Merge branch 'for-upstream' of...

	{ USB_DEVICE(0x13d3, 0x3393) },

	{ USB_DEVICE(0x13d3, 0x3402) },

	{ USB_DEVICE(0x13d3, 0x3408) },

	{ USB_DEVICE(0x13d3, 0x3423) },

	{ USB_DEVICE(0x13d3, 0x3432) },

	/* Atheros AR5BBU12 with sflash firmware */

	{ USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 },

	{ USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },

	{ USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },

	{ USB_DEVICE(0x13d3, 0x3423), .driver_info = BTUSB_ATH3012 },

	{ USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },

	/* Atheros AR5BBU22 with sflash firmware */

#define USB_REQ_DFU_DNLOAD	1

#define BULK_SIZE		4096

#define FW_HDR_SIZE		20

#define TIMEGAP_USEC_MIN	50

#define TIMEGAP_USEC_MAX	100

static int ath3k_load_firmware(struct usb_device *udev,

				const struct firmware *firmware)

	pipe = usb_sndbulkpipe(udev, 0x02);

	while (count) {

		/* workaround the compatibility issue with xHCI controller*/

		usleep_range(TIMEGAP_USEC_MIN, TIMEGAP_USEC_MAX);

		size = min_t(uint, count, BULK_SIZE);

		memcpy(send_buf, firmware->data + sent, size);

	pipe = usb_sndbulkpipe(udev, 0x02);

	while (count) {

		/* workaround the compatibility issue with xHCI controller*/

		usleep_range(TIMEGAP_USEC_MIN, TIMEGAP_USEC_MAX);

		size = min_t(uint, count, BULK_SIZE);

		memcpy(send_buf, firmware->data + sent, size);

#include <net/bluetooth/bluetooth.h>

#include <net/bluetooth/hci_core.h>

#define VERSION "0.6"

#define VERSION "0.7"

static bool disable_scofix;

static bool force_scofix;

#define BTUSB_BCM_PATCHRAM	0x400

#define BTUSB_MARVELL		0x800

#define BTUSB_SWAVE		0x1000

#define BTUSB_INTEL_NEW		0x2000

#define BTUSB_AMP		0x4000

static const struct usb_device_id btusb_table[] = {

	/* Generic Bluetooth USB device */

	{ USB_DEVICE_INFO(0xe0, 0x01, 0x01) },

	/* Generic Bluetooth AMP device */

	{ USB_DEVICE_INFO(0xe0, 0x01, 0x04), .driver_info = BTUSB_AMP },

	/* Apple-specific (Broadcom) devices */

	{ USB_VENDOR_AND_INTERFACE_INFO(0x05ac, 0xff, 0x01, 0x01) },

	{ USB_DEVICE(0x13d3, 0x3404),

	  .driver_info = BTUSB_BCM_PATCHRAM },

	/* Broadcom BCM20702B0 (Dynex/Insignia) */

	{ USB_DEVICE(0x19ff, 0x0239), .driver_info = BTUSB_BCM_PATCHRAM },

	/* Foxconn - Hon Hai */

	{ USB_VENDOR_AND_INTERFACE_INFO(0x0489, 0xff, 0x01, 0x01),

	  .driver_info = BTUSB_BCM_PATCHRAM },

	/* Lite-On Technology - Broadcom based */

	{ USB_VENDOR_AND_INTERFACE_INFO(0x04ca, 0xff, 0x01, 0x01),

	  .driver_info = BTUSB_BCM_PATCHRAM },

	/* Broadcom devices with vendor specific id */

	{ USB_VENDOR_AND_INTERFACE_INFO(0x0a5c, 0xff, 0x01, 0x01),

	  .driver_info = BTUSB_BCM_PATCHRAM },

	/* ASUSTek Computer - Broadcom based */

	{ USB_VENDOR_AND_INTERFACE_INFO(0x0b05, 0xff, 0x01, 0x01) },

	{ USB_VENDOR_AND_INTERFACE_INFO(0x0b05, 0xff, 0x01, 0x01),

	  .driver_info = BTUSB_BCM_PATCHRAM },

	/* Belkin F8065bf - Broadcom based */

	{ USB_VENDOR_AND_INTERFACE_INFO(0x050d, 0xff, 0x01, 0x01) },

	{ USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 },

	{ USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },

	{ USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },

	{ USB_DEVICE(0x13d3, 0x3423), .driver_info = BTUSB_ATH3012 },

	{ USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },

	/* Atheros AR5BBU12 with sflash firmware */

	{ USB_DEVICE(0x16d3, 0x0002),

	  .driver_info = BTUSB_SNIFFER | BTUSB_BROKEN_ISOC },

	/* Intel Bluetooth device */

	/* Marvell Bluetooth devices */

	{ USB_DEVICE(0x1286, 0x2044), .driver_info = BTUSB_MARVELL },

	{ USB_DEVICE(0x1286, 0x2046), .driver_info = BTUSB_MARVELL },

	/* Intel Bluetooth devices */

	{ USB_DEVICE(0x8087, 0x07dc), .driver_info = BTUSB_INTEL },

	{ USB_DEVICE(0x8087, 0x0a2a), .driver_info = BTUSB_INTEL },

	{ USB_DEVICE(0x8087, 0x0a2b), .driver_info = BTUSB_INTEL_NEW },

	/* Marvell device */

	{ USB_DEVICE(0x1286, 0x2044), .driver_info = BTUSB_MARVELL },

	{ USB_DEVICE(0x1286, 0x2046), .driver_info = BTUSB_MARVELL },

	/* Other Intel Bluetooth devices */

	{ USB_VENDOR_AND_INTERFACE_INFO(0x8087, 0xe0, 0x01, 0x01),

	  .driver_info = BTUSB_IGNORE },

	{ }	/* Terminating entry */

};

#define BTUSB_ISOC_RUNNING	2

#define BTUSB_SUSPENDING	3

#define BTUSB_DID_ISO_RESUME	4

#define BTUSB_BOOTLOADER	5

#define BTUSB_DOWNLOADING	6

#define BTUSB_FIRMWARE_LOADED	7

#define BTUSB_FIRMWARE_FAILED	8

#define BTUSB_BOOTING		9

struct btusb_data {

	struct hci_dev       *hdev;

	struct usb_endpoint_descriptor *isoc_rx_ep;

	__u8 cmdreq_type;

	__u8 cmdreq;

	unsigned int sco_num;

	int isoc_altsetting;

	int (*recv_bulk)(struct btusb_data *data, void *buffer, int count);

};

static int btusb_wait_on_bit_timeout(void *word, int bit, unsigned long timeout,

				     unsigned mode)

{

	might_sleep();

	if (!test_bit(bit, word))

		return 0;

	return out_of_line_wait_on_bit_timeout(word, bit, bit_wait_timeout,

					       mode, timeout);

}

static inline void btusb_free_frags(struct btusb_data *data)

{

	unsigned long flags;

	}

	dr->bRequestType = data->cmdreq_type;

	dr->bRequest     = 0;

	dr->bRequest     = data->cmdreq;

	dr->wIndex       = 0;

	dr->wValue       = 0;

	dr->wLength      = __cpu_to_le16(skb->len);

	u8 fw_patch_num;

} __packed;

struct intel_boot_params {

	__u8     status;

	__u8     otp_format;

	__u8     otp_content;

	__u8     otp_patch;

	__le16   dev_revid;

	__u8     secure_boot;

	__u8     key_from_hdr;

	__u8     key_type;

	__u8     otp_lock;

	__u8     api_lock;

	__u8     debug_lock;

	bdaddr_t otp_bdaddr;

	__u8     min_fw_build_nn;

	__u8     min_fw_build_cw;

	__u8     min_fw_build_yy;

	__u8     limited_cce;

	__u8     unlocked_state;

} __packed;

static const struct firmware *btusb_setup_intel_get_fw(struct hci_dev *hdev,

						       struct intel_version *ver)

{

	return 0;

}

static int inject_cmd_complete(struct hci_dev *hdev, __u16 opcode)

{

	struct sk_buff *skb;

	struct hci_event_hdr *hdr;

	struct hci_ev_cmd_complete *evt;

	skb = bt_skb_alloc(sizeof(*hdr) + sizeof(*evt) + 1, GFP_ATOMIC);

	if (!skb)

		return -ENOMEM;

	hdr = (struct hci_event_hdr *)skb_put(skb, sizeof(*hdr));

	hdr->evt = HCI_EV_CMD_COMPLETE;

	hdr->plen = sizeof(*evt) + 1;

	evt = (struct hci_ev_cmd_complete *)skb_put(skb, sizeof(*evt));

	evt->ncmd = 0x01;

	evt->opcode = cpu_to_le16(opcode);

	*skb_put(skb, 1) = 0x00;

	bt_cb(skb)->pkt_type = HCI_EVENT_PKT;

	return hci_recv_frame(hdev, skb);

}

static int btusb_recv_bulk_intel(struct btusb_data *data, void *buffer,

				 int count)

{

	/* When the device is in bootloader mode, then it can send

	 * events via the bulk endpoint. These events are treated the

	 * same way as the ones received from the interrupt endpoint.

	 */

	if (test_bit(BTUSB_BOOTLOADER, &data->flags))

		return btusb_recv_intr(data, buffer, count);

	return btusb_recv_bulk(data, buffer, count);

}

static int btusb_recv_event_intel(struct hci_dev *hdev, struct sk_buff *skb)

{

	struct btusb_data *data = hci_get_drvdata(hdev);

	if (test_bit(BTUSB_BOOTLOADER, &data->flags)) {

		struct hci_event_hdr *hdr = (void *)skb->data;

		/* When the firmware loading completes the device sends

		 * out a vendor specific event indicating the result of

		 * the firmware loading.

		 */

		if (skb->len == 7 && hdr->evt == 0xff && hdr->plen == 0x05 &&

		    skb->data[2] == 0x06) {

			if (skb->data[3] != 0x00)

				test_bit(BTUSB_FIRMWARE_FAILED, &data->flags);

			if (test_and_clear_bit(BTUSB_DOWNLOADING,

					       &data->flags) &&

			    test_bit(BTUSB_FIRMWARE_LOADED, &data->flags)) {

				smp_mb__after_atomic();

				wake_up_bit(&data->flags, BTUSB_DOWNLOADING);

			}

		}

		/* When switching to the operational firmware the device

		 * sends a vendor specific event indicating that the bootup

		 * completed.

		 */

		if (skb->len == 9 && hdr->evt == 0xff && hdr->plen == 0x07 &&

		    skb->data[2] == 0x02) {

			if (test_and_clear_bit(BTUSB_BOOTING, &data->flags)) {

				smp_mb__after_atomic();

				wake_up_bit(&data->flags, BTUSB_BOOTING);

			}

		}

	}

	return hci_recv_frame(hdev, skb);

}

static int btusb_send_frame_intel(struct hci_dev *hdev, struct sk_buff *skb)

{

	struct btusb_data *data = hci_get_drvdata(hdev);

	struct urb *urb;

	BT_DBG("%s", hdev->name);

	if (!test_bit(HCI_RUNNING, &hdev->flags))

		return -EBUSY;

	switch (bt_cb(skb)->pkt_type) {

	case HCI_COMMAND_PKT:

		if (test_bit(BTUSB_BOOTLOADER, &data->flags)) {

			struct hci_command_hdr *cmd = (void *)skb->data;

			__u16 opcode = le16_to_cpu(cmd->opcode);

			/* When in bootloader mode and the command 0xfc09

			 * is received, it needs to be send down the

			 * bulk endpoint. So allocate a bulk URB instead.

			 */

			if (opcode == 0xfc09)

				urb = alloc_bulk_urb(hdev, skb);

			else

				urb = alloc_ctrl_urb(hdev, skb);

			/* When the 0xfc01 command is issued to boot into

			 * the operational firmware, it will actually not

			 * send a command complete event. To keep the flow

			 * control working inject that event here.

			 */

			if (opcode == 0xfc01)

				inject_cmd_complete(hdev, opcode);

		} else {

			urb = alloc_ctrl_urb(hdev, skb);

		}

		if (IS_ERR(urb))

			return PTR_ERR(urb);

		hdev->stat.cmd_tx++;

		return submit_or_queue_tx_urb(hdev, urb);

	case HCI_ACLDATA_PKT:

		urb = alloc_bulk_urb(hdev, skb);

		if (IS_ERR(urb))

			return PTR_ERR(urb);

		hdev->stat.acl_tx++;

		return submit_or_queue_tx_urb(hdev, urb);

	case HCI_SCODATA_PKT:

		if (hci_conn_num(hdev, SCO_LINK) < 1)

			return -ENODEV;

		urb = alloc_isoc_urb(hdev, skb);

		if (IS_ERR(urb))

			return PTR_ERR(urb);

		hdev->stat.sco_tx++;

		return submit_tx_urb(hdev, urb);

	}

	return -EILSEQ;

}

static int btusb_intel_secure_send(struct hci_dev *hdev, u8 fragment_type,

				   u32 plen, const void *param)

{

	while (plen > 0) {

		struct sk_buff *skb;

		u8 cmd_param[253], fragment_len = (plen > 252) ? 252 : plen;

		cmd_param[0] = fragment_type;

		memcpy(cmd_param + 1, param, fragment_len);

		skb = __hci_cmd_sync(hdev, 0xfc09, fragment_len + 1,

				     cmd_param, HCI_INIT_TIMEOUT);

		if (IS_ERR(skb))

			return PTR_ERR(skb);

		kfree_skb(skb);

		plen -= fragment_len;

		param += fragment_len;

	}

	return 0;

}

static void btusb_intel_version_info(struct hci_dev *hdev,

				     struct intel_version *ver)

{

	const char *variant;

	switch (ver->fw_variant) {

	case 0x06:

		variant = "Bootloader";

		break;

	case 0x23:

		variant = "Firmware";

		break;

	default:

		return;

	}

	BT_INFO("%s: %s revision %u.%u build %u week %u %u", hdev->name,

		variant, ver->fw_revision >> 4, ver->fw_revision & 0x0f,

		ver->fw_build_num, ver->fw_build_ww, 2000 + ver->fw_build_yy);

}

static int btusb_setup_intel_new(struct hci_dev *hdev)

{

	static const u8 reset_param[] = { 0x00, 0x01, 0x00, 0x01,

					  0x00, 0x08, 0x04, 0x00 };

	struct btusb_data *data = hci_get_drvdata(hdev);

	struct sk_buff *skb;

	struct intel_version *ver;

	struct intel_boot_params *params;

	const struct firmware *fw;

	const u8 *fw_ptr;

	char fwname[64];

	ktime_t calltime, delta, rettime;

	unsigned long long duration;

	int err;

	BT_DBG("%s", hdev->name);

	calltime = ktime_get();

	/* Read the Intel version information to determine if the device

	 * is in bootloader mode or if it already has operational firmware

	 * loaded.

	 */

	skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_INIT_TIMEOUT);

	if (IS_ERR(skb)) {

		BT_ERR("%s: Reading Intel version information failed (%ld)",

		       hdev->name, PTR_ERR(skb));

		return PTR_ERR(skb);

	}

	if (skb->len != sizeof(*ver)) {

		BT_ERR("%s: Intel version event size mismatch", hdev->name);

		kfree_skb(skb);

		return -EILSEQ;

	}

	ver = (struct intel_version *)skb->data;

	if (ver->status) {

		BT_ERR("%s: Intel version command failure (%02x)",

		       hdev->name, ver->status);

		err = -bt_to_errno(ver->status);

		kfree_skb(skb);

		return err;

	}

	/* The hardware platform number has a fixed value of 0x37 and

	 * for now only accept this single value.

	 */

	if (ver->hw_platform != 0x37) {

		BT_ERR("%s: Unsupported Intel hardware platform (%u)",

		       hdev->name, ver->hw_platform);

		kfree_skb(skb);

		return -EINVAL;

	}

	/* At the moment only the hardware variant iBT 3.0 (LnP/SfP) is

	 * supported by this firmware loading method. This check has been

	 * put in place to ensure correct forward compatibility options

	 * when newer hardware variants come along.

	 */

	if (ver->hw_variant != 0x0b) {

		BT_ERR("%s: Unsupported Intel hardware variant (%u)",

		       hdev->name, ver->hw_variant);

		kfree_skb(skb);

		return -EINVAL;

	}

	btusb_intel_version_info(hdev, ver);

	/* The firmware variant determines if the device is in bootloader

	 * mode or is running operational firmware. The value 0x06 identifies

	 * the bootloader and the value 0x23 identifies the operational

	 * firmware.

	 *

	 * When the operational firmware is already present, then only

	 * the check for valid Bluetooth device address is needed. This

	 * determines if the device will be added as configured or

	 * unconfigured controller.

	 *

	 * It is not possible to use the Secure Boot Parameters in this

	 * case since that command is only available in bootloader mode.

	 */

	if (ver->fw_variant == 0x23) {

		kfree_skb(skb);

		clear_bit(BTUSB_BOOTLOADER, &data->flags);

		btusb_check_bdaddr_intel(hdev);

		return 0;

	}

	/* If the device is not in bootloader mode, then the only possible

	 * choice is to return an error and abort the device initialization.

	 */

	if (ver->fw_variant != 0x06) {

		BT_ERR("%s: Unsupported Intel firmware variant (%u)",

		       hdev->name, ver->fw_variant);

		kfree_skb(skb);

		return -ENODEV;

	}

	kfree_skb(skb);

	/* Read the secure boot parameters to identify the operating

	 * details of the bootloader.

	 */

	skb = __hci_cmd_sync(hdev, 0xfc0d, 0, NULL, HCI_INIT_TIMEOUT);

	if (IS_ERR(skb)) {

		BT_ERR("%s: Reading Intel boot parameters failed (%ld)",

		       hdev->name, PTR_ERR(skb));

		return PTR_ERR(skb);

	}

	if (skb->len != sizeof(*params)) {

		BT_ERR("%s: Intel boot parameters size mismatch", hdev->name);

		kfree_skb(skb);

		return -EILSEQ;

	}

	params = (struct intel_boot_params *)skb->data;

	if (params->status) {

		BT_ERR("%s: Intel boot parameters command failure (%02x)",

		       hdev->name, params->status);

		err = -bt_to_errno(params->status);

		kfree_skb(skb);

		return err;

	}

	BT_INFO("%s: Device revision is %u", hdev->name,

		le16_to_cpu(params->dev_revid));

	BT_INFO("%s: Secure boot is %s", hdev->name,

		params->secure_boot ? "enabled" : "disabled");

	BT_INFO("%s: Minimum firmware build %u week %u %u", hdev->name,

		params->min_fw_build_nn, params->min_fw_build_cw,

		2000 + params->min_fw_build_yy);

	/* It is required that every single firmware fragment is acknowledged

	 * with a command complete event. If the boot parameters indicate

	 * that this bootloader does not send them, then abort the setup.

	 */

	if (params->limited_cce != 0x00) {

		BT_ERR("%s: Unsupported Intel firmware loading method (%u)",

		       hdev->name, params->limited_cce);

		kfree_skb(skb);

		return -EINVAL;

	}

	/* If the OTP has no valid Bluetooth device address, then there will

	 * also be no valid address for the operational firmware.

	 */

	if (!bacmp(&params->otp_bdaddr, BDADDR_ANY)) {

		BT_INFO("%s: No device address configured", hdev->name);

		set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);

	}

	/* With this Intel bootloader only the hardware variant and device

	 * revision information are used to select the right firmware.

	 *

	 * Currently this bootloader support is limited to hardware variant

	 * iBT 3.0 (LnP/SfP) which is identified by the value 11 (0x0b).

	 */

	snprintf(fwname, sizeof(fwname), "intel/ibt-11-%u.sfi",

		 le16_to_cpu(params->dev_revid));

	err = request_firmware(&fw, fwname, &hdev->dev);

	if (err < 0) {

		BT_ERR("%s: Failed to load Intel firmware file (%d)",

		       hdev->name, err);

		kfree_skb(skb);

		return err;

	}

	BT_INFO("%s: Found device firmware: %s", hdev->name, fwname);

	kfree_skb(skb);

	if (fw->size < 644) {

		BT_ERR("%s: Invalid size of firmware file (%zu)",

		       hdev->name, fw->size);

		err = -EBADF;

		goto done;

	}

	set_bit(BTUSB_DOWNLOADING, &data->flags);

	/* Start the firmware download transaction with the Init fragment

	 * represented by the 128 bytes of CSS header.

	 */

	err = btusb_intel_secure_send(hdev, 0x00, 128, fw->data);

	if (err < 0) {

		BT_ERR("%s: Failed to send firmware header (%d)",

		       hdev->name, err);

		goto done;

	}

	/* Send the 256 bytes of public key information from the firmware

	 * as the PKey fragment.

	 */

	err = btusb_intel_secure_send(hdev, 0x03, 256, fw->data + 128);

	if (err < 0) {

		BT_ERR("%s: Failed to send firmware public key (%d)",

		       hdev->name, err);

		goto done;

	}

	/* Send the 256 bytes of signature information from the firmware

	 * as the Sign fragment.

	 */

	err = btusb_intel_secure_send(hdev, 0x02, 256, fw->data + 388);

	if (err < 0) {

		BT_ERR("%s: Failed to send firmware signature (%d)",

		       hdev->name, err);

		goto done;

	}

	fw_ptr = fw->data + 644;

	while (fw_ptr - fw->data < fw->size) {

		struct hci_command_hdr *cmd = (void *)fw_ptr;

		u8 cmd_len;

		cmd_len = sizeof(*cmd) + cmd->plen;

		/* Send each command from the firmware data buffer as

		 * a single Data fragment.

		 */

		err = btusb_intel_secure_send(hdev, 0x01, cmd_len, fw_ptr);

		if (err < 0) {

			BT_ERR("%s: Failed to send firmware data (%d)",

			       hdev->name, err);

			goto done;

		}

		fw_ptr += cmd_len;

	}

	set_bit(BTUSB_FIRMWARE_LOADED, &data->flags);

	BT_INFO("%s: Waiting for firmware download to complete", hdev->name);

	/* Before switching the device into operational mode and with that

	 * booting the loaded firmware, wait for the bootloader notification

	 * that all fragments have been successfully received.

	 *

	 * When the event processing receives the notification, then the

	 * BTUSB_DOWNLOADING flag will be cleared.

	 *

	 * The firmware loading should not take longer than 5 seconds

	 * and thus just timeout if that happens and fail the setup

	 * of this device.

	 */

	err = btusb_wait_on_bit_timeout(&data->flags, BTUSB_DOWNLOADING,

					msecs_to_jiffies(5000),

					TASK_INTERRUPTIBLE);

	if (err == 1) {

		BT_ERR("%s: Firmware loading interrupted", hdev->name);

		err = -EINTR;

		goto done;

	}

	if (err) {

		BT_ERR("%s: Firmware loading timeout", hdev->name);

		err = -ETIMEDOUT;

		goto done;

	}

	if (test_bit(BTUSB_FIRMWARE_FAILED, &data->flags)) {

		BT_ERR("%s: Firmware loading failed", hdev->name);

		err = -ENOEXEC;

		goto done;

	}

	rettime = ktime_get();

	delta = ktime_sub(rettime, calltime);

	duration = (unsigned long long) ktime_to_ns(delta) >> 10;

	BT_INFO("%s: Firmware loaded in %llu usecs", hdev->name, duration);

done:

	release_firmware(fw);

	if (err < 0)

		return err;