xref: /linux/drivers/bluetooth/btintel.c (revision 4b660dbd9ee2059850fd30e0df420ca7a38a1856)
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  *
4  *  Bluetooth support for Intel devices
5  *
6  *  Copyright (C) 2015  Intel Corporation
7  */
8 
9 #include <linux/module.h>
10 #include <linux/firmware.h>
11 #include <linux/regmap.h>
12 #include <linux/acpi.h>
13 #include <acpi/acpi_bus.h>
14 #include <asm/unaligned.h>
15 
16 #include <net/bluetooth/bluetooth.h>
17 #include <net/bluetooth/hci_core.h>
18 
19 #include "btintel.h"
20 
21 #define VERSION "0.1"
22 
23 #define BDADDR_INTEL		(&(bdaddr_t){{0x00, 0x8b, 0x9e, 0x19, 0x03, 0x00}})
24 #define RSA_HEADER_LEN		644
25 #define CSS_HEADER_OFFSET	8
26 #define ECDSA_OFFSET		644
27 #define ECDSA_HEADER_LEN	320
28 
29 #define BTINTEL_PPAG_NAME   "PPAG"
30 
31 enum {
32 	DSM_SET_WDISABLE2_DELAY = 1,
33 	DSM_SET_RESET_METHOD = 3,
34 };
35 
36 /* structure to store the PPAG data read from ACPI table */
37 struct btintel_ppag {
38 	u32	domain;
39 	u32     mode;
40 	acpi_status status;
41 	struct hci_dev *hdev;
42 };
43 
44 #define CMD_WRITE_BOOT_PARAMS	0xfc0e
45 struct cmd_write_boot_params {
46 	__le32 boot_addr;
47 	u8  fw_build_num;
48 	u8  fw_build_ww;
49 	u8  fw_build_yy;
50 } __packed;
51 
52 static struct {
53 	const char *driver_name;
54 	u8         hw_variant;
55 	u32        fw_build_num;
56 } coredump_info;
57 
58 static const guid_t btintel_guid_dsm =
59 	GUID_INIT(0xaa10f4e0, 0x81ac, 0x4233,
60 		  0xab, 0xf6, 0x3b, 0x2a, 0xc5, 0x0e, 0x28, 0xd9);
61 
62 int btintel_check_bdaddr(struct hci_dev *hdev)
63 {
64 	struct hci_rp_read_bd_addr *bda;
65 	struct sk_buff *skb;
66 
67 	skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL,
68 			     HCI_INIT_TIMEOUT);
69 	if (IS_ERR(skb)) {
70 		int err = PTR_ERR(skb);
71 		bt_dev_err(hdev, "Reading Intel device address failed (%d)",
72 			   err);
73 		return err;
74 	}
75 
76 	if (skb->len != sizeof(*bda)) {
77 		bt_dev_err(hdev, "Intel device address length mismatch");
78 		kfree_skb(skb);
79 		return -EIO;
80 	}
81 
82 	bda = (struct hci_rp_read_bd_addr *)skb->data;
83 
84 	/* For some Intel based controllers, the default Bluetooth device
85 	 * address 00:03:19:9E:8B:00 can be found. These controllers are
86 	 * fully operational, but have the danger of duplicate addresses
87 	 * and that in turn can cause problems with Bluetooth operation.
88 	 */
89 	if (!bacmp(&bda->bdaddr, BDADDR_INTEL)) {
90 		bt_dev_err(hdev, "Found Intel default device address (%pMR)",
91 			   &bda->bdaddr);
92 		set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
93 	}
94 
95 	kfree_skb(skb);
96 
97 	return 0;
98 }
99 EXPORT_SYMBOL_GPL(btintel_check_bdaddr);
100 
101 int btintel_enter_mfg(struct hci_dev *hdev)
102 {
103 	static const u8 param[] = { 0x01, 0x00 };
104 	struct sk_buff *skb;
105 
106 	skb = __hci_cmd_sync(hdev, 0xfc11, 2, param, HCI_CMD_TIMEOUT);
107 	if (IS_ERR(skb)) {
108 		bt_dev_err(hdev, "Entering manufacturer mode failed (%ld)",
109 			   PTR_ERR(skb));
110 		return PTR_ERR(skb);
111 	}
112 	kfree_skb(skb);
113 
114 	return 0;
115 }
116 EXPORT_SYMBOL_GPL(btintel_enter_mfg);
117 
118 int btintel_exit_mfg(struct hci_dev *hdev, bool reset, bool patched)
119 {
120 	u8 param[] = { 0x00, 0x00 };
121 	struct sk_buff *skb;
122 
123 	/* The 2nd command parameter specifies the manufacturing exit method:
124 	 * 0x00: Just disable the manufacturing mode (0x00).
125 	 * 0x01: Disable manufacturing mode and reset with patches deactivated.
126 	 * 0x02: Disable manufacturing mode and reset with patches activated.
127 	 */
128 	if (reset)
129 		param[1] |= patched ? 0x02 : 0x01;
130 
131 	skb = __hci_cmd_sync(hdev, 0xfc11, 2, param, HCI_CMD_TIMEOUT);
132 	if (IS_ERR(skb)) {
133 		bt_dev_err(hdev, "Exiting manufacturer mode failed (%ld)",
134 			   PTR_ERR(skb));
135 		return PTR_ERR(skb);
136 	}
137 	kfree_skb(skb);
138 
139 	return 0;
140 }
141 EXPORT_SYMBOL_GPL(btintel_exit_mfg);
142 
143 int btintel_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr)
144 {
145 	struct sk_buff *skb;
146 	int err;
147 
148 	skb = __hci_cmd_sync(hdev, 0xfc31, 6, bdaddr, HCI_INIT_TIMEOUT);
149 	if (IS_ERR(skb)) {
150 		err = PTR_ERR(skb);
151 		bt_dev_err(hdev, "Changing Intel device address failed (%d)",
152 			   err);
153 		return err;
154 	}
155 	kfree_skb(skb);
156 
157 	return 0;
158 }
159 EXPORT_SYMBOL_GPL(btintel_set_bdaddr);
160 
161 static int btintel_set_event_mask(struct hci_dev *hdev, bool debug)
162 {
163 	u8 mask[8] = { 0x87, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
164 	struct sk_buff *skb;
165 	int err;
166 
167 	if (debug)
168 		mask[1] |= 0x62;
169 
170 	skb = __hci_cmd_sync(hdev, 0xfc52, 8, mask, HCI_INIT_TIMEOUT);
171 	if (IS_ERR(skb)) {
172 		err = PTR_ERR(skb);
173 		bt_dev_err(hdev, "Setting Intel event mask failed (%d)", err);
174 		return err;
175 	}
176 	kfree_skb(skb);
177 
178 	return 0;
179 }
180 
181 int btintel_set_diag(struct hci_dev *hdev, bool enable)
182 {
183 	struct sk_buff *skb;
184 	u8 param[3];
185 	int err;
186 
187 	if (enable) {
188 		param[0] = 0x03;
189 		param[1] = 0x03;
190 		param[2] = 0x03;
191 	} else {
192 		param[0] = 0x00;
193 		param[1] = 0x00;
194 		param[2] = 0x00;
195 	}
196 
197 	skb = __hci_cmd_sync(hdev, 0xfc43, 3, param, HCI_INIT_TIMEOUT);
198 	if (IS_ERR(skb)) {
199 		err = PTR_ERR(skb);
200 		if (err == -ENODATA)
201 			goto done;
202 		bt_dev_err(hdev, "Changing Intel diagnostic mode failed (%d)",
203 			   err);
204 		return err;
205 	}
206 	kfree_skb(skb);
207 
208 done:
209 	btintel_set_event_mask(hdev, enable);
210 	return 0;
211 }
212 EXPORT_SYMBOL_GPL(btintel_set_diag);
213 
214 static int btintel_set_diag_mfg(struct hci_dev *hdev, bool enable)
215 {
216 	int err, ret;
217 
218 	err = btintel_enter_mfg(hdev);
219 	if (err)
220 		return err;
221 
222 	ret = btintel_set_diag(hdev, enable);
223 
224 	err = btintel_exit_mfg(hdev, false, false);
225 	if (err)
226 		return err;
227 
228 	return ret;
229 }
230 
231 static int btintel_set_diag_combined(struct hci_dev *hdev, bool enable)
232 {
233 	int ret;
234 
235 	/* Legacy ROM device needs to be in the manufacturer mode to apply
236 	 * diagnostic setting
237 	 *
238 	 * This flag is set after reading the Intel version.
239 	 */
240 	if (btintel_test_flag(hdev, INTEL_ROM_LEGACY))
241 		ret = btintel_set_diag_mfg(hdev, enable);
242 	else
243 		ret = btintel_set_diag(hdev, enable);
244 
245 	return ret;
246 }
247 
248 static void btintel_hw_error(struct hci_dev *hdev, u8 code)
249 {
250 	struct sk_buff *skb;
251 	u8 type = 0x00;
252 
253 	bt_dev_err(hdev, "Hardware error 0x%2.2x", code);
254 
255 	skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
256 	if (IS_ERR(skb)) {
257 		bt_dev_err(hdev, "Reset after hardware error failed (%ld)",
258 			   PTR_ERR(skb));
259 		return;
260 	}
261 	kfree_skb(skb);
262 
263 	skb = __hci_cmd_sync(hdev, 0xfc22, 1, &type, HCI_INIT_TIMEOUT);
264 	if (IS_ERR(skb)) {
265 		bt_dev_err(hdev, "Retrieving Intel exception info failed (%ld)",
266 			   PTR_ERR(skb));
267 		return;
268 	}
269 
270 	if (skb->len != 13) {
271 		bt_dev_err(hdev, "Exception info size mismatch");
272 		kfree_skb(skb);
273 		return;
274 	}
275 
276 	bt_dev_err(hdev, "Exception info %s", (char *)(skb->data + 1));
277 
278 	kfree_skb(skb);
279 }
280 
281 int btintel_version_info(struct hci_dev *hdev, struct intel_version *ver)
282 {
283 	const char *variant;
284 
285 	/* The hardware platform number has a fixed value of 0x37 and
286 	 * for now only accept this single value.
287 	 */
288 	if (ver->hw_platform != 0x37) {
289 		bt_dev_err(hdev, "Unsupported Intel hardware platform (%u)",
290 			   ver->hw_platform);
291 		return -EINVAL;
292 	}
293 
294 	/* Check for supported iBT hardware variants of this firmware
295 	 * loading method.
296 	 *
297 	 * This check has been put in place to ensure correct forward
298 	 * compatibility options when newer hardware variants come along.
299 	 */
300 	switch (ver->hw_variant) {
301 	case 0x07:	/* WP - Legacy ROM */
302 	case 0x08:	/* StP - Legacy ROM */
303 	case 0x0b:      /* SfP */
304 	case 0x0c:      /* WsP */
305 	case 0x11:      /* JfP */
306 	case 0x12:      /* ThP */
307 	case 0x13:      /* HrP */
308 	case 0x14:      /* CcP */
309 		break;
310 	default:
311 		bt_dev_err(hdev, "Unsupported Intel hardware variant (%u)",
312 			   ver->hw_variant);
313 		return -EINVAL;
314 	}
315 
316 	switch (ver->fw_variant) {
317 	case 0x01:
318 		variant = "Legacy ROM 2.5";
319 		break;
320 	case 0x06:
321 		variant = "Bootloader";
322 		break;
323 	case 0x22:
324 		variant = "Legacy ROM 2.x";
325 		break;
326 	case 0x23:
327 		variant = "Firmware";
328 		break;
329 	default:
330 		bt_dev_err(hdev, "Unsupported firmware variant(%02x)", ver->fw_variant);
331 		return -EINVAL;
332 	}
333 
334 	coredump_info.hw_variant = ver->hw_variant;
335 	coredump_info.fw_build_num = ver->fw_build_num;
336 
337 	bt_dev_info(hdev, "%s revision %u.%u build %u week %u %u",
338 		    variant, ver->fw_revision >> 4, ver->fw_revision & 0x0f,
339 		    ver->fw_build_num, ver->fw_build_ww,
340 		    2000 + ver->fw_build_yy);
341 
342 	return 0;
343 }
344 EXPORT_SYMBOL_GPL(btintel_version_info);
345 
346 static int btintel_secure_send(struct hci_dev *hdev, u8 fragment_type, u32 plen,
347 			       const void *param)
348 {
349 	while (plen > 0) {
350 		struct sk_buff *skb;
351 		u8 cmd_param[253], fragment_len = (plen > 252) ? 252 : plen;
352 
353 		cmd_param[0] = fragment_type;
354 		memcpy(cmd_param + 1, param, fragment_len);
355 
356 		skb = __hci_cmd_sync(hdev, 0xfc09, fragment_len + 1,
357 				     cmd_param, HCI_INIT_TIMEOUT);
358 		if (IS_ERR(skb))
359 			return PTR_ERR(skb);
360 
361 		kfree_skb(skb);
362 
363 		plen -= fragment_len;
364 		param += fragment_len;
365 	}
366 
367 	return 0;
368 }
369 
370 int btintel_load_ddc_config(struct hci_dev *hdev, const char *ddc_name)
371 {
372 	const struct firmware *fw;
373 	struct sk_buff *skb;
374 	const u8 *fw_ptr;
375 	int err;
376 
377 	err = request_firmware_direct(&fw, ddc_name, &hdev->dev);
378 	if (err < 0) {
379 		bt_dev_err(hdev, "Failed to load Intel DDC file %s (%d)",
380 			   ddc_name, err);
381 		return err;
382 	}
383 
384 	bt_dev_info(hdev, "Found Intel DDC parameters: %s", ddc_name);
385 
386 	fw_ptr = fw->data;
387 
388 	/* DDC file contains one or more DDC structure which has
389 	 * Length (1 byte), DDC ID (2 bytes), and DDC value (Length - 2).
390 	 */
391 	while (fw->size > fw_ptr - fw->data) {
392 		u8 cmd_plen = fw_ptr[0] + sizeof(u8);
393 
394 		skb = __hci_cmd_sync(hdev, 0xfc8b, cmd_plen, fw_ptr,
395 				     HCI_INIT_TIMEOUT);
396 		if (IS_ERR(skb)) {
397 			bt_dev_err(hdev, "Failed to send Intel_Write_DDC (%ld)",
398 				   PTR_ERR(skb));
399 			release_firmware(fw);
400 			return PTR_ERR(skb);
401 		}
402 
403 		fw_ptr += cmd_plen;
404 		kfree_skb(skb);
405 	}
406 
407 	release_firmware(fw);
408 
409 	bt_dev_info(hdev, "Applying Intel DDC parameters completed");
410 
411 	return 0;
412 }
413 EXPORT_SYMBOL_GPL(btintel_load_ddc_config);
414 
415 int btintel_set_event_mask_mfg(struct hci_dev *hdev, bool debug)
416 {
417 	int err, ret;
418 
419 	err = btintel_enter_mfg(hdev);
420 	if (err)
421 		return err;
422 
423 	ret = btintel_set_event_mask(hdev, debug);
424 
425 	err = btintel_exit_mfg(hdev, false, false);
426 	if (err)
427 		return err;
428 
429 	return ret;
430 }
431 EXPORT_SYMBOL_GPL(btintel_set_event_mask_mfg);
432 
433 int btintel_read_version(struct hci_dev *hdev, struct intel_version *ver)
434 {
435 	struct sk_buff *skb;
436 
437 	skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_CMD_TIMEOUT);
438 	if (IS_ERR(skb)) {
439 		bt_dev_err(hdev, "Reading Intel version information failed (%ld)",
440 			   PTR_ERR(skb));
441 		return PTR_ERR(skb);
442 	}
443 
444 	if (!skb || skb->len != sizeof(*ver)) {
445 		bt_dev_err(hdev, "Intel version event size mismatch");
446 		kfree_skb(skb);
447 		return -EILSEQ;
448 	}
449 
450 	memcpy(ver, skb->data, sizeof(*ver));
451 
452 	kfree_skb(skb);
453 
454 	return 0;
455 }
456 EXPORT_SYMBOL_GPL(btintel_read_version);
457 
458 static int btintel_version_info_tlv(struct hci_dev *hdev,
459 				    struct intel_version_tlv *version)
460 {
461 	const char *variant;
462 
463 	/* The hardware platform number has a fixed value of 0x37 and
464 	 * for now only accept this single value.
465 	 */
466 	if (INTEL_HW_PLATFORM(version->cnvi_bt) != 0x37) {
467 		bt_dev_err(hdev, "Unsupported Intel hardware platform (0x%2x)",
468 			   INTEL_HW_PLATFORM(version->cnvi_bt));
469 		return -EINVAL;
470 	}
471 
472 	/* Check for supported iBT hardware variants of this firmware
473 	 * loading method.
474 	 *
475 	 * This check has been put in place to ensure correct forward
476 	 * compatibility options when newer hardware variants come along.
477 	 */
478 	switch (INTEL_HW_VARIANT(version->cnvi_bt)) {
479 	case 0x17:	/* TyP */
480 	case 0x18:	/* Slr */
481 	case 0x19:	/* Slr-F */
482 	case 0x1b:      /* Mgr */
483 	case 0x1c:	/* Gale Peak (GaP) */
484 		break;
485 	default:
486 		bt_dev_err(hdev, "Unsupported Intel hardware variant (0x%x)",
487 			   INTEL_HW_VARIANT(version->cnvi_bt));
488 		return -EINVAL;
489 	}
490 
491 	switch (version->img_type) {
492 	case 0x01:
493 		variant = "Bootloader";
494 		/* It is required that every single firmware fragment is acknowledged
495 		 * with a command complete event. If the boot parameters indicate
496 		 * that this bootloader does not send them, then abort the setup.
497 		 */
498 		if (version->limited_cce != 0x00) {
499 			bt_dev_err(hdev, "Unsupported Intel firmware loading method (0x%x)",
500 				   version->limited_cce);
501 			return -EINVAL;
502 		}
503 
504 		/* Secure boot engine type should be either 1 (ECDSA) or 0 (RSA) */
505 		if (version->sbe_type > 0x01) {
506 			bt_dev_err(hdev, "Unsupported Intel secure boot engine type (0x%x)",
507 				   version->sbe_type);
508 			return -EINVAL;
509 		}
510 
511 		bt_dev_info(hdev, "Device revision is %u", version->dev_rev_id);
512 		bt_dev_info(hdev, "Secure boot is %s",
513 			    version->secure_boot ? "enabled" : "disabled");
514 		bt_dev_info(hdev, "OTP lock is %s",
515 			    version->otp_lock ? "enabled" : "disabled");
516 		bt_dev_info(hdev, "API lock is %s",
517 			    version->api_lock ? "enabled" : "disabled");
518 		bt_dev_info(hdev, "Debug lock is %s",
519 			    version->debug_lock ? "enabled" : "disabled");
520 		bt_dev_info(hdev, "Minimum firmware build %u week %u %u",
521 			    version->min_fw_build_nn, version->min_fw_build_cw,
522 			    2000 + version->min_fw_build_yy);
523 		break;
524 	case 0x03:
525 		variant = "Firmware";
526 		break;
527 	default:
528 		bt_dev_err(hdev, "Unsupported image type(%02x)", version->img_type);
529 		return -EINVAL;
530 	}
531 
532 	coredump_info.hw_variant = INTEL_HW_VARIANT(version->cnvi_bt);
533 	coredump_info.fw_build_num = version->build_num;
534 
535 	bt_dev_info(hdev, "%s timestamp %u.%u buildtype %u build %u", variant,
536 		    2000 + (version->timestamp >> 8), version->timestamp & 0xff,
537 		    version->build_type, version->build_num);
538 	if (version->img_type == 0x03)
539 		bt_dev_info(hdev, "Firmware SHA1: 0x%8.8x", version->git_sha1);
540 
541 	return 0;
542 }
543 
544 static int btintel_parse_version_tlv(struct hci_dev *hdev,
545 				     struct intel_version_tlv *version,
546 				     struct sk_buff *skb)
547 {
548 	/* Consume Command Complete Status field */
549 	skb_pull(skb, 1);
550 
551 	/* Event parameters contatin multiple TLVs. Read each of them
552 	 * and only keep the required data. Also, it use existing legacy
553 	 * version field like hw_platform, hw_variant, and fw_variant
554 	 * to keep the existing setup flow
555 	 */
556 	while (skb->len) {
557 		struct intel_tlv *tlv;
558 
559 		/* Make sure skb has a minimum length of the header */
560 		if (skb->len < sizeof(*tlv))
561 			return -EINVAL;
562 
563 		tlv = (struct intel_tlv *)skb->data;
564 
565 		/* Make sure skb has a enough data */
566 		if (skb->len < tlv->len + sizeof(*tlv))
567 			return -EINVAL;
568 
569 		switch (tlv->type) {
570 		case INTEL_TLV_CNVI_TOP:
571 			version->cnvi_top = get_unaligned_le32(tlv->val);
572 			break;
573 		case INTEL_TLV_CNVR_TOP:
574 			version->cnvr_top = get_unaligned_le32(tlv->val);
575 			break;
576 		case INTEL_TLV_CNVI_BT:
577 			version->cnvi_bt = get_unaligned_le32(tlv->val);
578 			break;
579 		case INTEL_TLV_CNVR_BT:
580 			version->cnvr_bt = get_unaligned_le32(tlv->val);
581 			break;
582 		case INTEL_TLV_DEV_REV_ID:
583 			version->dev_rev_id = get_unaligned_le16(tlv->val);
584 			break;
585 		case INTEL_TLV_IMAGE_TYPE:
586 			version->img_type = tlv->val[0];
587 			break;
588 		case INTEL_TLV_TIME_STAMP:
589 			/* If image type is Operational firmware (0x03), then
590 			 * running FW Calendar Week and Year information can
591 			 * be extracted from Timestamp information
592 			 */
593 			version->min_fw_build_cw = tlv->val[0];
594 			version->min_fw_build_yy = tlv->val[1];
595 			version->timestamp = get_unaligned_le16(tlv->val);
596 			break;
597 		case INTEL_TLV_BUILD_TYPE:
598 			version->build_type = tlv->val[0];
599 			break;
600 		case INTEL_TLV_BUILD_NUM:
601 			/* If image type is Operational firmware (0x03), then
602 			 * running FW build number can be extracted from the
603 			 * Build information
604 			 */
605 			version->min_fw_build_nn = tlv->val[0];
606 			version->build_num = get_unaligned_le32(tlv->val);
607 			break;
608 		case INTEL_TLV_SECURE_BOOT:
609 			version->secure_boot = tlv->val[0];
610 			break;
611 		case INTEL_TLV_OTP_LOCK:
612 			version->otp_lock = tlv->val[0];
613 			break;
614 		case INTEL_TLV_API_LOCK:
615 			version->api_lock = tlv->val[0];
616 			break;
617 		case INTEL_TLV_DEBUG_LOCK:
618 			version->debug_lock = tlv->val[0];
619 			break;
620 		case INTEL_TLV_MIN_FW:
621 			version->min_fw_build_nn = tlv->val[0];
622 			version->min_fw_build_cw = tlv->val[1];
623 			version->min_fw_build_yy = tlv->val[2];
624 			break;
625 		case INTEL_TLV_LIMITED_CCE:
626 			version->limited_cce = tlv->val[0];
627 			break;
628 		case INTEL_TLV_SBE_TYPE:
629 			version->sbe_type = tlv->val[0];
630 			break;
631 		case INTEL_TLV_OTP_BDADDR:
632 			memcpy(&version->otp_bd_addr, tlv->val,
633 							sizeof(bdaddr_t));
634 			break;
635 		case INTEL_TLV_GIT_SHA1:
636 			version->git_sha1 = get_unaligned_le32(tlv->val);
637 			break;
638 		default:
639 			/* Ignore rest of information */
640 			break;
641 		}
642 		/* consume the current tlv and move to next*/
643 		skb_pull(skb, tlv->len + sizeof(*tlv));
644 	}
645 
646 	return 0;
647 }
648 
649 static int btintel_read_version_tlv(struct hci_dev *hdev,
650 				    struct intel_version_tlv *version)
651 {
652 	struct sk_buff *skb;
653 	const u8 param[1] = { 0xFF };
654 
655 	if (!version)
656 		return -EINVAL;
657 
658 	skb = __hci_cmd_sync(hdev, 0xfc05, 1, param, HCI_CMD_TIMEOUT);
659 	if (IS_ERR(skb)) {
660 		bt_dev_err(hdev, "Reading Intel version information failed (%ld)",
661 			   PTR_ERR(skb));
662 		return PTR_ERR(skb);
663 	}
664 
665 	if (skb->data[0]) {
666 		bt_dev_err(hdev, "Intel Read Version command failed (%02x)",
667 			   skb->data[0]);
668 		kfree_skb(skb);
669 		return -EIO;
670 	}
671 
672 	btintel_parse_version_tlv(hdev, version, skb);
673 
674 	kfree_skb(skb);
675 	return 0;
676 }
677 
678 /* ------- REGMAP IBT SUPPORT ------- */
679 
680 #define IBT_REG_MODE_8BIT  0x00
681 #define IBT_REG_MODE_16BIT 0x01
682 #define IBT_REG_MODE_32BIT 0x02
683 
684 struct regmap_ibt_context {
685 	struct hci_dev *hdev;
686 	__u16 op_write;
687 	__u16 op_read;
688 };
689 
690 struct ibt_cp_reg_access {
691 	__le32  addr;
692 	__u8    mode;
693 	__u8    len;
694 	__u8    data[];
695 } __packed;
696 
697 struct ibt_rp_reg_access {
698 	__u8    status;
699 	__le32  addr;
700 	__u8    data[];
701 } __packed;
702 
703 static int regmap_ibt_read(void *context, const void *addr, size_t reg_size,
704 			   void *val, size_t val_size)
705 {
706 	struct regmap_ibt_context *ctx = context;
707 	struct ibt_cp_reg_access cp;
708 	struct ibt_rp_reg_access *rp;
709 	struct sk_buff *skb;
710 	int err = 0;
711 
712 	if (reg_size != sizeof(__le32))
713 		return -EINVAL;
714 
715 	switch (val_size) {
716 	case 1:
717 		cp.mode = IBT_REG_MODE_8BIT;
718 		break;
719 	case 2:
720 		cp.mode = IBT_REG_MODE_16BIT;
721 		break;
722 	case 4:
723 		cp.mode = IBT_REG_MODE_32BIT;
724 		break;
725 	default:
726 		return -EINVAL;
727 	}
728 
729 	/* regmap provides a little-endian formatted addr */
730 	cp.addr = *(__le32 *)addr;
731 	cp.len = val_size;
732 
733 	bt_dev_dbg(ctx->hdev, "Register (0x%x) read", le32_to_cpu(cp.addr));
734 
735 	skb = hci_cmd_sync(ctx->hdev, ctx->op_read, sizeof(cp), &cp,
736 			   HCI_CMD_TIMEOUT);
737 	if (IS_ERR(skb)) {
738 		err = PTR_ERR(skb);
739 		bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error (%d)",
740 			   le32_to_cpu(cp.addr), err);
741 		return err;
742 	}
743 
744 	if (skb->len != sizeof(*rp) + val_size) {
745 		bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error, bad len",
746 			   le32_to_cpu(cp.addr));
747 		err = -EINVAL;
748 		goto done;
749 	}
750 
751 	rp = (struct ibt_rp_reg_access *)skb->data;
752 
753 	if (rp->addr != cp.addr) {
754 		bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error, bad addr",
755 			   le32_to_cpu(rp->addr));
756 		err = -EINVAL;
757 		goto done;
758 	}
759 
760 	memcpy(val, rp->data, val_size);
761 
762 done:
763 	kfree_skb(skb);
764 	return err;
765 }
766 
767 static int regmap_ibt_gather_write(void *context,
768 				   const void *addr, size_t reg_size,
769 				   const void *val, size_t val_size)
770 {
771 	struct regmap_ibt_context *ctx = context;
772 	struct ibt_cp_reg_access *cp;
773 	struct sk_buff *skb;
774 	int plen = sizeof(*cp) + val_size;
775 	u8 mode;
776 	int err = 0;
777 
778 	if (reg_size != sizeof(__le32))
779 		return -EINVAL;
780 
781 	switch (val_size) {
782 	case 1:
783 		mode = IBT_REG_MODE_8BIT;
784 		break;
785 	case 2:
786 		mode = IBT_REG_MODE_16BIT;
787 		break;
788 	case 4:
789 		mode = IBT_REG_MODE_32BIT;
790 		break;
791 	default:
792 		return -EINVAL;
793 	}
794 
795 	cp = kmalloc(plen, GFP_KERNEL);
796 	if (!cp)
797 		return -ENOMEM;
798 
799 	/* regmap provides a little-endian formatted addr/value */
800 	cp->addr = *(__le32 *)addr;
801 	cp->mode = mode;
802 	cp->len = val_size;
803 	memcpy(&cp->data, val, val_size);
804 
805 	bt_dev_dbg(ctx->hdev, "Register (0x%x) write", le32_to_cpu(cp->addr));
806 
807 	skb = hci_cmd_sync(ctx->hdev, ctx->op_write, plen, cp, HCI_CMD_TIMEOUT);
808 	if (IS_ERR(skb)) {
809 		err = PTR_ERR(skb);
810 		bt_dev_err(ctx->hdev, "regmap: Register (0x%x) write error (%d)",
811 			   le32_to_cpu(cp->addr), err);
812 		goto done;
813 	}
814 	kfree_skb(skb);
815 
816 done:
817 	kfree(cp);
818 	return err;
819 }
820 
821 static int regmap_ibt_write(void *context, const void *data, size_t count)
822 {
823 	/* data contains register+value, since we only support 32bit addr,
824 	 * minimum data size is 4 bytes.
825 	 */
826 	if (WARN_ONCE(count < 4, "Invalid register access"))
827 		return -EINVAL;
828 
829 	return regmap_ibt_gather_write(context, data, 4, data + 4, count - 4);
830 }
831 
832 static void regmap_ibt_free_context(void *context)
833 {
834 	kfree(context);
835 }
836 
837 static const struct regmap_bus regmap_ibt = {
838 	.read = regmap_ibt_read,
839 	.write = regmap_ibt_write,
840 	.gather_write = regmap_ibt_gather_write,
841 	.free_context = regmap_ibt_free_context,
842 	.reg_format_endian_default = REGMAP_ENDIAN_LITTLE,
843 	.val_format_endian_default = REGMAP_ENDIAN_LITTLE,
844 };
845 
846 /* Config is the same for all register regions */
847 static const struct regmap_config regmap_ibt_cfg = {
848 	.name      = "btintel_regmap",
849 	.reg_bits  = 32,
850 	.val_bits  = 32,
851 };
852 
853 struct regmap *btintel_regmap_init(struct hci_dev *hdev, u16 opcode_read,
854 				   u16 opcode_write)
855 {
856 	struct regmap_ibt_context *ctx;
857 
858 	bt_dev_info(hdev, "regmap: Init R%x-W%x region", opcode_read,
859 		    opcode_write);
860 
861 	ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
862 	if (!ctx)
863 		return ERR_PTR(-ENOMEM);
864 
865 	ctx->op_read = opcode_read;
866 	ctx->op_write = opcode_write;
867 	ctx->hdev = hdev;
868 
869 	return regmap_init(&hdev->dev, &regmap_ibt, ctx, &regmap_ibt_cfg);
870 }
871 EXPORT_SYMBOL_GPL(btintel_regmap_init);
872 
873 int btintel_send_intel_reset(struct hci_dev *hdev, u32 boot_param)
874 {
875 	struct intel_reset params = { 0x00, 0x01, 0x00, 0x01, 0x00000000 };
876 	struct sk_buff *skb;
877 
878 	params.boot_param = cpu_to_le32(boot_param);
879 
880 	skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(params), &params,
881 			     HCI_INIT_TIMEOUT);
882 	if (IS_ERR(skb)) {
883 		bt_dev_err(hdev, "Failed to send Intel Reset command");
884 		return PTR_ERR(skb);
885 	}
886 
887 	kfree_skb(skb);
888 
889 	return 0;
890 }
891 EXPORT_SYMBOL_GPL(btintel_send_intel_reset);
892 
893 int btintel_read_boot_params(struct hci_dev *hdev,
894 			     struct intel_boot_params *params)
895 {
896 	struct sk_buff *skb;
897 
898 	skb = __hci_cmd_sync(hdev, 0xfc0d, 0, NULL, HCI_INIT_TIMEOUT);
899 	if (IS_ERR(skb)) {
900 		bt_dev_err(hdev, "Reading Intel boot parameters failed (%ld)",
901 			   PTR_ERR(skb));
902 		return PTR_ERR(skb);
903 	}
904 
905 	if (skb->len != sizeof(*params)) {
906 		bt_dev_err(hdev, "Intel boot parameters size mismatch");
907 		kfree_skb(skb);
908 		return -EILSEQ;
909 	}
910 
911 	memcpy(params, skb->data, sizeof(*params));
912 
913 	kfree_skb(skb);
914 
915 	if (params->status) {
916 		bt_dev_err(hdev, "Intel boot parameters command failed (%02x)",
917 			   params->status);
918 		return -bt_to_errno(params->status);
919 	}
920 
921 	bt_dev_info(hdev, "Device revision is %u",
922 		    le16_to_cpu(params->dev_revid));
923 
924 	bt_dev_info(hdev, "Secure boot is %s",
925 		    params->secure_boot ? "enabled" : "disabled");
926 
927 	bt_dev_info(hdev, "OTP lock is %s",
928 		    params->otp_lock ? "enabled" : "disabled");
929 
930 	bt_dev_info(hdev, "API lock is %s",
931 		    params->api_lock ? "enabled" : "disabled");
932 
933 	bt_dev_info(hdev, "Debug lock is %s",
934 		    params->debug_lock ? "enabled" : "disabled");
935 
936 	bt_dev_info(hdev, "Minimum firmware build %u week %u %u",
937 		    params->min_fw_build_nn, params->min_fw_build_cw,
938 		    2000 + params->min_fw_build_yy);
939 
940 	return 0;
941 }
942 EXPORT_SYMBOL_GPL(btintel_read_boot_params);
943 
944 static int btintel_sfi_rsa_header_secure_send(struct hci_dev *hdev,
945 					      const struct firmware *fw)
946 {
947 	int err;
948 
949 	/* Start the firmware download transaction with the Init fragment
950 	 * represented by the 128 bytes of CSS header.
951 	 */
952 	err = btintel_secure_send(hdev, 0x00, 128, fw->data);
953 	if (err < 0) {
954 		bt_dev_err(hdev, "Failed to send firmware header (%d)", err);
955 		goto done;
956 	}
957 
958 	/* Send the 256 bytes of public key information from the firmware
959 	 * as the PKey fragment.
960 	 */
961 	err = btintel_secure_send(hdev, 0x03, 256, fw->data + 128);
962 	if (err < 0) {
963 		bt_dev_err(hdev, "Failed to send firmware pkey (%d)", err);
964 		goto done;
965 	}
966 
967 	/* Send the 256 bytes of signature information from the firmware
968 	 * as the Sign fragment.
969 	 */
970 	err = btintel_secure_send(hdev, 0x02, 256, fw->data + 388);
971 	if (err < 0) {
972 		bt_dev_err(hdev, "Failed to send firmware signature (%d)", err);
973 		goto done;
974 	}
975 
976 done:
977 	return err;
978 }
979 
980 static int btintel_sfi_ecdsa_header_secure_send(struct hci_dev *hdev,
981 						const struct firmware *fw)
982 {
983 	int err;
984 
985 	/* Start the firmware download transaction with the Init fragment
986 	 * represented by the 128 bytes of CSS header.
987 	 */
988 	err = btintel_secure_send(hdev, 0x00, 128, fw->data + 644);
989 	if (err < 0) {
990 		bt_dev_err(hdev, "Failed to send firmware header (%d)", err);
991 		return err;
992 	}
993 
994 	/* Send the 96 bytes of public key information from the firmware
995 	 * as the PKey fragment.
996 	 */
997 	err = btintel_secure_send(hdev, 0x03, 96, fw->data + 644 + 128);
998 	if (err < 0) {
999 		bt_dev_err(hdev, "Failed to send firmware pkey (%d)", err);
1000 		return err;
1001 	}
1002 
1003 	/* Send the 96 bytes of signature information from the firmware
1004 	 * as the Sign fragment
1005 	 */
1006 	err = btintel_secure_send(hdev, 0x02, 96, fw->data + 644 + 224);
1007 	if (err < 0) {
1008 		bt_dev_err(hdev, "Failed to send firmware signature (%d)",
1009 			   err);
1010 		return err;
1011 	}
1012 	return 0;
1013 }
1014 
1015 static int btintel_download_firmware_payload(struct hci_dev *hdev,
1016 					     const struct firmware *fw,
1017 					     size_t offset)
1018 {
1019 	int err;
1020 	const u8 *fw_ptr;
1021 	u32 frag_len;
1022 
1023 	fw_ptr = fw->data + offset;
1024 	frag_len = 0;
1025 	err = -EINVAL;
1026 
1027 	while (fw_ptr - fw->data < fw->size) {
1028 		struct hci_command_hdr *cmd = (void *)(fw_ptr + frag_len);
1029 
1030 		frag_len += sizeof(*cmd) + cmd->plen;
1031 
1032 		/* The parameter length of the secure send command requires
1033 		 * a 4 byte alignment. It happens so that the firmware file
1034 		 * contains proper Intel_NOP commands to align the fragments
1035 		 * as needed.
1036 		 *
1037 		 * Send set of commands with 4 byte alignment from the
1038 		 * firmware data buffer as a single Data fragement.
1039 		 */
1040 		if (!(frag_len % 4)) {
1041 			err = btintel_secure_send(hdev, 0x01, frag_len, fw_ptr);
1042 			if (err < 0) {
1043 				bt_dev_err(hdev,
1044 					   "Failed to send firmware data (%d)",
1045 					   err);
1046 				goto done;
1047 			}
1048 
1049 			fw_ptr += frag_len;
1050 			frag_len = 0;
1051 		}
1052 	}
1053 
1054 done:
1055 	return err;
1056 }
1057 
1058 static bool btintel_firmware_version(struct hci_dev *hdev,
1059 				     u8 num, u8 ww, u8 yy,
1060 				     const struct firmware *fw,
1061 				     u32 *boot_addr)
1062 {
1063 	const u8 *fw_ptr;
1064 
1065 	fw_ptr = fw->data;
1066 
1067 	while (fw_ptr - fw->data < fw->size) {
1068 		struct hci_command_hdr *cmd = (void *)(fw_ptr);
1069 
1070 		/* Each SKU has a different reset parameter to use in the
1071 		 * HCI_Intel_Reset command and it is embedded in the firmware
1072 		 * data. So, instead of using static value per SKU, check
1073 		 * the firmware data and save it for later use.
1074 		 */
1075 		if (le16_to_cpu(cmd->opcode) == CMD_WRITE_BOOT_PARAMS) {
1076 			struct cmd_write_boot_params *params;
1077 
1078 			params = (void *)(fw_ptr + sizeof(*cmd));
1079 
1080 			*boot_addr = le32_to_cpu(params->boot_addr);
1081 
1082 			bt_dev_info(hdev, "Boot Address: 0x%x", *boot_addr);
1083 
1084 			bt_dev_info(hdev, "Firmware Version: %u-%u.%u",
1085 				    params->fw_build_num, params->fw_build_ww,
1086 				    params->fw_build_yy);
1087 
1088 			return (num == params->fw_build_num &&
1089 				ww == params->fw_build_ww &&
1090 				yy == params->fw_build_yy);
1091 		}
1092 
1093 		fw_ptr += sizeof(*cmd) + cmd->plen;
1094 	}
1095 
1096 	return false;
1097 }
1098 
1099 int btintel_download_firmware(struct hci_dev *hdev,
1100 			      struct intel_version *ver,
1101 			      const struct firmware *fw,
1102 			      u32 *boot_param)
1103 {
1104 	int err;
1105 
1106 	/* SfP and WsP don't seem to update the firmware version on file
1107 	 * so version checking is currently not possible.
1108 	 */
1109 	switch (ver->hw_variant) {
1110 	case 0x0b:	/* SfP */
1111 	case 0x0c:	/* WsP */
1112 		/* Skip version checking */
1113 		break;
1114 	default:
1115 
1116 		/* Skip download if firmware has the same version */
1117 		if (btintel_firmware_version(hdev, ver->fw_build_num,
1118 					     ver->fw_build_ww, ver->fw_build_yy,
1119 					     fw, boot_param)) {
1120 			bt_dev_info(hdev, "Firmware already loaded");
1121 			/* Return -EALREADY to indicate that the firmware has
1122 			 * already been loaded.
1123 			 */
1124 			return -EALREADY;
1125 		}
1126 	}
1127 
1128 	/* The firmware variant determines if the device is in bootloader
1129 	 * mode or is running operational firmware. The value 0x06 identifies
1130 	 * the bootloader and the value 0x23 identifies the operational
1131 	 * firmware.
1132 	 *
1133 	 * If the firmware version has changed that means it needs to be reset
1134 	 * to bootloader when operational so the new firmware can be loaded.
1135 	 */
1136 	if (ver->fw_variant == 0x23)
1137 		return -EINVAL;
1138 
1139 	err = btintel_sfi_rsa_header_secure_send(hdev, fw);
1140 	if (err)
1141 		return err;
1142 
1143 	return btintel_download_firmware_payload(hdev, fw, RSA_HEADER_LEN);
1144 }
1145 EXPORT_SYMBOL_GPL(btintel_download_firmware);
1146 
1147 static int btintel_download_fw_tlv(struct hci_dev *hdev,
1148 				   struct intel_version_tlv *ver,
1149 				   const struct firmware *fw, u32 *boot_param,
1150 				   u8 hw_variant, u8 sbe_type)
1151 {
1152 	int err;
1153 	u32 css_header_ver;
1154 
1155 	/* Skip download if firmware has the same version */
1156 	if (btintel_firmware_version(hdev, ver->min_fw_build_nn,
1157 				     ver->min_fw_build_cw,
1158 				     ver->min_fw_build_yy,
1159 				     fw, boot_param)) {
1160 		bt_dev_info(hdev, "Firmware already loaded");
1161 		/* Return -EALREADY to indicate that firmware has
1162 		 * already been loaded.
1163 		 */
1164 		return -EALREADY;
1165 	}
1166 
1167 	/* The firmware variant determines if the device is in bootloader
1168 	 * mode or is running operational firmware. The value 0x01 identifies
1169 	 * the bootloader and the value 0x03 identifies the operational
1170 	 * firmware.
1171 	 *
1172 	 * If the firmware version has changed that means it needs to be reset
1173 	 * to bootloader when operational so the new firmware can be loaded.
1174 	 */
1175 	if (ver->img_type == 0x03)
1176 		return -EINVAL;
1177 
1178 	/* iBT hardware variants 0x0b, 0x0c, 0x11, 0x12, 0x13, 0x14 support
1179 	 * only RSA secure boot engine. Hence, the corresponding sfi file will
1180 	 * have RSA header of 644 bytes followed by Command Buffer.
1181 	 *
1182 	 * iBT hardware variants 0x17, 0x18 onwards support both RSA and ECDSA
1183 	 * secure boot engine. As a result, the corresponding sfi file will
1184 	 * have RSA header of 644, ECDSA header of 320 bytes followed by
1185 	 * Command Buffer.
1186 	 *
1187 	 * CSS Header byte positions 0x08 to 0x0B represent the CSS Header
1188 	 * version: RSA(0x00010000) , ECDSA (0x00020000)
1189 	 */
1190 	css_header_ver = get_unaligned_le32(fw->data + CSS_HEADER_OFFSET);
1191 	if (css_header_ver != 0x00010000) {
1192 		bt_dev_err(hdev, "Invalid CSS Header version");
1193 		return -EINVAL;
1194 	}
1195 
1196 	if (hw_variant <= 0x14) {
1197 		if (sbe_type != 0x00) {
1198 			bt_dev_err(hdev, "Invalid SBE type for hardware variant (%d)",
1199 				   hw_variant);
1200 			return -EINVAL;
1201 		}
1202 
1203 		err = btintel_sfi_rsa_header_secure_send(hdev, fw);
1204 		if (err)
1205 			return err;
1206 
1207 		err = btintel_download_firmware_payload(hdev, fw, RSA_HEADER_LEN);
1208 		if (err)
1209 			return err;
1210 	} else if (hw_variant >= 0x17) {
1211 		/* Check if CSS header for ECDSA follows the RSA header */
1212 		if (fw->data[ECDSA_OFFSET] != 0x06)
1213 			return -EINVAL;
1214 
1215 		/* Check if the CSS Header version is ECDSA(0x00020000) */
1216 		css_header_ver = get_unaligned_le32(fw->data + ECDSA_OFFSET + CSS_HEADER_OFFSET);
1217 		if (css_header_ver != 0x00020000) {
1218 			bt_dev_err(hdev, "Invalid CSS Header version");
1219 			return -EINVAL;
1220 		}
1221 
1222 		if (sbe_type == 0x00) {
1223 			err = btintel_sfi_rsa_header_secure_send(hdev, fw);
1224 			if (err)
1225 				return err;
1226 
1227 			err = btintel_download_firmware_payload(hdev, fw,
1228 								RSA_HEADER_LEN + ECDSA_HEADER_LEN);
1229 			if (err)
1230 				return err;
1231 		} else if (sbe_type == 0x01) {
1232 			err = btintel_sfi_ecdsa_header_secure_send(hdev, fw);
1233 			if (err)
1234 				return err;
1235 
1236 			err = btintel_download_firmware_payload(hdev, fw,
1237 								RSA_HEADER_LEN + ECDSA_HEADER_LEN);
1238 			if (err)
1239 				return err;
1240 		}
1241 	}
1242 	return 0;
1243 }
1244 
1245 static void btintel_reset_to_bootloader(struct hci_dev *hdev)
1246 {
1247 	struct intel_reset params;
1248 	struct sk_buff *skb;
1249 
1250 	/* Send Intel Reset command. This will result in
1251 	 * re-enumeration of BT controller.
1252 	 *
1253 	 * Intel Reset parameter description:
1254 	 * reset_type :   0x00 (Soft reset),
1255 	 *		  0x01 (Hard reset)
1256 	 * patch_enable : 0x00 (Do not enable),
1257 	 *		  0x01 (Enable)
1258 	 * ddc_reload :   0x00 (Do not reload),
1259 	 *		  0x01 (Reload)
1260 	 * boot_option:   0x00 (Current image),
1261 	 *                0x01 (Specified boot address)
1262 	 * boot_param:    Boot address
1263 	 *
1264 	 */
1265 	params.reset_type = 0x01;
1266 	params.patch_enable = 0x01;
1267 	params.ddc_reload = 0x01;
1268 	params.boot_option = 0x00;
1269 	params.boot_param = cpu_to_le32(0x00000000);
1270 
1271 	skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(params),
1272 			     &params, HCI_INIT_TIMEOUT);
1273 	if (IS_ERR(skb)) {
1274 		bt_dev_err(hdev, "FW download error recovery failed (%ld)",
1275 			   PTR_ERR(skb));
1276 		return;
1277 	}
1278 	bt_dev_info(hdev, "Intel reset sent to retry FW download");
1279 	kfree_skb(skb);
1280 
1281 	/* Current Intel BT controllers(ThP/JfP) hold the USB reset
1282 	 * lines for 2ms when it receives Intel Reset in bootloader mode.
1283 	 * Whereas, the upcoming Intel BT controllers will hold USB reset
1284 	 * for 150ms. To keep the delay generic, 150ms is chosen here.
1285 	 */
1286 	msleep(150);
1287 }
1288 
1289 static int btintel_read_debug_features(struct hci_dev *hdev,
1290 				       struct intel_debug_features *features)
1291 {
1292 	struct sk_buff *skb;
1293 	u8 page_no = 1;
1294 
1295 	/* Intel controller supports two pages, each page is of 128-bit
1296 	 * feature bit mask. And each bit defines specific feature support
1297 	 */
1298 	skb = __hci_cmd_sync(hdev, 0xfca6, sizeof(page_no), &page_no,
1299 			     HCI_INIT_TIMEOUT);
1300 	if (IS_ERR(skb)) {
1301 		bt_dev_err(hdev, "Reading supported features failed (%ld)",
1302 			   PTR_ERR(skb));
1303 		return PTR_ERR(skb);
1304 	}
1305 
1306 	if (skb->len != (sizeof(features->page1) + 3)) {
1307 		bt_dev_err(hdev, "Supported features event size mismatch");
1308 		kfree_skb(skb);
1309 		return -EILSEQ;
1310 	}
1311 
1312 	memcpy(features->page1, skb->data + 3, sizeof(features->page1));
1313 
1314 	/* Read the supported features page2 if required in future.
1315 	 */
1316 	kfree_skb(skb);
1317 	return 0;
1318 }
1319 
1320 static acpi_status btintel_ppag_callback(acpi_handle handle, u32 lvl, void *data,
1321 					 void **ret)
1322 {
1323 	acpi_status status;
1324 	size_t len;
1325 	struct btintel_ppag *ppag = data;
1326 	union acpi_object *p, *elements;
1327 	struct acpi_buffer string = {ACPI_ALLOCATE_BUFFER, NULL};
1328 	struct acpi_buffer buffer = {ACPI_ALLOCATE_BUFFER, NULL};
1329 	struct hci_dev *hdev = ppag->hdev;
1330 
1331 	status = acpi_get_name(handle, ACPI_FULL_PATHNAME, &string);
1332 	if (ACPI_FAILURE(status)) {
1333 		bt_dev_warn(hdev, "PPAG-BT: ACPI Failure: %s", acpi_format_exception(status));
1334 		return status;
1335 	}
1336 
1337 	len = strlen(string.pointer);
1338 	if (len < strlen(BTINTEL_PPAG_NAME)) {
1339 		kfree(string.pointer);
1340 		return AE_OK;
1341 	}
1342 
1343 	if (strncmp((char *)string.pointer + len - 4, BTINTEL_PPAG_NAME, 4)) {
1344 		kfree(string.pointer);
1345 		return AE_OK;
1346 	}
1347 	kfree(string.pointer);
1348 
1349 	status = acpi_evaluate_object(handle, NULL, NULL, &buffer);
1350 	if (ACPI_FAILURE(status)) {
1351 		ppag->status = status;
1352 		bt_dev_warn(hdev, "PPAG-BT: ACPI Failure: %s", acpi_format_exception(status));
1353 		return status;
1354 	}
1355 
1356 	p = buffer.pointer;
1357 	ppag = (struct btintel_ppag *)data;
1358 
1359 	if (p->type != ACPI_TYPE_PACKAGE || p->package.count != 2) {
1360 		kfree(buffer.pointer);
1361 		bt_dev_warn(hdev, "PPAG-BT: Invalid object type: %d or package count: %d",
1362 			    p->type, p->package.count);
1363 		ppag->status = AE_ERROR;
1364 		return AE_ERROR;
1365 	}
1366 
1367 	elements = p->package.elements;
1368 
1369 	/* PPAG table is located at element[1] */
1370 	p = &elements[1];
1371 
1372 	ppag->domain = (u32)p->package.elements[0].integer.value;
1373 	ppag->mode = (u32)p->package.elements[1].integer.value;
1374 	ppag->status = AE_OK;
1375 	kfree(buffer.pointer);
1376 	return AE_CTRL_TERMINATE;
1377 }
1378 
1379 static int btintel_set_debug_features(struct hci_dev *hdev,
1380 			       const struct intel_debug_features *features)
1381 {
1382 	u8 mask[11] = { 0x0a, 0x92, 0x02, 0x7f, 0x00, 0x00, 0x00, 0x00,
1383 			0x00, 0x00, 0x00 };
1384 	u8 period[5] = { 0x04, 0x91, 0x02, 0x05, 0x00 };
1385 	u8 trace_enable = 0x02;
1386 	struct sk_buff *skb;
1387 
1388 	if (!features) {
1389 		bt_dev_warn(hdev, "Debug features not read");
1390 		return -EINVAL;
1391 	}
1392 
1393 	if (!(features->page1[0] & 0x3f)) {
1394 		bt_dev_info(hdev, "Telemetry exception format not supported");
1395 		return 0;
1396 	}
1397 
1398 	skb = __hci_cmd_sync(hdev, 0xfc8b, 11, mask, HCI_INIT_TIMEOUT);
1399 	if (IS_ERR(skb)) {
1400 		bt_dev_err(hdev, "Setting Intel telemetry ddc write event mask failed (%ld)",
1401 			   PTR_ERR(skb));
1402 		return PTR_ERR(skb);
1403 	}
1404 	kfree_skb(skb);
1405 
1406 	skb = __hci_cmd_sync(hdev, 0xfc8b, 5, period, HCI_INIT_TIMEOUT);
1407 	if (IS_ERR(skb)) {
1408 		bt_dev_err(hdev, "Setting periodicity for link statistics traces failed (%ld)",
1409 			   PTR_ERR(skb));
1410 		return PTR_ERR(skb);
1411 	}
1412 	kfree_skb(skb);
1413 
1414 	skb = __hci_cmd_sync(hdev, 0xfca1, 1, &trace_enable, HCI_INIT_TIMEOUT);
1415 	if (IS_ERR(skb)) {
1416 		bt_dev_err(hdev, "Enable tracing of link statistics events failed (%ld)",
1417 			   PTR_ERR(skb));
1418 		return PTR_ERR(skb);
1419 	}
1420 	kfree_skb(skb);
1421 
1422 	bt_dev_info(hdev, "set debug features: trace_enable 0x%02x mask 0x%02x",
1423 		    trace_enable, mask[3]);
1424 
1425 	return 0;
1426 }
1427 
1428 static int btintel_reset_debug_features(struct hci_dev *hdev,
1429 				 const struct intel_debug_features *features)
1430 {
1431 	u8 mask[11] = { 0x0a, 0x92, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
1432 			0x00, 0x00, 0x00 };
1433 	u8 trace_enable = 0x00;
1434 	struct sk_buff *skb;
1435 
1436 	if (!features) {
1437 		bt_dev_warn(hdev, "Debug features not read");
1438 		return -EINVAL;
1439 	}
1440 
1441 	if (!(features->page1[0] & 0x3f)) {
1442 		bt_dev_info(hdev, "Telemetry exception format not supported");
1443 		return 0;
1444 	}
1445 
1446 	/* Should stop the trace before writing ddc event mask. */
1447 	skb = __hci_cmd_sync(hdev, 0xfca1, 1, &trace_enable, HCI_INIT_TIMEOUT);
1448 	if (IS_ERR(skb)) {
1449 		bt_dev_err(hdev, "Stop tracing of link statistics events failed (%ld)",
1450 			   PTR_ERR(skb));
1451 		return PTR_ERR(skb);
1452 	}
1453 	kfree_skb(skb);
1454 
1455 	skb = __hci_cmd_sync(hdev, 0xfc8b, 11, mask, HCI_INIT_TIMEOUT);
1456 	if (IS_ERR(skb)) {
1457 		bt_dev_err(hdev, "Setting Intel telemetry ddc write event mask failed (%ld)",
1458 			   PTR_ERR(skb));
1459 		return PTR_ERR(skb);
1460 	}
1461 	kfree_skb(skb);
1462 
1463 	bt_dev_info(hdev, "reset debug features: trace_enable 0x%02x mask 0x%02x",
1464 		    trace_enable, mask[3]);
1465 
1466 	return 0;
1467 }
1468 
1469 int btintel_set_quality_report(struct hci_dev *hdev, bool enable)
1470 {
1471 	struct intel_debug_features features;
1472 	int err;
1473 
1474 	bt_dev_dbg(hdev, "enable %d", enable);
1475 
1476 	/* Read the Intel supported features and if new exception formats
1477 	 * supported, need to load the additional DDC config to enable.
1478 	 */
1479 	err = btintel_read_debug_features(hdev, &features);
1480 	if (err)
1481 		return err;
1482 
1483 	/* Set or reset the debug features. */
1484 	if (enable)
1485 		err = btintel_set_debug_features(hdev, &features);
1486 	else
1487 		err = btintel_reset_debug_features(hdev, &features);
1488 
1489 	return err;
1490 }
1491 EXPORT_SYMBOL_GPL(btintel_set_quality_report);
1492 
1493 static void btintel_coredump(struct hci_dev *hdev)
1494 {
1495 	struct sk_buff *skb;
1496 
1497 	skb = __hci_cmd_sync(hdev, 0xfc4e, 0, NULL, HCI_CMD_TIMEOUT);
1498 	if (IS_ERR(skb)) {
1499 		bt_dev_err(hdev, "Coredump failed (%ld)", PTR_ERR(skb));
1500 		return;
1501 	}
1502 
1503 	kfree_skb(skb);
1504 }
1505 
1506 static void btintel_dmp_hdr(struct hci_dev *hdev, struct sk_buff *skb)
1507 {
1508 	char buf[80];
1509 
1510 	snprintf(buf, sizeof(buf), "Controller Name: 0x%X\n",
1511 		 coredump_info.hw_variant);
1512 	skb_put_data(skb, buf, strlen(buf));
1513 
1514 	snprintf(buf, sizeof(buf), "Firmware Version: 0x%X\n",
1515 		 coredump_info.fw_build_num);
1516 	skb_put_data(skb, buf, strlen(buf));
1517 
1518 	snprintf(buf, sizeof(buf), "Driver: %s\n", coredump_info.driver_name);
1519 	skb_put_data(skb, buf, strlen(buf));
1520 
1521 	snprintf(buf, sizeof(buf), "Vendor: Intel\n");
1522 	skb_put_data(skb, buf, strlen(buf));
1523 }
1524 
1525 static int btintel_register_devcoredump_support(struct hci_dev *hdev)
1526 {
1527 	struct intel_debug_features features;
1528 	int err;
1529 
1530 	err = btintel_read_debug_features(hdev, &features);
1531 	if (err) {
1532 		bt_dev_info(hdev, "Error reading debug features");
1533 		return err;
1534 	}
1535 
1536 	if (!(features.page1[0] & 0x3f)) {
1537 		bt_dev_dbg(hdev, "Telemetry exception format not supported");
1538 		return -EOPNOTSUPP;
1539 	}
1540 
1541 	hci_devcd_register(hdev, btintel_coredump, btintel_dmp_hdr, NULL);
1542 
1543 	return err;
1544 }
1545 
1546 static const struct firmware *btintel_legacy_rom_get_fw(struct hci_dev *hdev,
1547 					       struct intel_version *ver)
1548 {
1549 	const struct firmware *fw;
1550 	char fwname[64];
1551 	int ret;
1552 
1553 	snprintf(fwname, sizeof(fwname),
1554 		 "intel/ibt-hw-%x.%x.%x-fw-%x.%x.%x.%x.%x.bseq",
1555 		 ver->hw_platform, ver->hw_variant, ver->hw_revision,
1556 		 ver->fw_variant,  ver->fw_revision, ver->fw_build_num,
1557 		 ver->fw_build_ww, ver->fw_build_yy);
1558 
1559 	ret = request_firmware(&fw, fwname, &hdev->dev);
1560 	if (ret < 0) {
1561 		if (ret == -EINVAL) {
1562 			bt_dev_err(hdev, "Intel firmware file request failed (%d)",
1563 				   ret);
1564 			return NULL;
1565 		}
1566 
1567 		bt_dev_err(hdev, "failed to open Intel firmware file: %s (%d)",
1568 			   fwname, ret);
1569 
1570 		/* If the correct firmware patch file is not found, use the
1571 		 * default firmware patch file instead
1572 		 */
1573 		snprintf(fwname, sizeof(fwname), "intel/ibt-hw-%x.%x.bseq",
1574 			 ver->hw_platform, ver->hw_variant);
1575 		if (request_firmware(&fw, fwname, &hdev->dev) < 0) {
1576 			bt_dev_err(hdev, "failed to open default fw file: %s",
1577 				   fwname);
1578 			return NULL;
1579 		}
1580 	}
1581 
1582 	bt_dev_info(hdev, "Intel Bluetooth firmware file: %s", fwname);
1583 
1584 	return fw;
1585 }
1586 
1587 static int btintel_legacy_rom_patching(struct hci_dev *hdev,
1588 				      const struct firmware *fw,
1589 				      const u8 **fw_ptr, int *disable_patch)
1590 {
1591 	struct sk_buff *skb;
1592 	struct hci_command_hdr *cmd;
1593 	const u8 *cmd_param;
1594 	struct hci_event_hdr *evt = NULL;
1595 	const u8 *evt_param = NULL;
1596 	int remain = fw->size - (*fw_ptr - fw->data);
1597 
1598 	/* The first byte indicates the types of the patch command or event.
1599 	 * 0x01 means HCI command and 0x02 is HCI event. If the first bytes
1600 	 * in the current firmware buffer doesn't start with 0x01 or
1601 	 * the size of remain buffer is smaller than HCI command header,
1602 	 * the firmware file is corrupted and it should stop the patching
1603 	 * process.
1604 	 */
1605 	if (remain > HCI_COMMAND_HDR_SIZE && *fw_ptr[0] != 0x01) {
1606 		bt_dev_err(hdev, "Intel fw corrupted: invalid cmd read");
1607 		return -EINVAL;
1608 	}
1609 	(*fw_ptr)++;
1610 	remain--;
1611 
1612 	cmd = (struct hci_command_hdr *)(*fw_ptr);
1613 	*fw_ptr += sizeof(*cmd);
1614 	remain -= sizeof(*cmd);
1615 
1616 	/* Ensure that the remain firmware data is long enough than the length
1617 	 * of command parameter. If not, the firmware file is corrupted.
1618 	 */
1619 	if (remain < cmd->plen) {
1620 		bt_dev_err(hdev, "Intel fw corrupted: invalid cmd len");
1621 		return -EFAULT;
1622 	}
1623 
1624 	/* If there is a command that loads a patch in the firmware
1625 	 * file, then enable the patch upon success, otherwise just
1626 	 * disable the manufacturer mode, for example patch activation
1627 	 * is not required when the default firmware patch file is used
1628 	 * because there are no patch data to load.
1629 	 */
1630 	if (*disable_patch && le16_to_cpu(cmd->opcode) == 0xfc8e)
1631 		*disable_patch = 0;
1632 
1633 	cmd_param = *fw_ptr;
1634 	*fw_ptr += cmd->plen;
1635 	remain -= cmd->plen;
1636 
1637 	/* This reads the expected events when the above command is sent to the
1638 	 * device. Some vendor commands expects more than one events, for
1639 	 * example command status event followed by vendor specific event.
1640 	 * For this case, it only keeps the last expected event. so the command
1641 	 * can be sent with __hci_cmd_sync_ev() which returns the sk_buff of
1642 	 * last expected event.
1643 	 */
1644 	while (remain > HCI_EVENT_HDR_SIZE && *fw_ptr[0] == 0x02) {
1645 		(*fw_ptr)++;
1646 		remain--;
1647 
1648 		evt = (struct hci_event_hdr *)(*fw_ptr);
1649 		*fw_ptr += sizeof(*evt);
1650 		remain -= sizeof(*evt);
1651 
1652 		if (remain < evt->plen) {
1653 			bt_dev_err(hdev, "Intel fw corrupted: invalid evt len");
1654 			return -EFAULT;
1655 		}
1656 
1657 		evt_param = *fw_ptr;
1658 		*fw_ptr += evt->plen;
1659 		remain -= evt->plen;
1660 	}
1661 
1662 	/* Every HCI commands in the firmware file has its correspond event.
1663 	 * If event is not found or remain is smaller than zero, the firmware
1664 	 * file is corrupted.
1665 	 */
1666 	if (!evt || !evt_param || remain < 0) {
1667 		bt_dev_err(hdev, "Intel fw corrupted: invalid evt read");
1668 		return -EFAULT;
1669 	}
1670 
1671 	skb = __hci_cmd_sync_ev(hdev, le16_to_cpu(cmd->opcode), cmd->plen,
1672 				cmd_param, evt->evt, HCI_INIT_TIMEOUT);
1673 	if (IS_ERR(skb)) {
1674 		bt_dev_err(hdev, "sending Intel patch command (0x%4.4x) failed (%ld)",
1675 			   cmd->opcode, PTR_ERR(skb));
1676 		return PTR_ERR(skb);
1677 	}
1678 
1679 	/* It ensures that the returned event matches the event data read from
1680 	 * the firmware file. At fist, it checks the length and then
1681 	 * the contents of the event.
1682 	 */
1683 	if (skb->len != evt->plen) {
1684 		bt_dev_err(hdev, "mismatch event length (opcode 0x%4.4x)",
1685 			   le16_to_cpu(cmd->opcode));
1686 		kfree_skb(skb);
1687 		return -EFAULT;
1688 	}
1689 
1690 	if (memcmp(skb->data, evt_param, evt->plen)) {
1691 		bt_dev_err(hdev, "mismatch event parameter (opcode 0x%4.4x)",
1692 			   le16_to_cpu(cmd->opcode));
1693 		kfree_skb(skb);
1694 		return -EFAULT;
1695 	}
1696 	kfree_skb(skb);
1697 
1698 	return 0;
1699 }
1700 
1701 static int btintel_legacy_rom_setup(struct hci_dev *hdev,
1702 				    struct intel_version *ver)
1703 {
1704 	const struct firmware *fw;
1705 	const u8 *fw_ptr;
1706 	int disable_patch, err;
1707 	struct intel_version new_ver;
1708 
1709 	BT_DBG("%s", hdev->name);
1710 
1711 	/* fw_patch_num indicates the version of patch the device currently
1712 	 * have. If there is no patch data in the device, it is always 0x00.
1713 	 * So, if it is other than 0x00, no need to patch the device again.
1714 	 */
1715 	if (ver->fw_patch_num) {
1716 		bt_dev_info(hdev,
1717 			    "Intel device is already patched. patch num: %02x",
1718 			    ver->fw_patch_num);
1719 		goto complete;
1720 	}
1721 
1722 	/* Opens the firmware patch file based on the firmware version read
1723 	 * from the controller. If it fails to open the matching firmware
1724 	 * patch file, it tries to open the default firmware patch file.
1725 	 * If no patch file is found, allow the device to operate without
1726 	 * a patch.
1727 	 */
1728 	fw = btintel_legacy_rom_get_fw(hdev, ver);
1729 	if (!fw)
1730 		goto complete;
1731 	fw_ptr = fw->data;
1732 
1733 	/* Enable the manufacturer mode of the controller.
1734 	 * Only while this mode is enabled, the driver can download the
1735 	 * firmware patch data and configuration parameters.
1736 	 */
1737 	err = btintel_enter_mfg(hdev);
1738 	if (err) {
1739 		release_firmware(fw);
1740 		return err;
1741 	}
1742 
1743 	disable_patch = 1;
1744 
1745 	/* The firmware data file consists of list of Intel specific HCI
1746 	 * commands and its expected events. The first byte indicates the
1747 	 * type of the message, either HCI command or HCI event.
1748 	 *
1749 	 * It reads the command and its expected event from the firmware file,
1750 	 * and send to the controller. Once __hci_cmd_sync_ev() returns,
1751 	 * the returned event is compared with the event read from the firmware
1752 	 * file and it will continue until all the messages are downloaded to
1753 	 * the controller.
1754 	 *
1755 	 * Once the firmware patching is completed successfully,
1756 	 * the manufacturer mode is disabled with reset and activating the
1757 	 * downloaded patch.
1758 	 *
1759 	 * If the firmware patching fails, the manufacturer mode is
1760 	 * disabled with reset and deactivating the patch.
1761 	 *
1762 	 * If the default patch file is used, no reset is done when disabling
1763 	 * the manufacturer.
1764 	 */
1765 	while (fw->size > fw_ptr - fw->data) {
1766 		int ret;
1767 
1768 		ret = btintel_legacy_rom_patching(hdev, fw, &fw_ptr,
1769 						 &disable_patch);
1770 		if (ret < 0)
1771 			goto exit_mfg_deactivate;
1772 	}
1773 
1774 	release_firmware(fw);
1775 
1776 	if (disable_patch)
1777 		goto exit_mfg_disable;
1778 
1779 	/* Patching completed successfully and disable the manufacturer mode
1780 	 * with reset and activate the downloaded firmware patches.
1781 	 */
1782 	err = btintel_exit_mfg(hdev, true, true);
1783 	if (err)
1784 		return err;
1785 
1786 	/* Need build number for downloaded fw patches in
1787 	 * every power-on boot
1788 	 */
1789 	err = btintel_read_version(hdev, &new_ver);
1790 	if (err)
1791 		return err;
1792 
1793 	bt_dev_info(hdev, "Intel BT fw patch 0x%02x completed & activated",
1794 		    new_ver.fw_patch_num);
1795 
1796 	goto complete;
1797 
1798 exit_mfg_disable:
1799 	/* Disable the manufacturer mode without reset */
1800 	err = btintel_exit_mfg(hdev, false, false);
1801 	if (err)
1802 		return err;
1803 
1804 	bt_dev_info(hdev, "Intel firmware patch completed");
1805 
1806 	goto complete;
1807 
1808 exit_mfg_deactivate:
1809 	release_firmware(fw);
1810 
1811 	/* Patching failed. Disable the manufacturer mode with reset and
1812 	 * deactivate the downloaded firmware patches.
1813 	 */
1814 	err = btintel_exit_mfg(hdev, true, false);
1815 	if (err)
1816 		return err;
1817 
1818 	bt_dev_info(hdev, "Intel firmware patch completed and deactivated");
1819 
1820 complete:
1821 	/* Set the event mask for Intel specific vendor events. This enables
1822 	 * a few extra events that are useful during general operation.
1823 	 */
1824 	btintel_set_event_mask_mfg(hdev, false);
1825 
1826 	btintel_check_bdaddr(hdev);
1827 
1828 	return 0;
1829 }
1830 
1831 static int btintel_download_wait(struct hci_dev *hdev, ktime_t calltime, int msec)
1832 {
1833 	ktime_t delta, rettime;
1834 	unsigned long long duration;
1835 	int err;
1836 
1837 	btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED);
1838 
1839 	bt_dev_info(hdev, "Waiting for firmware download to complete");
1840 
1841 	err = btintel_wait_on_flag_timeout(hdev, INTEL_DOWNLOADING,
1842 					   TASK_INTERRUPTIBLE,
1843 					   msecs_to_jiffies(msec));
1844 	if (err == -EINTR) {
1845 		bt_dev_err(hdev, "Firmware loading interrupted");
1846 		return err;
1847 	}
1848 
1849 	if (err) {
1850 		bt_dev_err(hdev, "Firmware loading timeout");
1851 		return -ETIMEDOUT;
1852 	}
1853 
1854 	if (btintel_test_flag(hdev, INTEL_FIRMWARE_FAILED)) {
1855 		bt_dev_err(hdev, "Firmware loading failed");
1856 		return -ENOEXEC;
1857 	}
1858 
1859 	rettime = ktime_get();
1860 	delta = ktime_sub(rettime, calltime);
1861 	duration = (unsigned long long)ktime_to_ns(delta) >> 10;
1862 
1863 	bt_dev_info(hdev, "Firmware loaded in %llu usecs", duration);
1864 
1865 	return 0;
1866 }
1867 
1868 static int btintel_boot_wait(struct hci_dev *hdev, ktime_t calltime, int msec)
1869 {
1870 	ktime_t delta, rettime;
1871 	unsigned long long duration;
1872 	int err;
1873 
1874 	bt_dev_info(hdev, "Waiting for device to boot");
1875 
1876 	err = btintel_wait_on_flag_timeout(hdev, INTEL_BOOTING,
1877 					   TASK_INTERRUPTIBLE,
1878 					   msecs_to_jiffies(msec));
1879 	if (err == -EINTR) {
1880 		bt_dev_err(hdev, "Device boot interrupted");
1881 		return -EINTR;
1882 	}
1883 
1884 	if (err) {
1885 		bt_dev_err(hdev, "Device boot timeout");
1886 		return -ETIMEDOUT;
1887 	}
1888 
1889 	rettime = ktime_get();
1890 	delta = ktime_sub(rettime, calltime);
1891 	duration = (unsigned long long) ktime_to_ns(delta) >> 10;
1892 
1893 	bt_dev_info(hdev, "Device booted in %llu usecs", duration);
1894 
1895 	return 0;
1896 }
1897 
1898 static int btintel_boot(struct hci_dev *hdev, u32 boot_addr)
1899 {
1900 	ktime_t calltime;
1901 	int err;
1902 
1903 	calltime = ktime_get();
1904 
1905 	btintel_set_flag(hdev, INTEL_BOOTING);
1906 
1907 	err = btintel_send_intel_reset(hdev, boot_addr);
1908 	if (err) {
1909 		bt_dev_err(hdev, "Intel Soft Reset failed (%d)", err);
1910 		btintel_reset_to_bootloader(hdev);
1911 		return err;
1912 	}
1913 
1914 	/* The bootloader will not indicate when the device is ready. This
1915 	 * is done by the operational firmware sending bootup notification.
1916 	 *
1917 	 * Booting into operational firmware should not take longer than
1918 	 * 1 second. However if that happens, then just fail the setup
1919 	 * since something went wrong.
1920 	 */
1921 	err = btintel_boot_wait(hdev, calltime, 1000);
1922 	if (err == -ETIMEDOUT)
1923 		btintel_reset_to_bootloader(hdev);
1924 
1925 	return err;
1926 }
1927 
1928 static int btintel_get_fw_name(struct intel_version *ver,
1929 					     struct intel_boot_params *params,
1930 					     char *fw_name, size_t len,
1931 					     const char *suffix)
1932 {
1933 	switch (ver->hw_variant) {
1934 	case 0x0b:	/* SfP */
1935 	case 0x0c:	/* WsP */
1936 		snprintf(fw_name, len, "intel/ibt-%u-%u.%s",
1937 			 ver->hw_variant,
1938 			 le16_to_cpu(params->dev_revid),
1939 			 suffix);
1940 		break;
1941 	case 0x11:	/* JfP */
1942 	case 0x12:	/* ThP */
1943 	case 0x13:	/* HrP */
1944 	case 0x14:	/* CcP */
1945 		snprintf(fw_name, len, "intel/ibt-%u-%u-%u.%s",
1946 			 ver->hw_variant,
1947 			 ver->hw_revision,
1948 			 ver->fw_revision,
1949 			 suffix);
1950 		break;
1951 	default:
1952 		return -EINVAL;
1953 	}
1954 
1955 	return 0;
1956 }
1957 
1958 static int btintel_download_fw(struct hci_dev *hdev,
1959 					 struct intel_version *ver,
1960 					 struct intel_boot_params *params,
1961 					 u32 *boot_param)
1962 {
1963 	const struct firmware *fw;
1964 	char fwname[64];
1965 	int err;
1966 	ktime_t calltime;
1967 
1968 	if (!ver || !params)
1969 		return -EINVAL;
1970 
1971 	/* The firmware variant determines if the device is in bootloader
1972 	 * mode or is running operational firmware. The value 0x06 identifies
1973 	 * the bootloader and the value 0x23 identifies the operational
1974 	 * firmware.
1975 	 *
1976 	 * When the operational firmware is already present, then only
1977 	 * the check for valid Bluetooth device address is needed. This
1978 	 * determines if the device will be added as configured or
1979 	 * unconfigured controller.
1980 	 *
1981 	 * It is not possible to use the Secure Boot Parameters in this
1982 	 * case since that command is only available in bootloader mode.
1983 	 */
1984 	if (ver->fw_variant == 0x23) {
1985 		btintel_clear_flag(hdev, INTEL_BOOTLOADER);
1986 		btintel_check_bdaddr(hdev);
1987 
1988 		/* SfP and WsP don't seem to update the firmware version on file
1989 		 * so version checking is currently possible.
1990 		 */
1991 		switch (ver->hw_variant) {
1992 		case 0x0b:	/* SfP */
1993 		case 0x0c:	/* WsP */
1994 			return 0;
1995 		}
1996 
1997 		/* Proceed to download to check if the version matches */
1998 		goto download;
1999 	}
2000 
2001 	/* Read the secure boot parameters to identify the operating
2002 	 * details of the bootloader.
2003 	 */
2004 	err = btintel_read_boot_params(hdev, params);
2005 	if (err)
2006 		return err;
2007 
2008 	/* It is required that every single firmware fragment is acknowledged
2009 	 * with a command complete event. If the boot parameters indicate
2010 	 * that this bootloader does not send them, then abort the setup.
2011 	 */
2012 	if (params->limited_cce != 0x00) {
2013 		bt_dev_err(hdev, "Unsupported Intel firmware loading method (%u)",
2014 			   params->limited_cce);
2015 		return -EINVAL;
2016 	}
2017 
2018 	/* If the OTP has no valid Bluetooth device address, then there will
2019 	 * also be no valid address for the operational firmware.
2020 	 */
2021 	if (!bacmp(&params->otp_bdaddr, BDADDR_ANY)) {
2022 		bt_dev_info(hdev, "No device address configured");
2023 		set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
2024 	}
2025 
2026 download:
2027 	/* With this Intel bootloader only the hardware variant and device
2028 	 * revision information are used to select the right firmware for SfP
2029 	 * and WsP.
2030 	 *
2031 	 * The firmware filename is ibt-<hw_variant>-<dev_revid>.sfi.
2032 	 *
2033 	 * Currently the supported hardware variants are:
2034 	 *   11 (0x0b) for iBT3.0 (LnP/SfP)
2035 	 *   12 (0x0c) for iBT3.5 (WsP)
2036 	 *
2037 	 * For ThP/JfP and for future SKU's, the FW name varies based on HW
2038 	 * variant, HW revision and FW revision, as these are dependent on CNVi
2039 	 * and RF Combination.
2040 	 *
2041 	 *   17 (0x11) for iBT3.5 (JfP)
2042 	 *   18 (0x12) for iBT3.5 (ThP)
2043 	 *
2044 	 * The firmware file name for these will be
2045 	 * ibt-<hw_variant>-<hw_revision>-<fw_revision>.sfi.
2046 	 *
2047 	 */
2048 	err = btintel_get_fw_name(ver, params, fwname, sizeof(fwname), "sfi");
2049 	if (err < 0) {
2050 		if (!btintel_test_flag(hdev, INTEL_BOOTLOADER)) {
2051 			/* Firmware has already been loaded */
2052 			btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED);
2053 			return 0;
2054 		}
2055 
2056 		bt_dev_err(hdev, "Unsupported Intel firmware naming");
2057 		return -EINVAL;
2058 	}
2059 
2060 	err = firmware_request_nowarn(&fw, fwname, &hdev->dev);
2061 	if (err < 0) {
2062 		if (!btintel_test_flag(hdev, INTEL_BOOTLOADER)) {
2063 			/* Firmware has already been loaded */
2064 			btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED);
2065 			return 0;
2066 		}
2067 
2068 		bt_dev_err(hdev, "Failed to load Intel firmware file %s (%d)",
2069 			   fwname, err);
2070 		return err;
2071 	}
2072 
2073 	bt_dev_info(hdev, "Found device firmware: %s", fwname);
2074 
2075 	if (fw->size < 644) {
2076 		bt_dev_err(hdev, "Invalid size of firmware file (%zu)",
2077 			   fw->size);
2078 		err = -EBADF;
2079 		goto done;
2080 	}
2081 
2082 	calltime = ktime_get();
2083 
2084 	btintel_set_flag(hdev, INTEL_DOWNLOADING);
2085 
2086 	/* Start firmware downloading and get boot parameter */
2087 	err = btintel_download_firmware(hdev, ver, fw, boot_param);
2088 	if (err < 0) {
2089 		if (err == -EALREADY) {
2090 			/* Firmware has already been loaded */
2091 			btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED);
2092 			err = 0;
2093 			goto done;
2094 		}
2095 
2096 		/* When FW download fails, send Intel Reset to retry
2097 		 * FW download.
2098 		 */
2099 		btintel_reset_to_bootloader(hdev);
2100 		goto done;
2101 	}
2102 
2103 	/* Before switching the device into operational mode and with that
2104 	 * booting the loaded firmware, wait for the bootloader notification
2105 	 * that all fragments have been successfully received.
2106 	 *
2107 	 * When the event processing receives the notification, then the
2108 	 * INTEL_DOWNLOADING flag will be cleared.
2109 	 *
2110 	 * The firmware loading should not take longer than 5 seconds
2111 	 * and thus just timeout if that happens and fail the setup
2112 	 * of this device.
2113 	 */
2114 	err = btintel_download_wait(hdev, calltime, 5000);
2115 	if (err == -ETIMEDOUT)
2116 		btintel_reset_to_bootloader(hdev);
2117 
2118 done:
2119 	release_firmware(fw);
2120 	return err;
2121 }
2122 
2123 static int btintel_bootloader_setup(struct hci_dev *hdev,
2124 				    struct intel_version *ver)
2125 {
2126 	struct intel_version new_ver;
2127 	struct intel_boot_params params;
2128 	u32 boot_param;
2129 	char ddcname[64];
2130 	int err;
2131 
2132 	BT_DBG("%s", hdev->name);
2133 
2134 	/* Set the default boot parameter to 0x0 and it is updated to
2135 	 * SKU specific boot parameter after reading Intel_Write_Boot_Params
2136 	 * command while downloading the firmware.
2137 	 */
2138 	boot_param = 0x00000000;
2139 
2140 	btintel_set_flag(hdev, INTEL_BOOTLOADER);
2141 
2142 	err = btintel_download_fw(hdev, ver, &params, &boot_param);
2143 	if (err)
2144 		return err;
2145 
2146 	/* controller is already having an operational firmware */
2147 	if (ver->fw_variant == 0x23)
2148 		goto finish;
2149 
2150 	err = btintel_boot(hdev, boot_param);
2151 	if (err)
2152 		return err;
2153 
2154 	btintel_clear_flag(hdev, INTEL_BOOTLOADER);
2155 
2156 	err = btintel_get_fw_name(ver, &params, ddcname,
2157 						sizeof(ddcname), "ddc");
2158 
2159 	if (err < 0) {
2160 		bt_dev_err(hdev, "Unsupported Intel firmware naming");
2161 	} else {
2162 		/* Once the device is running in operational mode, it needs to
2163 		 * apply the device configuration (DDC) parameters.
2164 		 *
2165 		 * The device can work without DDC parameters, so even if it
2166 		 * fails to load the file, no need to fail the setup.
2167 		 */
2168 		btintel_load_ddc_config(hdev, ddcname);
2169 	}
2170 
2171 	hci_dev_clear_flag(hdev, HCI_QUALITY_REPORT);
2172 
2173 	/* Read the Intel version information after loading the FW  */
2174 	err = btintel_read_version(hdev, &new_ver);
2175 	if (err)
2176 		return err;
2177 
2178 	btintel_version_info(hdev, &new_ver);
2179 
2180 finish:
2181 	/* Set the event mask for Intel specific vendor events. This enables
2182 	 * a few extra events that are useful during general operation. It
2183 	 * does not enable any debugging related events.
2184 	 *
2185 	 * The device will function correctly without these events enabled
2186 	 * and thus no need to fail the setup.
2187 	 */
2188 	btintel_set_event_mask(hdev, false);
2189 
2190 	return 0;
2191 }
2192 
2193 static void btintel_get_fw_name_tlv(const struct intel_version_tlv *ver,
2194 				    char *fw_name, size_t len,
2195 				    const char *suffix)
2196 {
2197 	/* The firmware file name for new generation controllers will be
2198 	 * ibt-<cnvi_top type+cnvi_top step>-<cnvr_top type+cnvr_top step>
2199 	 */
2200 	snprintf(fw_name, len, "intel/ibt-%04x-%04x.%s",
2201 		 INTEL_CNVX_TOP_PACK_SWAB(INTEL_CNVX_TOP_TYPE(ver->cnvi_top),
2202 					  INTEL_CNVX_TOP_STEP(ver->cnvi_top)),
2203 		 INTEL_CNVX_TOP_PACK_SWAB(INTEL_CNVX_TOP_TYPE(ver->cnvr_top),
2204 					  INTEL_CNVX_TOP_STEP(ver->cnvr_top)),
2205 		 suffix);
2206 }
2207 
2208 static int btintel_prepare_fw_download_tlv(struct hci_dev *hdev,
2209 					   struct intel_version_tlv *ver,
2210 					   u32 *boot_param)
2211 {
2212 	const struct firmware *fw;
2213 	char fwname[64];
2214 	int err;
2215 	ktime_t calltime;
2216 
2217 	if (!ver || !boot_param)
2218 		return -EINVAL;
2219 
2220 	/* The firmware variant determines if the device is in bootloader
2221 	 * mode or is running operational firmware. The value 0x03 identifies
2222 	 * the bootloader and the value 0x23 identifies the operational
2223 	 * firmware.
2224 	 *
2225 	 * When the operational firmware is already present, then only
2226 	 * the check for valid Bluetooth device address is needed. This
2227 	 * determines if the device will be added as configured or
2228 	 * unconfigured controller.
2229 	 *
2230 	 * It is not possible to use the Secure Boot Parameters in this
2231 	 * case since that command is only available in bootloader mode.
2232 	 */
2233 	if (ver->img_type == 0x03) {
2234 		btintel_clear_flag(hdev, INTEL_BOOTLOADER);
2235 		btintel_check_bdaddr(hdev);
2236 	} else {
2237 		/*
2238 		 * Check for valid bd address in boot loader mode. Device
2239 		 * will be marked as unconfigured if empty bd address is
2240 		 * found.
2241 		 */
2242 		if (!bacmp(&ver->otp_bd_addr, BDADDR_ANY)) {
2243 			bt_dev_info(hdev, "No device address configured");
2244 			set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
2245 		}
2246 	}
2247 
2248 	btintel_get_fw_name_tlv(ver, fwname, sizeof(fwname), "sfi");
2249 	err = firmware_request_nowarn(&fw, fwname, &hdev->dev);
2250 	if (err < 0) {
2251 		if (!btintel_test_flag(hdev, INTEL_BOOTLOADER)) {
2252 			/* Firmware has already been loaded */
2253 			btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED);
2254 			return 0;
2255 		}
2256 
2257 		bt_dev_err(hdev, "Failed to load Intel firmware file %s (%d)",
2258 			   fwname, err);
2259 
2260 		return err;
2261 	}
2262 
2263 	bt_dev_info(hdev, "Found device firmware: %s", fwname);
2264 
2265 	if (fw->size < 644) {
2266 		bt_dev_err(hdev, "Invalid size of firmware file (%zu)",
2267 			   fw->size);
2268 		err = -EBADF;
2269 		goto done;
2270 	}
2271 
2272 	calltime = ktime_get();
2273 
2274 	btintel_set_flag(hdev, INTEL_DOWNLOADING);
2275 
2276 	/* Start firmware downloading and get boot parameter */
2277 	err = btintel_download_fw_tlv(hdev, ver, fw, boot_param,
2278 					       INTEL_HW_VARIANT(ver->cnvi_bt),
2279 					       ver->sbe_type);
2280 	if (err < 0) {
2281 		if (err == -EALREADY) {
2282 			/* Firmware has already been loaded */
2283 			btintel_set_flag(hdev, INTEL_FIRMWARE_LOADED);
2284 			err = 0;
2285 			goto done;
2286 		}
2287 
2288 		/* When FW download fails, send Intel Reset to retry
2289 		 * FW download.
2290 		 */
2291 		btintel_reset_to_bootloader(hdev);
2292 		goto done;
2293 	}
2294 
2295 	/* Before switching the device into operational mode and with that
2296 	 * booting the loaded firmware, wait for the bootloader notification
2297 	 * that all fragments have been successfully received.
2298 	 *
2299 	 * When the event processing receives the notification, then the
2300 	 * BTUSB_DOWNLOADING flag will be cleared.
2301 	 *
2302 	 * The firmware loading should not take longer than 5 seconds
2303 	 * and thus just timeout if that happens and fail the setup
2304 	 * of this device.
2305 	 */
2306 	err = btintel_download_wait(hdev, calltime, 5000);
2307 	if (err == -ETIMEDOUT)
2308 		btintel_reset_to_bootloader(hdev);
2309 
2310 done:
2311 	release_firmware(fw);
2312 	return err;
2313 }
2314 
2315 static int btintel_get_codec_config_data(struct hci_dev *hdev,
2316 					 __u8 link, struct bt_codec *codec,
2317 					 __u8 *ven_len, __u8 **ven_data)
2318 {
2319 	int err = 0;
2320 
2321 	if (!ven_data || !ven_len)
2322 		return -EINVAL;
2323 
2324 	*ven_len = 0;
2325 	*ven_data = NULL;
2326 
2327 	if (link != ESCO_LINK) {
2328 		bt_dev_err(hdev, "Invalid link type(%u)", link);
2329 		return -EINVAL;
2330 	}
2331 
2332 	*ven_data = kmalloc(sizeof(__u8), GFP_KERNEL);
2333 	if (!*ven_data) {
2334 		err = -ENOMEM;
2335 		goto error;
2336 	}
2337 
2338 	/* supports only CVSD and mSBC offload codecs */
2339 	switch (codec->id) {
2340 	case 0x02:
2341 		**ven_data = 0x00;
2342 		break;
2343 	case 0x05:
2344 		**ven_data = 0x01;
2345 		break;
2346 	default:
2347 		err = -EINVAL;
2348 		bt_dev_err(hdev, "Invalid codec id(%u)", codec->id);
2349 		goto error;
2350 	}
2351 	/* codec and its capabilities are pre-defined to ids
2352 	 * preset id = 0x00 represents CVSD codec with sampling rate 8K
2353 	 * preset id = 0x01 represents mSBC codec with sampling rate 16K
2354 	 */
2355 	*ven_len = sizeof(__u8);
2356 	return err;
2357 
2358 error:
2359 	kfree(*ven_data);
2360 	*ven_data = NULL;
2361 	return err;
2362 }
2363 
2364 static int btintel_get_data_path_id(struct hci_dev *hdev, __u8 *data_path_id)
2365 {
2366 	/* Intel uses 1 as data path id for all the usecases */
2367 	*data_path_id = 1;
2368 	return 0;
2369 }
2370 
2371 static int btintel_configure_offload(struct hci_dev *hdev)
2372 {
2373 	struct sk_buff *skb;
2374 	int err = 0;
2375 	struct intel_offload_use_cases *use_cases;
2376 
2377 	skb = __hci_cmd_sync(hdev, 0xfc86, 0, NULL, HCI_INIT_TIMEOUT);
2378 	if (IS_ERR(skb)) {
2379 		bt_dev_err(hdev, "Reading offload use cases failed (%ld)",
2380 			   PTR_ERR(skb));
2381 		return PTR_ERR(skb);
2382 	}
2383 
2384 	if (skb->len < sizeof(*use_cases)) {
2385 		err = -EIO;
2386 		goto error;
2387 	}
2388 
2389 	use_cases = (void *)skb->data;
2390 
2391 	if (use_cases->status) {
2392 		err = -bt_to_errno(skb->data[0]);
2393 		goto error;
2394 	}
2395 
2396 	if (use_cases->preset[0] & 0x03) {
2397 		hdev->get_data_path_id = btintel_get_data_path_id;
2398 		hdev->get_codec_config_data = btintel_get_codec_config_data;
2399 	}
2400 error:
2401 	kfree_skb(skb);
2402 	return err;
2403 }
2404 
2405 static void btintel_set_ppag(struct hci_dev *hdev, struct intel_version_tlv *ver)
2406 {
2407 	struct btintel_ppag ppag;
2408 	struct sk_buff *skb;
2409 	struct hci_ppag_enable_cmd ppag_cmd;
2410 	acpi_handle handle;
2411 
2412 	/* PPAG is not supported if CRF is HrP2, Jfp2, JfP1 */
2413 	switch (ver->cnvr_top & 0xFFF) {
2414 	case 0x504:     /* Hrp2 */
2415 	case 0x202:     /* Jfp2 */
2416 	case 0x201:     /* Jfp1 */
2417 		bt_dev_dbg(hdev, "PPAG not supported for Intel CNVr (0x%3x)",
2418 			   ver->cnvr_top & 0xFFF);
2419 		return;
2420 	}
2421 
2422 	handle = ACPI_HANDLE(GET_HCIDEV_DEV(hdev));
2423 	if (!handle) {
2424 		bt_dev_info(hdev, "No support for BT device in ACPI firmware");
2425 		return;
2426 	}
2427 
2428 	memset(&ppag, 0, sizeof(ppag));
2429 
2430 	ppag.hdev = hdev;
2431 	ppag.status = AE_NOT_FOUND;
2432 	acpi_walk_namespace(ACPI_TYPE_PACKAGE, handle, 1, NULL,
2433 			    btintel_ppag_callback, &ppag, NULL);
2434 
2435 	if (ACPI_FAILURE(ppag.status)) {
2436 		if (ppag.status == AE_NOT_FOUND) {
2437 			bt_dev_dbg(hdev, "PPAG-BT: ACPI entry not found");
2438 			return;
2439 		}
2440 		return;
2441 	}
2442 
2443 	if (ppag.domain != 0x12) {
2444 		bt_dev_dbg(hdev, "PPAG-BT: Bluetooth domain is disabled in ACPI firmware");
2445 		return;
2446 	}
2447 
2448 	/* PPAG mode
2449 	 * BIT 0 : 0 Disabled in EU
2450 	 *         1 Enabled in EU
2451 	 * BIT 1 : 0 Disabled in China
2452 	 *         1 Enabled in China
2453 	 */
2454 	if ((ppag.mode & 0x01) != BIT(0) && (ppag.mode & 0x02) != BIT(1)) {
2455 		bt_dev_dbg(hdev, "PPAG-BT: EU, China mode are disabled in CB/BIOS");
2456 		return;
2457 	}
2458 
2459 	ppag_cmd.ppag_enable_flags = cpu_to_le32(ppag.mode);
2460 
2461 	skb = __hci_cmd_sync(hdev, INTEL_OP_PPAG_CMD, sizeof(ppag_cmd), &ppag_cmd, HCI_CMD_TIMEOUT);
2462 	if (IS_ERR(skb)) {
2463 		bt_dev_warn(hdev, "Failed to send PPAG Enable (%ld)", PTR_ERR(skb));
2464 		return;
2465 	}
2466 	bt_dev_info(hdev, "PPAG-BT: Enabled (Mode %d)", ppag.mode);
2467 	kfree_skb(skb);
2468 }
2469 
2470 static int btintel_acpi_reset_method(struct hci_dev *hdev)
2471 {
2472 	int ret = 0;
2473 	acpi_status status;
2474 	union acpi_object *p, *ref;
2475 	struct acpi_buffer buffer = { ACPI_ALLOCATE_BUFFER, NULL };
2476 
2477 	status = acpi_evaluate_object(ACPI_HANDLE(GET_HCIDEV_DEV(hdev)), "_PRR", NULL, &buffer);
2478 	if (ACPI_FAILURE(status)) {
2479 		bt_dev_err(hdev, "Failed to run _PRR method");
2480 		ret = -ENODEV;
2481 		return ret;
2482 	}
2483 	p = buffer.pointer;
2484 
2485 	if (p->package.count != 1 || p->type != ACPI_TYPE_PACKAGE) {
2486 		bt_dev_err(hdev, "Invalid arguments");
2487 		ret = -EINVAL;
2488 		goto exit_on_error;
2489 	}
2490 
2491 	ref = &p->package.elements[0];
2492 	if (ref->type != ACPI_TYPE_LOCAL_REFERENCE) {
2493 		bt_dev_err(hdev, "Invalid object type: 0x%x", ref->type);
2494 		ret = -EINVAL;
2495 		goto exit_on_error;
2496 	}
2497 
2498 	status = acpi_evaluate_object(ref->reference.handle, "_RST", NULL, NULL);
2499 	if (ACPI_FAILURE(status)) {
2500 		bt_dev_err(hdev, "Failed to run_RST method");
2501 		ret = -ENODEV;
2502 		goto exit_on_error;
2503 	}
2504 
2505 exit_on_error:
2506 	kfree(buffer.pointer);
2507 	return ret;
2508 }
2509 
2510 static void btintel_set_dsm_reset_method(struct hci_dev *hdev,
2511 					 struct intel_version_tlv *ver_tlv)
2512 {
2513 	struct btintel_data *data = hci_get_priv(hdev);
2514 	acpi_handle handle = ACPI_HANDLE(GET_HCIDEV_DEV(hdev));
2515 	u8 reset_payload[4] = {0x01, 0x00, 0x01, 0x00};
2516 	union acpi_object *obj, argv4;
2517 	enum {
2518 		RESET_TYPE_WDISABLE2,
2519 		RESET_TYPE_VSEC
2520 	};
2521 
2522 	handle = ACPI_HANDLE(GET_HCIDEV_DEV(hdev));
2523 
2524 	if (!handle) {
2525 		bt_dev_dbg(hdev, "No support for bluetooth device in ACPI firmware");
2526 		return;
2527 	}
2528 
2529 	if (!acpi_has_method(handle, "_PRR")) {
2530 		bt_dev_err(hdev, "No support for _PRR ACPI method");
2531 		return;
2532 	}
2533 
2534 	switch (ver_tlv->cnvi_top & 0xfff) {
2535 	case 0x910: /* GalePeak2 */
2536 		reset_payload[2] = RESET_TYPE_VSEC;
2537 		break;
2538 	default:
2539 		/* WDISABLE2 is the default reset method */
2540 		reset_payload[2] = RESET_TYPE_WDISABLE2;
2541 
2542 		if (!acpi_check_dsm(handle, &btintel_guid_dsm, 0,
2543 				    BIT(DSM_SET_WDISABLE2_DELAY))) {
2544 			bt_dev_err(hdev, "No dsm support to set reset delay");
2545 			return;
2546 		}
2547 		argv4.integer.type = ACPI_TYPE_INTEGER;
2548 		/* delay required to toggle BT power */
2549 		argv4.integer.value = 160;
2550 		obj = acpi_evaluate_dsm(handle, &btintel_guid_dsm, 0,
2551 					DSM_SET_WDISABLE2_DELAY, &argv4);
2552 		if (!obj) {
2553 			bt_dev_err(hdev, "Failed to call dsm to set reset delay");
2554 			return;
2555 		}
2556 		ACPI_FREE(obj);
2557 	}
2558 
2559 	bt_dev_info(hdev, "DSM reset method type: 0x%02x", reset_payload[2]);
2560 
2561 	if (!acpi_check_dsm(handle, &btintel_guid_dsm, 0,
2562 			    DSM_SET_RESET_METHOD)) {
2563 		bt_dev_warn(hdev, "No support for dsm to set reset method");
2564 		return;
2565 	}
2566 	argv4.buffer.type = ACPI_TYPE_BUFFER;
2567 	argv4.buffer.length = sizeof(reset_payload);
2568 	argv4.buffer.pointer = reset_payload;
2569 
2570 	obj = acpi_evaluate_dsm(handle, &btintel_guid_dsm, 0,
2571 				DSM_SET_RESET_METHOD, &argv4);
2572 	if (!obj) {
2573 		bt_dev_err(hdev, "Failed to call dsm to set reset method");
2574 		return;
2575 	}
2576 	ACPI_FREE(obj);
2577 	data->acpi_reset_method = btintel_acpi_reset_method;
2578 }
2579 
2580 static int btintel_bootloader_setup_tlv(struct hci_dev *hdev,
2581 					struct intel_version_tlv *ver)
2582 {
2583 	u32 boot_param;
2584 	char ddcname[64];
2585 	int err;
2586 	struct intel_version_tlv new_ver;
2587 
2588 	bt_dev_dbg(hdev, "");
2589 
2590 	/* Set the default boot parameter to 0x0 and it is updated to
2591 	 * SKU specific boot parameter after reading Intel_Write_Boot_Params
2592 	 * command while downloading the firmware.
2593 	 */
2594 	boot_param = 0x00000000;
2595 
2596 	btintel_set_flag(hdev, INTEL_BOOTLOADER);
2597 
2598 	err = btintel_prepare_fw_download_tlv(hdev, ver, &boot_param);
2599 	if (err)
2600 		return err;
2601 
2602 	/* check if controller is already having an operational firmware */
2603 	if (ver->img_type == 0x03)
2604 		goto finish;
2605 
2606 	err = btintel_boot(hdev, boot_param);
2607 	if (err)
2608 		return err;
2609 
2610 	btintel_clear_flag(hdev, INTEL_BOOTLOADER);
2611 
2612 	btintel_get_fw_name_tlv(ver, ddcname, sizeof(ddcname), "ddc");
2613 	/* Once the device is running in operational mode, it needs to
2614 	 * apply the device configuration (DDC) parameters.
2615 	 *
2616 	 * The device can work without DDC parameters, so even if it
2617 	 * fails to load the file, no need to fail the setup.
2618 	 */
2619 	btintel_load_ddc_config(hdev, ddcname);
2620 
2621 	/* Read supported use cases and set callbacks to fetch datapath id */
2622 	btintel_configure_offload(hdev);
2623 
2624 	hci_dev_clear_flag(hdev, HCI_QUALITY_REPORT);
2625 
2626 	/* Set PPAG feature */
2627 	btintel_set_ppag(hdev, ver);
2628 
2629 	/* Read the Intel version information after loading the FW  */
2630 	err = btintel_read_version_tlv(hdev, &new_ver);
2631 	if (err)
2632 		return err;
2633 
2634 	btintel_version_info_tlv(hdev, &new_ver);
2635 
2636 finish:
2637 	/* Set the event mask for Intel specific vendor events. This enables
2638 	 * a few extra events that are useful during general operation. It
2639 	 * does not enable any debugging related events.
2640 	 *
2641 	 * The device will function correctly without these events enabled
2642 	 * and thus no need to fail the setup.
2643 	 */
2644 	btintel_set_event_mask(hdev, false);
2645 
2646 	return 0;
2647 }
2648 
2649 static void btintel_set_msft_opcode(struct hci_dev *hdev, u8 hw_variant)
2650 {
2651 	switch (hw_variant) {
2652 	/* Legacy bootloader devices that supports MSFT Extension */
2653 	case 0x11:	/* JfP */
2654 	case 0x12:	/* ThP */
2655 	case 0x13:	/* HrP */
2656 	case 0x14:	/* CcP */
2657 	/* All Intel new genration controllers support the Microsoft vendor
2658 	 * extension are using 0xFC1E for VsMsftOpCode.
2659 	 */
2660 	case 0x17:
2661 	case 0x18:
2662 	case 0x19:
2663 	case 0x1b:
2664 	case 0x1c:
2665 		hci_set_msft_opcode(hdev, 0xFC1E);
2666 		break;
2667 	default:
2668 		/* Not supported */
2669 		break;
2670 	}
2671 }
2672 
2673 static void btintel_print_fseq_info(struct hci_dev *hdev)
2674 {
2675 	struct sk_buff *skb;
2676 	u8 *p;
2677 	u32 val;
2678 	const char *str;
2679 
2680 	skb = __hci_cmd_sync(hdev, 0xfcb3, 0, NULL, HCI_CMD_TIMEOUT);
2681 	if (IS_ERR(skb)) {
2682 		bt_dev_dbg(hdev, "Reading fseq status command failed (%ld)",
2683 			   PTR_ERR(skb));
2684 		return;
2685 	}
2686 
2687 	if (skb->len < (sizeof(u32) * 16 + 2)) {
2688 		bt_dev_dbg(hdev, "Malformed packet of length %u received",
2689 			   skb->len);
2690 		kfree_skb(skb);
2691 		return;
2692 	}
2693 
2694 	p = skb_pull_data(skb, 1);
2695 	if (*p) {
2696 		bt_dev_dbg(hdev, "Failed to get fseq status (0x%2.2x)", *p);
2697 		kfree_skb(skb);
2698 		return;
2699 	}
2700 
2701 	p = skb_pull_data(skb, 1);
2702 	switch (*p) {
2703 	case 0:
2704 		str = "Success";
2705 		break;
2706 	case 1:
2707 		str = "Fatal error";
2708 		break;
2709 	case 2:
2710 		str = "Semaphore acquire error";
2711 		break;
2712 	default:
2713 		str = "Unknown error";
2714 		break;
2715 	}
2716 
2717 	if (*p) {
2718 		bt_dev_err(hdev, "Fseq status: %s (0x%2.2x)", str, *p);
2719 		kfree_skb(skb);
2720 		return;
2721 	}
2722 
2723 	bt_dev_info(hdev, "Fseq status: %s (0x%2.2x)", str, *p);
2724 
2725 	val = get_unaligned_le32(skb_pull_data(skb, 4));
2726 	bt_dev_dbg(hdev, "Reason: 0x%8.8x", val);
2727 
2728 	val = get_unaligned_le32(skb_pull_data(skb, 4));
2729 	bt_dev_dbg(hdev, "Global version: 0x%8.8x", val);
2730 
2731 	val = get_unaligned_le32(skb_pull_data(skb, 4));
2732 	bt_dev_dbg(hdev, "Installed version: 0x%8.8x", val);
2733 
2734 	p = skb->data;
2735 	skb_pull_data(skb, 4);
2736 	bt_dev_info(hdev, "Fseq executed: %2.2u.%2.2u.%2.2u.%2.2u", p[0], p[1],
2737 		    p[2], p[3]);
2738 
2739 	p = skb->data;
2740 	skb_pull_data(skb, 4);
2741 	bt_dev_info(hdev, "Fseq BT Top: %2.2u.%2.2u.%2.2u.%2.2u", p[0], p[1],
2742 		    p[2], p[3]);
2743 
2744 	val = get_unaligned_le32(skb_pull_data(skb, 4));
2745 	bt_dev_dbg(hdev, "Fseq Top init version: 0x%8.8x", val);
2746 
2747 	val = get_unaligned_le32(skb_pull_data(skb, 4));
2748 	bt_dev_dbg(hdev, "Fseq Cnvio init version: 0x%8.8x", val);
2749 
2750 	val = get_unaligned_le32(skb_pull_data(skb, 4));
2751 	bt_dev_dbg(hdev, "Fseq MBX Wifi file version: 0x%8.8x", val);
2752 
2753 	val = get_unaligned_le32(skb_pull_data(skb, 4));
2754 	bt_dev_dbg(hdev, "Fseq BT version: 0x%8.8x", val);
2755 
2756 	val = get_unaligned_le32(skb_pull_data(skb, 4));
2757 	bt_dev_dbg(hdev, "Fseq Top reset address: 0x%8.8x", val);
2758 
2759 	val = get_unaligned_le32(skb_pull_data(skb, 4));
2760 	bt_dev_dbg(hdev, "Fseq MBX timeout: 0x%8.8x", val);
2761 
2762 	val = get_unaligned_le32(skb_pull_data(skb, 4));
2763 	bt_dev_dbg(hdev, "Fseq MBX ack: 0x%8.8x", val);
2764 
2765 	val = get_unaligned_le32(skb_pull_data(skb, 4));
2766 	bt_dev_dbg(hdev, "Fseq CNVi id: 0x%8.8x", val);
2767 
2768 	val = get_unaligned_le32(skb_pull_data(skb, 4));
2769 	bt_dev_dbg(hdev, "Fseq CNVr id: 0x%8.8x", val);
2770 
2771 	val = get_unaligned_le32(skb_pull_data(skb, 4));
2772 	bt_dev_dbg(hdev, "Fseq Error handle: 0x%8.8x", val);
2773 
2774 	val = get_unaligned_le32(skb_pull_data(skb, 4));
2775 	bt_dev_dbg(hdev, "Fseq Magic noalive indication: 0x%8.8x", val);
2776 
2777 	val = get_unaligned_le32(skb_pull_data(skb, 4));
2778 	bt_dev_dbg(hdev, "Fseq OTP version: 0x%8.8x", val);
2779 
2780 	val = get_unaligned_le32(skb_pull_data(skb, 4));
2781 	bt_dev_dbg(hdev, "Fseq MBX otp version: 0x%8.8x", val);
2782 
2783 	kfree_skb(skb);
2784 }
2785 
2786 static int btintel_setup_combined(struct hci_dev *hdev)
2787 {
2788 	const u8 param[1] = { 0xFF };
2789 	struct intel_version ver;
2790 	struct intel_version_tlv ver_tlv;
2791 	struct sk_buff *skb;
2792 	int err;
2793 
2794 	BT_DBG("%s", hdev->name);
2795 
2796 	/* The some controllers have a bug with the first HCI command sent to it
2797 	 * returning number of completed commands as zero. This would stall the
2798 	 * command processing in the Bluetooth core.
2799 	 *
2800 	 * As a workaround, send HCI Reset command first which will reset the
2801 	 * number of completed commands and allow normal command processing
2802 	 * from now on.
2803 	 *
2804 	 * Regarding the INTEL_BROKEN_SHUTDOWN_LED flag, these devices maybe
2805 	 * in the SW_RFKILL ON state as a workaround of fixing LED issue during
2806 	 * the shutdown() procedure, and once the device is in SW_RFKILL ON
2807 	 * state, the only way to exit out of it is sending the HCI_Reset
2808 	 * command.
2809 	 */
2810 	if (btintel_test_flag(hdev, INTEL_BROKEN_INITIAL_NCMD) ||
2811 	    btintel_test_flag(hdev, INTEL_BROKEN_SHUTDOWN_LED)) {
2812 		skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL,
2813 				     HCI_INIT_TIMEOUT);
2814 		if (IS_ERR(skb)) {
2815 			bt_dev_err(hdev,
2816 				   "sending initial HCI reset failed (%ld)",
2817 				   PTR_ERR(skb));
2818 			return PTR_ERR(skb);
2819 		}
2820 		kfree_skb(skb);
2821 	}
2822 
2823 	/* Starting from TyP device, the command parameter and response are
2824 	 * changed even though the OCF for HCI_Intel_Read_Version command
2825 	 * remains same. The legacy devices can handle even if the
2826 	 * command has a parameter and returns a correct version information.
2827 	 * So, it uses new format to support both legacy and new format.
2828 	 */
2829 	skb = __hci_cmd_sync(hdev, 0xfc05, 1, param, HCI_CMD_TIMEOUT);
2830 	if (IS_ERR(skb)) {
2831 		bt_dev_err(hdev, "Reading Intel version command failed (%ld)",
2832 			   PTR_ERR(skb));
2833 		return PTR_ERR(skb);
2834 	}
2835 
2836 	/* Check the status */
2837 	if (skb->data[0]) {
2838 		bt_dev_err(hdev, "Intel Read Version command failed (%02x)",
2839 			   skb->data[0]);
2840 		err = -EIO;
2841 		goto exit_error;
2842 	}
2843 
2844 	/* Apply the common HCI quirks for Intel device */
2845 	set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks);
2846 	set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks);
2847 	set_bit(HCI_QUIRK_NON_PERSISTENT_DIAG, &hdev->quirks);
2848 
2849 	/* Set up the quality report callback for Intel devices */
2850 	hdev->set_quality_report = btintel_set_quality_report;
2851 
2852 	/* For Legacy device, check the HW platform value and size */
2853 	if (skb->len == sizeof(ver) && skb->data[1] == 0x37) {
2854 		bt_dev_dbg(hdev, "Read the legacy Intel version information");
2855 
2856 		memcpy(&ver, skb->data, sizeof(ver));
2857 
2858 		/* Display version information */
2859 		btintel_version_info(hdev, &ver);
2860 
2861 		/* Check for supported iBT hardware variants of this firmware
2862 		 * loading method.
2863 		 *
2864 		 * This check has been put in place to ensure correct forward
2865 		 * compatibility options when newer hardware variants come
2866 		 * along.
2867 		 */
2868 		switch (ver.hw_variant) {
2869 		case 0x07:	/* WP */
2870 		case 0x08:	/* StP */
2871 			/* Legacy ROM product */
2872 			btintel_set_flag(hdev, INTEL_ROM_LEGACY);
2873 
2874 			/* Apply the device specific HCI quirks
2875 			 *
2876 			 * WBS for SdP - For the Legacy ROM products, only SdP
2877 			 * supports the WBS. But the version information is not
2878 			 * enough to use here because the StP2 and SdP have same
2879 			 * hw_variant and fw_variant. So, this flag is set by
2880 			 * the transport driver (btusb) based on the HW info
2881 			 * (idProduct)
2882 			 */
2883 			if (!btintel_test_flag(hdev,
2884 					       INTEL_ROM_LEGACY_NO_WBS_SUPPORT))
2885 				set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED,
2886 					&hdev->quirks);
2887 			if (ver.hw_variant == 0x08 && ver.fw_variant == 0x22)
2888 				set_bit(HCI_QUIRK_VALID_LE_STATES,
2889 					&hdev->quirks);
2890 
2891 			err = btintel_legacy_rom_setup(hdev, &ver);
2892 			break;
2893 		case 0x0b:      /* SfP */
2894 		case 0x11:      /* JfP */
2895 		case 0x12:      /* ThP */
2896 		case 0x13:      /* HrP */
2897 		case 0x14:      /* CcP */
2898 			set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks);
2899 			fallthrough;
2900 		case 0x0c:	/* WsP */
2901 			/* Apply the device specific HCI quirks
2902 			 *
2903 			 * All Legacy bootloader devices support WBS
2904 			 */
2905 			set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED,
2906 				&hdev->quirks);
2907 
2908 			/* These variants don't seem to support LE Coded PHY */
2909 			set_bit(HCI_QUIRK_BROKEN_LE_CODED, &hdev->quirks);
2910 
2911 			/* Setup MSFT Extension support */
2912 			btintel_set_msft_opcode(hdev, ver.hw_variant);
2913 
2914 			err = btintel_bootloader_setup(hdev, &ver);
2915 			btintel_register_devcoredump_support(hdev);
2916 			break;
2917 		default:
2918 			bt_dev_err(hdev, "Unsupported Intel hw variant (%u)",
2919 				   ver.hw_variant);
2920 			err = -EINVAL;
2921 		}
2922 
2923 		goto exit_error;
2924 	}
2925 
2926 	/* memset ver_tlv to start with clean state as few fields are exclusive
2927 	 * to bootloader mode and are not populated in operational mode
2928 	 */
2929 	memset(&ver_tlv, 0, sizeof(ver_tlv));
2930 	/* For TLV type device, parse the tlv data */
2931 	err = btintel_parse_version_tlv(hdev, &ver_tlv, skb);
2932 	if (err) {
2933 		bt_dev_err(hdev, "Failed to parse TLV version information");
2934 		goto exit_error;
2935 	}
2936 
2937 	if (INTEL_HW_PLATFORM(ver_tlv.cnvi_bt) != 0x37) {
2938 		bt_dev_err(hdev, "Unsupported Intel hardware platform (0x%2x)",
2939 			   INTEL_HW_PLATFORM(ver_tlv.cnvi_bt));
2940 		err = -EINVAL;
2941 		goto exit_error;
2942 	}
2943 
2944 	/* Check for supported iBT hardware variants of this firmware
2945 	 * loading method.
2946 	 *
2947 	 * This check has been put in place to ensure correct forward
2948 	 * compatibility options when newer hardware variants come
2949 	 * along.
2950 	 */
2951 	switch (INTEL_HW_VARIANT(ver_tlv.cnvi_bt)) {
2952 	case 0x11:      /* JfP */
2953 	case 0x12:      /* ThP */
2954 	case 0x13:      /* HrP */
2955 	case 0x14:      /* CcP */
2956 		/* Some legacy bootloader devices starting from JfP,
2957 		 * the operational firmware supports both old and TLV based
2958 		 * HCI_Intel_Read_Version command based on the command
2959 		 * parameter.
2960 		 *
2961 		 * For upgrading firmware case, the TLV based version cannot
2962 		 * be used because the firmware filename for legacy bootloader
2963 		 * is based on the old format.
2964 		 *
2965 		 * Also, it is not easy to convert TLV based version from the
2966 		 * legacy version format.
2967 		 *
2968 		 * So, as a workaround for those devices, use the legacy
2969 		 * HCI_Intel_Read_Version to get the version information and
2970 		 * run the legacy bootloader setup.
2971 		 */
2972 		err = btintel_read_version(hdev, &ver);
2973 		if (err)
2974 			break;
2975 
2976 		/* Apply the device specific HCI quirks
2977 		 *
2978 		 * All Legacy bootloader devices support WBS
2979 		 */
2980 		set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks);
2981 
2982 		/* These variants don't seem to support LE Coded PHY */
2983 		set_bit(HCI_QUIRK_BROKEN_LE_CODED, &hdev->quirks);
2984 
2985 		/* Set Valid LE States quirk */
2986 		set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks);
2987 
2988 		/* Setup MSFT Extension support */
2989 		btintel_set_msft_opcode(hdev, ver.hw_variant);
2990 
2991 		err = btintel_bootloader_setup(hdev, &ver);
2992 		btintel_register_devcoredump_support(hdev);
2993 		break;
2994 	case 0x17:
2995 	case 0x18:
2996 	case 0x19:
2997 	case 0x1b:
2998 	case 0x1c:
2999 		/* Display version information of TLV type */
3000 		btintel_version_info_tlv(hdev, &ver_tlv);
3001 
3002 		/* Apply the device specific HCI quirks for TLV based devices
3003 		 *
3004 		 * All TLV based devices support WBS
3005 		 */
3006 		set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks);
3007 
3008 		/* Apply LE States quirk from solar onwards */
3009 		set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks);
3010 
3011 		/* Setup MSFT Extension support */
3012 		btintel_set_msft_opcode(hdev,
3013 					INTEL_HW_VARIANT(ver_tlv.cnvi_bt));
3014 		btintel_set_dsm_reset_method(hdev, &ver_tlv);
3015 
3016 		err = btintel_bootloader_setup_tlv(hdev, &ver_tlv);
3017 		btintel_register_devcoredump_support(hdev);
3018 		btintel_print_fseq_info(hdev);
3019 		break;
3020 	default:
3021 		bt_dev_err(hdev, "Unsupported Intel hw variant (%u)",
3022 			   INTEL_HW_VARIANT(ver_tlv.cnvi_bt));
3023 		err = -EINVAL;
3024 		break;
3025 	}
3026 
3027 exit_error:
3028 	kfree_skb(skb);
3029 
3030 	return err;
3031 }
3032 
3033 static int btintel_shutdown_combined(struct hci_dev *hdev)
3034 {
3035 	struct sk_buff *skb;
3036 	int ret;
3037 
3038 	/* Send HCI Reset to the controller to stop any BT activity which
3039 	 * were triggered. This will help to save power and maintain the
3040 	 * sync b/w Host and controller
3041 	 */
3042 	skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
3043 	if (IS_ERR(skb)) {
3044 		bt_dev_err(hdev, "HCI reset during shutdown failed");
3045 		return PTR_ERR(skb);
3046 	}
3047 	kfree_skb(skb);
3048 
3049 
3050 	/* Some platforms have an issue with BT LED when the interface is
3051 	 * down or BT radio is turned off, which takes 5 seconds to BT LED
3052 	 * goes off. As a workaround, sends HCI_Intel_SW_RFKILL to put the
3053 	 * device in the RFKILL ON state which turns off the BT LED immediately.
3054 	 */
3055 	if (btintel_test_flag(hdev, INTEL_BROKEN_SHUTDOWN_LED)) {
3056 		skb = __hci_cmd_sync(hdev, 0xfc3f, 0, NULL, HCI_INIT_TIMEOUT);
3057 		if (IS_ERR(skb)) {
3058 			ret = PTR_ERR(skb);
3059 			bt_dev_err(hdev, "turning off Intel device LED failed");
3060 			return ret;
3061 		}
3062 		kfree_skb(skb);
3063 	}
3064 
3065 	return 0;
3066 }
3067 
3068 int btintel_configure_setup(struct hci_dev *hdev, const char *driver_name)
3069 {
3070 	hdev->manufacturer = 2;
3071 	hdev->setup = btintel_setup_combined;
3072 	hdev->shutdown = btintel_shutdown_combined;
3073 	hdev->hw_error = btintel_hw_error;
3074 	hdev->set_diag = btintel_set_diag_combined;
3075 	hdev->set_bdaddr = btintel_set_bdaddr;
3076 
3077 	coredump_info.driver_name = driver_name;
3078 
3079 	return 0;
3080 }
3081 EXPORT_SYMBOL_GPL(btintel_configure_setup);
3082 
3083 static int btintel_diagnostics(struct hci_dev *hdev, struct sk_buff *skb)
3084 {
3085 	struct intel_tlv *tlv = (void *)&skb->data[5];
3086 
3087 	/* The first event is always an event type TLV */
3088 	if (tlv->type != INTEL_TLV_TYPE_ID)
3089 		goto recv_frame;
3090 
3091 	switch (tlv->val[0]) {
3092 	case INTEL_TLV_SYSTEM_EXCEPTION:
3093 	case INTEL_TLV_FATAL_EXCEPTION:
3094 	case INTEL_TLV_DEBUG_EXCEPTION:
3095 	case INTEL_TLV_TEST_EXCEPTION:
3096 		/* Generate devcoredump from exception */
3097 		if (!hci_devcd_init(hdev, skb->len)) {
3098 			hci_devcd_append(hdev, skb);
3099 			hci_devcd_complete(hdev);
3100 		} else {
3101 			bt_dev_err(hdev, "Failed to generate devcoredump");
3102 			kfree_skb(skb);
3103 		}
3104 		return 0;
3105 	default:
3106 		bt_dev_err(hdev, "Invalid exception type %02X", tlv->val[0]);
3107 	}
3108 
3109 recv_frame:
3110 	return hci_recv_frame(hdev, skb);
3111 }
3112 
3113 int btintel_recv_event(struct hci_dev *hdev, struct sk_buff *skb)
3114 {
3115 	struct hci_event_hdr *hdr = (void *)skb->data;
3116 	const char diagnostics_hdr[] = { 0x87, 0x80, 0x03 };
3117 
3118 	if (skb->len > HCI_EVENT_HDR_SIZE && hdr->evt == 0xff &&
3119 	    hdr->plen > 0) {
3120 		const void *ptr = skb->data + HCI_EVENT_HDR_SIZE + 1;
3121 		unsigned int len = skb->len - HCI_EVENT_HDR_SIZE - 1;
3122 
3123 		if (btintel_test_flag(hdev, INTEL_BOOTLOADER)) {
3124 			switch (skb->data[2]) {
3125 			case 0x02:
3126 				/* When switching to the operational firmware
3127 				 * the device sends a vendor specific event
3128 				 * indicating that the bootup completed.
3129 				 */
3130 				btintel_bootup(hdev, ptr, len);
3131 				break;
3132 			case 0x06:
3133 				/* When the firmware loading completes the
3134 				 * device sends out a vendor specific event
3135 				 * indicating the result of the firmware
3136 				 * loading.
3137 				 */
3138 				btintel_secure_send_result(hdev, ptr, len);
3139 				break;
3140 			}
3141 		}
3142 
3143 		/* Handle all diagnostics events separately. May still call
3144 		 * hci_recv_frame.
3145 		 */
3146 		if (len >= sizeof(diagnostics_hdr) &&
3147 		    memcmp(&skb->data[2], diagnostics_hdr,
3148 			   sizeof(diagnostics_hdr)) == 0) {
3149 			return btintel_diagnostics(hdev, skb);
3150 		}
3151 	}
3152 
3153 	return hci_recv_frame(hdev, skb);
3154 }
3155 EXPORT_SYMBOL_GPL(btintel_recv_event);
3156 
3157 void btintel_bootup(struct hci_dev *hdev, const void *ptr, unsigned int len)
3158 {
3159 	const struct intel_bootup *evt = ptr;
3160 
3161 	if (len != sizeof(*evt))
3162 		return;
3163 
3164 	if (btintel_test_and_clear_flag(hdev, INTEL_BOOTING))
3165 		btintel_wake_up_flag(hdev, INTEL_BOOTING);
3166 }
3167 EXPORT_SYMBOL_GPL(btintel_bootup);
3168 
3169 void btintel_secure_send_result(struct hci_dev *hdev,
3170 				const void *ptr, unsigned int len)
3171 {
3172 	const struct intel_secure_send_result *evt = ptr;
3173 
3174 	if (len != sizeof(*evt))
3175 		return;
3176 
3177 	if (evt->result)
3178 		btintel_set_flag(hdev, INTEL_FIRMWARE_FAILED);
3179 
3180 	if (btintel_test_and_clear_flag(hdev, INTEL_DOWNLOADING) &&
3181 	    btintel_test_flag(hdev, INTEL_FIRMWARE_LOADED))
3182 		btintel_wake_up_flag(hdev, INTEL_DOWNLOADING);
3183 }
3184 EXPORT_SYMBOL_GPL(btintel_secure_send_result);
3185 
3186 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
3187 MODULE_DESCRIPTION("Bluetooth support for Intel devices ver " VERSION);
3188 MODULE_VERSION(VERSION);
3189 MODULE_LICENSE("GPL");
3190 MODULE_FIRMWARE("intel/ibt-11-5.sfi");
3191 MODULE_FIRMWARE("intel/ibt-11-5.ddc");
3192 MODULE_FIRMWARE("intel/ibt-12-16.sfi");
3193 MODULE_FIRMWARE("intel/ibt-12-16.ddc");
3194