xref: /linux/drivers/bluetooth/btrtl.c (revision db6b35cffe59c619ea3772b21d7c7c8a7b885dc1) 
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  *  Bluetooth support for Realtek devices
4  *
5  *  Copyright (C) 2015 Endless Mobile, Inc.
6  */
7 
8 #include <linux/module.h>
9 #include <linux/firmware.h>
10 #include <linux/unaligned.h>
11 #include <linux/usb.h>
12 
13 #include <net/bluetooth/bluetooth.h>
14 #include <net/bluetooth/hci_core.h>
15 
16 #include "btrtl.h"
17 
18 #define VERSION "0.1"
19 
20 #define RTL_CHIP_8723CS_CG	3
21 #define RTL_CHIP_8723CS_VF	4
22 #define RTL_CHIP_8723CS_XX	5
23 #define RTL_EPATCH_SIGNATURE	"Realtech"
24 #define RTL_EPATCH_SIGNATURE_V2	"RTBTCore"
25 #define RTL_ROM_LMP_8703B	0x8703
26 #define RTL_ROM_LMP_8723A	0x1200
27 #define RTL_ROM_LMP_8723B	0x8723
28 #define RTL_ROM_LMP_8821A	0x8821
29 #define RTL_ROM_LMP_8761A	0x8761
30 #define RTL_ROM_LMP_8822B	0x8822
31 #define RTL_ROM_LMP_8852A	0x8852
32 #define RTL_ROM_LMP_8851B	0x8851
33 #define RTL_ROM_LMP_8922A	0x8922
34 #define RTL_CONFIG_MAGIC	0x8723ab55
35 
36 #define RTL_VSC_OP_COREDUMP	0xfcff
37 
38 #define IC_MATCH_FL_LMPSUBV	(1 << 0)
39 #define IC_MATCH_FL_HCIREV	(1 << 1)
40 #define IC_MATCH_FL_HCIVER	(1 << 2)
41 #define IC_MATCH_FL_HCIBUS	(1 << 3)
42 #define IC_MATCH_FL_CHIP_TYPE	(1 << 4)
43 #define IC_INFO(lmps, hcir, hciv, bus) \
44 	.match_flags = IC_MATCH_FL_LMPSUBV | IC_MATCH_FL_HCIREV | \
45 		       IC_MATCH_FL_HCIVER | IC_MATCH_FL_HCIBUS, \
46 	.lmp_subver = (lmps), \
47 	.hci_rev = (hcir), \
48 	.hci_ver = (hciv), \
49 	.hci_bus = (bus)
50 
51 #define	RTL_CHIP_SUBVER (&(struct rtl_vendor_cmd) {{0x10, 0x38, 0x04, 0x28, 0x80}})
52 #define	RTL_CHIP_REV    (&(struct rtl_vendor_cmd) {{0x10, 0x3A, 0x04, 0x28, 0x80}})
53 #define	RTL_SEC_PROJ    (&(struct rtl_vendor_cmd) {{0x10, 0xA4, 0xAD, 0x00, 0xb0}})
54 
55 #define RTL_PATCH_SNIPPETS		0x01
56 #define RTL_PATCH_DUMMY_HEADER		0x02
57 #define RTL_PATCH_SECURITY_HEADER	0x03
58 
59 enum btrtl_chip_id {
60 	CHIP_ID_8723A,
61 	CHIP_ID_8723B,
62 	CHIP_ID_8821A,
63 	CHIP_ID_8761A,
64 	CHIP_ID_8822B = 8,
65 	CHIP_ID_8723D,
66 	CHIP_ID_8821C,
67 	CHIP_ID_8822C = 13,
68 	CHIP_ID_8761B,
69 	CHIP_ID_8852A = 18,
70 	CHIP_ID_8852B = 20,
71 	CHIP_ID_8852C = 25,
72 	CHIP_ID_8851B = 36,
73 	CHIP_ID_8922A = 44,
74 	CHIP_ID_8852BT = 47,
75 	CHIP_ID_8761C = 51,
76 };
77 
78 struct id_table {
79 	__u16 match_flags;
80 	__u16 lmp_subver;
81 	__u16 hci_rev;
82 	__u8 hci_ver;
83 	__u8 hci_bus;
84 	__u8 chip_type;
85 	bool config_needed;
86 	bool has_rom_version;
87 	bool has_msft_ext;
88 	char *fw_name;
89 	char *cfg_name;
90 	char *hw_info;
91 };
92 
93 struct btrtl_device_info {
94 	const struct id_table *ic_info;
95 	u8 rom_version;
96 	u8 *fw_data;
97 	int fw_len;
98 	u8 *cfg_data;
99 	int cfg_len;
100 	bool drop_fw;
101 	int project_id;
102 	u8 key_id;
103 	struct list_head patch_subsecs;
104 };
105 
106 static const struct id_table ic_id_table[] = {
107 	/* 8723A */
108 	{ IC_INFO(RTL_ROM_LMP_8723A, 0xb, 0x6, HCI_USB),
109 	  .config_needed = false,
110 	  .has_rom_version = false,
111 	  .fw_name = "rtl_bt/rtl8723a_fw",
112 	  .cfg_name = NULL,
113 	  .hw_info = "rtl8723au" },
114 
115 	/* 8723BS */
116 	{ IC_INFO(RTL_ROM_LMP_8723B, 0xb, 0x6, HCI_UART),
117 	  .config_needed = true,
118 	  .has_rom_version = true,
119 	  .fw_name  = "rtl_bt/rtl8723bs_fw",
120 	  .cfg_name = "rtl_bt/rtl8723bs_config",
121 	  .hw_info  = "rtl8723bs" },
122 
123 	/* 8723B */
124 	{ IC_INFO(RTL_ROM_LMP_8723B, 0xb, 0x6, HCI_USB),
125 	  .config_needed = false,
126 	  .has_rom_version = true,
127 	  .fw_name  = "rtl_bt/rtl8723b_fw",
128 	  .cfg_name = "rtl_bt/rtl8723b_config",
129 	  .hw_info  = "rtl8723bu" },
130 
131 	/* 8723CS-CG */
132 	{ .match_flags = IC_MATCH_FL_LMPSUBV | IC_MATCH_FL_CHIP_TYPE |
133 			 IC_MATCH_FL_HCIBUS,
134 	  .lmp_subver = RTL_ROM_LMP_8703B,
135 	  .chip_type = RTL_CHIP_8723CS_CG,
136 	  .hci_bus = HCI_UART,
137 	  .config_needed = true,
138 	  .has_rom_version = true,
139 	  .fw_name  = "rtl_bt/rtl8723cs_cg_fw",
140 	  .cfg_name = "rtl_bt/rtl8723cs_cg_config",
141 	  .hw_info  = "rtl8723cs-cg" },
142 
143 	/* 8723CS-VF */
144 	{ .match_flags = IC_MATCH_FL_LMPSUBV | IC_MATCH_FL_CHIP_TYPE |
145 			 IC_MATCH_FL_HCIBUS,
146 	  .lmp_subver = RTL_ROM_LMP_8703B,
147 	  .chip_type = RTL_CHIP_8723CS_VF,
148 	  .hci_bus = HCI_UART,
149 	  .config_needed = true,
150 	  .has_rom_version = true,
151 	  .fw_name  = "rtl_bt/rtl8723cs_vf_fw",
152 	  .cfg_name = "rtl_bt/rtl8723cs_vf_config",
153 	  .hw_info  = "rtl8723cs-vf" },
154 
155 	/* 8723CS-XX */
156 	{ .match_flags = IC_MATCH_FL_LMPSUBV | IC_MATCH_FL_CHIP_TYPE |
157 			 IC_MATCH_FL_HCIBUS,
158 	  .lmp_subver = RTL_ROM_LMP_8703B,
159 	  .chip_type = RTL_CHIP_8723CS_XX,
160 	  .hci_bus = HCI_UART,
161 	  .config_needed = true,
162 	  .has_rom_version = true,
163 	  .fw_name  = "rtl_bt/rtl8723cs_xx_fw",
164 	  .cfg_name = "rtl_bt/rtl8723cs_xx_config",
165 	  .hw_info  = "rtl8723cs" },
166 
167 	/* 8723D */
168 	{ IC_INFO(RTL_ROM_LMP_8723B, 0xd, 0x8, HCI_USB),
169 	  .config_needed = true,
170 	  .has_rom_version = true,
171 	  .fw_name  = "rtl_bt/rtl8723d_fw",
172 	  .cfg_name = "rtl_bt/rtl8723d_config",
173 	  .hw_info  = "rtl8723du" },
174 
175 	/* 8723DS */
176 	{ IC_INFO(RTL_ROM_LMP_8723B, 0xd, 0x8, HCI_UART),
177 	  .config_needed = true,
178 	  .has_rom_version = true,
179 	  .fw_name  = "rtl_bt/rtl8723ds_fw",
180 	  .cfg_name = "rtl_bt/rtl8723ds_config",
181 	  .hw_info  = "rtl8723ds" },
182 
183 	/* 8821A */
184 	{ IC_INFO(RTL_ROM_LMP_8821A, 0xa, 0x6, HCI_USB),
185 	  .config_needed = false,
186 	  .has_rom_version = true,
187 	  .fw_name  = "rtl_bt/rtl8821a_fw",
188 	  .cfg_name = "rtl_bt/rtl8821a_config",
189 	  .hw_info  = "rtl8821au" },
190 
191 	/* 8821C */
192 	{ IC_INFO(RTL_ROM_LMP_8821A, 0xc, 0x8, HCI_USB),
193 	  .config_needed = false,
194 	  .has_rom_version = true,
195 	  .has_msft_ext = true,
196 	  .fw_name  = "rtl_bt/rtl8821c_fw",
197 	  .cfg_name = "rtl_bt/rtl8821c_config",
198 	  .hw_info  = "rtl8821cu" },
199 
200 	/* 8821CS */
201 	{ IC_INFO(RTL_ROM_LMP_8821A, 0xc, 0x8, HCI_UART),
202 	  .config_needed = true,
203 	  .has_rom_version = true,
204 	  .has_msft_ext = true,
205 	  .fw_name  = "rtl_bt/rtl8821cs_fw",
206 	  .cfg_name = "rtl_bt/rtl8821cs_config",
207 	  .hw_info  = "rtl8821cs" },
208 
209 	/* 8761A */
210 	{ IC_INFO(RTL_ROM_LMP_8761A, 0xa, 0x6, HCI_USB),
211 	  .config_needed = false,
212 	  .has_rom_version = true,
213 	  .fw_name  = "rtl_bt/rtl8761a_fw",
214 	  .cfg_name = "rtl_bt/rtl8761a_config",
215 	  .hw_info  = "rtl8761au" },
216 
217 	/* 8761B */
218 	{ IC_INFO(RTL_ROM_LMP_8761A, 0xb, 0xa, HCI_UART),
219 	  .config_needed = false,
220 	  .has_rom_version = true,
221 	  .has_msft_ext = true,
222 	  .fw_name  = "rtl_bt/rtl8761b_fw",
223 	  .cfg_name = "rtl_bt/rtl8761b_config",
224 	  .hw_info  = "rtl8761btv" },
225 
226 	/* 8761BU */
227 	{ IC_INFO(RTL_ROM_LMP_8761A, 0xb, 0xa, HCI_USB),
228 	  .config_needed = false,
229 	  .has_rom_version = true,
230 	  .fw_name  = "rtl_bt/rtl8761bu_fw",
231 	  .cfg_name = "rtl_bt/rtl8761bu_config",
232 	  .hw_info  = "rtl8761bu" },
233 
234 	/* 8761CU */
235 	{ IC_INFO(RTL_ROM_LMP_8761A, 0x0e, 0, HCI_USB),
236 	  .config_needed = false,
237 	  .has_rom_version = true,
238 	  .fw_name  = "rtl_bt/rtl8761cu_fw",
239 	  .cfg_name = "rtl_bt/rtl8761cu_config",
240 	  .hw_info  = "rtl8761cu" },
241 
242 	/* 8822C with UART interface */
243 	{ IC_INFO(RTL_ROM_LMP_8822B, 0xc, 0x8, HCI_UART),
244 	  .config_needed = true,
245 	  .has_rom_version = true,
246 	  .has_msft_ext = true,
247 	  .fw_name  = "rtl_bt/rtl8822cs_fw",
248 	  .cfg_name = "rtl_bt/rtl8822cs_config",
249 	  .hw_info  = "rtl8822cs" },
250 
251 	/* 8822C with UART interface */
252 	{ IC_INFO(RTL_ROM_LMP_8822B, 0xc, 0xa, HCI_UART),
253 	  .config_needed = true,
254 	  .has_rom_version = true,
255 	  .has_msft_ext = true,
256 	  .fw_name  = "rtl_bt/rtl8822cs_fw",
257 	  .cfg_name = "rtl_bt/rtl8822cs_config",
258 	  .hw_info  = "rtl8822cs" },
259 
260 	/* 8822C with USB interface */
261 	{ IC_INFO(RTL_ROM_LMP_8822B, 0xc, 0xa, HCI_USB),
262 	  .config_needed = false,
263 	  .has_rom_version = true,
264 	  .has_msft_ext = true,
265 	  .fw_name  = "rtl_bt/rtl8822cu_fw",
266 	  .cfg_name = "rtl_bt/rtl8822cu_config",
267 	  .hw_info  = "rtl8822cu" },
268 
269 	/* 8822B */
270 	{ IC_INFO(RTL_ROM_LMP_8822B, 0xb, 0x7, HCI_USB),
271 	  .config_needed = true,
272 	  .has_rom_version = true,
273 	  .has_msft_ext = true,
274 	  .fw_name  = "rtl_bt/rtl8822b_fw",
275 	  .cfg_name = "rtl_bt/rtl8822b_config",
276 	  .hw_info  = "rtl8822bu" },
277 
278 	/* 8852A */
279 	{ IC_INFO(RTL_ROM_LMP_8852A, 0xa, 0xb, HCI_USB),
280 	  .config_needed = false,
281 	  .has_rom_version = true,
282 	  .has_msft_ext = true,
283 	  .fw_name  = "rtl_bt/rtl8852au_fw",
284 	  .cfg_name = "rtl_bt/rtl8852au_config",
285 	  .hw_info  = "rtl8852au" },
286 
287 	/* 8852B with UART interface */
288 	{ IC_INFO(RTL_ROM_LMP_8852A, 0xb, 0xb, HCI_UART),
289 	  .config_needed = true,
290 	  .has_rom_version = true,
291 	  .has_msft_ext = true,
292 	  .fw_name  = "rtl_bt/rtl8852bs_fw",
293 	  .cfg_name = "rtl_bt/rtl8852bs_config",
294 	  .hw_info  = "rtl8852bs" },
295 
296 	/* 8852B */
297 	{ IC_INFO(RTL_ROM_LMP_8852A, 0xb, 0xb, HCI_USB),
298 	  .config_needed = false,
299 	  .has_rom_version = true,
300 	  .has_msft_ext = true,
301 	  .fw_name  = "rtl_bt/rtl8852bu_fw",
302 	  .cfg_name = "rtl_bt/rtl8852bu_config",
303 	  .hw_info  = "rtl8852bu" },
304 
305 	/* 8852C */
306 	{ IC_INFO(RTL_ROM_LMP_8852A, 0xc, 0xc, HCI_USB),
307 	  .config_needed = false,
308 	  .has_rom_version = true,
309 	  .has_msft_ext = true,
310 	  .fw_name  = "rtl_bt/rtl8852cu_fw",
311 	  .cfg_name = "rtl_bt/rtl8852cu_config",
312 	  .hw_info  = "rtl8852cu" },
313 
314 	/* 8851B */
315 	{ IC_INFO(RTL_ROM_LMP_8851B, 0xb, 0xc, HCI_USB),
316 	  .config_needed = false,
317 	  .has_rom_version = true,
318 	  .has_msft_ext = false,
319 	  .fw_name  = "rtl_bt/rtl8851bu_fw",
320 	  .cfg_name = "rtl_bt/rtl8851bu_config",
321 	  .hw_info  = "rtl8851bu" },
322 
323 	/* 8922A */
324 	{ IC_INFO(RTL_ROM_LMP_8922A, 0xa, 0xc, HCI_USB),
325 	  .config_needed = false,
326 	  .has_rom_version = true,
327 	  .has_msft_ext = true,
328 	  .fw_name  = "rtl_bt/rtl8922au_fw",
329 	  .cfg_name = "rtl_bt/rtl8922au_config",
330 	  .hw_info  = "rtl8922au" },
331 
332 	/* 8852BT/8852BE-VT */
333 	{ IC_INFO(RTL_ROM_LMP_8852A, 0x87, 0xc, HCI_USB),
334 	  .config_needed = false,
335 	  .has_rom_version = true,
336 	  .has_msft_ext = true,
337 	  .fw_name  = "rtl_bt/rtl8852btu_fw",
338 	  .cfg_name = "rtl_bt/rtl8852btu_config",
339 	  .hw_info  = "rtl8852btu" },
340 	};
341 
342 static const struct id_table *btrtl_match_ic(u16 lmp_subver, u16 hci_rev,
343 					     u8 hci_ver, u8 hci_bus,
344 					     u8 chip_type)
345 {
346 	int i;
347 
348 	for (i = 0; i < ARRAY_SIZE(ic_id_table); i++) {
349 		if ((ic_id_table[i].match_flags & IC_MATCH_FL_LMPSUBV) &&
350 		    (ic_id_table[i].lmp_subver != lmp_subver))
351 			continue;
352 		if ((ic_id_table[i].match_flags & IC_MATCH_FL_HCIREV) &&
353 		    (ic_id_table[i].hci_rev != hci_rev))
354 			continue;
355 		if ((ic_id_table[i].match_flags & IC_MATCH_FL_HCIVER) &&
356 		    (ic_id_table[i].hci_ver != hci_ver) &&
357 		    (ic_id_table[i].hci_ver != 0))
358 			continue;
359 		if ((ic_id_table[i].match_flags & IC_MATCH_FL_HCIBUS) &&
360 		    (ic_id_table[i].hci_bus != hci_bus))
361 			continue;
362 		if ((ic_id_table[i].match_flags & IC_MATCH_FL_CHIP_TYPE) &&
363 		    (ic_id_table[i].chip_type != chip_type))
364 			continue;
365 
366 		break;
367 	}
368 	if (i >= ARRAY_SIZE(ic_id_table))
369 		return NULL;
370 
371 	return &ic_id_table[i];
372 }
373 
374 static struct sk_buff *btrtl_read_local_version(struct hci_dev *hdev)
375 {
376 	struct sk_buff *skb;
377 
378 	skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL,
379 			     HCI_INIT_TIMEOUT);
380 	if (IS_ERR(skb)) {
381 		rtl_dev_err(hdev, "HCI_OP_READ_LOCAL_VERSION failed (%ld)",
382 			    PTR_ERR(skb));
383 		return skb;
384 	}
385 
386 	if (skb->len != sizeof(struct hci_rp_read_local_version)) {
387 		rtl_dev_err(hdev, "HCI_OP_READ_LOCAL_VERSION event length mismatch");
388 		kfree_skb(skb);
389 		return ERR_PTR(-EIO);
390 	}
391 
392 	return skb;
393 }
394 
395 static int rtl_read_rom_version(struct hci_dev *hdev, u8 *version)
396 {
397 	struct rtl_rom_version_evt *rom_version;
398 	struct sk_buff *skb;
399 
400 	/* Read RTL ROM version command */
401 	skb = __hci_cmd_sync(hdev, 0xfc6d, 0, NULL, HCI_INIT_TIMEOUT);
402 	if (IS_ERR(skb)) {
403 		rtl_dev_err(hdev, "Read ROM version failed (%ld)",
404 			    PTR_ERR(skb));
405 		return PTR_ERR(skb);
406 	}
407 
408 	if (skb->len != sizeof(*rom_version)) {
409 		rtl_dev_err(hdev, "version event length mismatch");
410 		kfree_skb(skb);
411 		return -EIO;
412 	}
413 
414 	rom_version = (struct rtl_rom_version_evt *)skb->data;
415 	rtl_dev_info(hdev, "rom_version status=%x version=%x",
416 		     rom_version->status, rom_version->version);
417 
418 	*version = rom_version->version;
419 
420 	kfree_skb(skb);
421 	return 0;
422 }
423 
424 static int btrtl_vendor_read_reg16(struct hci_dev *hdev,
425 				   struct rtl_vendor_cmd *cmd, u8 *rp)
426 {
427 	struct sk_buff *skb;
428 	int err = 0;
429 
430 	skb = __hci_cmd_sync(hdev, 0xfc61, sizeof(*cmd), cmd,
431 			     HCI_INIT_TIMEOUT);
432 	if (IS_ERR(skb)) {
433 		err = PTR_ERR(skb);
434 		rtl_dev_err(hdev, "RTL: Read reg16 failed (%d)", err);
435 		return err;
436 	}
437 
438 	if (skb->len != 3 || skb->data[0]) {
439 		bt_dev_err(hdev, "RTL: Read reg16 length mismatch");
440 		kfree_skb(skb);
441 		return -EIO;
442 	}
443 
444 	if (rp)
445 		memcpy(rp, skb->data + 1, 2);
446 
447 	kfree_skb(skb);
448 
449 	return 0;
450 }
451 
452 static void *rtl_iov_pull_data(struct rtl_iovec *iov, u32 len)
453 {
454 	void *data = iov->data;
455 
456 	if (iov->len < len)
457 		return NULL;
458 
459 	iov->data += len;
460 	iov->len  -= len;
461 
462 	return data;
463 }
464 
465 static void btrtl_insert_ordered_subsec(struct rtl_subsection *node,
466 					struct btrtl_device_info *btrtl_dev)
467 {
468 	struct list_head *pos;
469 	struct list_head *next;
470 	struct rtl_subsection *subsec;
471 
472 	list_for_each_safe(pos, next, &btrtl_dev->patch_subsecs) {
473 		subsec = list_entry(pos, struct rtl_subsection, list);
474 		if (subsec->prio >= node->prio)
475 			break;
476 	}
477 	__list_add(&node->list, pos->prev, pos);
478 }
479 
480 static int btrtl_parse_section(struct hci_dev *hdev,
481 			       struct btrtl_device_info *btrtl_dev, u32 opcode,
482 			       u8 *data, u32 len)
483 {
484 	struct rtl_section_hdr *hdr;
485 	struct rtl_subsection *subsec;
486 	struct rtl_common_subsec *common_subsec;
487 	struct rtl_sec_hdr *sec_hdr;
488 	int i;
489 	u8 *ptr;
490 	u16 num_subsecs;
491 	u32 subsec_len;
492 	int rc = 0;
493 	struct rtl_iovec iov = {
494 		.data = data,
495 		.len  = len,
496 	};
497 
498 	hdr = rtl_iov_pull_data(&iov, sizeof(*hdr));
499 	if (!hdr)
500 		return -EINVAL;
501 	num_subsecs = le16_to_cpu(hdr->num);
502 
503 	for (i = 0; i < num_subsecs; i++) {
504 		common_subsec = rtl_iov_pull_data(&iov, sizeof(*common_subsec));
505 		if (!common_subsec)
506 			break;
507 		subsec_len = le32_to_cpu(common_subsec->len);
508 
509 		rtl_dev_dbg(hdev, "subsec, eco 0x%02x, len %08x",
510 			    common_subsec->eco, subsec_len);
511 
512 		ptr = rtl_iov_pull_data(&iov, subsec_len);
513 		if (!ptr)
514 			break;
515 
516 		if (common_subsec->eco != btrtl_dev->rom_version + 1)
517 			continue;
518 
519 		switch (opcode) {
520 		case RTL_PATCH_SECURITY_HEADER:
521 			sec_hdr = (void *)common_subsec;
522 			if (sec_hdr->key_id != btrtl_dev->key_id)
523 				continue;
524 			break;
525 		}
526 
527 		subsec = kzalloc(sizeof(*subsec), GFP_KERNEL);
528 		if (!subsec)
529 			return -ENOMEM;
530 		subsec->opcode = opcode;
531 		subsec->prio = common_subsec->prio;
532 		subsec->len  = subsec_len;
533 		subsec->data = ptr;
534 		btrtl_insert_ordered_subsec(subsec, btrtl_dev);
535 		rc  += subsec_len;
536 	}
537 
538 	return rc;
539 }
540 
541 static int rtlbt_parse_firmware_v2(struct hci_dev *hdev,
542 				   struct btrtl_device_info *btrtl_dev,
543 				   unsigned char **_buf)
544 {
545 	struct rtl_epatch_header_v2 *hdr;
546 	int rc;
547 	u8 key_id;
548 	u32 num_sections;
549 	struct rtl_section *section;
550 	struct rtl_subsection *entry, *tmp;
551 	u32 section_len;
552 	u32 opcode;
553 	int len = 0;
554 	int i;
555 	u8 *ptr;
556 	struct rtl_iovec iov = {
557 		.data = btrtl_dev->fw_data,
558 		.len  = btrtl_dev->fw_len - 7, /* Cut the tail */
559 	};
560 
561 	key_id = btrtl_dev->key_id;
562 
563 	hdr = rtl_iov_pull_data(&iov, sizeof(*hdr));
564 	if (!hdr)
565 		return -EINVAL;
566 	num_sections = le32_to_cpu(hdr->num_sections);
567 
568 	rtl_dev_dbg(hdev, "FW version %08x-%08x", *((u32 *)hdr->fw_version),
569 		    *((u32 *)(hdr->fw_version + 4)));
570 
571 	for (i = 0; i < num_sections; i++) {
572 		section = rtl_iov_pull_data(&iov, sizeof(*section));
573 		if (!section)
574 			break;
575 		section_len = le32_to_cpu(section->len);
576 		opcode      = le32_to_cpu(section->opcode);
577 
578 		rtl_dev_dbg(hdev, "opcode 0x%04x", section->opcode);
579 
580 		ptr = rtl_iov_pull_data(&iov, section_len);
581 		if (!ptr)
582 			break;
583 
584 		switch (opcode) {
585 		case RTL_PATCH_SNIPPETS:
586 			rc = btrtl_parse_section(hdev, btrtl_dev, opcode,
587 						 ptr, section_len);
588 			break;
589 		case RTL_PATCH_SECURITY_HEADER:
590 			/* If key_id from chip is zero, ignore all security
591 			 * headers.
592 			 */
593 			if (!key_id)
594 				break;
595 			rc = btrtl_parse_section(hdev, btrtl_dev, opcode,
596 						 ptr, section_len);
597 			break;
598 		case RTL_PATCH_DUMMY_HEADER:
599 			rc = btrtl_parse_section(hdev, btrtl_dev, opcode,
600 						 ptr, section_len);
601 			break;
602 		default:
603 			rc = 0;
604 			break;
605 		}
606 		if (rc < 0) {
607 			rtl_dev_err(hdev, "RTL: Parse section (%u) err %d",
608 				    opcode, rc);
609 			return rc;
610 		}
611 		len += rc;
612 	}
613 
614 	if (!len)
615 		return -ENODATA;
616 
617 	/* Allocate mem and copy all found subsecs. */
618 	ptr = kvmalloc(len, GFP_KERNEL);
619 	if (!ptr)
620 		return -ENOMEM;
621 
622 	len = 0;
623 	list_for_each_entry_safe(entry, tmp, &btrtl_dev->patch_subsecs, list) {
624 		rtl_dev_dbg(hdev, "RTL: opcode %08x, addr %p, len 0x%x",
625 			    entry->opcode, entry->data, entry->len);
626 		memcpy(ptr + len, entry->data, entry->len);
627 		len += entry->len;
628 	}
629 
630 	if (!len) {
631 		kvfree(ptr);
632 		return -EPERM;
633 	}
634 
635 	*_buf = ptr;
636 	return len;
637 }
638 
639 static int rtlbt_parse_firmware(struct hci_dev *hdev,
640 				struct btrtl_device_info *btrtl_dev,
641 				unsigned char **_buf)
642 {
643 	static const u8 extension_sig[] = { 0x51, 0x04, 0xfd, 0x77 };
644 	struct btrealtek_data *coredump_info = hci_get_priv(hdev);
645 	struct rtl_epatch_header *epatch_info;
646 	unsigned char *buf;
647 	int i, len;
648 	size_t min_size;
649 	u8 opcode, length, data;
650 	int project_id = -1;
651 	const unsigned char *fwptr, *chip_id_base;
652 	const unsigned char *patch_length_base, *patch_offset_base;
653 	u32 patch_offset = 0;
654 	u16 patch_length, num_patches;
655 	static const struct {
656 		__u16 lmp_subver;
657 		__u8 id;
658 	} project_id_to_lmp_subver[] = {
659 		{ RTL_ROM_LMP_8723A, 0 },
660 		{ RTL_ROM_LMP_8723B, 1 },
661 		{ RTL_ROM_LMP_8821A, 2 },
662 		{ RTL_ROM_LMP_8761A, 3 },
663 		{ RTL_ROM_LMP_8703B, 7 },
664 		{ RTL_ROM_LMP_8822B, 8 },
665 		{ RTL_ROM_LMP_8723B, 9 },	/* 8723D */
666 		{ RTL_ROM_LMP_8821A, 10 },	/* 8821C */
667 		{ RTL_ROM_LMP_8822B, 13 },	/* 8822C */
668 		{ RTL_ROM_LMP_8761A, 14 },	/* 8761B */
669 		{ RTL_ROM_LMP_8852A, 18 },	/* 8852A */
670 		{ RTL_ROM_LMP_8852A, 20 },	/* 8852B */
671 		{ RTL_ROM_LMP_8852A, 25 },	/* 8852C */
672 		{ RTL_ROM_LMP_8851B, 36 },	/* 8851B */
673 		{ RTL_ROM_LMP_8922A, 44 },	/* 8922A */
674 		{ RTL_ROM_LMP_8852A, 47 },	/* 8852BT */
675 		{ RTL_ROM_LMP_8761A, 51 },	/* 8761C */
676 	};
677 
678 	if (btrtl_dev->fw_len <= 8)
679 		return -EINVAL;
680 
681 	if (!memcmp(btrtl_dev->fw_data, RTL_EPATCH_SIGNATURE, 8))
682 		min_size = sizeof(struct rtl_epatch_header) +
683 				sizeof(extension_sig) + 3;
684 	else if (!memcmp(btrtl_dev->fw_data, RTL_EPATCH_SIGNATURE_V2, 8))
685 		min_size = sizeof(struct rtl_epatch_header_v2) +
686 				sizeof(extension_sig) + 3;
687 	else
688 		return -EINVAL;
689 
690 	if (btrtl_dev->fw_len < min_size)
691 		return -EINVAL;
692 
693 	fwptr = btrtl_dev->fw_data + btrtl_dev->fw_len - sizeof(extension_sig);
694 	if (memcmp(fwptr, extension_sig, sizeof(extension_sig)) != 0) {
695 		rtl_dev_err(hdev, "extension section signature mismatch");
696 		return -EINVAL;
697 	}
698 
699 	/* Loop from the end of the firmware parsing instructions, until
700 	 * we find an instruction that identifies the "project ID" for the
701 	 * hardware supported by this firmware file.
702 	 * Once we have that, we double-check that project_id is suitable
703 	 * for the hardware we are working with.
704 	 */
705 	while (fwptr >= btrtl_dev->fw_data + (sizeof(*epatch_info) + 3)) {
706 		opcode = *--fwptr;
707 		length = *--fwptr;
708 		data = *--fwptr;
709 
710 		BT_DBG("check op=%x len=%x data=%x", opcode, length, data);
711 
712 		if (opcode == 0xff) /* EOF */
713 			break;
714 
715 		if (length == 0) {
716 			rtl_dev_err(hdev, "found instruction with length 0");
717 			return -EINVAL;
718 		}
719 
720 		if (opcode == 0 && length == 1) {
721 			project_id = data;
722 			break;
723 		}
724 
725 		fwptr -= length;
726 	}
727 
728 	if (project_id < 0) {
729 		rtl_dev_err(hdev, "failed to find version instruction");
730 		return -EINVAL;
731 	}
732 
733 	/* Find project_id in table */
734 	for (i = 0; i < ARRAY_SIZE(project_id_to_lmp_subver); i++) {
735 		if (project_id == project_id_to_lmp_subver[i].id) {
736 			btrtl_dev->project_id = project_id;
737 			break;
738 		}
739 	}
740 
741 	if (i >= ARRAY_SIZE(project_id_to_lmp_subver)) {
742 		rtl_dev_err(hdev, "unknown project id %d", project_id);
743 		return -EINVAL;
744 	}
745 
746 	if (btrtl_dev->ic_info->lmp_subver !=
747 				project_id_to_lmp_subver[i].lmp_subver) {
748 		rtl_dev_err(hdev, "firmware is for %x but this is a %x",
749 			    project_id_to_lmp_subver[i].lmp_subver,
750 			    btrtl_dev->ic_info->lmp_subver);
751 		return -EINVAL;
752 	}
753 
754 	if (memcmp(btrtl_dev->fw_data, RTL_EPATCH_SIGNATURE, 8) != 0) {
755 		if (!memcmp(btrtl_dev->fw_data, RTL_EPATCH_SIGNATURE_V2, 8))
756 			return rtlbt_parse_firmware_v2(hdev, btrtl_dev, _buf);
757 		rtl_dev_err(hdev, "bad EPATCH signature");
758 		return -EINVAL;
759 	}
760 
761 	epatch_info = (struct rtl_epatch_header *)btrtl_dev->fw_data;
762 	num_patches = le16_to_cpu(epatch_info->num_patches);
763 
764 	BT_DBG("fw_version=%x, num_patches=%d",
765 	       le32_to_cpu(epatch_info->fw_version), num_patches);
766 	coredump_info->rtl_dump.fw_version = le32_to_cpu(epatch_info->fw_version);
767 
768 	/* After the rtl_epatch_header there is a funky patch metadata section.
769 	 * Assuming 2 patches, the layout is:
770 	 * ChipID1 ChipID2 PatchLength1 PatchLength2 PatchOffset1 PatchOffset2
771 	 *
772 	 * Find the right patch for this chip.
773 	 */
774 	min_size += 8 * num_patches;
775 	if (btrtl_dev->fw_len < min_size)
776 		return -EINVAL;
777 
778 	chip_id_base = btrtl_dev->fw_data + sizeof(struct rtl_epatch_header);
779 	patch_length_base = chip_id_base + (sizeof(u16) * num_patches);
780 	patch_offset_base = patch_length_base + (sizeof(u16) * num_patches);
781 	for (i = 0; i < num_patches; i++) {
782 		u16 chip_id = get_unaligned_le16(chip_id_base +
783 						 (i * sizeof(u16)));
784 		if (chip_id == btrtl_dev->rom_version + 1) {
785 			patch_length = get_unaligned_le16(patch_length_base +
786 							  (i * sizeof(u16)));
787 			patch_offset = get_unaligned_le32(patch_offset_base +
788 							  (i * sizeof(u32)));
789 			break;
790 		}
791 	}
792 
793 	if (!patch_offset) {
794 		rtl_dev_err(hdev, "didn't find patch for chip id %d",
795 			    btrtl_dev->rom_version);
796 		return -EINVAL;
797 	}
798 
799 	BT_DBG("length=%x offset=%x index %d", patch_length, patch_offset, i);
800 	min_size = patch_offset + patch_length;
801 	if (btrtl_dev->fw_len < min_size)
802 		return -EINVAL;
803 
804 	/* Copy the firmware into a new buffer and write the version at
805 	 * the end.
806 	 */
807 	len = patch_length;
808 	buf = kvmalloc(patch_length, GFP_KERNEL);
809 	if (!buf)
810 		return -ENOMEM;
811 
812 	memcpy(buf, btrtl_dev->fw_data + patch_offset, patch_length - 4);
813 	memcpy(buf + patch_length - 4, &epatch_info->fw_version, 4);
814 
815 	*_buf = buf;
816 	return len;
817 }
818 
819 static int rtl_download_firmware(struct hci_dev *hdev,
820 				 const unsigned char *data, int fw_len)
821 {
822 	struct rtl_download_cmd *dl_cmd;
823 	int frag_num = fw_len / RTL_FRAG_LEN + 1;
824 	int frag_len = RTL_FRAG_LEN;
825 	int ret = 0;
826 	int i;
827 	int j = 0;
828 	struct sk_buff *skb;
829 	struct hci_rp_read_local_version *rp;
830 
831 	dl_cmd = kmalloc(sizeof(*dl_cmd), GFP_KERNEL);
832 	if (!dl_cmd)
833 		return -ENOMEM;
834 
835 	for (i = 0; i < frag_num; i++) {
836 		struct sk_buff *skb;
837 
838 		dl_cmd->index = j++;
839 		if (dl_cmd->index == 0x7f)
840 			j = 1;
841 
842 		if (i == (frag_num - 1)) {
843 			dl_cmd->index |= 0x80; /* data end */
844 			frag_len = fw_len % RTL_FRAG_LEN;
845 		}
846 		rtl_dev_dbg(hdev, "download fw (%d/%d). index = %d", i,
847 				frag_num, dl_cmd->index);
848 		memcpy(dl_cmd->data, data, frag_len);
849 
850 		/* Send download command */
851 		skb = __hci_cmd_sync(hdev, 0xfc20, frag_len + 1, dl_cmd,
852 				     HCI_INIT_TIMEOUT);
853 		if (IS_ERR(skb)) {
854 			rtl_dev_err(hdev, "download fw command failed (%ld)",
855 				    PTR_ERR(skb));
856 			ret = PTR_ERR(skb);
857 			goto out;
858 		}
859 
860 		if (skb->len != sizeof(struct rtl_download_response)) {
861 			rtl_dev_err(hdev, "download fw event length mismatch");
862 			kfree_skb(skb);
863 			ret = -EIO;
864 			goto out;
865 		}
866 
867 		kfree_skb(skb);
868 		data += RTL_FRAG_LEN;
869 	}
870 
871 	skb = btrtl_read_local_version(hdev);
872 	if (IS_ERR(skb)) {
873 		ret = PTR_ERR(skb);
874 		rtl_dev_err(hdev, "read local version failed");
875 		goto out;
876 	}
877 
878 	rp = (struct hci_rp_read_local_version *)skb->data;
879 	rtl_dev_info(hdev, "fw version 0x%04x%04x",
880 		     __le16_to_cpu(rp->hci_rev), __le16_to_cpu(rp->lmp_subver));
881 	kfree_skb(skb);
882 
883 out:
884 	kfree(dl_cmd);
885 	return ret;
886 }
887 
888 static int rtl_load_file(struct hci_dev *hdev, const char *name, u8 **buff)
889 {
890 	const struct firmware *fw;
891 	int ret;
892 
893 	rtl_dev_info(hdev, "loading %s", name);
894 	ret = request_firmware(&fw, name, &hdev->dev);
895 	if (ret < 0)
896 		return ret;
897 	ret = fw->size;
898 	*buff = kvmemdup(fw->data, fw->size, GFP_KERNEL);
899 	if (!*buff)
900 		ret = -ENOMEM;
901 
902 	release_firmware(fw);
903 
904 	return ret;
905 }
906 
907 static int btrtl_setup_rtl8723a(struct hci_dev *hdev,
908 				struct btrtl_device_info *btrtl_dev)
909 {
910 	if (btrtl_dev->fw_len < 8)
911 		return -EINVAL;
912 
913 	/* Check that the firmware doesn't have the epatch signature
914 	 * (which is only for RTL8723B and newer).
915 	 */
916 	if (!memcmp(btrtl_dev->fw_data, RTL_EPATCH_SIGNATURE, 8)) {
917 		rtl_dev_err(hdev, "unexpected EPATCH signature!");
918 		return -EINVAL;
919 	}
920 
921 	return rtl_download_firmware(hdev, btrtl_dev->fw_data,
922 				     btrtl_dev->fw_len);
923 }
924 
925 static int btrtl_setup_rtl8723b(struct hci_dev *hdev,
926 				struct btrtl_device_info *btrtl_dev)
927 {
928 	unsigned char *fw_data = NULL;
929 	int ret;
930 	u8 *tbuff;
931 
932 	ret = rtlbt_parse_firmware(hdev, btrtl_dev, &fw_data);
933 	if (ret < 0)
934 		goto out;
935 
936 	if (btrtl_dev->cfg_len > 0) {
937 		tbuff = kvzalloc(ret + btrtl_dev->cfg_len, GFP_KERNEL);
938 		if (!tbuff) {
939 			ret = -ENOMEM;
940 			goto out;
941 		}
942 
943 		memcpy(tbuff, fw_data, ret);
944 		kvfree(fw_data);
945 
946 		memcpy(tbuff + ret, btrtl_dev->cfg_data, btrtl_dev->cfg_len);
947 		ret += btrtl_dev->cfg_len;
948 
949 		fw_data = tbuff;
950 	}
951 
952 	rtl_dev_info(hdev, "cfg_sz %d, total sz %d", btrtl_dev->cfg_len, ret);
953 
954 	ret = rtl_download_firmware(hdev, fw_data, ret);
955 
956 out:
957 	kvfree(fw_data);
958 	return ret;
959 }
960 
961 static void btrtl_coredump(struct hci_dev *hdev)
962 {
963 	static const u8 param[] = { 0x00, 0x00 };
964 
965 	__hci_cmd_send(hdev, RTL_VSC_OP_COREDUMP, sizeof(param), param);
966 }
967 
968 static void btrtl_dmp_hdr(struct hci_dev *hdev, struct sk_buff *skb)
969 {
970 	struct btrealtek_data *coredump_info = hci_get_priv(hdev);
971 	char buf[80];
972 
973 	if (coredump_info->rtl_dump.controller)
974 		snprintf(buf, sizeof(buf), "Controller Name: %s\n",
975 			 coredump_info->rtl_dump.controller);
976 	else
977 		snprintf(buf, sizeof(buf), "Controller Name: Unknown\n");
978 	skb_put_data(skb, buf, strlen(buf));
979 
980 	snprintf(buf, sizeof(buf), "Firmware Version: 0x%X\n",
981 		 coredump_info->rtl_dump.fw_version);
982 	skb_put_data(skb, buf, strlen(buf));
983 
984 	snprintf(buf, sizeof(buf), "Driver: %s\n", coredump_info->rtl_dump.driver_name);
985 	skb_put_data(skb, buf, strlen(buf));
986 
987 	snprintf(buf, sizeof(buf), "Vendor: Realtek\n");
988 	skb_put_data(skb, buf, strlen(buf));
989 }
990 
991 static void btrtl_register_devcoredump_support(struct hci_dev *hdev)
992 {
993 	hci_devcd_register(hdev, btrtl_coredump, btrtl_dmp_hdr, NULL);
994 
995 }
996 
997 void btrtl_set_driver_name(struct hci_dev *hdev, const char *driver_name)
998 {
999 	struct btrealtek_data *coredump_info = hci_get_priv(hdev);
1000 
1001 	coredump_info->rtl_dump.driver_name = driver_name;
1002 }
1003 EXPORT_SYMBOL_GPL(btrtl_set_driver_name);
1004 
1005 static bool rtl_has_chip_type(u16 lmp_subver)
1006 {
1007 	switch (lmp_subver) {
1008 	case RTL_ROM_LMP_8703B:
1009 		return true;
1010 	default:
1011 		break;
1012 	}
1013 
1014 	return  false;
1015 }
1016 
1017 static int rtl_read_chip_type(struct hci_dev *hdev, u8 *type)
1018 {
1019 	struct rtl_chip_type_evt *chip_type;
1020 	struct sk_buff *skb;
1021 	const unsigned char cmd_buf[] = {0x00, 0x94, 0xa0, 0x00, 0xb0};
1022 
1023 	/* Read RTL chip type command */
1024 	skb = __hci_cmd_sync(hdev, 0xfc61, 5, cmd_buf, HCI_INIT_TIMEOUT);
1025 	if (IS_ERR(skb)) {
1026 		rtl_dev_err(hdev, "Read chip type failed (%ld)",
1027 			    PTR_ERR(skb));
1028 		return PTR_ERR(skb);
1029 	}
1030 
1031 	chip_type = skb_pull_data(skb, sizeof(*chip_type));
1032 	if (!chip_type) {
1033 		rtl_dev_err(hdev, "RTL chip type event length mismatch");
1034 		kfree_skb(skb);
1035 		return -EIO;
1036 	}
1037 
1038 	rtl_dev_info(hdev, "chip_type status=%x type=%x",
1039 		     chip_type->status, chip_type->type);
1040 
1041 	*type = chip_type->type & 0x0f;
1042 
1043 	kfree_skb(skb);
1044 	return 0;
1045 }
1046 
1047 void btrtl_free(struct btrtl_device_info *btrtl_dev)
1048 {
1049 	struct rtl_subsection *entry, *tmp;
1050 
1051 	kvfree(btrtl_dev->fw_data);
1052 	kvfree(btrtl_dev->cfg_data);
1053 
1054 	list_for_each_entry_safe(entry, tmp, &btrtl_dev->patch_subsecs, list) {
1055 		list_del(&entry->list);
1056 		kfree(entry);
1057 	}
1058 
1059 	kfree(btrtl_dev);
1060 }
1061 EXPORT_SYMBOL_GPL(btrtl_free);
1062 
1063 struct btrtl_device_info *btrtl_initialize(struct hci_dev *hdev,
1064 					   const char *postfix)
1065 {
1066 	struct btrealtek_data *coredump_info = hci_get_priv(hdev);
1067 	struct btrtl_device_info *btrtl_dev;
1068 	struct sk_buff *skb;
1069 	struct hci_rp_read_local_version *resp;
1070 	struct hci_command_hdr *cmd;
1071 	char fw_name[40];
1072 	char cfg_name[40];
1073 	u16 hci_rev, lmp_subver;
1074 	u8 hci_ver, lmp_ver, chip_type = 0;
1075 	int ret;
1076 	int rc;
1077 	u8 key_id;
1078 	u8 reg_val[2];
1079 
1080 	btrtl_dev = kzalloc(sizeof(*btrtl_dev), GFP_KERNEL);
1081 	if (!btrtl_dev) {
1082 		ret = -ENOMEM;
1083 		goto err_alloc;
1084 	}
1085 
1086 	INIT_LIST_HEAD(&btrtl_dev->patch_subsecs);
1087 
1088 check_version:
1089 	ret = btrtl_vendor_read_reg16(hdev, RTL_CHIP_SUBVER, reg_val);
1090 	if (ret < 0)
1091 		goto err_free;
1092 	lmp_subver = get_unaligned_le16(reg_val);
1093 
1094 	if (lmp_subver == RTL_ROM_LMP_8822B) {
1095 		ret = btrtl_vendor_read_reg16(hdev, RTL_CHIP_REV, reg_val);
1096 		if (ret < 0)
1097 			goto err_free;
1098 		hci_rev = get_unaligned_le16(reg_val);
1099 
1100 		/* 8822E */
1101 		if (hci_rev == 0x000e) {
1102 			hci_ver = 0x0c;
1103 			lmp_ver = 0x0c;
1104 			btrtl_dev->ic_info = btrtl_match_ic(lmp_subver, hci_rev,
1105 							    hci_ver, hdev->bus,
1106 							    chip_type);
1107 			goto next;
1108 		}
1109 	}
1110 
1111 	skb = btrtl_read_local_version(hdev);
1112 	if (IS_ERR(skb)) {
1113 		ret = PTR_ERR(skb);
1114 		goto err_free;
1115 	}
1116 
1117 	resp = (struct hci_rp_read_local_version *)skb->data;
1118 
1119 	hci_ver    = resp->hci_ver;
1120 	hci_rev    = le16_to_cpu(resp->hci_rev);
1121 	lmp_ver    = resp->lmp_ver;
1122 	lmp_subver = le16_to_cpu(resp->lmp_subver);
1123 
1124 	kfree_skb(skb);
1125 
1126 	if (rtl_has_chip_type(lmp_subver)) {
1127 		ret = rtl_read_chip_type(hdev, &chip_type);
1128 		if (ret)
1129 			goto err_free;
1130 	}
1131 
1132 	btrtl_dev->ic_info = btrtl_match_ic(lmp_subver, hci_rev, hci_ver,
1133 					    hdev->bus, chip_type);
1134 
1135 next:
1136 	rtl_dev_info(hdev, "examining hci_ver=%02x hci_rev=%04x lmp_ver=%02x lmp_subver=%04x",
1137 		     hci_ver, hci_rev,
1138 		     lmp_ver, lmp_subver);
1139 
1140 	if (!btrtl_dev->ic_info && !btrtl_dev->drop_fw)
1141 		btrtl_dev->drop_fw = true;
1142 	else
1143 		btrtl_dev->drop_fw = false;
1144 
1145 	if (btrtl_dev->drop_fw) {
1146 		skb = bt_skb_alloc(sizeof(*cmd), GFP_KERNEL);
1147 		if (!skb)
1148 			goto err_free;
1149 
1150 		cmd = skb_put(skb, HCI_COMMAND_HDR_SIZE);
1151 		cmd->opcode = cpu_to_le16(0xfc66);
1152 		cmd->plen = 0;
1153 
1154 		hci_skb_pkt_type(skb) = HCI_COMMAND_PKT;
1155 
1156 		ret = hdev->send(hdev, skb);
1157 		if (ret < 0) {
1158 			bt_dev_err(hdev, "sending frame failed (%d)", ret);
1159 			kfree_skb(skb);
1160 			goto err_free;
1161 		}
1162 
1163 		/* Ensure the above vendor command is sent to controller and
1164 		 * process has done.
1165 		 */
1166 		msleep(200);
1167 
1168 		goto check_version;
1169 	}
1170 
1171 	if (!btrtl_dev->ic_info) {
1172 		rtl_dev_info(hdev, "unknown IC info, lmp subver %04x, hci rev %04x, hci ver %04x",
1173 			    lmp_subver, hci_rev, hci_ver);
1174 		return btrtl_dev;
1175 	}
1176 
1177 	if (btrtl_dev->ic_info->has_rom_version) {
1178 		ret = rtl_read_rom_version(hdev, &btrtl_dev->rom_version);
1179 		if (ret)
1180 			goto err_free;
1181 	}
1182 
1183 	if (!btrtl_dev->ic_info->fw_name) {
1184 		ret = -ENOMEM;
1185 		goto err_free;
1186 	}
1187 
1188 	rc = btrtl_vendor_read_reg16(hdev, RTL_SEC_PROJ, reg_val);
1189 	if (rc < 0)
1190 		goto err_free;
1191 
1192 	key_id = reg_val[0];
1193 	btrtl_dev->key_id = key_id;
1194 	rtl_dev_info(hdev, "%s: key id %u", __func__, key_id);
1195 
1196 	btrtl_dev->fw_len = -EIO;
1197 	if (lmp_subver == RTL_ROM_LMP_8852A && hci_rev == 0x000c) {
1198 		snprintf(fw_name, sizeof(fw_name), "%s_v2.bin",
1199 				btrtl_dev->ic_info->fw_name);
1200 		btrtl_dev->fw_len = rtl_load_file(hdev, fw_name,
1201 				&btrtl_dev->fw_data);
1202 	}
1203 
1204 	if (btrtl_dev->fw_len < 0) {
1205 		snprintf(fw_name, sizeof(fw_name), "%s.bin",
1206 				btrtl_dev->ic_info->fw_name);
1207 		btrtl_dev->fw_len = rtl_load_file(hdev, fw_name,
1208 				&btrtl_dev->fw_data);
1209 	}
1210 
1211 	if (btrtl_dev->fw_len < 0) {
1212 		rtl_dev_err(hdev, "firmware file %s not found",
1213 			    btrtl_dev->ic_info->fw_name);
1214 		ret = btrtl_dev->fw_len;
1215 		goto err_free;
1216 	}
1217 
1218 	if (btrtl_dev->ic_info->cfg_name && !btrtl_dev->key_id) {
1219 		if (postfix) {
1220 			snprintf(cfg_name, sizeof(cfg_name), "%s-%s.bin",
1221 				 btrtl_dev->ic_info->cfg_name, postfix);
1222 		} else {
1223 			snprintf(cfg_name, sizeof(cfg_name), "%s.bin",
1224 				 btrtl_dev->ic_info->cfg_name);
1225 		}
1226 		btrtl_dev->cfg_len = rtl_load_file(hdev, cfg_name,
1227 						   &btrtl_dev->cfg_data);
1228 		if (btrtl_dev->ic_info->config_needed &&
1229 		    btrtl_dev->cfg_len <= 0) {
1230 			rtl_dev_err(hdev, "mandatory config file %s not found",
1231 				    btrtl_dev->ic_info->cfg_name);
1232 			ret = btrtl_dev->cfg_len;
1233 			if (!ret)
1234 				ret = -EINVAL;
1235 			goto err_free;
1236 		}
1237 	}
1238 
1239 	/* The following chips supports the Microsoft vendor extension,
1240 	 * therefore set the corresponding VsMsftOpCode.
1241 	 */
1242 	if (btrtl_dev->ic_info->has_msft_ext)
1243 		hci_set_msft_opcode(hdev, 0xFCF0);
1244 
1245 	if (btrtl_dev->ic_info)
1246 		coredump_info->rtl_dump.controller = btrtl_dev->ic_info->hw_info;
1247 
1248 	return btrtl_dev;
1249 
1250 err_free:
1251 	btrtl_free(btrtl_dev);
1252 err_alloc:
1253 	return ERR_PTR(ret);
1254 }
1255 EXPORT_SYMBOL_GPL(btrtl_initialize);
1256 
1257 int btrtl_download_firmware(struct hci_dev *hdev,
1258 			    struct btrtl_device_info *btrtl_dev)
1259 {
1260 	int err = 0;
1261 
1262 	/* Match a set of subver values that correspond to stock firmware,
1263 	 * which is not compatible with standard btusb.
1264 	 * If matched, upload an alternative firmware that does conform to
1265 	 * standard btusb. Once that firmware is uploaded, the subver changes
1266 	 * to a different value.
1267 	 */
1268 	if (!btrtl_dev->ic_info) {
1269 		rtl_dev_info(hdev, "assuming no firmware upload needed");
1270 		err = 0;
1271 		goto done;
1272 	}
1273 
1274 	switch (btrtl_dev->ic_info->lmp_subver) {
1275 	case RTL_ROM_LMP_8723A:
1276 		err = btrtl_setup_rtl8723a(hdev, btrtl_dev);
1277 		break;
1278 	case RTL_ROM_LMP_8723B:
1279 	case RTL_ROM_LMP_8821A:
1280 	case RTL_ROM_LMP_8761A:
1281 	case RTL_ROM_LMP_8822B:
1282 	case RTL_ROM_LMP_8852A:
1283 	case RTL_ROM_LMP_8703B:
1284 	case RTL_ROM_LMP_8851B:
1285 	case RTL_ROM_LMP_8922A:
1286 		err = btrtl_setup_rtl8723b(hdev, btrtl_dev);
1287 		break;
1288 	default:
1289 		rtl_dev_info(hdev, "assuming no firmware upload needed");
1290 		break;
1291 	}
1292 
1293 done:
1294 	btrtl_register_devcoredump_support(hdev);
1295 
1296 	return err;
1297 }
1298 EXPORT_SYMBOL_GPL(btrtl_download_firmware);
1299 
1300 void btrtl_set_quirks(struct hci_dev *hdev, struct btrtl_device_info *btrtl_dev)
1301 {
1302 	/* Enable controller to do both LE scan and BR/EDR inquiry
1303 	 * simultaneously.
1304 	 */
1305 	hci_set_quirk(hdev, HCI_QUIRK_SIMULTANEOUS_DISCOVERY);
1306 
1307 	/* Enable central-peripheral role (able to create new connections with
1308 	 * an existing connection in slave role).
1309 	 */
1310 	/* Enable WBS supported for the specific Realtek devices. */
1311 	switch (btrtl_dev->project_id) {
1312 	case CHIP_ID_8822C:
1313 	case CHIP_ID_8852A:
1314 	case CHIP_ID_8852B:
1315 	case CHIP_ID_8852C:
1316 	case CHIP_ID_8851B:
1317 	case CHIP_ID_8922A:
1318 	case CHIP_ID_8852BT:
1319 	case CHIP_ID_8761C:
1320 		hci_set_quirk(hdev, HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED);
1321 
1322 		/* RTL8852C needs to transmit mSBC data continuously without
1323 		 * the zero length of USB packets for the ALT 6 supported chips
1324 		 */
1325 		if (btrtl_dev->project_id == CHIP_ID_8852C)
1326 			btrealtek_set_flag(hdev, REALTEK_ALT6_CONTINUOUS_TX_CHIP);
1327 
1328 		if (btrtl_dev->project_id == CHIP_ID_8852A ||
1329 		    btrtl_dev->project_id == CHIP_ID_8852B ||
1330 		    btrtl_dev->project_id == CHIP_ID_8852C)
1331 			hci_set_quirk(hdev,
1332 				      HCI_QUIRK_USE_MSFT_EXT_ADDRESS_FILTER);
1333 
1334 		hci_set_aosp_capable(hdev);
1335 		break;
1336 	default:
1337 		rtl_dev_dbg(hdev, "Central-peripheral role not enabled.");
1338 		rtl_dev_dbg(hdev, "WBS supported not enabled.");
1339 		break;
1340 	}
1341 
1342 	if (!btrtl_dev->ic_info)
1343 		return;
1344 
1345 	switch (btrtl_dev->ic_info->lmp_subver) {
1346 	case RTL_ROM_LMP_8703B:
1347 		/* 8723CS reports two pages for local ext features,
1348 		 * but it doesn't support any features from page 2 -
1349 		 * it either responds with garbage or with error status
1350 		 */
1351 		hci_set_quirk(hdev, HCI_QUIRK_BROKEN_LOCAL_EXT_FEATURES_PAGE_2);
1352 		break;
1353 	default:
1354 		break;
1355 	}
1356 }
1357 EXPORT_SYMBOL_GPL(btrtl_set_quirks);
1358 
1359 int btrtl_setup_realtek(struct hci_dev *hdev)
1360 {
1361 	struct btrtl_device_info *btrtl_dev;
1362 	int ret;
1363 
1364 	btrtl_dev = btrtl_initialize(hdev, NULL);
1365 	if (IS_ERR(btrtl_dev))
1366 		return PTR_ERR(btrtl_dev);
1367 
1368 	ret = btrtl_download_firmware(hdev, btrtl_dev);
1369 
1370 	btrtl_set_quirks(hdev, btrtl_dev);
1371 
1372 	if (btrtl_dev->ic_info) {
1373 		hci_set_hw_info(hdev,
1374 			"RTL lmp_subver=%u hci_rev=%u hci_ver=%u hci_bus=%u",
1375 			btrtl_dev->ic_info->lmp_subver,
1376 			btrtl_dev->ic_info->hci_rev,
1377 			btrtl_dev->ic_info->hci_ver,
1378 			btrtl_dev->ic_info->hci_bus);
1379 	}
1380 
1381 	btrtl_free(btrtl_dev);
1382 	return ret;
1383 }
1384 EXPORT_SYMBOL_GPL(btrtl_setup_realtek);
1385 
1386 int btrtl_shutdown_realtek(struct hci_dev *hdev)
1387 {
1388 	struct sk_buff *skb;
1389 	int ret;
1390 
1391 	/* According to the vendor driver, BT must be reset on close to avoid
1392 	 * firmware crash.
1393 	 */
1394 	skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_CMD_TIMEOUT);
1395 	if (IS_ERR(skb)) {
1396 		ret = PTR_ERR(skb);
1397 		bt_dev_err(hdev, "HCI reset during shutdown failed");
1398 		return ret;
1399 	}
1400 	kfree_skb(skb);
1401 
1402 	return 0;
1403 }
1404 EXPORT_SYMBOL_GPL(btrtl_shutdown_realtek);
1405 
1406 static unsigned int btrtl_convert_baudrate(u32 device_baudrate)
1407 {
1408 	switch (device_baudrate) {
1409 	case 0x0252a00a:
1410 		return 230400;
1411 
1412 	case 0x05f75004:
1413 		return 921600;
1414 
1415 	case 0x00005004:
1416 		return 1000000;
1417 
1418 	case 0x04928002:
1419 	case 0x01128002:
1420 		return 1500000;
1421 
1422 	case 0x00005002:
1423 		return 2000000;
1424 
1425 	case 0x0000b001:
1426 		return 2500000;
1427 
1428 	case 0x04928001:
1429 		return 3000000;
1430 
1431 	case 0x052a6001:
1432 		return 3500000;
1433 
1434 	case 0x00005001:
1435 		return 4000000;
1436 
1437 	case 0x0252c014:
1438 	default:
1439 		return 115200;
1440 	}
1441 }
1442 
1443 int btrtl_get_uart_settings(struct hci_dev *hdev,
1444 			    struct btrtl_device_info *btrtl_dev,
1445 			    unsigned int *controller_baudrate,
1446 			    u32 *device_baudrate, bool *flow_control)
1447 {
1448 	struct rtl_vendor_config *config;
1449 	struct rtl_vendor_config_entry *entry;
1450 	int i, total_data_len;
1451 	bool found = false;
1452 
1453 	total_data_len = btrtl_dev->cfg_len - sizeof(*config);
1454 	if (total_data_len <= 0) {
1455 		rtl_dev_warn(hdev, "no config loaded");
1456 		return -EINVAL;
1457 	}
1458 
1459 	config = (struct rtl_vendor_config *)btrtl_dev->cfg_data;
1460 	if (le32_to_cpu(config->signature) != RTL_CONFIG_MAGIC) {
1461 		rtl_dev_err(hdev, "invalid config magic");
1462 		return -EINVAL;
1463 	}
1464 
1465 	if (total_data_len < le16_to_cpu(config->total_len)) {
1466 		rtl_dev_err(hdev, "config is too short");
1467 		return -EINVAL;
1468 	}
1469 
1470 	for (i = 0; i < total_data_len; ) {
1471 		entry = ((void *)config->entry) + i;
1472 
1473 		switch (le16_to_cpu(entry->offset)) {
1474 		case 0xc:
1475 			if (entry->len < sizeof(*device_baudrate)) {
1476 				rtl_dev_err(hdev, "invalid UART config entry");
1477 				return -EINVAL;
1478 			}
1479 
1480 			*device_baudrate = get_unaligned_le32(entry->data);
1481 			*controller_baudrate = btrtl_convert_baudrate(
1482 							*device_baudrate);
1483 
1484 			if (entry->len >= 13)
1485 				*flow_control = !!(entry->data[12] & BIT(2));
1486 			else
1487 				*flow_control = false;
1488 
1489 			found = true;
1490 			break;
1491 
1492 		default:
1493 			rtl_dev_dbg(hdev, "skipping config entry 0x%x (len %u)",
1494 				   le16_to_cpu(entry->offset), entry->len);
1495 			break;
1496 		}
1497 
1498 		i += sizeof(*entry) + entry->len;
1499 	}
1500 
1501 	if (!found) {
1502 		rtl_dev_err(hdev, "no UART config entry found");
1503 		return -ENOENT;
1504 	}
1505 
1506 	rtl_dev_dbg(hdev, "device baudrate = 0x%08x", *device_baudrate);
1507 	rtl_dev_dbg(hdev, "controller baudrate = %u", *controller_baudrate);
1508 	rtl_dev_dbg(hdev, "flow control %d", *flow_control);
1509 
1510 	return 0;
1511 }
1512 EXPORT_SYMBOL_GPL(btrtl_get_uart_settings);
1513 
1514 MODULE_AUTHOR("Daniel Drake <drake@endlessm.com>");
1515 MODULE_DESCRIPTION("Bluetooth support for Realtek devices ver " VERSION);
1516 MODULE_VERSION(VERSION);
1517 MODULE_LICENSE("GPL");
1518 MODULE_FIRMWARE("rtl_bt/rtl8723a_fw.bin");
1519 MODULE_FIRMWARE("rtl_bt/rtl8723b_fw.bin");
1520 MODULE_FIRMWARE("rtl_bt/rtl8723b_config.bin");
1521 MODULE_FIRMWARE("rtl_bt/rtl8723bs_fw.bin");
1522 MODULE_FIRMWARE("rtl_bt/rtl8723bs_config.bin");
1523 MODULE_FIRMWARE("rtl_bt/rtl8723cs_cg_fw.bin");
1524 MODULE_FIRMWARE("rtl_bt/rtl8723cs_cg_config.bin");
1525 MODULE_FIRMWARE("rtl_bt/rtl8723cs_vf_fw.bin");
1526 MODULE_FIRMWARE("rtl_bt/rtl8723cs_vf_config.bin");
1527 MODULE_FIRMWARE("rtl_bt/rtl8723cs_xx_fw.bin");
1528 MODULE_FIRMWARE("rtl_bt/rtl8723cs_xx_config.bin");
1529 MODULE_FIRMWARE("rtl_bt/rtl8723d_fw.bin");
1530 MODULE_FIRMWARE("rtl_bt/rtl8723d_config.bin");
1531 MODULE_FIRMWARE("rtl_bt/rtl8723ds_fw.bin");
1532 MODULE_FIRMWARE("rtl_bt/rtl8723ds_config.bin");
1533 MODULE_FIRMWARE("rtl_bt/rtl8761a_fw.bin");
1534 MODULE_FIRMWARE("rtl_bt/rtl8761a_config.bin");
1535 MODULE_FIRMWARE("rtl_bt/rtl8761b_fw.bin");
1536 MODULE_FIRMWARE("rtl_bt/rtl8761b_config.bin");
1537 MODULE_FIRMWARE("rtl_bt/rtl8761bu_fw.bin");
1538 MODULE_FIRMWARE("rtl_bt/rtl8761bu_config.bin");
1539 MODULE_FIRMWARE("rtl_bt/rtl8761cu_fw.bin");
1540 MODULE_FIRMWARE("rtl_bt/rtl8761cu_config.bin");
1541 MODULE_FIRMWARE("rtl_bt/rtl8821a_fw.bin");
1542 MODULE_FIRMWARE("rtl_bt/rtl8821a_config.bin");
1543 MODULE_FIRMWARE("rtl_bt/rtl8821c_fw.bin");
1544 MODULE_FIRMWARE("rtl_bt/rtl8821c_config.bin");
1545 MODULE_FIRMWARE("rtl_bt/rtl8821cs_fw.bin");
1546 MODULE_FIRMWARE("rtl_bt/rtl8821cs_config.bin");
1547 MODULE_FIRMWARE("rtl_bt/rtl8822b_fw.bin");
1548 MODULE_FIRMWARE("rtl_bt/rtl8822b_config.bin");
1549 MODULE_FIRMWARE("rtl_bt/rtl8822cs_fw.bin");
1550 MODULE_FIRMWARE("rtl_bt/rtl8822cs_config.bin");
1551 MODULE_FIRMWARE("rtl_bt/rtl8822cu_fw.bin");
1552 MODULE_FIRMWARE("rtl_bt/rtl8822cu_config.bin");
1553 MODULE_FIRMWARE("rtl_bt/rtl8851bu_fw.bin");
1554 MODULE_FIRMWARE("rtl_bt/rtl8851bu_config.bin");
1555 MODULE_FIRMWARE("rtl_bt/rtl8852au_fw.bin");
1556 MODULE_FIRMWARE("rtl_bt/rtl8852au_config.bin");
1557 MODULE_FIRMWARE("rtl_bt/rtl8852bs_fw.bin");
1558 MODULE_FIRMWARE("rtl_bt/rtl8852bs_config.bin");
1559 MODULE_FIRMWARE("rtl_bt/rtl8852bu_fw.bin");
1560 MODULE_FIRMWARE("rtl_bt/rtl8852bu_config.bin");
1561 MODULE_FIRMWARE("rtl_bt/rtl8852btu_fw.bin");
1562 MODULE_FIRMWARE("rtl_bt/rtl8852btu_config.bin");
1563 MODULE_FIRMWARE("rtl_bt/rtl8852cu_fw.bin");
1564 MODULE_FIRMWARE("rtl_bt/rtl8852cu_fw_v2.bin");
1565 MODULE_FIRMWARE("rtl_bt/rtl8852cu_config.bin");
1566 MODULE_FIRMWARE("rtl_bt/rtl8922au_fw.bin");
1567 MODULE_FIRMWARE("rtl_bt/rtl8922au_config.bin");
1568