1 files changed, 377 insertions, 0 deletions
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 3d684d20b584..7a7e5f8ecadc 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -23,6 +23,7 @@
 #include <linux/module.h>
 #include <linux/usb.h>
+#include <linux/firmware.h>
 #include <net/bluetooth/bluetooth.h>
 #include <net/bluetooth/hci_core.h>
@@ -47,6 +48,7 @@ static struct usb_driver btusb_driver;
 #define BTUSB_BROKEN_ISOC       0x20
 #define BTUSB_WRONG_SCO_MTU     0x40
 #define BTUSB_ATH3012           0x80
+#define BTUSB_INTEL             0x100
 static struct usb_device_id btusb_table[] = {
        /* Generic Bluetooth USB device */
@@ -207,6 +209,9 @@ static struct usb_device_id blacklist_table[] = {
        /* Frontline ComProbe Bluetooth Sniffer */
        { USB_DEVICE(0x16d3, 0x0002), .driver_info = BTUSB_SNIFFER },
+        /* Intel Bluetooth device */
+        { USB_DEVICE(0x8087, 0x07dc), .driver_info = BTUSB_INTEL },
        { }     /* Terminating entry */
 };
@@ -943,6 +948,375 @@ static int btusb_setup_bcm92035(struct hci_dev *hdev)
        return 0;
 }
+struct intel_version {
+        u8 status;
+        u8 hw_platform;
+        u8 hw_variant;
+        u8 hw_revision;
+        u8 fw_variant;
+        u8 fw_revision;
+        u8 fw_build_num;
+        u8 fw_build_ww;
+        u8 fw_build_yy;
+        u8 fw_patch_num;
+} __packed;
+static const struct firmware *btusb_setup_intel_get_fw(struct hci_dev *hdev,
+                                                struct intel_version *ver)
+{
+        const struct firmware *fw;
+        char fwname[64];
+        int ret;
+        snprintf(fwname, sizeof(fwname),
+                 "intel/ibt-hw-%x.%x.%x-fw-%x.%x.%x.%x.%x.bseq",
+                 ver->hw_platform, ver->hw_variant, ver->hw_revision,
+                 ver->fw_variant,  ver->fw_revision, ver->fw_build_num,
+                 ver->fw_build_ww, ver->fw_build_yy);
+        ret = request_firmware(&fw, fwname, &hdev->dev);
+        if (ret < 0) {
+                if (ret == -EINVAL) {
+                        BT_ERR("%s Intel firmware file request failed (%d)",
+                               hdev->name, ret);
+                        return NULL;
+                }
+                BT_ERR("%s failed to open Intel firmware file: %s(%d)",
+                       hdev->name, fwname, ret);
+                /* If the correct firmware patch file is not found, use the
+                 * default firmware patch file instead
+                 */
+                snprintf(fwname, sizeof(fwname), "intel/ibt-hw-%x.%x.bseq",
+                         ver->hw_platform, ver->hw_variant);
+                if (request_firmware(&fw, fwname, &hdev->dev) < 0) {
+                        BT_ERR("%s failed to open default Intel fw file: %s",
+                               hdev->name, fwname);
+                        return NULL;
+                }
+        }
+        BT_INFO("%s: Intel Bluetooth firmware file: %s", hdev->name, fwname);
+        return fw;
+}
+static int btusb_setup_intel_patching(struct hci_dev *hdev,
+                                      const struct firmware *fw,
+                                      const u8 **fw_ptr, int *disable_patch)
+{
+        struct sk_buff *skb;
+        struct hci_command_hdr *cmd;
+        const u8 *cmd_param;
+        struct hci_event_hdr *evt = NULL;
+        const u8 *evt_param = NULL;
+        int remain = fw->size - (*fw_ptr - fw->data);
+        /* The first byte indicates the types of the patch command or event.
+         * 0x01 means HCI command and 0x02 is HCI event. If the first bytes
+         * in the current firmware buffer doesn't start with 0x01 or
+         * the size of remain buffer is smaller than HCI command header,
+         * the firmware file is corrupted and it should stop the patching
+         * process.
+         */
+        if (remain > HCI_COMMAND_HDR_SIZE && *fw_ptr[0] != 0x01) {
+                BT_ERR("%s Intel fw corrupted: invalid cmd read", hdev->name);
+                return -EINVAL;
+        }
+        (*fw_ptr)++;
+        remain--;
+        cmd = (struct hci_command_hdr *)(*fw_ptr);
+        *fw_ptr += sizeof(*cmd);
+        remain -= sizeof(*cmd);
+        /* Ensure that the remain firmware data is long enough than the length
+         * of command parameter. If not, the firmware file is corrupted.
+         */
+        if (remain < cmd->plen) {
+                BT_ERR("%s Intel fw corrupted: invalid cmd len", hdev->name);
+                return -EFAULT;
+        }
+        /* If there is a command that loads a patch in the firmware
+         * file, then enable the patch upon success, otherwise just
+         * disable the manufacturer mode, for example patch activation
+         * is not required when the default firmware patch file is used
+         * because there are no patch data to load.
+         */
+        if (*disable_patch && le16_to_cpu(cmd->opcode) == 0xfc8e)
+                *disable_patch = 0;
+        cmd_param = *fw_ptr;
+        *fw_ptr += cmd->plen;
+        remain -= cmd->plen;
+        /* This reads the expected events when the above command is sent to the
+         * device. Some vendor commands expects more than one events, for
+         * example command status event followed by vendor specific event.
+         * For this case, it only keeps the last expected event. so the command
+         * can be sent with __hci_cmd_sync_ev() which returns the sk_buff of
+         * last expected event.
+         */
+        while (remain > HCI_EVENT_HDR_SIZE && *fw_ptr[0] == 0x02) {
+                (*fw_ptr)++;
+                remain--;
+                evt = (struct hci_event_hdr *)(*fw_ptr);
+                *fw_ptr += sizeof(*evt);
+                remain -= sizeof(*evt);
+                if (remain < evt->plen) {
+                        BT_ERR("%s Intel fw corrupted: invalid evt len",
+                               hdev->name);
+                        return -EFAULT;
+                }
+                evt_param = *fw_ptr;
+                *fw_ptr += evt->plen;
+                remain -= evt->plen;
+        }
+        /* Every HCI commands in the firmware file has its correspond event.
+         * If event is not found or remain is smaller than zero, the firmware
+         * file is corrupted.
+         */
+        if (!evt || !evt_param || remain < 0) {
+                BT_ERR("%s Intel fw corrupted: invalid evt read", hdev->name);
+                return -EFAULT;
+        }
+        skb = __hci_cmd_sync_ev(hdev, le16_to_cpu(cmd->opcode), cmd->plen,
+                                cmd_param, evt->evt, HCI_INIT_TIMEOUT);
+        if (IS_ERR(skb)) {
+                BT_ERR("%s sending Intel patch command (0x%4.4x) failed (%ld)",
+                       hdev->name, cmd->opcode, PTR_ERR(skb));
+                return -PTR_ERR(skb);
+        }
+        /* It ensures that the returned event matches the event data read from
+         * the firmware file. At fist, it checks the length and then
+         * the contents of the event.
+         */
+        if (skb->len != evt->plen) {
+                BT_ERR("%s mismatch event length (opcode 0x%4.4x)", hdev->name,
+                       le16_to_cpu(cmd->opcode));
+                kfree_skb(skb);
+                return -EFAULT;
+        }
+        if (memcmp(skb->data, evt_param, evt->plen)) {
+                BT_ERR("%s mismatch event parameter (opcode 0x%4.4x)",
+                       hdev->name, le16_to_cpu(cmd->opcode));
+                kfree_skb(skb);
+                return -EFAULT;
+        }
+        kfree_skb(skb);
+        return 0;
+}
+static int btusb_setup_intel(struct hci_dev *hdev)
+{
+        struct sk_buff *skb;
+        const struct firmware *fw;
+        const u8 *fw_ptr;
+        int disable_patch;
+        struct intel_version *ver;
+        const u8 mfg_enable[] = { 0x01, 0x00 };
+        const u8 mfg_disable[] = { 0x00, 0x00 };
+        const u8 mfg_reset_deactivate[] = { 0x00, 0x01 };
+        const u8 mfg_reset_activate[] = { 0x00, 0x02 };
+        BT_DBG("%s", hdev->name);
+        /* The controller has a bug with the first HCI command sent to it
+         * returning number of completed commands as zero. This would stall the
+         * command processing in the Bluetooth core.
+         *
+         * As a workaround, send HCI Reset command first which will reset the
+         * number of completed commands and allow normal command processing
+         * from now on.
+         */
+        skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
+        if (IS_ERR(skb)) {
+                BT_ERR("%s sending initial HCI reset command failed (%ld)",
+                       hdev->name, PTR_ERR(skb));
+                return -PTR_ERR(skb);
+        }
+        kfree_skb(skb);
+        /* Read Intel specific controller version first to allow selection of
+         * which firmware file to load.
+         *
+         * The returned information are hardware variant and revision plus
+         * firmware variant, revision and build number.
+         */
+        skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_INIT_TIMEOUT);
+        if (IS_ERR(skb)) {
+                BT_ERR("%s reading Intel fw version command failed (%ld)",
+                       hdev->name, PTR_ERR(skb));
+                return -PTR_ERR(skb);
+        }
+        if (skb->len != sizeof(*ver)) {
+                BT_ERR("%s Intel version event length mismatch", hdev->name);
+                kfree_skb(skb);
+                return -EIO;
+        }
+        ver = (struct intel_version *)skb->data;
+        if (ver->status) {
+                BT_ERR("%s Intel fw version event failed (%02x)", hdev->name,
+                       ver->status);
+                kfree_skb(skb);
+                return -bt_to_errno(ver->status);
+        }
+        BT_INFO("%s: read Intel version: %02x%02x%02x%02x%02x%02x%02x%02x%02x",
+                hdev->name, ver->hw_platform, ver->hw_variant,
+                ver->hw_revision, ver->fw_variant,  ver->fw_revision,
+                ver->fw_build_num, ver->fw_build_ww, ver->fw_build_yy,
+                ver->fw_patch_num);
+        /* fw_patch_num indicates the version of patch the device currently
+         * have. If there is no patch data in the device, it is always 0x00.
+         * So, if it is other than 0x00, no need to patch the deivce again.
+         */
+        if (ver->fw_patch_num) {
+                BT_INFO("%s: Intel device is already patched. patch num: %02x",
+                        hdev->name, ver->fw_patch_num);
+                kfree_skb(skb);
+                return 0;
+        }
+        /* Opens the firmware patch file based on the firmware version read
+         * from the controller. If it fails to open the matching firmware
+         * patch file, it tries to open the default firmware patch file.
+         * If no patch file is found, allow the device to operate without
+         * a patch.
+         */
+        fw = btusb_setup_intel_get_fw(hdev, ver);
+        if (!fw) {
+                kfree_skb(skb);
+                return 0;
+        }
+        fw_ptr = fw->data;
+        /* This Intel specific command enables the manufacturer mode of the
+         * controller.
+         *
+         * Only while this mode is enabled, the driver can download the
+         * firmware patch data and configuration parameters.
+         */
+        skb = __hci_cmd_sync(hdev, 0xfc11, 2, mfg_enable, HCI_INIT_TIMEOUT);
+        if (IS_ERR(skb)) {
+                BT_ERR("%s entering Intel manufacturer mode failed (%ld)",
+                       hdev->name, PTR_ERR(skb));
+                release_firmware(fw);
+                return -PTR_ERR(skb);
+        }
+        if (skb->data[0]) {
+                u8 evt_status = skb->data[0];
+                BT_ERR("%s enable Intel manufacturer mode event failed (%02x)",
+                       hdev->name, evt_status);
+                kfree_skb(skb);
+                release_firmware(fw);
+                return -bt_to_errno(evt_status);
+        }
+        kfree_skb(skb);
+        disable_patch = 1;
+        /* The firmware data file consists of list of Intel specific HCI
+         * commands and its expected events. The first byte indicates the
+         * type of the message, either HCI command or HCI event.
+         *
+         * It reads the command and its expected event from the firmware file,
+         * and send to the controller. Once __hci_cmd_sync_ev() returns,
+         * the returned event is compared with the event read from the firmware
+         * file and it will continue until all the messages are downloaded to
+         * the controller.
+         *
+         * Once the firmware patching is completed successfully,
+         * the manufacturer mode is disabled with reset and activating the
+         * downloaded patch.
+         *
+         * If the firmware patching fails, the manufacturer mode is
+         * disabled with reset and deactivating the patch.
+         *
+         * If the default patch file is used, no reset is done when disabling
+         * the manufacturer.
+         */
+        while (fw->size > fw_ptr - fw->data) {
+                int ret;
+                ret = btusb_setup_intel_patching(hdev, fw, &fw_ptr,
+                                                 &disable_patch);
+                if (ret < 0)
+                        goto exit_mfg_deactivate;
+        }
+        release_firmware(fw);
+        if (disable_patch)
+                goto exit_mfg_disable;
+        /* Patching completed successfully and disable the manufacturer mode
+         * with reset and activate the downloaded firmware patches.
+         */
+        skb = __hci_cmd_sync(hdev, 0xfc11, sizeof(mfg_reset_activate),
+                             mfg_reset_activate, HCI_INIT_TIMEOUT);
+        if (IS_ERR(skb)) {
+                BT_ERR("%s exiting Intel manufacturer mode failed (%ld)",
+                       hdev->name, PTR_ERR(skb));
+                return -PTR_ERR(skb);
+        }
+        kfree_skb(skb);
+        BT_INFO("%s: Intel Bluetooth firmware patch completed and activated",
+                hdev->name);
+        return 0;
+exit_mfg_disable:
+        /* Disable the manufacturer mode without reset */
+        skb = __hci_cmd_sync(hdev, 0xfc11, sizeof(mfg_disable), mfg_disable,
+                             HCI_INIT_TIMEOUT);
+        if (IS_ERR(skb)) {
+                BT_ERR("%s exiting Intel manufacturer mode failed (%ld)",
+                       hdev->name, PTR_ERR(skb));
+                return -PTR_ERR(skb);
+        }
+        kfree_skb(skb);
+        BT_INFO("%s: Intel Bluetooth firmware patch completed", hdev->name);
+        return 0;
+exit_mfg_deactivate:
+        release_firmware(fw);
+        /* Patching failed. Disable the manufacturer mode with reset and
+         * deactivate the downloaded firmware patches.
+         */
+        skb = __hci_cmd_sync(hdev, 0xfc11, sizeof(mfg_reset_deactivate),
+                             mfg_reset_deactivate, HCI_INIT_TIMEOUT);
+        if (IS_ERR(skb)) {
+                BT_ERR("%s exiting Intel manufacturer mode failed (%ld)",
+                       hdev->name, PTR_ERR(skb));
+                return -PTR_ERR(skb);
+        }
+        kfree_skb(skb);
+        BT_INFO("%s: Intel Bluetooth firmware patch completed and deactivated",
+                hdev->name);
+        return 0;
+}
 static int btusb_probe(struct usb_interface *intf,
                                const struct usb_device_id *id)
 {
@@ -1048,6 +1422,9 @@ static int btusb_probe(struct usb_interface *intf,
        if (id->driver_info & BTUSB_BCM92035)
                hdev->setup = btusb_setup_bcm92035;
+        if (id->driver_info & BTUSB_INTEL)
+                hdev->setup = btusb_setup_intel;
        /* Interface numbers are hardcoded in the specification */
        data->isoc = usb_ifnum_to_if(data->udev, 1);

diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c index 3d684d20b584..7a7e5f8ecadc 100644 --- a/drivers/bluetooth/btusb.c +++ b/drivers/bluetooth/btusb.c
@@ -23,6 +23,7 @@
23		23
24	#include <linux/module.h>	24	#include <linux/module.h>
25	#include <linux/usb.h>	25	#include <linux/usb.h>
		26	#include <linux/firmware.h>
26		27
27	#include <net/bluetooth/bluetooth.h>	28	#include <net/bluetooth/bluetooth.h>
28	#include <net/bluetooth/hci_core.h>	29	#include <net/bluetooth/hci_core.h>
@@ -47,6 +48,7 @@ static struct usb_driver btusb_driver;
47	#define BTUSB_BROKEN_ISOC 0x20	48	#define BTUSB_BROKEN_ISOC 0x20
48	#define BTUSB_WRONG_SCO_MTU 0x40	49	#define BTUSB_WRONG_SCO_MTU 0x40
49	#define BTUSB_ATH3012 0x80	50	#define BTUSB_ATH3012 0x80
		51	#define BTUSB_INTEL 0x100
50		52
51	static struct usb_device_id btusb_table[] = {	53	static struct usb_device_id btusb_table[] = {
52	/* Generic Bluetooth USB device */	54	/* Generic Bluetooth USB device */
@@ -207,6 +209,9 @@ static struct usb_device_id blacklist_table[] = {
207	/* Frontline ComProbe Bluetooth Sniffer */	209	/* Frontline ComProbe Bluetooth Sniffer */
208	{ USB_DEVICE(0x16d3, 0x0002), .driver_info = BTUSB_SNIFFER },	210	{ USB_DEVICE(0x16d3, 0x0002), .driver_info = BTUSB_SNIFFER },
209		211
		212	/* Intel Bluetooth device */
		213	{ USB_DEVICE(0x8087, 0x07dc), .driver_info = BTUSB_INTEL },
		214
210	{ } /* Terminating entry */	215	{ } /* Terminating entry */
211	};	216	};
212		217
@@ -943,6 +948,375 @@ static int btusb_setup_bcm92035(struct hci_dev *hdev)
943	return 0;	948	return 0;
944	}	949	}
945		950
		951	struct intel_version {
		952	u8 status;
		953	u8 hw_platform;
		954	u8 hw_variant;
		955	u8 hw_revision;
		956	u8 fw_variant;
		957	u8 fw_revision;
		958	u8 fw_build_num;
		959	u8 fw_build_ww;
		960	u8 fw_build_yy;
		961	u8 fw_patch_num;
		962	} __packed;
		963
		964	static const struct firmware btusb_setup_intel_get_fw(struct hci_dev hdev,
		965	struct intel_version *ver)
		966	{
		967	const struct firmware *fw;
		968	char fwname[64];
		969	int ret;
		970
		971	snprintf(fwname, sizeof(fwname),
		972	"intel/ibt-hw-%x.%x.%x-fw-%x.%x.%x.%x.%x.bseq",
		973	ver->hw_platform, ver->hw_variant, ver->hw_revision,
		974	ver->fw_variant, ver->fw_revision, ver->fw_build_num,
		975	ver->fw_build_ww, ver->fw_build_yy);
		976
		977	ret = request_firmware(&fw, fwname, &hdev->dev);
		978	if (ret < 0) {
		979	if (ret == -EINVAL) {
		980	BT_ERR("%s Intel firmware file request failed (%d)",
		981	hdev->name, ret);
		982	return NULL;
		983	}
		984
		985	BT_ERR("%s failed to open Intel firmware file: %s(%d)",
		986	hdev->name, fwname, ret);
		987
		988	/* If the correct firmware patch file is not found, use the
		989	* default firmware patch file instead
		990	*/
		991	snprintf(fwname, sizeof(fwname), "intel/ibt-hw-%x.%x.bseq",
		992	ver->hw_platform, ver->hw_variant);
		993	if (request_firmware(&fw, fwname, &hdev->dev) < 0) {
		994	BT_ERR("%s failed to open default Intel fw file: %s",
		995	hdev->name, fwname);
		996	return NULL;
		997	}
		998	}
		999
		1000	BT_INFO("%s: Intel Bluetooth firmware file: %s", hdev->name, fwname);
		1001
		1002	return fw;
		1003	}
		1004
		1005	static int btusb_setup_intel_patching(struct hci_dev *hdev,
		1006	const struct firmware *fw,
		1007	const u8 *fw_ptr, int disable_patch)
		1008	{
		1009	struct sk_buff *skb;
		1010	struct hci_command_hdr *cmd;
		1011	const u8 *cmd_param;
		1012	struct hci_event_hdr *evt = NULL;
		1013	const u8 *evt_param = NULL;
		1014	int remain = fw->size - (*fw_ptr - fw->data);
		1015
		1016	/* The first byte indicates the types of the patch command or event.
		1017	* 0x01 means HCI command and 0x02 is HCI event. If the first bytes
		1018	* in the current firmware buffer doesn't start with 0x01 or
		1019	* the size of remain buffer is smaller than HCI command header,
		1020	* the firmware file is corrupted and it should stop the patching
		1021	* process.
		1022	*/
		1023	if (remain > HCI_COMMAND_HDR_SIZE && *fw_ptr[0] != 0x01) {
		1024	BT_ERR("%s Intel fw corrupted: invalid cmd read", hdev->name);
		1025	return -EINVAL;
		1026	}
		1027	(*fw_ptr)++;
		1028	remain--;
		1029
		1030	cmd = (struct hci_command_hdr )(fw_ptr);
		1031	fw_ptr += sizeof(cmd);
		1032	remain -= sizeof(*cmd);
		1033
		1034	/* Ensure that the remain firmware data is long enough than the length
		1035	* of command parameter. If not, the firmware file is corrupted.
		1036	*/
		1037	if (remain < cmd->plen) {
		1038	BT_ERR("%s Intel fw corrupted: invalid cmd len", hdev->name);
		1039	return -EFAULT;
		1040	}
		1041
		1042	/* If there is a command that loads a patch in the firmware
		1043	* file, then enable the patch upon success, otherwise just
		1044	* disable the manufacturer mode, for example patch activation
		1045	* is not required when the default firmware patch file is used
		1046	* because there are no patch data to load.
		1047	*/
		1048	if (*disable_patch && le16_to_cpu(cmd->opcode) == 0xfc8e)
		1049	*disable_patch = 0;
		1050
		1051	cmd_param = *fw_ptr;
		1052	*fw_ptr += cmd->plen;
		1053	remain -= cmd->plen;
		1054
		1055	/* This reads the expected events when the above command is sent to the
		1056	* device. Some vendor commands expects more than one events, for
		1057	* example command status event followed by vendor specific event.
		1058	* For this case, it only keeps the last expected event. so the command
		1059	* can be sent with __hci_cmd_sync_ev() which returns the sk_buff of
		1060	* last expected event.
		1061	*/
		1062	while (remain > HCI_EVENT_HDR_SIZE && *fw_ptr[0] == 0x02) {
		1063	(*fw_ptr)++;
		1064	remain--;
		1065
		1066	evt = (struct hci_event_hdr )(fw_ptr);
		1067	fw_ptr += sizeof(evt);
		1068	remain -= sizeof(*evt);
		1069
		1070	if (remain < evt->plen) {
		1071	BT_ERR("%s Intel fw corrupted: invalid evt len",
		1072	hdev->name);
		1073	return -EFAULT;
		1074	}
		1075
		1076	evt_param = *fw_ptr;
		1077	*fw_ptr += evt->plen;
		1078	remain -= evt->plen;
		1079	}
		1080
		1081	/* Every HCI commands in the firmware file has its correspond event.
		1082	* If event is not found or remain is smaller than zero, the firmware
		1083	* file is corrupted.
		1084	*/
		1085	if (!evt \|\| !evt_param \|\| remain < 0) {
		1086	BT_ERR("%s Intel fw corrupted: invalid evt read", hdev->name);
		1087	return -EFAULT;
		1088	}
		1089
		1090	skb = __hci_cmd_sync_ev(hdev, le16_to_cpu(cmd->opcode), cmd->plen,
		1091	cmd_param, evt->evt, HCI_INIT_TIMEOUT);
		1092	if (IS_ERR(skb)) {
		1093	BT_ERR("%s sending Intel patch command (0x%4.4x) failed (%ld)",
		1094	hdev->name, cmd->opcode, PTR_ERR(skb));
		1095	return -PTR_ERR(skb);
		1096	}
		1097
		1098	/* It ensures that the returned event matches the event data read from
		1099	* the firmware file. At fist, it checks the length and then
		1100	* the contents of the event.
		1101	*/
		1102	if (skb->len != evt->plen) {
		1103	BT_ERR("%s mismatch event length (opcode 0x%4.4x)", hdev->name,
		1104	le16_to_cpu(cmd->opcode));
		1105	kfree_skb(skb);
		1106	return -EFAULT;
		1107	}
		1108
		1109	if (memcmp(skb->data, evt_param, evt->plen)) {
		1110	BT_ERR("%s mismatch event parameter (opcode 0x%4.4x)",
		1111	hdev->name, le16_to_cpu(cmd->opcode));
		1112	kfree_skb(skb);
		1113	return -EFAULT;
		1114	}
		1115	kfree_skb(skb);
		1116
		1117	return 0;
		1118	}
		1119
		1120	static int btusb_setup_intel(struct hci_dev *hdev)
		1121	{
		1122	struct sk_buff *skb;
		1123	const struct firmware *fw;
		1124	const u8 *fw_ptr;
		1125	int disable_patch;
		1126	struct intel_version *ver;
		1127
		1128	const u8 mfg_enable[] = { 0x01, 0x00 };
		1129	const u8 mfg_disable[] = { 0x00, 0x00 };
		1130	const u8 mfg_reset_deactivate[] = { 0x00, 0x01 };
		1131	const u8 mfg_reset_activate[] = { 0x00, 0x02 };
		1132
		1133	BT_DBG("%s", hdev->name);
		1134
		1135	/* The controller has a bug with the first HCI command sent to it
		1136	* returning number of completed commands as zero. This would stall the
		1137	* command processing in the Bluetooth core.
		1138	*
		1139	* As a workaround, send HCI Reset command first which will reset the
		1140	* number of completed commands and allow normal command processing
		1141	* from now on.
		1142	*/
		1143	skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
		1144	if (IS_ERR(skb)) {
		1145	BT_ERR("%s sending initial HCI reset command failed (%ld)",
		1146	hdev->name, PTR_ERR(skb));
		1147	return -PTR_ERR(skb);
		1148	}
		1149	kfree_skb(skb);
		1150
		1151	/* Read Intel specific controller version first to allow selection of
		1152	* which firmware file to load.
		1153	*
		1154	* The returned information are hardware variant and revision plus
		1155	* firmware variant, revision and build number.
		1156	*/
		1157	skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_INIT_TIMEOUT);
		1158	if (IS_ERR(skb)) {
		1159	BT_ERR("%s reading Intel fw version command failed (%ld)",
		1160	hdev->name, PTR_ERR(skb));
		1161	return -PTR_ERR(skb);
		1162	}
		1163
		1164	if (skb->len != sizeof(*ver)) {
		1165	BT_ERR("%s Intel version event length mismatch", hdev->name);
		1166	kfree_skb(skb);
		1167	return -EIO;
		1168	}
		1169
		1170	ver = (struct intel_version *)skb->data;
		1171	if (ver->status) {
		1172	BT_ERR("%s Intel fw version event failed (%02x)", hdev->name,
		1173	ver->status);
		1174	kfree_skb(skb);
		1175	return -bt_to_errno(ver->status);
		1176	}
		1177
		1178	BT_INFO("%s: read Intel version: %02x%02x%02x%02x%02x%02x%02x%02x%02x",
		1179	hdev->name, ver->hw_platform, ver->hw_variant,
		1180	ver->hw_revision, ver->fw_variant, ver->fw_revision,
		1181	ver->fw_build_num, ver->fw_build_ww, ver->fw_build_yy,
		1182	ver->fw_patch_num);
		1183
		1184	/* fw_patch_num indicates the version of patch the device currently
		1185	* have. If there is no patch data in the device, it is always 0x00.
		1186	* So, if it is other than 0x00, no need to patch the deivce again.
		1187	*/
		1188	if (ver->fw_patch_num) {
		1189	BT_INFO("%s: Intel device is already patched. patch num: %02x",
		1190	hdev->name, ver->fw_patch_num);
		1191	kfree_skb(skb);
		1192	return 0;
		1193	}
		1194
		1195	/* Opens the firmware patch file based on the firmware version read
		1196	* from the controller. If it fails to open the matching firmware
		1197	* patch file, it tries to open the default firmware patch file.
		1198	* If no patch file is found, allow the device to operate without
		1199	* a patch.
		1200	*/
		1201	fw = btusb_setup_intel_get_fw(hdev, ver);
		1202	if (!fw) {
		1203	kfree_skb(skb);
		1204	return 0;
		1205	}
		1206	fw_ptr = fw->data;
		1207
		1208	/* This Intel specific command enables the manufacturer mode of the
		1209	* controller.
		1210	*
		1211	* Only while this mode is enabled, the driver can download the
		1212	* firmware patch data and configuration parameters.
		1213	*/
		1214	skb = __hci_cmd_sync(hdev, 0xfc11, 2, mfg_enable, HCI_INIT_TIMEOUT);
		1215	if (IS_ERR(skb)) {
		1216	BT_ERR("%s entering Intel manufacturer mode failed (%ld)",
		1217	hdev->name, PTR_ERR(skb));
		1218	release_firmware(fw);
		1219	return -PTR_ERR(skb);
		1220	}
		1221
		1222	if (skb->data[0]) {
		1223	u8 evt_status = skb->data[0];
		1224	BT_ERR("%s enable Intel manufacturer mode event failed (%02x)",
		1225	hdev->name, evt_status);
		1226	kfree_skb(skb);
		1227	release_firmware(fw);
		1228	return -bt_to_errno(evt_status);
		1229	}
		1230	kfree_skb(skb);
		1231
		1232	disable_patch = 1;
		1233
		1234	/* The firmware data file consists of list of Intel specific HCI
		1235	* commands and its expected events. The first byte indicates the
		1236	* type of the message, either HCI command or HCI event.
		1237	*
		1238	* It reads the command and its expected event from the firmware file,
		1239	* and send to the controller. Once __hci_cmd_sync_ev() returns,
		1240	* the returned event is compared with the event read from the firmware
		1241	* file and it will continue until all the messages are downloaded to
		1242	* the controller.
		1243	*
		1244	* Once the firmware patching is completed successfully,
		1245	* the manufacturer mode is disabled with reset and activating the
		1246	* downloaded patch.
		1247	*
		1248	* If the firmware patching fails, the manufacturer mode is
		1249	* disabled with reset and deactivating the patch.
		1250	*
		1251	* If the default patch file is used, no reset is done when disabling
		1252	* the manufacturer.
		1253	*/
		1254	while (fw->size > fw_ptr - fw->data) {
		1255	int ret;
		1256
		1257	ret = btusb_setup_intel_patching(hdev, fw, &fw_ptr,
		1258	&disable_patch);
		1259	if (ret < 0)
		1260	goto exit_mfg_deactivate;
		1261	}
		1262
		1263	release_firmware(fw);
		1264
		1265	if (disable_patch)
		1266	goto exit_mfg_disable;
		1267
		1268	/* Patching completed successfully and disable the manufacturer mode
		1269	* with reset and activate the downloaded firmware patches.
		1270	*/
		1271	skb = __hci_cmd_sync(hdev, 0xfc11, sizeof(mfg_reset_activate),
		1272	mfg_reset_activate, HCI_INIT_TIMEOUT);
		1273	if (IS_ERR(skb)) {
		1274	BT_ERR("%s exiting Intel manufacturer mode failed (%ld)",
		1275	hdev->name, PTR_ERR(skb));
		1276	return -PTR_ERR(skb);
		1277	}
		1278	kfree_skb(skb);
		1279
		1280	BT_INFO("%s: Intel Bluetooth firmware patch completed and activated",
		1281	hdev->name);
		1282
		1283	return 0;
		1284
		1285	exit_mfg_disable:
		1286	/* Disable the manufacturer mode without reset */
		1287	skb = __hci_cmd_sync(hdev, 0xfc11, sizeof(mfg_disable), mfg_disable,
		1288	HCI_INIT_TIMEOUT);
		1289	if (IS_ERR(skb)) {
		1290	BT_ERR("%s exiting Intel manufacturer mode failed (%ld)",
		1291	hdev->name, PTR_ERR(skb));
		1292	return -PTR_ERR(skb);
		1293	}
		1294	kfree_skb(skb);
		1295
		1296	BT_INFO("%s: Intel Bluetooth firmware patch completed", hdev->name);
		1297	return 0;
		1298
		1299	exit_mfg_deactivate:
		1300	release_firmware(fw);
		1301
		1302	/* Patching failed. Disable the manufacturer mode with reset and
		1303	* deactivate the downloaded firmware patches.
		1304	*/
		1305	skb = __hci_cmd_sync(hdev, 0xfc11, sizeof(mfg_reset_deactivate),
		1306	mfg_reset_deactivate, HCI_INIT_TIMEOUT);
		1307	if (IS_ERR(skb)) {
		1308	BT_ERR("%s exiting Intel manufacturer mode failed (%ld)",
		1309	hdev->name, PTR_ERR(skb));
		1310	return -PTR_ERR(skb);
		1311	}
		1312	kfree_skb(skb);
		1313
		1314	BT_INFO("%s: Intel Bluetooth firmware patch completed and deactivated",
		1315	hdev->name);
		1316
		1317	return 0;
		1318	}
		1319
946	static int btusb_probe(struct usb_interface *intf,	1320	static int btusb_probe(struct usb_interface *intf,
947	const struct usb_device_id *id)	1321	const struct usb_device_id *id)
948	{	1322	{
@@ -1048,6 +1422,9 @@ static int btusb_probe(struct usb_interface *intf,
1048	if (id->driver_info & BTUSB_BCM92035)	1422	if (id->driver_info & BTUSB_BCM92035)
1049	hdev->setup = btusb_setup_bcm92035;	1423	hdev->setup = btusb_setup_bcm92035;
1050		1424
		1425	if (id->driver_info & BTUSB_INTEL)
		1426	hdev->setup = btusb_setup_intel;
		1427
1051	/* Interface numbers are hardcoded in the specification */	1428	/* Interface numbers are hardcoded in the specification */
1052	data->isoc = usb_ifnum_to_if(data->udev, 1);	1429	data->isoc = usb_ifnum_to_if(data->udev, 1);
1053		1430