1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  *
4  *  Bluetooth HCI UART driver for Intel/AG6xx devices
5  *
6  *  Copyright (C) 2016  Intel Corporation
7  */
8 
9 #include <linux/kernel.h>
10 #include <linux/errno.h>
11 #include <linux/skbuff.h>
12 #include <linux/firmware.h>
13 #include <linux/module.h>
14 #include <linux/tty.h>
15 
16 #include <net/bluetooth/bluetooth.h>
17 #include <net/bluetooth/hci_core.h>
18 
19 #include "hci_uart.h"
20 #include "btintel.h"
21 
22 struct ag6xx_data {
23 	struct sk_buff *rx_skb;
24 	struct sk_buff_head txq;
25 };
26 
27 struct pbn_entry {
28 	__le32 addr;
29 	__le32 plen;
30 	__u8 data[];
31 } __packed;
32 
ag6xx_open(struct hci_uart * hu)33 static int ag6xx_open(struct hci_uart *hu)
34 {
35 	struct ag6xx_data *ag6xx;
36 
37 	BT_DBG("hu %p", hu);
38 
39 	ag6xx = kzalloc(sizeof(*ag6xx), GFP_KERNEL);
40 	if (!ag6xx)
41 		return -ENOMEM;
42 
43 	skb_queue_head_init(&ag6xx->txq);
44 
45 	hu->priv = ag6xx;
46 	return 0;
47 }
48 
ag6xx_close(struct hci_uart * hu)49 static int ag6xx_close(struct hci_uart *hu)
50 {
51 	struct ag6xx_data *ag6xx = hu->priv;
52 
53 	BT_DBG("hu %p", hu);
54 
55 	skb_queue_purge(&ag6xx->txq);
56 	kfree_skb(ag6xx->rx_skb);
57 	kfree(ag6xx);
58 
59 	hu->priv = NULL;
60 	return 0;
61 }
62 
ag6xx_flush(struct hci_uart * hu)63 static int ag6xx_flush(struct hci_uart *hu)
64 {
65 	struct ag6xx_data *ag6xx = hu->priv;
66 
67 	BT_DBG("hu %p", hu);
68 
69 	skb_queue_purge(&ag6xx->txq);
70 	return 0;
71 }
72 
ag6xx_dequeue(struct hci_uart * hu)73 static struct sk_buff *ag6xx_dequeue(struct hci_uart *hu)
74 {
75 	struct ag6xx_data *ag6xx = hu->priv;
76 	struct sk_buff *skb;
77 
78 	skb = skb_dequeue(&ag6xx->txq);
79 	if (!skb)
80 		return skb;
81 
82 	/* Prepend skb with frame type */
83 	memcpy(skb_push(skb, 1), &bt_cb(skb)->pkt_type, 1);
84 	return skb;
85 }
86 
ag6xx_enqueue(struct hci_uart * hu,struct sk_buff * skb)87 static int ag6xx_enqueue(struct hci_uart *hu, struct sk_buff *skb)
88 {
89 	struct ag6xx_data *ag6xx = hu->priv;
90 
91 	skb_queue_tail(&ag6xx->txq, skb);
92 	return 0;
93 }
94 
95 static const struct h4_recv_pkt ag6xx_recv_pkts[] = {
96 	{ H4_RECV_ACL,    .recv = hci_recv_frame   },
97 	{ H4_RECV_SCO,    .recv = hci_recv_frame   },
98 	{ H4_RECV_EVENT,  .recv = hci_recv_frame   },
99 };
100 
ag6xx_recv(struct hci_uart * hu,const void * data,int count)101 static int ag6xx_recv(struct hci_uart *hu, const void *data, int count)
102 {
103 	struct ag6xx_data *ag6xx = hu->priv;
104 
105 	if (!test_bit(HCI_UART_REGISTERED, &hu->flags))
106 		return -EUNATCH;
107 
108 	ag6xx->rx_skb = h4_recv_buf(hu->hdev, ag6xx->rx_skb, data, count,
109 				    ag6xx_recv_pkts,
110 				    ARRAY_SIZE(ag6xx_recv_pkts));
111 	if (IS_ERR(ag6xx->rx_skb)) {
112 		int err = PTR_ERR(ag6xx->rx_skb);
113 		bt_dev_err(hu->hdev, "Frame reassembly failed (%d)", err);
114 		ag6xx->rx_skb = NULL;
115 		return err;
116 	}
117 
118 	return count;
119 }
120 
intel_mem_write(struct hci_dev * hdev,u32 addr,u32 plen,const void * data)121 static int intel_mem_write(struct hci_dev *hdev, u32 addr, u32 plen,
122 			   const void *data)
123 {
124 	/* Can write a maximum of 247 bytes per HCI command.
125 	 * HCI cmd Header (3), Intel mem write header (6), data (247).
126 	 */
127 	while (plen > 0) {
128 		struct sk_buff *skb;
129 		u8 cmd_param[253], fragment_len = (plen > 247) ? 247 : plen;
130 		__le32 leaddr = cpu_to_le32(addr);
131 
132 		memcpy(cmd_param, &leaddr, 4);
133 		cmd_param[4] = 0;
134 		cmd_param[5] = fragment_len;
135 		memcpy(cmd_param + 6, data, fragment_len);
136 
137 		skb = __hci_cmd_sync(hdev, 0xfc8e, fragment_len + 6, cmd_param,
138 				     HCI_INIT_TIMEOUT);
139 		if (IS_ERR(skb))
140 			return PTR_ERR(skb);
141 		kfree_skb(skb);
142 
143 		plen -= fragment_len;
144 		data += fragment_len;
145 		addr += fragment_len;
146 	}
147 
148 	return 0;
149 }
150 
ag6xx_setup(struct hci_uart * hu)151 static int ag6xx_setup(struct hci_uart *hu)
152 {
153 	struct hci_dev *hdev = hu->hdev;
154 	struct sk_buff *skb;
155 	struct intel_version ver;
156 	const struct firmware *fw;
157 	const u8 *fw_ptr;
158 	char fwname[64];
159 	bool patched = false;
160 	int err;
161 
162 	hu->hdev->set_diag = btintel_set_diag;
163 	hu->hdev->set_bdaddr = btintel_set_bdaddr;
164 
165 	err = btintel_enter_mfg(hdev);
166 	if (err)
167 		return err;
168 
169 	err = btintel_read_version(hdev, &ver);
170 	if (err)
171 		return err;
172 
173 	btintel_version_info(hdev, &ver);
174 
175 	/* The hardware platform number has a fixed value of 0x37 and
176 	 * for now only accept this single value.
177 	 */
178 	if (ver.hw_platform != 0x37) {
179 		bt_dev_err(hdev, "Unsupported Intel hardware platform: 0x%X",
180 			   ver.hw_platform);
181 		return -EINVAL;
182 	}
183 
184 	/* Only the hardware variant iBT 2.1 (AG6XX) is supported by this
185 	 * firmware setup method.
186 	 */
187 	if (ver.hw_variant != 0x0a) {
188 		bt_dev_err(hdev, "Unsupported Intel hardware variant: 0x%x",
189 			   ver.hw_variant);
190 		return -EINVAL;
191 	}
192 
193 	snprintf(fwname, sizeof(fwname), "intel/ibt-hw-%x.%x.bddata",
194 		 ver.hw_platform, ver.hw_variant);
195 
196 	err = request_firmware(&fw, fwname, &hdev->dev);
197 	if (err < 0) {
198 		bt_dev_err(hdev, "Failed to open Intel bddata file: %s (%d)",
199 			   fwname, err);
200 		goto patch;
201 	}
202 
203 	bt_dev_info(hdev, "Applying bddata (%s)", fwname);
204 
205 	skb = __hci_cmd_sync_ev(hdev, 0xfc2f, fw->size, fw->data,
206 				HCI_EV_CMD_STATUS, HCI_CMD_TIMEOUT);
207 	if (IS_ERR(skb)) {
208 		bt_dev_err(hdev, "Applying bddata failed (%ld)", PTR_ERR(skb));
209 		release_firmware(fw);
210 		return PTR_ERR(skb);
211 	}
212 	kfree_skb(skb);
213 
214 	release_firmware(fw);
215 
216 patch:
217 	/* If there is no applied patch, fw_patch_num is always 0x00. In other
218 	 * cases, current firmware is already patched. No need to patch it.
219 	 */
220 	if (ver.fw_patch_num) {
221 		bt_dev_info(hdev, "Device is already patched. patch num: %02x",
222 			    ver.fw_patch_num);
223 		patched = true;
224 		goto complete;
225 	}
226 
227 	snprintf(fwname, sizeof(fwname),
228 		 "intel/ibt-hw-%x.%x.%x-fw-%x.%x.%x.%x.%x.pbn",
229 		 ver.hw_platform, ver.hw_variant, ver.hw_revision,
230 		 ver.fw_variant,  ver.fw_revision, ver.fw_build_num,
231 		 ver.fw_build_ww, ver.fw_build_yy);
232 
233 	err = request_firmware(&fw, fwname, &hdev->dev);
234 	if (err < 0) {
235 		bt_dev_err(hdev, "Failed to open Intel patch file: %s(%d)",
236 			   fwname, err);
237 		goto complete;
238 	}
239 	fw_ptr = fw->data;
240 
241 	bt_dev_info(hdev, "Patching firmware file (%s)", fwname);
242 
243 	/* PBN patch file contains a list of binary patches to be applied on top
244 	 * of the embedded firmware. Each patch entry header contains the target
245 	 * address and patch size.
246 	 *
247 	 * Patch entry:
248 	 * | addr(le) | patch_len(le) | patch_data |
249 	 * | 4 Bytes  |    4 Bytes    |   n Bytes  |
250 	 *
251 	 * PBN file is terminated by a patch entry whose address is 0xffffffff.
252 	 */
253 	while (fw->size > fw_ptr - fw->data) {
254 		struct pbn_entry *pbn = (void *)fw_ptr;
255 		u32 addr, plen;
256 
257 		if (pbn->addr == 0xffffffff) {
258 			bt_dev_info(hdev, "Patching complete");
259 			patched = true;
260 			break;
261 		}
262 
263 		addr = le32_to_cpu(pbn->addr);
264 		plen = le32_to_cpu(pbn->plen);
265 
266 		if (fw->data + fw->size <= pbn->data + plen) {
267 			bt_dev_info(hdev, "Invalid patch len (%d)", plen);
268 			break;
269 		}
270 
271 		bt_dev_info(hdev, "Patching %td/%zu", (fw_ptr - fw->data),
272 			    fw->size);
273 
274 		err = intel_mem_write(hdev, addr, plen, pbn->data);
275 		if (err) {
276 			bt_dev_err(hdev, "Patching failed");
277 			break;
278 		}
279 
280 		fw_ptr = pbn->data + plen;
281 	}
282 
283 	release_firmware(fw);
284 
285 complete:
286 	/* Exit manufacturing mode and reset */
287 	err = btintel_exit_mfg(hdev, true, patched);
288 	if (err)
289 		return err;
290 
291 	/* Set the event mask for Intel specific vendor events. This enables
292 	 * a few extra events that are useful during general operation.
293 	 */
294 	btintel_set_event_mask_mfg(hdev, false);
295 
296 	btintel_check_bdaddr(hdev);
297 	return 0;
298 }
299 
300 static const struct hci_uart_proto ag6xx_proto = {
301 	.id		= HCI_UART_AG6XX,
302 	.name		= "AG6XX",
303 	.manufacturer	= 2,
304 	.open		= ag6xx_open,
305 	.close		= ag6xx_close,
306 	.flush		= ag6xx_flush,
307 	.setup		= ag6xx_setup,
308 	.recv		= ag6xx_recv,
309 	.enqueue	= ag6xx_enqueue,
310 	.dequeue	= ag6xx_dequeue,
311 };
312 
ag6xx_init(void)313 int __init ag6xx_init(void)
314 {
315 	return hci_uart_register_proto(&ag6xx_proto);
316 }
317 
ag6xx_deinit(void)318 int __exit ag6xx_deinit(void)
319 {
320 	return hci_uart_unregister_proto(&ag6xx_proto);
321 }
322