 	  .cfg_name = "rtl_bt/rtl8723cs_xx_config" },
153 
154 	/* 8723D */
155 	{ IC_INFO(RTL_ROM_LMP_8723B, 0xd, 0x8, HCI_USB),
156 	  .config_needed = true,
157 	  .has_rom_version = true,
158 	  .fw_name  = "rtl_bt/rtl8723d_fw.bin",
159 	  .cfg_name = "rtl_bt/rtl8723d_config" },
160 
161 	/* 8723DS */
162 	{ IC_INFO(RTL_ROM_LMP_8723B, 0xd, 0x8, HCI_UART),
163 	  .config_needed = true,
164 	  .has_rom_version = true,
165 	  .fw_name  = "rtl_bt/rtl8723ds_fw.bin",
166 	  .cfg_name = "rtl_bt/rtl8723ds_config" },
167 
168 	/* 8821A */
169 	{ IC_INFO(RTL_ROM_LMP_8821A, 0xa, 0x6, HCI_USB),
170 	  .config_needed = false,
171 	  .has_rom_version = true,
172 	  .fw_name  = "rtl_bt/rtl8821a_fw.bin",
173 	  .cfg_name = "rtl_bt/rtl8821a_config" },
174 
175 	/* 8821C */
176 	{ IC_INFO(RTL_ROM_LMP_8821A, 0xc, 0x8, HCI_USB),
177 	  .config_needed = false,
178 	  .has_rom_version = true,
179 	  .has_msft_ext = true,
180 	  .fw_name  = "rtl_bt/rtl8821c_fw.bin",
181 	  .cfg_name = "rtl_bt/rtl8821c_config" },
182 
183 	/* 8821CS */
184 	{ IC_INFO(RTL_ROM_LMP_8821A, 0xc, 0x8, HCI_UART),
185 	  .config_needed = true,
186 	  .has_rom_version = true,
187 	  .has_msft_ext = true,
188 	  .fw_name  = "rtl_bt/rtl8821cs_fw.bin",
189 	  .cfg_name = "rtl_bt/rtl8821cs_config" },
190 
191 	/* 8761A */
192 	{ IC_INFO(RTL_ROM_LMP_8761A, 0xa, 0x6, HCI_USB),
193 	  .config_needed = false,
194 	  .has_rom_version = true,
195 	  .fw_name  = "rtl_bt/rtl8761a_fw.bin",
196 	  .cfg_name = "rtl_bt/rtl8761a_config" },
197 
198 	/* 8761B */
199 	{ IC_INFO(RTL_ROM_LMP_8761A, 0xb, 0xa, HCI_UART),
200 	  .config_needed = false,
201 	  .has_rom_version = true,
202 	  .has_msft_ext = true,
203 	  .fw_name  = "rtl_bt/rtl8761b_fw.bin",
204 	  .cfg_name = "rtl_bt/rtl8761b_config" },
205 
206 	/* 8761BU */
207 	{ IC_INFO(RTL_ROM_LMP_8761A, 0xb, 0xa, HCI_USB),
208 	  .config_needed = false,
209 	  .has_rom_version = true,
210 	  .fw_name  = "rtl_bt/rtl8761bu_fw.bin",
211 	  .cfg_name = "rtl_bt/rtl8761bu_config" },
212 
213 	/* 8822C with UART interface */
214 	{ IC_INFO(RTL_ROM_LMP_8822B, 0xc, 0x8, HCI_UART),
215 	  .config_needed = true,
216 	  .has_rom_version = true,
217 	  .has_msft_ext = true,
218 	  .fw_name  = "rtl_bt/rtl8822cs_fw.bin",
219 	  .cfg_name = "rtl_bt/rtl8822cs_config" },
220 
221 	/* 8822C with UART interface */
222 	{ IC_INFO(RTL_ROM_LMP_8822B, 0xc, 0xa, HCI_UART),
223 	  .config_needed = true,
224 	  .has_rom_version = true,
225 	  .has_msft_ext = true,
226 	  .fw_name  = "rtl_bt/rtl8822cs_fw.bin",
227 	  .cfg_name = "rtl_bt/rtl8822cs_config" },
228 
229 	/* 8822C with USB interface */
230 	{ IC_INFO(RTL_ROM_LMP_8822B, 0xc, 0xa, HCI_USB),
231 	  .config_needed = false,
232 	  .has_rom_version = true,
233 	  .has_msft_ext = true,
234 	  .fw_name  = "rtl_bt/rtl8822cu_fw.bin",
235 	  .cfg_name = "rtl_bt/rtl8822cu_config" },
236 
237 	/* 8822B */
238 	{ IC_INFO(RTL_ROM_LMP_8822B, 0xb, 0x7, HCI_USB),
239 	  .config_needed = true,
240 	  .has_rom_version = true,
241 	  .has_msft_ext = true,
242 	  .fw_name  = "rtl_bt/rtl8822b_fw.bin",
243 	  .cfg_name = "rtl_bt/rtl8822b_config" },
244 
245 	/* 8852A */
246 	{ IC_INFO(RTL_ROM_LMP_8852A, 0xa, 0xb, HCI_USB),
247 	  .config_needed = false,
248 	  .has_rom_version = true,
249 	  .has_msft_ext = true,
250 	  .fw_name  = "rtl_bt/rtl8852au_fw.bin",
251 	  .cfg_name = "rtl_bt/rtl8852au_config" },
252 
253 	/* 8852B with UART interface */
254 	{ IC_INFO(RTL_ROM_LMP_8852A, 0xb, 0xb, HCI_UART),
255 	  .config_needed = true,
256 	  .has_rom_version = true,
257 	  .has_msft_ext = true,
258 	  .fw_name  = "rtl_bt/rtl8852bs_fw.bin",
259 	  .cfg_name = "rtl_bt/rtl8852bs_config" },
260 
261 	/* 8852B */
262 	{ IC_INFO(RTL_ROM_LMP_8852A, 0xb, 0xb, HCI_USB),
263 	  .config_needed = false,
264 	  .has_rom_version = true,
265 	  .has_msft_ext = true,
266 	  .fw_name  = "rtl_bt/rtl8852bu_fw.bin",
267 	  .cfg_name = "rtl_bt/rtl8852bu_config" },
268 
269 	/* 8852C */
270 	{ IC_INFO(RTL_ROM_LMP_8852A, 0xc, 0xc, HCI_USB),
271 	  .config_needed = false,
272 	  .has_rom_version = true,
273 	  .has_msft_ext = true,
274 	  .fw_name  = "rtl_bt/rtl8852cu_fw.bin",
275 	  .cfg_name = "rtl_bt/rtl8852cu_config" },
276 
277 	/* 8851B */
278 	{ IC_INFO(RTL_ROM_LMP_8851B, 0xb, 0xc, HCI_USB),
279 	  .config_needed = false,
280 	  .has_rom_version = true,
281 	  .has_msft_ext = false,
282 	  .fw_name  = "rtl_bt/rtl8851bu_fw.bin",
283 	  .cfg_name = "rtl_bt/rtl8851bu_config" },
284 	};
285 
286 static const struct id_table *btrtl_match_ic(u16 lmp_subver, u16 hci_rev,
287 					     u8 hci_ver, u8 hci_bus,
288 					     u8 chip_type)
289 {
290 	int i;
291 
292 	for (i = 0; i < ARRAY_SIZE(ic_id_table); i++) {
293 		if ((ic_id_table[i].match_flags & IC_MATCH_FL_LMPSUBV) &&
294 		    (ic_id_table[i].lmp_subver != lmp_subver))
295 			continue;
296 		if ((ic_id_table[i].match_flags & IC_MATCH_FL_HCIREV) &&
297 		    (ic_id_table[i].hci_rev != hci_rev))
298 			continue;
299 		if ((ic_id_table[i].match_flags & IC_MATCH_FL_HCIVER) &&
300 		    (ic_id_table[i].hci_ver != hci_ver))
301 			continue;
302 		if ((ic_id_table[i].match_flags & IC_MATCH_FL_HCIBUS) &&
303 		    (ic_id_table[i].hci_bus != hci_bus))
304 			continue;
305 		if ((ic_id_table[i].match_flags & IC_MATCH_FL_CHIP_TYPE) &&
306 		    (ic_id_table[i].chip_type != chip_type))
307 			continue;
308 
309 		break;
310 	}
311 	if (i >= ARRAY_SIZE(ic_id_table))
312 		return NULL;
313 
314 	return &ic_id_table[i];
315 }
316 
317 static struct sk_buff *btrtl_read_local_version(struct hci_dev *hdev)
318 {
319 	struct sk_buff *skb;
320 
321 	skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL,
322 			     HCI_INIT_TIMEOUT);
323 	if (IS_ERR(skb)) {
324 		rtl_dev_err(hdev, "HCI_OP_READ_LOCAL_VERSION failed (%ld)",
325 			    PTR_ERR(skb));
326 		return skb;
327 	}
328 
329 	if (skb->len != sizeof(struct hci_rp_read_local_version)) {
330 		rtl_dev_err(hdev, "HCI_OP_READ_LOCAL_VERSION event length mismatch");
331 		kfree_skb(skb);
332 		return ERR_PTR(-EIO);
333 	}
334 
335 	return skb;
336 }
337 
338 static int rtl_read_rom_version(struct hci_dev *hdev, u8 *version)
339 {
340 	struct rtl_rom_version_evt *rom_version;
341 	struct sk_buff *skb;
342 
343 	/* Read RTL ROM version command */
344 	skb = __hci_cmd_sync(hdev, 0xfc6d, 0, NULL, HCI_INIT_TIMEOUT);
345 	if (IS_ERR(skb)) {
346 		rtl_dev_err(hdev, "Read ROM version failed (%ld)",
347 			    PTR_ERR(skb));
348 		return PTR_ERR(skb);
349 	}
350 
351 	if (skb->len != sizeof(*rom_version)) {
352 		rtl_dev_err(hdev, "version event length mismatch");
353 		kfree_skb(skb);
354 		return -EIO;
355 	}
356 
357 	rom_version = (struct rtl_rom_version_evt *)skb->data;
358 	rtl_dev_info(hdev, "rom_version status=%x version=%x",
359 		     rom_version->status, rom_version->version);
360 
361 	*version = rom_version->version;
362 
363 	kfree_skb(skb);
364 	return 0;
365 }
366 
367 static int btrtl_vendor_read_reg16(struct hci_dev *hdev,
368 				   struct rtl_vendor_cmd *cmd, u8 *rp)
369 {
370 	struct sk_buff *skb;
371 	int err = 0;
372 
373 	skb = __hci_cmd_sync(hdev, 0xfc61, sizeof(*cmd), cmd,
374 			     HCI_INIT_TIMEOUT);
375 	if (IS_ERR(skb)) {
376 		err = PTR_ERR(skb);
377 		rtl_dev_err(hdev, "RTL: Read reg16 failed (%d)", err);
378 		return err;
379 	}
380 
381 	if (skb->len != 3 || skb->data[0]) {
382 		bt_dev_err(hdev, "RTL: Read reg16 length mismatch");
383 		kfree_skb(skb);
384 		return -EIO;
385 	}
386 
387 	if (rp)
388 		memcpy(rp, skb->data + 1, 2);
389 
390 	kfree_skb(skb);
391 
392 	return 0;
393 }
394 
395 static void *rtl_iov_pull_data(struct rtl_iovec *iov, u32 len)
396 {
397 	void *data = iov->data;
398 
399 	if (iov->len < len)
400 		return NULL;
401 
402 	iov->data += len;
403 	iov->len  -= len;
404 
405 	return data;
406 }
407 
408 static void btrtl_insert_ordered_subsec(struct rtl_subsection *node,
409 					struct btrtl_device_info *btrtl_dev)
410 {
411 	struct list_head *pos;
412 	struct list_head *next;
413 	struct rtl_subsection *subsec;
414 
415 	list_for_each_safe(pos, next, &btrtl_dev->patch_subsecs) {
416 		subsec = list_entry(pos, struct rtl_subsection, list);
417 		if (subsec->prio >= node->prio)
418 			break;
419 	}
420 	__list_add(&node->list, pos->prev, pos);
421 }
422 
423 static int btrtl_parse_section(struct hci_dev *hdev,
424 			       struct btrtl_device_info *btrtl_dev, u32 opcode,
425 			       u8 *data, u32 len)
426 {
427 	struct rtl_section_hdr *hdr;
428 	struct rtl_subsection *subsec;
429 	struct rtl_common_subsec *common_subsec;
430 	struct rtl_sec_hdr *sec_hdr;
431 	int i;
432 	u8 *ptr;
433 	u16 num_subsecs;
434 	u32 subsec_len;
435 	int rc = 0;
436 	struct rtl_iovec iov = {
437 		.data = data,
438 		.len  = len,
439 	};
440 
441 	hdr = rtl_iov_pull_data(&iov, sizeof(*hdr));
442 	if (!hdr)
443 		return -EINVAL;
444 	num_subsecs = le16_to_cpu(hdr->num);
445 
446 	for (i = 0; i < num_subsecs; i++) {
447 		common_subsec = rtl_iov_pull_data(&iov, sizeof(*common_subsec));
448 		if (!common_subsec)
449 			break;
450 		subsec_len = le32_to_cpu(common_subsec->len);
451 
452 		rtl_dev_dbg(hdev, "subsec, eco 0x%02x, len %08x",
453 			    common_subsec->eco, subsec_len);
454 
455 		ptr = rtl_iov_pull_data(&iov, subsec_len);
456 		if (!ptr)
457 			break;
458 
459 		if (common_subsec->eco != btrtl_dev->rom_version + 1)
460 			continue;
461 
462 		switch (opcode) {
463 		case RTL_PATCH_SECURITY_HEADER:
464 			sec_hdr = (void *)common_subsec;
465 			if (sec_hdr->key_id != btrtl_dev->key_id)
466 				continue;
467 			break;
468 		}
469 
470 		subsec = kzalloc(sizeof(*subsec), GFP_KERNEL);
471 		if (!subsec)
472 			return -ENOMEM;
473 		subsec->opcode = opcode;
474 		subsec->prio = common_subsec->prio;
475 		subsec->len  = subsec_len;
476 		subsec->data = ptr;
477 		btrtl_insert_ordered_subsec(subsec, btrtl_dev);
478 		rc  += subsec_len;
479 	}
480 
481 	return rc;
482 }
483 
484 static int rtlbt_parse_firmware_v2(struct hci_dev *hdev,
485 				   struct btrtl_device_info *btrtl_dev,
486 				   unsigned char **_buf)
487 {
488 	struct rtl_epatch_header_v2 *hdr;
489 	int rc;
490 	u8 reg_val[2];
491 	u8 key_id;
492 	u32 num_sections;
493 	struct rtl_section *section;
494 	struct rtl_subsection *entry, *tmp;
495 	u32 section_len;
496 	u32 opcode;
497 	int len = 0;
498 	int i;
499 	u8 *ptr;
500 	struct rtl_iovec iov = {
501 		.data = btrtl_dev->fw_data,
502 		.len  = btrtl_dev->fw_len - 7, /* Cut the tail */
503 	};
504 
505 	rc = btrtl_vendor_read_reg16(hdev, RTL_SEC_PROJ, reg_val);
506 	if (rc < 0)
507 		return -EIO;
508 	key_id = reg_val[0];
509 
510 	rtl_dev_dbg(hdev, "%s: key id %u", __func__, key_id);
511 
512 	btrtl_dev->key_id = key_id;
513 
514 	hdr = rtl_iov_pull_data(&iov, sizeof(*hdr));
515 	if (!hdr)
516 		return -EINVAL;
517 	num_sections = le32_to_cpu(hdr->num_sections);
518 
519 	rtl_dev_dbg(hdev, "FW version %08x-%08x", *((u32 *)hdr->fw_version),
520 		    *((u32 *)(hdr->fw_version + 4)));
521 
522 	for (i = 0; i < num_sections; i++) {
523 		section = rtl_iov_pull_data(&iov, sizeof(*section));
524 		if (!section)
525 			break;
526 		section_len = le32_to_cpu(section->len);
527 		opcode      = le32_to_cpu(section->opcode);
528 
529 		rtl_dev_dbg(hdev, "opcode 0x%04x", section->opcode);
530 
531 		ptr = rtl_iov_pull_data(&iov, section_len);
532 		if (!ptr)
533 			break;
534 
535 		switch (opcode) {
536 		case RTL_PATCH_SNIPPETS:
537 			rc = btrtl_parse_section(hdev, btrtl_dev, opcode,
538 						 ptr, section_len);
539 			break;
540 		case RTL_PATCH_SECURITY_HEADER:
541 			/* If key_id from chip is zero, ignore all security
542 			 * headers.
543 			 */
544 			if (!key_id)
545 				break;
546 			rc = btrtl_parse_section(hdev, btrtl_dev, opcode,
547 						 ptr, section_len);
548 			break;
549 		case RTL_PATCH_DUMMY_HEADER:
550 			rc = btrtl_parse_section(hdev, btrtl_dev, opcode,
551 						 ptr, section_len);
552 			break;
553 		default:
554 			rc = 0;
555 			break;
556 		}
557 		if (rc < 0) {
558 			rtl_dev_err(hdev, "RTL: Parse section (%u) err %d",
559 				    opcode, rc);
560 			return rc;
561 		}
562 		len += rc;
563 	}
564 
565 	if (!len)
566 		return -ENODATA;
567 
568 	/* Allocate mem and copy all found subsecs. */
569 	ptr = kvmalloc(len, GFP_KERNEL);
570 	if (!ptr)
571 		return -ENOMEM;
572 
573 	len = 0;
574 	list_for_each_entry_safe(entry, tmp, &btrtl_dev->patch_subsecs, list) {
575 		rtl_dev_dbg(hdev, "RTL: opcode %08x, addr %p, len 0x%x",
576 			    entry->opcode, entry->data, entry->len);
577 		memcpy(ptr + len, entry->data, entry->len);
578 		len += entry->len;
579 	}
580 
581 	if (!len)
582 		return -EPERM;
583 
584 	*_buf = ptr;
585 	return len;
586 }
587 
588 static int rtlbt_parse_firmware(struct hci_dev *hdev,
589 				struct btrtl_device_info *btrtl_dev,
590 				unsigned char **_buf)
591 {
592 	static const u8 extension_sig[] = { 0x51, 0x04, 0xfd, 0x77 };
593 	struct rtl_epatch_header *epatch_info;
594 	unsigned char *buf;
595 	int i, len;
596 	size_t min_size;
597 	u8 opcode, length, data;
598 	int project_id = -1;
599 	const unsigned char *fwptr, *chip_id_base;
600 	const unsigned char *patch_length_base, *patch_offset_base;
601 	u32 patch_offset = 0;
602 	u16 patch_length, num_patches;
603 	static const struct {
604 		__u16 lmp_subver;
605 		__u8 id;
606 	} project_id_to_lmp_subver[] = {
607 		{ RTL_ROM_LMP_8723A, 0 },
608 		{ RTL_ROM_LMP_8723B, 1 },
609 		{ RTL_ROM_LMP_8821A, 2 },
610 		{ RTL_ROM_LMP_8761A, 3 },
611 		{ RTL_ROM_LMP_8703B, 7 },
612 		{ RTL_ROM_LMP_8822B, 8 },
613 		{ RTL_ROM_LMP_8723B, 9 },	/* 8723D */
614 		{ RTL_ROM_LMP_8821A, 10 },	/* 8821C */
615 		{ RTL_ROM_LMP_8822B, 13 },	/* 8822C */
616 		{ RTL_ROM_LMP_8761A, 14 },	/* 8761B */
617 		{ RTL_ROM_LMP_8852A, 18 },	/* 8852A */
618 		{ RTL_ROM_LMP_8852A, 20 },	/* 8852B */
619 		{ RTL_ROM_LMP_8852A, 25 },	/* 8852C */
620 		{ RTL_ROM_LMP_8851B, 36 },	/* 8851B */
621 	};
622 
623 	if (btrtl_dev->fw_len <= 8)
624 		return -EINVAL;
625 
626 	if (!memcmp(btrtl_dev->fw_data, RTL_EPATCH_SIGNATURE, 8))
627 		min_size = sizeof(struct rtl_epatch_header) +
628 				sizeof(extension_sig) + 3;
629 	else if (!memcmp(btrtl_dev->fw_data, RTL_EPATCH_SIGNATURE_V2, 8))
630 		min_size = sizeof(struct rtl_epatch_header_v2) +
631 				sizeof(extension_sig) + 3;
632 	else
633 		return -EINVAL;
634 
635 	if (btrtl_dev->fw_len < min_size)
636 		return -EINVAL;
637 
638 	fwptr = btrtl_dev->fw_data + btrtl_dev->fw_len - sizeof(extension_sig);
639 	if (memcmp(fwptr, extension_sig, sizeof(extension_sig)) != 0) {
640 		rtl_dev_err(hdev, "extension section signature mismatch");
641 		return -EINVAL;
642 	}
643 
644 	/* Loop from the end of the firmware parsing instructions, until
645 	 * we find an instruction that identifies the "project ID" for the
646 	 * hardware supported by this firwmare file.
647 	 * Once we have that, we double-check that project_id is suitable
648 	 * for the hardware we are working with.
649 	 */
650 	while (fwptr >= btrtl_dev->fw_data + (sizeof(*epatch_info) + 3)) {
651 		opcode = *--fwptr;
652 		length = *--fwptr;
653 		data = *--fwptr;
654 
655 		BT_DBG("check op=%x len=%x data=%x", opcode, length, data);
656 
657 		if (opcode == 0xff) /* EOF */
658 			break;
659 
660 		if (length == 0) {
661 			rtl_dev_err(hdev, "found instruction with length 0");
662 			return -EINVAL;
663 		}
664 
665 		if (opcode == 0 && length == 1) {
666 			project_id = data;
667 			break;
668 		}
669 
670 		fwptr -= length;
671 	}
672 
673 	if (project_id < 0) {
674 		rtl_dev_err(hdev, "failed to find version instruction");
675 		return -EINVAL;
676 	}
677 
678 	/* Find project_id in table */
679 	for (i = 0; i < ARRAY_SIZE(project_id_to_lmp_subver); i++) {
680 		if (project_id == project_id_to_lmp_subver[i].id) {
681 			btrtl_dev->project_id = project_id;
682 			break;
683 		}
684 	}
685 
686 	if (i >= ARRAY_SIZE(project_id_to_lmp_subver)) {
687 		rtl_dev_err(hdev, "unknown project id %d", project_id);
688 		return -EINVAL;
689 	}
690 
691 	if (btrtl_dev->ic_info->lmp_subver !=
692 				project_id_to_lmp_subver[i].lmp_subver) {
693 		rtl_dev_err(hdev, "firmware is for %x but this is a %x",
694 			    project_id_to_lmp_subver[i].lmp_subver,
695 			    btrtl_dev->ic_info->lmp_subver);
696 		return -EINVAL;
697 	}
698 
699 	if (memcmp(btrtl_dev->fw_data, RTL_EPATCH_SIGNATURE, 8) != 0) {
700 		if (!memcmp(btrtl_dev->fw_data, RTL_EPATCH_SIGNATURE_V2, 8))
701 			return rtlbt_parse_firmware_v2(hdev, btrtl_dev, _buf);
702 		rtl_dev_err(hdev, "bad EPATCH signature");
703 		return -EINVAL;
704 	}
705 
706 	epatch_info = (struct rtl_epatch_header *)btrtl_dev->fw_data;
707 	num_patches = le16_to_cpu(epatch_info->num_patches);
708 	BT_DBG("fw_version=%x, num_patches=%d",
709 	       le32_to_cpu(epatch_info->fw_version), num_patches);
710 
711 	/* After the rtl_epatch_header there is a funky patch metadata section.
712 	 * Assuming 2 patches, the layout is:
713 	 * ChipID1 ChipID2 PatchLength1 PatchLength2 PatchOffset1 PatchOffset2
714 	 *
715 	 * Find the right patch for this chip.
716 	 */
717 	min_size += 8 * num_patches;
718 	if (btrtl_dev->fw_len < min_size)
719 		return -EINVAL;
720 
721 	chip_id_base = btrtl_dev->fw_data + sizeof(struct rtl_epatch_header);
722 	patch_length_base = chip_id_base + (sizeof(u16) * num_patches);
723 	patch_offset_base = patch_length_base + (sizeof(u16) * num_patches);
724 	for (i = 0; i < num_patches; i++) {
725 		u16 chip_id = get_unaligned_le16(chip_id_base +
726 						 (i * sizeof(u16)));
727 		if (chip_id == btrtl_dev->rom_version + 1) {
728 			patch_length = get_unaligned_le16(patch_length_base +
729 							  (i * sizeof(u16)));
730 			patch_offset = get_unaligned_le32(patch_offset_base +
731 							  (i * sizeof(u32)));
732 			break;
733 		}
734 	}
735 
736 	if (!patch_offset) {
737 		rtl_dev_err(hdev, "didn't find patch for chip id %d",
738 			    btrtl_dev->rom_version);
739 		return -EINVAL;
740 	}
741 
742 	BT_DBG("length=%x offset=%x index %d", patch_length, patch_offset, i);
743 	min_size = patch_offset + patch_length;
744 	if (btrtl_dev->fw_len < min_size)
745 		return -EINVAL;
746 
747 	/* Copy the firmware into a new buffer and write the version at
748 	 * the end.
749 	 */
750 	len = patch_length;
751 	buf = kvmalloc(patch_length, GFP_KERNEL);
752 	if (!buf)
753 		return -ENOMEM;
754 
755 	memcpy(buf, btrtl_dev->fw_data + patch_offset, patch_length - 4);
756 	memcpy(buf + patch_length - 4, &epatch_info->fw_version, 4);
757 
758 	*_buf = buf;
759 	return len;
760 }
761 
762 static int rtl_download_firmware(struct hci_dev *hdev,
763 				 const unsigned char *data, int fw_len)
764 {
765 	struct rtl_download_cmd *dl_cmd;
766 	int frag_num = fw_len / RTL_FRAG_LEN + 1;
767 	int frag_len = RTL_FRAG_LEN;
768 	int ret = 0;
769 	int i;
770 	int j = 0;
771 	struct sk_buff *skb;
772 	struct hci_rp_read_local_version *rp;
773 
774 	dl_cmd = kmalloc(sizeof(struct rtl_download_cmd), GFP_KERNEL);
775 	if (!dl_cmd)
776 		return -ENOMEM;
777 
778 	for (i = 0; i < frag_num; i++) {
779 		struct sk_buff *skb;
780 
781 		dl_cmd->index = j++;
782 		if (dl_cmd->index == 0x7f)
783 			j = 1;
784 
785 		if (i == (frag_num - 1)) {
786 			dl_cmd->index |= 0x80; /* data end */
787 			frag_len = fw_len % RTL_FRAG_LEN;
788 		}
789 		rtl_dev_dbg(hdev, "download fw (%d/%d). index = %d", i,
790 				frag_num, dl_cmd->index);
791 		memcpy(dl_cmd->data, data, frag_len);
792 
793 		/* Send download command */
794 		skb = __hci_cmd_sync(hdev, 0xfc20, frag_len + 1, dl_cmd,
795 				     HCI_INIT_TIMEOUT);
796 		if (IS_ERR(skb)) {
797 			rtl_dev_err(hdev, "download fw command failed (%ld)",
798 				    PTR_ERR(skb));
799 			ret = PTR_ERR(skb);
800 			goto out;
801 		}
802 
803 		if (skb->len != sizeof(struct rtl_download_response)) {
804 			rtl_dev_err(hdev, "download fw event length mismatch");
805 			kfree_skb(skb);
806 			ret = -EIO;
807 			goto out;
808 		}
809 
810 		kfree_skb(skb);
811 		data += RTL_FRAG_LEN;
812 	}
813 
814 	skb = btrtl_read_local_version(hdev);
815 	if (IS_ERR(skb)) {
816 		ret = PTR_ERR(skb);
817 		rtl_dev_err(hdev, "read local version failed");
818 		goto out;
819 	}
820 
821 	rp = (struct hci_rp_read_local_version *)skb->data;
822 	rtl_dev_info(hdev, "fw version 0x%04x%04x",
823 		     __le16_to_cpu(rp->hci_rev), __le16_to_cpu(rp->lmp_subver));
824 	kfree_skb(skb);
825 
826 out:
827 	kfree(dl_cmd);
828 	return ret;
829 }
830 
831 static int rtl_load_file(struct hci_dev *hdev, const char *name, u8 **buff)
832 {
833 	const struct firmware *fw;
834 	int ret;
835 
836 	rtl_dev_info(hdev, "loading %s", name);
837 	ret = request_firmware(&fw, name, &hdev->dev);
838 	if (ret < 0)
839 		return ret;
840 	ret = fw->size;
841 	*buff = kvmalloc(fw->size, GFP_KERNEL);
842 	if (*buff)
843 		memcpy(*buff, fw->data, ret);
844 	else
845 		ret = -ENOMEM;
846 
847 	release_firmware(fw);
848 
849 	return ret;
850 }
851 
852 static int btrtl_setup_rtl8723a(struct hci_dev *hdev,
853 				struct btrtl_device_info *btrtl_dev)
854 {
855 	if (btrtl_dev->fw_len < 8)
856 		return -EINVAL;
857 
858 	/* Check that the firmware doesn't have the epatch signature
859 	 * (which is only for RTL8723B and newer).
860 	 */
861 	if (!memcmp(btrtl_dev->fw_data, RTL_EPATCH_SIGNATURE, 8)) {
862 		rtl_dev_err(hdev, "unexpected EPATCH signature!");
863 		return -EINVAL;
864 	}
865 
866 	return rtl_download_firmware(hdev, btrtl_dev->fw_data,
867 				     btrtl_dev->fw_len);
868 }
869 
870 static int btrtl_setup_rtl8723b(struct hci_dev *hdev,
871 				struct btrtl_device_info *btrtl_dev)
872 {
873 	unsigned char *fw_data = NULL;
874 	int ret;
875 	u8 *tbuff;
876 
877 	ret = rtlbt_parse_firmware(hdev, btrtl_dev, &fw_data);
878 	if (ret < 0)
879 		goto out;
880 
881 	if (btrtl_dev->cfg_len > 0) {
882 		tbuff = kvzalloc(ret + btrtl_dev->cfg_len, GFP_KERNEL);
883 		if (!tbuff) {
884 			ret = -ENOMEM;
885 			goto out;
886 		}
887 
888 		memcpy(tbuff, fw_data, ret);
889 		kvfree(fw_data);
890 
891 		memcpy(tbuff + ret, btrtl_dev->cfg_data, btrtl_dev->cfg_len);
892 		ret += btrtl_dev->cfg_len;
893 
894 		fw_data = tbuff;
895 	}
896 
897 	rtl_dev_info(hdev, "cfg_sz %d, total sz %d", btrtl_dev->cfg_len, ret);
898 
899 	ret = rtl_download_firmware(hdev, fw_data, ret);
900 
901 out:
902 	kvfree(fw_data);
903 	return ret;
904 }
905 
906 static bool rtl_has_chip_type(u16 lmp_subver)
907 {
908 	switch (lmp_subver) {
909 	case RTL_ROM_LMP_8703B:
910 		return true;
911 	default:
912 		break;
913 	}
914 
915 	return  false;
916 }
917 
918 static int rtl_read_chip_type(struct hci_dev *hdev, u8 *type)
919 {
920 	struct rtl_chip_type_evt *chip_type;
921 	struct sk_buff *skb;
922 	const unsigned char cmd_buf[] = {0x00, 0x94, 0xa0, 0x00, 0xb0};
923 
924 	/* Read RTL chip type command */
925 	skb = __hci_cmd_sync(hdev, 0xfc61, 5, cmd_buf, HCI_INIT_TIMEOUT);
926 	if (IS_ERR(skb)) {
927 		rtl_dev_err(hdev, "Read chip type failed (%ld)",
928 			    PTR_ERR(skb));
929 		return PTR_ERR(skb);
930 	}
931 
932 	chip_type = skb_pull_data(skb, sizeof(*chip_type));
933 	if (!chip_type) {
934 		rtl_dev_err(hdev, "RTL chip type event length mismatch");
935 		kfree_skb(skb);
936 		return -EIO;
937 	}
938 
939 	rtl_dev_info(hdev, "chip_type status=%x type=%x",
940 		     chip_type->status, chip_type->type);
941 
942 	*type = chip_type->type & 0x0f;
943 
944 	kfree_skb(skb);
945 	return 0;
946 }
947 
948 void btrtl_free(struct btrtl_device_info *btrtl_dev)
949 {
950 	struct rtl_subsection *entry, *tmp;
951 
952 	kvfree(btrtl_dev->fw_data);
953 	kvfree(btrtl_dev->cfg_data);
954 
955 	list_for_each_entry_safe(entry, tmp, &btrtl_dev->patch_subsecs, list) {
956 		list_del(&entry->list);
957 		kfree(entry);
958 	}
959 
960 	kfree(btrtl_dev);
961 }
962 EXPORT_SYMBOL_GPL(btrtl_free);
963 
964 struct btrtl_device_info *btrtl_initialize(struct hci_dev *hdev,
965 					   const char *postfix)
966 {
967 	struct btrtl_device_info *btrtl_dev;
968 	struct sk_buff *skb;
969 	struct hci_rp_read_local_version *resp;
970 	char cfg_name[40];
971 	u16 hci_rev, lmp_subver;
972 	u8 hci_ver, lmp_ver, chip_type = 0;
973 	int ret;
974 	u16 opcode;
975 	u8 cmd[2];
976 	u8 reg_val[2];
977 
978 	btrtl_dev = kzalloc(sizeof(*btrtl_dev), GFP_KERNEL);
979 	if (!btrtl_dev) {
980 		ret = -ENOMEM;
981 		goto err_alloc;
982 	}
983 
984 	INIT_LIST_HEAD(&btrtl_dev->patch_subsecs);
985 
986 check_version:
987 	ret = btrtl_vendor_read_reg16(hdev, RTL_CHIP_SUBVER, reg_val);
988 	if (ret < 0)
989 		goto err_free;
990 	lmp_subver = get_unaligned_le16(reg_val);
991 
992 	if (lmp_subver == RTL_ROM_LMP_8822B) {
993 		ret = btrtl_vendor_read_reg16(hdev, RTL_CHIP_REV, reg_val);
994 		if (ret < 0)
995 			goto err_free;
996 		hci_rev = get_unaligned_le16(reg_val);
997 
998 		/* 8822E */
999 		if (hci_rev == 0x000e) {
1000 			hci_ver = 0x0c;
1001 			lmp_ver = 0x0c;
1002 			btrtl_dev->ic_info = btrtl_match_ic(lmp_subver, hci_rev,
1003 							    hci_ver, hdev->bus,
1004 							    chip_type);
1005 			goto next;
1006 		}
1007 	}
1008 
1009 	skb = btrtl_read_local_version(hdev);
1010 	if (IS_ERR(skb)) {
1011 		ret = PTR_ERR(skb);
1012 		goto err_free;
1013 	}
1014 
1015 	resp = (struct hci_rp_read_local_version *)skb->data;
1016 
1017 	hci_ver    = resp->hci_ver;
1018 	hci_rev    = le16_to_cpu(resp->hci_rev);
1019 	lmp_ver    = resp->lmp_ver;
1020 	lmp_subver = le16_to_cpu(resp->lmp_subver);
1021 
1022 	kfree_skb(skb);
1023 
1024 	if (rtl_has_chip_type(lmp_subver)) {
1025 		ret = rtl_read_chip_type(hdev, &chip_type);
1026 		if (ret)
1027 			goto err_free;
1028 	}
1029 
1030 	btrtl_dev->ic_info = btrtl_match_ic(lmp_subver, hci_rev, hci_ver,
1031 					    hdev->bus, chip_type);
1032 
1033 next:
1034 	rtl_dev_info(hdev, "examining hci_ver=%02x hci_rev=%04x lmp_ver=%02x lmp_subver=%04x",
1035 		     hci_ver, hci_rev,
1036 		     lmp_ver, lmp_subver);
1037 
1038 	if (!btrtl_dev->ic_info && !btrtl_dev->drop_fw)
1039 		btrtl_dev->drop_fw = true;
1040 	else
1041 		btrtl_dev->drop_fw = false;
1042 
1043 	if (btrtl_dev->drop_fw) {
1044 		opcode = hci_opcode_pack(0x3f, 0x66);
1045 		cmd[0] = opcode & 0xff;
1046 		cmd[1] = opcode >> 8;
1047 
1048 		skb = bt_skb_alloc(sizeof(cmd), GFP_KERNEL);
1049 		if (!skb)
1050 			goto err_free;
1051 
1052 		skb_put_data(skb, cmd, sizeof(cmd));
1053 		hci_skb_pkt_type(skb) = HCI_COMMAND_PKT;
1054 
1055 		ret = hdev->send(hdev, skb);
1056 		if (ret < 0) {
1057 			bt_dev_err(hdev, "sending frame failed (%d)", ret);
1058 			kfree_skb(skb);
1059 			goto err_free;
1060 		}
1061 
1062 		/* Ensure the above vendor command is sent to controller and
1063 		 * process has done.
1064 		 */
1065 		msleep(200);
1066 
1067 		goto check_version;
1068 	}
1069 
1070 	if (!btrtl_dev->ic_info) {
1071 		rtl_dev_info(hdev, "unknown IC info, lmp subver %04x, hci rev %04x, hci ver %04x",
1072 			    lmp_subver, hci_rev, hci_ver);
1073 		return btrtl_dev;
1074 	}
1075 
1076 	if (btrtl_dev->ic_info->has_rom_version) {
1077 		ret = rtl_read_rom_version(hdev, &btrtl_dev->rom_version);
1078 		if (ret)
1079 			goto err_free;
1080 	}
1081 
1082 	btrtl_dev->fw_len = rtl_load_file(hdev, btrtl_dev->ic_info->fw_name,
1083 					  &btrtl_dev->fw_data);
1084 	if (btrtl_dev->fw_len < 0) {
1085 		rtl_dev_err(hdev, "firmware file %s not found",
1086 			    btrtl_dev->ic_info->fw_name);
1087 		ret = btrtl_dev->fw_len;
1088 		goto err_free;
1089 	}
1090 
1091 	if (btrtl_dev->ic_info->cfg_name) {
1092 		if (postfix) {
1093 			snprintf(cfg_name, sizeof(cfg_name), "%s-%s.bin",
1094 				 btrtl_dev->ic_info->cfg_name, postfix);
1095 		} else {
1096 			snprintf(cfg_name, sizeof(cfg_name), "%s.bin",
1097 				 btrtl_dev->ic_info->cfg_name);
1098 		}
1099 		btrtl_dev->cfg_len = rtl_load_file(hdev, cfg_name,
1100 						   &btrtl_dev->cfg_data);
1101 		if (btrtl_dev->ic_info->config_needed &&
1102 		    btrtl_dev->cfg_len <= 0) {
1103 			rtl_dev_err(hdev, "mandatory config file %s not found",
1104 				    btrtl_dev->ic_info->cfg_name);
1105 			ret = btrtl_dev->cfg_len;
1106 			goto err_free;
1107 		}
1108 	}
1109 
1110 	/* The following chips supports the Microsoft vendor extension,
1111 	 * therefore set the corresponding VsMsftOpCode.
1112 	 */
1113 	if (btrtl_dev->ic_info->has_msft_ext)
1114 		hci_set_msft_opcode(hdev, 0xFCF0);
1115 
1116 	return btrtl_dev;
1117 
1118 err_free:
1119 	btrtl_free(btrtl_dev);
1120 err_alloc:
1121 	return ERR_PTR(ret);
1122 }
1123 EXPORT_SYMBOL_GPL(btrtl_initialize);
1124 
1125 int btrtl_download_firmware(struct hci_dev *hdev,
1126 			    struct btrtl_device_info *btrtl_dev)
1127 {
1128 	/* Match a set of subver values that correspond to stock firmware,
1129 	 * which is not compatible with standard btusb.
1130 	 * If matched, upload an alternative firmware that does conform to
1131 	 * standard btusb. Once that firmware is uploaded, the subver changes
1132 	 * to a different value.
1133 	 */
1134 	if (!btrtl_dev->ic_info) {
1135 		rtl_dev_info(hdev, "assuming no firmware upload needed");
1136 		return 0;
1137 	}
1138 
1139 	switch (btrtl_dev->ic_info->lmp_subver) {
1140 	case RTL_ROM_LMP_8723A:
1141 		return btrtl_setup_rtl8723a(hdev, btrtl_dev);
1142 	case RTL_ROM_LMP_8723B:
1143 	case RTL_ROM_LMP_8821A:
1144 	case RTL_ROM_LMP_8761A:
1145 	case RTL_ROM_LMP_8822B:
1146 	case RTL_ROM_LMP_8852A:
1147 	case RTL_ROM_LMP_8703B:
1148 	case RTL_ROM_LMP_8851B:
1149 		return btrtl_setup_rtl8723b(hdev, btrtl_dev);
1150 	default:
1151 		rtl_dev_info(hdev, "assuming no firmware upload needed");
1152 		return 0;
1153 	}
1154 }
1155 EXPORT_SYMBOL_GPL(btrtl_download_firmware);
1156 
1157 void btrtl_set_quirks(struct hci_dev *hdev, struct btrtl_device_info *btrtl_dev)
1158 {
1159 	/* Enable controller to do both LE scan and BR/EDR inquiry
1160 	 * simultaneously.
1161 	 */
1162 	set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks);
1163 
1164 	/* Enable central-peripheral role (able to create new connections with
1165 	 * an existing connection in slave role).
1166 	 */
1167 	/* Enable WBS supported for the specific Realtek devices. */
1168 	switch (btrtl_dev->project_id) {
1169 	case CHIP_ID_8822C:
1170 	case CHIP_ID_8852A:
1171 	case CHIP_ID_8852B:
1172 	case CHIP_ID_8852C:
1173 	case CHIP_ID_8851B:
1174 		set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks);
1175 		set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks);
1176 
1177 		/* RTL8852C needs to transmit mSBC data continuously without
1178 		 * the zero length of USB packets for the ALT 6 supported chips
1179 		 */
1180 		if (btrtl_dev->project_id == CHIP_ID_8852C)
1181 			btrealtek_set_flag(hdev, REALTEK_ALT6_CONTINUOUS_TX_CHIP);
1182 
1183 		hci_set_aosp_capable(hdev);
1184 		break;
1185 	default:
1186 		rtl_dev_dbg(hdev, "Central-peripheral role not enabled.");
1187 		rtl_dev_dbg(hdev, "WBS supported not enabled.");
1188 		break;
1189 	}
1190 
1191 	if (!btrtl_dev->ic_info)
1192 		return;
1193 
1194 	switch (btrtl_dev->ic_info->lmp_subver) {
1195 	case RTL_ROM_LMP_8703B:
1196 		/* 8723CS reports two pages for local ext features,
1197 		 * but it doesn't support any features from page 2 -
1198 		 * it either responds with garbage or with error status
1199 		 */
1200 		set_bit(HCI_QUIRK_BROKEN_LOCAL_EXT_FEATURES_PAGE_2,
1201 			&hdev->quirks);
1202 		break;
1203 	default:
1204 		break;
1205 	}
1206 }
1207 EXPORT_SYMBOL_GPL(btrtl_set_quirks);
1208 
1209 int btrtl_setup_realtek(struct hci_dev *hdev)
1210 {
1211 	struct btrtl_device_info *btrtl_dev;
1212 	int ret;
1213 
1214 	btrtl_dev = btrtl_initialize(hdev, NULL);
1215 	if (IS_ERR(btrtl_dev))
1216 		return PTR_ERR(btrtl_dev);
1217 
1218 	ret = btrtl_download_firmware(hdev, btrtl_dev);
1219 
1220 	btrtl_set_quirks(hdev, btrtl_dev);
1221 
1222 	btrtl_free(btrtl_dev);
1223 	return ret;
1224 }
1225 EXPORT_SYMBOL_GPL(btrtl_setup_realtek);
1226 
1227 int btrtl_shutdown_realtek(struct hci_dev *hdev)
1228 {
1229 	struct sk_buff *skb;
1230 	int ret;
1231 
1232 	/* According to the vendor driver, BT must be reset on close to avoid
1233 	 * firmware crash.
1234 	 */
1235 	skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
1236 	if (IS_ERR(skb)) {
1237 		ret = PTR_ERR(skb);
1238 		bt_dev_err(hdev, "HCI reset during shutdown failed");
1239 		return ret;
1240 	}
1241 	kfree_skb(skb);
1242 
1243 	return 0;
1244 }
1245 EXPORT_SYMBOL_GPL(btrtl_shutdown_realtek);
1246 
1247 static unsigned int btrtl_convert_baudrate(u32 device_baudrate)
1248 {
1249 	switch (device_baudrate) {
1250 	case 0x0252a00a:
1251 		return 230400;
1252 
1253 	case 0x05f75004:
1254 		return 921600;
1255 
1256 	case 0x00005004:
1257 		return 1000000;
1258 
1259 	case 0x04928002:
1260 	case 0x01128002:
1261 		return 1500000;
1262 
1263 	case 0x00005002:
1264 		return 2000000;
1265 
1266 	case 0x0000b001:
1267 		return 2500000;
1268 
1269 	case 0x04928001:
1270 		return 3000000;
1271 
1272 	case 0x052a6001:
1273 		return 3500000;
1274 
1275 	case 0x00005001:
1276 		return 4000000;
1277 
1278 	case 0x0252c014:
1279 	default:
1280 		return 115200;
1281 	}
1282 }
1283 
1284 int btrtl_get_uart_settings(struct hci_dev *hdev,
1285 			    struct btrtl_device_info *btrtl_dev,
1286 			    unsigned int *controller_baudrate,
1287 			    u32 *device_baudrate, bool *flow_control)
1288 {
1289 	struct rtl_vendor_config *config;
1290 	struct rtl_vendor_config_entry *entry;
1291 	int i, total_data_len;
1292 	bool found = false;
1293 
1294 	total_data_len = btrtl_dev->cfg_len - sizeof(*config);
1295 	if (total_data_len <= 0) {
1296 		rtl_dev_warn(hdev, "no config loaded");
1297 		return -EINVAL;
1298 	}
1299 
1300 	config = (struct rtl_vendor_config *)btrtl_dev->cfg_data;
1301 	if (le32_to_cpu(config->signature) != RTL_CONFIG_MAGIC) {
1302 		rtl_dev_err(hdev, "invalid config magic");
1303 		return -EINVAL;
1304 	}
1305 
1306 	if (total_data_len < le16_to_cpu(config->total_len)) {
1307 		rtl_dev_err(hdev, "config is too short");
1308 		return -EINVAL;
1309 	}
1310 
1311 	for (i = 0; i < total_data_len; ) {
1312 		entry = ((void *)config->entry) + i;
1313 
1314 		switch (le16_to_cpu(entry->offset)) {
1315 		case 0xc:
1316 			if (entry->len < sizeof(*device_baudrate)) {
1317 				rtl_dev_err(hdev, "invalid UART config entry");
1318 				return -EINVAL;
1319 			}
1320 
1321 			*device_baudrate = get_unaligned_le32(entry->data);
1322 			*controller_baudrate = btrtl_convert_baudrate(
1323 							*device_baudrate);
1324 
1325 			if (entry->len >= 13)
1326 				*flow_control = !!(entry->data[12] & BIT(2));
1327 			else
1328 				*flow_control = false;
1329 
1330 			found = true;
1331 			break;
1332 
1333 		default:
1334 			rtl_dev_dbg(hdev, "skipping config entry 0x%x (len %u)",
1335 				   le16_to_cpu(entry->offset), entry->len);
1336 			break;
1337 		}
1338 
1339 		i += sizeof(*entry) + entry->len;
1340 	}
1341 
1342 	if (!found) {
1343 		rtl_dev_err(hdev, "no UART config entry found");
1344 		return -ENOENT;
1345 	}
1346 
1347 	rtl_dev_dbg(hdev, "device baudrate = 0x%08x", *device_baudrate);
1348 	rtl_dev_dbg(hdev, "controller baudrate = %u", *controller_baudrate);
1349 	rtl_dev_dbg(hdev, "flow control %d", *flow_control);
1350 
1351 	return 0;
1352 }
1353 EXPORT_SYMBOL_GPL(btrtl_get_uart_settings);
1354 
1355 MODULE_AUTHOR("Daniel Drake <drake@endlessm.com>");
1356 MODULE_DESCRIPTION("Bluetooth support for Realtek devices ver " VERSION);
1357 MODULE_VERSION(VERSION);
1358 MODULE_LICENSE("GPL");
1359 MODULE_FIRMWARE("rtl_bt/rtl8723a_fw.bin");
1360 MODULE_FIRMWARE("rtl_bt/rtl8723b_fw.bin");
1361 MODULE_FIRMWARE("rtl_bt/rtl8723b_config.bin");
1362 MODULE_FIRMWARE("rtl_bt/rtl8723bs_fw.bin");
1363 MODULE_FIRMWARE("rtl_bt/rtl8723bs_config.bin");
1364 MODULE_FIRMWARE("rtl_bt/rtl8723cs_cg_fw.bin");
1365 MODULE_FIRMWARE("rtl_bt/rtl8723cs_cg_config.bin");
1366 MODULE_FIRMWARE("rtl_bt/rtl8723cs_vf_fw.bin");
1367 MODULE_FIRMWARE("rtl_bt/rtl8723cs_vf_config.bin");
1368 MODULE_FIRMWARE("rtl_bt/rtl8723cs_xx_fw.bin");
1369 MODULE_FIRMWARE("rtl_bt/rtl8723cs_xx_config.bin");
1370 MODULE_FIRMWARE("rtl_bt/rtl8723ds_fw.bin");
1371 MODULE_FIRMWARE("rtl_bt/rtl8723ds_config.bin");
1372 MODULE_FIRMWARE("rtl_bt/rtl8761a_fw.bin");
1373 MODULE_FIRMWARE("rtl_bt/rtl8761a_config.bin");
1374 MODULE_FIRMWARE("rtl_bt/rtl8821a_fw.bin");
1375 MODULE_FIRMWARE("rtl_bt/rtl8821a_config.bin");
1376 MODULE_FIRMWARE("rtl_bt/rtl8822b_fw.bin");
1377 MODULE_FIRMWARE("rtl_bt/rtl8822b_config.bin");
1378 MODULE_FIRMWARE("rtl_bt/rtl8852au_fw.bin");
1379 MODULE_FIRMWARE("rtl_bt/rtl8852au_config.bin");
1380 MODULE_FIRMWARE("rtl_bt/rtl8852bs_fw.bin");
1381 MODULE_FIRMWARE("rtl_bt/rtl8852bs_config.bin");
1382 MODULE_FIRMWARE("rtl_bt/rtl8852bu_fw.bin");
1383 MODULE_FIRMWARE("rtl_bt/rtl8852bu_config.bin");
1384 MODULE_FIRMWARE("rtl_bt/rtl8852cu_fw.bin");
1385 MODULE_FIRMWARE("rtl_bt/rtl8852cu_config.bin");
1386 MODULE_FIRMWARE("rtl_bt/rtl8851bu_fw.bin");
1387 MODULE_FIRMWARE("rtl_bt/rtl8851bu_config.bin");
1388