xref: /linux/drivers/bluetooth/btrtl.c (revision d53b8e36925256097a08d7cb749198d85cbf9b2b)
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  *  Bluetooth support for Realtek devices
4  *
5  *  Copyright (C) 2015 Endless Mobile, Inc.
6  */
7 
8 #include <linux/module.h>
9 #include <linux/firmware.h>
10 #include <asm/unaligned.h>
11 #include <linux/usb.h>
12 
13 #include <net/bluetooth/bluetooth.h>
14 #include <net/bluetooth/hci_core.h>
15 
16 #include "btrtl.h"
17 
18 #define VERSION "0.1"
19 
20 #define RTL_CHIP_8723CS_CG	3
21 #define RTL_CHIP_8723CS_VF	4
22 #define RTL_CHIP_8723CS_XX	5
23 #define RTL_EPATCH_SIGNATURE	"Realtech"
24 #define RTL_EPATCH_SIGNATURE_V2	"RTBTCore"
25 #define RTL_ROM_LMP_8703B	0x8703
26 #define RTL_ROM_LMP_8723A	0x1200
27 #define RTL_ROM_LMP_8723B	0x8723
28 #define RTL_ROM_LMP_8821A	0x8821
29 #define RTL_ROM_LMP_8761A	0x8761
30 #define RTL_ROM_LMP_8822B	0x8822
31 #define RTL_ROM_LMP_8852A	0x8852
32 #define RTL_ROM_LMP_8851B	0x8851
33 #define RTL_CONFIG_MAGIC	0x8723ab55
34 
35 #define RTL_VSC_OP_COREDUMP	0xfcff
36 
37 #define IC_MATCH_FL_LMPSUBV	(1 << 0)
38 #define IC_MATCH_FL_HCIREV	(1 << 1)
39 #define IC_MATCH_FL_HCIVER	(1 << 2)
40 #define IC_MATCH_FL_HCIBUS	(1 << 3)
41 #define IC_MATCH_FL_CHIP_TYPE	(1 << 4)
42 #define IC_INFO(lmps, hcir, hciv, bus) \
43 	.match_flags = IC_MATCH_FL_LMPSUBV | IC_MATCH_FL_HCIREV | \
44 		       IC_MATCH_FL_HCIVER | IC_MATCH_FL_HCIBUS, \
45 	.lmp_subver = (lmps), \
46 	.hci_rev = (hcir), \
47 	.hci_ver = (hciv), \
48 	.hci_bus = (bus)
49 
50 #define	RTL_CHIP_SUBVER (&(struct rtl_vendor_cmd) {{0x10, 0x38, 0x04, 0x28, 0x80}})
51 #define	RTL_CHIP_REV    (&(struct rtl_vendor_cmd) {{0x10, 0x3A, 0x04, 0x28, 0x80}})
52 #define	RTL_SEC_PROJ    (&(struct rtl_vendor_cmd) {{0x10, 0xA4, 0x0D, 0x00, 0xb0}})
53 
54 #define RTL_PATCH_SNIPPETS		0x01
55 #define RTL_PATCH_DUMMY_HEADER		0x02
56 #define RTL_PATCH_SECURITY_HEADER	0x03
57 
58 enum btrtl_chip_id {
59 	CHIP_ID_8723A,
60 	CHIP_ID_8723B,
61 	CHIP_ID_8821A,
62 	CHIP_ID_8761A,
63 	CHIP_ID_8822B = 8,
64 	CHIP_ID_8723D,
65 	CHIP_ID_8821C,
66 	CHIP_ID_8822C = 13,
67 	CHIP_ID_8761B,
68 	CHIP_ID_8852A = 18,
69 	CHIP_ID_8852B = 20,
70 	CHIP_ID_8852C = 25,
71 	CHIP_ID_8851B = 36,
72 	CHIP_ID_8852BT = 47,
73 };
74 
75 struct id_table {
76 	__u16 match_flags;
77 	__u16 lmp_subver;
78 	__u16 hci_rev;
79 	__u8 hci_ver;
80 	__u8 hci_bus;
81 	__u8 chip_type;
82 	bool config_needed;
83 	bool has_rom_version;
84 	bool has_msft_ext;
85 	char *fw_name;
86 	char *cfg_name;
87 	char *hw_info;
88 };
89 
90 struct btrtl_device_info {
91 	const struct id_table *ic_info;
92 	u8 rom_version;
93 	u8 *fw_data;
94 	int fw_len;
95 	u8 *cfg_data;
96 	int cfg_len;
97 	bool drop_fw;
98 	int project_id;
99 	u8 key_id;
100 	struct list_head patch_subsecs;
101 };
102 
103 static const struct id_table ic_id_table[] = {
104 	/* 8723A */
105 	{ IC_INFO(RTL_ROM_LMP_8723A, 0xb, 0x6, HCI_USB),
106 	  .config_needed = false,
107 	  .has_rom_version = false,
108 	  .fw_name = "rtl_bt/rtl8723a_fw",
109 	  .cfg_name = NULL,
110 	  .hw_info = "rtl8723au" },
111 
112 	/* 8723BS */
113 	{ IC_INFO(RTL_ROM_LMP_8723B, 0xb, 0x6, HCI_UART),
114 	  .config_needed = true,
115 	  .has_rom_version = true,
116 	  .fw_name  = "rtl_bt/rtl8723bs_fw",
117 	  .cfg_name = "rtl_bt/rtl8723bs_config",
118 	  .hw_info  = "rtl8723bs" },
119 
120 	/* 8723B */
121 	{ IC_INFO(RTL_ROM_LMP_8723B, 0xb, 0x6, HCI_USB),
122 	  .config_needed = false,
123 	  .has_rom_version = true,
124 	  .fw_name  = "rtl_bt/rtl8723b_fw",
125 	  .cfg_name = "rtl_bt/rtl8723b_config",
126 	  .hw_info  = "rtl8723bu" },
127 
128 	/* 8723CS-CG */
129 	{ .match_flags = IC_MATCH_FL_LMPSUBV | IC_MATCH_FL_CHIP_TYPE |
130 			 IC_MATCH_FL_HCIBUS,
131 	  .lmp_subver = RTL_ROM_LMP_8703B,
132 	  .chip_type = RTL_CHIP_8723CS_CG,
133 	  .hci_bus = HCI_UART,
134 	  .config_needed = true,
135 	  .has_rom_version = true,
136 	  .fw_name  = "rtl_bt/rtl8723cs_cg_fw",
137 	  .cfg_name = "rtl_bt/rtl8723cs_cg_config",
138 	  .hw_info  = "rtl8723cs-cg" },
139 
140 	/* 8723CS-VF */
141 	{ .match_flags = IC_MATCH_FL_LMPSUBV | IC_MATCH_FL_CHIP_TYPE |
142 			 IC_MATCH_FL_HCIBUS,
143 	  .lmp_subver = RTL_ROM_LMP_8703B,
144 	  .chip_type = RTL_CHIP_8723CS_VF,
145 	  .hci_bus = HCI_UART,
146 	  .config_needed = true,
147 	  .has_rom_version = true,
148 	  .fw_name  = "rtl_bt/rtl8723cs_vf_fw",
149 	  .cfg_name = "rtl_bt/rtl8723cs_vf_config",
150 	  .hw_info  = "rtl8723cs-vf" },
151 
152 	/* 8723CS-XX */
153 	{ .match_flags = IC_MATCH_FL_LMPSUBV | IC_MATCH_FL_CHIP_TYPE |
154 			 IC_MATCH_FL_HCIBUS,
155 	  .lmp_subver = RTL_ROM_LMP_8703B,
156 	  .chip_type = RTL_CHIP_8723CS_XX,
157 	  .hci_bus = HCI_UART,
158 	  .config_needed = true,
159 	  .has_rom_version = true,
160 	  .fw_name  = "rtl_bt/rtl8723cs_xx_fw",
161 	  .cfg_name = "rtl_bt/rtl8723cs_xx_config",
162 	  .hw_info  = "rtl8723cs" },
163 
164 	/* 8723D */
165 	{ IC_INFO(RTL_ROM_LMP_8723B, 0xd, 0x8, HCI_USB),
166 	  .config_needed = true,
167 	  .has_rom_version = true,
168 	  .fw_name  = "rtl_bt/rtl8723d_fw",
169 	  .cfg_name = "rtl_bt/rtl8723d_config",
170 	  .hw_info  = "rtl8723du" },
171 
172 	/* 8723DS */
173 	{ IC_INFO(RTL_ROM_LMP_8723B, 0xd, 0x8, HCI_UART),
174 	  .config_needed = true,
175 	  .has_rom_version = true,
176 	  .fw_name  = "rtl_bt/rtl8723ds_fw",
177 	  .cfg_name = "rtl_bt/rtl8723ds_config",
178 	  .hw_info  = "rtl8723ds" },
179 
180 	/* 8821A */
181 	{ IC_INFO(RTL_ROM_LMP_8821A, 0xa, 0x6, HCI_USB),
182 	  .config_needed = false,
183 	  .has_rom_version = true,
184 	  .fw_name  = "rtl_bt/rtl8821a_fw",
185 	  .cfg_name = "rtl_bt/rtl8821a_config",
186 	  .hw_info  = "rtl8821au" },
187 
188 	/* 8821C */
189 	{ IC_INFO(RTL_ROM_LMP_8821A, 0xc, 0x8, HCI_USB),
190 	  .config_needed = false,
191 	  .has_rom_version = true,
192 	  .has_msft_ext = true,
193 	  .fw_name  = "rtl_bt/rtl8821c_fw",
194 	  .cfg_name = "rtl_bt/rtl8821c_config",
195 	  .hw_info  = "rtl8821cu" },
196 
197 	/* 8821CS */
198 	{ IC_INFO(RTL_ROM_LMP_8821A, 0xc, 0x8, HCI_UART),
199 	  .config_needed = true,
200 	  .has_rom_version = true,
201 	  .has_msft_ext = true,
202 	  .fw_name  = "rtl_bt/rtl8821cs_fw",
203 	  .cfg_name = "rtl_bt/rtl8821cs_config",
204 	  .hw_info  = "rtl8821cs" },
205 
206 	/* 8761A */
207 	{ IC_INFO(RTL_ROM_LMP_8761A, 0xa, 0x6, HCI_USB),
208 	  .config_needed = false,
209 	  .has_rom_version = true,
210 	  .fw_name  = "rtl_bt/rtl8761a_fw",
211 	  .cfg_name = "rtl_bt/rtl8761a_config",
212 	  .hw_info  = "rtl8761au" },
213 
214 	/* 8761B */
215 	{ IC_INFO(RTL_ROM_LMP_8761A, 0xb, 0xa, HCI_UART),
216 	  .config_needed = false,
217 	  .has_rom_version = true,
218 	  .has_msft_ext = true,
219 	  .fw_name  = "rtl_bt/rtl8761b_fw",
220 	  .cfg_name = "rtl_bt/rtl8761b_config",
221 	  .hw_info  = "rtl8761btv" },
222 
223 	/* 8761BU */
224 	{ IC_INFO(RTL_ROM_LMP_8761A, 0xb, 0xa, HCI_USB),
225 	  .config_needed = false,
226 	  .has_rom_version = true,
227 	  .fw_name  = "rtl_bt/rtl8761bu_fw",
228 	  .cfg_name = "rtl_bt/rtl8761bu_config",
229 	  .hw_info  = "rtl8761bu" },
230 
231 	/* 8822C with UART interface */
232 	{ IC_INFO(RTL_ROM_LMP_8822B, 0xc, 0x8, HCI_UART),
233 	  .config_needed = true,
234 	  .has_rom_version = true,
235 	  .has_msft_ext = true,
236 	  .fw_name  = "rtl_bt/rtl8822cs_fw",
237 	  .cfg_name = "rtl_bt/rtl8822cs_config",
238 	  .hw_info  = "rtl8822cs" },
239 
240 	/* 8822C with UART interface */
241 	{ IC_INFO(RTL_ROM_LMP_8822B, 0xc, 0xa, HCI_UART),
242 	  .config_needed = true,
243 	  .has_rom_version = true,
244 	  .has_msft_ext = true,
245 	  .fw_name  = "rtl_bt/rtl8822cs_fw",
246 	  .cfg_name = "rtl_bt/rtl8822cs_config",
247 	  .hw_info  = "rtl8822cs" },
248 
249 	/* 8822C with USB interface */
250 	{ IC_INFO(RTL_ROM_LMP_8822B, 0xc, 0xa, HCI_USB),
251 	  .config_needed = false,
252 	  .has_rom_version = true,
253 	  .has_msft_ext = true,
254 	  .fw_name  = "rtl_bt/rtl8822cu_fw",
255 	  .cfg_name = "rtl_bt/rtl8822cu_config",
256 	  .hw_info  = "rtl8822cu" },
257 
258 	/* 8822B */
259 	{ IC_INFO(RTL_ROM_LMP_8822B, 0xb, 0x7, HCI_USB),
260 	  .config_needed = true,
261 	  .has_rom_version = true,
262 	  .has_msft_ext = true,
263 	  .fw_name  = "rtl_bt/rtl8822b_fw",
264 	  .cfg_name = "rtl_bt/rtl8822b_config",
265 	  .hw_info  = "rtl8822bu" },
266 
267 	/* 8852A */
268 	{ IC_INFO(RTL_ROM_LMP_8852A, 0xa, 0xb, HCI_USB),
269 	  .config_needed = false,
270 	  .has_rom_version = true,
271 	  .has_msft_ext = true,
272 	  .fw_name  = "rtl_bt/rtl8852au_fw",
273 	  .cfg_name = "rtl_bt/rtl8852au_config",
274 	  .hw_info  = "rtl8852au" },
275 
276 	/* 8852B with UART interface */
277 	{ IC_INFO(RTL_ROM_LMP_8852A, 0xb, 0xb, HCI_UART),
278 	  .config_needed = true,
279 	  .has_rom_version = true,
280 	  .has_msft_ext = true,
281 	  .fw_name  = "rtl_bt/rtl8852bs_fw",
282 	  .cfg_name = "rtl_bt/rtl8852bs_config",
283 	  .hw_info  = "rtl8852bs" },
284 
285 	/* 8852B */
286 	{ IC_INFO(RTL_ROM_LMP_8852A, 0xb, 0xb, HCI_USB),
287 	  .config_needed = false,
288 	  .has_rom_version = true,
289 	  .has_msft_ext = true,
290 	  .fw_name  = "rtl_bt/rtl8852bu_fw",
291 	  .cfg_name = "rtl_bt/rtl8852bu_config",
292 	  .hw_info  = "rtl8852bu" },
293 
294 	/* 8852C */
295 	{ IC_INFO(RTL_ROM_LMP_8852A, 0xc, 0xc, HCI_USB),
296 	  .config_needed = false,
297 	  .has_rom_version = true,
298 	  .has_msft_ext = true,
299 	  .fw_name  = "rtl_bt/rtl8852cu_fw",
300 	  .cfg_name = "rtl_bt/rtl8852cu_config",
301 	  .hw_info  = "rtl8852cu" },
302 
303 	/* 8851B */
304 	{ IC_INFO(RTL_ROM_LMP_8851B, 0xb, 0xc, HCI_USB),
305 	  .config_needed = false,
306 	  .has_rom_version = true,
307 	  .has_msft_ext = false,
308 	  .fw_name  = "rtl_bt/rtl8851bu_fw",
309 	  .cfg_name = "rtl_bt/rtl8851bu_config",
310 	  .hw_info  = "rtl8851bu" },
311 
312 	/* 8852BT/8852BE-VT */
313 	{ IC_INFO(RTL_ROM_LMP_8852A, 0x87, 0xc, HCI_USB),
314 	  .config_needed = false,
315 	  .has_rom_version = true,
316 	  .has_msft_ext = true,
317 	  .fw_name  = "rtl_bt/rtl8852btu_fw",
318 	  .cfg_name = "rtl_bt/rtl8852btu_config",
319 	  .hw_info  = "rtl8852btu" },
320 	};
321 
322 static const struct id_table *btrtl_match_ic(u16 lmp_subver, u16 hci_rev,
323 					     u8 hci_ver, u8 hci_bus,
324 					     u8 chip_type)
325 {
326 	int i;
327 
328 	for (i = 0; i < ARRAY_SIZE(ic_id_table); i++) {
329 		if ((ic_id_table[i].match_flags & IC_MATCH_FL_LMPSUBV) &&
330 		    (ic_id_table[i].lmp_subver != lmp_subver))
331 			continue;
332 		if ((ic_id_table[i].match_flags & IC_MATCH_FL_HCIREV) &&
333 		    (ic_id_table[i].hci_rev != hci_rev))
334 			continue;
335 		if ((ic_id_table[i].match_flags & IC_MATCH_FL_HCIVER) &&
336 		    (ic_id_table[i].hci_ver != hci_ver))
337 			continue;
338 		if ((ic_id_table[i].match_flags & IC_MATCH_FL_HCIBUS) &&
339 		    (ic_id_table[i].hci_bus != hci_bus))
340 			continue;
341 		if ((ic_id_table[i].match_flags & IC_MATCH_FL_CHIP_TYPE) &&
342 		    (ic_id_table[i].chip_type != chip_type))
343 			continue;
344 
345 		break;
346 	}
347 	if (i >= ARRAY_SIZE(ic_id_table))
348 		return NULL;
349 
350 	return &ic_id_table[i];
351 }
352 
353 static struct sk_buff *btrtl_read_local_version(struct hci_dev *hdev)
354 {
355 	struct sk_buff *skb;
356 
357 	skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL,
358 			     HCI_INIT_TIMEOUT);
359 	if (IS_ERR(skb)) {
360 		rtl_dev_err(hdev, "HCI_OP_READ_LOCAL_VERSION failed (%ld)",
361 			    PTR_ERR(skb));
362 		return skb;
363 	}
364 
365 	if (skb->len != sizeof(struct hci_rp_read_local_version)) {
366 		rtl_dev_err(hdev, "HCI_OP_READ_LOCAL_VERSION event length mismatch");
367 		kfree_skb(skb);
368 		return ERR_PTR(-EIO);
369 	}
370 
371 	return skb;
372 }
373 
374 static int rtl_read_rom_version(struct hci_dev *hdev, u8 *version)
375 {
376 	struct rtl_rom_version_evt *rom_version;
377 	struct sk_buff *skb;
378 
379 	/* Read RTL ROM version command */
380 	skb = __hci_cmd_sync(hdev, 0xfc6d, 0, NULL, HCI_INIT_TIMEOUT);
381 	if (IS_ERR(skb)) {
382 		rtl_dev_err(hdev, "Read ROM version failed (%ld)",
383 			    PTR_ERR(skb));
384 		return PTR_ERR(skb);
385 	}
386 
387 	if (skb->len != sizeof(*rom_version)) {
388 		rtl_dev_err(hdev, "version event length mismatch");
389 		kfree_skb(skb);
390 		return -EIO;
391 	}
392 
393 	rom_version = (struct rtl_rom_version_evt *)skb->data;
394 	rtl_dev_info(hdev, "rom_version status=%x version=%x",
395 		     rom_version->status, rom_version->version);
396 
397 	*version = rom_version->version;
398 
399 	kfree_skb(skb);
400 	return 0;
401 }
402 
403 static int btrtl_vendor_read_reg16(struct hci_dev *hdev,
404 				   struct rtl_vendor_cmd *cmd, u8 *rp)
405 {
406 	struct sk_buff *skb;
407 	int err = 0;
408 
409 	skb = __hci_cmd_sync(hdev, 0xfc61, sizeof(*cmd), cmd,
410 			     HCI_INIT_TIMEOUT);
411 	if (IS_ERR(skb)) {
412 		err = PTR_ERR(skb);
413 		rtl_dev_err(hdev, "RTL: Read reg16 failed (%d)", err);
414 		return err;
415 	}
416 
417 	if (skb->len != 3 || skb->data[0]) {
418 		bt_dev_err(hdev, "RTL: Read reg16 length mismatch");
419 		kfree_skb(skb);
420 		return -EIO;
421 	}
422 
423 	if (rp)
424 		memcpy(rp, skb->data + 1, 2);
425 
426 	kfree_skb(skb);
427 
428 	return 0;
429 }
430 
431 static void *rtl_iov_pull_data(struct rtl_iovec *iov, u32 len)
432 {
433 	void *data = iov->data;
434 
435 	if (iov->len < len)
436 		return NULL;
437 
438 	iov->data += len;
439 	iov->len  -= len;
440 
441 	return data;
442 }
443 
444 static void btrtl_insert_ordered_subsec(struct rtl_subsection *node,
445 					struct btrtl_device_info *btrtl_dev)
446 {
447 	struct list_head *pos;
448 	struct list_head *next;
449 	struct rtl_subsection *subsec;
450 
451 	list_for_each_safe(pos, next, &btrtl_dev->patch_subsecs) {
452 		subsec = list_entry(pos, struct rtl_subsection, list);
453 		if (subsec->prio >= node->prio)
454 			break;
455 	}
456 	__list_add(&node->list, pos->prev, pos);
457 }
458 
459 static int btrtl_parse_section(struct hci_dev *hdev,
460 			       struct btrtl_device_info *btrtl_dev, u32 opcode,
461 			       u8 *data, u32 len)
462 {
463 	struct rtl_section_hdr *hdr;
464 	struct rtl_subsection *subsec;
465 	struct rtl_common_subsec *common_subsec;
466 	struct rtl_sec_hdr *sec_hdr;
467 	int i;
468 	u8 *ptr;
469 	u16 num_subsecs;
470 	u32 subsec_len;
471 	int rc = 0;
472 	struct rtl_iovec iov = {
473 		.data = data,
474 		.len  = len,
475 	};
476 
477 	hdr = rtl_iov_pull_data(&iov, sizeof(*hdr));
478 	if (!hdr)
479 		return -EINVAL;
480 	num_subsecs = le16_to_cpu(hdr->num);
481 
482 	for (i = 0; i < num_subsecs; i++) {
483 		common_subsec = rtl_iov_pull_data(&iov, sizeof(*common_subsec));
484 		if (!common_subsec)
485 			break;
486 		subsec_len = le32_to_cpu(common_subsec->len);
487 
488 		rtl_dev_dbg(hdev, "subsec, eco 0x%02x, len %08x",
489 			    common_subsec->eco, subsec_len);
490 
491 		ptr = rtl_iov_pull_data(&iov, subsec_len);
492 		if (!ptr)
493 			break;
494 
495 		if (common_subsec->eco != btrtl_dev->rom_version + 1)
496 			continue;
497 
498 		switch (opcode) {
499 		case RTL_PATCH_SECURITY_HEADER:
500 			sec_hdr = (void *)common_subsec;
501 			if (sec_hdr->key_id != btrtl_dev->key_id)
502 				continue;
503 			break;
504 		}
505 
506 		subsec = kzalloc(sizeof(*subsec), GFP_KERNEL);
507 		if (!subsec)
508 			return -ENOMEM;
509 		subsec->opcode = opcode;
510 		subsec->prio = common_subsec->prio;
511 		subsec->len  = subsec_len;
512 		subsec->data = ptr;
513 		btrtl_insert_ordered_subsec(subsec, btrtl_dev);
514 		rc  += subsec_len;
515 	}
516 
517 	return rc;
518 }
519 
520 static int rtlbt_parse_firmware_v2(struct hci_dev *hdev,
521 				   struct btrtl_device_info *btrtl_dev,
522 				   unsigned char **_buf)
523 {
524 	struct rtl_epatch_header_v2 *hdr;
525 	int rc;
526 	u8 reg_val[2];
527 	u8 key_id;
528 	u32 num_sections;
529 	struct rtl_section *section;
530 	struct rtl_subsection *entry, *tmp;
531 	u32 section_len;
532 	u32 opcode;
533 	int len = 0;
534 	int i;
535 	u8 *ptr;
536 	struct rtl_iovec iov = {
537 		.data = btrtl_dev->fw_data,
538 		.len  = btrtl_dev->fw_len - 7, /* Cut the tail */
539 	};
540 
541 	rc = btrtl_vendor_read_reg16(hdev, RTL_SEC_PROJ, reg_val);
542 	if (rc < 0)
543 		return -EIO;
544 	key_id = reg_val[0];
545 
546 	rtl_dev_dbg(hdev, "%s: key id %u", __func__, key_id);
547 
548 	btrtl_dev->key_id = key_id;
549 
550 	hdr = rtl_iov_pull_data(&iov, sizeof(*hdr));
551 	if (!hdr)
552 		return -EINVAL;
553 	num_sections = le32_to_cpu(hdr->num_sections);
554 
555 	rtl_dev_dbg(hdev, "FW version %08x-%08x", *((u32 *)hdr->fw_version),
556 		    *((u32 *)(hdr->fw_version + 4)));
557 
558 	for (i = 0; i < num_sections; i++) {
559 		section = rtl_iov_pull_data(&iov, sizeof(*section));
560 		if (!section)
561 			break;
562 		section_len = le32_to_cpu(section->len);
563 		opcode      = le32_to_cpu(section->opcode);
564 
565 		rtl_dev_dbg(hdev, "opcode 0x%04x", section->opcode);
566 
567 		ptr = rtl_iov_pull_data(&iov, section_len);
568 		if (!ptr)
569 			break;
570 
571 		switch (opcode) {
572 		case RTL_PATCH_SNIPPETS:
573 			rc = btrtl_parse_section(hdev, btrtl_dev, opcode,
574 						 ptr, section_len);
575 			break;
576 		case RTL_PATCH_SECURITY_HEADER:
577 			/* If key_id from chip is zero, ignore all security
578 			 * headers.
579 			 */
580 			if (!key_id)
581 				break;
582 			rc = btrtl_parse_section(hdev, btrtl_dev, opcode,
583 						 ptr, section_len);
584 			break;
585 		case RTL_PATCH_DUMMY_HEADER:
586 			rc = btrtl_parse_section(hdev, btrtl_dev, opcode,
587 						 ptr, section_len);
588 			break;
589 		default:
590 			rc = 0;
591 			break;
592 		}
593 		if (rc < 0) {
594 			rtl_dev_err(hdev, "RTL: Parse section (%u) err %d",
595 				    opcode, rc);
596 			return rc;
597 		}
598 		len += rc;
599 	}
600 
601 	if (!len)
602 		return -ENODATA;
603 
604 	/* Allocate mem and copy all found subsecs. */
605 	ptr = kvmalloc(len, GFP_KERNEL);
606 	if (!ptr)
607 		return -ENOMEM;
608 
609 	len = 0;
610 	list_for_each_entry_safe(entry, tmp, &btrtl_dev->patch_subsecs, list) {
611 		rtl_dev_dbg(hdev, "RTL: opcode %08x, addr %p, len 0x%x",
612 			    entry->opcode, entry->data, entry->len);
613 		memcpy(ptr + len, entry->data, entry->len);
614 		len += entry->len;
615 	}
616 
617 	if (!len)
618 		return -EPERM;
619 
620 	*_buf = ptr;
621 	return len;
622 }
623 
624 static int rtlbt_parse_firmware(struct hci_dev *hdev,
625 				struct btrtl_device_info *btrtl_dev,
626 				unsigned char **_buf)
627 {
628 	static const u8 extension_sig[] = { 0x51, 0x04, 0xfd, 0x77 };
629 	struct btrealtek_data *coredump_info = hci_get_priv(hdev);
630 	struct rtl_epatch_header *epatch_info;
631 	unsigned char *buf;
632 	int i, len;
633 	size_t min_size;
634 	u8 opcode, length, data;
635 	int project_id = -1;
636 	const unsigned char *fwptr, *chip_id_base;
637 	const unsigned char *patch_length_base, *patch_offset_base;
638 	u32 patch_offset = 0;
639 	u16 patch_length, num_patches;
640 	static const struct {
641 		__u16 lmp_subver;
642 		__u8 id;
643 	} project_id_to_lmp_subver[] = {
644 		{ RTL_ROM_LMP_8723A, 0 },
645 		{ RTL_ROM_LMP_8723B, 1 },
646 		{ RTL_ROM_LMP_8821A, 2 },
647 		{ RTL_ROM_LMP_8761A, 3 },
648 		{ RTL_ROM_LMP_8703B, 7 },
649 		{ RTL_ROM_LMP_8822B, 8 },
650 		{ RTL_ROM_LMP_8723B, 9 },	/* 8723D */
651 		{ RTL_ROM_LMP_8821A, 10 },	/* 8821C */
652 		{ RTL_ROM_LMP_8822B, 13 },	/* 8822C */
653 		{ RTL_ROM_LMP_8761A, 14 },	/* 8761B */
654 		{ RTL_ROM_LMP_8852A, 18 },	/* 8852A */
655 		{ RTL_ROM_LMP_8852A, 20 },	/* 8852B */
656 		{ RTL_ROM_LMP_8852A, 25 },	/* 8852C */
657 		{ RTL_ROM_LMP_8851B, 36 },	/* 8851B */
658 		{ RTL_ROM_LMP_8852A, 47 },	/* 8852BT */
659 	};
660 
661 	if (btrtl_dev->fw_len <= 8)
662 		return -EINVAL;
663 
664 	if (!memcmp(btrtl_dev->fw_data, RTL_EPATCH_SIGNATURE, 8))
665 		min_size = sizeof(struct rtl_epatch_header) +
666 				sizeof(extension_sig) + 3;
667 	else if (!memcmp(btrtl_dev->fw_data, RTL_EPATCH_SIGNATURE_V2, 8))
668 		min_size = sizeof(struct rtl_epatch_header_v2) +
669 				sizeof(extension_sig) + 3;
670 	else
671 		return -EINVAL;
672 
673 	if (btrtl_dev->fw_len < min_size)
674 		return -EINVAL;
675 
676 	fwptr = btrtl_dev->fw_data + btrtl_dev->fw_len - sizeof(extension_sig);
677 	if (memcmp(fwptr, extension_sig, sizeof(extension_sig)) != 0) {
678 		rtl_dev_err(hdev, "extension section signature mismatch");
679 		return -EINVAL;
680 	}
681 
682 	/* Loop from the end of the firmware parsing instructions, until
683 	 * we find an instruction that identifies the "project ID" for the
684 	 * hardware supported by this firwmare file.
685 	 * Once we have that, we double-check that project_id is suitable
686 	 * for the hardware we are working with.
687 	 */
688 	while (fwptr >= btrtl_dev->fw_data + (sizeof(*epatch_info) + 3)) {
689 		opcode = *--fwptr;
690 		length = *--fwptr;
691 		data = *--fwptr;
692 
693 		BT_DBG("check op=%x len=%x data=%x", opcode, length, data);
694 
695 		if (opcode == 0xff) /* EOF */
696 			break;
697 
698 		if (length == 0) {
699 			rtl_dev_err(hdev, "found instruction with length 0");
700 			return -EINVAL;
701 		}
702 
703 		if (opcode == 0 && length == 1) {
704 			project_id = data;
705 			break;
706 		}
707 
708 		fwptr -= length;
709 	}
710 
711 	if (project_id < 0) {
712 		rtl_dev_err(hdev, "failed to find version instruction");
713 		return -EINVAL;
714 	}
715 
716 	/* Find project_id in table */
717 	for (i = 0; i < ARRAY_SIZE(project_id_to_lmp_subver); i++) {
718 		if (project_id == project_id_to_lmp_subver[i].id) {
719 			btrtl_dev->project_id = project_id;
720 			break;
721 		}
722 	}
723 
724 	if (i >= ARRAY_SIZE(project_id_to_lmp_subver)) {
725 		rtl_dev_err(hdev, "unknown project id %d", project_id);
726 		return -EINVAL;
727 	}
728 
729 	if (btrtl_dev->ic_info->lmp_subver !=
730 				project_id_to_lmp_subver[i].lmp_subver) {
731 		rtl_dev_err(hdev, "firmware is for %x but this is a %x",
732 			    project_id_to_lmp_subver[i].lmp_subver,
733 			    btrtl_dev->ic_info->lmp_subver);
734 		return -EINVAL;
735 	}
736 
737 	if (memcmp(btrtl_dev->fw_data, RTL_EPATCH_SIGNATURE, 8) != 0) {
738 		if (!memcmp(btrtl_dev->fw_data, RTL_EPATCH_SIGNATURE_V2, 8))
739 			return rtlbt_parse_firmware_v2(hdev, btrtl_dev, _buf);
740 		rtl_dev_err(hdev, "bad EPATCH signature");
741 		return -EINVAL;
742 	}
743 
744 	epatch_info = (struct rtl_epatch_header *)btrtl_dev->fw_data;
745 	num_patches = le16_to_cpu(epatch_info->num_patches);
746 
747 	BT_DBG("fw_version=%x, num_patches=%d",
748 	       le32_to_cpu(epatch_info->fw_version), num_patches);
749 	coredump_info->rtl_dump.fw_version = le32_to_cpu(epatch_info->fw_version);
750 
751 	/* After the rtl_epatch_header there is a funky patch metadata section.
752 	 * Assuming 2 patches, the layout is:
753 	 * ChipID1 ChipID2 PatchLength1 PatchLength2 PatchOffset1 PatchOffset2
754 	 *
755 	 * Find the right patch for this chip.
756 	 */
757 	min_size += 8 * num_patches;
758 	if (btrtl_dev->fw_len < min_size)
759 		return -EINVAL;
760 
761 	chip_id_base = btrtl_dev->fw_data + sizeof(struct rtl_epatch_header);
762 	patch_length_base = chip_id_base + (sizeof(u16) * num_patches);
763 	patch_offset_base = patch_length_base + (sizeof(u16) * num_patches);
764 	for (i = 0; i < num_patches; i++) {
765 		u16 chip_id = get_unaligned_le16(chip_id_base +
766 						 (i * sizeof(u16)));
767 		if (chip_id == btrtl_dev->rom_version + 1) {
768 			patch_length = get_unaligned_le16(patch_length_base +
769 							  (i * sizeof(u16)));
770 			patch_offset = get_unaligned_le32(patch_offset_base +
771 							  (i * sizeof(u32)));
772 			break;
773 		}
774 	}
775 
776 	if (!patch_offset) {
777 		rtl_dev_err(hdev, "didn't find patch for chip id %d",
778 			    btrtl_dev->rom_version);
779 		return -EINVAL;
780 	}
781 
782 	BT_DBG("length=%x offset=%x index %d", patch_length, patch_offset, i);
783 	min_size = patch_offset + patch_length;
784 	if (btrtl_dev->fw_len < min_size)
785 		return -EINVAL;
786 
787 	/* Copy the firmware into a new buffer and write the version at
788 	 * the end.
789 	 */
790 	len = patch_length;
791 	buf = kvmalloc(patch_length, GFP_KERNEL);
792 	if (!buf)
793 		return -ENOMEM;
794 
795 	memcpy(buf, btrtl_dev->fw_data + patch_offset, patch_length - 4);
796 	memcpy(buf + patch_length - 4, &epatch_info->fw_version, 4);
797 
798 	*_buf = buf;
799 	return len;
800 }
801 
802 static int rtl_download_firmware(struct hci_dev *hdev,
803 				 const unsigned char *data, int fw_len)
804 {
805 	struct rtl_download_cmd *dl_cmd;
806 	int frag_num = fw_len / RTL_FRAG_LEN + 1;
807 	int frag_len = RTL_FRAG_LEN;
808 	int ret = 0;
809 	int i;
810 	int j = 0;
811 	struct sk_buff *skb;
812 	struct hci_rp_read_local_version *rp;
813 
814 	dl_cmd = kmalloc(sizeof(*dl_cmd), GFP_KERNEL);
815 	if (!dl_cmd)
816 		return -ENOMEM;
817 
818 	for (i = 0; i < frag_num; i++) {
819 		struct sk_buff *skb;
820 
821 		dl_cmd->index = j++;
822 		if (dl_cmd->index == 0x7f)
823 			j = 1;
824 
825 		if (i == (frag_num - 1)) {
826 			dl_cmd->index |= 0x80; /* data end */
827 			frag_len = fw_len % RTL_FRAG_LEN;
828 		}
829 		rtl_dev_dbg(hdev, "download fw (%d/%d). index = %d", i,
830 				frag_num, dl_cmd->index);
831 		memcpy(dl_cmd->data, data, frag_len);
832 
833 		/* Send download command */
834 		skb = __hci_cmd_sync(hdev, 0xfc20, frag_len + 1, dl_cmd,
835 				     HCI_INIT_TIMEOUT);
836 		if (IS_ERR(skb)) {
837 			rtl_dev_err(hdev, "download fw command failed (%ld)",
838 				    PTR_ERR(skb));
839 			ret = PTR_ERR(skb);
840 			goto out;
841 		}
842 
843 		if (skb->len != sizeof(struct rtl_download_response)) {
844 			rtl_dev_err(hdev, "download fw event length mismatch");
845 			kfree_skb(skb);
846 			ret = -EIO;
847 			goto out;
848 		}
849 
850 		kfree_skb(skb);
851 		data += RTL_FRAG_LEN;
852 	}
853 
854 	skb = btrtl_read_local_version(hdev);
855 	if (IS_ERR(skb)) {
856 		ret = PTR_ERR(skb);
857 		rtl_dev_err(hdev, "read local version failed");
858 		goto out;
859 	}
860 
861 	rp = (struct hci_rp_read_local_version *)skb->data;
862 	rtl_dev_info(hdev, "fw version 0x%04x%04x",
863 		     __le16_to_cpu(rp->hci_rev), __le16_to_cpu(rp->lmp_subver));
864 	kfree_skb(skb);
865 
866 out:
867 	kfree(dl_cmd);
868 	return ret;
869 }
870 
871 static int rtl_load_file(struct hci_dev *hdev, const char *name, u8 **buff)
872 {
873 	const struct firmware *fw;
874 	int ret;
875 
876 	rtl_dev_info(hdev, "loading %s", name);
877 	ret = request_firmware(&fw, name, &hdev->dev);
878 	if (ret < 0)
879 		return ret;
880 	ret = fw->size;
881 	*buff = kvmalloc(fw->size, GFP_KERNEL);
882 	if (*buff)
883 		memcpy(*buff, fw->data, ret);
884 	else
885 		ret = -ENOMEM;
886 
887 	release_firmware(fw);
888 
889 	return ret;
890 }
891 
892 static int btrtl_setup_rtl8723a(struct hci_dev *hdev,
893 				struct btrtl_device_info *btrtl_dev)
894 {
895 	if (btrtl_dev->fw_len < 8)
896 		return -EINVAL;
897 
898 	/* Check that the firmware doesn't have the epatch signature
899 	 * (which is only for RTL8723B and newer).
900 	 */
901 	if (!memcmp(btrtl_dev->fw_data, RTL_EPATCH_SIGNATURE, 8)) {
902 		rtl_dev_err(hdev, "unexpected EPATCH signature!");
903 		return -EINVAL;
904 	}
905 
906 	return rtl_download_firmware(hdev, btrtl_dev->fw_data,
907 				     btrtl_dev->fw_len);
908 }
909 
910 static int btrtl_setup_rtl8723b(struct hci_dev *hdev,
911 				struct btrtl_device_info *btrtl_dev)
912 {
913 	unsigned char *fw_data = NULL;
914 	int ret;
915 	u8 *tbuff;
916 
917 	ret = rtlbt_parse_firmware(hdev, btrtl_dev, &fw_data);
918 	if (ret < 0)
919 		goto out;
920 
921 	if (btrtl_dev->cfg_len > 0) {
922 		tbuff = kvzalloc(ret + btrtl_dev->cfg_len, GFP_KERNEL);
923 		if (!tbuff) {
924 			ret = -ENOMEM;
925 			goto out;
926 		}
927 
928 		memcpy(tbuff, fw_data, ret);
929 		kvfree(fw_data);
930 
931 		memcpy(tbuff + ret, btrtl_dev->cfg_data, btrtl_dev->cfg_len);
932 		ret += btrtl_dev->cfg_len;
933 
934 		fw_data = tbuff;
935 	}
936 
937 	rtl_dev_info(hdev, "cfg_sz %d, total sz %d", btrtl_dev->cfg_len, ret);
938 
939 	ret = rtl_download_firmware(hdev, fw_data, ret);
940 
941 out:
942 	kvfree(fw_data);
943 	return ret;
944 }
945 
946 static void btrtl_coredump(struct hci_dev *hdev)
947 {
948 	static const u8 param[] = { 0x00, 0x00 };
949 
950 	__hci_cmd_send(hdev, RTL_VSC_OP_COREDUMP, sizeof(param), param);
951 }
952 
953 static void btrtl_dmp_hdr(struct hci_dev *hdev, struct sk_buff *skb)
954 {
955 	struct btrealtek_data *coredump_info = hci_get_priv(hdev);
956 	char buf[80];
957 
958 	if (coredump_info->rtl_dump.controller)
959 		snprintf(buf, sizeof(buf), "Controller Name: %s\n",
960 			 coredump_info->rtl_dump.controller);
961 	else
962 		snprintf(buf, sizeof(buf), "Controller Name: Unknown\n");
963 	skb_put_data(skb, buf, strlen(buf));
964 
965 	snprintf(buf, sizeof(buf), "Firmware Version: 0x%X\n",
966 		 coredump_info->rtl_dump.fw_version);
967 	skb_put_data(skb, buf, strlen(buf));
968 
969 	snprintf(buf, sizeof(buf), "Driver: %s\n", coredump_info->rtl_dump.driver_name);
970 	skb_put_data(skb, buf, strlen(buf));
971 
972 	snprintf(buf, sizeof(buf), "Vendor: Realtek\n");
973 	skb_put_data(skb, buf, strlen(buf));
974 }
975 
976 static void btrtl_register_devcoredump_support(struct hci_dev *hdev)
977 {
978 	hci_devcd_register(hdev, btrtl_coredump, btrtl_dmp_hdr, NULL);
979 
980 }
981 
982 void btrtl_set_driver_name(struct hci_dev *hdev, const char *driver_name)
983 {
984 	struct btrealtek_data *coredump_info = hci_get_priv(hdev);
985 
986 	coredump_info->rtl_dump.driver_name = driver_name;
987 }
988 EXPORT_SYMBOL_GPL(btrtl_set_driver_name);
989 
990 static bool rtl_has_chip_type(u16 lmp_subver)
991 {
992 	switch (lmp_subver) {
993 	case RTL_ROM_LMP_8703B:
994 		return true;
995 	default:
996 		break;
997 	}
998 
999 	return  false;
1000 }
1001 
1002 static int rtl_read_chip_type(struct hci_dev *hdev, u8 *type)
1003 {
1004 	struct rtl_chip_type_evt *chip_type;
1005 	struct sk_buff *skb;
1006 	const unsigned char cmd_buf[] = {0x00, 0x94, 0xa0, 0x00, 0xb0};
1007 
1008 	/* Read RTL chip type command */
1009 	skb = __hci_cmd_sync(hdev, 0xfc61, 5, cmd_buf, HCI_INIT_TIMEOUT);
1010 	if (IS_ERR(skb)) {
1011 		rtl_dev_err(hdev, "Read chip type failed (%ld)",
1012 			    PTR_ERR(skb));
1013 		return PTR_ERR(skb);
1014 	}
1015 
1016 	chip_type = skb_pull_data(skb, sizeof(*chip_type));
1017 	if (!chip_type) {
1018 		rtl_dev_err(hdev, "RTL chip type event length mismatch");
1019 		kfree_skb(skb);
1020 		return -EIO;
1021 	}
1022 
1023 	rtl_dev_info(hdev, "chip_type status=%x type=%x",
1024 		     chip_type->status, chip_type->type);
1025 
1026 	*type = chip_type->type & 0x0f;
1027 
1028 	kfree_skb(skb);
1029 	return 0;
1030 }
1031 
1032 void btrtl_free(struct btrtl_device_info *btrtl_dev)
1033 {
1034 	struct rtl_subsection *entry, *tmp;
1035 
1036 	kvfree(btrtl_dev->fw_data);
1037 	kvfree(btrtl_dev->cfg_data);
1038 
1039 	list_for_each_entry_safe(entry, tmp, &btrtl_dev->patch_subsecs, list) {
1040 		list_del(&entry->list);
1041 		kfree(entry);
1042 	}
1043 
1044 	kfree(btrtl_dev);
1045 }
1046 EXPORT_SYMBOL_GPL(btrtl_free);
1047 
1048 struct btrtl_device_info *btrtl_initialize(struct hci_dev *hdev,
1049 					   const char *postfix)
1050 {
1051 	struct btrealtek_data *coredump_info = hci_get_priv(hdev);
1052 	struct btrtl_device_info *btrtl_dev;
1053 	struct sk_buff *skb;
1054 	struct hci_rp_read_local_version *resp;
1055 	struct hci_command_hdr *cmd;
1056 	char fw_name[40];
1057 	char cfg_name[40];
1058 	u16 hci_rev, lmp_subver;
1059 	u8 hci_ver, lmp_ver, chip_type = 0;
1060 	int ret;
1061 	u8 reg_val[2];
1062 
1063 	btrtl_dev = kzalloc(sizeof(*btrtl_dev), GFP_KERNEL);
1064 	if (!btrtl_dev) {
1065 		ret = -ENOMEM;
1066 		goto err_alloc;
1067 	}
1068 
1069 	INIT_LIST_HEAD(&btrtl_dev->patch_subsecs);
1070 
1071 check_version:
1072 	ret = btrtl_vendor_read_reg16(hdev, RTL_CHIP_SUBVER, reg_val);
1073 	if (ret < 0)
1074 		goto err_free;
1075 	lmp_subver = get_unaligned_le16(reg_val);
1076 
1077 	if (lmp_subver == RTL_ROM_LMP_8822B) {
1078 		ret = btrtl_vendor_read_reg16(hdev, RTL_CHIP_REV, reg_val);
1079 		if (ret < 0)
1080 			goto err_free;
1081 		hci_rev = get_unaligned_le16(reg_val);
1082 
1083 		/* 8822E */
1084 		if (hci_rev == 0x000e) {
1085 			hci_ver = 0x0c;
1086 			lmp_ver = 0x0c;
1087 			btrtl_dev->ic_info = btrtl_match_ic(lmp_subver, hci_rev,
1088 							    hci_ver, hdev->bus,
1089 							    chip_type);
1090 			goto next;
1091 		}
1092 	}
1093 
1094 	skb = btrtl_read_local_version(hdev);
1095 	if (IS_ERR(skb)) {
1096 		ret = PTR_ERR(skb);
1097 		goto err_free;
1098 	}
1099 
1100 	resp = (struct hci_rp_read_local_version *)skb->data;
1101 
1102 	hci_ver    = resp->hci_ver;
1103 	hci_rev    = le16_to_cpu(resp->hci_rev);
1104 	lmp_ver    = resp->lmp_ver;
1105 	lmp_subver = le16_to_cpu(resp->lmp_subver);
1106 
1107 	kfree_skb(skb);
1108 
1109 	if (rtl_has_chip_type(lmp_subver)) {
1110 		ret = rtl_read_chip_type(hdev, &chip_type);
1111 		if (ret)
1112 			goto err_free;
1113 	}
1114 
1115 	btrtl_dev->ic_info = btrtl_match_ic(lmp_subver, hci_rev, hci_ver,
1116 					    hdev->bus, chip_type);
1117 
1118 next:
1119 	rtl_dev_info(hdev, "examining hci_ver=%02x hci_rev=%04x lmp_ver=%02x lmp_subver=%04x",
1120 		     hci_ver, hci_rev,
1121 		     lmp_ver, lmp_subver);
1122 
1123 	if (!btrtl_dev->ic_info && !btrtl_dev->drop_fw)
1124 		btrtl_dev->drop_fw = true;
1125 	else
1126 		btrtl_dev->drop_fw = false;
1127 
1128 	if (btrtl_dev->drop_fw) {
1129 		skb = bt_skb_alloc(sizeof(*cmd), GFP_KERNEL);
1130 		if (!skb)
1131 			goto err_free;
1132 
1133 		cmd = skb_put(skb, HCI_COMMAND_HDR_SIZE);
1134 		cmd->opcode = cpu_to_le16(0xfc66);
1135 		cmd->plen = 0;
1136 
1137 		hci_skb_pkt_type(skb) = HCI_COMMAND_PKT;
1138 
1139 		ret = hdev->send(hdev, skb);
1140 		if (ret < 0) {
1141 			bt_dev_err(hdev, "sending frame failed (%d)", ret);
1142 			kfree_skb(skb);
1143 			goto err_free;
1144 		}
1145 
1146 		/* Ensure the above vendor command is sent to controller and
1147 		 * process has done.
1148 		 */
1149 		msleep(200);
1150 
1151 		goto check_version;
1152 	}
1153 
1154 	if (!btrtl_dev->ic_info) {
1155 		rtl_dev_info(hdev, "unknown IC info, lmp subver %04x, hci rev %04x, hci ver %04x",
1156 			    lmp_subver, hci_rev, hci_ver);
1157 		return btrtl_dev;
1158 	}
1159 
1160 	if (btrtl_dev->ic_info->has_rom_version) {
1161 		ret = rtl_read_rom_version(hdev, &btrtl_dev->rom_version);
1162 		if (ret)
1163 			goto err_free;
1164 	}
1165 
1166 	if (!btrtl_dev->ic_info->fw_name) {
1167 		ret = -ENOMEM;
1168 		goto err_free;
1169 	}
1170 
1171 	btrtl_dev->fw_len = -EIO;
1172 	if (lmp_subver == RTL_ROM_LMP_8852A && hci_rev == 0x000c) {
1173 		snprintf(fw_name, sizeof(fw_name), "%s_v2.bin",
1174 				btrtl_dev->ic_info->fw_name);
1175 		btrtl_dev->fw_len = rtl_load_file(hdev, fw_name,
1176 				&btrtl_dev->fw_data);
1177 	}
1178 
1179 	if (btrtl_dev->fw_len < 0) {
1180 		snprintf(fw_name, sizeof(fw_name), "%s.bin",
1181 				btrtl_dev->ic_info->fw_name);
1182 		btrtl_dev->fw_len = rtl_load_file(hdev, fw_name,
1183 				&btrtl_dev->fw_data);
1184 	}
1185 
1186 	if (btrtl_dev->fw_len < 0) {
1187 		rtl_dev_err(hdev, "firmware file %s not found",
1188 			    btrtl_dev->ic_info->fw_name);
1189 		ret = btrtl_dev->fw_len;
1190 		goto err_free;
1191 	}
1192 
1193 	if (btrtl_dev->ic_info->cfg_name) {
1194 		if (postfix) {
1195 			snprintf(cfg_name, sizeof(cfg_name), "%s-%s.bin",
1196 				 btrtl_dev->ic_info->cfg_name, postfix);
1197 		} else {
1198 			snprintf(cfg_name, sizeof(cfg_name), "%s.bin",
1199 				 btrtl_dev->ic_info->cfg_name);
1200 		}
1201 		btrtl_dev->cfg_len = rtl_load_file(hdev, cfg_name,
1202 						   &btrtl_dev->cfg_data);
1203 		if (btrtl_dev->ic_info->config_needed &&
1204 		    btrtl_dev->cfg_len <= 0) {
1205 			rtl_dev_err(hdev, "mandatory config file %s not found",
1206 				    btrtl_dev->ic_info->cfg_name);
1207 			ret = btrtl_dev->cfg_len;
1208 			goto err_free;
1209 		}
1210 	}
1211 
1212 	/* The following chips supports the Microsoft vendor extension,
1213 	 * therefore set the corresponding VsMsftOpCode.
1214 	 */
1215 	if (btrtl_dev->ic_info->has_msft_ext)
1216 		hci_set_msft_opcode(hdev, 0xFCF0);
1217 
1218 	if (btrtl_dev->ic_info)
1219 		coredump_info->rtl_dump.controller = btrtl_dev->ic_info->hw_info;
1220 
1221 	return btrtl_dev;
1222 
1223 err_free:
1224 	btrtl_free(btrtl_dev);
1225 err_alloc:
1226 	return ERR_PTR(ret);
1227 }
1228 EXPORT_SYMBOL_GPL(btrtl_initialize);
1229 
1230 int btrtl_download_firmware(struct hci_dev *hdev,
1231 			    struct btrtl_device_info *btrtl_dev)
1232 {
1233 	int err = 0;
1234 
1235 	/* Match a set of subver values that correspond to stock firmware,
1236 	 * which is not compatible with standard btusb.
1237 	 * If matched, upload an alternative firmware that does conform to
1238 	 * standard btusb. Once that firmware is uploaded, the subver changes
1239 	 * to a different value.
1240 	 */
1241 	if (!btrtl_dev->ic_info) {
1242 		rtl_dev_info(hdev, "assuming no firmware upload needed");
1243 		err = 0;
1244 		goto done;
1245 	}
1246 
1247 	switch (btrtl_dev->ic_info->lmp_subver) {
1248 	case RTL_ROM_LMP_8723A:
1249 		err = btrtl_setup_rtl8723a(hdev, btrtl_dev);
1250 		break;
1251 	case RTL_ROM_LMP_8723B:
1252 	case RTL_ROM_LMP_8821A:
1253 	case RTL_ROM_LMP_8761A:
1254 	case RTL_ROM_LMP_8822B:
1255 	case RTL_ROM_LMP_8852A:
1256 	case RTL_ROM_LMP_8703B:
1257 	case RTL_ROM_LMP_8851B:
1258 		err = btrtl_setup_rtl8723b(hdev, btrtl_dev);
1259 		break;
1260 	default:
1261 		rtl_dev_info(hdev, "assuming no firmware upload needed");
1262 		break;
1263 	}
1264 
1265 done:
1266 	btrtl_register_devcoredump_support(hdev);
1267 
1268 	return err;
1269 }
1270 EXPORT_SYMBOL_GPL(btrtl_download_firmware);
1271 
1272 void btrtl_set_quirks(struct hci_dev *hdev, struct btrtl_device_info *btrtl_dev)
1273 {
1274 	/* Enable controller to do both LE scan and BR/EDR inquiry
1275 	 * simultaneously.
1276 	 */
1277 	set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks);
1278 
1279 	/* Enable central-peripheral role (able to create new connections with
1280 	 * an existing connection in slave role).
1281 	 */
1282 	/* Enable WBS supported for the specific Realtek devices. */
1283 	switch (btrtl_dev->project_id) {
1284 	case CHIP_ID_8822C:
1285 	case CHIP_ID_8852A:
1286 	case CHIP_ID_8852B:
1287 	case CHIP_ID_8852C:
1288 	case CHIP_ID_8851B:
1289 	case CHIP_ID_8852BT:
1290 		set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks);
1291 
1292 		/* RTL8852C needs to transmit mSBC data continuously without
1293 		 * the zero length of USB packets for the ALT 6 supported chips
1294 		 */
1295 		if (btrtl_dev->project_id == CHIP_ID_8852C)
1296 			btrealtek_set_flag(hdev, REALTEK_ALT6_CONTINUOUS_TX_CHIP);
1297 
1298 		if (btrtl_dev->project_id == CHIP_ID_8852A ||
1299 		    btrtl_dev->project_id == CHIP_ID_8852C)
1300 			set_bit(HCI_QUIRK_USE_MSFT_EXT_ADDRESS_FILTER, &hdev->quirks);
1301 
1302 		hci_set_aosp_capable(hdev);
1303 		break;
1304 	default:
1305 		rtl_dev_dbg(hdev, "Central-peripheral role not enabled.");
1306 		rtl_dev_dbg(hdev, "WBS supported not enabled.");
1307 		break;
1308 	}
1309 
1310 	if (!btrtl_dev->ic_info)
1311 		return;
1312 
1313 	switch (btrtl_dev->ic_info->lmp_subver) {
1314 	case RTL_ROM_LMP_8703B:
1315 		/* 8723CS reports two pages for local ext features,
1316 		 * but it doesn't support any features from page 2 -
1317 		 * it either responds with garbage or with error status
1318 		 */
1319 		set_bit(HCI_QUIRK_BROKEN_LOCAL_EXT_FEATURES_PAGE_2,
1320 			&hdev->quirks);
1321 		break;
1322 	default:
1323 		break;
1324 	}
1325 }
1326 EXPORT_SYMBOL_GPL(btrtl_set_quirks);
1327 
1328 int btrtl_setup_realtek(struct hci_dev *hdev)
1329 {
1330 	struct btrtl_device_info *btrtl_dev;
1331 	int ret;
1332 
1333 	btrtl_dev = btrtl_initialize(hdev, NULL);
1334 	if (IS_ERR(btrtl_dev))
1335 		return PTR_ERR(btrtl_dev);
1336 
1337 	ret = btrtl_download_firmware(hdev, btrtl_dev);
1338 
1339 	btrtl_set_quirks(hdev, btrtl_dev);
1340 
1341 	hci_set_hw_info(hdev,
1342 			"RTL lmp_subver=%u hci_rev=%u hci_ver=%u hci_bus=%u",
1343 			btrtl_dev->ic_info->lmp_subver,
1344 			btrtl_dev->ic_info->hci_rev,
1345 			btrtl_dev->ic_info->hci_ver,
1346 			btrtl_dev->ic_info->hci_bus);
1347 
1348 	btrtl_free(btrtl_dev);
1349 	return ret;
1350 }
1351 EXPORT_SYMBOL_GPL(btrtl_setup_realtek);
1352 
1353 int btrtl_shutdown_realtek(struct hci_dev *hdev)
1354 {
1355 	struct sk_buff *skb;
1356 	int ret;
1357 
1358 	/* According to the vendor driver, BT must be reset on close to avoid
1359 	 * firmware crash.
1360 	 */
1361 	skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
1362 	if (IS_ERR(skb)) {
1363 		ret = PTR_ERR(skb);
1364 		bt_dev_err(hdev, "HCI reset during shutdown failed");
1365 		return ret;
1366 	}
1367 	kfree_skb(skb);
1368 
1369 	return 0;
1370 }
1371 EXPORT_SYMBOL_GPL(btrtl_shutdown_realtek);
1372 
1373 static unsigned int btrtl_convert_baudrate(u32 device_baudrate)
1374 {
1375 	switch (device_baudrate) {
1376 	case 0x0252a00a:
1377 		return 230400;
1378 
1379 	case 0x05f75004:
1380 		return 921600;
1381 
1382 	case 0x00005004:
1383 		return 1000000;
1384 
1385 	case 0x04928002:
1386 	case 0x01128002:
1387 		return 1500000;
1388 
1389 	case 0x00005002:
1390 		return 2000000;
1391 
1392 	case 0x0000b001:
1393 		return 2500000;
1394 
1395 	case 0x04928001:
1396 		return 3000000;
1397 
1398 	case 0x052a6001:
1399 		return 3500000;
1400 
1401 	case 0x00005001:
1402 		return 4000000;
1403 
1404 	case 0x0252c014:
1405 	default:
1406 		return 115200;
1407 	}
1408 }
1409 
1410 int btrtl_get_uart_settings(struct hci_dev *hdev,
1411 			    struct btrtl_device_info *btrtl_dev,
1412 			    unsigned int *controller_baudrate,
1413 			    u32 *device_baudrate, bool *flow_control)
1414 {
1415 	struct rtl_vendor_config *config;
1416 	struct rtl_vendor_config_entry *entry;
1417 	int i, total_data_len;
1418 	bool found = false;
1419 
1420 	total_data_len = btrtl_dev->cfg_len - sizeof(*config);
1421 	if (total_data_len <= 0) {
1422 		rtl_dev_warn(hdev, "no config loaded");
1423 		return -EINVAL;
1424 	}
1425 
1426 	config = (struct rtl_vendor_config *)btrtl_dev->cfg_data;
1427 	if (le32_to_cpu(config->signature) != RTL_CONFIG_MAGIC) {
1428 		rtl_dev_err(hdev, "invalid config magic");
1429 		return -EINVAL;
1430 	}
1431 
1432 	if (total_data_len < le16_to_cpu(config->total_len)) {
1433 		rtl_dev_err(hdev, "config is too short");
1434 		return -EINVAL;
1435 	}
1436 
1437 	for (i = 0; i < total_data_len; ) {
1438 		entry = ((void *)config->entry) + i;
1439 
1440 		switch (le16_to_cpu(entry->offset)) {
1441 		case 0xc:
1442 			if (entry->len < sizeof(*device_baudrate)) {
1443 				rtl_dev_err(hdev, "invalid UART config entry");
1444 				return -EINVAL;
1445 			}
1446 
1447 			*device_baudrate = get_unaligned_le32(entry->data);
1448 			*controller_baudrate = btrtl_convert_baudrate(
1449 							*device_baudrate);
1450 
1451 			if (entry->len >= 13)
1452 				*flow_control = !!(entry->data[12] & BIT(2));
1453 			else
1454 				*flow_control = false;
1455 
1456 			found = true;
1457 			break;
1458 
1459 		default:
1460 			rtl_dev_dbg(hdev, "skipping config entry 0x%x (len %u)",
1461 				   le16_to_cpu(entry->offset), entry->len);
1462 			break;
1463 		}
1464 
1465 		i += sizeof(*entry) + entry->len;
1466 	}
1467 
1468 	if (!found) {
1469 		rtl_dev_err(hdev, "no UART config entry found");
1470 		return -ENOENT;
1471 	}
1472 
1473 	rtl_dev_dbg(hdev, "device baudrate = 0x%08x", *device_baudrate);
1474 	rtl_dev_dbg(hdev, "controller baudrate = %u", *controller_baudrate);
1475 	rtl_dev_dbg(hdev, "flow control %d", *flow_control);
1476 
1477 	return 0;
1478 }
1479 EXPORT_SYMBOL_GPL(btrtl_get_uart_settings);
1480 
1481 MODULE_AUTHOR("Daniel Drake <drake@endlessm.com>");
1482 MODULE_DESCRIPTION("Bluetooth support for Realtek devices ver " VERSION);
1483 MODULE_VERSION(VERSION);
1484 MODULE_LICENSE("GPL");
1485 MODULE_FIRMWARE("rtl_bt/rtl8723a_fw.bin");
1486 MODULE_FIRMWARE("rtl_bt/rtl8723b_fw.bin");
1487 MODULE_FIRMWARE("rtl_bt/rtl8723b_config.bin");
1488 MODULE_FIRMWARE("rtl_bt/rtl8723bs_fw.bin");
1489 MODULE_FIRMWARE("rtl_bt/rtl8723bs_config.bin");
1490 MODULE_FIRMWARE("rtl_bt/rtl8723cs_cg_fw.bin");
1491 MODULE_FIRMWARE("rtl_bt/rtl8723cs_cg_config.bin");
1492 MODULE_FIRMWARE("rtl_bt/rtl8723cs_vf_fw.bin");
1493 MODULE_FIRMWARE("rtl_bt/rtl8723cs_vf_config.bin");
1494 MODULE_FIRMWARE("rtl_bt/rtl8723cs_xx_fw.bin");
1495 MODULE_FIRMWARE("rtl_bt/rtl8723cs_xx_config.bin");
1496 MODULE_FIRMWARE("rtl_bt/rtl8723d_fw.bin");
1497 MODULE_FIRMWARE("rtl_bt/rtl8723d_config.bin");
1498 MODULE_FIRMWARE("rtl_bt/rtl8723ds_fw.bin");
1499 MODULE_FIRMWARE("rtl_bt/rtl8723ds_config.bin");
1500 MODULE_FIRMWARE("rtl_bt/rtl8761a_fw.bin");
1501 MODULE_FIRMWARE("rtl_bt/rtl8761a_config.bin");
1502 MODULE_FIRMWARE("rtl_bt/rtl8761b_fw.bin");
1503 MODULE_FIRMWARE("rtl_bt/rtl8761b_config.bin");
1504 MODULE_FIRMWARE("rtl_bt/rtl8761bu_fw.bin");
1505 MODULE_FIRMWARE("rtl_bt/rtl8761bu_config.bin");
1506 MODULE_FIRMWARE("rtl_bt/rtl8821a_fw.bin");
1507 MODULE_FIRMWARE("rtl_bt/rtl8821a_config.bin");
1508 MODULE_FIRMWARE("rtl_bt/rtl8821c_fw.bin");
1509 MODULE_FIRMWARE("rtl_bt/rtl8821c_config.bin");
1510 MODULE_FIRMWARE("rtl_bt/rtl8821cs_fw.bin");
1511 MODULE_FIRMWARE("rtl_bt/rtl8821cs_config.bin");
1512 MODULE_FIRMWARE("rtl_bt/rtl8822b_fw.bin");
1513 MODULE_FIRMWARE("rtl_bt/rtl8822b_config.bin");
1514 MODULE_FIRMWARE("rtl_bt/rtl8822cs_fw.bin");
1515 MODULE_FIRMWARE("rtl_bt/rtl8822cs_config.bin");
1516 MODULE_FIRMWARE("rtl_bt/rtl8822cu_fw.bin");
1517 MODULE_FIRMWARE("rtl_bt/rtl8822cu_config.bin");
1518 MODULE_FIRMWARE("rtl_bt/rtl8851bu_fw.bin");
1519 MODULE_FIRMWARE("rtl_bt/rtl8851bu_config.bin");
1520 MODULE_FIRMWARE("rtl_bt/rtl8852au_fw.bin");
1521 MODULE_FIRMWARE("rtl_bt/rtl8852au_config.bin");
1522 MODULE_FIRMWARE("rtl_bt/rtl8852bs_fw.bin");
1523 MODULE_FIRMWARE("rtl_bt/rtl8852bs_config.bin");
1524 MODULE_FIRMWARE("rtl_bt/rtl8852bu_fw.bin");
1525 MODULE_FIRMWARE("rtl_bt/rtl8852bu_config.bin");
1526 MODULE_FIRMWARE("rtl_bt/rtl8852btu_fw.bin");
1527 MODULE_FIRMWARE("rtl_bt/rtl8852btu_config.bin");
1528 MODULE_FIRMWARE("rtl_bt/rtl8852cu_fw.bin");
1529 MODULE_FIRMWARE("rtl_bt/rtl8852cu_fw_v2.bin");
1530 MODULE_FIRMWARE("rtl_bt/rtl8852cu_config.bin");
1531