xref: /linux/drivers/bluetooth/hci_bcm4377.c (revision 67f9c312b0a7f4bc869376d2a68308e673235954)
1 // SPDX-License-Identifier: GPL-2.0-only OR MIT
2 /*
3  * Bluetooth HCI driver for Broadcom 4377/4378/4387 devices attached via PCIe
4  *
5  * Copyright (C) The Asahi Linux Contributors
6  */
7 
8 #include <linux/async.h>
9 #include <linux/bitfield.h>
10 #include <linux/completion.h>
11 #include <linux/dma-mapping.h>
12 #include <linux/dmi.h>
13 #include <linux/firmware.h>
14 #include <linux/module.h>
15 #include <linux/msi.h>
16 #include <linux/of.h>
17 #include <linux/pci.h>
18 #include <linux/printk.h>
19 
20 #include <asm/unaligned.h>
21 
22 #include <net/bluetooth/bluetooth.h>
23 #include <net/bluetooth/hci_core.h>
24 
25 enum bcm4377_chip {
26 	BCM4377 = 0,
27 	BCM4378,
28 	BCM4387,
29 };
30 
31 #define BCM4377_DEVICE_ID 0x5fa0
32 #define BCM4378_DEVICE_ID 0x5f69
33 #define BCM4387_DEVICE_ID 0x5f71
34 
35 #define BCM4377_TIMEOUT 1000
36 
37 /*
38  * These devices only support DMA transactions inside a 32bit window
39  * (possibly to avoid 64 bit arithmetic). The window size cannot exceed
40  * 0xffffffff but is always aligned down to the previous 0x200 byte boundary
41  * which effectively limits the window to [start, start+0xfffffe00].
42  * We just limit the DMA window to [0, 0xfffffe00] to make sure we don't
43  * run into this limitation.
44  */
45 #define BCM4377_DMA_MASK 0xfffffe00
46 
47 #define BCM4377_PCIECFG_BAR0_WINDOW1	   0x80
48 #define BCM4377_PCIECFG_BAR0_WINDOW2	   0x70
49 #define BCM4377_PCIECFG_BAR0_CORE2_WINDOW1 0x74
50 #define BCM4377_PCIECFG_BAR0_CORE2_WINDOW2 0x78
51 #define BCM4377_PCIECFG_BAR2_WINDOW	   0x84
52 
53 #define BCM4377_PCIECFG_BAR0_CORE2_WINDOW1_DEFAULT 0x18011000
54 #define BCM4377_PCIECFG_BAR2_WINDOW_DEFAULT	   0x19000000
55 
56 #define BCM4377_PCIECFG_SUBSYSTEM_CTRL 0x88
57 
58 #define BCM4377_BAR0_FW_DOORBELL 0x140
59 #define BCM4377_BAR0_RTI_CONTROL 0x144
60 
61 #define BCM4377_BAR0_SLEEP_CONTROL	      0x150
62 #define BCM4377_BAR0_SLEEP_CONTROL_UNQUIESCE  0
63 #define BCM4377_BAR0_SLEEP_CONTROL_AWAKE      2
64 #define BCM4377_BAR0_SLEEP_CONTROL_QUIESCE    3
65 
66 #define BCM4377_BAR0_DOORBELL	    0x174
67 #define BCM4377_BAR0_DOORBELL_VALUE GENMASK(31, 16)
68 #define BCM4377_BAR0_DOORBELL_IDX   GENMASK(15, 8)
69 #define BCM4377_BAR0_DOORBELL_RING  BIT(5)
70 
71 #define BCM4377_BAR0_HOST_WINDOW_LO   0x590
72 #define BCM4377_BAR0_HOST_WINDOW_HI   0x594
73 #define BCM4377_BAR0_HOST_WINDOW_SIZE 0x598
74 
75 #define BCM4377_BAR2_BOOTSTAGE 0x200454
76 
77 #define BCM4377_BAR2_FW_LO   0x200478
78 #define BCM4377_BAR2_FW_HI   0x20047c
79 #define BCM4377_BAR2_FW_SIZE 0x200480
80 
81 #define BCM4377_BAR2_CONTEXT_ADDR_LO 0x20048c
82 #define BCM4377_BAR2_CONTEXT_ADDR_HI 0x200450
83 
84 #define BCM4377_BAR2_RTI_STATUS	     0x20045c
85 #define BCM4377_BAR2_RTI_WINDOW_LO   0x200494
86 #define BCM4377_BAR2_RTI_WINDOW_HI   0x200498
87 #define BCM4377_BAR2_RTI_WINDOW_SIZE 0x20049c
88 
89 #define BCM4377_OTP_SIZE	  0xe0
90 #define BCM4377_OTP_SYS_VENDOR	  0x15
91 #define BCM4377_OTP_CIS		  0x80
92 #define BCM4377_OTP_VENDOR_HDR	  0x00000008
93 #define BCM4377_OTP_MAX_PARAM_LEN 16
94 
95 #define BCM4377_N_TRANSFER_RINGS   9
96 #define BCM4377_N_COMPLETION_RINGS 6
97 
98 #define BCM4377_MAX_RING_SIZE 256
99 
100 #define BCM4377_MSGID_GENERATION GENMASK(15, 8)
101 #define BCM4377_MSGID_ID	 GENMASK(7, 0)
102 
103 #define BCM4377_RING_N_ENTRIES 128
104 
105 #define BCM4377_CONTROL_MSG_SIZE		   0x34
106 #define BCM4377_XFER_RING_MAX_INPLACE_PAYLOAD_SIZE (4 * 0xff)
107 
108 #define MAX_ACL_PAYLOAD_SIZE   (HCI_MAX_FRAME_SIZE + HCI_ACL_HDR_SIZE)
109 #define MAX_SCO_PAYLOAD_SIZE   (HCI_MAX_SCO_SIZE + HCI_SCO_HDR_SIZE)
110 #define MAX_EVENT_PAYLOAD_SIZE (HCI_MAX_EVENT_SIZE + HCI_EVENT_HDR_SIZE)
111 
112 enum bcm4377_otp_params_type {
113 	BCM4377_OTP_BOARD_PARAMS,
114 	BCM4377_OTP_CHIP_PARAMS
115 };
116 
117 enum bcm4377_transfer_ring_id {
118 	BCM4377_XFER_RING_CONTROL = 0,
119 	BCM4377_XFER_RING_HCI_H2D = 1,
120 	BCM4377_XFER_RING_HCI_D2H = 2,
121 	BCM4377_XFER_RING_SCO_H2D = 3,
122 	BCM4377_XFER_RING_SCO_D2H = 4,
123 	BCM4377_XFER_RING_ACL_H2D = 5,
124 	BCM4377_XFER_RING_ACL_D2H = 6,
125 };
126 
127 enum bcm4377_completion_ring_id {
128 	BCM4377_ACK_RING_CONTROL = 0,
129 	BCM4377_ACK_RING_HCI_ACL = 1,
130 	BCM4377_EVENT_RING_HCI_ACL = 2,
131 	BCM4377_ACK_RING_SCO = 3,
132 	BCM4377_EVENT_RING_SCO = 4,
133 };
134 
135 enum bcm4377_doorbell {
136 	BCM4377_DOORBELL_CONTROL = 0,
137 	BCM4377_DOORBELL_HCI_H2D = 1,
138 	BCM4377_DOORBELL_HCI_D2H = 2,
139 	BCM4377_DOORBELL_ACL_H2D = 3,
140 	BCM4377_DOORBELL_ACL_D2H = 4,
141 	BCM4377_DOORBELL_SCO = 6,
142 };
143 
144 /*
145  * Transfer ring entry
146  *
147  * flags: Flags to indicate if the payload is appended or mapped
148  * len: Payload length
149  * payload: Optional payload DMA address
150  * id: Message id to recognize the answer in the completion ring entry
151  */
152 struct bcm4377_xfer_ring_entry {
153 #define BCM4377_XFER_RING_FLAG_PAYLOAD_MAPPED	 BIT(0)
154 #define BCM4377_XFER_RING_FLAG_PAYLOAD_IN_FOOTER BIT(1)
155 	u8 flags;
156 	__le16 len;
157 	u8 _unk0;
158 	__le64 payload;
159 	__le16 id;
160 	u8 _unk1[2];
161 } __packed;
162 static_assert(sizeof(struct bcm4377_xfer_ring_entry) == 0x10);
163 
164 /*
165  * Completion ring entry
166  *
167  * flags: Flags to indicate if the payload is appended or mapped. If the payload
168  *        is mapped it can be found in the buffer of the corresponding transfer
169  *        ring message.
170  * ring_id: Transfer ring ID which required this message
171  * msg_id: Message ID specified in transfer ring entry
172  * len: Payload length
173  */
174 struct bcm4377_completion_ring_entry {
175 	u8 flags;
176 	u8 _unk0;
177 	__le16 ring_id;
178 	__le16 msg_id;
179 	__le32 len;
180 	u8 _unk1[6];
181 } __packed;
182 static_assert(sizeof(struct bcm4377_completion_ring_entry) == 0x10);
183 
184 enum bcm4377_control_message_type {
185 	BCM4377_CONTROL_MSG_CREATE_XFER_RING = 1,
186 	BCM4377_CONTROL_MSG_CREATE_COMPLETION_RING = 2,
187 	BCM4377_CONTROL_MSG_DESTROY_XFER_RING = 3,
188 	BCM4377_CONTROL_MSG_DESTROY_COMPLETION_RING = 4,
189 };
190 
191 /*
192  * Control message used to create a completion ring
193  *
194  * msg_type: Must be BCM4377_CONTROL_MSG_CREATE_COMPLETION_RING
195  * header_size: Unknown, but probably reserved space in front of the entry
196  * footer_size: Number of 32 bit words reserved for payloads after the entry
197  * id/id_again: Completion ring index
198  * ring_iova: DMA address of the ring buffer
199  * n_elements: Number of elements inside the ring buffer
200  * msi: MSI index, doesn't work for all rings though and should be zero
201  * intmod_delay: Unknown delay
202  * intmod_bytes: Unknown
203  */
204 struct bcm4377_create_completion_ring_msg {
205 	u8 msg_type;
206 	u8 header_size;
207 	u8 footer_size;
208 	u8 _unk0;
209 	__le16 id;
210 	__le16 id_again;
211 	__le64 ring_iova;
212 	__le16 n_elements;
213 	__le32 unk;
214 	u8 _unk1[6];
215 	__le16 msi;
216 	__le16 intmod_delay;
217 	__le32 intmod_bytes;
218 	__le16 _unk2;
219 	__le32 _unk3;
220 	u8 _unk4[10];
221 } __packed;
222 static_assert(sizeof(struct bcm4377_create_completion_ring_msg) ==
223 	      BCM4377_CONTROL_MSG_SIZE);
224 
225 /*
226  * Control ring message used to destroy a completion ring
227  *
228  * msg_type: Must be BCM4377_CONTROL_MSG_DESTROY_COMPLETION_RING
229  * ring_id: Completion ring to be destroyed
230  */
231 struct bcm4377_destroy_completion_ring_msg {
232 	u8 msg_type;
233 	u8 _pad0;
234 	__le16 ring_id;
235 	u8 _pad1[48];
236 } __packed;
237 static_assert(sizeof(struct bcm4377_destroy_completion_ring_msg) ==
238 	      BCM4377_CONTROL_MSG_SIZE);
239 
240 /*
241  * Control message used to create a transfer ring
242  *
243  * msg_type: Must be BCM4377_CONTROL_MSG_CREATE_XFER_RING
244  * header_size: Number of 32 bit words reserved for unknown content before the
245  *              entry
246  * footer_size: Number of 32 bit words reserved for payloads after the entry
247  * ring_id/ring_id_again: Transfer ring index
248  * ring_iova: DMA address of the ring buffer
249  * n_elements: Number of elements inside the ring buffer
250  * completion_ring_id: Completion ring index for acknowledgements and events
251  * doorbell: Doorbell index used to notify device of new entries
252  * flags: Transfer ring flags
253  *          - virtual: set if there is no associated shared memory and only the
254  *                     corresponding completion ring is used
255  *          - sync: only set for the SCO rings
256  */
257 struct bcm4377_create_transfer_ring_msg {
258 	u8 msg_type;
259 	u8 header_size;
260 	u8 footer_size;
261 	u8 _unk0;
262 	__le16 ring_id;
263 	__le16 ring_id_again;
264 	__le64 ring_iova;
265 	u8 _unk1[8];
266 	__le16 n_elements;
267 	__le16 completion_ring_id;
268 	__le16 doorbell;
269 #define BCM4377_XFER_RING_FLAG_VIRTUAL BIT(7)
270 #define BCM4377_XFER_RING_FLAG_SYNC    BIT(8)
271 	__le16 flags;
272 	u8 _unk2[20];
273 } __packed;
274 static_assert(sizeof(struct bcm4377_create_transfer_ring_msg) ==
275 	      BCM4377_CONTROL_MSG_SIZE);
276 
277 /*
278  * Control ring message used to destroy a transfer ring
279  *
280  * msg_type: Must be BCM4377_CONTROL_MSG_DESTROY_XFER_RING
281  * ring_id: Transfer ring to be destroyed
282  */
283 struct bcm4377_destroy_transfer_ring_msg {
284 	u8 msg_type;
285 	u8 _pad0;
286 	__le16 ring_id;
287 	u8 _pad1[48];
288 } __packed;
289 static_assert(sizeof(struct bcm4377_destroy_transfer_ring_msg) ==
290 	      BCM4377_CONTROL_MSG_SIZE);
291 
292 /*
293  * "Converged IPC" context struct used to make the device aware of all other
294  * shared memory structures. A pointer to this structure is configured inside a
295  * MMIO register.
296  *
297  * version: Protocol version, must be 2.
298  * size: Size of this structure, must be 0x68.
299  * enabled_caps: Enabled capabilities. Unknown bitfield but should be 2.
300  * peripheral_info_addr: DMA address for a 0x20 buffer to which the device will
301  *                       write unknown contents
302  * {completion,xfer}_ring_{tails,heads}_addr: DMA pointers to ring heads/tails
303  * n_completion_rings: Number of completion rings, the firmware only works if
304  *                     this is set to BCM4377_N_COMPLETION_RINGS.
305  * n_xfer_rings: Number of transfer rings, the firmware only works if
306  *               this is set to BCM4377_N_TRANSFER_RINGS.
307  * control_completion_ring_addr: Control completion ring buffer DMA address
308  * control_xfer_ring_addr: Control transfer ring buffer DMA address
309  * control_xfer_ring_n_entries: Number of control transfer ring entries
310  * control_completion_ring_n_entries: Number of control completion ring entries
311  * control_xfer_ring_doorbell: Control transfer ring doorbell
312  * control_completion_ring_doorbell: Control completion ring doorbell,
313  *                                   must be set to 0xffff
314  * control_xfer_ring_msi: Control completion ring MSI index, must be 0
315  * control_completion_ring_msi: Control completion ring MSI index, must be 0.
316  * control_xfer_ring_header_size: Number of 32 bit words reserved in front of
317  *                                every control transfer ring entry
318  * control_xfer_ring_footer_size: Number of 32 bit words reserved after every
319  *                                control transfer ring entry
320  * control_completion_ring_header_size: Number of 32 bit words reserved in front
321  *                                      of every control completion ring entry
322  * control_completion_ring_footer_size: Number of 32 bit words reserved after
323  *                                      every control completion ring entry
324  * scratch_pad: Optional scratch pad DMA address
325  * scratch_pad_size: Scratch pad size
326  */
327 struct bcm4377_context {
328 	__le16 version;
329 	__le16 size;
330 	__le32 enabled_caps;
331 
332 	__le64 peripheral_info_addr;
333 
334 	/* ring heads and tails */
335 	__le64 completion_ring_heads_addr;
336 	__le64 xfer_ring_tails_addr;
337 	__le64 completion_ring_tails_addr;
338 	__le64 xfer_ring_heads_addr;
339 	__le16 n_completion_rings;
340 	__le16 n_xfer_rings;
341 
342 	/* control ring configuration */
343 	__le64 control_completion_ring_addr;
344 	__le64 control_xfer_ring_addr;
345 	__le16 control_xfer_ring_n_entries;
346 	__le16 control_completion_ring_n_entries;
347 	__le16 control_xfer_ring_doorbell;
348 	__le16 control_completion_ring_doorbell;
349 	__le16 control_xfer_ring_msi;
350 	__le16 control_completion_ring_msi;
351 	u8 control_xfer_ring_header_size;
352 	u8 control_xfer_ring_footer_size;
353 	u8 control_completion_ring_header_size;
354 	u8 control_completion_ring_footer_size;
355 
356 	__le16 _unk0;
357 	__le16 _unk1;
358 
359 	__le64 scratch_pad;
360 	__le32 scratch_pad_size;
361 
362 	__le32 _unk3;
363 } __packed;
364 static_assert(sizeof(struct bcm4377_context) == 0x68);
365 
366 #define BCM4378_CALIBRATION_CHUNK_SIZE 0xe6
367 struct bcm4378_hci_send_calibration_cmd {
368 	u8 unk;
369 	__le16 blocks_left;
370 	u8 data[BCM4378_CALIBRATION_CHUNK_SIZE];
371 } __packed;
372 
373 #define BCM4378_PTB_CHUNK_SIZE 0xcf
374 struct bcm4378_hci_send_ptb_cmd {
375 	__le16 blocks_left;
376 	u8 data[BCM4378_PTB_CHUNK_SIZE];
377 } __packed;
378 
379 /*
380  * Shared memory structure used to store the ring head and tail pointers.
381  */
382 struct bcm4377_ring_state {
383 	__le16 completion_ring_head[BCM4377_N_COMPLETION_RINGS];
384 	__le16 completion_ring_tail[BCM4377_N_COMPLETION_RINGS];
385 	__le16 xfer_ring_head[BCM4377_N_TRANSFER_RINGS];
386 	__le16 xfer_ring_tail[BCM4377_N_TRANSFER_RINGS];
387 };
388 
389 /*
390  * A transfer ring can be used in two configurations:
391  *  1) Send control or HCI messages to the device which are then acknowledged
392  *     in the corresponding completion ring
393  *  2) Receiving HCI frames from the devices. In this case the transfer ring
394  *     itself contains empty messages that are acknowledged once data is
395  *     available from the device. If the payloads fit inside the footers
396  *     of the completion ring the transfer ring can be configured to be
397  *     virtual such that it has no ring buffer.
398  *
399  * ring_id: ring index hardcoded in the firmware
400  * doorbell: doorbell index to notify device of new entries
401  * payload_size: optional in-place payload size
402  * mapped_payload_size: optional out-of-place payload size
403  * completion_ring: index of corresponding completion ring
404  * n_entries: number of entries inside this ring
405  * generation: ring generation; incremented on hci_open to detect stale messages
406  * sync: set to true for SCO rings
407  * virtual: set to true if this ring has no entries and is just required to
408  *          setup a corresponding completion ring for device->host messages
409  * d2h_buffers_only: set to true if this ring is only used to provide large
410  *                   buffers used by device->host messages in the completion
411  *                   ring
412  * allow_wait: allow to wait for messages to be acknowledged
413  * enabled: true once the ring has been created and can be used
414  * ring: ring buffer for entries (struct bcm4377_xfer_ring_entry)
415  * ring_dma: DMA address for ring entry buffer
416  * payloads: payload buffer for mapped_payload_size payloads
417  * payloads_dma:DMA address for payload buffer
418  * events: pointer to array of completions if waiting is allowed
419  * msgids: bitmap to keep track of used message ids
420  * lock: Spinlock to protect access to ring structurs used in the irq handler
421  */
422 struct bcm4377_transfer_ring {
423 	enum bcm4377_transfer_ring_id ring_id;
424 	enum bcm4377_doorbell doorbell;
425 	size_t payload_size;
426 	size_t mapped_payload_size;
427 	u8 completion_ring;
428 	u16 n_entries;
429 	u8 generation;
430 
431 	bool sync;
432 	bool virtual;
433 	bool d2h_buffers_only;
434 	bool allow_wait;
435 	bool enabled;
436 
437 	void *ring;
438 	dma_addr_t ring_dma;
439 
440 	void *payloads;
441 	dma_addr_t payloads_dma;
442 
443 	struct completion **events;
444 	DECLARE_BITMAP(msgids, BCM4377_MAX_RING_SIZE);
445 	spinlock_t lock;
446 };
447 
448 /*
449  * A completion ring can be either used to either acknowledge messages sent in
450  * the corresponding transfer ring or to receive messages associated with the
451  * transfer ring. When used to receive messages the transfer ring either
452  * has no ring buffer and is only advanced ("virtual transfer ring") or it
453  * only contains empty DMA buffers to be used for the payloads.
454  *
455  * ring_id: completion ring id, hardcoded in firmware
456  * payload_size: optional payload size after each entry
457  * delay: unknown delay
458  * n_entries: number of entries in this ring
459  * enabled: true once the ring has been created and can be used
460  * ring: ring buffer for entries (struct bcm4377_completion_ring_entry)
461  * ring_dma: DMA address of ring buffer
462  * transfer_rings: bitmap of corresponding transfer ring ids
463  */
464 struct bcm4377_completion_ring {
465 	enum bcm4377_completion_ring_id ring_id;
466 	u16 payload_size;
467 	u16 delay;
468 	u16 n_entries;
469 	bool enabled;
470 
471 	void *ring;
472 	dma_addr_t ring_dma;
473 
474 	unsigned long transfer_rings;
475 };
476 
477 struct bcm4377_data;
478 
479 /*
480  * Chip-specific configuration struct
481  *
482  * id: Chip id (e.g. 0x4377 for BCM4377)
483  * otp_offset: Offset to the start of the OTP inside BAR0
484  * bar0_window1: Backplane address mapped to the first window in BAR0
485  * bar0_window2: Backplane address mapped to the second window in BAR0
486  * bar0_core2_window2: Optional backplane address mapped to the second core's
487  *                     second window in BAR0
488  * has_bar0_core2_window2: Set to true if this chip requires the second core's
489  *                         second window to be configured
490  * clear_pciecfg_subsystem_ctrl_bit19: Set to true if bit 19 in the
491  *                                     vendor-specific subsystem control
492  *                                     register has to be cleared
493  * disable_aspm: Set to true if ASPM must be disabled due to hardware errata
494  * broken_ext_scan: Set to true if the chip erroneously claims to support
495  *                  extended scanning
496  * broken_mws_transport_config: Set to true if the chip erroneously claims to
497  *                              support MWS Transport Configuration
498  * broken_le_ext_adv_report_phy: Set to true if this chip stuffs flags inside
499  *                               reserved bits of Primary/Secondary_PHY inside
500  *                               LE Extended Advertising Report events which
501  *                               have to be ignored
502  * send_calibration: Optional callback to send calibration data
503  * send_ptb: Callback to send "PTB" regulatory/calibration data
504  */
505 struct bcm4377_hw {
506 	unsigned int id;
507 
508 	u32 otp_offset;
509 
510 	u32 bar0_window1;
511 	u32 bar0_window2;
512 	u32 bar0_core2_window2;
513 
514 	unsigned long has_bar0_core2_window2 : 1;
515 	unsigned long clear_pciecfg_subsystem_ctrl_bit19 : 1;
516 	unsigned long disable_aspm : 1;
517 	unsigned long broken_ext_scan : 1;
518 	unsigned long broken_mws_transport_config : 1;
519 	unsigned long broken_le_coded : 1;
520 	unsigned long broken_le_ext_adv_report_phy : 1;
521 
522 	int (*send_calibration)(struct bcm4377_data *bcm4377);
523 	int (*send_ptb)(struct bcm4377_data *bcm4377,
524 			const struct firmware *fw);
525 };
526 
527 static const struct bcm4377_hw bcm4377_hw_variants[];
528 static const struct dmi_system_id bcm4377_dmi_board_table[];
529 
530 /*
531  * Private struct associated with each device containing global state
532  *
533  * pdev: Pointer to associated struct pci_dev
534  * hdev: Pointer to associated strucy hci_dev
535  * bar0: iomem pointing to BAR0
536  * bar1: iomem pointing to BAR2
537  * bootstage: Current value of the bootstage
538  * rti_status: Current "RTI" status value
539  * hw: Pointer to chip-specific struct bcm4377_hw
540  * taurus_cal_blob: "Taurus" calibration blob used for some chips
541  * taurus_cal_size: "Taurus" calibration blob size
542  * taurus_beamforming_cal_blob: "Taurus" beamforming calibration blob used for
543  *                              some chips
544  * taurus_beamforming_cal_size: "Taurus" beamforming calibration blob size
545  * stepping: Chip stepping read from OTP; used for firmware selection
546  * vendor: Antenna vendor read from OTP; used for firmware selection
547  * board_type: Board type from FDT or DMI match; used for firmware selection
548  * event: Event for changed bootstage or rti_status; used for booting firmware
549  * ctx: "Converged IPC" context
550  * ctx_dma: "Converged IPC" context DMA address
551  * ring_state: Shared memory buffer containing ring head and tail indexes
552  * ring_state_dma: DMA address for ring_state
553  * {control,hci_acl,sco}_ack_ring: Completion rings used to acknowledge messages
554  * {hci_acl,sco}_event_ring: Completion rings used for device->host messages
555  * control_h2d_ring: Transfer ring used for control messages
556  * {hci,sco,acl}_h2d_ring: Transfer ring used to transfer HCI frames
557  * {hci,sco,acl}_d2h_ring: Transfer ring used to receive HCI frames in the
558  *                         corresponding completion ring
559  */
560 struct bcm4377_data {
561 	struct pci_dev *pdev;
562 	struct hci_dev *hdev;
563 
564 	void __iomem *bar0;
565 	void __iomem *bar2;
566 
567 	u32 bootstage;
568 	u32 rti_status;
569 
570 	const struct bcm4377_hw *hw;
571 
572 	const void *taurus_cal_blob;
573 	int taurus_cal_size;
574 	const void *taurus_beamforming_cal_blob;
575 	int taurus_beamforming_cal_size;
576 
577 	char stepping[BCM4377_OTP_MAX_PARAM_LEN];
578 	char vendor[BCM4377_OTP_MAX_PARAM_LEN];
579 	const char *board_type;
580 
581 	struct completion event;
582 
583 	struct bcm4377_context *ctx;
584 	dma_addr_t ctx_dma;
585 
586 	struct bcm4377_ring_state *ring_state;
587 	dma_addr_t ring_state_dma;
588 
589 	/*
590 	 * The HCI and ACL rings have to be merged because this structure is
591 	 * hardcoded in the firmware.
592 	 */
593 	struct bcm4377_completion_ring control_ack_ring;
594 	struct bcm4377_completion_ring hci_acl_ack_ring;
595 	struct bcm4377_completion_ring hci_acl_event_ring;
596 	struct bcm4377_completion_ring sco_ack_ring;
597 	struct bcm4377_completion_ring sco_event_ring;
598 
599 	struct bcm4377_transfer_ring control_h2d_ring;
600 	struct bcm4377_transfer_ring hci_h2d_ring;
601 	struct bcm4377_transfer_ring hci_d2h_ring;
602 	struct bcm4377_transfer_ring sco_h2d_ring;
603 	struct bcm4377_transfer_ring sco_d2h_ring;
604 	struct bcm4377_transfer_ring acl_h2d_ring;
605 	struct bcm4377_transfer_ring acl_d2h_ring;
606 };
607 
608 static void bcm4377_ring_doorbell(struct bcm4377_data *bcm4377, u8 doorbell,
609 				  u16 val)
610 {
611 	u32 db = 0;
612 
613 	db |= FIELD_PREP(BCM4377_BAR0_DOORBELL_VALUE, val);
614 	db |= FIELD_PREP(BCM4377_BAR0_DOORBELL_IDX, doorbell);
615 	db |= BCM4377_BAR0_DOORBELL_RING;
616 
617 	dev_dbg(&bcm4377->pdev->dev, "write %d to doorbell #%d (0x%x)\n", val,
618 		doorbell, db);
619 	iowrite32(db, bcm4377->bar0 + BCM4377_BAR0_DOORBELL);
620 }
621 
622 static int bcm4377_extract_msgid(struct bcm4377_data *bcm4377,
623 				 struct bcm4377_transfer_ring *ring,
624 				 u16 raw_msgid, u8 *msgid)
625 {
626 	u8 generation = FIELD_GET(BCM4377_MSGID_GENERATION, raw_msgid);
627 	*msgid = FIELD_GET(BCM4377_MSGID_ID, raw_msgid);
628 
629 	if (generation != ring->generation) {
630 		dev_warn(
631 			&bcm4377->pdev->dev,
632 			"invalid message generation %d should be %d in entry for ring %d\n",
633 			generation, ring->generation, ring->ring_id);
634 		return -EINVAL;
635 	}
636 
637 	if (*msgid >= ring->n_entries) {
638 		dev_warn(&bcm4377->pdev->dev,
639 			 "invalid message id in entry for ring %d: %d > %d\n",
640 			 ring->ring_id, *msgid, ring->n_entries);
641 		return -EINVAL;
642 	}
643 
644 	return 0;
645 }
646 
647 static void bcm4377_handle_event(struct bcm4377_data *bcm4377,
648 				 struct bcm4377_transfer_ring *ring,
649 				 u16 raw_msgid, u8 entry_flags, u8 type,
650 				 void *payload, size_t len)
651 {
652 	struct sk_buff *skb;
653 	u16 head;
654 	u8 msgid;
655 	unsigned long flags;
656 
657 	spin_lock_irqsave(&ring->lock, flags);
658 	if (!ring->enabled) {
659 		dev_warn(&bcm4377->pdev->dev,
660 			 "event for disabled transfer ring %d\n",
661 			 ring->ring_id);
662 		goto out;
663 	}
664 
665 	if (ring->d2h_buffers_only &&
666 	    entry_flags & BCM4377_XFER_RING_FLAG_PAYLOAD_MAPPED) {
667 		if (bcm4377_extract_msgid(bcm4377, ring, raw_msgid, &msgid))
668 			goto out;
669 
670 		if (len > ring->mapped_payload_size) {
671 			dev_warn(
672 				&bcm4377->pdev->dev,
673 				"invalid payload len in event for ring %d: %zu > %zu\n",
674 				ring->ring_id, len, ring->mapped_payload_size);
675 			goto out;
676 		}
677 
678 		payload = ring->payloads + msgid * ring->mapped_payload_size;
679 	}
680 
681 	skb = bt_skb_alloc(len, GFP_ATOMIC);
682 	if (!skb)
683 		goto out;
684 
685 	memcpy(skb_put(skb, len), payload, len);
686 	hci_skb_pkt_type(skb) = type;
687 	hci_recv_frame(bcm4377->hdev, skb);
688 
689 out:
690 	head = le16_to_cpu(bcm4377->ring_state->xfer_ring_head[ring->ring_id]);
691 	head = (head + 1) % ring->n_entries;
692 	bcm4377->ring_state->xfer_ring_head[ring->ring_id] = cpu_to_le16(head);
693 
694 	bcm4377_ring_doorbell(bcm4377, ring->doorbell, head);
695 
696 	spin_unlock_irqrestore(&ring->lock, flags);
697 }
698 
699 static void bcm4377_handle_ack(struct bcm4377_data *bcm4377,
700 			       struct bcm4377_transfer_ring *ring,
701 			       u16 raw_msgid)
702 {
703 	unsigned long flags;
704 	u8 msgid;
705 
706 	spin_lock_irqsave(&ring->lock, flags);
707 
708 	if (bcm4377_extract_msgid(bcm4377, ring, raw_msgid, &msgid))
709 		goto unlock;
710 
711 	if (!test_bit(msgid, ring->msgids)) {
712 		dev_warn(
713 			&bcm4377->pdev->dev,
714 			"invalid message id in ack for ring %d: %d is not used\n",
715 			ring->ring_id, msgid);
716 		goto unlock;
717 	}
718 
719 	if (ring->allow_wait && ring->events[msgid]) {
720 		complete(ring->events[msgid]);
721 		ring->events[msgid] = NULL;
722 	}
723 
724 	bitmap_release_region(ring->msgids, msgid, 0);
725 
726 unlock:
727 	spin_unlock_irqrestore(&ring->lock, flags);
728 }
729 
730 static void bcm4377_handle_completion(struct bcm4377_data *bcm4377,
731 				      struct bcm4377_completion_ring *ring,
732 				      u16 pos)
733 {
734 	struct bcm4377_completion_ring_entry *entry;
735 	u16 msg_id, transfer_ring;
736 	size_t entry_size, data_len;
737 	void *data;
738 
739 	if (pos >= ring->n_entries) {
740 		dev_warn(&bcm4377->pdev->dev,
741 			 "invalid offset %d for completion ring %d\n", pos,
742 			 ring->ring_id);
743 		return;
744 	}
745 
746 	entry_size = sizeof(*entry) + ring->payload_size;
747 	entry = ring->ring + pos * entry_size;
748 	data = ring->ring + pos * entry_size + sizeof(*entry);
749 	data_len = le32_to_cpu(entry->len);
750 	msg_id = le16_to_cpu(entry->msg_id);
751 	transfer_ring = le16_to_cpu(entry->ring_id);
752 
753 	if ((ring->transfer_rings & BIT(transfer_ring)) == 0) {
754 		dev_warn(
755 			&bcm4377->pdev->dev,
756 			"invalid entry at offset %d for transfer ring %d in completion ring %d\n",
757 			pos, transfer_ring, ring->ring_id);
758 		return;
759 	}
760 
761 	dev_dbg(&bcm4377->pdev->dev,
762 		"entry in completion ring %d for transfer ring %d with msg_id %d\n",
763 		ring->ring_id, transfer_ring, msg_id);
764 
765 	switch (transfer_ring) {
766 	case BCM4377_XFER_RING_CONTROL:
767 		bcm4377_handle_ack(bcm4377, &bcm4377->control_h2d_ring, msg_id);
768 		break;
769 	case BCM4377_XFER_RING_HCI_H2D:
770 		bcm4377_handle_ack(bcm4377, &bcm4377->hci_h2d_ring, msg_id);
771 		break;
772 	case BCM4377_XFER_RING_SCO_H2D:
773 		bcm4377_handle_ack(bcm4377, &bcm4377->sco_h2d_ring, msg_id);
774 		break;
775 	case BCM4377_XFER_RING_ACL_H2D:
776 		bcm4377_handle_ack(bcm4377, &bcm4377->acl_h2d_ring, msg_id);
777 		break;
778 
779 	case BCM4377_XFER_RING_HCI_D2H:
780 		bcm4377_handle_event(bcm4377, &bcm4377->hci_d2h_ring, msg_id,
781 				     entry->flags, HCI_EVENT_PKT, data,
782 				     data_len);
783 		break;
784 	case BCM4377_XFER_RING_SCO_D2H:
785 		bcm4377_handle_event(bcm4377, &bcm4377->sco_d2h_ring, msg_id,
786 				     entry->flags, HCI_SCODATA_PKT, data,
787 				     data_len);
788 		break;
789 	case BCM4377_XFER_RING_ACL_D2H:
790 		bcm4377_handle_event(bcm4377, &bcm4377->acl_d2h_ring, msg_id,
791 				     entry->flags, HCI_ACLDATA_PKT, data,
792 				     data_len);
793 		break;
794 
795 	default:
796 		dev_warn(
797 			&bcm4377->pdev->dev,
798 			"entry in completion ring %d for unknown transfer ring %d with msg_id %d\n",
799 			ring->ring_id, transfer_ring, msg_id);
800 	}
801 }
802 
803 static void bcm4377_poll_completion_ring(struct bcm4377_data *bcm4377,
804 					 struct bcm4377_completion_ring *ring)
805 {
806 	u16 tail;
807 	__le16 *heads = bcm4377->ring_state->completion_ring_head;
808 	__le16 *tails = bcm4377->ring_state->completion_ring_tail;
809 
810 	if (!ring->enabled)
811 		return;
812 
813 	tail = le16_to_cpu(tails[ring->ring_id]);
814 	dev_dbg(&bcm4377->pdev->dev,
815 		"completion ring #%d: head: %d, tail: %d\n", ring->ring_id,
816 		le16_to_cpu(heads[ring->ring_id]), tail);
817 
818 	while (tail != le16_to_cpu(READ_ONCE(heads[ring->ring_id]))) {
819 		/*
820 		 * ensure the CPU doesn't speculate through the comparison.
821 		 * otherwise it might already read the (empty) queue entry
822 		 * before the updated head has been loaded and checked.
823 		 */
824 		dma_rmb();
825 
826 		bcm4377_handle_completion(bcm4377, ring, tail);
827 
828 		tail = (tail + 1) % ring->n_entries;
829 		tails[ring->ring_id] = cpu_to_le16(tail);
830 	}
831 }
832 
833 static irqreturn_t bcm4377_irq(int irq, void *data)
834 {
835 	struct bcm4377_data *bcm4377 = data;
836 	u32 bootstage, rti_status;
837 
838 	bootstage = ioread32(bcm4377->bar2 + BCM4377_BAR2_BOOTSTAGE);
839 	rti_status = ioread32(bcm4377->bar2 + BCM4377_BAR2_RTI_STATUS);
840 
841 	if (bootstage != bcm4377->bootstage ||
842 	    rti_status != bcm4377->rti_status) {
843 		dev_dbg(&bcm4377->pdev->dev,
844 			"bootstage = %d -> %d, rti state = %d -> %d\n",
845 			bcm4377->bootstage, bootstage, bcm4377->rti_status,
846 			rti_status);
847 		complete(&bcm4377->event);
848 		bcm4377->bootstage = bootstage;
849 		bcm4377->rti_status = rti_status;
850 	}
851 
852 	if (rti_status > 2)
853 		dev_err(&bcm4377->pdev->dev, "RTI status is %d\n", rti_status);
854 
855 	bcm4377_poll_completion_ring(bcm4377, &bcm4377->control_ack_ring);
856 	bcm4377_poll_completion_ring(bcm4377, &bcm4377->hci_acl_event_ring);
857 	bcm4377_poll_completion_ring(bcm4377, &bcm4377->hci_acl_ack_ring);
858 	bcm4377_poll_completion_ring(bcm4377, &bcm4377->sco_ack_ring);
859 	bcm4377_poll_completion_ring(bcm4377, &bcm4377->sco_event_ring);
860 
861 	return IRQ_HANDLED;
862 }
863 
864 static int bcm4377_enqueue(struct bcm4377_data *bcm4377,
865 			   struct bcm4377_transfer_ring *ring, void *data,
866 			   size_t len, bool wait)
867 {
868 	unsigned long flags;
869 	struct bcm4377_xfer_ring_entry *entry;
870 	void *payload;
871 	size_t offset;
872 	u16 head, tail, new_head;
873 	u16 raw_msgid;
874 	int ret, msgid;
875 	DECLARE_COMPLETION_ONSTACK(event);
876 
877 	if (len > ring->payload_size && len > ring->mapped_payload_size) {
878 		dev_warn(
879 			&bcm4377->pdev->dev,
880 			"payload len %zu is too large for ring %d (max is %zu or %zu)\n",
881 			len, ring->ring_id, ring->payload_size,
882 			ring->mapped_payload_size);
883 		return -EINVAL;
884 	}
885 	if (wait && !ring->allow_wait)
886 		return -EINVAL;
887 	if (ring->virtual)
888 		return -EINVAL;
889 
890 	spin_lock_irqsave(&ring->lock, flags);
891 
892 	head = le16_to_cpu(bcm4377->ring_state->xfer_ring_head[ring->ring_id]);
893 	tail = le16_to_cpu(bcm4377->ring_state->xfer_ring_tail[ring->ring_id]);
894 
895 	new_head = (head + 1) % ring->n_entries;
896 
897 	if (new_head == tail) {
898 		dev_warn(&bcm4377->pdev->dev,
899 			 "can't send message because ring %d is full\n",
900 			 ring->ring_id);
901 		ret = -EINVAL;
902 		goto out;
903 	}
904 
905 	msgid = bitmap_find_free_region(ring->msgids, ring->n_entries, 0);
906 	if (msgid < 0) {
907 		dev_warn(&bcm4377->pdev->dev,
908 			 "can't find message id for ring %d\n", ring->ring_id);
909 		ret = -EINVAL;
910 		goto out;
911 	}
912 
913 	raw_msgid = FIELD_PREP(BCM4377_MSGID_GENERATION, ring->generation);
914 	raw_msgid |= FIELD_PREP(BCM4377_MSGID_ID, msgid);
915 
916 	offset = head * (sizeof(*entry) + ring->payload_size);
917 	entry = ring->ring + offset;
918 
919 	memset(entry, 0, sizeof(*entry));
920 	entry->id = cpu_to_le16(raw_msgid);
921 	entry->len = cpu_to_le16(len);
922 
923 	if (len <= ring->payload_size) {
924 		entry->flags = BCM4377_XFER_RING_FLAG_PAYLOAD_IN_FOOTER;
925 		payload = ring->ring + offset + sizeof(*entry);
926 	} else {
927 		entry->flags = BCM4377_XFER_RING_FLAG_PAYLOAD_MAPPED;
928 		entry->payload = cpu_to_le64(ring->payloads_dma +
929 					     msgid * ring->mapped_payload_size);
930 		payload = ring->payloads + msgid * ring->mapped_payload_size;
931 	}
932 
933 	memcpy(payload, data, len);
934 
935 	if (wait)
936 		ring->events[msgid] = &event;
937 
938 	/*
939 	 * The 4377 chips stop responding to any commands as soon as they
940 	 * have been idle for a while. Poking the sleep control register here
941 	 * makes them come alive again.
942 	 */
943 	iowrite32(BCM4377_BAR0_SLEEP_CONTROL_AWAKE,
944 		  bcm4377->bar0 + BCM4377_BAR0_SLEEP_CONTROL);
945 
946 	dev_dbg(&bcm4377->pdev->dev,
947 		"updating head for transfer queue #%d to %d\n", ring->ring_id,
948 		new_head);
949 	bcm4377->ring_state->xfer_ring_head[ring->ring_id] =
950 		cpu_to_le16(new_head);
951 
952 	if (!ring->sync)
953 		bcm4377_ring_doorbell(bcm4377, ring->doorbell, new_head);
954 	ret = 0;
955 
956 out:
957 	spin_unlock_irqrestore(&ring->lock, flags);
958 
959 	if (ret == 0 && wait) {
960 		ret = wait_for_completion_interruptible_timeout(
961 			&event, BCM4377_TIMEOUT);
962 		if (ret == 0)
963 			ret = -ETIMEDOUT;
964 		else if (ret > 0)
965 			ret = 0;
966 
967 		spin_lock_irqsave(&ring->lock, flags);
968 		ring->events[msgid] = NULL;
969 		spin_unlock_irqrestore(&ring->lock, flags);
970 	}
971 
972 	return ret;
973 }
974 
975 static int bcm4377_create_completion_ring(struct bcm4377_data *bcm4377,
976 					  struct bcm4377_completion_ring *ring)
977 {
978 	struct bcm4377_create_completion_ring_msg msg;
979 	int ret;
980 
981 	if (ring->enabled) {
982 		dev_warn(&bcm4377->pdev->dev,
983 			 "completion ring %d already enabled\n", ring->ring_id);
984 		return 0;
985 	}
986 
987 	memset(ring->ring, 0,
988 	       ring->n_entries * (sizeof(struct bcm4377_completion_ring_entry) +
989 				  ring->payload_size));
990 	memset(&msg, 0, sizeof(msg));
991 	msg.msg_type = BCM4377_CONTROL_MSG_CREATE_COMPLETION_RING;
992 	msg.id = cpu_to_le16(ring->ring_id);
993 	msg.id_again = cpu_to_le16(ring->ring_id);
994 	msg.ring_iova = cpu_to_le64(ring->ring_dma);
995 	msg.n_elements = cpu_to_le16(ring->n_entries);
996 	msg.intmod_bytes = cpu_to_le32(0xffffffff);
997 	msg.unk = cpu_to_le32(0xffffffff);
998 	msg.intmod_delay = cpu_to_le16(ring->delay);
999 	msg.footer_size = ring->payload_size / 4;
1000 
1001 	ret = bcm4377_enqueue(bcm4377, &bcm4377->control_h2d_ring, &msg,
1002 			      sizeof(msg), true);
1003 	if (!ret)
1004 		ring->enabled = true;
1005 
1006 	return ret;
1007 }
1008 
1009 static int bcm4377_destroy_completion_ring(struct bcm4377_data *bcm4377,
1010 					   struct bcm4377_completion_ring *ring)
1011 {
1012 	struct bcm4377_destroy_completion_ring_msg msg;
1013 	int ret;
1014 
1015 	memset(&msg, 0, sizeof(msg));
1016 	msg.msg_type = BCM4377_CONTROL_MSG_DESTROY_COMPLETION_RING;
1017 	msg.ring_id = cpu_to_le16(ring->ring_id);
1018 
1019 	ret = bcm4377_enqueue(bcm4377, &bcm4377->control_h2d_ring, &msg,
1020 			      sizeof(msg), true);
1021 	if (ret)
1022 		dev_warn(&bcm4377->pdev->dev,
1023 			 "failed to destroy completion ring %d\n",
1024 			 ring->ring_id);
1025 
1026 	ring->enabled = false;
1027 	return ret;
1028 }
1029 
1030 static int bcm4377_create_transfer_ring(struct bcm4377_data *bcm4377,
1031 					struct bcm4377_transfer_ring *ring)
1032 {
1033 	struct bcm4377_create_transfer_ring_msg msg;
1034 	u16 flags = 0;
1035 	int ret, i;
1036 	unsigned long spinlock_flags;
1037 
1038 	if (ring->virtual)
1039 		flags |= BCM4377_XFER_RING_FLAG_VIRTUAL;
1040 	if (ring->sync)
1041 		flags |= BCM4377_XFER_RING_FLAG_SYNC;
1042 
1043 	spin_lock_irqsave(&ring->lock, spinlock_flags);
1044 	memset(&msg, 0, sizeof(msg));
1045 	msg.msg_type = BCM4377_CONTROL_MSG_CREATE_XFER_RING;
1046 	msg.ring_id = cpu_to_le16(ring->ring_id);
1047 	msg.ring_id_again = cpu_to_le16(ring->ring_id);
1048 	msg.ring_iova = cpu_to_le64(ring->ring_dma);
1049 	msg.n_elements = cpu_to_le16(ring->n_entries);
1050 	msg.completion_ring_id = cpu_to_le16(ring->completion_ring);
1051 	msg.doorbell = cpu_to_le16(ring->doorbell);
1052 	msg.flags = cpu_to_le16(flags);
1053 	msg.footer_size = ring->payload_size / 4;
1054 
1055 	bcm4377->ring_state->xfer_ring_head[ring->ring_id] = 0;
1056 	bcm4377->ring_state->xfer_ring_tail[ring->ring_id] = 0;
1057 	ring->generation++;
1058 	spin_unlock_irqrestore(&ring->lock, spinlock_flags);
1059 
1060 	ret = bcm4377_enqueue(bcm4377, &bcm4377->control_h2d_ring, &msg,
1061 			      sizeof(msg), true);
1062 
1063 	spin_lock_irqsave(&ring->lock, spinlock_flags);
1064 
1065 	if (ring->d2h_buffers_only) {
1066 		for (i = 0; i < ring->n_entries; ++i) {
1067 			struct bcm4377_xfer_ring_entry *entry =
1068 				ring->ring + i * sizeof(*entry);
1069 			u16 raw_msgid = FIELD_PREP(BCM4377_MSGID_GENERATION,
1070 						   ring->generation);
1071 			raw_msgid |= FIELD_PREP(BCM4377_MSGID_ID, i);
1072 
1073 			memset(entry, 0, sizeof(*entry));
1074 			entry->id = cpu_to_le16(raw_msgid);
1075 			entry->len = cpu_to_le16(ring->mapped_payload_size);
1076 			entry->flags = BCM4377_XFER_RING_FLAG_PAYLOAD_MAPPED;
1077 			entry->payload =
1078 				cpu_to_le64(ring->payloads_dma +
1079 					    i * ring->mapped_payload_size);
1080 		}
1081 	}
1082 
1083 	/*
1084 	 * send some messages if this is a device->host ring to allow the device
1085 	 * to reply by acknowledging them in the completion ring
1086 	 */
1087 	if (ring->virtual || ring->d2h_buffers_only) {
1088 		bcm4377->ring_state->xfer_ring_head[ring->ring_id] =
1089 			cpu_to_le16(0xf);
1090 		bcm4377_ring_doorbell(bcm4377, ring->doorbell, 0xf);
1091 	}
1092 
1093 	ring->enabled = true;
1094 	spin_unlock_irqrestore(&ring->lock, spinlock_flags);
1095 
1096 	return ret;
1097 }
1098 
1099 static int bcm4377_destroy_transfer_ring(struct bcm4377_data *bcm4377,
1100 					 struct bcm4377_transfer_ring *ring)
1101 {
1102 	struct bcm4377_destroy_transfer_ring_msg msg;
1103 	int ret;
1104 
1105 	memset(&msg, 0, sizeof(msg));
1106 	msg.msg_type = BCM4377_CONTROL_MSG_DESTROY_XFER_RING;
1107 	msg.ring_id = cpu_to_le16(ring->ring_id);
1108 
1109 	ret = bcm4377_enqueue(bcm4377, &bcm4377->control_h2d_ring, &msg,
1110 			      sizeof(msg), true);
1111 	if (ret)
1112 		dev_warn(&bcm4377->pdev->dev,
1113 			 "failed to destroy transfer ring %d\n", ring->ring_id);
1114 
1115 	ring->enabled = false;
1116 	return ret;
1117 }
1118 
1119 static int __bcm4378_send_calibration_chunk(struct bcm4377_data *bcm4377,
1120 					    const void *data, size_t data_len,
1121 					    u16 blocks_left)
1122 {
1123 	struct bcm4378_hci_send_calibration_cmd cmd;
1124 	struct sk_buff *skb;
1125 
1126 	if (data_len > sizeof(cmd.data))
1127 		return -EINVAL;
1128 
1129 	memset(&cmd, 0, sizeof(cmd));
1130 	cmd.unk = 0x03;
1131 	cmd.blocks_left = cpu_to_le16(blocks_left);
1132 	memcpy(cmd.data, data, data_len);
1133 
1134 	skb = __hci_cmd_sync(bcm4377->hdev, 0xfd97, sizeof(cmd), &cmd,
1135 			     HCI_INIT_TIMEOUT);
1136 	if (IS_ERR(skb))
1137 		return PTR_ERR(skb);
1138 
1139 	kfree_skb(skb);
1140 	return 0;
1141 }
1142 
1143 static int __bcm4378_send_calibration(struct bcm4377_data *bcm4377,
1144 				      const void *data, size_t data_size)
1145 {
1146 	int ret;
1147 	size_t i, left, transfer_len;
1148 	size_t blocks =
1149 		DIV_ROUND_UP(data_size, (size_t)BCM4378_CALIBRATION_CHUNK_SIZE);
1150 
1151 	if (!data) {
1152 		dev_err(&bcm4377->pdev->dev,
1153 			"no calibration data available.\n");
1154 		return -ENOENT;
1155 	}
1156 
1157 	for (i = 0, left = data_size; i < blocks; ++i, left -= transfer_len) {
1158 		transfer_len =
1159 			min_t(size_t, left, BCM4378_CALIBRATION_CHUNK_SIZE);
1160 
1161 		ret = __bcm4378_send_calibration_chunk(
1162 			bcm4377, data + i * BCM4378_CALIBRATION_CHUNK_SIZE,
1163 			transfer_len, blocks - i - 1);
1164 		if (ret) {
1165 			dev_err(&bcm4377->pdev->dev,
1166 				"send calibration chunk failed with %d\n", ret);
1167 			return ret;
1168 		}
1169 	}
1170 
1171 	return 0;
1172 }
1173 
1174 static int bcm4378_send_calibration(struct bcm4377_data *bcm4377)
1175 {
1176 	if ((strcmp(bcm4377->stepping, "b1") == 0) ||
1177 	    strcmp(bcm4377->stepping, "b3") == 0)
1178 		return __bcm4378_send_calibration(
1179 			bcm4377, bcm4377->taurus_beamforming_cal_blob,
1180 			bcm4377->taurus_beamforming_cal_size);
1181 	else
1182 		return __bcm4378_send_calibration(bcm4377,
1183 						  bcm4377->taurus_cal_blob,
1184 						  bcm4377->taurus_cal_size);
1185 }
1186 
1187 static int bcm4387_send_calibration(struct bcm4377_data *bcm4377)
1188 {
1189 	if (strcmp(bcm4377->stepping, "c2") == 0)
1190 		return __bcm4378_send_calibration(
1191 			bcm4377, bcm4377->taurus_beamforming_cal_blob,
1192 			bcm4377->taurus_beamforming_cal_size);
1193 	else
1194 		return __bcm4378_send_calibration(bcm4377,
1195 						  bcm4377->taurus_cal_blob,
1196 						  bcm4377->taurus_cal_size);
1197 }
1198 
1199 static const struct firmware *bcm4377_request_blob(struct bcm4377_data *bcm4377,
1200 						   const char *suffix)
1201 {
1202 	const struct firmware *fw;
1203 	char name0[64], name1[64];
1204 	int ret;
1205 
1206 	snprintf(name0, sizeof(name0), "brcm/brcmbt%04x%s-%s-%s.%s",
1207 		 bcm4377->hw->id, bcm4377->stepping, bcm4377->board_type,
1208 		 bcm4377->vendor, suffix);
1209 	snprintf(name1, sizeof(name1), "brcm/brcmbt%04x%s-%s.%s",
1210 		 bcm4377->hw->id, bcm4377->stepping, bcm4377->board_type,
1211 		 suffix);
1212 	dev_dbg(&bcm4377->pdev->dev, "Trying to load firmware: '%s' or '%s'\n",
1213 		name0, name1);
1214 
1215 	ret = firmware_request_nowarn(&fw, name0, &bcm4377->pdev->dev);
1216 	if (!ret)
1217 		return fw;
1218 	ret = firmware_request_nowarn(&fw, name1, &bcm4377->pdev->dev);
1219 	if (!ret)
1220 		return fw;
1221 
1222 	dev_err(&bcm4377->pdev->dev,
1223 		"Unable to load firmware; tried '%s' and '%s'\n", name0, name1);
1224 	return NULL;
1225 }
1226 
1227 static int bcm4377_send_ptb(struct bcm4377_data *bcm4377,
1228 			    const struct firmware *fw)
1229 {
1230 	struct sk_buff *skb;
1231 
1232 	skb = __hci_cmd_sync(bcm4377->hdev, 0xfd98, fw->size, fw->data,
1233 			     HCI_INIT_TIMEOUT);
1234 	/*
1235 	 * This command seems to always fail on more recent firmware versions
1236 	 * (even in traces taken from the macOS driver). It's unclear why this
1237 	 * happens but because the PTB file contains calibration and/or
1238 	 * regulatory data and may be required on older firmware we still try to
1239 	 * send it here just in case and just ignore if it fails.
1240 	 */
1241 	if (!IS_ERR(skb))
1242 		kfree_skb(skb);
1243 	return 0;
1244 }
1245 
1246 static int bcm4378_send_ptb_chunk(struct bcm4377_data *bcm4377,
1247 				  const void *data, size_t data_len,
1248 				  u16 blocks_left)
1249 {
1250 	struct bcm4378_hci_send_ptb_cmd cmd;
1251 	struct sk_buff *skb;
1252 
1253 	if (data_len > BCM4378_PTB_CHUNK_SIZE)
1254 		return -EINVAL;
1255 
1256 	memset(&cmd, 0, sizeof(cmd));
1257 	cmd.blocks_left = cpu_to_le16(blocks_left);
1258 	memcpy(cmd.data, data, data_len);
1259 
1260 	skb = __hci_cmd_sync(bcm4377->hdev, 0xfe0d, sizeof(cmd), &cmd,
1261 			     HCI_INIT_TIMEOUT);
1262 	if (IS_ERR(skb))
1263 		return PTR_ERR(skb);
1264 
1265 	kfree_skb(skb);
1266 	return 0;
1267 }
1268 
1269 static int bcm4378_send_ptb(struct bcm4377_data *bcm4377,
1270 			    const struct firmware *fw)
1271 {
1272 	size_t chunks = DIV_ROUND_UP(fw->size, (size_t)BCM4378_PTB_CHUNK_SIZE);
1273 	size_t i, left, transfer_len;
1274 	int ret;
1275 
1276 	for (i = 0, left = fw->size; i < chunks; ++i, left -= transfer_len) {
1277 		transfer_len = min_t(size_t, left, BCM4378_PTB_CHUNK_SIZE);
1278 
1279 		dev_dbg(&bcm4377->pdev->dev, "sending ptb chunk %zu/%zu\n",
1280 			i + 1, chunks);
1281 		ret = bcm4378_send_ptb_chunk(
1282 			bcm4377, fw->data + i * BCM4378_PTB_CHUNK_SIZE,
1283 			transfer_len, chunks - i - 1);
1284 		if (ret) {
1285 			dev_err(&bcm4377->pdev->dev,
1286 				"sending ptb chunk %zu failed (%d)", i, ret);
1287 			return ret;
1288 		}
1289 	}
1290 
1291 	return 0;
1292 }
1293 
1294 static int bcm4377_hci_open(struct hci_dev *hdev)
1295 {
1296 	struct bcm4377_data *bcm4377 = hci_get_drvdata(hdev);
1297 	int ret;
1298 
1299 	dev_dbg(&bcm4377->pdev->dev, "creating rings\n");
1300 
1301 	ret = bcm4377_create_completion_ring(bcm4377,
1302 					     &bcm4377->hci_acl_ack_ring);
1303 	if (ret)
1304 		return ret;
1305 	ret = bcm4377_create_completion_ring(bcm4377,
1306 					     &bcm4377->hci_acl_event_ring);
1307 	if (ret)
1308 		goto destroy_hci_acl_ack;
1309 	ret = bcm4377_create_completion_ring(bcm4377, &bcm4377->sco_ack_ring);
1310 	if (ret)
1311 		goto destroy_hci_acl_event;
1312 	ret = bcm4377_create_completion_ring(bcm4377, &bcm4377->sco_event_ring);
1313 	if (ret)
1314 		goto destroy_sco_ack;
1315 	dev_dbg(&bcm4377->pdev->dev,
1316 		"all completion rings successfully created!\n");
1317 
1318 	ret = bcm4377_create_transfer_ring(bcm4377, &bcm4377->hci_h2d_ring);
1319 	if (ret)
1320 		goto destroy_sco_event;
1321 	ret = bcm4377_create_transfer_ring(bcm4377, &bcm4377->hci_d2h_ring);
1322 	if (ret)
1323 		goto destroy_hci_h2d;
1324 	ret = bcm4377_create_transfer_ring(bcm4377, &bcm4377->sco_h2d_ring);
1325 	if (ret)
1326 		goto destroy_hci_d2h;
1327 	ret = bcm4377_create_transfer_ring(bcm4377, &bcm4377->sco_d2h_ring);
1328 	if (ret)
1329 		goto destroy_sco_h2d;
1330 	ret = bcm4377_create_transfer_ring(bcm4377, &bcm4377->acl_h2d_ring);
1331 	if (ret)
1332 		goto destroy_sco_d2h;
1333 	ret = bcm4377_create_transfer_ring(bcm4377, &bcm4377->acl_d2h_ring);
1334 	if (ret)
1335 		goto destroy_acl_h2d;
1336 	dev_dbg(&bcm4377->pdev->dev,
1337 		"all transfer rings successfully created!\n");
1338 
1339 	return 0;
1340 
1341 destroy_acl_h2d:
1342 	bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->acl_h2d_ring);
1343 destroy_sco_d2h:
1344 	bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->sco_d2h_ring);
1345 destroy_sco_h2d:
1346 	bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->sco_h2d_ring);
1347 destroy_hci_d2h:
1348 	bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->hci_h2d_ring);
1349 destroy_hci_h2d:
1350 	bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->hci_d2h_ring);
1351 destroy_sco_event:
1352 	bcm4377_destroy_completion_ring(bcm4377, &bcm4377->sco_event_ring);
1353 destroy_sco_ack:
1354 	bcm4377_destroy_completion_ring(bcm4377, &bcm4377->sco_ack_ring);
1355 destroy_hci_acl_event:
1356 	bcm4377_destroy_completion_ring(bcm4377, &bcm4377->hci_acl_event_ring);
1357 destroy_hci_acl_ack:
1358 	bcm4377_destroy_completion_ring(bcm4377, &bcm4377->hci_acl_ack_ring);
1359 
1360 	dev_err(&bcm4377->pdev->dev, "Creating rings failed with %d\n", ret);
1361 	return ret;
1362 }
1363 
1364 static int bcm4377_hci_close(struct hci_dev *hdev)
1365 {
1366 	struct bcm4377_data *bcm4377 = hci_get_drvdata(hdev);
1367 
1368 	dev_dbg(&bcm4377->pdev->dev, "destroying rings in hci_close\n");
1369 
1370 	bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->acl_d2h_ring);
1371 	bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->acl_h2d_ring);
1372 	bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->sco_d2h_ring);
1373 	bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->sco_h2d_ring);
1374 	bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->hci_d2h_ring);
1375 	bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->hci_h2d_ring);
1376 
1377 	bcm4377_destroy_completion_ring(bcm4377, &bcm4377->sco_event_ring);
1378 	bcm4377_destroy_completion_ring(bcm4377, &bcm4377->sco_ack_ring);
1379 	bcm4377_destroy_completion_ring(bcm4377, &bcm4377->hci_acl_event_ring);
1380 	bcm4377_destroy_completion_ring(bcm4377, &bcm4377->hci_acl_ack_ring);
1381 
1382 	return 0;
1383 }
1384 
1385 static bool bcm4377_is_valid_bdaddr(struct bcm4377_data *bcm4377,
1386 				    bdaddr_t *addr)
1387 {
1388 	if (addr->b[0] != 0x93)
1389 		return true;
1390 	if (addr->b[1] != 0x76)
1391 		return true;
1392 	if (addr->b[2] != 0x00)
1393 		return true;
1394 	if (addr->b[4] != (bcm4377->hw->id & 0xff))
1395 		return true;
1396 	if (addr->b[5] != (bcm4377->hw->id >> 8))
1397 		return true;
1398 	return false;
1399 }
1400 
1401 static int bcm4377_check_bdaddr(struct bcm4377_data *bcm4377)
1402 {
1403 	struct hci_rp_read_bd_addr *bda;
1404 	struct sk_buff *skb;
1405 
1406 	skb = __hci_cmd_sync(bcm4377->hdev, HCI_OP_READ_BD_ADDR, 0, NULL,
1407 			     HCI_INIT_TIMEOUT);
1408 	if (IS_ERR(skb)) {
1409 		int err = PTR_ERR(skb);
1410 
1411 		dev_err(&bcm4377->pdev->dev, "HCI_OP_READ_BD_ADDR failed (%d)",
1412 			err);
1413 		return err;
1414 	}
1415 
1416 	if (skb->len != sizeof(*bda)) {
1417 		dev_err(&bcm4377->pdev->dev,
1418 			"HCI_OP_READ_BD_ADDR reply length invalid");
1419 		kfree_skb(skb);
1420 		return -EIO;
1421 	}
1422 
1423 	bda = (struct hci_rp_read_bd_addr *)skb->data;
1424 	if (!bcm4377_is_valid_bdaddr(bcm4377, &bda->bdaddr))
1425 		set_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &bcm4377->hdev->quirks);
1426 
1427 	kfree_skb(skb);
1428 	return 0;
1429 }
1430 
1431 static int bcm4377_hci_setup(struct hci_dev *hdev)
1432 {
1433 	struct bcm4377_data *bcm4377 = hci_get_drvdata(hdev);
1434 	const struct firmware *fw;
1435 	int ret;
1436 
1437 	if (bcm4377->hw->send_calibration) {
1438 		ret = bcm4377->hw->send_calibration(bcm4377);
1439 		if (ret)
1440 			return ret;
1441 	}
1442 
1443 	fw = bcm4377_request_blob(bcm4377, "ptb");
1444 	if (!fw) {
1445 		dev_err(&bcm4377->pdev->dev, "failed to load PTB data");
1446 		return -ENOENT;
1447 	}
1448 
1449 	ret = bcm4377->hw->send_ptb(bcm4377, fw);
1450 	release_firmware(fw);
1451 	if (ret)
1452 		return ret;
1453 
1454 	return bcm4377_check_bdaddr(bcm4377);
1455 }
1456 
1457 static int bcm4377_hci_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
1458 {
1459 	struct bcm4377_data *bcm4377 = hci_get_drvdata(hdev);
1460 	struct bcm4377_transfer_ring *ring;
1461 	int ret;
1462 
1463 	switch (hci_skb_pkt_type(skb)) {
1464 	case HCI_COMMAND_PKT:
1465 		hdev->stat.cmd_tx++;
1466 		ring = &bcm4377->hci_h2d_ring;
1467 		break;
1468 
1469 	case HCI_ACLDATA_PKT:
1470 		hdev->stat.acl_tx++;
1471 		ring = &bcm4377->acl_h2d_ring;
1472 		break;
1473 
1474 	case HCI_SCODATA_PKT:
1475 		hdev->stat.sco_tx++;
1476 		ring = &bcm4377->sco_h2d_ring;
1477 		break;
1478 
1479 	default:
1480 		return -EILSEQ;
1481 	}
1482 
1483 	ret = bcm4377_enqueue(bcm4377, ring, skb->data, skb->len, false);
1484 	if (ret < 0) {
1485 		hdev->stat.err_tx++;
1486 		return ret;
1487 	}
1488 
1489 	hdev->stat.byte_tx += skb->len;
1490 	kfree_skb(skb);
1491 	return ret;
1492 }
1493 
1494 static int bcm4377_hci_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr)
1495 {
1496 	struct bcm4377_data *bcm4377 = hci_get_drvdata(hdev);
1497 	struct sk_buff *skb;
1498 	int err;
1499 
1500 	skb = __hci_cmd_sync(hdev, 0xfc01, 6, bdaddr, HCI_INIT_TIMEOUT);
1501 	if (IS_ERR(skb)) {
1502 		err = PTR_ERR(skb);
1503 		dev_err(&bcm4377->pdev->dev,
1504 			"Change address command failed (%d)", err);
1505 		return err;
1506 	}
1507 	kfree_skb(skb);
1508 
1509 	return 0;
1510 }
1511 
1512 static int bcm4377_alloc_transfer_ring(struct bcm4377_data *bcm4377,
1513 				       struct bcm4377_transfer_ring *ring)
1514 {
1515 	size_t entry_size;
1516 
1517 	spin_lock_init(&ring->lock);
1518 	ring->payload_size = ALIGN(ring->payload_size, 4);
1519 	ring->mapped_payload_size = ALIGN(ring->mapped_payload_size, 4);
1520 
1521 	if (ring->payload_size > BCM4377_XFER_RING_MAX_INPLACE_PAYLOAD_SIZE)
1522 		return -EINVAL;
1523 	if (ring->n_entries > BCM4377_MAX_RING_SIZE)
1524 		return -EINVAL;
1525 	if (ring->virtual && ring->allow_wait)
1526 		return -EINVAL;
1527 
1528 	if (ring->d2h_buffers_only) {
1529 		if (ring->virtual)
1530 			return -EINVAL;
1531 		if (ring->payload_size)
1532 			return -EINVAL;
1533 		if (!ring->mapped_payload_size)
1534 			return -EINVAL;
1535 	}
1536 	if (ring->virtual)
1537 		return 0;
1538 
1539 	entry_size =
1540 		ring->payload_size + sizeof(struct bcm4377_xfer_ring_entry);
1541 	ring->ring = dmam_alloc_coherent(&bcm4377->pdev->dev,
1542 					 ring->n_entries * entry_size,
1543 					 &ring->ring_dma, GFP_KERNEL);
1544 	if (!ring->ring)
1545 		return -ENOMEM;
1546 
1547 	if (ring->allow_wait) {
1548 		ring->events = devm_kcalloc(&bcm4377->pdev->dev,
1549 					    ring->n_entries,
1550 					    sizeof(*ring->events), GFP_KERNEL);
1551 		if (!ring->events)
1552 			return -ENOMEM;
1553 	}
1554 
1555 	if (ring->mapped_payload_size) {
1556 		ring->payloads = dmam_alloc_coherent(
1557 			&bcm4377->pdev->dev,
1558 			ring->n_entries * ring->mapped_payload_size,
1559 			&ring->payloads_dma, GFP_KERNEL);
1560 		if (!ring->payloads)
1561 			return -ENOMEM;
1562 	}
1563 
1564 	return 0;
1565 }
1566 
1567 static int bcm4377_alloc_completion_ring(struct bcm4377_data *bcm4377,
1568 					 struct bcm4377_completion_ring *ring)
1569 {
1570 	size_t entry_size;
1571 
1572 	ring->payload_size = ALIGN(ring->payload_size, 4);
1573 	if (ring->payload_size > BCM4377_XFER_RING_MAX_INPLACE_PAYLOAD_SIZE)
1574 		return -EINVAL;
1575 	if (ring->n_entries > BCM4377_MAX_RING_SIZE)
1576 		return -EINVAL;
1577 
1578 	entry_size = ring->payload_size +
1579 		     sizeof(struct bcm4377_completion_ring_entry);
1580 
1581 	ring->ring = dmam_alloc_coherent(&bcm4377->pdev->dev,
1582 					 ring->n_entries * entry_size,
1583 					 &ring->ring_dma, GFP_KERNEL);
1584 	if (!ring->ring)
1585 		return -ENOMEM;
1586 	return 0;
1587 }
1588 
1589 static int bcm4377_init_context(struct bcm4377_data *bcm4377)
1590 {
1591 	struct device *dev = &bcm4377->pdev->dev;
1592 	dma_addr_t peripheral_info_dma;
1593 
1594 	bcm4377->ctx = dmam_alloc_coherent(dev, sizeof(*bcm4377->ctx),
1595 					   &bcm4377->ctx_dma, GFP_KERNEL);
1596 	if (!bcm4377->ctx)
1597 		return -ENOMEM;
1598 	memset(bcm4377->ctx, 0, sizeof(*bcm4377->ctx));
1599 
1600 	bcm4377->ring_state =
1601 		dmam_alloc_coherent(dev, sizeof(*bcm4377->ring_state),
1602 				    &bcm4377->ring_state_dma, GFP_KERNEL);
1603 	if (!bcm4377->ring_state)
1604 		return -ENOMEM;
1605 	memset(bcm4377->ring_state, 0, sizeof(*bcm4377->ring_state));
1606 
1607 	bcm4377->ctx->version = cpu_to_le16(1);
1608 	bcm4377->ctx->size = cpu_to_le16(sizeof(*bcm4377->ctx));
1609 	bcm4377->ctx->enabled_caps = cpu_to_le32(2);
1610 
1611 	/*
1612 	 * The BT device will write 0x20 bytes of data to this buffer but
1613 	 * the exact contents are unknown. It only needs to exist for BT
1614 	 * to work such that we can just allocate and then ignore it.
1615 	 */
1616 	if (!dmam_alloc_coherent(&bcm4377->pdev->dev, 0x20,
1617 				 &peripheral_info_dma, GFP_KERNEL))
1618 		return -ENOMEM;
1619 	bcm4377->ctx->peripheral_info_addr = cpu_to_le64(peripheral_info_dma);
1620 
1621 	bcm4377->ctx->xfer_ring_heads_addr = cpu_to_le64(
1622 		bcm4377->ring_state_dma +
1623 		offsetof(struct bcm4377_ring_state, xfer_ring_head));
1624 	bcm4377->ctx->xfer_ring_tails_addr = cpu_to_le64(
1625 		bcm4377->ring_state_dma +
1626 		offsetof(struct bcm4377_ring_state, xfer_ring_tail));
1627 	bcm4377->ctx->completion_ring_heads_addr = cpu_to_le64(
1628 		bcm4377->ring_state_dma +
1629 		offsetof(struct bcm4377_ring_state, completion_ring_head));
1630 	bcm4377->ctx->completion_ring_tails_addr = cpu_to_le64(
1631 		bcm4377->ring_state_dma +
1632 		offsetof(struct bcm4377_ring_state, completion_ring_tail));
1633 
1634 	bcm4377->ctx->n_completion_rings =
1635 		cpu_to_le16(BCM4377_N_COMPLETION_RINGS);
1636 	bcm4377->ctx->n_xfer_rings = cpu_to_le16(BCM4377_N_TRANSFER_RINGS);
1637 
1638 	bcm4377->ctx->control_completion_ring_addr =
1639 		cpu_to_le64(bcm4377->control_ack_ring.ring_dma);
1640 	bcm4377->ctx->control_completion_ring_n_entries =
1641 		cpu_to_le16(bcm4377->control_ack_ring.n_entries);
1642 	bcm4377->ctx->control_completion_ring_doorbell = cpu_to_le16(0xffff);
1643 	bcm4377->ctx->control_completion_ring_msi = 0;
1644 	bcm4377->ctx->control_completion_ring_header_size = 0;
1645 	bcm4377->ctx->control_completion_ring_footer_size = 0;
1646 
1647 	bcm4377->ctx->control_xfer_ring_addr =
1648 		cpu_to_le64(bcm4377->control_h2d_ring.ring_dma);
1649 	bcm4377->ctx->control_xfer_ring_n_entries =
1650 		cpu_to_le16(bcm4377->control_h2d_ring.n_entries);
1651 	bcm4377->ctx->control_xfer_ring_doorbell =
1652 		cpu_to_le16(bcm4377->control_h2d_ring.doorbell);
1653 	bcm4377->ctx->control_xfer_ring_msi = 0;
1654 	bcm4377->ctx->control_xfer_ring_header_size = 0;
1655 	bcm4377->ctx->control_xfer_ring_footer_size =
1656 		bcm4377->control_h2d_ring.payload_size / 4;
1657 
1658 	dev_dbg(&bcm4377->pdev->dev, "context initialized at IOVA %pad",
1659 		&bcm4377->ctx_dma);
1660 
1661 	return 0;
1662 }
1663 
1664 static int bcm4377_prepare_rings(struct bcm4377_data *bcm4377)
1665 {
1666 	int ret;
1667 
1668 	/*
1669 	 * Even though many of these settings appear to be configurable
1670 	 * when sending the "create ring" messages most of these are
1671 	 * actually hardcoded in some (and quite possibly all) firmware versions
1672 	 * and changing them on the host has no effect.
1673 	 * Specifically, this applies to at least the doorbells, the transfer
1674 	 * and completion ring ids and their mapping (e.g. both HCI and ACL
1675 	 * entries will always be queued in completion rings 1 and 2 no matter
1676 	 * what we configure here).
1677 	 */
1678 	bcm4377->control_ack_ring.ring_id = BCM4377_ACK_RING_CONTROL;
1679 	bcm4377->control_ack_ring.n_entries = 32;
1680 	bcm4377->control_ack_ring.transfer_rings =
1681 		BIT(BCM4377_XFER_RING_CONTROL);
1682 
1683 	bcm4377->hci_acl_ack_ring.ring_id = BCM4377_ACK_RING_HCI_ACL;
1684 	bcm4377->hci_acl_ack_ring.n_entries = 2 * BCM4377_RING_N_ENTRIES;
1685 	bcm4377->hci_acl_ack_ring.transfer_rings =
1686 		BIT(BCM4377_XFER_RING_HCI_H2D) | BIT(BCM4377_XFER_RING_ACL_H2D);
1687 	bcm4377->hci_acl_ack_ring.delay = 1000;
1688 
1689 	/*
1690 	 * A payload size of MAX_EVENT_PAYLOAD_SIZE is enough here since large
1691 	 * ACL packets will be transmitted inside buffers mapped via
1692 	 * acl_d2h_ring anyway.
1693 	 */
1694 	bcm4377->hci_acl_event_ring.ring_id = BCM4377_EVENT_RING_HCI_ACL;
1695 	bcm4377->hci_acl_event_ring.payload_size = MAX_EVENT_PAYLOAD_SIZE;
1696 	bcm4377->hci_acl_event_ring.n_entries = 2 * BCM4377_RING_N_ENTRIES;
1697 	bcm4377->hci_acl_event_ring.transfer_rings =
1698 		BIT(BCM4377_XFER_RING_HCI_D2H) | BIT(BCM4377_XFER_RING_ACL_D2H);
1699 	bcm4377->hci_acl_event_ring.delay = 1000;
1700 
1701 	bcm4377->sco_ack_ring.ring_id = BCM4377_ACK_RING_SCO;
1702 	bcm4377->sco_ack_ring.n_entries = BCM4377_RING_N_ENTRIES;
1703 	bcm4377->sco_ack_ring.transfer_rings = BIT(BCM4377_XFER_RING_SCO_H2D);
1704 
1705 	bcm4377->sco_event_ring.ring_id = BCM4377_EVENT_RING_SCO;
1706 	bcm4377->sco_event_ring.payload_size = MAX_SCO_PAYLOAD_SIZE;
1707 	bcm4377->sco_event_ring.n_entries = BCM4377_RING_N_ENTRIES;
1708 	bcm4377->sco_event_ring.transfer_rings = BIT(BCM4377_XFER_RING_SCO_D2H);
1709 
1710 	bcm4377->control_h2d_ring.ring_id = BCM4377_XFER_RING_CONTROL;
1711 	bcm4377->control_h2d_ring.doorbell = BCM4377_DOORBELL_CONTROL;
1712 	bcm4377->control_h2d_ring.payload_size = BCM4377_CONTROL_MSG_SIZE;
1713 	bcm4377->control_h2d_ring.completion_ring = BCM4377_ACK_RING_CONTROL;
1714 	bcm4377->control_h2d_ring.allow_wait = true;
1715 	bcm4377->control_h2d_ring.n_entries = BCM4377_RING_N_ENTRIES;
1716 
1717 	bcm4377->hci_h2d_ring.ring_id = BCM4377_XFER_RING_HCI_H2D;
1718 	bcm4377->hci_h2d_ring.doorbell = BCM4377_DOORBELL_HCI_H2D;
1719 	bcm4377->hci_h2d_ring.payload_size = MAX_EVENT_PAYLOAD_SIZE;
1720 	bcm4377->hci_h2d_ring.completion_ring = BCM4377_ACK_RING_HCI_ACL;
1721 	bcm4377->hci_h2d_ring.n_entries = BCM4377_RING_N_ENTRIES;
1722 
1723 	bcm4377->hci_d2h_ring.ring_id = BCM4377_XFER_RING_HCI_D2H;
1724 	bcm4377->hci_d2h_ring.doorbell = BCM4377_DOORBELL_HCI_D2H;
1725 	bcm4377->hci_d2h_ring.completion_ring = BCM4377_EVENT_RING_HCI_ACL;
1726 	bcm4377->hci_d2h_ring.virtual = true;
1727 	bcm4377->hci_d2h_ring.n_entries = BCM4377_RING_N_ENTRIES;
1728 
1729 	bcm4377->sco_h2d_ring.ring_id = BCM4377_XFER_RING_SCO_H2D;
1730 	bcm4377->sco_h2d_ring.doorbell = BCM4377_DOORBELL_SCO;
1731 	bcm4377->sco_h2d_ring.payload_size = MAX_SCO_PAYLOAD_SIZE;
1732 	bcm4377->sco_h2d_ring.completion_ring = BCM4377_ACK_RING_SCO;
1733 	bcm4377->sco_h2d_ring.sync = true;
1734 	bcm4377->sco_h2d_ring.n_entries = BCM4377_RING_N_ENTRIES;
1735 
1736 	bcm4377->sco_d2h_ring.ring_id = BCM4377_XFER_RING_SCO_D2H;
1737 	bcm4377->sco_d2h_ring.doorbell = BCM4377_DOORBELL_SCO;
1738 	bcm4377->sco_d2h_ring.completion_ring = BCM4377_EVENT_RING_SCO;
1739 	bcm4377->sco_d2h_ring.virtual = true;
1740 	bcm4377->sco_d2h_ring.sync = true;
1741 	bcm4377->sco_d2h_ring.n_entries = BCM4377_RING_N_ENTRIES;
1742 
1743 	/*
1744 	 * This ring has to use mapped_payload_size because the largest ACL
1745 	 * packet doesn't fit inside the largest possible footer
1746 	 */
1747 	bcm4377->acl_h2d_ring.ring_id = BCM4377_XFER_RING_ACL_H2D;
1748 	bcm4377->acl_h2d_ring.doorbell = BCM4377_DOORBELL_ACL_H2D;
1749 	bcm4377->acl_h2d_ring.mapped_payload_size = MAX_ACL_PAYLOAD_SIZE;
1750 	bcm4377->acl_h2d_ring.completion_ring = BCM4377_ACK_RING_HCI_ACL;
1751 	bcm4377->acl_h2d_ring.n_entries = BCM4377_RING_N_ENTRIES;
1752 
1753 	/*
1754 	 * This ring only contains empty buffers to be used by incoming
1755 	 * ACL packets that do not fit inside the footer of hci_acl_event_ring
1756 	 */
1757 	bcm4377->acl_d2h_ring.ring_id = BCM4377_XFER_RING_ACL_D2H;
1758 	bcm4377->acl_d2h_ring.doorbell = BCM4377_DOORBELL_ACL_D2H;
1759 	bcm4377->acl_d2h_ring.completion_ring = BCM4377_EVENT_RING_HCI_ACL;
1760 	bcm4377->acl_d2h_ring.d2h_buffers_only = true;
1761 	bcm4377->acl_d2h_ring.mapped_payload_size = MAX_ACL_PAYLOAD_SIZE;
1762 	bcm4377->acl_d2h_ring.n_entries = BCM4377_RING_N_ENTRIES;
1763 
1764 	/*
1765 	 * no need for any cleanup since this is only called from _probe
1766 	 * and only devres-managed allocations are used
1767 	 */
1768 	ret = bcm4377_alloc_transfer_ring(bcm4377, &bcm4377->control_h2d_ring);
1769 	if (ret)
1770 		return ret;
1771 	ret = bcm4377_alloc_transfer_ring(bcm4377, &bcm4377->hci_h2d_ring);
1772 	if (ret)
1773 		return ret;
1774 	ret = bcm4377_alloc_transfer_ring(bcm4377, &bcm4377->hci_d2h_ring);
1775 	if (ret)
1776 		return ret;
1777 	ret = bcm4377_alloc_transfer_ring(bcm4377, &bcm4377->sco_h2d_ring);
1778 	if (ret)
1779 		return ret;
1780 	ret = bcm4377_alloc_transfer_ring(bcm4377, &bcm4377->sco_d2h_ring);
1781 	if (ret)
1782 		return ret;
1783 	ret = bcm4377_alloc_transfer_ring(bcm4377, &bcm4377->acl_h2d_ring);
1784 	if (ret)
1785 		return ret;
1786 	ret = bcm4377_alloc_transfer_ring(bcm4377, &bcm4377->acl_d2h_ring);
1787 	if (ret)
1788 		return ret;
1789 
1790 	ret = bcm4377_alloc_completion_ring(bcm4377,
1791 					    &bcm4377->control_ack_ring);
1792 	if (ret)
1793 		return ret;
1794 	ret = bcm4377_alloc_completion_ring(bcm4377,
1795 					    &bcm4377->hci_acl_ack_ring);
1796 	if (ret)
1797 		return ret;
1798 	ret = bcm4377_alloc_completion_ring(bcm4377,
1799 					    &bcm4377->hci_acl_event_ring);
1800 	if (ret)
1801 		return ret;
1802 	ret = bcm4377_alloc_completion_ring(bcm4377, &bcm4377->sco_ack_ring);
1803 	if (ret)
1804 		return ret;
1805 	ret = bcm4377_alloc_completion_ring(bcm4377, &bcm4377->sco_event_ring);
1806 	if (ret)
1807 		return ret;
1808 
1809 	dev_dbg(&bcm4377->pdev->dev, "all rings allocated and prepared\n");
1810 
1811 	return 0;
1812 }
1813 
1814 static int bcm4377_boot(struct bcm4377_data *bcm4377)
1815 {
1816 	const struct firmware *fw;
1817 	void *bfr;
1818 	dma_addr_t fw_dma;
1819 	int ret = 0;
1820 	u32 bootstage, rti_status;
1821 
1822 	bootstage = ioread32(bcm4377->bar2 + BCM4377_BAR2_BOOTSTAGE);
1823 	rti_status = ioread32(bcm4377->bar2 + BCM4377_BAR2_RTI_STATUS);
1824 
1825 	if (bootstage != 0) {
1826 		dev_err(&bcm4377->pdev->dev, "bootstage is %d and not 0\n",
1827 			bootstage);
1828 		return -EINVAL;
1829 	}
1830 
1831 	if (rti_status != 0) {
1832 		dev_err(&bcm4377->pdev->dev, "RTI status is %d and not 0\n",
1833 			rti_status);
1834 		return -EINVAL;
1835 	}
1836 
1837 	fw = bcm4377_request_blob(bcm4377, "bin");
1838 	if (!fw) {
1839 		dev_err(&bcm4377->pdev->dev, "Failed to load firmware\n");
1840 		return -ENOENT;
1841 	}
1842 
1843 	bfr = dma_alloc_coherent(&bcm4377->pdev->dev, fw->size, &fw_dma,
1844 				 GFP_KERNEL);
1845 	if (!bfr) {
1846 		ret = -ENOMEM;
1847 		goto out_release_fw;
1848 	}
1849 
1850 	memcpy(bfr, fw->data, fw->size);
1851 
1852 	iowrite32(0, bcm4377->bar0 + BCM4377_BAR0_HOST_WINDOW_LO);
1853 	iowrite32(0, bcm4377->bar0 + BCM4377_BAR0_HOST_WINDOW_HI);
1854 	iowrite32(BCM4377_DMA_MASK,
1855 		  bcm4377->bar0 + BCM4377_BAR0_HOST_WINDOW_SIZE);
1856 
1857 	iowrite32(lower_32_bits(fw_dma), bcm4377->bar2 + BCM4377_BAR2_FW_LO);
1858 	iowrite32(upper_32_bits(fw_dma), bcm4377->bar2 + BCM4377_BAR2_FW_HI);
1859 	iowrite32(fw->size, bcm4377->bar2 + BCM4377_BAR2_FW_SIZE);
1860 	iowrite32(0, bcm4377->bar0 + BCM4377_BAR0_FW_DOORBELL);
1861 
1862 	dev_dbg(&bcm4377->pdev->dev, "waiting for firmware to boot\n");
1863 
1864 	ret = wait_for_completion_interruptible_timeout(&bcm4377->event,
1865 							BCM4377_TIMEOUT);
1866 	if (ret == 0) {
1867 		ret = -ETIMEDOUT;
1868 		goto out_dma_free;
1869 	} else if (ret < 0) {
1870 		goto out_dma_free;
1871 	}
1872 
1873 	if (bcm4377->bootstage != 2) {
1874 		dev_err(&bcm4377->pdev->dev, "boostage %d != 2\n",
1875 			bcm4377->bootstage);
1876 		ret = -ENXIO;
1877 		goto out_dma_free;
1878 	}
1879 
1880 	dev_dbg(&bcm4377->pdev->dev, "firmware has booted (stage = %x)\n",
1881 		bcm4377->bootstage);
1882 	ret = 0;
1883 
1884 out_dma_free:
1885 	dma_free_coherent(&bcm4377->pdev->dev, fw->size, bfr, fw_dma);
1886 out_release_fw:
1887 	release_firmware(fw);
1888 	return ret;
1889 }
1890 
1891 static int bcm4377_setup_rti(struct bcm4377_data *bcm4377)
1892 {
1893 	int ret;
1894 
1895 	dev_dbg(&bcm4377->pdev->dev, "starting RTI\n");
1896 	iowrite32(1, bcm4377->bar0 + BCM4377_BAR0_RTI_CONTROL);
1897 
1898 	ret = wait_for_completion_interruptible_timeout(&bcm4377->event,
1899 							BCM4377_TIMEOUT);
1900 	if (ret == 0) {
1901 		dev_err(&bcm4377->pdev->dev,
1902 			"timed out while waiting for RTI to transition to state 1");
1903 		return -ETIMEDOUT;
1904 	} else if (ret < 0) {
1905 		return ret;
1906 	}
1907 
1908 	if (bcm4377->rti_status != 1) {
1909 		dev_err(&bcm4377->pdev->dev, "RTI did not ack state 1 (%d)\n",
1910 			bcm4377->rti_status);
1911 		return -ENODEV;
1912 	}
1913 	dev_dbg(&bcm4377->pdev->dev, "RTI is in state 1\n");
1914 
1915 	/* allow access to the entire IOVA space again */
1916 	iowrite32(0, bcm4377->bar2 + BCM4377_BAR2_RTI_WINDOW_LO);
1917 	iowrite32(0, bcm4377->bar2 + BCM4377_BAR2_RTI_WINDOW_HI);
1918 	iowrite32(BCM4377_DMA_MASK,
1919 		  bcm4377->bar2 + BCM4377_BAR2_RTI_WINDOW_SIZE);
1920 
1921 	/* setup "Converged IPC" context */
1922 	iowrite32(lower_32_bits(bcm4377->ctx_dma),
1923 		  bcm4377->bar2 + BCM4377_BAR2_CONTEXT_ADDR_LO);
1924 	iowrite32(upper_32_bits(bcm4377->ctx_dma),
1925 		  bcm4377->bar2 + BCM4377_BAR2_CONTEXT_ADDR_HI);
1926 	iowrite32(2, bcm4377->bar0 + BCM4377_BAR0_RTI_CONTROL);
1927 
1928 	ret = wait_for_completion_interruptible_timeout(&bcm4377->event,
1929 							BCM4377_TIMEOUT);
1930 	if (ret == 0) {
1931 		dev_err(&bcm4377->pdev->dev,
1932 			"timed out while waiting for RTI to transition to state 2");
1933 		return -ETIMEDOUT;
1934 	} else if (ret < 0) {
1935 		return ret;
1936 	}
1937 
1938 	if (bcm4377->rti_status != 2) {
1939 		dev_err(&bcm4377->pdev->dev, "RTI did not ack state 2 (%d)\n",
1940 			bcm4377->rti_status);
1941 		return -ENODEV;
1942 	}
1943 
1944 	dev_dbg(&bcm4377->pdev->dev,
1945 		"RTI is in state 2; control ring is ready\n");
1946 	bcm4377->control_ack_ring.enabled = true;
1947 
1948 	return 0;
1949 }
1950 
1951 static int bcm4377_parse_otp_board_params(struct bcm4377_data *bcm4377,
1952 					  char tag, const char *val, size_t len)
1953 {
1954 	if (tag != 'V')
1955 		return 0;
1956 	if (len >= sizeof(bcm4377->vendor))
1957 		return -EINVAL;
1958 
1959 	strscpy(bcm4377->vendor, val, len + 1);
1960 	return 0;
1961 }
1962 
1963 static int bcm4377_parse_otp_chip_params(struct bcm4377_data *bcm4377, char tag,
1964 					 const char *val, size_t len)
1965 {
1966 	size_t idx = 0;
1967 
1968 	if (tag != 's')
1969 		return 0;
1970 	if (len >= sizeof(bcm4377->stepping))
1971 		return -EINVAL;
1972 
1973 	while (len != 0) {
1974 		bcm4377->stepping[idx] = tolower(val[idx]);
1975 		if (val[idx] == '\0')
1976 			return 0;
1977 
1978 		idx++;
1979 		len--;
1980 	}
1981 
1982 	bcm4377->stepping[idx] = '\0';
1983 	return 0;
1984 }
1985 
1986 static int bcm4377_parse_otp_str(struct bcm4377_data *bcm4377, const u8 *str,
1987 				 enum bcm4377_otp_params_type type)
1988 {
1989 	const char *p;
1990 	int ret;
1991 
1992 	p = skip_spaces(str);
1993 	while (*p) {
1994 		char tag = *p++;
1995 		const char *end;
1996 		size_t len;
1997 
1998 		if (*p++ != '=') /* implicit NUL check */
1999 			return -EINVAL;
2000 
2001 		/* *p might be NUL here, if so end == p and len == 0 */
2002 		end = strchrnul(p, ' ');
2003 		len = end - p;
2004 
2005 		/* leave 1 byte for NUL in destination string */
2006 		if (len > (BCM4377_OTP_MAX_PARAM_LEN - 1))
2007 			return -EINVAL;
2008 
2009 		switch (type) {
2010 		case BCM4377_OTP_BOARD_PARAMS:
2011 			ret = bcm4377_parse_otp_board_params(bcm4377, tag, p,
2012 							     len);
2013 			break;
2014 		case BCM4377_OTP_CHIP_PARAMS:
2015 			ret = bcm4377_parse_otp_chip_params(bcm4377, tag, p,
2016 							    len);
2017 			break;
2018 		default:
2019 			ret = -EINVAL;
2020 			break;
2021 		}
2022 
2023 		if (ret)
2024 			return ret;
2025 
2026 		/* Skip to next arg, if any */
2027 		p = skip_spaces(end);
2028 	}
2029 
2030 	return 0;
2031 }
2032 
2033 static int bcm4377_parse_otp_sys_vendor(struct bcm4377_data *bcm4377, u8 *otp,
2034 					size_t size)
2035 {
2036 	int idx = 4;
2037 	const char *chip_params;
2038 	const char *board_params;
2039 	int ret;
2040 
2041 	/* 4-byte header and two empty strings */
2042 	if (size < 6)
2043 		return -EINVAL;
2044 
2045 	if (get_unaligned_le32(otp) != BCM4377_OTP_VENDOR_HDR)
2046 		return -EINVAL;
2047 
2048 	chip_params = &otp[idx];
2049 
2050 	/* Skip first string, including terminator */
2051 	idx += strnlen(chip_params, size - idx) + 1;
2052 	if (idx >= size)
2053 		return -EINVAL;
2054 
2055 	board_params = &otp[idx];
2056 
2057 	/* Skip to terminator of second string */
2058 	idx += strnlen(board_params, size - idx);
2059 	if (idx >= size)
2060 		return -EINVAL;
2061 
2062 	/* At this point both strings are guaranteed NUL-terminated */
2063 	dev_dbg(&bcm4377->pdev->dev,
2064 		"OTP: chip_params='%s' board_params='%s'\n", chip_params,
2065 		board_params);
2066 
2067 	ret = bcm4377_parse_otp_str(bcm4377, chip_params,
2068 				    BCM4377_OTP_CHIP_PARAMS);
2069 	if (ret)
2070 		return ret;
2071 
2072 	ret = bcm4377_parse_otp_str(bcm4377, board_params,
2073 				    BCM4377_OTP_BOARD_PARAMS);
2074 	if (ret)
2075 		return ret;
2076 
2077 	if (!bcm4377->stepping[0] || !bcm4377->vendor[0])
2078 		return -EINVAL;
2079 
2080 	dev_dbg(&bcm4377->pdev->dev, "OTP: stepping=%s, vendor=%s\n",
2081 		bcm4377->stepping, bcm4377->vendor);
2082 	return 0;
2083 }
2084 
2085 static int bcm4377_parse_otp(struct bcm4377_data *bcm4377)
2086 {
2087 	u8 *otp;
2088 	int i;
2089 	int ret = -ENOENT;
2090 
2091 	otp = kzalloc(BCM4377_OTP_SIZE, GFP_KERNEL);
2092 	if (!otp)
2093 		return -ENOMEM;
2094 
2095 	for (i = 0; i < BCM4377_OTP_SIZE; ++i)
2096 		otp[i] = ioread8(bcm4377->bar0 + bcm4377->hw->otp_offset + i);
2097 
2098 	i = 0;
2099 	while (i < (BCM4377_OTP_SIZE - 1)) {
2100 		u8 type = otp[i];
2101 		u8 length = otp[i + 1];
2102 
2103 		if (type == 0)
2104 			break;
2105 
2106 		if ((i + 2 + length) > BCM4377_OTP_SIZE)
2107 			break;
2108 
2109 		switch (type) {
2110 		case BCM4377_OTP_SYS_VENDOR:
2111 			dev_dbg(&bcm4377->pdev->dev,
2112 				"OTP @ 0x%x (%d): SYS_VENDOR", i, length);
2113 			ret = bcm4377_parse_otp_sys_vendor(bcm4377, &otp[i + 2],
2114 							   length);
2115 			break;
2116 		case BCM4377_OTP_CIS:
2117 			dev_dbg(&bcm4377->pdev->dev, "OTP @ 0x%x (%d): CIS", i,
2118 				length);
2119 			break;
2120 		default:
2121 			dev_dbg(&bcm4377->pdev->dev, "OTP @ 0x%x (%d): unknown",
2122 				i, length);
2123 			break;
2124 		}
2125 
2126 		i += 2 + length;
2127 	}
2128 
2129 	kfree(otp);
2130 	return ret;
2131 }
2132 
2133 static int bcm4377_init_cfg(struct bcm4377_data *bcm4377)
2134 {
2135 	int ret;
2136 	u32 ctrl;
2137 
2138 	ret = pci_write_config_dword(bcm4377->pdev,
2139 				     BCM4377_PCIECFG_BAR0_WINDOW1,
2140 				     bcm4377->hw->bar0_window1);
2141 	if (ret)
2142 		return ret;
2143 
2144 	ret = pci_write_config_dword(bcm4377->pdev,
2145 				     BCM4377_PCIECFG_BAR0_WINDOW2,
2146 				     bcm4377->hw->bar0_window2);
2147 	if (ret)
2148 		return ret;
2149 
2150 	ret = pci_write_config_dword(
2151 		bcm4377->pdev, BCM4377_PCIECFG_BAR0_CORE2_WINDOW1,
2152 		BCM4377_PCIECFG_BAR0_CORE2_WINDOW1_DEFAULT);
2153 	if (ret)
2154 		return ret;
2155 
2156 	if (bcm4377->hw->has_bar0_core2_window2) {
2157 		ret = pci_write_config_dword(bcm4377->pdev,
2158 					     BCM4377_PCIECFG_BAR0_CORE2_WINDOW2,
2159 					     bcm4377->hw->bar0_core2_window2);
2160 		if (ret)
2161 			return ret;
2162 	}
2163 
2164 	ret = pci_write_config_dword(bcm4377->pdev, BCM4377_PCIECFG_BAR2_WINDOW,
2165 				     BCM4377_PCIECFG_BAR2_WINDOW_DEFAULT);
2166 	if (ret)
2167 		return ret;
2168 
2169 	ret = pci_read_config_dword(bcm4377->pdev,
2170 				    BCM4377_PCIECFG_SUBSYSTEM_CTRL, &ctrl);
2171 	if (ret)
2172 		return ret;
2173 
2174 	if (bcm4377->hw->clear_pciecfg_subsystem_ctrl_bit19)
2175 		ctrl &= ~BIT(19);
2176 	ctrl |= BIT(16);
2177 
2178 	return pci_write_config_dword(bcm4377->pdev,
2179 				      BCM4377_PCIECFG_SUBSYSTEM_CTRL, ctrl);
2180 }
2181 
2182 static int bcm4377_probe_dmi(struct bcm4377_data *bcm4377)
2183 {
2184 	const struct dmi_system_id *board_type_dmi_id;
2185 
2186 	board_type_dmi_id = dmi_first_match(bcm4377_dmi_board_table);
2187 	if (board_type_dmi_id && board_type_dmi_id->driver_data) {
2188 		bcm4377->board_type = board_type_dmi_id->driver_data;
2189 		dev_dbg(&bcm4377->pdev->dev,
2190 			"found board type via DMI match: %s\n",
2191 			bcm4377->board_type);
2192 	}
2193 
2194 	return 0;
2195 }
2196 
2197 static int bcm4377_probe_of(struct bcm4377_data *bcm4377)
2198 {
2199 	struct device_node *np = bcm4377->pdev->dev.of_node;
2200 	int ret;
2201 
2202 	if (!np)
2203 		return 0;
2204 
2205 	ret = of_property_read_string(np, "brcm,board-type",
2206 				      &bcm4377->board_type);
2207 	if (ret) {
2208 		dev_err(&bcm4377->pdev->dev, "no brcm,board-type property\n");
2209 		return ret;
2210 	}
2211 
2212 	bcm4377->taurus_beamforming_cal_blob =
2213 		of_get_property(np, "brcm,taurus-bf-cal-blob",
2214 				&bcm4377->taurus_beamforming_cal_size);
2215 	if (!bcm4377->taurus_beamforming_cal_blob) {
2216 		dev_err(&bcm4377->pdev->dev,
2217 			"no brcm,taurus-bf-cal-blob property\n");
2218 		return -ENOENT;
2219 	}
2220 	bcm4377->taurus_cal_blob = of_get_property(np, "brcm,taurus-cal-blob",
2221 						   &bcm4377->taurus_cal_size);
2222 	if (!bcm4377->taurus_cal_blob) {
2223 		dev_err(&bcm4377->pdev->dev,
2224 			"no brcm,taurus-cal-blob property\n");
2225 		return -ENOENT;
2226 	}
2227 
2228 	return 0;
2229 }
2230 
2231 static void bcm4377_disable_aspm(struct bcm4377_data *bcm4377)
2232 {
2233 	pci_disable_link_state(bcm4377->pdev,
2234 			       PCIE_LINK_STATE_L0S | PCIE_LINK_STATE_L1);
2235 
2236 	/*
2237 	 * pci_disable_link_state can fail if either CONFIG_PCIEASPM is disabled
2238 	 * or if the BIOS hasn't handed over control to us. We must *always*
2239 	 * disable ASPM for this device due to hardware errata though.
2240 	 */
2241 	pcie_capability_clear_word(bcm4377->pdev, PCI_EXP_LNKCTL,
2242 				   PCI_EXP_LNKCTL_ASPMC);
2243 }
2244 
2245 static void bcm4377_pci_free_irq_vectors(void *data)
2246 {
2247 	pci_free_irq_vectors(data);
2248 }
2249 
2250 static void bcm4377_hci_free_dev(void *data)
2251 {
2252 	hci_free_dev(data);
2253 }
2254 
2255 static void bcm4377_hci_unregister_dev(void *data)
2256 {
2257 	hci_unregister_dev(data);
2258 }
2259 
2260 static int bcm4377_probe(struct pci_dev *pdev, const struct pci_device_id *id)
2261 {
2262 	struct bcm4377_data *bcm4377;
2263 	struct hci_dev *hdev;
2264 	int ret, irq;
2265 
2266 	ret = dma_set_mask_and_coherent(&pdev->dev, BCM4377_DMA_MASK);
2267 	if (ret)
2268 		return ret;
2269 
2270 	bcm4377 = devm_kzalloc(&pdev->dev, sizeof(*bcm4377), GFP_KERNEL);
2271 	if (!bcm4377)
2272 		return -ENOMEM;
2273 
2274 	bcm4377->pdev = pdev;
2275 	bcm4377->hw = &bcm4377_hw_variants[id->driver_data];
2276 	init_completion(&bcm4377->event);
2277 
2278 	ret = bcm4377_prepare_rings(bcm4377);
2279 	if (ret)
2280 		return ret;
2281 
2282 	ret = bcm4377_init_context(bcm4377);
2283 	if (ret)
2284 		return ret;
2285 
2286 	ret = bcm4377_probe_dmi(bcm4377);
2287 	if (ret)
2288 		return ret;
2289 	ret = bcm4377_probe_of(bcm4377);
2290 	if (ret)
2291 		return ret;
2292 	if (!bcm4377->board_type) {
2293 		dev_err(&pdev->dev, "unable to determine board type\n");
2294 		return -ENODEV;
2295 	}
2296 
2297 	if (bcm4377->hw->disable_aspm)
2298 		bcm4377_disable_aspm(bcm4377);
2299 
2300 	ret = pci_reset_function_locked(pdev);
2301 	if (ret)
2302 		dev_warn(
2303 			&pdev->dev,
2304 			"function level reset failed with %d; trying to continue anyway\n",
2305 			ret);
2306 
2307 	/*
2308 	 * If this number is too low and we try to access any BAR too
2309 	 * early the device will crash. Experiments have shown that
2310 	 * approximately 50 msec is the minimum amount we have to wait.
2311 	 * Let's double that to be safe.
2312 	 */
2313 	msleep(100);
2314 
2315 	ret = pcim_enable_device(pdev);
2316 	if (ret)
2317 		return ret;
2318 	pci_set_master(pdev);
2319 
2320 	ret = bcm4377_init_cfg(bcm4377);
2321 	if (ret)
2322 		return ret;
2323 
2324 	bcm4377->bar0 = pcim_iomap(pdev, 0, 0);
2325 	if (!bcm4377->bar0)
2326 		return -EBUSY;
2327 	bcm4377->bar2 = pcim_iomap(pdev, 2, 0);
2328 	if (!bcm4377->bar2)
2329 		return -EBUSY;
2330 
2331 	ret = bcm4377_parse_otp(bcm4377);
2332 	if (ret) {
2333 		dev_err(&pdev->dev, "Reading OTP failed with %d\n", ret);
2334 		return ret;
2335 	}
2336 
2337 	/*
2338 	 * Legacy interrupts result in an IRQ storm because we don't know where
2339 	 * the interrupt mask and status registers for these chips are.
2340 	 * MSIs are acked automatically instead.
2341 	 */
2342 	ret = pci_alloc_irq_vectors(pdev, 1, 1, PCI_IRQ_MSI);
2343 	if (ret < 0)
2344 		return -ENODEV;
2345 	ret = devm_add_action_or_reset(&pdev->dev, bcm4377_pci_free_irq_vectors,
2346 				       pdev);
2347 	if (ret)
2348 		return ret;
2349 
2350 	irq = pci_irq_vector(pdev, 0);
2351 	if (irq <= 0)
2352 		return -ENODEV;
2353 
2354 	ret = devm_request_irq(&pdev->dev, irq, bcm4377_irq, 0, "bcm4377",
2355 			       bcm4377);
2356 	if (ret)
2357 		return ret;
2358 
2359 	hdev = hci_alloc_dev();
2360 	if (!hdev)
2361 		return -ENOMEM;
2362 	ret = devm_add_action_or_reset(&pdev->dev, bcm4377_hci_free_dev, hdev);
2363 	if (ret)
2364 		return ret;
2365 
2366 	bcm4377->hdev = hdev;
2367 
2368 	hdev->bus = HCI_PCI;
2369 	hdev->open = bcm4377_hci_open;
2370 	hdev->close = bcm4377_hci_close;
2371 	hdev->send = bcm4377_hci_send_frame;
2372 	hdev->set_bdaddr = bcm4377_hci_set_bdaddr;
2373 	hdev->setup = bcm4377_hci_setup;
2374 
2375 	if (bcm4377->hw->broken_mws_transport_config)
2376 		set_bit(HCI_QUIRK_BROKEN_MWS_TRANSPORT_CONFIG, &hdev->quirks);
2377 	if (bcm4377->hw->broken_ext_scan)
2378 		set_bit(HCI_QUIRK_BROKEN_EXT_SCAN, &hdev->quirks);
2379 	if (bcm4377->hw->broken_le_coded)
2380 		set_bit(HCI_QUIRK_BROKEN_LE_CODED, &hdev->quirks);
2381 	if (bcm4377->hw->broken_le_ext_adv_report_phy)
2382 		set_bit(HCI_QUIRK_FIXUP_LE_EXT_ADV_REPORT_PHY, &hdev->quirks);
2383 
2384 	pci_set_drvdata(pdev, bcm4377);
2385 	hci_set_drvdata(hdev, bcm4377);
2386 	SET_HCIDEV_DEV(hdev, &pdev->dev);
2387 
2388 	ret = bcm4377_boot(bcm4377);
2389 	if (ret)
2390 		return ret;
2391 
2392 	ret = bcm4377_setup_rti(bcm4377);
2393 	if (ret)
2394 		return ret;
2395 
2396 	ret = hci_register_dev(hdev);
2397 	if (ret)
2398 		return ret;
2399 	return devm_add_action_or_reset(&pdev->dev, bcm4377_hci_unregister_dev,
2400 					hdev);
2401 }
2402 
2403 static int bcm4377_suspend(struct pci_dev *pdev, pm_message_t state)
2404 {
2405 	struct bcm4377_data *bcm4377 = pci_get_drvdata(pdev);
2406 	int ret;
2407 
2408 	ret = hci_suspend_dev(bcm4377->hdev);
2409 	if (ret)
2410 		return ret;
2411 
2412 	iowrite32(BCM4377_BAR0_SLEEP_CONTROL_QUIESCE,
2413 		  bcm4377->bar0 + BCM4377_BAR0_SLEEP_CONTROL);
2414 
2415 	return 0;
2416 }
2417 
2418 static int bcm4377_resume(struct pci_dev *pdev)
2419 {
2420 	struct bcm4377_data *bcm4377 = pci_get_drvdata(pdev);
2421 
2422 	iowrite32(BCM4377_BAR0_SLEEP_CONTROL_UNQUIESCE,
2423 		  bcm4377->bar0 + BCM4377_BAR0_SLEEP_CONTROL);
2424 
2425 	return hci_resume_dev(bcm4377->hdev);
2426 }
2427 
2428 static const struct dmi_system_id bcm4377_dmi_board_table[] = {
2429 	{
2430 		.matches = {
2431 			DMI_MATCH(DMI_BOARD_VENDOR, "Apple Inc."),
2432 			DMI_MATCH(DMI_PRODUCT_NAME, "MacBookAir9,1"),
2433 		},
2434 		.driver_data = "apple,formosa",
2435 	},
2436 	{
2437 		.matches = {
2438 			DMI_MATCH(DMI_BOARD_VENDOR, "Apple Inc."),
2439 			DMI_MATCH(DMI_PRODUCT_NAME, "MacBookPro15,4"),
2440 		},
2441 		.driver_data = "apple,formosa",
2442 	},
2443 	{
2444 		.matches = {
2445 			DMI_MATCH(DMI_BOARD_VENDOR, "Apple Inc."),
2446 			DMI_MATCH(DMI_PRODUCT_NAME, "MacBookPro16,3"),
2447 		},
2448 		.driver_data = "apple,formosa",
2449 	},
2450 	{}
2451 };
2452 
2453 static const struct bcm4377_hw bcm4377_hw_variants[] = {
2454 	[BCM4377] = {
2455 		.id = 0x4377,
2456 		.otp_offset = 0x4120,
2457 		.bar0_window1 = 0x1800b000,
2458 		.bar0_window2 = 0x1810c000,
2459 		.disable_aspm = true,
2460 		.broken_ext_scan = true,
2461 		.send_ptb = bcm4377_send_ptb,
2462 	},
2463 
2464 	[BCM4378] = {
2465 		.id = 0x4378,
2466 		.otp_offset = 0x4120,
2467 		.bar0_window1 = 0x18002000,
2468 		.bar0_window2 = 0x1810a000,
2469 		.bar0_core2_window2 = 0x18107000,
2470 		.has_bar0_core2_window2 = true,
2471 		.broken_mws_transport_config = true,
2472 		.broken_le_coded = true,
2473 		.send_calibration = bcm4378_send_calibration,
2474 		.send_ptb = bcm4378_send_ptb,
2475 	},
2476 
2477 	[BCM4387] = {
2478 		.id = 0x4387,
2479 		.otp_offset = 0x413c,
2480 		.bar0_window1 = 0x18002000,
2481 		.bar0_window2 = 0x18109000,
2482 		.bar0_core2_window2 = 0x18106000,
2483 		.has_bar0_core2_window2 = true,
2484 		.clear_pciecfg_subsystem_ctrl_bit19 = true,
2485 		.broken_mws_transport_config = true,
2486 		.broken_le_coded = true,
2487 		.broken_le_ext_adv_report_phy = true,
2488 		.send_calibration = bcm4387_send_calibration,
2489 		.send_ptb = bcm4378_send_ptb,
2490 	},
2491 };
2492 
2493 #define BCM4377_DEVID_ENTRY(id)                                             \
2494 	{                                                                   \
2495 		PCI_VENDOR_ID_BROADCOM, BCM##id##_DEVICE_ID, PCI_ANY_ID,    \
2496 			PCI_ANY_ID, PCI_CLASS_NETWORK_OTHER << 8, 0xffff00, \
2497 			BCM##id                                             \
2498 	}
2499 
2500 static const struct pci_device_id bcm4377_devid_table[] = {
2501 	BCM4377_DEVID_ENTRY(4377),
2502 	BCM4377_DEVID_ENTRY(4378),
2503 	BCM4377_DEVID_ENTRY(4387),
2504 	{},
2505 };
2506 MODULE_DEVICE_TABLE(pci, bcm4377_devid_table);
2507 
2508 static struct pci_driver bcm4377_pci_driver = {
2509 	.name = "hci_bcm4377",
2510 	.id_table = bcm4377_devid_table,
2511 	.probe = bcm4377_probe,
2512 	.suspend = bcm4377_suspend,
2513 	.resume = bcm4377_resume,
2514 };
2515 module_pci_driver(bcm4377_pci_driver);
2516 
2517 MODULE_AUTHOR("Sven Peter <sven@svenpeter.dev>");
2518 MODULE_DESCRIPTION("Bluetooth support for Broadcom 4377/4378/4387 devices");
2519 MODULE_LICENSE("Dual MIT/GPL");
2520 MODULE_FIRMWARE("brcm/brcmbt4377*.bin");
2521 MODULE_FIRMWARE("brcm/brcmbt4377*.ptb");
2522 MODULE_FIRMWARE("brcm/brcmbt4378*.bin");
2523 MODULE_FIRMWARE("brcm/brcmbt4378*.ptb");
2524 MODULE_FIRMWARE("brcm/brcmbt4387*.bin");
2525 MODULE_FIRMWARE("brcm/brcmbt4387*.ptb");
2526