search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
leds: wm831x-status: fix use-after-free on unbind
[linux/fpc-iii.git] / drivers / bluetooth / btmtksdio.c
blobbff095be2f97114c9d540b153b54b018314da1ba
1 // SPDX-License-Identifier: GPL-2.0
2 // Copyright (c) 2019 MediaTek Inc.
3
4 /*
5 * Bluetooth support for MediaTek SDIO devices
6 *
7 * This file is written based on btsdio.c and btmtkuart.c.
8 *
9 * Author: Sean Wang <sean.wang@mediatek.com>
10 *
11 */
12
13 #include <asm/unaligned.h>
14 #include <linux/atomic.h>
15 #include <linux/firmware.h>
16 #include <linux/init.h>
17 #include <linux/iopoll.h>
18 #include <linux/kernel.h>
19 #include <linux/module.h>
20 #include <linux/pm_runtime.h>
21 #include <linux/skbuff.h>
22
23 #include <linux/mmc/host.h>
24 #include <linux/mmc/sdio_ids.h>
25 #include <linux/mmc/sdio_func.h>
26
27 #include <net/bluetooth/bluetooth.h>
28 #include <net/bluetooth/hci_core.h>
29
30 #include "h4_recv.h"
31
32 #define VERSION "0.1"
33
34 #define FIRMWARE_MT7663 "mediatek/mt7663pr2h.bin"
35 #define FIRMWARE_MT7668 "mediatek/mt7668pr2h.bin"
36
37 #define MTKBTSDIO_AUTOSUSPEND_DELAY 8000
38
39 static bool enable_autosuspend;
40
41 struct btmtksdio_data {
42 const char *fwname;
43 };
44
45 static const struct btmtksdio_data mt7663_data = {
46 .fwname = FIRMWARE_MT7663,
47 };
48
49 static const struct btmtksdio_data mt7668_data = {
50 .fwname = FIRMWARE_MT7668,
51 };
52
53 static const struct sdio_device_id btmtksdio_table[] = {
54 {SDIO_DEVICE(SDIO_VENDOR_ID_MEDIATEK, SDIO_DEVICE_ID_MEDIATEK_MT7663),
55 .driver_data = (kernel_ulong_t)&mt7663_data },
56 {SDIO_DEVICE(SDIO_VENDOR_ID_MEDIATEK, SDIO_DEVICE_ID_MEDIATEK_MT7668),
57 .driver_data = (kernel_ulong_t)&mt7668_data },
58 { } /* Terminating entry */
59 };
60 MODULE_DEVICE_TABLE(sdio, btmtksdio_table);
61
62 #define MTK_REG_CHLPCR 0x4 /* W1S */
63 #define C_INT_EN_SET BIT(0)
64 #define C_INT_EN_CLR BIT(1)
65 #define C_FW_OWN_REQ_SET BIT(8) /* For write */
66 #define C_COM_DRV_OWN BIT(8) /* For read */
67 #define C_FW_OWN_REQ_CLR BIT(9)
68
69 #define MTK_REG_CSDIOCSR 0x8
70 #define SDIO_RE_INIT_EN BIT(0)
71 #define SDIO_INT_CTL BIT(2)
72
73 #define MTK_REG_CHCR 0xc
74 #define C_INT_CLR_CTRL BIT(1)
75
76 /* CHISR have the same bits field definition with CHIER */
77 #define MTK_REG_CHISR 0x10
78 #define MTK_REG_CHIER 0x14
79 #define FW_OWN_BACK_INT BIT(0)
80 #define RX_DONE_INT BIT(1)
81 #define TX_EMPTY BIT(2)
82 #define TX_FIFO_OVERFLOW BIT(8)
83 #define RX_PKT_LEN GENMASK(31, 16)
84
85 #define MTK_REG_CTDR 0x18
86
87 #define MTK_REG_CRDR 0x1c
88
89 #define MTK_SDIO_BLOCK_SIZE 256
90
91 #define BTMTKSDIO_TX_WAIT_VND_EVT 1
92
93 enum {
94 MTK_WMT_PATCH_DWNLD = 0x1,
95 MTK_WMT_TEST = 0x2,
96 MTK_WMT_WAKEUP = 0x3,
97 MTK_WMT_HIF = 0x4,
98 MTK_WMT_FUNC_CTRL = 0x6,
99 MTK_WMT_RST = 0x7,
100 MTK_WMT_SEMAPHORE = 0x17,
101 };
102
103 enum {
104 BTMTK_WMT_INVALID,
105 BTMTK_WMT_PATCH_UNDONE,
106 BTMTK_WMT_PATCH_DONE,
107 BTMTK_WMT_ON_UNDONE,
108 BTMTK_WMT_ON_DONE,
109 BTMTK_WMT_ON_PROGRESS,
110 };
111
112 struct mtkbtsdio_hdr {
113 __le16 len;
114 __le16 reserved;
115 u8 bt_type;
116 } __packed;
117
118 struct mtk_wmt_hdr {
119 u8 dir;
120 u8 op;
121 __le16 dlen;
122 u8 flag;
123 } __packed;
124
125 struct mtk_hci_wmt_cmd {
126 struct mtk_wmt_hdr hdr;
127 u8 data[256];
128 } __packed;
129
130 struct btmtk_hci_wmt_evt {
131 struct hci_event_hdr hhdr;
132 struct mtk_wmt_hdr whdr;
133 } __packed;
134
135 struct btmtk_hci_wmt_evt_funcc {
136 struct btmtk_hci_wmt_evt hwhdr;
137 __be16 status;
138 } __packed;
139
140 struct btmtk_tci_sleep {
141 u8 mode;
142 __le16 duration;
143 __le16 host_duration;
144 u8 host_wakeup_pin;
145 u8 time_compensation;
146 } __packed;
147
148 struct btmtk_hci_wmt_params {
149 u8 op;
150 u8 flag;
151 u16 dlen;
152 const void *data;
153 u32 *status;
154 };
155
156 struct btmtksdio_dev {
157 struct hci_dev *hdev;
158 struct sdio_func *func;
159 struct device *dev;
160
161 struct work_struct tx_work;
162 unsigned long tx_state;
163 struct sk_buff_head txq;
164
165 struct sk_buff *evt_skb;
166
167 const struct btmtksdio_data *data;
168 };
169
170 static int mtk_hci_wmt_sync(struct hci_dev *hdev,
171 struct btmtk_hci_wmt_params *wmt_params)
172 {
173 struct btmtksdio_dev *bdev = hci_get_drvdata(hdev);
174 struct btmtk_hci_wmt_evt_funcc *wmt_evt_funcc;
175 u32 hlen, status = BTMTK_WMT_INVALID;
176 struct btmtk_hci_wmt_evt *wmt_evt;
177 struct mtk_hci_wmt_cmd wc;
178 struct mtk_wmt_hdr *hdr;
179 int err;
180
181 hlen = sizeof(*hdr) + wmt_params->dlen;
182 if (hlen > 255)
183 return -EINVAL;
184
185 hdr = (struct mtk_wmt_hdr *)&wc;
186 hdr->dir = 1;
187 hdr->op = wmt_params->op;
188 hdr->dlen = cpu_to_le16(wmt_params->dlen + 1);
189 hdr->flag = wmt_params->flag;
190 memcpy(wc.data, wmt_params->data, wmt_params->dlen);
191
192 set_bit(BTMTKSDIO_TX_WAIT_VND_EVT, &bdev->tx_state);
193
194 err = __hci_cmd_send(hdev, 0xfc6f, hlen, &wc);
195 if (err < 0) {
196 clear_bit(BTMTKSDIO_TX_WAIT_VND_EVT, &bdev->tx_state);
197 return err;
198 }
199
200 /* The vendor specific WMT commands are all answered by a vendor
201 * specific event and will not have the Command Status or Command
202 * Complete as with usual HCI command flow control.
203 *
204 * After sending the command, wait for BTMTKSDIO_TX_WAIT_VND_EVT
205 * state to be cleared. The driver specific event receive routine
206 * will clear that state and with that indicate completion of the
207 * WMT command.
208 */
209 err = wait_on_bit_timeout(&bdev->tx_state, BTMTKSDIO_TX_WAIT_VND_EVT,
210 TASK_INTERRUPTIBLE, HCI_INIT_TIMEOUT);
211 if (err == -EINTR) {
212 bt_dev_err(hdev, "Execution of wmt command interrupted");
213 clear_bit(BTMTKSDIO_TX_WAIT_VND_EVT, &bdev->tx_state);
214 return err;
215 }
216
217 if (err) {
218 bt_dev_err(hdev, "Execution of wmt command timed out");
219 clear_bit(BTMTKSDIO_TX_WAIT_VND_EVT, &bdev->tx_state);
220 return -ETIMEDOUT;
221 }
222
223 /* Parse and handle the return WMT event */
224 wmt_evt = (struct btmtk_hci_wmt_evt *)bdev->evt_skb->data;
225 if (wmt_evt->whdr.op != hdr->op) {
226 bt_dev_err(hdev, "Wrong op received %d expected %d",
227 wmt_evt->whdr.op, hdr->op);
228 err = -EIO;
229 goto err_free_skb;
230 }
231
232 switch (wmt_evt->whdr.op) {
233 case MTK_WMT_SEMAPHORE:
234 if (wmt_evt->whdr.flag == 2)
235 status = BTMTK_WMT_PATCH_UNDONE;
236 else
237 status = BTMTK_WMT_PATCH_DONE;
238 break;
239 case MTK_WMT_FUNC_CTRL:
240 wmt_evt_funcc = (struct btmtk_hci_wmt_evt_funcc *)wmt_evt;
241 if (be16_to_cpu(wmt_evt_funcc->status) == 0x404)
242 status = BTMTK_WMT_ON_DONE;
243 else if (be16_to_cpu(wmt_evt_funcc->status) == 0x420)
244 status = BTMTK_WMT_ON_PROGRESS;
245 else
246 status = BTMTK_WMT_ON_UNDONE;
247 break;
248 }
249
250 if (wmt_params->status)
251 *wmt_params->status = status;
252
253 err_free_skb:
254 kfree_skb(bdev->evt_skb);
255 bdev->evt_skb = NULL;
256
257 return err;
258 }
259
260 static int btmtksdio_tx_packet(struct btmtksdio_dev *bdev,
261 struct sk_buff *skb)
262 {
263 struct mtkbtsdio_hdr *sdio_hdr;
264 int err;
265
266 /* Make sure that there are enough rooms for SDIO header */
267 if (unlikely(skb_headroom(skb) < sizeof(*sdio_hdr))) {
268 err = pskb_expand_head(skb, sizeof(*sdio_hdr), 0,
269 GFP_ATOMIC);
270 if (err < 0)
271 return err;
272 }
273
274 /* Prepend MediaTek SDIO Specific Header */
275 skb_push(skb, sizeof(*sdio_hdr));
276
277 sdio_hdr = (void *)skb->data;
278 sdio_hdr->len = cpu_to_le16(skb->len);
279 sdio_hdr->reserved = cpu_to_le16(0);
280 sdio_hdr->bt_type = hci_skb_pkt_type(skb);
281
282 err = sdio_writesb(bdev->func, MTK_REG_CTDR, skb->data,
283 round_up(skb->len, MTK_SDIO_BLOCK_SIZE));
284 if (err < 0)
285 goto err_skb_pull;
286
287 bdev->hdev->stat.byte_tx += skb->len;
288
289 kfree_skb(skb);
290
291 return 0;
292
293 err_skb_pull:
294 skb_pull(skb, sizeof(*sdio_hdr));
295
296 return err;
297 }
298
299 static u32 btmtksdio_drv_own_query(struct btmtksdio_dev *bdev)
300 {
301 return sdio_readl(bdev->func, MTK_REG_CHLPCR, NULL);
302 }
303
304 static void btmtksdio_tx_work(struct work_struct *work)
305 {
306 struct btmtksdio_dev *bdev = container_of(work, struct btmtksdio_dev,
307 tx_work);
308 struct sk_buff *skb;
309 int err;
310
311 pm_runtime_get_sync(bdev->dev);
312
313 sdio_claim_host(bdev->func);
314
315 while ((skb = skb_dequeue(&bdev->txq))) {
316 err = btmtksdio_tx_packet(bdev, skb);
317 if (err < 0) {
318 bdev->hdev->stat.err_tx++;
319 skb_queue_head(&bdev->txq, skb);
320 break;
321 }
322 }
323
324 sdio_release_host(bdev->func);
325
326 pm_runtime_mark_last_busy(bdev->dev);
327 pm_runtime_put_autosuspend(bdev->dev);
328 }
329
330 static int btmtksdio_recv_event(struct hci_dev *hdev, struct sk_buff *skb)
331 {
332 struct btmtksdio_dev *bdev = hci_get_drvdata(hdev);
333 struct hci_event_hdr *hdr = (void *)skb->data;
334 int err;
335
336 /* Fix up the vendor event id with 0xff for vendor specific instead
337 * of 0xe4 so that event send via monitoring socket can be parsed
338 * properly.
339 */
340 if (hdr->evt == 0xe4)
341 hdr->evt = HCI_EV_VENDOR;
342
343 /* When someone waits for the WMT event, the skb is being cloned
344 * and being processed the events from there then.
345 */
346 if (test_bit(BTMTKSDIO_TX_WAIT_VND_EVT, &bdev->tx_state)) {
347 bdev->evt_skb = skb_clone(skb, GFP_KERNEL);
348 if (!bdev->evt_skb) {
349 err = -ENOMEM;
350 goto err_out;
351 }
352 }
353
354 err = hci_recv_frame(hdev, skb);
355 if (err < 0)
356 goto err_free_skb;
357
358 if (hdr->evt == HCI_EV_VENDOR) {
359 if (test_and_clear_bit(BTMTKSDIO_TX_WAIT_VND_EVT,
360 &bdev->tx_state)) {
361 /* Barrier to sync with other CPUs */
362 smp_mb__after_atomic();
363 wake_up_bit(&bdev->tx_state, BTMTKSDIO_TX_WAIT_VND_EVT);
364 }
365 }
366
367 return 0;
368
369 err_free_skb:
370 kfree_skb(bdev->evt_skb);
371 bdev->evt_skb = NULL;
372
373 err_out:
374 return err;
375 }
376
377 static const struct h4_recv_pkt mtk_recv_pkts[] = {
378 { H4_RECV_ACL, .recv = hci_recv_frame },
379 { H4_RECV_SCO, .recv = hci_recv_frame },
380 { H4_RECV_EVENT, .recv = btmtksdio_recv_event },
381 };
382
383 static int btmtksdio_rx_packet(struct btmtksdio_dev *bdev, u16 rx_size)
384 {
385 const struct h4_recv_pkt *pkts = mtk_recv_pkts;
386 int pkts_count = ARRAY_SIZE(mtk_recv_pkts);
387 struct mtkbtsdio_hdr *sdio_hdr;
388 int err, i, pad_size;
389 struct sk_buff *skb;
390 u16 dlen;
391
392 if (rx_size < sizeof(*sdio_hdr))
393 return -EILSEQ;
394
395 /* A SDIO packet is exactly containing a Bluetooth packet */
396 skb = bt_skb_alloc(rx_size, GFP_KERNEL);
397 if (!skb)
398 return -ENOMEM;
399
400 skb_put(skb, rx_size);
401
402 err = sdio_readsb(bdev->func, skb->data, MTK_REG_CRDR, rx_size);
403 if (err < 0)
404 goto err_kfree_skb;
405
406 sdio_hdr = (void *)skb->data;
407
408 /* We assume the default error as -EILSEQ simply to make the error path
409 * be cleaner.
410 */
411 err = -EILSEQ;
412
413 if (rx_size != le16_to_cpu(sdio_hdr->len)) {
414 bt_dev_err(bdev->hdev, "Rx size in sdio header is mismatched ");
415 goto err_kfree_skb;
416 }
417
418 hci_skb_pkt_type(skb) = sdio_hdr->bt_type;
419
420 /* Remove MediaTek SDIO header */
421 skb_pull(skb, sizeof(*sdio_hdr));
422
423 /* We have to dig into the packet to get payload size and then know how
424 * many padding bytes at the tail, these padding bytes should be removed
425 * before the packet is indicated to the core layer.
426 */
427 for (i = 0; i < pkts_count; i++) {
428 if (sdio_hdr->bt_type == (&pkts[i])->type)
429 break;
430 }
431
432 if (i >= pkts_count) {
433 bt_dev_err(bdev->hdev, "Invalid bt type 0x%02x",
434 sdio_hdr->bt_type);
435 goto err_kfree_skb;
436 }
437
438 /* Remaining bytes cannot hold a header*/
439 if (skb->len < (&pkts[i])->hlen) {
440 bt_dev_err(bdev->hdev, "The size of bt header is mismatched");
441 goto err_kfree_skb;
442 }
443
444 switch ((&pkts[i])->lsize) {
445 case 1:
446 dlen = skb->data[(&pkts[i])->loff];
447 break;
448 case 2:
449 dlen = get_unaligned_le16(skb->data +
450 (&pkts[i])->loff);
451 break;
452 default:
453 goto err_kfree_skb;
454 }
455
456 pad_size = skb->len - (&pkts[i])->hlen - dlen;
457
458 /* Remaining bytes cannot hold a payload */
459 if (pad_size < 0) {
460 bt_dev_err(bdev->hdev, "The size of bt payload is mismatched");
461 goto err_kfree_skb;
462 }
463
464 /* Remove padding bytes */
465 skb_trim(skb, skb->len - pad_size);
466
467 /* Complete frame */
468 (&pkts[i])->recv(bdev->hdev, skb);
469
470 bdev->hdev->stat.byte_rx += rx_size;
471
472 return 0;
473
474 err_kfree_skb:
475 kfree_skb(skb);
476
477 return err;
478 }
479
480 static void btmtksdio_interrupt(struct sdio_func *func)
481 {
482 struct btmtksdio_dev *bdev = sdio_get_drvdata(func);
483 u32 int_status;
484 u16 rx_size;
485
486 /* It is required that the host gets ownership from the device before
487 * accessing any register, however, if SDIO host is not being released,
488 * a potential deadlock probably happens in a circular wait between SDIO
489 * IRQ work and PM runtime work. So, we have to explicitly release SDIO
490 * host here and claim again after the PM runtime work is all done.
491 */
492 sdio_release_host(bdev->func);
493
494 pm_runtime_get_sync(bdev->dev);
495
496 sdio_claim_host(bdev->func);
497
498 /* Disable interrupt */
499 sdio_writel(func, C_INT_EN_CLR, MTK_REG_CHLPCR, 0);
500
501 int_status = sdio_readl(func, MTK_REG_CHISR, NULL);
502
503 /* Ack an interrupt as soon as possible before any operation on
504 * hardware.
505 *
506 * Note that we don't ack any status during operations to avoid race
507 * condition between the host and the device such as it's possible to
508 * mistakenly ack RX_DONE for the next packet and then cause interrupts
509 * not be raised again but there is still pending data in the hardware
510 * FIFO.
511 */
512 sdio_writel(func, int_status, MTK_REG_CHISR, NULL);
513
514 if (unlikely(!int_status))
515 bt_dev_err(bdev->hdev, "CHISR is 0");
516
517 if (int_status & FW_OWN_BACK_INT)
518 bt_dev_dbg(bdev->hdev, "Get fw own back");
519
520 if (int_status & TX_EMPTY)
521 schedule_work(&bdev->tx_work);
522 else if (unlikely(int_status & TX_FIFO_OVERFLOW))
523 bt_dev_warn(bdev->hdev, "Tx fifo overflow");
524
525 if (int_status & RX_DONE_INT) {
526 rx_size = (int_status & RX_PKT_LEN) >> 16;
527
528 if (btmtksdio_rx_packet(bdev, rx_size) < 0)
529 bdev->hdev->stat.err_rx++;
530 }
531
532 /* Enable interrupt */
533 sdio_writel(func, C_INT_EN_SET, MTK_REG_CHLPCR, 0);
534
535 pm_runtime_mark_last_busy(bdev->dev);
536 pm_runtime_put_autosuspend(bdev->dev);
537 }
538
539 static int btmtksdio_open(struct hci_dev *hdev)
540 {
541 struct btmtksdio_dev *bdev = hci_get_drvdata(hdev);
542 int err;
543 u32 status;
544
545 sdio_claim_host(bdev->func);
546
547 err = sdio_enable_func(bdev->func);
548 if (err < 0)
549 goto err_release_host;
550
551 /* Get ownership from the device */
552 sdio_writel(bdev->func, C_FW_OWN_REQ_CLR, MTK_REG_CHLPCR, &err);
553 if (err < 0)
554 goto err_disable_func;
555
556 err = readx_poll_timeout(btmtksdio_drv_own_query, bdev, status,
557 status & C_COM_DRV_OWN, 2000, 1000000);
558 if (err < 0) {
559 bt_dev_err(bdev->hdev, "Cannot get ownership from device");
560 goto err_disable_func;
561 }
562
563 /* Disable interrupt & mask out all interrupt sources */
564 sdio_writel(bdev->func, C_INT_EN_CLR, MTK_REG_CHLPCR, &err);
565 if (err < 0)
566 goto err_disable_func;
567
568 sdio_writel(bdev->func, 0, MTK_REG_CHIER, &err);
569 if (err < 0)
570 goto err_disable_func;
571
572 err = sdio_claim_irq(bdev->func, btmtksdio_interrupt);
573 if (err < 0)
574 goto err_disable_func;
575
576 err = sdio_set_block_size(bdev->func, MTK_SDIO_BLOCK_SIZE);
577 if (err < 0)
578 goto err_release_irq;
579
580 /* SDIO CMD 5 allows the SDIO device back to idle state an
581 * synchronous interrupt is supported in SDIO 4-bit mode
582 */
583 sdio_writel(bdev->func, SDIO_INT_CTL | SDIO_RE_INIT_EN,
584 MTK_REG_CSDIOCSR, &err);
585 if (err < 0)
586 goto err_release_irq;
587
588 /* Setup write-1-clear for CHISR register */
589 sdio_writel(bdev->func, C_INT_CLR_CTRL, MTK_REG_CHCR, &err);
590 if (err < 0)
591 goto err_release_irq;
592
593 /* Setup interrupt sources */
594 sdio_writel(bdev->func, RX_DONE_INT | TX_EMPTY | TX_FIFO_OVERFLOW,
595 MTK_REG_CHIER, &err);
596 if (err < 0)
597 goto err_release_irq;
598
599 /* Enable interrupt */
600 sdio_writel(bdev->func, C_INT_EN_SET, MTK_REG_CHLPCR, &err);
601 if (err < 0)
602 goto err_release_irq;
603
604 sdio_release_host(bdev->func);
605
606 return 0;
607
608 err_release_irq:
609 sdio_release_irq(bdev->func);
610
611 err_disable_func:
612 sdio_disable_func(bdev->func);
613
614 err_release_host:
615 sdio_release_host(bdev->func);
616
617 return err;
618 }
619
620 static int btmtksdio_close(struct hci_dev *hdev)
621 {
622 struct btmtksdio_dev *bdev = hci_get_drvdata(hdev);
623 u32 status;
624 int err;
625
626 sdio_claim_host(bdev->func);
627
628 /* Disable interrupt */
629 sdio_writel(bdev->func, C_INT_EN_CLR, MTK_REG_CHLPCR, NULL);
630
631 sdio_release_irq(bdev->func);
632
633 /* Return ownership to the device */
634 sdio_writel(bdev->func, C_FW_OWN_REQ_SET, MTK_REG_CHLPCR, NULL);
635
636 err = readx_poll_timeout(btmtksdio_drv_own_query, bdev, status,
637 !(status & C_COM_DRV_OWN), 2000, 1000000);
638 if (err < 0)
639 bt_dev_err(bdev->hdev, "Cannot return ownership to device");
640
641 sdio_disable_func(bdev->func);
642
643 sdio_release_host(bdev->func);
644
645 return 0;
646 }
647
648 static int btmtksdio_flush(struct hci_dev *hdev)
649 {
650 struct btmtksdio_dev *bdev = hci_get_drvdata(hdev);
651
652 skb_queue_purge(&bdev->txq);
653
654 cancel_work_sync(&bdev->tx_work);
655
656 return 0;
657 }
658
659 static int btmtksdio_func_query(struct hci_dev *hdev)
660 {
661 struct btmtk_hci_wmt_params wmt_params;
662 int status, err;
663 u8 param = 0;
664
665 /* Query whether the function is enabled */
666 wmt_params.op = MTK_WMT_FUNC_CTRL;
667 wmt_params.flag = 4;
668 wmt_params.dlen = sizeof(param);
669 wmt_params.data = &param;
670 wmt_params.status = &status;
671
672 err = mtk_hci_wmt_sync(hdev, &wmt_params);
673 if (err < 0) {
674 bt_dev_err(hdev, "Failed to query function status (%d)", err);
675 return err;
676 }
677
678 return status;
679 }
680
681 static int mtk_setup_firmware(struct hci_dev *hdev, const char *fwname)
682 {
683 struct btmtk_hci_wmt_params wmt_params;
684 const struct firmware *fw;
685 const u8 *fw_ptr;
686 size_t fw_size;
687 int err, dlen;
688 u8 flag;
689
690 err = request_firmware(&fw, fwname, &hdev->dev);
691 if (err < 0) {
692 bt_dev_err(hdev, "Failed to load firmware file (%d)", err);
693 return err;
694 }
695
696 fw_ptr = fw->data;
697 fw_size = fw->size;
698
699 /* The size of patch header is 30 bytes, should be skip */
700 if (fw_size < 30) {
701 err = -EINVAL;
702 goto free_fw;
703 }
704
705 fw_size -= 30;
706 fw_ptr += 30;
707 flag = 1;
708
709 wmt_params.op = MTK_WMT_PATCH_DWNLD;
710 wmt_params.status = NULL;
711
712 while (fw_size > 0) {
713 dlen = min_t(int, 250, fw_size);
714
715 /* Tell device the position in sequence */
716 if (fw_size - dlen <= 0)
717 flag = 3;
718 else if (fw_size < fw->size - 30)
719 flag = 2;
720
721 wmt_params.flag = flag;
722 wmt_params.dlen = dlen;
723 wmt_params.data = fw_ptr;
724
725 err = mtk_hci_wmt_sync(hdev, &wmt_params);
726 if (err < 0) {
727 bt_dev_err(hdev, "Failed to send wmt patch dwnld (%d)",
728 err);
729 goto free_fw;
730 }
731
732 fw_size -= dlen;
733 fw_ptr += dlen;
734 }
735
736 wmt_params.op = MTK_WMT_RST;
737 wmt_params.flag = 4;
738 wmt_params.dlen = 0;
739 wmt_params.data = NULL;
740 wmt_params.status = NULL;
741
742 /* Activate funciton the firmware providing to */
743 err = mtk_hci_wmt_sync(hdev, &wmt_params);
744 if (err < 0) {
745 bt_dev_err(hdev, "Failed to send wmt rst (%d)", err);
746 goto free_fw;
747 }
748
749 /* Wait a few moments for firmware activation done */
750 usleep_range(10000, 12000);
751
752 free_fw:
753 release_firmware(fw);
754 return err;
755 }
756
757 static int btmtksdio_setup(struct hci_dev *hdev)
758 {
759 struct btmtksdio_dev *bdev = hci_get_drvdata(hdev);
760 struct btmtk_hci_wmt_params wmt_params;
761 ktime_t calltime, delta, rettime;
762 struct btmtk_tci_sleep tci_sleep;
763 unsigned long long duration;
764 struct sk_buff *skb;
765 int err, status;
766 u8 param = 0x1;
767
768 calltime = ktime_get();
769
770 /* Query whether the firmware is already download */
771 wmt_params.op = MTK_WMT_SEMAPHORE;
772 wmt_params.flag = 1;
773 wmt_params.dlen = 0;
774 wmt_params.data = NULL;
775 wmt_params.status = &status;
776
777 err = mtk_hci_wmt_sync(hdev, &wmt_params);
778 if (err < 0) {
779 bt_dev_err(hdev, "Failed to query firmware status (%d)", err);
780 return err;
781 }
782
783 if (status == BTMTK_WMT_PATCH_DONE) {
784 bt_dev_info(hdev, "Firmware already downloaded");
785 goto ignore_setup_fw;
786 }
787
788 /* Setup a firmware which the device definitely requires */
789 err = mtk_setup_firmware(hdev, bdev->data->fwname);
790 if (err < 0)
791 return err;
792
793 ignore_setup_fw:
794 /* Query whether the device is already enabled */
795 err = readx_poll_timeout(btmtksdio_func_query, hdev, status,
796 status < 0 || status != BTMTK_WMT_ON_PROGRESS,
797 2000, 5000000);
798 /* -ETIMEDOUT happens */
799 if (err < 0)
800 return err;
801
802 /* The other errors happen in btusb_mtk_func_query */
803 if (status < 0)
804 return status;
805
806 if (status == BTMTK_WMT_ON_DONE) {
807 bt_dev_info(hdev, "function already on");
808 goto ignore_func_on;
809 }
810
811 /* Enable Bluetooth protocol */
812 wmt_params.op = MTK_WMT_FUNC_CTRL;
813 wmt_params.flag = 0;
814 wmt_params.dlen = sizeof(param);
815 wmt_params.data = &param;
816 wmt_params.status = NULL;
817
818 err = mtk_hci_wmt_sync(hdev, &wmt_params);
819 if (err < 0) {
820 bt_dev_err(hdev, "Failed to send wmt func ctrl (%d)", err);
821 return err;
822 }
823
824 ignore_func_on:
825 /* Apply the low power environment setup */
826 tci_sleep.mode = 0x5;
827 tci_sleep.duration = cpu_to_le16(0x640);
828 tci_sleep.host_duration = cpu_to_le16(0x640);
829 tci_sleep.host_wakeup_pin = 0;
830 tci_sleep.time_compensation = 0;
831
832 skb = __hci_cmd_sync(hdev, 0xfc7a, sizeof(tci_sleep), &tci_sleep,
833 HCI_INIT_TIMEOUT);
834 if (IS_ERR(skb)) {
835 err = PTR_ERR(skb);
836 bt_dev_err(hdev, "Failed to apply low power setting (%d)", err);
837 return err;
838 }
839 kfree_skb(skb);
840
841 rettime = ktime_get();
842 delta = ktime_sub(rettime, calltime);
843 duration = (unsigned long long)ktime_to_ns(delta) >> 10;
844
845 pm_runtime_set_autosuspend_delay(bdev->dev,
846 MTKBTSDIO_AUTOSUSPEND_DELAY);
847 pm_runtime_use_autosuspend(bdev->dev);
848
849 err = pm_runtime_set_active(bdev->dev);
850 if (err < 0)
851 return err;
852
853 /* Default forbid runtime auto suspend, that can be allowed by
854 * enable_autosuspend flag or the PM runtime entry under sysfs.
855 */
856 pm_runtime_forbid(bdev->dev);
857 pm_runtime_enable(bdev->dev);
858
859 if (enable_autosuspend)
860 pm_runtime_allow(bdev->dev);
861
862 bt_dev_info(hdev, "Device setup in %llu usecs", duration);
863
864 return 0;
865 }
866
867 static int btmtksdio_shutdown(struct hci_dev *hdev)
868 {
869 struct btmtksdio_dev *bdev = hci_get_drvdata(hdev);
870 struct btmtk_hci_wmt_params wmt_params;
871 u8 param = 0x0;
872 int err;
873
874 /* Get back the state to be consistent with the state
875 * in btmtksdio_setup.
876 */
877 pm_runtime_get_sync(bdev->dev);
878
879 /* Disable the device */
880 wmt_params.op = MTK_WMT_FUNC_CTRL;
881 wmt_params.flag = 0;
882 wmt_params.dlen = sizeof(param);
883 wmt_params.data = &param;
884 wmt_params.status = NULL;
885
886 err = mtk_hci_wmt_sync(hdev, &wmt_params);
887 if (err < 0) {
888 bt_dev_err(hdev, "Failed to send wmt func ctrl (%d)", err);
889 return err;
890 }
891
892 pm_runtime_put_noidle(bdev->dev);
893 pm_runtime_disable(bdev->dev);
894
895 return 0;
896 }
897
898 static int btmtksdio_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
899 {
900 struct btmtksdio_dev *bdev = hci_get_drvdata(hdev);
901
902 switch (hci_skb_pkt_type(skb)) {
903 case HCI_COMMAND_PKT:
904 hdev->stat.cmd_tx++;
905 break;
906
907 case HCI_ACLDATA_PKT:
908 hdev->stat.acl_tx++;
909 break;
910
911 case HCI_SCODATA_PKT:
912 hdev->stat.sco_tx++;
913 break;
914
915 default:
916 return -EILSEQ;
917 }
918
919 skb_queue_tail(&bdev->txq, skb);
920
921 schedule_work(&bdev->tx_work);
922
923 return 0;
924 }
925
926 static int btmtksdio_probe(struct sdio_func *func,
927 const struct sdio_device_id *id)
928 {
929 struct btmtksdio_dev *bdev;
930 struct hci_dev *hdev;
931 int err;
932
933 bdev = devm_kzalloc(&func->dev, sizeof(*bdev), GFP_KERNEL);
934 if (!bdev)
935 return -ENOMEM;
936
937 bdev->data = (void *)id->driver_data;
938 if (!bdev->data)
939 return -ENODEV;
940
941 bdev->dev = &func->dev;
942 bdev->func = func;
943
944 INIT_WORK(&bdev->tx_work, btmtksdio_tx_work);
945 skb_queue_head_init(&bdev->txq);
946
947 /* Initialize and register HCI device */
948 hdev = hci_alloc_dev();
949 if (!hdev) {
950 dev_err(&func->dev, "Can't allocate HCI device\n");
951 return -ENOMEM;
952 }
953
954 bdev->hdev = hdev;
955
956 hdev->bus = HCI_SDIO;
957 hci_set_drvdata(hdev, bdev);
958
959 hdev->open = btmtksdio_open;
960 hdev->close = btmtksdio_close;
961 hdev->flush = btmtksdio_flush;
962 hdev->setup = btmtksdio_setup;
963 hdev->shutdown = btmtksdio_shutdown;
964 hdev->send = btmtksdio_send_frame;
965 SET_HCIDEV_DEV(hdev, &func->dev);
966
967 hdev->manufacturer = 70;
968 set_bit(HCI_QUIRK_NON_PERSISTENT_SETUP, &hdev->quirks);
969
970 err = hci_register_dev(hdev);
971 if (err < 0) {
972 dev_err(&func->dev, "Can't register HCI device\n");
973 hci_free_dev(hdev);
974 return err;
975 }
976
977 sdio_set_drvdata(func, bdev);
978
979 /* pm_runtime_enable would be done after the firmware is being
980 * downloaded because the core layer probably already enables
981 * runtime PM for this func such as the case host->caps &
982 * MMC_CAP_POWER_OFF_CARD.
983 */
984 if (pm_runtime_enabled(bdev->dev))
985 pm_runtime_disable(bdev->dev);
986
987 /* As explaination in drivers/mmc/core/sdio_bus.c tells us:
988 * Unbound SDIO functions are always suspended.
989 * During probe, the function is set active and the usage count
990 * is incremented. If the driver supports runtime PM,
991 * it should call pm_runtime_put_noidle() in its probe routine and
992 * pm_runtime_get_noresume() in its remove routine.
993 *
994 * So, put a pm_runtime_put_noidle here !
995 */
996 pm_runtime_put_noidle(bdev->dev);
997
998 return 0;
999 }
1000
1001 static void btmtksdio_remove(struct sdio_func *func)
1002 {
1003 struct btmtksdio_dev *bdev = sdio_get_drvdata(func);
1004 struct hci_dev *hdev;
1005
1006 if (!bdev)
1007 return;
1008
1009 /* Be consistent the state in btmtksdio_probe */
1010 pm_runtime_get_noresume(bdev->dev);
1011
1012 hdev = bdev->hdev;
1013
1014 sdio_set_drvdata(func, NULL);
1015 hci_unregister_dev(hdev);
1016 hci_free_dev(hdev);
1017 }
1018
1019 #ifdef CONFIG_PM
1020 static int btmtksdio_runtime_suspend(struct device *dev)
1021 {
1022 struct sdio_func *func = dev_to_sdio_func(dev);
1023 struct btmtksdio_dev *bdev;
1024 u32 status;
1025 int err;
1026
1027 bdev = sdio_get_drvdata(func);
1028 if (!bdev)
1029 return 0;
1030
1031 sdio_claim_host(bdev->func);
1032
1033 sdio_writel(bdev->func, C_FW_OWN_REQ_SET, MTK_REG_CHLPCR, &err);
1034 if (err < 0)
1035 goto out;
1036
1037 err = readx_poll_timeout(btmtksdio_drv_own_query, bdev, status,
1038 !(status & C_COM_DRV_OWN), 2000, 1000000);
1039 out:
1040 bt_dev_info(bdev->hdev, "status (%d) return ownership to device", err);
1041
1042 sdio_release_host(bdev->func);
1043
1044 return err;
1045 }
1046
1047 static int btmtksdio_runtime_resume(struct device *dev)
1048 {
1049 struct sdio_func *func = dev_to_sdio_func(dev);
1050 struct btmtksdio_dev *bdev;
1051 u32 status;
1052 int err;
1053
1054 bdev = sdio_get_drvdata(func);
1055 if (!bdev)
1056 return 0;
1057
1058 sdio_claim_host(bdev->func);
1059
1060 sdio_writel(bdev->func, C_FW_OWN_REQ_CLR, MTK_REG_CHLPCR, &err);
1061 if (err < 0)
1062 goto out;
1063
1064 err = readx_poll_timeout(btmtksdio_drv_own_query, bdev, status,
1065 status & C_COM_DRV_OWN, 2000, 1000000);
1066 out:
1067 bt_dev_info(bdev->hdev, "status (%d) get ownership from device", err);
1068
1069 sdio_release_host(bdev->func);
1070
1071 return err;
1072 }
1073
1074 static UNIVERSAL_DEV_PM_OPS(btmtksdio_pm_ops, btmtksdio_runtime_suspend,
1075 btmtksdio_runtime_resume, NULL);
1076 #define BTMTKSDIO_PM_OPS (&btmtksdio_pm_ops)
1077 #else /* CONFIG_PM */
1078 #define BTMTKSDIO_PM_OPS NULL
1079 #endif /* CONFIG_PM */
1080
1081 static struct sdio_driver btmtksdio_driver = {
1082 .name = "btmtksdio",
1083 .probe = btmtksdio_probe,
1084 .remove = btmtksdio_remove,
1085 .id_table = btmtksdio_table,
1086 .drv = {
1087 .owner = THIS_MODULE,
1088 .pm = BTMTKSDIO_PM_OPS,
1089 }
1090 };
1091
1092 module_sdio_driver(btmtksdio_driver);
1093
1094 module_param(enable_autosuspend, bool, 0644);
1095 MODULE_PARM_DESC(enable_autosuspend, "Enable autosuspend by default");
1096
1097 MODULE_AUTHOR("Sean Wang <sean.wang@mediatek.com>");
1098 MODULE_DESCRIPTION("MediaTek Bluetooth SDIO driver ver " VERSION);
1099 MODULE_VERSION(VERSION);
1100 MODULE_LICENSE("GPL");
1101 MODULE_FIRMWARE(FIRMWARE_MT7663);
1102 MODULE_FIRMWARE(FIRMWARE_MT7668);
Linux with added FPC-III support