xref: /linux/drivers/bluetooth/hci_bcm4377.c (revision c532de5a67a70f8533d495f8f2aaa9a0491c3ad0)
1 // SPDX-License-Identifier: GPL-2.0-only OR MIT
2 /*
3  * Bluetooth HCI driver for Broadcom 4377/4378/4387/4388 devices attached via PCIe
4  *
5  * Copyright (C) The Asahi Linux Contributors
6  */
7 
8 #include <linux/async.h>
9 #include <linux/bitfield.h>
10 #include <linux/completion.h>
11 #include <linux/dma-mapping.h>
12 #include <linux/dmi.h>
13 #include <linux/firmware.h>
14 #include <linux/module.h>
15 #include <linux/msi.h>
16 #include <linux/of.h>
17 #include <linux/pci.h>
18 #include <linux/printk.h>
19 
20 #include <linux/unaligned.h>
21 
22 #include <net/bluetooth/bluetooth.h>
23 #include <net/bluetooth/hci_core.h>
24 
25 enum bcm4377_chip {
26 	BCM4377 = 0,
27 	BCM4378,
28 	BCM4387,
29 	BCM4388,
30 };
31 
32 #define BCM4377_DEVICE_ID 0x5fa0
33 #define BCM4378_DEVICE_ID 0x5f69
34 #define BCM4387_DEVICE_ID 0x5f71
35 #define BCM4388_DEVICE_ID 0x5f72
36 
37 #define BCM4377_TIMEOUT msecs_to_jiffies(1000)
38 #define BCM4377_BOOT_TIMEOUT msecs_to_jiffies(5000)
39 
40 /*
41  * These devices only support DMA transactions inside a 32bit window
42  * (possibly to avoid 64 bit arithmetic). The window size cannot exceed
43  * 0xffffffff but is always aligned down to the previous 0x200 byte boundary
44  * which effectively limits the window to [start, start+0xfffffe00].
45  * We just limit the DMA window to [0, 0xfffffe00] to make sure we don't
46  * run into this limitation.
47  */
48 #define BCM4377_DMA_MASK 0xfffffe00
49 
50 #define BCM4377_PCIECFG_BAR0_WINDOW1	   0x80
51 #define BCM4377_PCIECFG_BAR0_WINDOW2	   0x70
52 #define BCM4377_PCIECFG_BAR0_CORE2_WINDOW1 0x74
53 #define BCM4377_PCIECFG_BAR0_CORE2_WINDOW2 0x78
54 #define BCM4377_PCIECFG_BAR2_WINDOW	   0x84
55 
56 #define BCM4377_PCIECFG_BAR0_CORE2_WINDOW1_DEFAULT 0x18011000
57 #define BCM4377_PCIECFG_BAR2_WINDOW_DEFAULT	   0x19000000
58 
59 #define BCM4377_PCIECFG_SUBSYSTEM_CTRL 0x88
60 
61 #define BCM4377_BAR0_FW_DOORBELL 0x140
62 #define BCM4377_BAR0_RTI_CONTROL 0x144
63 
64 #define BCM4377_BAR0_SLEEP_CONTROL	      0x150
65 #define BCM4377_BAR0_SLEEP_CONTROL_UNQUIESCE  0
66 #define BCM4377_BAR0_SLEEP_CONTROL_AWAKE      2
67 #define BCM4377_BAR0_SLEEP_CONTROL_QUIESCE    3
68 
69 #define BCM4377_BAR0_DOORBELL	    0x174
70 #define BCM4377_BAR0_DOORBELL_VALUE GENMASK(31, 16)
71 #define BCM4377_BAR0_DOORBELL_IDX   GENMASK(15, 8)
72 #define BCM4377_BAR0_DOORBELL_RING  BIT(5)
73 
74 #define BCM4377_BAR0_HOST_WINDOW_LO   0x590
75 #define BCM4377_BAR0_HOST_WINDOW_HI   0x594
76 #define BCM4377_BAR0_HOST_WINDOW_SIZE 0x598
77 
78 #define BCM4377_BAR2_BOOTSTAGE 0x200454
79 
80 #define BCM4377_BAR2_FW_LO   0x200478
81 #define BCM4377_BAR2_FW_HI   0x20047c
82 #define BCM4377_BAR2_FW_SIZE 0x200480
83 
84 #define BCM4377_BAR2_CONTEXT_ADDR_LO 0x20048c
85 #define BCM4377_BAR2_CONTEXT_ADDR_HI 0x200450
86 
87 #define BCM4377_BAR2_RTI_STATUS	     0x20045c
88 #define BCM4377_BAR2_RTI_WINDOW_LO   0x200494
89 #define BCM4377_BAR2_RTI_WINDOW_HI   0x200498
90 #define BCM4377_BAR2_RTI_WINDOW_SIZE 0x20049c
91 
92 #define BCM4377_OTP_SIZE	  0xe0
93 #define BCM4377_OTP_SYS_VENDOR	  0x15
94 #define BCM4377_OTP_CIS		  0x80
95 #define BCM4377_OTP_VENDOR_HDR	  0x00000008
96 #define BCM4377_OTP_MAX_PARAM_LEN 16
97 
98 #define BCM4377_N_TRANSFER_RINGS   9
99 #define BCM4377_N_COMPLETION_RINGS 6
100 
101 #define BCM4377_MAX_RING_SIZE 256
102 
103 #define BCM4377_MSGID_GENERATION GENMASK(15, 8)
104 #define BCM4377_MSGID_ID	 GENMASK(7, 0)
105 
106 #define BCM4377_RING_N_ENTRIES 128
107 
108 #define BCM4377_CONTROL_MSG_SIZE		   0x34
109 #define BCM4377_XFER_RING_MAX_INPLACE_PAYLOAD_SIZE (4 * 0xff)
110 
111 #define MAX_ACL_PAYLOAD_SIZE   (HCI_MAX_FRAME_SIZE + HCI_ACL_HDR_SIZE)
112 #define MAX_SCO_PAYLOAD_SIZE   (HCI_MAX_SCO_SIZE + HCI_SCO_HDR_SIZE)
113 #define MAX_EVENT_PAYLOAD_SIZE (HCI_MAX_EVENT_SIZE + HCI_EVENT_HDR_SIZE)
114 
115 enum bcm4377_otp_params_type {
116 	BCM4377_OTP_BOARD_PARAMS,
117 	BCM4377_OTP_CHIP_PARAMS
118 };
119 
120 enum bcm4377_transfer_ring_id {
121 	BCM4377_XFER_RING_CONTROL = 0,
122 	BCM4377_XFER_RING_HCI_H2D = 1,
123 	BCM4377_XFER_RING_HCI_D2H = 2,
124 	BCM4377_XFER_RING_SCO_H2D = 3,
125 	BCM4377_XFER_RING_SCO_D2H = 4,
126 	BCM4377_XFER_RING_ACL_H2D = 5,
127 	BCM4377_XFER_RING_ACL_D2H = 6,
128 };
129 
130 enum bcm4377_completion_ring_id {
131 	BCM4377_ACK_RING_CONTROL = 0,
132 	BCM4377_ACK_RING_HCI_ACL = 1,
133 	BCM4377_EVENT_RING_HCI_ACL = 2,
134 	BCM4377_ACK_RING_SCO = 3,
135 	BCM4377_EVENT_RING_SCO = 4,
136 };
137 
138 enum bcm4377_doorbell {
139 	BCM4377_DOORBELL_CONTROL = 0,
140 	BCM4377_DOORBELL_HCI_H2D = 1,
141 	BCM4377_DOORBELL_HCI_D2H = 2,
142 	BCM4377_DOORBELL_ACL_H2D = 3,
143 	BCM4377_DOORBELL_ACL_D2H = 4,
144 	BCM4377_DOORBELL_SCO = 6,
145 };
146 
147 /*
148  * Transfer ring entry
149  *
150  * flags: Flags to indicate if the payload is appended or mapped
151  * len: Payload length
152  * payload: Optional payload DMA address
153  * id: Message id to recognize the answer in the completion ring entry
154  */
155 struct bcm4377_xfer_ring_entry {
156 #define BCM4377_XFER_RING_FLAG_PAYLOAD_MAPPED	 BIT(0)
157 #define BCM4377_XFER_RING_FLAG_PAYLOAD_IN_FOOTER BIT(1)
158 	u8 flags;
159 	__le16 len;
160 	u8 _unk0;
161 	__le64 payload;
162 	__le16 id;
163 	u8 _unk1[2];
164 } __packed;
165 static_assert(sizeof(struct bcm4377_xfer_ring_entry) == 0x10);
166 
167 /*
168  * Completion ring entry
169  *
170  * flags: Flags to indicate if the payload is appended or mapped. If the payload
171  *        is mapped it can be found in the buffer of the corresponding transfer
172  *        ring message.
173  * ring_id: Transfer ring ID which required this message
174  * msg_id: Message ID specified in transfer ring entry
175  * len: Payload length
176  */
177 struct bcm4377_completion_ring_entry {
178 	u8 flags;
179 	u8 _unk0;
180 	__le16 ring_id;
181 	__le16 msg_id;
182 	__le32 len;
183 	u8 _unk1[6];
184 } __packed;
185 static_assert(sizeof(struct bcm4377_completion_ring_entry) == 0x10);
186 
187 enum bcm4377_control_message_type {
188 	BCM4377_CONTROL_MSG_CREATE_XFER_RING = 1,
189 	BCM4377_CONTROL_MSG_CREATE_COMPLETION_RING = 2,
190 	BCM4377_CONTROL_MSG_DESTROY_XFER_RING = 3,
191 	BCM4377_CONTROL_MSG_DESTROY_COMPLETION_RING = 4,
192 };
193 
194 /*
195  * Control message used to create a completion ring
196  *
197  * msg_type: Must be BCM4377_CONTROL_MSG_CREATE_COMPLETION_RING
198  * header_size: Unknown, but probably reserved space in front of the entry
199  * footer_size: Number of 32 bit words reserved for payloads after the entry
200  * id/id_again: Completion ring index
201  * ring_iova: DMA address of the ring buffer
202  * n_elements: Number of elements inside the ring buffer
203  * msi: MSI index, doesn't work for all rings though and should be zero
204  * intmod_delay: Unknown delay
205  * intmod_bytes: Unknown
206  */
207 struct bcm4377_create_completion_ring_msg {
208 	u8 msg_type;
209 	u8 header_size;
210 	u8 footer_size;
211 	u8 _unk0;
212 	__le16 id;
213 	__le16 id_again;
214 	__le64 ring_iova;
215 	__le16 n_elements;
216 	__le32 unk;
217 	u8 _unk1[6];
218 	__le16 msi;
219 	__le16 intmod_delay;
220 	__le32 intmod_bytes;
221 	__le16 _unk2;
222 	__le32 _unk3;
223 	u8 _unk4[10];
224 } __packed;
225 static_assert(sizeof(struct bcm4377_create_completion_ring_msg) ==
226 	      BCM4377_CONTROL_MSG_SIZE);
227 
228 /*
229  * Control ring message used to destroy a completion ring
230  *
231  * msg_type: Must be BCM4377_CONTROL_MSG_DESTROY_COMPLETION_RING
232  * ring_id: Completion ring to be destroyed
233  */
234 struct bcm4377_destroy_completion_ring_msg {
235 	u8 msg_type;
236 	u8 _pad0;
237 	__le16 ring_id;
238 	u8 _pad1[48];
239 } __packed;
240 static_assert(sizeof(struct bcm4377_destroy_completion_ring_msg) ==
241 	      BCM4377_CONTROL_MSG_SIZE);
242 
243 /*
244  * Control message used to create a transfer ring
245  *
246  * msg_type: Must be BCM4377_CONTROL_MSG_CREATE_XFER_RING
247  * header_size: Number of 32 bit words reserved for unknown content before the
248  *              entry
249  * footer_size: Number of 32 bit words reserved for payloads after the entry
250  * ring_id/ring_id_again: Transfer ring index
251  * ring_iova: DMA address of the ring buffer
252  * n_elements: Number of elements inside the ring buffer
253  * completion_ring_id: Completion ring index for acknowledgements and events
254  * doorbell: Doorbell index used to notify device of new entries
255  * flags: Transfer ring flags
256  *          - virtual: set if there is no associated shared memory and only the
257  *                     corresponding completion ring is used
258  *          - sync: only set for the SCO rings
259  */
260 struct bcm4377_create_transfer_ring_msg {
261 	u8 msg_type;
262 	u8 header_size;
263 	u8 footer_size;
264 	u8 _unk0;
265 	__le16 ring_id;
266 	__le16 ring_id_again;
267 	__le64 ring_iova;
268 	u8 _unk1[8];
269 	__le16 n_elements;
270 	__le16 completion_ring_id;
271 	__le16 doorbell;
272 #define BCM4377_XFER_RING_FLAG_VIRTUAL BIT(7)
273 #define BCM4377_XFER_RING_FLAG_SYNC    BIT(8)
274 	__le16 flags;
275 	u8 _unk2[20];
276 } __packed;
277 static_assert(sizeof(struct bcm4377_create_transfer_ring_msg) ==
278 	      BCM4377_CONTROL_MSG_SIZE);
279 
280 /*
281  * Control ring message used to destroy a transfer ring
282  *
283  * msg_type: Must be BCM4377_CONTROL_MSG_DESTROY_XFER_RING
284  * ring_id: Transfer ring to be destroyed
285  */
286 struct bcm4377_destroy_transfer_ring_msg {
287 	u8 msg_type;
288 	u8 _pad0;
289 	__le16 ring_id;
290 	u8 _pad1[48];
291 } __packed;
292 static_assert(sizeof(struct bcm4377_destroy_transfer_ring_msg) ==
293 	      BCM4377_CONTROL_MSG_SIZE);
294 
295 /*
296  * "Converged IPC" context struct used to make the device aware of all other
297  * shared memory structures. A pointer to this structure is configured inside a
298  * MMIO register.
299  *
300  * version: Protocol version, must be 2.
301  * size: Size of this structure, must be 0x68.
302  * enabled_caps: Enabled capabilities. Unknown bitfield but should be 2.
303  * peripheral_info_addr: DMA address for a 0x20 buffer to which the device will
304  *                       write unknown contents
305  * {completion,xfer}_ring_{tails,heads}_addr: DMA pointers to ring heads/tails
306  * n_completion_rings: Number of completion rings, the firmware only works if
307  *                     this is set to BCM4377_N_COMPLETION_RINGS.
308  * n_xfer_rings: Number of transfer rings, the firmware only works if
309  *               this is set to BCM4377_N_TRANSFER_RINGS.
310  * control_completion_ring_addr: Control completion ring buffer DMA address
311  * control_xfer_ring_addr: Control transfer ring buffer DMA address
312  * control_xfer_ring_n_entries: Number of control transfer ring entries
313  * control_completion_ring_n_entries: Number of control completion ring entries
314  * control_xfer_ring_doorbell: Control transfer ring doorbell
315  * control_completion_ring_doorbell: Control completion ring doorbell,
316  *                                   must be set to 0xffff
317  * control_xfer_ring_msi: Control completion ring MSI index, must be 0
318  * control_completion_ring_msi: Control completion ring MSI index, must be 0.
319  * control_xfer_ring_header_size: Number of 32 bit words reserved in front of
320  *                                every control transfer ring entry
321  * control_xfer_ring_footer_size: Number of 32 bit words reserved after every
322  *                                control transfer ring entry
323  * control_completion_ring_header_size: Number of 32 bit words reserved in front
324  *                                      of every control completion ring entry
325  * control_completion_ring_footer_size: Number of 32 bit words reserved after
326  *                                      every control completion ring entry
327  * scratch_pad: Optional scratch pad DMA address
328  * scratch_pad_size: Scratch pad size
329  */
330 struct bcm4377_context {
331 	__le16 version;
332 	__le16 size;
333 	__le32 enabled_caps;
334 
335 	__le64 peripheral_info_addr;
336 
337 	/* ring heads and tails */
338 	__le64 completion_ring_heads_addr;
339 	__le64 xfer_ring_tails_addr;
340 	__le64 completion_ring_tails_addr;
341 	__le64 xfer_ring_heads_addr;
342 	__le16 n_completion_rings;
343 	__le16 n_xfer_rings;
344 
345 	/* control ring configuration */
346 	__le64 control_completion_ring_addr;
347 	__le64 control_xfer_ring_addr;
348 	__le16 control_xfer_ring_n_entries;
349 	__le16 control_completion_ring_n_entries;
350 	__le16 control_xfer_ring_doorbell;
351 	__le16 control_completion_ring_doorbell;
352 	__le16 control_xfer_ring_msi;
353 	__le16 control_completion_ring_msi;
354 	u8 control_xfer_ring_header_size;
355 	u8 control_xfer_ring_footer_size;
356 	u8 control_completion_ring_header_size;
357 	u8 control_completion_ring_footer_size;
358 
359 	__le16 _unk0;
360 	__le16 _unk1;
361 
362 	__le64 scratch_pad;
363 	__le32 scratch_pad_size;
364 
365 	__le32 _unk3;
366 } __packed;
367 static_assert(sizeof(struct bcm4377_context) == 0x68);
368 
369 #define BCM4378_CALIBRATION_CHUNK_SIZE 0xe6
370 struct bcm4378_hci_send_calibration_cmd {
371 	u8 unk;
372 	__le16 blocks_left;
373 	u8 data[BCM4378_CALIBRATION_CHUNK_SIZE];
374 } __packed;
375 
376 #define BCM4378_PTB_CHUNK_SIZE 0xcf
377 struct bcm4378_hci_send_ptb_cmd {
378 	__le16 blocks_left;
379 	u8 data[BCM4378_PTB_CHUNK_SIZE];
380 } __packed;
381 
382 /*
383  * Shared memory structure used to store the ring head and tail pointers.
384  */
385 struct bcm4377_ring_state {
386 	__le16 completion_ring_head[BCM4377_N_COMPLETION_RINGS];
387 	__le16 completion_ring_tail[BCM4377_N_COMPLETION_RINGS];
388 	__le16 xfer_ring_head[BCM4377_N_TRANSFER_RINGS];
389 	__le16 xfer_ring_tail[BCM4377_N_TRANSFER_RINGS];
390 };
391 
392 /*
393  * A transfer ring can be used in two configurations:
394  *  1) Send control or HCI messages to the device which are then acknowledged
395  *     in the corresponding completion ring
396  *  2) Receiving HCI frames from the devices. In this case the transfer ring
397  *     itself contains empty messages that are acknowledged once data is
398  *     available from the device. If the payloads fit inside the footers
399  *     of the completion ring the transfer ring can be configured to be
400  *     virtual such that it has no ring buffer.
401  *
402  * ring_id: ring index hardcoded in the firmware
403  * doorbell: doorbell index to notify device of new entries
404  * payload_size: optional in-place payload size
405  * mapped_payload_size: optional out-of-place payload size
406  * completion_ring: index of corresponding completion ring
407  * n_entries: number of entries inside this ring
408  * generation: ring generation; incremented on hci_open to detect stale messages
409  * sync: set to true for SCO rings
410  * virtual: set to true if this ring has no entries and is just required to
411  *          setup a corresponding completion ring for device->host messages
412  * d2h_buffers_only: set to true if this ring is only used to provide large
413  *                   buffers used by device->host messages in the completion
414  *                   ring
415  * allow_wait: allow to wait for messages to be acknowledged
416  * enabled: true once the ring has been created and can be used
417  * ring: ring buffer for entries (struct bcm4377_xfer_ring_entry)
418  * ring_dma: DMA address for ring entry buffer
419  * payloads: payload buffer for mapped_payload_size payloads
420  * payloads_dma:DMA address for payload buffer
421  * events: pointer to array of completions if waiting is allowed
422  * msgids: bitmap to keep track of used message ids
423  * lock: Spinlock to protect access to ring structurs used in the irq handler
424  */
425 struct bcm4377_transfer_ring {
426 	enum bcm4377_transfer_ring_id ring_id;
427 	enum bcm4377_doorbell doorbell;
428 	size_t payload_size;
429 	size_t mapped_payload_size;
430 	u8 completion_ring;
431 	u16 n_entries;
432 	u8 generation;
433 
434 	bool sync;
435 	bool virtual;
436 	bool d2h_buffers_only;
437 	bool allow_wait;
438 	bool enabled;
439 
440 	void *ring;
441 	dma_addr_t ring_dma;
442 
443 	void *payloads;
444 	dma_addr_t payloads_dma;
445 
446 	struct completion **events;
447 	DECLARE_BITMAP(msgids, BCM4377_MAX_RING_SIZE);
448 	spinlock_t lock;
449 };
450 
451 /*
452  * A completion ring can be either used to either acknowledge messages sent in
453  * the corresponding transfer ring or to receive messages associated with the
454  * transfer ring. When used to receive messages the transfer ring either
455  * has no ring buffer and is only advanced ("virtual transfer ring") or it
456  * only contains empty DMA buffers to be used for the payloads.
457  *
458  * ring_id: completion ring id, hardcoded in firmware
459  * payload_size: optional payload size after each entry
460  * delay: unknown delay
461  * n_entries: number of entries in this ring
462  * enabled: true once the ring has been created and can be used
463  * ring: ring buffer for entries (struct bcm4377_completion_ring_entry)
464  * ring_dma: DMA address of ring buffer
465  * transfer_rings: bitmap of corresponding transfer ring ids
466  */
467 struct bcm4377_completion_ring {
468 	enum bcm4377_completion_ring_id ring_id;
469 	u16 payload_size;
470 	u16 delay;
471 	u16 n_entries;
472 	bool enabled;
473 
474 	void *ring;
475 	dma_addr_t ring_dma;
476 
477 	unsigned long transfer_rings;
478 };
479 
480 struct bcm4377_data;
481 
482 /*
483  * Chip-specific configuration struct
484  *
485  * id: Chip id (e.g. 0x4377 for BCM4377)
486  * otp_offset: Offset to the start of the OTP inside BAR0
487  * bar0_window1: Backplane address mapped to the first window in BAR0
488  * bar0_window2: Backplane address mapped to the second window in BAR0
489  * bar0_core2_window2: Optional backplane address mapped to the second core's
490  *                     second window in BAR0
491  * has_bar0_core2_window2: Set to true if this chip requires the second core's
492  *                         second window to be configured
493  * bar2_offset: Offset to the start of the variables in BAR2
494  * clear_pciecfg_subsystem_ctrl_bit19: Set to true if bit 19 in the
495  *                                     vendor-specific subsystem control
496  *                                     register has to be cleared
497  * disable_aspm: Set to true if ASPM must be disabled due to hardware errata
498  * broken_ext_scan: Set to true if the chip erroneously claims to support
499  *                  extended scanning
500  * broken_mws_transport_config: Set to true if the chip erroneously claims to
501  *                              support MWS Transport Configuration
502  * broken_le_ext_adv_report_phy: Set to true if this chip stuffs flags inside
503  *                               reserved bits of Primary/Secondary_PHY inside
504  *                               LE Extended Advertising Report events which
505  *                               have to be ignored
506  * send_calibration: Optional callback to send calibration data
507  * send_ptb: Callback to send "PTB" regulatory/calibration data
508  */
509 struct bcm4377_hw {
510 	unsigned int id;
511 
512 	u32 otp_offset;
513 
514 	u32 bar0_window1;
515 	u32 bar0_window2;
516 	u32 bar0_core2_window2;
517 	u32 bar2_offset;
518 
519 	unsigned long has_bar0_core2_window2 : 1;
520 	unsigned long clear_pciecfg_subsystem_ctrl_bit19 : 1;
521 	unsigned long disable_aspm : 1;
522 	unsigned long broken_ext_scan : 1;
523 	unsigned long broken_mws_transport_config : 1;
524 	unsigned long broken_le_coded : 1;
525 	unsigned long broken_le_ext_adv_report_phy : 1;
526 
527 	int (*send_calibration)(struct bcm4377_data *bcm4377);
528 	int (*send_ptb)(struct bcm4377_data *bcm4377,
529 			const struct firmware *fw);
530 };
531 
532 static const struct bcm4377_hw bcm4377_hw_variants[];
533 static const struct dmi_system_id bcm4377_dmi_board_table[];
534 
535 /*
536  * Private struct associated with each device containing global state
537  *
538  * pdev: Pointer to associated struct pci_dev
539  * hdev: Pointer to associated strucy hci_dev
540  * bar0: iomem pointing to BAR0
541  * bar1: iomem pointing to BAR2
542  * bootstage: Current value of the bootstage
543  * rti_status: Current "RTI" status value
544  * hw: Pointer to chip-specific struct bcm4377_hw
545  * taurus_cal_blob: "Taurus" calibration blob used for some chips
546  * taurus_cal_size: "Taurus" calibration blob size
547  * taurus_beamforming_cal_blob: "Taurus" beamforming calibration blob used for
548  *                              some chips
549  * taurus_beamforming_cal_size: "Taurus" beamforming calibration blob size
550  * stepping: Chip stepping read from OTP; used for firmware selection
551  * vendor: Antenna vendor read from OTP; used for firmware selection
552  * board_type: Board type from FDT or DMI match; used for firmware selection
553  * event: Event for changed bootstage or rti_status; used for booting firmware
554  * ctx: "Converged IPC" context
555  * ctx_dma: "Converged IPC" context DMA address
556  * ring_state: Shared memory buffer containing ring head and tail indexes
557  * ring_state_dma: DMA address for ring_state
558  * {control,hci_acl,sco}_ack_ring: Completion rings used to acknowledge messages
559  * {hci_acl,sco}_event_ring: Completion rings used for device->host messages
560  * control_h2d_ring: Transfer ring used for control messages
561  * {hci,sco,acl}_h2d_ring: Transfer ring used to transfer HCI frames
562  * {hci,sco,acl}_d2h_ring: Transfer ring used to receive HCI frames in the
563  *                         corresponding completion ring
564  */
565 struct bcm4377_data {
566 	struct pci_dev *pdev;
567 	struct hci_dev *hdev;
568 
569 	void __iomem *bar0;
570 	void __iomem *bar2;
571 
572 	u32 bootstage;
573 	u32 rti_status;
574 
575 	const struct bcm4377_hw *hw;
576 
577 	const void *taurus_cal_blob;
578 	int taurus_cal_size;
579 	const void *taurus_beamforming_cal_blob;
580 	int taurus_beamforming_cal_size;
581 
582 	char stepping[BCM4377_OTP_MAX_PARAM_LEN];
583 	char vendor[BCM4377_OTP_MAX_PARAM_LEN];
584 	const char *board_type;
585 
586 	struct completion event;
587 
588 	struct bcm4377_context *ctx;
589 	dma_addr_t ctx_dma;
590 
591 	struct bcm4377_ring_state *ring_state;
592 	dma_addr_t ring_state_dma;
593 
594 	/*
595 	 * The HCI and ACL rings have to be merged because this structure is
596 	 * hardcoded in the firmware.
597 	 */
598 	struct bcm4377_completion_ring control_ack_ring;
599 	struct bcm4377_completion_ring hci_acl_ack_ring;
600 	struct bcm4377_completion_ring hci_acl_event_ring;
601 	struct bcm4377_completion_ring sco_ack_ring;
602 	struct bcm4377_completion_ring sco_event_ring;
603 
604 	struct bcm4377_transfer_ring control_h2d_ring;
605 	struct bcm4377_transfer_ring hci_h2d_ring;
606 	struct bcm4377_transfer_ring hci_d2h_ring;
607 	struct bcm4377_transfer_ring sco_h2d_ring;
608 	struct bcm4377_transfer_ring sco_d2h_ring;
609 	struct bcm4377_transfer_ring acl_h2d_ring;
610 	struct bcm4377_transfer_ring acl_d2h_ring;
611 };
612 
613 static void bcm4377_ring_doorbell(struct bcm4377_data *bcm4377, u8 doorbell,
614 				  u16 val)
615 {
616 	u32 db = 0;
617 
618 	db |= FIELD_PREP(BCM4377_BAR0_DOORBELL_VALUE, val);
619 	db |= FIELD_PREP(BCM4377_BAR0_DOORBELL_IDX, doorbell);
620 	db |= BCM4377_BAR0_DOORBELL_RING;
621 
622 	dev_dbg(&bcm4377->pdev->dev, "write %d to doorbell #%d (0x%x)\n", val,
623 		doorbell, db);
624 	iowrite32(db, bcm4377->bar0 + BCM4377_BAR0_DOORBELL);
625 }
626 
627 static int bcm4377_extract_msgid(struct bcm4377_data *bcm4377,
628 				 struct bcm4377_transfer_ring *ring,
629 				 u16 raw_msgid, u8 *msgid)
630 {
631 	u8 generation = FIELD_GET(BCM4377_MSGID_GENERATION, raw_msgid);
632 	*msgid = FIELD_GET(BCM4377_MSGID_ID, raw_msgid);
633 
634 	if (generation != ring->generation) {
635 		dev_warn(
636 			&bcm4377->pdev->dev,
637 			"invalid message generation %d should be %d in entry for ring %d\n",
638 			generation, ring->generation, ring->ring_id);
639 		return -EINVAL;
640 	}
641 
642 	if (*msgid >= ring->n_entries) {
643 		dev_warn(&bcm4377->pdev->dev,
644 			 "invalid message id in entry for ring %d: %d > %d\n",
645 			 ring->ring_id, *msgid, ring->n_entries);
646 		return -EINVAL;
647 	}
648 
649 	return 0;
650 }
651 
652 static void bcm4377_handle_event(struct bcm4377_data *bcm4377,
653 				 struct bcm4377_transfer_ring *ring,
654 				 u16 raw_msgid, u8 entry_flags, u8 type,
655 				 void *payload, size_t len)
656 {
657 	struct sk_buff *skb;
658 	u16 head;
659 	u8 msgid;
660 	unsigned long flags;
661 
662 	spin_lock_irqsave(&ring->lock, flags);
663 	if (!ring->enabled) {
664 		dev_warn(&bcm4377->pdev->dev,
665 			 "event for disabled transfer ring %d\n",
666 			 ring->ring_id);
667 		goto out;
668 	}
669 
670 	if (ring->d2h_buffers_only &&
671 	    entry_flags & BCM4377_XFER_RING_FLAG_PAYLOAD_MAPPED) {
672 		if (bcm4377_extract_msgid(bcm4377, ring, raw_msgid, &msgid))
673 			goto out;
674 
675 		if (len > ring->mapped_payload_size) {
676 			dev_warn(
677 				&bcm4377->pdev->dev,
678 				"invalid payload len in event for ring %d: %zu > %zu\n",
679 				ring->ring_id, len, ring->mapped_payload_size);
680 			goto out;
681 		}
682 
683 		payload = ring->payloads + msgid * ring->mapped_payload_size;
684 	}
685 
686 	skb = bt_skb_alloc(len, GFP_ATOMIC);
687 	if (!skb)
688 		goto out;
689 
690 	memcpy(skb_put(skb, len), payload, len);
691 	hci_skb_pkt_type(skb) = type;
692 	hci_recv_frame(bcm4377->hdev, skb);
693 
694 out:
695 	head = le16_to_cpu(bcm4377->ring_state->xfer_ring_head[ring->ring_id]);
696 	head = (head + 1) % ring->n_entries;
697 	bcm4377->ring_state->xfer_ring_head[ring->ring_id] = cpu_to_le16(head);
698 
699 	bcm4377_ring_doorbell(bcm4377, ring->doorbell, head);
700 
701 	spin_unlock_irqrestore(&ring->lock, flags);
702 }
703 
704 static void bcm4377_handle_ack(struct bcm4377_data *bcm4377,
705 			       struct bcm4377_transfer_ring *ring,
706 			       u16 raw_msgid)
707 {
708 	unsigned long flags;
709 	u8 msgid;
710 
711 	spin_lock_irqsave(&ring->lock, flags);
712 
713 	if (bcm4377_extract_msgid(bcm4377, ring, raw_msgid, &msgid))
714 		goto unlock;
715 
716 	if (!test_bit(msgid, ring->msgids)) {
717 		dev_warn(
718 			&bcm4377->pdev->dev,
719 			"invalid message id in ack for ring %d: %d is not used\n",
720 			ring->ring_id, msgid);
721 		goto unlock;
722 	}
723 
724 	if (ring->allow_wait && ring->events[msgid]) {
725 		complete(ring->events[msgid]);
726 		ring->events[msgid] = NULL;
727 	}
728 
729 	bitmap_release_region(ring->msgids, msgid, 0);
730 
731 unlock:
732 	spin_unlock_irqrestore(&ring->lock, flags);
733 }
734 
735 static void bcm4377_handle_completion(struct bcm4377_data *bcm4377,
736 				      struct bcm4377_completion_ring *ring,
737 				      u16 pos)
738 {
739 	struct bcm4377_completion_ring_entry *entry;
740 	u16 msg_id, transfer_ring;
741 	size_t entry_size, data_len;
742 	void *data;
743 
744 	if (pos >= ring->n_entries) {
745 		dev_warn(&bcm4377->pdev->dev,
746 			 "invalid offset %d for completion ring %d\n", pos,
747 			 ring->ring_id);
748 		return;
749 	}
750 
751 	entry_size = sizeof(*entry) + ring->payload_size;
752 	entry = ring->ring + pos * entry_size;
753 	data = ring->ring + pos * entry_size + sizeof(*entry);
754 	data_len = le32_to_cpu(entry->len);
755 	msg_id = le16_to_cpu(entry->msg_id);
756 	transfer_ring = le16_to_cpu(entry->ring_id);
757 
758 	if ((ring->transfer_rings & BIT(transfer_ring)) == 0) {
759 		dev_warn(
760 			&bcm4377->pdev->dev,
761 			"invalid entry at offset %d for transfer ring %d in completion ring %d\n",
762 			pos, transfer_ring, ring->ring_id);
763 		return;
764 	}
765 
766 	dev_dbg(&bcm4377->pdev->dev,
767 		"entry in completion ring %d for transfer ring %d with msg_id %d\n",
768 		ring->ring_id, transfer_ring, msg_id);
769 
770 	switch (transfer_ring) {
771 	case BCM4377_XFER_RING_CONTROL:
772 		bcm4377_handle_ack(bcm4377, &bcm4377->control_h2d_ring, msg_id);
773 		break;
774 	case BCM4377_XFER_RING_HCI_H2D:
775 		bcm4377_handle_ack(bcm4377, &bcm4377->hci_h2d_ring, msg_id);
776 		break;
777 	case BCM4377_XFER_RING_SCO_H2D:
778 		bcm4377_handle_ack(bcm4377, &bcm4377->sco_h2d_ring, msg_id);
779 		break;
780 	case BCM4377_XFER_RING_ACL_H2D:
781 		bcm4377_handle_ack(bcm4377, &bcm4377->acl_h2d_ring, msg_id);
782 		break;
783 
784 	case BCM4377_XFER_RING_HCI_D2H:
785 		bcm4377_handle_event(bcm4377, &bcm4377->hci_d2h_ring, msg_id,
786 				     entry->flags, HCI_EVENT_PKT, data,
787 				     data_len);
788 		break;
789 	case BCM4377_XFER_RING_SCO_D2H:
790 		bcm4377_handle_event(bcm4377, &bcm4377->sco_d2h_ring, msg_id,
791 				     entry->flags, HCI_SCODATA_PKT, data,
792 				     data_len);
793 		break;
794 	case BCM4377_XFER_RING_ACL_D2H:
795 		bcm4377_handle_event(bcm4377, &bcm4377->acl_d2h_ring, msg_id,
796 				     entry->flags, HCI_ACLDATA_PKT, data,
797 				     data_len);
798 		break;
799 
800 	default:
801 		dev_warn(
802 			&bcm4377->pdev->dev,
803 			"entry in completion ring %d for unknown transfer ring %d with msg_id %d\n",
804 			ring->ring_id, transfer_ring, msg_id);
805 	}
806 }
807 
808 static void bcm4377_poll_completion_ring(struct bcm4377_data *bcm4377,
809 					 struct bcm4377_completion_ring *ring)
810 {
811 	u16 tail;
812 	__le16 *heads = bcm4377->ring_state->completion_ring_head;
813 	__le16 *tails = bcm4377->ring_state->completion_ring_tail;
814 
815 	if (!ring->enabled)
816 		return;
817 
818 	tail = le16_to_cpu(tails[ring->ring_id]);
819 	dev_dbg(&bcm4377->pdev->dev,
820 		"completion ring #%d: head: %d, tail: %d\n", ring->ring_id,
821 		le16_to_cpu(heads[ring->ring_id]), tail);
822 
823 	while (tail != le16_to_cpu(READ_ONCE(heads[ring->ring_id]))) {
824 		/*
825 		 * ensure the CPU doesn't speculate through the comparison.
826 		 * otherwise it might already read the (empty) queue entry
827 		 * before the updated head has been loaded and checked.
828 		 */
829 		dma_rmb();
830 
831 		bcm4377_handle_completion(bcm4377, ring, tail);
832 
833 		tail = (tail + 1) % ring->n_entries;
834 		tails[ring->ring_id] = cpu_to_le16(tail);
835 	}
836 }
837 
838 static irqreturn_t bcm4377_irq(int irq, void *data)
839 {
840 	struct bcm4377_data *bcm4377 = data;
841 	u32 bootstage, rti_status;
842 
843 	bootstage = ioread32(bcm4377->bar2 + bcm4377->hw->bar2_offset + BCM4377_BAR2_BOOTSTAGE);
844 	rti_status = ioread32(bcm4377->bar2 + bcm4377->hw->bar2_offset + BCM4377_BAR2_RTI_STATUS);
845 
846 	if (bootstage != bcm4377->bootstage ||
847 	    rti_status != bcm4377->rti_status) {
848 		dev_dbg(&bcm4377->pdev->dev,
849 			"bootstage = %d -> %d, rti state = %d -> %d\n",
850 			bcm4377->bootstage, bootstage, bcm4377->rti_status,
851 			rti_status);
852 		complete(&bcm4377->event);
853 		bcm4377->bootstage = bootstage;
854 		bcm4377->rti_status = rti_status;
855 	}
856 
857 	if (rti_status > 2)
858 		dev_err(&bcm4377->pdev->dev, "RTI status is %d\n", rti_status);
859 
860 	bcm4377_poll_completion_ring(bcm4377, &bcm4377->control_ack_ring);
861 	bcm4377_poll_completion_ring(bcm4377, &bcm4377->hci_acl_event_ring);
862 	bcm4377_poll_completion_ring(bcm4377, &bcm4377->hci_acl_ack_ring);
863 	bcm4377_poll_completion_ring(bcm4377, &bcm4377->sco_ack_ring);
864 	bcm4377_poll_completion_ring(bcm4377, &bcm4377->sco_event_ring);
865 
866 	return IRQ_HANDLED;
867 }
868 
869 static int bcm4377_enqueue(struct bcm4377_data *bcm4377,
870 			   struct bcm4377_transfer_ring *ring, void *data,
871 			   size_t len, bool wait)
872 {
873 	unsigned long flags;
874 	struct bcm4377_xfer_ring_entry *entry;
875 	void *payload;
876 	size_t offset;
877 	u16 head, tail, new_head;
878 	u16 raw_msgid;
879 	int ret, msgid;
880 	DECLARE_COMPLETION_ONSTACK(event);
881 
882 	if (len > ring->payload_size && len > ring->mapped_payload_size) {
883 		dev_warn(
884 			&bcm4377->pdev->dev,
885 			"payload len %zu is too large for ring %d (max is %zu or %zu)\n",
886 			len, ring->ring_id, ring->payload_size,
887 			ring->mapped_payload_size);
888 		return -EINVAL;
889 	}
890 	if (wait && !ring->allow_wait)
891 		return -EINVAL;
892 	if (ring->virtual)
893 		return -EINVAL;
894 
895 	spin_lock_irqsave(&ring->lock, flags);
896 
897 	head = le16_to_cpu(bcm4377->ring_state->xfer_ring_head[ring->ring_id]);
898 	tail = le16_to_cpu(bcm4377->ring_state->xfer_ring_tail[ring->ring_id]);
899 
900 	new_head = (head + 1) % ring->n_entries;
901 
902 	if (new_head == tail) {
903 		dev_warn(&bcm4377->pdev->dev,
904 			 "can't send message because ring %d is full\n",
905 			 ring->ring_id);
906 		ret = -EINVAL;
907 		goto out;
908 	}
909 
910 	msgid = bitmap_find_free_region(ring->msgids, ring->n_entries, 0);
911 	if (msgid < 0) {
912 		dev_warn(&bcm4377->pdev->dev,
913 			 "can't find message id for ring %d\n", ring->ring_id);
914 		ret = -EINVAL;
915 		goto out;
916 	}
917 
918 	raw_msgid = FIELD_PREP(BCM4377_MSGID_GENERATION, ring->generation);
919 	raw_msgid |= FIELD_PREP(BCM4377_MSGID_ID, msgid);
920 
921 	offset = head * (sizeof(*entry) + ring->payload_size);
922 	entry = ring->ring + offset;
923 
924 	memset(entry, 0, sizeof(*entry));
925 	entry->id = cpu_to_le16(raw_msgid);
926 	entry->len = cpu_to_le16(len);
927 
928 	if (len <= ring->payload_size) {
929 		entry->flags = BCM4377_XFER_RING_FLAG_PAYLOAD_IN_FOOTER;
930 		payload = ring->ring + offset + sizeof(*entry);
931 	} else {
932 		entry->flags = BCM4377_XFER_RING_FLAG_PAYLOAD_MAPPED;
933 		entry->payload = cpu_to_le64(ring->payloads_dma +
934 					     msgid * ring->mapped_payload_size);
935 		payload = ring->payloads + msgid * ring->mapped_payload_size;
936 	}
937 
938 	memcpy(payload, data, len);
939 
940 	if (wait)
941 		ring->events[msgid] = &event;
942 
943 	/*
944 	 * The 4377 chips stop responding to any commands as soon as they
945 	 * have been idle for a while. Poking the sleep control register here
946 	 * makes them come alive again.
947 	 */
948 	iowrite32(BCM4377_BAR0_SLEEP_CONTROL_AWAKE,
949 		  bcm4377->bar0 + BCM4377_BAR0_SLEEP_CONTROL);
950 
951 	dev_dbg(&bcm4377->pdev->dev,
952 		"updating head for transfer queue #%d to %d\n", ring->ring_id,
953 		new_head);
954 	bcm4377->ring_state->xfer_ring_head[ring->ring_id] =
955 		cpu_to_le16(new_head);
956 
957 	if (!ring->sync)
958 		bcm4377_ring_doorbell(bcm4377, ring->doorbell, new_head);
959 	ret = 0;
960 
961 out:
962 	spin_unlock_irqrestore(&ring->lock, flags);
963 
964 	if (ret == 0 && wait) {
965 		ret = wait_for_completion_interruptible_timeout(
966 			&event, BCM4377_TIMEOUT);
967 		if (ret == 0)
968 			ret = -ETIMEDOUT;
969 		else if (ret > 0)
970 			ret = 0;
971 
972 		spin_lock_irqsave(&ring->lock, flags);
973 		ring->events[msgid] = NULL;
974 		spin_unlock_irqrestore(&ring->lock, flags);
975 	}
976 
977 	return ret;
978 }
979 
980 static int bcm4377_create_completion_ring(struct bcm4377_data *bcm4377,
981 					  struct bcm4377_completion_ring *ring)
982 {
983 	struct bcm4377_create_completion_ring_msg msg;
984 	int ret;
985 
986 	if (ring->enabled) {
987 		dev_warn(&bcm4377->pdev->dev,
988 			 "completion ring %d already enabled\n", ring->ring_id);
989 		return 0;
990 	}
991 
992 	memset(ring->ring, 0,
993 	       ring->n_entries * (sizeof(struct bcm4377_completion_ring_entry) +
994 				  ring->payload_size));
995 	memset(&msg, 0, sizeof(msg));
996 	msg.msg_type = BCM4377_CONTROL_MSG_CREATE_COMPLETION_RING;
997 	msg.id = cpu_to_le16(ring->ring_id);
998 	msg.id_again = cpu_to_le16(ring->ring_id);
999 	msg.ring_iova = cpu_to_le64(ring->ring_dma);
1000 	msg.n_elements = cpu_to_le16(ring->n_entries);
1001 	msg.intmod_bytes = cpu_to_le32(0xffffffff);
1002 	msg.unk = cpu_to_le32(0xffffffff);
1003 	msg.intmod_delay = cpu_to_le16(ring->delay);
1004 	msg.footer_size = ring->payload_size / 4;
1005 
1006 	ret = bcm4377_enqueue(bcm4377, &bcm4377->control_h2d_ring, &msg,
1007 			      sizeof(msg), true);
1008 	if (!ret)
1009 		ring->enabled = true;
1010 
1011 	return ret;
1012 }
1013 
1014 static int bcm4377_destroy_completion_ring(struct bcm4377_data *bcm4377,
1015 					   struct bcm4377_completion_ring *ring)
1016 {
1017 	struct bcm4377_destroy_completion_ring_msg msg;
1018 	int ret;
1019 
1020 	memset(&msg, 0, sizeof(msg));
1021 	msg.msg_type = BCM4377_CONTROL_MSG_DESTROY_COMPLETION_RING;
1022 	msg.ring_id = cpu_to_le16(ring->ring_id);
1023 
1024 	ret = bcm4377_enqueue(bcm4377, &bcm4377->control_h2d_ring, &msg,
1025 			      sizeof(msg), true);
1026 	if (ret)
1027 		dev_warn(&bcm4377->pdev->dev,
1028 			 "failed to destroy completion ring %d\n",
1029 			 ring->ring_id);
1030 
1031 	ring->enabled = false;
1032 	return ret;
1033 }
1034 
1035 static int bcm4377_create_transfer_ring(struct bcm4377_data *bcm4377,
1036 					struct bcm4377_transfer_ring *ring)
1037 {
1038 	struct bcm4377_create_transfer_ring_msg msg;
1039 	u16 flags = 0;
1040 	int ret, i;
1041 	unsigned long spinlock_flags;
1042 
1043 	if (ring->virtual)
1044 		flags |= BCM4377_XFER_RING_FLAG_VIRTUAL;
1045 	if (ring->sync)
1046 		flags |= BCM4377_XFER_RING_FLAG_SYNC;
1047 
1048 	spin_lock_irqsave(&ring->lock, spinlock_flags);
1049 	memset(&msg, 0, sizeof(msg));
1050 	msg.msg_type = BCM4377_CONTROL_MSG_CREATE_XFER_RING;
1051 	msg.ring_id = cpu_to_le16(ring->ring_id);
1052 	msg.ring_id_again = cpu_to_le16(ring->ring_id);
1053 	msg.ring_iova = cpu_to_le64(ring->ring_dma);
1054 	msg.n_elements = cpu_to_le16(ring->n_entries);
1055 	msg.completion_ring_id = cpu_to_le16(ring->completion_ring);
1056 	msg.doorbell = cpu_to_le16(ring->doorbell);
1057 	msg.flags = cpu_to_le16(flags);
1058 	msg.footer_size = ring->payload_size / 4;
1059 
1060 	bcm4377->ring_state->xfer_ring_head[ring->ring_id] = 0;
1061 	bcm4377->ring_state->xfer_ring_tail[ring->ring_id] = 0;
1062 	ring->generation++;
1063 	spin_unlock_irqrestore(&ring->lock, spinlock_flags);
1064 
1065 	ret = bcm4377_enqueue(bcm4377, &bcm4377->control_h2d_ring, &msg,
1066 			      sizeof(msg), true);
1067 
1068 	spin_lock_irqsave(&ring->lock, spinlock_flags);
1069 
1070 	if (ring->d2h_buffers_only) {
1071 		for (i = 0; i < ring->n_entries; ++i) {
1072 			struct bcm4377_xfer_ring_entry *entry =
1073 				ring->ring + i * sizeof(*entry);
1074 			u16 raw_msgid = FIELD_PREP(BCM4377_MSGID_GENERATION,
1075 						   ring->generation);
1076 			raw_msgid |= FIELD_PREP(BCM4377_MSGID_ID, i);
1077 
1078 			memset(entry, 0, sizeof(*entry));
1079 			entry->id = cpu_to_le16(raw_msgid);
1080 			entry->len = cpu_to_le16(ring->mapped_payload_size);
1081 			entry->flags = BCM4377_XFER_RING_FLAG_PAYLOAD_MAPPED;
1082 			entry->payload =
1083 				cpu_to_le64(ring->payloads_dma +
1084 					    i * ring->mapped_payload_size);
1085 		}
1086 	}
1087 
1088 	/*
1089 	 * send some messages if this is a device->host ring to allow the device
1090 	 * to reply by acknowledging them in the completion ring
1091 	 */
1092 	if (ring->virtual || ring->d2h_buffers_only) {
1093 		bcm4377->ring_state->xfer_ring_head[ring->ring_id] =
1094 			cpu_to_le16(0xf);
1095 		bcm4377_ring_doorbell(bcm4377, ring->doorbell, 0xf);
1096 	}
1097 
1098 	ring->enabled = true;
1099 	spin_unlock_irqrestore(&ring->lock, spinlock_flags);
1100 
1101 	return ret;
1102 }
1103 
1104 static int bcm4377_destroy_transfer_ring(struct bcm4377_data *bcm4377,
1105 					 struct bcm4377_transfer_ring *ring)
1106 {
1107 	struct bcm4377_destroy_transfer_ring_msg msg;
1108 	int ret;
1109 
1110 	memset(&msg, 0, sizeof(msg));
1111 	msg.msg_type = BCM4377_CONTROL_MSG_DESTROY_XFER_RING;
1112 	msg.ring_id = cpu_to_le16(ring->ring_id);
1113 
1114 	ret = bcm4377_enqueue(bcm4377, &bcm4377->control_h2d_ring, &msg,
1115 			      sizeof(msg), true);
1116 	if (ret)
1117 		dev_warn(&bcm4377->pdev->dev,
1118 			 "failed to destroy transfer ring %d\n", ring->ring_id);
1119 
1120 	ring->enabled = false;
1121 	return ret;
1122 }
1123 
1124 static int __bcm4378_send_calibration_chunk(struct bcm4377_data *bcm4377,
1125 					    const void *data, size_t data_len,
1126 					    u16 blocks_left)
1127 {
1128 	struct bcm4378_hci_send_calibration_cmd cmd;
1129 	struct sk_buff *skb;
1130 
1131 	if (data_len > sizeof(cmd.data))
1132 		return -EINVAL;
1133 
1134 	memset(&cmd, 0, sizeof(cmd));
1135 	cmd.unk = 0x03;
1136 	cmd.blocks_left = cpu_to_le16(blocks_left);
1137 	memcpy(cmd.data, data, data_len);
1138 
1139 	skb = __hci_cmd_sync(bcm4377->hdev, 0xfd97, sizeof(cmd), &cmd,
1140 			     HCI_INIT_TIMEOUT);
1141 	if (IS_ERR(skb))
1142 		return PTR_ERR(skb);
1143 
1144 	kfree_skb(skb);
1145 	return 0;
1146 }
1147 
1148 static int __bcm4378_send_calibration(struct bcm4377_data *bcm4377,
1149 				      const void *data, size_t data_size)
1150 {
1151 	int ret;
1152 	size_t i, left, transfer_len;
1153 	size_t blocks =
1154 		DIV_ROUND_UP(data_size, (size_t)BCM4378_CALIBRATION_CHUNK_SIZE);
1155 
1156 	if (!data) {
1157 		dev_err(&bcm4377->pdev->dev,
1158 			"no calibration data available.\n");
1159 		return -ENOENT;
1160 	}
1161 
1162 	for (i = 0, left = data_size; i < blocks; ++i, left -= transfer_len) {
1163 		transfer_len =
1164 			min_t(size_t, left, BCM4378_CALIBRATION_CHUNK_SIZE);
1165 
1166 		ret = __bcm4378_send_calibration_chunk(
1167 			bcm4377, data + i * BCM4378_CALIBRATION_CHUNK_SIZE,
1168 			transfer_len, blocks - i - 1);
1169 		if (ret) {
1170 			dev_err(&bcm4377->pdev->dev,
1171 				"send calibration chunk failed with %d\n", ret);
1172 			return ret;
1173 		}
1174 	}
1175 
1176 	return 0;
1177 }
1178 
1179 static int bcm4378_send_calibration(struct bcm4377_data *bcm4377)
1180 {
1181 	if ((strcmp(bcm4377->stepping, "b1") == 0) ||
1182 	    strcmp(bcm4377->stepping, "b3") == 0)
1183 		return __bcm4378_send_calibration(
1184 			bcm4377, bcm4377->taurus_beamforming_cal_blob,
1185 			bcm4377->taurus_beamforming_cal_size);
1186 	else
1187 		return __bcm4378_send_calibration(bcm4377,
1188 						  bcm4377->taurus_cal_blob,
1189 						  bcm4377->taurus_cal_size);
1190 }
1191 
1192 static int bcm4387_send_calibration(struct bcm4377_data *bcm4377)
1193 {
1194 	if (strcmp(bcm4377->stepping, "c2") == 0)
1195 		return __bcm4378_send_calibration(
1196 			bcm4377, bcm4377->taurus_beamforming_cal_blob,
1197 			bcm4377->taurus_beamforming_cal_size);
1198 	else
1199 		return __bcm4378_send_calibration(bcm4377,
1200 						  bcm4377->taurus_cal_blob,
1201 						  bcm4377->taurus_cal_size);
1202 }
1203 
1204 static int bcm4388_send_calibration(struct bcm4377_data *bcm4377)
1205 {
1206 	/* BCM4388 always uses beamforming */
1207 	return __bcm4378_send_calibration(
1208 		bcm4377, bcm4377->taurus_beamforming_cal_blob,
1209 		bcm4377->taurus_beamforming_cal_size);
1210 }
1211 
1212 static const struct firmware *bcm4377_request_blob(struct bcm4377_data *bcm4377,
1213 						   const char *suffix)
1214 {
1215 	const struct firmware *fw;
1216 	char name0[64], name1[64];
1217 	int ret;
1218 
1219 	snprintf(name0, sizeof(name0), "brcm/brcmbt%04x%s-%s-%s.%s",
1220 		 bcm4377->hw->id, bcm4377->stepping, bcm4377->board_type,
1221 		 bcm4377->vendor, suffix);
1222 	snprintf(name1, sizeof(name1), "brcm/brcmbt%04x%s-%s.%s",
1223 		 bcm4377->hw->id, bcm4377->stepping, bcm4377->board_type,
1224 		 suffix);
1225 	dev_dbg(&bcm4377->pdev->dev, "Trying to load firmware: '%s' or '%s'\n",
1226 		name0, name1);
1227 
1228 	ret = firmware_request_nowarn(&fw, name0, &bcm4377->pdev->dev);
1229 	if (!ret)
1230 		return fw;
1231 	ret = firmware_request_nowarn(&fw, name1, &bcm4377->pdev->dev);
1232 	if (!ret)
1233 		return fw;
1234 
1235 	dev_err(&bcm4377->pdev->dev,
1236 		"Unable to load firmware; tried '%s' and '%s'\n", name0, name1);
1237 	return NULL;
1238 }
1239 
1240 static int bcm4377_send_ptb(struct bcm4377_data *bcm4377,
1241 			    const struct firmware *fw)
1242 {
1243 	struct sk_buff *skb;
1244 
1245 	skb = __hci_cmd_sync(bcm4377->hdev, 0xfd98, fw->size, fw->data,
1246 			     HCI_INIT_TIMEOUT);
1247 	/*
1248 	 * This command seems to always fail on more recent firmware versions
1249 	 * (even in traces taken from the macOS driver). It's unclear why this
1250 	 * happens but because the PTB file contains calibration and/or
1251 	 * regulatory data and may be required on older firmware we still try to
1252 	 * send it here just in case and just ignore if it fails.
1253 	 */
1254 	if (!IS_ERR(skb))
1255 		kfree_skb(skb);
1256 	return 0;
1257 }
1258 
1259 static int bcm4378_send_ptb_chunk(struct bcm4377_data *bcm4377,
1260 				  const void *data, size_t data_len,
1261 				  u16 blocks_left)
1262 {
1263 	struct bcm4378_hci_send_ptb_cmd cmd;
1264 	struct sk_buff *skb;
1265 
1266 	if (data_len > BCM4378_PTB_CHUNK_SIZE)
1267 		return -EINVAL;
1268 
1269 	memset(&cmd, 0, sizeof(cmd));
1270 	cmd.blocks_left = cpu_to_le16(blocks_left);
1271 	memcpy(cmd.data, data, data_len);
1272 
1273 	skb = __hci_cmd_sync(bcm4377->hdev, 0xfe0d, sizeof(cmd), &cmd,
1274 			     HCI_INIT_TIMEOUT);
1275 	if (IS_ERR(skb))
1276 		return PTR_ERR(skb);
1277 
1278 	kfree_skb(skb);
1279 	return 0;
1280 }
1281 
1282 static int bcm4378_send_ptb(struct bcm4377_data *bcm4377,
1283 			    const struct firmware *fw)
1284 {
1285 	size_t chunks = DIV_ROUND_UP(fw->size, (size_t)BCM4378_PTB_CHUNK_SIZE);
1286 	size_t i, left, transfer_len;
1287 	int ret;
1288 
1289 	for (i = 0, left = fw->size; i < chunks; ++i, left -= transfer_len) {
1290 		transfer_len = min_t(size_t, left, BCM4378_PTB_CHUNK_SIZE);
1291 
1292 		dev_dbg(&bcm4377->pdev->dev, "sending ptb chunk %zu/%zu\n",
1293 			i + 1, chunks);
1294 		ret = bcm4378_send_ptb_chunk(
1295 			bcm4377, fw->data + i * BCM4378_PTB_CHUNK_SIZE,
1296 			transfer_len, chunks - i - 1);
1297 		if (ret) {
1298 			dev_err(&bcm4377->pdev->dev,
1299 				"sending ptb chunk %zu failed (%d)", i, ret);
1300 			return ret;
1301 		}
1302 	}
1303 
1304 	return 0;
1305 }
1306 
1307 static int bcm4377_hci_open(struct hci_dev *hdev)
1308 {
1309 	struct bcm4377_data *bcm4377 = hci_get_drvdata(hdev);
1310 	int ret;
1311 
1312 	dev_dbg(&bcm4377->pdev->dev, "creating rings\n");
1313 
1314 	ret = bcm4377_create_completion_ring(bcm4377,
1315 					     &bcm4377->hci_acl_ack_ring);
1316 	if (ret)
1317 		return ret;
1318 	ret = bcm4377_create_completion_ring(bcm4377,
1319 					     &bcm4377->hci_acl_event_ring);
1320 	if (ret)
1321 		goto destroy_hci_acl_ack;
1322 	ret = bcm4377_create_completion_ring(bcm4377, &bcm4377->sco_ack_ring);
1323 	if (ret)
1324 		goto destroy_hci_acl_event;
1325 	ret = bcm4377_create_completion_ring(bcm4377, &bcm4377->sco_event_ring);
1326 	if (ret)
1327 		goto destroy_sco_ack;
1328 	dev_dbg(&bcm4377->pdev->dev,
1329 		"all completion rings successfully created!\n");
1330 
1331 	ret = bcm4377_create_transfer_ring(bcm4377, &bcm4377->hci_h2d_ring);
1332 	if (ret)
1333 		goto destroy_sco_event;
1334 	ret = bcm4377_create_transfer_ring(bcm4377, &bcm4377->hci_d2h_ring);
1335 	if (ret)
1336 		goto destroy_hci_h2d;
1337 	ret = bcm4377_create_transfer_ring(bcm4377, &bcm4377->sco_h2d_ring);
1338 	if (ret)
1339 		goto destroy_hci_d2h;
1340 	ret = bcm4377_create_transfer_ring(bcm4377, &bcm4377->sco_d2h_ring);
1341 	if (ret)
1342 		goto destroy_sco_h2d;
1343 	ret = bcm4377_create_transfer_ring(bcm4377, &bcm4377->acl_h2d_ring);
1344 	if (ret)
1345 		goto destroy_sco_d2h;
1346 	ret = bcm4377_create_transfer_ring(bcm4377, &bcm4377->acl_d2h_ring);
1347 	if (ret)
1348 		goto destroy_acl_h2d;
1349 	dev_dbg(&bcm4377->pdev->dev,
1350 		"all transfer rings successfully created!\n");
1351 
1352 	return 0;
1353 
1354 destroy_acl_h2d:
1355 	bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->acl_h2d_ring);
1356 destroy_sco_d2h:
1357 	bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->sco_d2h_ring);
1358 destroy_sco_h2d:
1359 	bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->sco_h2d_ring);
1360 destroy_hci_d2h:
1361 	bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->hci_h2d_ring);
1362 destroy_hci_h2d:
1363 	bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->hci_d2h_ring);
1364 destroy_sco_event:
1365 	bcm4377_destroy_completion_ring(bcm4377, &bcm4377->sco_event_ring);
1366 destroy_sco_ack:
1367 	bcm4377_destroy_completion_ring(bcm4377, &bcm4377->sco_ack_ring);
1368 destroy_hci_acl_event:
1369 	bcm4377_destroy_completion_ring(bcm4377, &bcm4377->hci_acl_event_ring);
1370 destroy_hci_acl_ack:
1371 	bcm4377_destroy_completion_ring(bcm4377, &bcm4377->hci_acl_ack_ring);
1372 
1373 	dev_err(&bcm4377->pdev->dev, "Creating rings failed with %d\n", ret);
1374 	return ret;
1375 }
1376 
1377 static int bcm4377_hci_close(struct hci_dev *hdev)
1378 {
1379 	struct bcm4377_data *bcm4377 = hci_get_drvdata(hdev);
1380 
1381 	dev_dbg(&bcm4377->pdev->dev, "destroying rings in hci_close\n");
1382 
1383 	bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->acl_d2h_ring);
1384 	bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->acl_h2d_ring);
1385 	bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->sco_d2h_ring);
1386 	bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->sco_h2d_ring);
1387 	bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->hci_d2h_ring);
1388 	bcm4377_destroy_transfer_ring(bcm4377, &bcm4377->hci_h2d_ring);
1389 
1390 	bcm4377_destroy_completion_ring(bcm4377, &bcm4377->sco_event_ring);
1391 	bcm4377_destroy_completion_ring(bcm4377, &bcm4377->sco_ack_ring);
1392 	bcm4377_destroy_completion_ring(bcm4377, &bcm4377->hci_acl_event_ring);
1393 	bcm4377_destroy_completion_ring(bcm4377, &bcm4377->hci_acl_ack_ring);
1394 
1395 	return 0;
1396 }
1397 
1398 static bool bcm4377_is_valid_bdaddr(struct bcm4377_data *bcm4377,
1399 				    bdaddr_t *addr)
1400 {
1401 	if (addr->b[0] != 0x93)
1402 		return true;
1403 	if (addr->b[1] != 0x76)
1404 		return true;
1405 	if (addr->b[2] != 0x00)
1406 		return true;
1407 	if (addr->b[4] != (bcm4377->hw->id & 0xff))
1408 		return true;
1409 	if (addr->b[5] != (bcm4377->hw->id >> 8))
1410 		return true;
1411 	return false;
1412 }
1413 
1414 static int bcm4377_check_bdaddr(struct bcm4377_data *bcm4377)
1415 {
1416 	struct hci_rp_read_bd_addr *bda;
1417 	struct sk_buff *skb;
1418 
1419 	skb = __hci_cmd_sync(bcm4377->hdev, HCI_OP_READ_BD_ADDR, 0, NULL,
1420 			     HCI_INIT_TIMEOUT);
1421 	if (IS_ERR(skb)) {
1422 		int err = PTR_ERR(skb);
1423 
1424 		dev_err(&bcm4377->pdev->dev, "HCI_OP_READ_BD_ADDR failed (%d)",
1425 			err);
1426 		return err;
1427 	}
1428 
1429 	if (skb->len != sizeof(*bda)) {
1430 		dev_err(&bcm4377->pdev->dev,
1431 			"HCI_OP_READ_BD_ADDR reply length invalid");
1432 		kfree_skb(skb);
1433 		return -EIO;
1434 	}
1435 
1436 	bda = (struct hci_rp_read_bd_addr *)skb->data;
1437 	if (!bcm4377_is_valid_bdaddr(bcm4377, &bda->bdaddr))
1438 		set_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &bcm4377->hdev->quirks);
1439 
1440 	kfree_skb(skb);
1441 	return 0;
1442 }
1443 
1444 static int bcm4377_hci_setup(struct hci_dev *hdev)
1445 {
1446 	struct bcm4377_data *bcm4377 = hci_get_drvdata(hdev);
1447 	const struct firmware *fw;
1448 	int ret;
1449 
1450 	if (bcm4377->hw->send_calibration) {
1451 		ret = bcm4377->hw->send_calibration(bcm4377);
1452 		if (ret)
1453 			return ret;
1454 	}
1455 
1456 	fw = bcm4377_request_blob(bcm4377, "ptb");
1457 	if (!fw) {
1458 		dev_err(&bcm4377->pdev->dev, "failed to load PTB data");
1459 		return -ENOENT;
1460 	}
1461 
1462 	ret = bcm4377->hw->send_ptb(bcm4377, fw);
1463 	release_firmware(fw);
1464 	if (ret)
1465 		return ret;
1466 
1467 	return bcm4377_check_bdaddr(bcm4377);
1468 }
1469 
1470 static int bcm4377_hci_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
1471 {
1472 	struct bcm4377_data *bcm4377 = hci_get_drvdata(hdev);
1473 	struct bcm4377_transfer_ring *ring;
1474 	int ret;
1475 
1476 	switch (hci_skb_pkt_type(skb)) {
1477 	case HCI_COMMAND_PKT:
1478 		hdev->stat.cmd_tx++;
1479 		ring = &bcm4377->hci_h2d_ring;
1480 		break;
1481 
1482 	case HCI_ACLDATA_PKT:
1483 		hdev->stat.acl_tx++;
1484 		ring = &bcm4377->acl_h2d_ring;
1485 		break;
1486 
1487 	case HCI_SCODATA_PKT:
1488 		hdev->stat.sco_tx++;
1489 		ring = &bcm4377->sco_h2d_ring;
1490 		break;
1491 
1492 	default:
1493 		return -EILSEQ;
1494 	}
1495 
1496 	ret = bcm4377_enqueue(bcm4377, ring, skb->data, skb->len, false);
1497 	if (ret < 0) {
1498 		hdev->stat.err_tx++;
1499 		return ret;
1500 	}
1501 
1502 	hdev->stat.byte_tx += skb->len;
1503 	kfree_skb(skb);
1504 	return ret;
1505 }
1506 
1507 static int bcm4377_hci_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr)
1508 {
1509 	struct bcm4377_data *bcm4377 = hci_get_drvdata(hdev);
1510 	struct sk_buff *skb;
1511 	int err;
1512 
1513 	skb = __hci_cmd_sync(hdev, 0xfc01, 6, bdaddr, HCI_INIT_TIMEOUT);
1514 	if (IS_ERR(skb)) {
1515 		err = PTR_ERR(skb);
1516 		dev_err(&bcm4377->pdev->dev,
1517 			"Change address command failed (%d)", err);
1518 		return err;
1519 	}
1520 	kfree_skb(skb);
1521 
1522 	return 0;
1523 }
1524 
1525 static int bcm4377_alloc_transfer_ring(struct bcm4377_data *bcm4377,
1526 				       struct bcm4377_transfer_ring *ring)
1527 {
1528 	size_t entry_size;
1529 
1530 	spin_lock_init(&ring->lock);
1531 	ring->payload_size = ALIGN(ring->payload_size, 4);
1532 	ring->mapped_payload_size = ALIGN(ring->mapped_payload_size, 4);
1533 
1534 	if (ring->payload_size > BCM4377_XFER_RING_MAX_INPLACE_PAYLOAD_SIZE)
1535 		return -EINVAL;
1536 	if (ring->n_entries > BCM4377_MAX_RING_SIZE)
1537 		return -EINVAL;
1538 	if (ring->virtual && ring->allow_wait)
1539 		return -EINVAL;
1540 
1541 	if (ring->d2h_buffers_only) {
1542 		if (ring->virtual)
1543 			return -EINVAL;
1544 		if (ring->payload_size)
1545 			return -EINVAL;
1546 		if (!ring->mapped_payload_size)
1547 			return -EINVAL;
1548 	}
1549 	if (ring->virtual)
1550 		return 0;
1551 
1552 	entry_size =
1553 		ring->payload_size + sizeof(struct bcm4377_xfer_ring_entry);
1554 	ring->ring = dmam_alloc_coherent(&bcm4377->pdev->dev,
1555 					 ring->n_entries * entry_size,
1556 					 &ring->ring_dma, GFP_KERNEL);
1557 	if (!ring->ring)
1558 		return -ENOMEM;
1559 
1560 	if (ring->allow_wait) {
1561 		ring->events = devm_kcalloc(&bcm4377->pdev->dev,
1562 					    ring->n_entries,
1563 					    sizeof(*ring->events), GFP_KERNEL);
1564 		if (!ring->events)
1565 			return -ENOMEM;
1566 	}
1567 
1568 	if (ring->mapped_payload_size) {
1569 		ring->payloads = dmam_alloc_coherent(
1570 			&bcm4377->pdev->dev,
1571 			ring->n_entries * ring->mapped_payload_size,
1572 			&ring->payloads_dma, GFP_KERNEL);
1573 		if (!ring->payloads)
1574 			return -ENOMEM;
1575 	}
1576 
1577 	return 0;
1578 }
1579 
1580 static int bcm4377_alloc_completion_ring(struct bcm4377_data *bcm4377,
1581 					 struct bcm4377_completion_ring *ring)
1582 {
1583 	size_t entry_size;
1584 
1585 	ring->payload_size = ALIGN(ring->payload_size, 4);
1586 	if (ring->payload_size > BCM4377_XFER_RING_MAX_INPLACE_PAYLOAD_SIZE)
1587 		return -EINVAL;
1588 	if (ring->n_entries > BCM4377_MAX_RING_SIZE)
1589 		return -EINVAL;
1590 
1591 	entry_size = ring->payload_size +
1592 		     sizeof(struct bcm4377_completion_ring_entry);
1593 
1594 	ring->ring = dmam_alloc_coherent(&bcm4377->pdev->dev,
1595 					 ring->n_entries * entry_size,
1596 					 &ring->ring_dma, GFP_KERNEL);
1597 	if (!ring->ring)
1598 		return -ENOMEM;
1599 	return 0;
1600 }
1601 
1602 static int bcm4377_init_context(struct bcm4377_data *bcm4377)
1603 {
1604 	struct device *dev = &bcm4377->pdev->dev;
1605 	dma_addr_t peripheral_info_dma;
1606 
1607 	bcm4377->ctx = dmam_alloc_coherent(dev, sizeof(*bcm4377->ctx),
1608 					   &bcm4377->ctx_dma, GFP_KERNEL);
1609 	if (!bcm4377->ctx)
1610 		return -ENOMEM;
1611 	memset(bcm4377->ctx, 0, sizeof(*bcm4377->ctx));
1612 
1613 	bcm4377->ring_state =
1614 		dmam_alloc_coherent(dev, sizeof(*bcm4377->ring_state),
1615 				    &bcm4377->ring_state_dma, GFP_KERNEL);
1616 	if (!bcm4377->ring_state)
1617 		return -ENOMEM;
1618 	memset(bcm4377->ring_state, 0, sizeof(*bcm4377->ring_state));
1619 
1620 	bcm4377->ctx->version = cpu_to_le16(1);
1621 	bcm4377->ctx->size = cpu_to_le16(sizeof(*bcm4377->ctx));
1622 	bcm4377->ctx->enabled_caps = cpu_to_le32(2);
1623 
1624 	/*
1625 	 * The BT device will write 0x20 bytes of data to this buffer but
1626 	 * the exact contents are unknown. It only needs to exist for BT
1627 	 * to work such that we can just allocate and then ignore it.
1628 	 */
1629 	if (!dmam_alloc_coherent(&bcm4377->pdev->dev, 0x20,
1630 				 &peripheral_info_dma, GFP_KERNEL))
1631 		return -ENOMEM;
1632 	bcm4377->ctx->peripheral_info_addr = cpu_to_le64(peripheral_info_dma);
1633 
1634 	bcm4377->ctx->xfer_ring_heads_addr = cpu_to_le64(
1635 		bcm4377->ring_state_dma +
1636 		offsetof(struct bcm4377_ring_state, xfer_ring_head));
1637 	bcm4377->ctx->xfer_ring_tails_addr = cpu_to_le64(
1638 		bcm4377->ring_state_dma +
1639 		offsetof(struct bcm4377_ring_state, xfer_ring_tail));
1640 	bcm4377->ctx->completion_ring_heads_addr = cpu_to_le64(
1641 		bcm4377->ring_state_dma +
1642 		offsetof(struct bcm4377_ring_state, completion_ring_head));
1643 	bcm4377->ctx->completion_ring_tails_addr = cpu_to_le64(
1644 		bcm4377->ring_state_dma +
1645 		offsetof(struct bcm4377_ring_state, completion_ring_tail));
1646 
1647 	bcm4377->ctx->n_completion_rings =
1648 		cpu_to_le16(BCM4377_N_COMPLETION_RINGS);
1649 	bcm4377->ctx->n_xfer_rings = cpu_to_le16(BCM4377_N_TRANSFER_RINGS);
1650 
1651 	bcm4377->ctx->control_completion_ring_addr =
1652 		cpu_to_le64(bcm4377->control_ack_ring.ring_dma);
1653 	bcm4377->ctx->control_completion_ring_n_entries =
1654 		cpu_to_le16(bcm4377->control_ack_ring.n_entries);
1655 	bcm4377->ctx->control_completion_ring_doorbell = cpu_to_le16(0xffff);
1656 	bcm4377->ctx->control_completion_ring_msi = 0;
1657 	bcm4377->ctx->control_completion_ring_header_size = 0;
1658 	bcm4377->ctx->control_completion_ring_footer_size = 0;
1659 
1660 	bcm4377->ctx->control_xfer_ring_addr =
1661 		cpu_to_le64(bcm4377->control_h2d_ring.ring_dma);
1662 	bcm4377->ctx->control_xfer_ring_n_entries =
1663 		cpu_to_le16(bcm4377->control_h2d_ring.n_entries);
1664 	bcm4377->ctx->control_xfer_ring_doorbell =
1665 		cpu_to_le16(bcm4377->control_h2d_ring.doorbell);
1666 	bcm4377->ctx->control_xfer_ring_msi = 0;
1667 	bcm4377->ctx->control_xfer_ring_header_size = 0;
1668 	bcm4377->ctx->control_xfer_ring_footer_size =
1669 		bcm4377->control_h2d_ring.payload_size / 4;
1670 
1671 	dev_dbg(&bcm4377->pdev->dev, "context initialized at IOVA %pad",
1672 		&bcm4377->ctx_dma);
1673 
1674 	return 0;
1675 }
1676 
1677 static int bcm4377_prepare_rings(struct bcm4377_data *bcm4377)
1678 {
1679 	int ret;
1680 
1681 	/*
1682 	 * Even though many of these settings appear to be configurable
1683 	 * when sending the "create ring" messages most of these are
1684 	 * actually hardcoded in some (and quite possibly all) firmware versions
1685 	 * and changing them on the host has no effect.
1686 	 * Specifically, this applies to at least the doorbells, the transfer
1687 	 * and completion ring ids and their mapping (e.g. both HCI and ACL
1688 	 * entries will always be queued in completion rings 1 and 2 no matter
1689 	 * what we configure here).
1690 	 */
1691 	bcm4377->control_ack_ring.ring_id = BCM4377_ACK_RING_CONTROL;
1692 	bcm4377->control_ack_ring.n_entries = 32;
1693 	bcm4377->control_ack_ring.transfer_rings =
1694 		BIT(BCM4377_XFER_RING_CONTROL);
1695 
1696 	bcm4377->hci_acl_ack_ring.ring_id = BCM4377_ACK_RING_HCI_ACL;
1697 	bcm4377->hci_acl_ack_ring.n_entries = 2 * BCM4377_RING_N_ENTRIES;
1698 	bcm4377->hci_acl_ack_ring.transfer_rings =
1699 		BIT(BCM4377_XFER_RING_HCI_H2D) | BIT(BCM4377_XFER_RING_ACL_H2D);
1700 	bcm4377->hci_acl_ack_ring.delay = 1000;
1701 
1702 	/*
1703 	 * A payload size of MAX_EVENT_PAYLOAD_SIZE is enough here since large
1704 	 * ACL packets will be transmitted inside buffers mapped via
1705 	 * acl_d2h_ring anyway.
1706 	 */
1707 	bcm4377->hci_acl_event_ring.ring_id = BCM4377_EVENT_RING_HCI_ACL;
1708 	bcm4377->hci_acl_event_ring.payload_size = MAX_EVENT_PAYLOAD_SIZE;
1709 	bcm4377->hci_acl_event_ring.n_entries = 2 * BCM4377_RING_N_ENTRIES;
1710 	bcm4377->hci_acl_event_ring.transfer_rings =
1711 		BIT(BCM4377_XFER_RING_HCI_D2H) | BIT(BCM4377_XFER_RING_ACL_D2H);
1712 	bcm4377->hci_acl_event_ring.delay = 1000;
1713 
1714 	bcm4377->sco_ack_ring.ring_id = BCM4377_ACK_RING_SCO;
1715 	bcm4377->sco_ack_ring.n_entries = BCM4377_RING_N_ENTRIES;
1716 	bcm4377->sco_ack_ring.transfer_rings = BIT(BCM4377_XFER_RING_SCO_H2D);
1717 
1718 	bcm4377->sco_event_ring.ring_id = BCM4377_EVENT_RING_SCO;
1719 	bcm4377->sco_event_ring.payload_size = MAX_SCO_PAYLOAD_SIZE;
1720 	bcm4377->sco_event_ring.n_entries = BCM4377_RING_N_ENTRIES;
1721 	bcm4377->sco_event_ring.transfer_rings = BIT(BCM4377_XFER_RING_SCO_D2H);
1722 
1723 	bcm4377->control_h2d_ring.ring_id = BCM4377_XFER_RING_CONTROL;
1724 	bcm4377->control_h2d_ring.doorbell = BCM4377_DOORBELL_CONTROL;
1725 	bcm4377->control_h2d_ring.payload_size = BCM4377_CONTROL_MSG_SIZE;
1726 	bcm4377->control_h2d_ring.completion_ring = BCM4377_ACK_RING_CONTROL;
1727 	bcm4377->control_h2d_ring.allow_wait = true;
1728 	bcm4377->control_h2d_ring.n_entries = BCM4377_RING_N_ENTRIES;
1729 
1730 	bcm4377->hci_h2d_ring.ring_id = BCM4377_XFER_RING_HCI_H2D;
1731 	bcm4377->hci_h2d_ring.doorbell = BCM4377_DOORBELL_HCI_H2D;
1732 	bcm4377->hci_h2d_ring.payload_size = MAX_EVENT_PAYLOAD_SIZE;
1733 	bcm4377->hci_h2d_ring.completion_ring = BCM4377_ACK_RING_HCI_ACL;
1734 	bcm4377->hci_h2d_ring.n_entries = BCM4377_RING_N_ENTRIES;
1735 
1736 	bcm4377->hci_d2h_ring.ring_id = BCM4377_XFER_RING_HCI_D2H;
1737 	bcm4377->hci_d2h_ring.doorbell = BCM4377_DOORBELL_HCI_D2H;
1738 	bcm4377->hci_d2h_ring.completion_ring = BCM4377_EVENT_RING_HCI_ACL;
1739 	bcm4377->hci_d2h_ring.virtual = true;
1740 	bcm4377->hci_d2h_ring.n_entries = BCM4377_RING_N_ENTRIES;
1741 
1742 	bcm4377->sco_h2d_ring.ring_id = BCM4377_XFER_RING_SCO_H2D;
1743 	bcm4377->sco_h2d_ring.doorbell = BCM4377_DOORBELL_SCO;
1744 	bcm4377->sco_h2d_ring.payload_size = MAX_SCO_PAYLOAD_SIZE;
1745 	bcm4377->sco_h2d_ring.completion_ring = BCM4377_ACK_RING_SCO;
1746 	bcm4377->sco_h2d_ring.sync = true;
1747 	bcm4377->sco_h2d_ring.n_entries = BCM4377_RING_N_ENTRIES;
1748 
1749 	bcm4377->sco_d2h_ring.ring_id = BCM4377_XFER_RING_SCO_D2H;
1750 	bcm4377->sco_d2h_ring.doorbell = BCM4377_DOORBELL_SCO;
1751 	bcm4377->sco_d2h_ring.completion_ring = BCM4377_EVENT_RING_SCO;
1752 	bcm4377->sco_d2h_ring.virtual = true;
1753 	bcm4377->sco_d2h_ring.sync = true;
1754 	bcm4377->sco_d2h_ring.n_entries = BCM4377_RING_N_ENTRIES;
1755 
1756 	/*
1757 	 * This ring has to use mapped_payload_size because the largest ACL
1758 	 * packet doesn't fit inside the largest possible footer
1759 	 */
1760 	bcm4377->acl_h2d_ring.ring_id = BCM4377_XFER_RING_ACL_H2D;
1761 	bcm4377->acl_h2d_ring.doorbell = BCM4377_DOORBELL_ACL_H2D;
1762 	bcm4377->acl_h2d_ring.mapped_payload_size = MAX_ACL_PAYLOAD_SIZE;
1763 	bcm4377->acl_h2d_ring.completion_ring = BCM4377_ACK_RING_HCI_ACL;
1764 	bcm4377->acl_h2d_ring.n_entries = BCM4377_RING_N_ENTRIES;
1765 
1766 	/*
1767 	 * This ring only contains empty buffers to be used by incoming
1768 	 * ACL packets that do not fit inside the footer of hci_acl_event_ring
1769 	 */
1770 	bcm4377->acl_d2h_ring.ring_id = BCM4377_XFER_RING_ACL_D2H;
1771 	bcm4377->acl_d2h_ring.doorbell = BCM4377_DOORBELL_ACL_D2H;
1772 	bcm4377->acl_d2h_ring.completion_ring = BCM4377_EVENT_RING_HCI_ACL;
1773 	bcm4377->acl_d2h_ring.d2h_buffers_only = true;
1774 	bcm4377->acl_d2h_ring.mapped_payload_size = MAX_ACL_PAYLOAD_SIZE;
1775 	bcm4377->acl_d2h_ring.n_entries = BCM4377_RING_N_ENTRIES;
1776 
1777 	/*
1778 	 * no need for any cleanup since this is only called from _probe
1779 	 * and only devres-managed allocations are used
1780 	 */
1781 	ret = bcm4377_alloc_transfer_ring(bcm4377, &bcm4377->control_h2d_ring);
1782 	if (ret)
1783 		return ret;
1784 	ret = bcm4377_alloc_transfer_ring(bcm4377, &bcm4377->hci_h2d_ring);
1785 	if (ret)
1786 		return ret;
1787 	ret = bcm4377_alloc_transfer_ring(bcm4377, &bcm4377->hci_d2h_ring);
1788 	if (ret)
1789 		return ret;
1790 	ret = bcm4377_alloc_transfer_ring(bcm4377, &bcm4377->sco_h2d_ring);
1791 	if (ret)
1792 		return ret;
1793 	ret = bcm4377_alloc_transfer_ring(bcm4377, &bcm4377->sco_d2h_ring);
1794 	if (ret)
1795 		return ret;
1796 	ret = bcm4377_alloc_transfer_ring(bcm4377, &bcm4377->acl_h2d_ring);
1797 	if (ret)
1798 		return ret;
1799 	ret = bcm4377_alloc_transfer_ring(bcm4377, &bcm4377->acl_d2h_ring);
1800 	if (ret)
1801 		return ret;
1802 
1803 	ret = bcm4377_alloc_completion_ring(bcm4377,
1804 					    &bcm4377->control_ack_ring);
1805 	if (ret)
1806 		return ret;
1807 	ret = bcm4377_alloc_completion_ring(bcm4377,
1808 					    &bcm4377->hci_acl_ack_ring);
1809 	if (ret)
1810 		return ret;
1811 	ret = bcm4377_alloc_completion_ring(bcm4377,
1812 					    &bcm4377->hci_acl_event_ring);
1813 	if (ret)
1814 		return ret;
1815 	ret = bcm4377_alloc_completion_ring(bcm4377, &bcm4377->sco_ack_ring);
1816 	if (ret)
1817 		return ret;
1818 	ret = bcm4377_alloc_completion_ring(bcm4377, &bcm4377->sco_event_ring);
1819 	if (ret)
1820 		return ret;
1821 
1822 	dev_dbg(&bcm4377->pdev->dev, "all rings allocated and prepared\n");
1823 
1824 	return 0;
1825 }
1826 
1827 static int bcm4377_boot(struct bcm4377_data *bcm4377)
1828 {
1829 	const struct firmware *fw;
1830 	void *bfr;
1831 	dma_addr_t fw_dma;
1832 	int ret = 0;
1833 	u32 bootstage, rti_status;
1834 
1835 	bootstage = ioread32(bcm4377->bar2 + bcm4377->hw->bar2_offset + BCM4377_BAR2_BOOTSTAGE);
1836 	rti_status = ioread32(bcm4377->bar2 + bcm4377->hw->bar2_offset + BCM4377_BAR2_RTI_STATUS);
1837 
1838 	if (bootstage != 0) {
1839 		dev_err(&bcm4377->pdev->dev, "bootstage is %d and not 0\n",
1840 			bootstage);
1841 		return -EINVAL;
1842 	}
1843 
1844 	if (rti_status != 0) {
1845 		dev_err(&bcm4377->pdev->dev, "RTI status is %d and not 0\n",
1846 			rti_status);
1847 		return -EINVAL;
1848 	}
1849 
1850 	fw = bcm4377_request_blob(bcm4377, "bin");
1851 	if (!fw) {
1852 		dev_err(&bcm4377->pdev->dev, "Failed to load firmware\n");
1853 		return -ENOENT;
1854 	}
1855 
1856 	bfr = dma_alloc_coherent(&bcm4377->pdev->dev, fw->size, &fw_dma,
1857 				 GFP_KERNEL);
1858 	if (!bfr) {
1859 		ret = -ENOMEM;
1860 		goto out_release_fw;
1861 	}
1862 
1863 	memcpy(bfr, fw->data, fw->size);
1864 
1865 	iowrite32(0, bcm4377->bar0 + BCM4377_BAR0_HOST_WINDOW_LO);
1866 	iowrite32(0, bcm4377->bar0 + BCM4377_BAR0_HOST_WINDOW_HI);
1867 	iowrite32(BCM4377_DMA_MASK,
1868 		  bcm4377->bar0 + BCM4377_BAR0_HOST_WINDOW_SIZE);
1869 
1870 	iowrite32(lower_32_bits(fw_dma),
1871 		  bcm4377->bar2 + bcm4377->hw->bar2_offset + BCM4377_BAR2_FW_LO);
1872 	iowrite32(upper_32_bits(fw_dma),
1873 		  bcm4377->bar2 + bcm4377->hw->bar2_offset + BCM4377_BAR2_FW_HI);
1874 	iowrite32(fw->size,
1875 		  bcm4377->bar2 + bcm4377->hw->bar2_offset + BCM4377_BAR2_FW_SIZE);
1876 	iowrite32(0, bcm4377->bar0 + BCM4377_BAR0_FW_DOORBELL);
1877 
1878 	dev_dbg(&bcm4377->pdev->dev, "waiting for firmware to boot\n");
1879 
1880 	ret = wait_for_completion_interruptible_timeout(&bcm4377->event,
1881 							BCM4377_BOOT_TIMEOUT);
1882 	if (ret == 0) {
1883 		ret = -ETIMEDOUT;
1884 		goto out_dma_free;
1885 	} else if (ret < 0) {
1886 		goto out_dma_free;
1887 	}
1888 
1889 	if (bcm4377->bootstage != 2) {
1890 		dev_err(&bcm4377->pdev->dev, "boostage %d != 2\n",
1891 			bcm4377->bootstage);
1892 		ret = -ENXIO;
1893 		goto out_dma_free;
1894 	}
1895 
1896 	dev_dbg(&bcm4377->pdev->dev, "firmware has booted (stage = %x)\n",
1897 		bcm4377->bootstage);
1898 	ret = 0;
1899 
1900 out_dma_free:
1901 	dma_free_coherent(&bcm4377->pdev->dev, fw->size, bfr, fw_dma);
1902 out_release_fw:
1903 	release_firmware(fw);
1904 	return ret;
1905 }
1906 
1907 static int bcm4377_setup_rti(struct bcm4377_data *bcm4377)
1908 {
1909 	int ret;
1910 
1911 	dev_dbg(&bcm4377->pdev->dev, "starting RTI\n");
1912 	iowrite32(1, bcm4377->bar0 + BCM4377_BAR0_RTI_CONTROL);
1913 
1914 	ret = wait_for_completion_interruptible_timeout(&bcm4377->event,
1915 							BCM4377_TIMEOUT);
1916 	if (ret == 0) {
1917 		dev_err(&bcm4377->pdev->dev,
1918 			"timed out while waiting for RTI to transition to state 1");
1919 		return -ETIMEDOUT;
1920 	} else if (ret < 0) {
1921 		return ret;
1922 	}
1923 
1924 	if (bcm4377->rti_status != 1) {
1925 		dev_err(&bcm4377->pdev->dev, "RTI did not ack state 1 (%d)\n",
1926 			bcm4377->rti_status);
1927 		return -ENODEV;
1928 	}
1929 	dev_dbg(&bcm4377->pdev->dev, "RTI is in state 1\n");
1930 
1931 	/* allow access to the entire IOVA space again */
1932 	iowrite32(0, bcm4377->bar2 + bcm4377->hw->bar2_offset + BCM4377_BAR2_RTI_WINDOW_LO);
1933 	iowrite32(0, bcm4377->bar2 + bcm4377->hw->bar2_offset + BCM4377_BAR2_RTI_WINDOW_HI);
1934 	iowrite32(BCM4377_DMA_MASK,
1935 		  bcm4377->bar2 + bcm4377->hw->bar2_offset + BCM4377_BAR2_RTI_WINDOW_SIZE);
1936 
1937 	/* setup "Converged IPC" context */
1938 	iowrite32(lower_32_bits(bcm4377->ctx_dma),
1939 		  bcm4377->bar2 + bcm4377->hw->bar2_offset + BCM4377_BAR2_CONTEXT_ADDR_LO);
1940 	iowrite32(upper_32_bits(bcm4377->ctx_dma),
1941 		  bcm4377->bar2 + bcm4377->hw->bar2_offset + BCM4377_BAR2_CONTEXT_ADDR_HI);
1942 	iowrite32(2, bcm4377->bar0 + BCM4377_BAR0_RTI_CONTROL);
1943 
1944 	ret = wait_for_completion_interruptible_timeout(&bcm4377->event,
1945 							BCM4377_TIMEOUT);
1946 	if (ret == 0) {
1947 		dev_err(&bcm4377->pdev->dev,
1948 			"timed out while waiting for RTI to transition to state 2");
1949 		return -ETIMEDOUT;
1950 	} else if (ret < 0) {
1951 		return ret;
1952 	}
1953 
1954 	if (bcm4377->rti_status != 2) {
1955 		dev_err(&bcm4377->pdev->dev, "RTI did not ack state 2 (%d)\n",
1956 			bcm4377->rti_status);
1957 		return -ENODEV;
1958 	}
1959 
1960 	dev_dbg(&bcm4377->pdev->dev,
1961 		"RTI is in state 2; control ring is ready\n");
1962 	bcm4377->control_ack_ring.enabled = true;
1963 
1964 	return 0;
1965 }
1966 
1967 static int bcm4377_parse_otp_board_params(struct bcm4377_data *bcm4377,
1968 					  char tag, const char *val, size_t len)
1969 {
1970 	if (tag != 'V')
1971 		return 0;
1972 	if (len >= sizeof(bcm4377->vendor))
1973 		return -EINVAL;
1974 
1975 	strscpy(bcm4377->vendor, val, len + 1);
1976 	return 0;
1977 }
1978 
1979 static int bcm4377_parse_otp_chip_params(struct bcm4377_data *bcm4377, char tag,
1980 					 const char *val, size_t len)
1981 {
1982 	size_t idx = 0;
1983 
1984 	if (tag != 's')
1985 		return 0;
1986 	if (len >= sizeof(bcm4377->stepping))
1987 		return -EINVAL;
1988 
1989 	while (len != 0) {
1990 		bcm4377->stepping[idx] = tolower(val[idx]);
1991 		if (val[idx] == '\0')
1992 			return 0;
1993 
1994 		idx++;
1995 		len--;
1996 	}
1997 
1998 	bcm4377->stepping[idx] = '\0';
1999 	return 0;
2000 }
2001 
2002 static int bcm4377_parse_otp_str(struct bcm4377_data *bcm4377, const u8 *str,
2003 				 enum bcm4377_otp_params_type type)
2004 {
2005 	const char *p;
2006 	int ret;
2007 
2008 	p = skip_spaces(str);
2009 	while (*p) {
2010 		char tag = *p++;
2011 		const char *end;
2012 		size_t len;
2013 
2014 		if (*p++ != '=') /* implicit NUL check */
2015 			return -EINVAL;
2016 
2017 		/* *p might be NUL here, if so end == p and len == 0 */
2018 		end = strchrnul(p, ' ');
2019 		len = end - p;
2020 
2021 		/* leave 1 byte for NUL in destination string */
2022 		if (len > (BCM4377_OTP_MAX_PARAM_LEN - 1))
2023 			return -EINVAL;
2024 
2025 		switch (type) {
2026 		case BCM4377_OTP_BOARD_PARAMS:
2027 			ret = bcm4377_parse_otp_board_params(bcm4377, tag, p,
2028 							     len);
2029 			break;
2030 		case BCM4377_OTP_CHIP_PARAMS:
2031 			ret = bcm4377_parse_otp_chip_params(bcm4377, tag, p,
2032 							    len);
2033 			break;
2034 		default:
2035 			ret = -EINVAL;
2036 			break;
2037 		}
2038 
2039 		if (ret)
2040 			return ret;
2041 
2042 		/* Skip to next arg, if any */
2043 		p = skip_spaces(end);
2044 	}
2045 
2046 	return 0;
2047 }
2048 
2049 static int bcm4377_parse_otp_sys_vendor(struct bcm4377_data *bcm4377, u8 *otp,
2050 					size_t size)
2051 {
2052 	int idx = 4;
2053 	const char *chip_params;
2054 	const char *board_params;
2055 	int ret;
2056 
2057 	/* 4-byte header and two empty strings */
2058 	if (size < 6)
2059 		return -EINVAL;
2060 
2061 	if (get_unaligned_le32(otp) != BCM4377_OTP_VENDOR_HDR)
2062 		return -EINVAL;
2063 
2064 	chip_params = &otp[idx];
2065 
2066 	/* Skip first string, including terminator */
2067 	idx += strnlen(chip_params, size - idx) + 1;
2068 	if (idx >= size)
2069 		return -EINVAL;
2070 
2071 	board_params = &otp[idx];
2072 
2073 	/* Skip to terminator of second string */
2074 	idx += strnlen(board_params, size - idx);
2075 	if (idx >= size)
2076 		return -EINVAL;
2077 
2078 	/* At this point both strings are guaranteed NUL-terminated */
2079 	dev_dbg(&bcm4377->pdev->dev,
2080 		"OTP: chip_params='%s' board_params='%s'\n", chip_params,
2081 		board_params);
2082 
2083 	ret = bcm4377_parse_otp_str(bcm4377, chip_params,
2084 				    BCM4377_OTP_CHIP_PARAMS);
2085 	if (ret)
2086 		return ret;
2087 
2088 	ret = bcm4377_parse_otp_str(bcm4377, board_params,
2089 				    BCM4377_OTP_BOARD_PARAMS);
2090 	if (ret)
2091 		return ret;
2092 
2093 	if (!bcm4377->stepping[0] || !bcm4377->vendor[0])
2094 		return -EINVAL;
2095 
2096 	dev_dbg(&bcm4377->pdev->dev, "OTP: stepping=%s, vendor=%s\n",
2097 		bcm4377->stepping, bcm4377->vendor);
2098 	return 0;
2099 }
2100 
2101 static int bcm4377_parse_otp(struct bcm4377_data *bcm4377)
2102 {
2103 	u8 *otp;
2104 	int i;
2105 	int ret = -ENOENT;
2106 
2107 	otp = kzalloc(BCM4377_OTP_SIZE, GFP_KERNEL);
2108 	if (!otp)
2109 		return -ENOMEM;
2110 
2111 	for (i = 0; i < BCM4377_OTP_SIZE; ++i)
2112 		otp[i] = ioread8(bcm4377->bar0 + bcm4377->hw->otp_offset + i);
2113 
2114 	i = 0;
2115 	while (i < (BCM4377_OTP_SIZE - 1)) {
2116 		u8 type = otp[i];
2117 		u8 length = otp[i + 1];
2118 
2119 		if (type == 0)
2120 			break;
2121 
2122 		if ((i + 2 + length) > BCM4377_OTP_SIZE)
2123 			break;
2124 
2125 		switch (type) {
2126 		case BCM4377_OTP_SYS_VENDOR:
2127 			dev_dbg(&bcm4377->pdev->dev,
2128 				"OTP @ 0x%x (%d): SYS_VENDOR", i, length);
2129 			ret = bcm4377_parse_otp_sys_vendor(bcm4377, &otp[i + 2],
2130 							   length);
2131 			break;
2132 		case BCM4377_OTP_CIS:
2133 			dev_dbg(&bcm4377->pdev->dev, "OTP @ 0x%x (%d): CIS", i,
2134 				length);
2135 			break;
2136 		default:
2137 			dev_dbg(&bcm4377->pdev->dev, "OTP @ 0x%x (%d): unknown",
2138 				i, length);
2139 			break;
2140 		}
2141 
2142 		i += 2 + length;
2143 	}
2144 
2145 	kfree(otp);
2146 	return ret;
2147 }
2148 
2149 static int bcm4377_init_cfg(struct bcm4377_data *bcm4377)
2150 {
2151 	int ret;
2152 	u32 ctrl;
2153 
2154 	ret = pci_write_config_dword(bcm4377->pdev,
2155 				     BCM4377_PCIECFG_BAR0_WINDOW1,
2156 				     bcm4377->hw->bar0_window1);
2157 	if (ret)
2158 		return ret;
2159 
2160 	ret = pci_write_config_dword(bcm4377->pdev,
2161 				     BCM4377_PCIECFG_BAR0_WINDOW2,
2162 				     bcm4377->hw->bar0_window2);
2163 	if (ret)
2164 		return ret;
2165 
2166 	ret = pci_write_config_dword(
2167 		bcm4377->pdev, BCM4377_PCIECFG_BAR0_CORE2_WINDOW1,
2168 		BCM4377_PCIECFG_BAR0_CORE2_WINDOW1_DEFAULT);
2169 	if (ret)
2170 		return ret;
2171 
2172 	if (bcm4377->hw->has_bar0_core2_window2) {
2173 		ret = pci_write_config_dword(bcm4377->pdev,
2174 					     BCM4377_PCIECFG_BAR0_CORE2_WINDOW2,
2175 					     bcm4377->hw->bar0_core2_window2);
2176 		if (ret)
2177 			return ret;
2178 	}
2179 
2180 	ret = pci_write_config_dword(bcm4377->pdev, BCM4377_PCIECFG_BAR2_WINDOW,
2181 				     BCM4377_PCIECFG_BAR2_WINDOW_DEFAULT);
2182 	if (ret)
2183 		return ret;
2184 
2185 	ret = pci_read_config_dword(bcm4377->pdev,
2186 				    BCM4377_PCIECFG_SUBSYSTEM_CTRL, &ctrl);
2187 	if (ret)
2188 		return ret;
2189 
2190 	if (bcm4377->hw->clear_pciecfg_subsystem_ctrl_bit19)
2191 		ctrl &= ~BIT(19);
2192 	ctrl |= BIT(16);
2193 
2194 	return pci_write_config_dword(bcm4377->pdev,
2195 				      BCM4377_PCIECFG_SUBSYSTEM_CTRL, ctrl);
2196 }
2197 
2198 static int bcm4377_probe_dmi(struct bcm4377_data *bcm4377)
2199 {
2200 	const struct dmi_system_id *board_type_dmi_id;
2201 
2202 	board_type_dmi_id = dmi_first_match(bcm4377_dmi_board_table);
2203 	if (board_type_dmi_id && board_type_dmi_id->driver_data) {
2204 		bcm4377->board_type = board_type_dmi_id->driver_data;
2205 		dev_dbg(&bcm4377->pdev->dev,
2206 			"found board type via DMI match: %s\n",
2207 			bcm4377->board_type);
2208 	}
2209 
2210 	return 0;
2211 }
2212 
2213 static int bcm4377_probe_of(struct bcm4377_data *bcm4377)
2214 {
2215 	struct device_node *np = bcm4377->pdev->dev.of_node;
2216 	int ret;
2217 
2218 	if (!np)
2219 		return 0;
2220 
2221 	ret = of_property_read_string(np, "brcm,board-type",
2222 				      &bcm4377->board_type);
2223 	if (ret) {
2224 		dev_err(&bcm4377->pdev->dev, "no brcm,board-type property\n");
2225 		return ret;
2226 	}
2227 
2228 	bcm4377->taurus_beamforming_cal_blob =
2229 		of_get_property(np, "brcm,taurus-bf-cal-blob",
2230 				&bcm4377->taurus_beamforming_cal_size);
2231 	if (!bcm4377->taurus_beamforming_cal_blob) {
2232 		dev_err(&bcm4377->pdev->dev,
2233 			"no brcm,taurus-bf-cal-blob property\n");
2234 		return -ENOENT;
2235 	}
2236 	bcm4377->taurus_cal_blob = of_get_property(np, "brcm,taurus-cal-blob",
2237 						   &bcm4377->taurus_cal_size);
2238 	if (!bcm4377->taurus_cal_blob) {
2239 		dev_err(&bcm4377->pdev->dev,
2240 			"no brcm,taurus-cal-blob property\n");
2241 		return -ENOENT;
2242 	}
2243 
2244 	return 0;
2245 }
2246 
2247 static void bcm4377_disable_aspm(struct bcm4377_data *bcm4377)
2248 {
2249 	pci_disable_link_state(bcm4377->pdev,
2250 			       PCIE_LINK_STATE_L0S | PCIE_LINK_STATE_L1);
2251 
2252 	/*
2253 	 * pci_disable_link_state can fail if either CONFIG_PCIEASPM is disabled
2254 	 * or if the BIOS hasn't handed over control to us. We must *always*
2255 	 * disable ASPM for this device due to hardware errata though.
2256 	 */
2257 	pcie_capability_clear_word(bcm4377->pdev, PCI_EXP_LNKCTL,
2258 				   PCI_EXP_LNKCTL_ASPMC);
2259 }
2260 
2261 static void bcm4377_pci_free_irq_vectors(void *data)
2262 {
2263 	pci_free_irq_vectors(data);
2264 }
2265 
2266 static void bcm4377_hci_free_dev(void *data)
2267 {
2268 	hci_free_dev(data);
2269 }
2270 
2271 static void bcm4377_hci_unregister_dev(void *data)
2272 {
2273 	hci_unregister_dev(data);
2274 }
2275 
2276 static int bcm4377_probe(struct pci_dev *pdev, const struct pci_device_id *id)
2277 {
2278 	struct bcm4377_data *bcm4377;
2279 	struct hci_dev *hdev;
2280 	int ret, irq;
2281 
2282 	ret = dma_set_mask_and_coherent(&pdev->dev, BCM4377_DMA_MASK);
2283 	if (ret)
2284 		return ret;
2285 
2286 	bcm4377 = devm_kzalloc(&pdev->dev, sizeof(*bcm4377), GFP_KERNEL);
2287 	if (!bcm4377)
2288 		return -ENOMEM;
2289 
2290 	bcm4377->pdev = pdev;
2291 	bcm4377->hw = &bcm4377_hw_variants[id->driver_data];
2292 	init_completion(&bcm4377->event);
2293 
2294 	ret = bcm4377_prepare_rings(bcm4377);
2295 	if (ret)
2296 		return ret;
2297 
2298 	ret = bcm4377_init_context(bcm4377);
2299 	if (ret)
2300 		return ret;
2301 
2302 	ret = bcm4377_probe_dmi(bcm4377);
2303 	if (ret)
2304 		return ret;
2305 	ret = bcm4377_probe_of(bcm4377);
2306 	if (ret)
2307 		return ret;
2308 	if (!bcm4377->board_type) {
2309 		dev_err(&pdev->dev, "unable to determine board type\n");
2310 		return -ENODEV;
2311 	}
2312 
2313 	if (bcm4377->hw->disable_aspm)
2314 		bcm4377_disable_aspm(bcm4377);
2315 
2316 	ret = pci_reset_function_locked(pdev);
2317 	if (ret)
2318 		dev_warn(
2319 			&pdev->dev,
2320 			"function level reset failed with %d; trying to continue anyway\n",
2321 			ret);
2322 
2323 	/*
2324 	 * If this number is too low and we try to access any BAR too
2325 	 * early the device will crash. Experiments have shown that
2326 	 * approximately 50 msec is the minimum amount we have to wait.
2327 	 * Let's double that to be safe.
2328 	 */
2329 	msleep(100);
2330 
2331 	ret = pcim_enable_device(pdev);
2332 	if (ret)
2333 		return ret;
2334 	pci_set_master(pdev);
2335 
2336 	ret = bcm4377_init_cfg(bcm4377);
2337 	if (ret)
2338 		return ret;
2339 
2340 	bcm4377->bar0 = pcim_iomap(pdev, 0, 0);
2341 	if (!bcm4377->bar0)
2342 		return -EBUSY;
2343 	bcm4377->bar2 = pcim_iomap(pdev, 2, 0);
2344 	if (!bcm4377->bar2)
2345 		return -EBUSY;
2346 
2347 	ret = bcm4377_parse_otp(bcm4377);
2348 	if (ret) {
2349 		dev_err(&pdev->dev, "Reading OTP failed with %d\n", ret);
2350 		return ret;
2351 	}
2352 
2353 	/*
2354 	 * Legacy interrupts result in an IRQ storm because we don't know where
2355 	 * the interrupt mask and status registers for these chips are.
2356 	 * MSIs are acked automatically instead.
2357 	 */
2358 	ret = pci_alloc_irq_vectors(pdev, 1, 1, PCI_IRQ_MSI);
2359 	if (ret < 0)
2360 		return -ENODEV;
2361 	ret = devm_add_action_or_reset(&pdev->dev, bcm4377_pci_free_irq_vectors,
2362 				       pdev);
2363 	if (ret)
2364 		return ret;
2365 
2366 	irq = pci_irq_vector(pdev, 0);
2367 	if (irq <= 0)
2368 		return -ENODEV;
2369 
2370 	ret = devm_request_irq(&pdev->dev, irq, bcm4377_irq, 0, "bcm4377",
2371 			       bcm4377);
2372 	if (ret)
2373 		return ret;
2374 
2375 	hdev = hci_alloc_dev();
2376 	if (!hdev)
2377 		return -ENOMEM;
2378 	ret = devm_add_action_or_reset(&pdev->dev, bcm4377_hci_free_dev, hdev);
2379 	if (ret)
2380 		return ret;
2381 
2382 	bcm4377->hdev = hdev;
2383 
2384 	hdev->bus = HCI_PCI;
2385 	hdev->open = bcm4377_hci_open;
2386 	hdev->close = bcm4377_hci_close;
2387 	hdev->send = bcm4377_hci_send_frame;
2388 	hdev->set_bdaddr = bcm4377_hci_set_bdaddr;
2389 	hdev->setup = bcm4377_hci_setup;
2390 
2391 	if (bcm4377->hw->broken_mws_transport_config)
2392 		set_bit(HCI_QUIRK_BROKEN_MWS_TRANSPORT_CONFIG, &hdev->quirks);
2393 	if (bcm4377->hw->broken_ext_scan)
2394 		set_bit(HCI_QUIRK_BROKEN_EXT_SCAN, &hdev->quirks);
2395 	if (bcm4377->hw->broken_le_coded)
2396 		set_bit(HCI_QUIRK_BROKEN_LE_CODED, &hdev->quirks);
2397 	if (bcm4377->hw->broken_le_ext_adv_report_phy)
2398 		set_bit(HCI_QUIRK_FIXUP_LE_EXT_ADV_REPORT_PHY, &hdev->quirks);
2399 
2400 	pci_set_drvdata(pdev, bcm4377);
2401 	hci_set_drvdata(hdev, bcm4377);
2402 	SET_HCIDEV_DEV(hdev, &pdev->dev);
2403 
2404 	ret = bcm4377_boot(bcm4377);
2405 	if (ret)
2406 		return ret;
2407 
2408 	ret = bcm4377_setup_rti(bcm4377);
2409 	if (ret)
2410 		return ret;
2411 
2412 	ret = hci_register_dev(hdev);
2413 	if (ret)
2414 		return ret;
2415 	return devm_add_action_or_reset(&pdev->dev, bcm4377_hci_unregister_dev,
2416 					hdev);
2417 }
2418 
2419 static int bcm4377_suspend(struct pci_dev *pdev, pm_message_t state)
2420 {
2421 	struct bcm4377_data *bcm4377 = pci_get_drvdata(pdev);
2422 	int ret;
2423 
2424 	ret = hci_suspend_dev(bcm4377->hdev);
2425 	if (ret)
2426 		return ret;
2427 
2428 	iowrite32(BCM4377_BAR0_SLEEP_CONTROL_QUIESCE,
2429 		  bcm4377->bar0 + BCM4377_BAR0_SLEEP_CONTROL);
2430 
2431 	return 0;
2432 }
2433 
2434 static int bcm4377_resume(struct pci_dev *pdev)
2435 {
2436 	struct bcm4377_data *bcm4377 = pci_get_drvdata(pdev);
2437 
2438 	iowrite32(BCM4377_BAR0_SLEEP_CONTROL_UNQUIESCE,
2439 		  bcm4377->bar0 + BCM4377_BAR0_SLEEP_CONTROL);
2440 
2441 	return hci_resume_dev(bcm4377->hdev);
2442 }
2443 
2444 static const struct dmi_system_id bcm4377_dmi_board_table[] = {
2445 	{
2446 		.matches = {
2447 			DMI_MATCH(DMI_BOARD_VENDOR, "Apple Inc."),
2448 			DMI_MATCH(DMI_PRODUCT_NAME, "MacBookAir9,1"),
2449 		},
2450 		.driver_data = "apple,formosa",
2451 	},
2452 	{
2453 		.matches = {
2454 			DMI_MATCH(DMI_BOARD_VENDOR, "Apple Inc."),
2455 			DMI_MATCH(DMI_PRODUCT_NAME, "MacBookPro15,4"),
2456 		},
2457 		.driver_data = "apple,formosa",
2458 	},
2459 	{
2460 		.matches = {
2461 			DMI_MATCH(DMI_BOARD_VENDOR, "Apple Inc."),
2462 			DMI_MATCH(DMI_PRODUCT_NAME, "MacBookPro16,3"),
2463 		},
2464 		.driver_data = "apple,formosa",
2465 	},
2466 	{}
2467 };
2468 
2469 static const struct bcm4377_hw bcm4377_hw_variants[] = {
2470 	[BCM4377] = {
2471 		.id = 0x4377,
2472 		.otp_offset = 0x4120,
2473 		.bar0_window1 = 0x1800b000,
2474 		.bar0_window2 = 0x1810c000,
2475 		.disable_aspm = true,
2476 		.broken_ext_scan = true,
2477 		.send_ptb = bcm4377_send_ptb,
2478 	},
2479 
2480 	[BCM4378] = {
2481 		.id = 0x4378,
2482 		.otp_offset = 0x4120,
2483 		.bar0_window1 = 0x18002000,
2484 		.bar0_window2 = 0x1810a000,
2485 		.bar0_core2_window2 = 0x18107000,
2486 		.has_bar0_core2_window2 = true,
2487 		.broken_mws_transport_config = true,
2488 		.broken_le_coded = true,
2489 		.send_calibration = bcm4378_send_calibration,
2490 		.send_ptb = bcm4378_send_ptb,
2491 	},
2492 
2493 	[BCM4387] = {
2494 		.id = 0x4387,
2495 		.otp_offset = 0x413c,
2496 		.bar0_window1 = 0x18002000,
2497 		.bar0_window2 = 0x18109000,
2498 		.bar0_core2_window2 = 0x18106000,
2499 		.has_bar0_core2_window2 = true,
2500 		.clear_pciecfg_subsystem_ctrl_bit19 = true,
2501 		.broken_mws_transport_config = true,
2502 		.broken_le_coded = true,
2503 		.broken_le_ext_adv_report_phy = true,
2504 		.send_calibration = bcm4387_send_calibration,
2505 		.send_ptb = bcm4378_send_ptb,
2506 	},
2507 
2508 	[BCM4388] = {
2509 		.id = 0x4388,
2510 		.otp_offset = 0x415c,
2511 		.bar2_offset = 0x200000,
2512 		.bar0_window1 = 0x18002000,
2513 		.bar0_window2 = 0x18109000,
2514 		.bar0_core2_window2 = 0x18106000,
2515 		.has_bar0_core2_window2 = true,
2516 		.broken_mws_transport_config = true,
2517 		.broken_le_coded = true,
2518 		.broken_le_ext_adv_report_phy = true,
2519 		.send_calibration = bcm4388_send_calibration,
2520 		.send_ptb = bcm4378_send_ptb,
2521 	},
2522 };
2523 
2524 #define BCM4377_DEVID_ENTRY(id)                                             \
2525 	{                                                                   \
2526 		PCI_VENDOR_ID_BROADCOM, BCM##id##_DEVICE_ID, PCI_ANY_ID,    \
2527 			PCI_ANY_ID, PCI_CLASS_NETWORK_OTHER << 8, 0xffff00, \
2528 			BCM##id                                             \
2529 	}
2530 
2531 static const struct pci_device_id bcm4377_devid_table[] = {
2532 	BCM4377_DEVID_ENTRY(4377),
2533 	BCM4377_DEVID_ENTRY(4378),
2534 	BCM4377_DEVID_ENTRY(4387),
2535 	BCM4377_DEVID_ENTRY(4388),
2536 	{},
2537 };
2538 MODULE_DEVICE_TABLE(pci, bcm4377_devid_table);
2539 
2540 static struct pci_driver bcm4377_pci_driver = {
2541 	.name = "hci_bcm4377",
2542 	.id_table = bcm4377_devid_table,
2543 	.probe = bcm4377_probe,
2544 	.suspend = bcm4377_suspend,
2545 	.resume = bcm4377_resume,
2546 };
2547 module_pci_driver(bcm4377_pci_driver);
2548 
2549 MODULE_AUTHOR("Sven Peter <sven@svenpeter.dev>");
2550 MODULE_DESCRIPTION("Bluetooth support for Broadcom 4377/4378/4387/4388 devices");
2551 MODULE_LICENSE("Dual MIT/GPL");
2552 MODULE_FIRMWARE("brcm/brcmbt4377*.bin");
2553 MODULE_FIRMWARE("brcm/brcmbt4377*.ptb");
2554 MODULE_FIRMWARE("brcm/brcmbt4378*.bin");
2555 MODULE_FIRMWARE("brcm/brcmbt4378*.ptb");
2556 MODULE_FIRMWARE("brcm/brcmbt4387*.bin");
2557 MODULE_FIRMWARE("brcm/brcmbt4387*.ptb");
2558 MODULE_FIRMWARE("brcm/brcmbt4388*.bin");
2559 MODULE_FIRMWARE("brcm/brcmbt4388*.ptb");
2560