drivers/bluetooth/hci_ag6xx.c

0001 // SPDX-License-Identifier: GPL-2.0-or-later
0002 /*
0003  *
0004  *  Bluetooth HCI UART driver for Intel/AG6xx devices
0005  *
0006  *  Copyright (C) 2016  Intel Corporation
0007  */
0008
0009 #include <linux/kernel.h>
0010 #include <linux/errno.h>
0011 #include <linux/skbuff.h>
0012 #include <linux/firmware.h>
0013 #include <linux/module.h>
0014 #include <linux/tty.h>
0015
0016 #include <net/bluetooth/bluetooth.h>
0017 #include <net/bluetooth/hci_core.h>
0018
0019 #include "hci_uart.h"
0020 #include "btintel.h"
0021
0022 struct ag6xx_data {
0023     struct sk_buff *rx_skb;
0024     struct sk_buff_head txq;
0025 };
0026
0027 struct pbn_entry {
0028     __le32 addr;
0029     __le32 plen;
0030     __u8 data[];
0031 } __packed;
0032
0033 static int ag6xx_open(struct hci_uart *hu)
0034 {
0035     struct ag6xx_data *ag6xx;
0036
0037     BT_DBG("hu %p", hu);
0038
0039     ag6xx = kzalloc(sizeof(*ag6xx), GFP_KERNEL);
0040     if (!ag6xx)
0041         return -ENOMEM;
0042
0043     skb_queue_head_init(&ag6xx->txq);
0044
0045     hu->priv = ag6xx;
0046     return 0;
0047 }
0048
0049 static int ag6xx_close(struct hci_uart *hu)
0050 {
0051     struct ag6xx_data *ag6xx = hu->priv;
0052
0053     BT_DBG("hu %p", hu);
0054
0055     skb_queue_purge(&ag6xx->txq);
0056     kfree_skb(ag6xx->rx_skb);
0057     kfree(ag6xx);
0058
0059     hu->priv = NULL;
0060     return 0;
0061 }
0062
0063 static int ag6xx_flush(struct hci_uart *hu)
0064 {
0065     struct ag6xx_data *ag6xx = hu->priv;
0066
0067     BT_DBG("hu %p", hu);
0068
0069     skb_queue_purge(&ag6xx->txq);
0070     return 0;
0071 }
0072
0073 static struct sk_buff *ag6xx_dequeue(struct hci_uart *hu)
0074 {
0075     struct ag6xx_data *ag6xx = hu->priv;
0076     struct sk_buff *skb;
0077
0078     skb = skb_dequeue(&ag6xx->txq);
0079     if (!skb)
0080         return skb;
0081
0082     /* Prepend skb with frame type */
0083     memcpy(skb_push(skb, 1), &bt_cb(skb)->pkt_type, 1);
0084     return skb;
0085 }
0086
0087 static int ag6xx_enqueue(struct hci_uart *hu, struct sk_buff *skb)
0088 {
0089     struct ag6xx_data *ag6xx = hu->priv;
0090
0091     skb_queue_tail(&ag6xx->txq, skb);
0092     return 0;
0093 }
0094
0095 static const struct h4_recv_pkt ag6xx_recv_pkts[] = {
0096     { H4_RECV_ACL,    .recv = hci_recv_frame   },
0097     { H4_RECV_SCO,    .recv = hci_recv_frame   },
0098     { H4_RECV_EVENT,  .recv = hci_recv_frame   },
0099 };
0100
0101 static int ag6xx_recv(struct hci_uart *hu, const void *data, int count)
0102 {
0103     struct ag6xx_data *ag6xx = hu->priv;
0104
0105     if (!test_bit(HCI_UART_REGISTERED, &hu->flags))
0106         return -EUNATCH;
0107
0108     ag6xx->rx_skb = h4_recv_buf(hu->hdev, ag6xx->rx_skb, data, count,
0109                     ag6xx_recv_pkts,
0110                     ARRAY_SIZE(ag6xx_recv_pkts));
0111     if (IS_ERR(ag6xx->rx_skb)) {
0112         int err = PTR_ERR(ag6xx->rx_skb);
0113         bt_dev_err(hu->hdev, "Frame reassembly failed (%d)", err);
0114         ag6xx->rx_skb = NULL;
0115         return err;
0116     }
0117
0118     return count;
0119 }
0120
0121 static int intel_mem_write(struct hci_dev *hdev, u32 addr, u32 plen,
0122                const void *data)
0123 {
0124     /* Can write a maximum of 247 bytes per HCI command.
0125      * HCI cmd Header (3), Intel mem write header (6), data (247).
0126      */
0127     while (plen > 0) {
0128         struct sk_buff *skb;
0129         u8 cmd_param[253], fragment_len = (plen > 247) ? 247 : plen;
0130         __le32 leaddr = cpu_to_le32(addr);
0131
0132         memcpy(cmd_param, &leaddr, 4);
0133         cmd_param[4] = 0;
0134         cmd_param[5] = fragment_len;
0135         memcpy(cmd_param + 6, data, fragment_len);
0136
0137         skb = __hci_cmd_sync(hdev, 0xfc8e, fragment_len + 6, cmd_param,
0138                      HCI_INIT_TIMEOUT);
0139         if (IS_ERR(skb))
0140             return PTR_ERR(skb);
0141         kfree_skb(skb);
0142
0143         plen -= fragment_len;
0144         data += fragment_len;
0145         addr += fragment_len;
0146     }
0147
0148     return 0;
0149 }
0150
0151 static int ag6xx_setup(struct hci_uart *hu)
0152 {
0153     struct hci_dev *hdev = hu->hdev;
0154     struct sk_buff *skb;
0155     struct intel_version ver;
0156     const struct firmware *fw;
0157     const u8 *fw_ptr;
0158     char fwname[64];
0159     bool patched = false;
0160     int err;
0161
0162     hu->hdev->set_diag = btintel_set_diag;
0163     hu->hdev->set_bdaddr = btintel_set_bdaddr;
0164
0165     err = btintel_enter_mfg(hdev);
0166     if (err)
0167         return err;
0168
0169     err = btintel_read_version(hdev, &ver);
0170     if (err)
0171         return err;
0172
0173     btintel_version_info(hdev, &ver);
0174
0175     /* The hardware platform number has a fixed value of 0x37 and
0176      * for now only accept this single value.
0177      */
0178     if (ver.hw_platform != 0x37) {
0179         bt_dev_err(hdev, "Unsupported Intel hardware platform: 0x%X",
0180                ver.hw_platform);
0181         return -EINVAL;
0182     }
0183
0184     /* Only the hardware variant iBT 2.1 (AG6XX) is supported by this
0185      * firmware setup method.
0186      */
0187     if (ver.hw_variant != 0x0a) {
0188         bt_dev_err(hdev, "Unsupported Intel hardware variant: 0x%x",
0189                ver.hw_variant);
0190         return -EINVAL;
0191     }
0192
0193     snprintf(fwname, sizeof(fwname), "intel/ibt-hw-%x.%x.bddata",
0194          ver.hw_platform, ver.hw_variant);
0195
0196     err = request_firmware(&fw, fwname, &hdev->dev);
0197     if (err < 0) {
0198         bt_dev_err(hdev, "Failed to open Intel bddata file: %s (%d)",
0199                fwname, err);
0200         goto patch;
0201     }
0202
0203     bt_dev_info(hdev, "Applying bddata (%s)", fwname);
0204
0205     skb = __hci_cmd_sync_ev(hdev, 0xfc2f, fw->size, fw->data,
0206                 HCI_EV_CMD_STATUS, HCI_CMD_TIMEOUT);
0207     if (IS_ERR(skb)) {
0208         bt_dev_err(hdev, "Applying bddata failed (%ld)", PTR_ERR(skb));
0209         release_firmware(fw);
0210         return PTR_ERR(skb);
0211     }
0212     kfree_skb(skb);
0213
0214     release_firmware(fw);
0215
0216 patch:
0217     /* If there is no applied patch, fw_patch_num is always 0x00. In other
0218      * cases, current firmware is already patched. No need to patch it.
0219      */
0220     if (ver.fw_patch_num) {
0221         bt_dev_info(hdev, "Device is already patched. patch num: %02x",
0222                 ver.fw_patch_num);
0223         patched = true;
0224         goto complete;
0225     }
0226
0227     snprintf(fwname, sizeof(fwname),
0228          "intel/ibt-hw-%x.%x.%x-fw-%x.%x.%x.%x.%x.pbn",
0229          ver.hw_platform, ver.hw_variant, ver.hw_revision,
0230          ver.fw_variant,  ver.fw_revision, ver.fw_build_num,
0231          ver.fw_build_ww, ver.fw_build_yy);
0232
0233     err = request_firmware(&fw, fwname, &hdev->dev);
0234     if (err < 0) {
0235         bt_dev_err(hdev, "Failed to open Intel patch file: %s(%d)",
0236                fwname, err);
0237         goto complete;
0238     }
0239     fw_ptr = fw->data;
0240
0241     bt_dev_info(hdev, "Patching firmware file (%s)", fwname);
0242
0243     /* PBN patch file contains a list of binary patches to be applied on top
0244      * of the embedded firmware. Each patch entry header contains the target
0245      * address and patch size.
0246      *
0247      * Patch entry:
0248      * | addr(le) | patch_len(le) | patch_data |
0249      * | 4 Bytes  |    4 Bytes    |   n Bytes  |
0250      *
0251      * PBN file is terminated by a patch entry whose address is 0xffffffff.
0252      */
0253     while (fw->size > fw_ptr - fw->data) {
0254         struct pbn_entry *pbn = (void *)fw_ptr;
0255         u32 addr, plen;
0256
0257         if (pbn->addr == 0xffffffff) {
0258             bt_dev_info(hdev, "Patching complete");
0259             patched = true;
0260             break;
0261         }
0262
0263         addr = le32_to_cpu(pbn->addr);
0264         plen = le32_to_cpu(pbn->plen);
0265
0266         if (fw->data + fw->size <= pbn->data + plen) {
0267             bt_dev_info(hdev, "Invalid patch len (%d)", plen);
0268             break;
0269         }
0270
0271         bt_dev_info(hdev, "Patching %td/%zu", (fw_ptr - fw->data),
0272                 fw->size);
0273
0274         err = intel_mem_write(hdev, addr, plen, pbn->data);
0275         if (err) {
0276             bt_dev_err(hdev, "Patching failed");
0277             break;
0278         }
0279
0280         fw_ptr = pbn->data + plen;
0281     }
0282
0283     release_firmware(fw);
0284
0285 complete:
0286     /* Exit manufacturing mode and reset */
0287     err = btintel_exit_mfg(hdev, true, patched);
0288     if (err)
0289         return err;
0290
0291     /* Set the event mask for Intel specific vendor events. This enables
0292      * a few extra events that are useful during general operation.
0293      */
0294     btintel_set_event_mask_mfg(hdev, false);
0295
0296     btintel_check_bdaddr(hdev);
0297     return 0;
0298 }
0299
0300 static const struct hci_uart_proto ag6xx_proto = {
0301     .id     = HCI_UART_AG6XX,
0302     .name       = "AG6XX",
0303     .manufacturer   = 2,
0304     .open       = ag6xx_open,
0305     .close      = ag6xx_close,
0306     .flush      = ag6xx_flush,
0307     .setup      = ag6xx_setup,
0308     .recv       = ag6xx_recv,
0309     .enqueue    = ag6xx_enqueue,
0310     .dequeue    = ag6xx_dequeue,
0311 };
0312
0313 int __init ag6xx_init(void)
0314 {
0315     return hci_uart_register_proto(&ag6xx_proto);
0316 }
0317
0318 int __exit ag6xx_deinit(void)
0319 {
0320     return hci_uart_unregister_proto(&ag6xx_proto);
0321 }